VTP Intro

Uploaded by seemabpa

Last time discussed:

1)VTP ?
2)VTP server domain vs VTP server null (configuring the VTP domain on one VTP
server is auto-replicated to the other VTP servers in the null domain).
3)VTP Mode and its operation
Server
Client
Transparent
====================
Sunday Topic

1)VTP
What is VTP
VTP Mode
VTP Vulnerability or VTP attack
VTP Version
VTP Configuration Revision number
VTP message types
VTP version in detail
VTP Pruning

copy running-config startup-config


Note Only VTP mode and domain name are saved in the switch running configuration
and can be copied to the startup configuration file.

VTP is a Cisco proprietary protocol, designed by Cisco for easier
administration of a VLAN management domain.
VTP only propagates VLAN information. It does not bind ports to the required VLAN,
so static port configuration is still required.
When you configure VTP, you must configure a trunk port so that the switch can send
and receive VTP advertisements to and from other switches in the domain.
VTP runs globally and can also be enabled or disabled per interface.

VTP Monitoring Commands


show vtp counters
show vtp devices conflict
show vtp interface x/x/x
show vtp password
show vtp status

In VTP versions 1 and 2, when you configure extended-range VLANs on the switch, the
switch must be in VTP transparent mode. VTP version 3 also supports creating
extended-range VLANs in client or server mode.

VTP versions 1 and 2 do not support private VLANs. If you configure private VLANs,
the switch must be in VTP transparent mode. When private VLANs are configured on
the switch, do not change the VTP mode from transparent to client or server mode.

VTP version 3 does support private VLANs.

########(Verify this in LAB)#########


For VTP version 1 and version 2, if extended-range VLANs are configured on the
switch, you cannot change VTP mode to client or server. You receive an error
message, and the configuration is not allowed. VTP version 1 and version 2 do not
propagate configuration information for extended range VLANs (VLANs 1006 to 4094).
You must manually configure these VLANs on each device.

Note For VTP version 1 and 2, before you create extended-range VLANs (VLAN IDs 1006
to 4094), you must set VTP mode to transparent by using the vtp mode transparent
global configuration command. Save this configuration to the startup configuration
so that the switch starts in VTP transparent mode. Otherwise, you lose the
extended-range VLAN configuration if the switch resets and boots up in VTP server
mode (the default).

•VTP version 3 supports extended-range VLANs. If extended VLANs are configured, you
cannot convert from VTP version 3 to VTP version 2.
•If you configure the switch for VTP client mode, the switch does not create the
VLAN database file (vlan.dat). If the switch is then powered off, it resets the VTP
configuration to the default. To keep the VTP configuration with VTP client mode
after the switch restarts, you must first configure the VTP domain name before the
VTP mode.

Caution

If all switches are operating in VTP client mode, do not configure a VTP domain
name. If you do, it is impossible to make changes to the VLAN configuration of that
domain. Therefore, make sure you configure at least one switch as a VTP server.

Let's say you have a network with 20 switches and 50 VLANs.


We have two methods to accomplish this task:
-Static
-Dynamic

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$$$$$$

The VTP information is saved in the VTP VLAN database.


When VTP mode is transparent, the VTP domain name and mode are also saved in the
switch running configuration file, and you can save it in the switch startup
configuration file by entering the copy running-config startup-config command. You
must use this command if you want the switch to stay in VTP transparent mode after
it resets.

When you save VTP information in the switch startup configuration file and restart
the switch, the configuration is selected as follows:

•If the VTP mode is transparent in both the startup configuration and the VLAN
database and the VTP domain name from the VLAN database matches that in the startup
configuration file, the VLAN database is ignored (cleared). The VTP and VLAN
configurations in the startup configuration file are used. The VLAN database
revision number remains unchanged in the VLAN database.

•If the VTP mode or the domain name in the startup configuration do not match the
VLAN database, the domain name and the VTP mode and configuration for the first
1005 VLANs use the VLAN database information.

Domain Names
********************
When you configure a domain name, it cannot be removed; you can only reassign a
switch to a different domain.

When configuring VTP for the first time, you must always assign a domain name. You
must configure all switches in the VTP domain with the same domain name. Switches
in VTP transparent mode do not exchange VTP messages with other switches, and you
do not need to configure a VTP domain name for them.

Note If NVRAM and DRAM storage is sufficient, all switches in a VTP domain should
be in VTP server mode.

########(Verify this in LAB)#########


Caution Do not configure a VTP domain if all switches are operating in VTP client
mode. If you configure the domain, it is impossible to make changes to the VLAN
configuration of that domain. Make sure that you configure at least one switch in
the VTP domain for VTP server mode.

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

VTP Password

Passwords (use a password if you want to protect the VTP advertisements)
You can configure a password for the VTP domain, but it is not required.
If you do configure a domain password, all domain switches must share the same
password and you must configure the password on each switch in the management
domain. Switches without a password or with the wrong password reject VTP
advertisements.

If you configure a VTP password for a domain, a switch that is booted without a VTP
configuration does not accept VTP advertisements until you configure it with the
correct password. After the configuration, the switch accepts the next VTP
advertisement that uses the same password and domain name in the advertisement.

If you are adding a new switch to an existing network with VTP capability, the new
switch learns the domain name only after the applicable password has been
configured on it.

Caution

When you configure a VTP domain password, the management domain does not function
properly if you do not assign a management domain password to each switch in the
domain.

vtp password mylab hidden


show vtp password

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

VTP Mode

VTP modes (4):
-Server
-Client
-Transparent
-Off

VTP Server:

In VTP server mode, you can create, modify, and delete VLANs, and specify other
configuration parameters (such as the VTP version) for the entire VTP domain. VTP
servers advertise their VLAN configurations to other switches in the same VTP
domain and synchronize their VLAN configurations with other switches based on
advertisements received over trunk links.

VTP server is the default mode.

Note:-
In VTP server mode, VLAN configurations are saved in NVRAM.
If the switch detects a failure while writing a configuration to NVRAM, VTP mode
automatically changes from server mode to client mode.
If this happens, the switch cannot be returned to VTP server mode until the NVRAM
is functioning.

VTP client
A VTP client behaves like a VTP server and transmits and receives VTP updates on
its trunks, but you cannot create, change, or delete VLANs on a VTP client. VLANs
are configured on another switch in the domain that is in server mode.

Note:- ########(Verify this in LAB)#########


In VTP versions 1 and 2, in VTP client mode, VLAN configurations are not saved in
NVRAM.
In VTP version 3, VLAN configurations are saved in NVRAM in client mode.

VTP transparent

VTP transparent switches do not participate in VTP.


A VTP transparent switch does not advertise its VLAN configuration and does not
synchronize its VLAN configuration based on received advertisements.
Switches in VTP transparent mode do not exchange VTP messages with other switches,
and you do not need to configure a VTP domain name for them.

########(Verify this in LAB)#########


However, in VTP version 2 or version 3, transparent switches do forward VTP
advertisements that they receive from other switches through their trunk
interfaces.
What about VTP version 1????? -> Does VTP version 1 in transparent mode forward
VTP advertisements to other switches??
You can create, modify, and delete VLANs on a switch in VTP transparent mode.

########(Verify this in LAB)########


In VTP versions 1 and 2, the switch must be in VTP transparent mode when you create
extended-range VLANs.
VTP version 3 also supports creating extended-range VLANs in client or server mode.

########(Verify this in LAB)########


In VTP versions 1 and 2, the switch must be in VTP transparent mode when you create
private VLANs, and once they are configured, you should not change the VTP mode from
transparent to client or server mode. VTP version 3 also supports private VLANs in
client and server modes.
When the switch is in VTP transparent mode, the VTP and VLAN configurations are
saved in NVRAM, but they are not advertised to other switches. In this mode, VTP
mode and domain name are saved in the switch running configuration, and you can
save this information in the switch startup configuration file by using the copy
running-config startup-config command.

VTP off
A switch in VTP off mode functions in the same manner as a VTP transparent switch,
except that it does not forward VTP advertisements on trunks.

VTP Transparent vs Off


******************************
Quick Question:
Hopefully a quick question. I need to disable VTP on our access and distribution
switches as we don't want VTP to operate on our network. What is typically the
best/recommended way to do this now? Is it better to use VTP mode transparent or
off? What are the differences between the two?

Answer1:
A switch in VTP off mode functions in the same manner as a VTP transparent switch,
except that it does not forward VTP advertisements on trunks.
I would like to add that in your case you should use the off mode, and as a result
you will not find any traffic related to VTP in your network.

VTP transparent mode: The switch configured in VTP transparent mode will not make
changes in its database and will actively forward VTP messages.
VTP off mode: The switch configured in VTP off mode will not make changes in its
database and will NOT forward VTP messages.

Will you need VTP messages to go through these switches to other switches that are
using VTP? If so, then you will need to use transparent mode.
If VTP is not used at all in your network, or no VTP messages need to go through
these particular switches, then use VTP off.

PS: VLAN information is saved in the running configuration, whereas in the other
VTP modes it is saved in the "vlan.dat" file in flash.

Answer2:

There is a huge difference between VTP transparent mode and OFF.

Transparent: The switch is participating; however, it's not going to update any
VLAN information from the server, it will just pass the VLAN details to the next
switch.
OFF: We are not enabling VTP itself in the switch, meaning the switch is not
participating in VTP.

Let's take an example of Switch "B":

OFF mode:

Switch A ------------------- Switch B --------------------- Switch C
Vlan10,20                    No vlans                       No vlans

Transparent mode:

Switch A ------------------- Switch B --------------------- Switch C
Vlan 10,20                   No vlan                        Vlan 10,20

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

VTP Version

VTP version 2 and version 3 are disabled by default.

########(Verify this in LAB)########


•When you enable VTP version 2 on a switch, every VTP version 2-capable switch in
the VTP domain enables version 2. To enable VTP version 3, you must manually
configure it on each switch.

########(Verify this in LAB)########


•With VTP versions 1 and 2, you can configure the version only on switches in VTP
server or transparent mode. If a switch is running VTP version 3, you can change to
version 2 when the switch is in client mode if no extended VLANs exist, no private
VLANs exist, and no hidden password was configured.

Caution VTP version 1 and VTP version 2 are not interoperable on switches in the
same VTP domain. Do not enable VTP version 2 unless every switch in the VTP domain
supports version 2.

•VTP version 3 is supported on switches running Cisco IOS Release 12.2(52) SE or
later.
Caution In VTP version 3, both the primary and secondary servers can exist on an
instance in the domain.

########(Verify this in LAB)########


•All switches in a VTP domain must have the same domain name, but they do not need
to run the same VTP version.
•A VTP version 2-capable switch can operate in the same VTP domain as a switch
running VTP version 1 if version 2 is disabled on the version 2-capable switch
(version 2 is disabled by default).
•If a switch running VTP version 1 but capable of running VTP version 2 receives
VTP version 3 advertisements, it automatically moves to VTP version 2.
•If a switch running VTP version 3 is connected to a switch running VTP version 1,
the VTP version 1 switch moves to VTP version 2, and the VTP version 3 switch sends
scaled-down versions of the VTP packets so that the VTP version 2 switch can update
its database.
•A switch running VTP version 3 cannot move to version 1 or 2 if it has extended
VLANs.

•Do not enable VTP version 2 on a switch unless all of the switches in the same VTP
domain are version-2-capable. When you enable version 2 on a switch, all of the
version-2-capable switches in the domain enable version 2. If there is a version 1-
only switch, it does not exchange VTP information with switches that have version 2
enabled.
•We recommend placing VTP version 1 and 2 switches at the edge of the network
because they do not forward VTP version 3 advertisements.
•If there are TrBRF and TrCRF Token Ring networks in your environment, you must
enable VTP version 2 or version 3 for Token Ring VLAN switching to function
properly. To run Token Ring and Token Ring-Net, disable VTP version 2.

Extended VLAN propagation limitation in VTP v1 & v2 - extended VLANs must be
configured manually on all the switches.

•VTP version 1 and version 2 do not propagate configuration information for
extended range VLANs (VLANs 1006 to 4094). You must configure these VLANs manually
on each device. VTP version 3 supports extended-range VLANs. You cannot convert
from VTP version 3 to VTP version 2 if extended VLANs are configured.

•When a VTP version 3 device trunk port receives messages from a VTP version 2
device, it sends a scaled-down version of the VLAN database on that particular
trunk in VTP version 2 format. A VTP version 3 device does not send VTP version 2-
formatted packets on a trunk unless it first receives VTP version 2 packets on that
trunk port.

•When a VTP version 3 device detects a VTP version 2 device on a trunk port, it
continues to send VTP version 3 packets, in addition to VTP version 2 packets, to
allow both kinds of neighbors to coexist on the same trunk.

•A VTP version 3 device does not accept configuration information from a VTP
version 2 or version 1 device.
•Two VTP version 3 regions can only communicate in transparent mode over a VTP
version 1 or version 2 region.

Devices that are only VTP version 1 capable cannot interoperate with VTP version 3
devices.

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

VTP Advertisements
Each switch in the VTP domain sends periodic global configuration advertisements
from each trunk port to a reserved multicast address. Neighboring switches receive
these advertisements and update their VTP and VLAN configurations as necessary.

Note Because trunk ports send and receive VTP advertisements, you must ensure that
at least one trunk port is configured on the switch and that this trunk port is
connected to the trunk port of another switch. Otherwise, the switch cannot receive
any VTP advertisements.

VTP advertisements distribute this global domain information:

•VTP domain name
•VTP configuration revision number
•Update identity and update timestamp
•MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for
each VLAN.
•Frame format

VTP advertisements distribute this VLAN information for each configured VLAN:

•VLAN IDs (ISL and IEEE 802.1Q)
•VLAN name
•VLAN type
•VLAN state
•Additional VLAN configuration information specific to the VLAN type

In VTP version 3, VTP advertisements also include the primary server ID, an
instance number, and a start index.

VTP Version 2
If you use VTP in your network, you must decide which version of VTP to use. By
default, VTP operates in version 1.

VTP version 2 supports these features that are not supported in version 1:

Token Ring support—VTP version 2 supports Token Ring Bridge Relay Function (TrBRF)
and Token Ring Concentrator Relay Function (TrCRF) VLANs.
Unrecognized Type-Length-Value (TLV) support—A VTP server or client propagates
configuration changes to its other trunks, even for TLVs it is not able to parse.
The unrecognized TLV is saved in NVRAM when the switch is operating in VTP server
mode.

########(Verify this in LAB)########


Version-Dependent Transparent Mode—In VTP version 1, a VTP transparent switch
inspects VTP messages for the domain name and version and forwards a message only
if the version and domain name match. Because VTP version 2 supports only one
domain, it forwards VTP messages in transparent mode without inspecting the version
and domain name.

Consistency Checks—In VTP version 2, VLAN consistency checks (such as VLAN names
and values) are performed only when you enter new information through the CLI or
SNMP. Consistency checks are not performed when new information is obtained from a
VTP message or when information is read from NVRAM. If the MD5 digest on a received
VTP message is correct, its information is accepted.

VTP Version 3

VTP version 3 supports these features that are not supported in version 1 or
version 2:

########(Verify this in LAB)########


•Enhanced authentication—You can configure the authentication as hidden or secret.
When hidden, the secret key from the password string is saved in the VLAN database
file, but it does not appear in plain text in the configuration. Instead, the key
associated with the password is saved in hexadecimal format in the running
configuration. You must reenter the password if you enter a takeover command in the
domain. When you enter the secret keyword, you can directly configure the password
secret key.
########(Verify this in LAB)########
•Support for extended range VLAN (VLANs 1006 to 4094) database propagation. VTP
versions 1 and 2 propagate only VLANs 1 to 1005. If extended VLANs are configured,
you cannot convert from VTP version 3 to version 1 or 2.

Note VTP pruning still applies only to VLANs 1 to 1005, and VLANs 1002 to 1005 are
still reserved and cannot be modified.

########(Verify this in LAB)########


•Private VLAN support.

########(Verify this in LAB)########


•Support for any database (Vlan database or MST database) in a domain.

In addition to propagating VTP information, version 3 can propagate Multiple
Spanning Tree (MST) protocol database information. A separate instance of the VTP
protocol runs for each application that uses VTP.

########(Verify this in LAB)########


•VTP primary server and VTP secondary servers. A VTP primary server updates the
database information and sends updates that are honored by all devices in the
system.
A VTP secondary server can only back up the updated VTP configurations received
from the primary server to its NVRAM.

########(Verify this in LAB)########


By default, all devices come up as secondary servers. You can enter the vtp primary
privileged EXEC command to specify a primary server. Primary server status is only
needed for database updates when the administrator issues a takeover message in the
domain. You can have a working VTP domain without any primary servers. Primary
server status is lost if the device reloads or domain parameters change, even when
a password is configured on the switch.

########(Verify this in LAB)########


•The option to turn VTP on or off on a per-trunk (per-port) basis. You can enable
or disable VTP per port by entering the [no] vtp interface configuration command.
When you disable VTP on trunking ports, all VTP instances for that port are
disabled. You cannot set VTP to off for the MST database and on for the VLAN
database on the same port.

########(Verify this in LAB)########


When you globally set VTP mode to off, it applies to all the trunking ports in the
system. However, you can specify on or off on a per-VTP instance basis. For
example, you can configure the switch as a VTP server for the VLAN database but
with VTP off for the MST database.

VTP Pruning
You can only enable VTP pruning on a switch in VTP server mode.
With VTP versions 1 and 2, when you enable pruning on the VTP server, it is enabled
for the entire VTP domain. In VTP version 3, you must manually enable pruning on
each switch in the domain.
Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2
through 1001 are pruning-eligible on trunk ports. Reserved VLANs and extended-range
VLANs cannot be pruned.
Configuring VTP on a Per-Port Basis
With VTP version 3, you can enable or disable VTP on a per-port basis. You can
enable VTP only on ports that are in trunk mode. When VTP is disabled on a port,
incoming and outgoing VTP traffic is blocked, not forwarded.

Note:-
VTP pruning takes effect several seconds after you enable it.
VTP pruning is not designed to function in VTP transparent mode.

VTP pruning increases network available bandwidth by restricting flooded traffic to
those trunk links that the traffic must use to reach the destination devices.
Without VTP pruning, a switch floods broadcast, multicast, and unknown unicast
traffic across all trunk links within a VTP domain even though receiving switches
might discard them. VTP pruning is disabled by default.

VTP pruning blocks unneeded flooded traffic to VLANs on trunk ports that are
included in the pruning-eligible list.
Only VLANs included in the pruning-eligible list can be pruned. By default, VLANs 2
through 1001 are pruning-eligible on switch trunk ports. If the VLANs are configured
as pruning-ineligible, the flooding continues. VTP pruning is supported in all VTP
versions.

The figure below is a switched network without VTP pruning enabled.

Fa0/1 on Switch 1 and Fa0/4 on Switch 4 are assigned to VLAN 10.
If a broadcast is sent from the host PC1 connected to Switch 1, Switch 1 floods the
broadcast and every switch in the network receives it, even though Switches 3, 5,
and 6 have no ports in VLAN 10.

Figure- Flooding Traffic without VTP Pruning

[Figure residue removed. Recoverable labels: Switch1 (fa0/1, PC1, Vlan10), Switch2,
Switch3 (No Vlan10), Switch4 (fa0/4, PC3, Vlan10), Switch5 and Switch6 (No Vlan10);
the arrows show the broadcast flooded over every trunk.]

Below Figure shows a switched network with VTP pruning enabled.


The broadcast traffic from Switch 1 is not forwarded to Switches 3, 5, and 6
because traffic for the VLAN 10 has been pruned on the links shown (fa0/4 on Switch
2 and fa4/0 on Switch 4).

Figure- Optimized Flooded Traffic with VTP Pruning

Remember, pruning works on a join & prune principle.

[Figure residue removed. Same topology and labels as the previous figure; the
trunks toward Switch3 and toward Switch5/Switch6 are marked "flooded traffic is
pruned" (the fa0/2 and fa4/0 labels appear on the pruned links).]

Enabling VTP pruning on a VTP server enables pruning for the entire management
domain. Making VLANs pruning-eligible or pruning-ineligible affects pruning
eligibility for those VLANs on that trunk only (not on all switches in the VTP
domain).

VTP pruning takes effect several seconds after you enable it.
VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1
and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs
cannot be pruned.
As per the design, extended-range VLANs (VLAN IDs higher than 1005) are also
pruning-ineligible.

VTP pruning is not designed to function in VTP transparent mode.


If one or more switches in the network are in VTP transparent mode, you should do
one of these:

•Turn off VTP pruning in the entire network.
•Turn off VTP pruning by making all VLANs on the trunk of the switch upstream to
the VTP transparent switch pruning ineligible.

To configure VTP pruning on an interface, use the switchport trunk pruning vlan
interface configuration command.
VTP pruning operates when an interface is trunking. You can set VLAN
pruning-eligibility whether or not VTP pruning is enabled for the VTP domain,
whether or not any given VLAN exists, and whether or not the interface is currently
trunking.
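An added example, not from the notes or from Cisco: a small simulation of the two pruning figures above. The trunk topology (Switch3 hanging off Switch2) and the VLAN 10 membership are assumptions reconstructed from the figure text, and the ineligible_on parameter models the switchport trunk pruning vlan workaround for transparent switches described above.

```python
"""Flood-reach simulation for the VTP pruning figures.  Added example, not from
the notes or from Cisco.  Topology and VLAN membership are assumptions
reconstructed from the figure text: Switch1-Switch2-Switch4-Switch5-Switch6 in a
chain, Switch3 off Switch2, VLAN 10 access ports only on Switch1 and Switch4."""
from collections import defaultdict

# Trunk links, assumed loop-free (the active topology that STP leaves behind).
TRUNKS = [("Switch1", "Switch2"), ("Switch2", "Switch3"), ("Switch2", "Switch4"),
          ("Switch4", "Switch5"), ("Switch5", "Switch6")]
# Switches with at least one access port in the VLAN (constructed sample data).
MEMBERS = {10: {"Switch1", "Switch4"}}
ALL_SWITCHES = {s for link in TRUNKS for s in link}

DEFAULT_ELIGIBLE = set(range(2, 1002))   # VLANs 2-1001 are pruning-eligible by default


def pruning_eligible(vlan, eligible=DEFAULT_ELIGIBLE):
    """VLAN 1, VLANs 1002-1005 and extended-range VLANs (>1005) are never pruned."""
    if vlan == 1 or vlan >= 1002:
        return False
    return vlan in eligible


def _adjacency(trunks):
    adj = defaultdict(set)
    for a, b in trunks:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def _join_beyond(adj, members, node, came_from):
    """True if some switch in the subtree past `node` (not going back through
    `came_from`) has a port in the VLAN, i.e. a join would be sent upstream."""
    stack = [(node, came_from)]
    while stack:
        n, prev = stack.pop()
        if n in members:
            return True
        stack.extend((m, n) for m in adj[n] if m != prev)
    return False


def pruned_links(vlan, trunks=TRUNKS, members=MEMBERS, ineligible_on=()):
    """Directed trunk links (from, to) on which flooding of `vlan` is pruned.
    `ineligible_on` lists directed links where the VLAN was made
    pruning-ineligible (switchport trunk pruning vlan), so flooding continues."""
    if not pruning_eligible(vlan):
        return []
    adj = _adjacency(trunks)
    vmembers = members.get(vlan, set())
    pruned = []
    for a, b in trunks:
        for src, dst in ((a, b), (b, a)):
            if (src, dst) in ineligible_on:
                continue
            # no join came back from the far side: nothing there needs the VLAN
            if not _join_beyond(adj, vmembers, dst, src):
                pruned.append((src, dst))
    return sorted(pruned)


def flood_reach(source, vlan, pruning=True, trunks=TRUNKS, members=MEMBERS,
                ineligible_on=()):
    """Set of switches that receive a broadcast sent in `vlan` from `source`."""
    adj = _adjacency(trunks)
    blocked = set(pruned_links(vlan, trunks, members, ineligible_on)) if pruning else set()
    reached, stack = {source}, [source]
    while stack:
        n = stack.pop()
        for m in adj[n]:
            if m not in reached and (n, m) not in blocked:
                reached.add(m)
                stack.append(m)
    return reached


if __name__ == "__main__":
    print("without pruning:", sorted(flood_reach("Switch1", 10, pruning=False)))
    print("with pruning:   ", sorted(flood_reach("Switch1", 10)))
    print("pruned links:   ", pruned_links(10))
```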

Default VTP Configuration

Feature                                  Default Setting
VTP domain name                          Null
VTP mode (VTP version 1 and version 2)   Server
VTP mode (VTP version 3)                 The mode is the same as the mode in VTP
                                         version 1 or 2 before conversion to
                                         version 3.
VTP version                              Version 1
MST database mode                        Transparent
VTP version 3 server type                Secondary
VTP password                             None
VTP pruning                              Disabled

$$$$$Lab1$$$$

Vlan
Standard VLANs 10, 20 & 30 propagation
Extended VLANs 1006, 2007, 3008

1-Run VTP in the default mode (Server)
2-Verify the CRN (Configuration Revision Number)
3-Configure the trunk over all the transit links.
4-Enable debug (debug sw-vlan vtp event/packet) on every switch in the transit path
5-Configure VLANs 10, 20, 30 (Question1 - Does this server advertise the VLANs
once I have done the trunk port configuration, or is anything left?)
6-Configure the domain name on the VTP server switch only, since the other switches
automatically join the VTP domain name.

Please note:-
On a 3750 switch, spanning tree blocks a non-trunk port upon 802.1Q BPDU
reception:

%SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet1/1 VLAN1.

Spanning tree blocks the port upon detection of any layer 2 mismatch, such as:

-Native VLAN mismatch
-Port type (Access or Trunk) mismatch
Action - Spanning tree blocks the port and lists it under inconsistentports
as "port type mismatch".

Verify
sh spanning-tree inconsistentports

Solution:
Disable spanning tree on the non-trunk port, or
Configure the non-trunk port as a trunk

VTP
Client - Server architecture

Topologies (T = trunk link):
SW1(VTP Server1) ------T------ SW2(VTP Server2) ------T------ SW3(VTP Server3)
SW1(VTP Server)  ------T------ SW2(VTP Client)  ------T------ SW3(VTP Client)
SW1(VTP Server)  ------T------ SW2(VTP Transparent) ------T------ SW3(VTP Client)

Domain:
Domain null ----------> Domain null <---------- Domain null
Domain-MyLab1 --------> Domain-MyLab1 <-------- Domain-MyLab1

Authentication:
Authentication / Authentication / Authentication

Version combinations (SW1 / SW2 / SW3):
Version1 / Version1 / Version1
Version1 / Version2 / Version1
Version1 / Version3 / Version3
Version2 / Version2 / Version2
Version2 / Version3 / Version2
Version3 / Version3 / Version3

$$$$$Lab2$$$$

VTP Vulnerabilities

$$$$$Lab1$$$$

Replicate the attacks mentioned in Point1 & Point2:

SW1(VTP Server1) ------T------ SW2(VTP Server2) ------T------ SW3(VTP Server3)
Domain null ----------> Domain null <---------- Domain null
Domain-MyLab1 --------> Domain-MyLab1 <-------- Domain-MyLab1

Vulnerabilities:
******************
Point1 (Vulnerability case 1 -> VTP domain name is the default "Null")

-By default, every Cisco switch is a VTP server, which is why you are able
to make VLAN changes on those switches manually.
However, the default domain is null, meaning no domain is configured.
The vulnerability is that if you leave all switches in the default VTP mode, that
is VTP server with domain "null", an attacker can damage your network by launching
a switch spoof attack, sniffing the VTP messages, and then launching a massive VTP
attack by advertising VTP messages with a higher configuration revision number and
fake VLANs. If this succeeds, your network becomes a no man's land (all the
switches update to dummy VLANs that do not exist) - this is what they call having
the ground vanish from under your feet!!!!

Point2 (Vulnerability case 2 -> VTP domain name is configured "MYLAB") - You are
still not safe............
- If an attacker is able to compromise the directly connected switch by
launching the switch spoof attack, the attacker can also launch a massive DoS
attack in your LAN, and there won't be any service available through the victim
switch for any user. This can be mitigated by using a fixed version of the Cat IOS
or IOS code, or by running VTP v3.

Attacks!!
1)First attack launched -> Switch spoof attack

-An attacker can send thousands of DTP frames to the directly connected switch to
launch a MITM/DoS attack.
Result -> CPU & memory resources are fully engaged and go high to process all
those frames, and the switch is unable to process real-time user traffic. This
type of attack can also cause your switch to hang or reboot.

2)Second attack launched (Massive attack)

-An attacker can also exploit the network resources by other means, such as
compromising the directly connected switch by launching the first attack mentioned
above, then sniffing all the VTP messages to learn the VTP domain name, VTP
version, VLAN info & configuration revision number. Now it is high time to launch
a bigger attack than the first one. Why is this a bigger attack? This time the
attacker is not targeting just one switch to launch a massive DoS attack; this
time the target is the whole network, meaning all the switches in your
infrastructure, which means your whole network is under a big threat.
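An added example, not from the notes or from Cisco, that decodes the summary-advertisement fields listed under VTP Advertisements and applies, from the defender's side, the two checks that Point1 and Point2 above call for: a null domain that would adopt any advertisement, and a higher configuration revision number arriving from an updater that is not a known server. The sample frames, the server addresses and the VtpMonitor class are constructed for this example; the header layout is the public VTP summary advertisement format.

```python
"""VTP summary-advertisement parser plus a defender-side revision monitor.
Added example (not from the notes or from Cisco).  The header layout is the
public VTP summary advertisement format; sample frames are constructed inline."""
import struct
from dataclasses import dataclass

SUMMARY_CODE = 0x01                      # message type: summary advertisement
# version(1) code(1) followers(1) domain-len(1) domain(32) revision(4)
# updater-identity(4) update-timestamp(12) md5-digest(16)  -> 72 bytes
_HDR = struct.Struct("!BBBB32sI4s12s16s")


@dataclass
class SummaryAdvert:
    version: int
    followers: int
    domain: str      # management domain name ("" = null domain)
    revision: int    # configuration revision number
    updater: str     # updater identity, carried as an IPv4 address
    timestamp: str   # yymmddhhmmss
    md5: bytes       # MD5 digest over the VLAN configuration


def parse_summary(payload: bytes) -> SummaryAdvert:
    """Decode the fixed header of a VTP summary advertisement."""
    if len(payload) < _HDR.size:
        raise ValueError("payload shorter than a VTP summary advertisement")
    ver, code, followers, dlen, dom, rev, upd, ts, md5 = _HDR.unpack_from(payload)
    if code != SUMMARY_CODE:
        raise ValueError(f"not a summary advertisement (code {code:#x})")
    if dlen > 32:
        raise ValueError("domain length exceeds the 32-byte field")
    return SummaryAdvert(ver, followers, dom[:dlen].decode("ascii", "replace"), rev,
                         ".".join(str(b) for b in upd),
                         ts.decode("ascii", "replace"), md5)


def build_summary(version: int, domain: str, revision: int, updater: str,
                  timestamp: str = "000000000000", md5: bytes = b"\0" * 16,
                  followers: int = 0) -> bytes:
    """Constructed sample frame (inverse of parse_summary) for tests and lab use."""
    if len(domain) > 32:
        raise ValueError("VTP domain names are at most 32 characters")
    upd = bytes(int(o) for o in updater.split("."))
    return _HDR.pack(version, SUMMARY_CODE, followers, len(domain), domain.encode(),
                     revision, upd, timestamp.encode(), md5)


class VtpMonitor:
    """Tracks the domain/revision a switch currently trusts and reports the two
    cases the notes call out: a null domain that would adopt any advertisement
    (Point1), and a higher revision from a source that is not a known VTP server
    (the revision-number attack in Point2).  Hypothetical helper for this example."""

    def __init__(self, expected_domain: str, trusted_revision: int, known_servers):
        self.domain = expected_domain          # "" models the default null domain
        self.revision = trusted_revision
        self.known_servers = set(known_servers)

    def check(self, adv: SummaryAdvert) -> list:
        alerts = []
        if self.domain == "":
            alerts.append(f"null domain: switch would join {adv.domain!r} "
                          f"from {adv.updater}")
            return alerts
        if adv.domain != self.domain:
            alerts.append(f"foreign domain {adv.domain!r} from {adv.updater} "
                          f"(ignored by the switch)")
            return alerts
        if adv.revision > self.revision:
            if adv.updater not in self.known_servers:
                alerts.append(f"revision {self.revision}->{adv.revision} from unknown "
                              f"updater {adv.updater}: VLAN database would be overwritten")
            else:
                self.revision = adv.revision   # legitimate server change, track it
        return alerts


def demo() -> list:
    """Three constructed advertisements seen on one trunk of a MYLAB switch."""
    mon = VtpMonitor("MYLAB", trusted_revision=5, known_servers={"10.0.0.1"})
    frames = [
        build_summary(2, "MYLAB", 6, "10.0.0.1"),    # legitimate server bump
        build_summary(2, "MYLAB", 60, "10.0.0.99"),  # higher revision, unknown source
        build_summary(2, "OTHER", 1, "10.0.0.7"),    # different domain, ignored
    ]
    return [mon.check(parse_summary(f)) for f in frames]


if __name__ == "__main__":
    for result in demo():
        print(result or "ok")
```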

$$$$$Lab2$$$$

1-Run VTP in the default mode (Server)
2-Verify the CRN (Configuration Revision Number)
3-Configure the trunk over all the transit links.
4-Enable debug (debug sw-vlan vtp event/packet) on every switch in the transit path
5-Configure VLANs (Question1 - Does this server advertise the VLANs once I have
done the trunk port configuration, or is anything left?)
6-Configure the domain name on the VTP server switch only, since the other switches
automatically join the VTP domain name.
(Lab2 - Prove it. Connect 3 switches)
SW1(VTP Server1) ------T------ SW2(VTP Server2) ------T------ SW3(VTP Server3)
Domain-MyLab1 --------> Domain null?? <-------- Domain-MyLab2

$$$$$Lab3$$$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

2)STP
What is STP
What is a loop? How many types of loop are there in the network?
-This loop is different from the LOOP protocol at layer 2.
-Layer 2 loop (bridging loop) - there is no TTL feature to eliminate loops
at layer 2.
-Layer 3 loop (routing loop) - TTL is used as one of the loop-elimination
features.
How is a layer 2 loop formed?
-Lab scenario on bridging loop.
_________________________________

You might also like