Identify VLAN source

D_Lebedev
Level 3

Hi,

We've about 300 Cisco devices in our network.

A couple of weeks ago I noticed that about 30 new VLANs had appeared on all the L3 devices. I can confirm that none of these VLANs belong to our network. I tried to identify the source of these foreign VLANs, but without success.

 

Can anybody please advise me how it would be possible to find the source device these VLANs are coming from?

 

Thank you.

7 Replies

Seb Rupik
VIP Alumni

Hi there,

Please clarify: did the Layer 2 VLAN definitions appear in the VLAN databases, or did the Layer 3 SVIs appear in the running config?

 

cheers,

Seb.

Hi

The VLANs cannot be created by themselves, so you could check your syslog servers or configure archive to collect more information about who configured them. You should verify your VTP configuration as well.




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Seb asks a good question about whether we are talking about Layer 2 VLANs or Layer 3 SVIs. Assuming that it is Layer 2 VLANs, then probably the next question is what VTP mode the switches are in, and which switches are masters in VTP?

 

HTH

 

Rick

D_Lebedev
Level 3

Hi, Thanks for your replies.

On one of our core 4500X switches I can see the VLANs in the running config as well.

 

On the other L3 and L2 switches the foreign VLANs are shown in the VLAN database.

 

The issue is that we have WAN links from a few providers, and I can tell from the VLAN names that these VLANs belong to other companies. I have already contacted all of our providers, but none of them confirmed the problem as their own.

Are you running VTP (i.e. not transparent) on the switches in question? It seems unlikely that you would have the same VTP domain name configured as your WAN providers, but not impossible (vtp domain cisco).

If you are running VTP client/server, what is the output of 'sh vtp status'? This will give us a clue as to the whereabouts of the VTP server.

If you aren't using VTP, and VLANs which haven't been configured by your network team are appearing in your database, then you have a more serious security situation to deal with!

 

cheers,

Seb.

Thanks for the additional information. If you do see the VLANs in show run on one of your 4500s, then it is likely that someone added those VLANs by configuring that switch. So then the question becomes: who has access to configure that switch? And the question is also whether you have any logging enabled that might show who made those changes.

 

I agree with Seb that it is unlikely (though possible) that the new VLANs were learned from the ISP. show vtp status would be a good way to gather information that might be helpful.

 

HTH

 

Rick

Hi,

From my knowledge, even if a switch does not have any VTP configured (it will be in the "null" domain), it will accept the VTP configuration (including the domain name) from other switches and update its database. This is applicable only if the new switch is in the "null" domain. So I am suspecting this might be the case here.

 

Still not sure if we can track where the VLAN information is sourced from by using the "sh vtp status" output. I think we need to run this on all switches to see which one is the master. Please advise me if there is any other option to get this.
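The replies above converge on collecting 'sh vtp status' from every switch and comparing. The two fields that actually point at the source are "Configuration last modified by <ip>" (the updater ID of the server whose change the whole domain now holds) and "Local updater ID is <ip>" (the ID a server stamps on its own updates): if the first IP matches no switch you manage, the database was pushed from outside your gear, which is exactly the WAN-provider scenario discussed here. The script below is an added example written for this thread, not code from any post or from Cisco; the four captures are constructed (hostnames, IPs and MD5 values made up), trimmed to the lines the parser uses, and cover both the flat 'show vtp status' layout and the newer "Feature VLAN:" layout. The null-domain and transparent handling follows VTP v1/v2 behaviour.

```python
"""Find where a VTP-distributed VLAN database came from by reading 'show vtp status'
captured on several switches.  Added example for this thread, not code from any
post; the captures are constructed (hostnames and IPs made up), trimmed to the
lines the parser uses, and cover both the flat and the 'Feature VLAN:' layout."""
import re
from dataclasses import dataclass

CAPTURES = {  # constructed 'show vtp status' output, one entry per switch
    "core4500x": """\
VTP Domain Name                 : CORP
Configuration last modified by 172.16.9.3 at 2-14-19 03:12:07
Local updater ID is 10.0.0.1 on interface Vl1 (lowest numbered VLAN interface found)
Feature VLAN:
VTP Operating Mode                : Server
Number of existing VLANs          : 37
Configuration Revision            : 212
""",
    "access1": """\
Configuration Revision          : 212
Number of existing VLANs        : 37
VTP Operating Mode              : Client
VTP Domain Name                 : CORP
Configuration last modified by 172.16.9.3 at 2-14-19 03:12:07
""",
    "dist1": """\
Configuration Revision          : 0
Number of existing VLANs        : 12
VTP Operating Mode              : Transparent
VTP Domain Name                 : CORP
""",
    "edge1": """\
Configuration Revision          : 0
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
""",
}

@dataclass
class VtpStatus:
    hostname: str
    domain: str
    mode: str
    revision: int
    vlan_count: int
    last_modified_by: str  # IP of the device that originated the database now installed
    updater_id: str        # IP this device stamps on updates it originates itself

_FIELD = re.compile(r"^([A-Za-z0-9 ]+?)\s*:\s*(.*)$")
_LAST_MOD = re.compile(r"Configuration last modified by (\S+) at ")
_UPDATER = re.compile(r"Local updater ID is (\S+)")
NO_IP = {"", "0.0.0.0"}

def parse_vtp_status(hostname, text):
    """Extract the fields that matter from either 'show vtp status' layout."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    last, upd = _LAST_MOD.search(text), _UPDATER.search(text)
    return VtpStatus(
        hostname, fields.get("vtp domain name", ""),
        fields.get("vtp operating mode", "unknown").lower(),
        int(fields.get("configuration revision", "0")),
        int(fields.get("number of existing vlans", "0")),
        last.group(1) if last else "", upd.group(1) if upd else "")

def analyse(statuses):
    """Group captures by domain and name the device whose update everyone holds."""
    report = {"transparent": [], "null_domain": [], "domains": {}}
    by_domain = {}
    for s in statuses:
        if s.mode == "transparent":   # ignores advertisements: foreign VLANs here did not arrive via VTP
            report["transparent"].append(s.hostname)
        elif not s.domain:            # VTP v1/v2 null domain: adopts the first domain name heard on a trunk
            report["null_domain"].append(s.hostname)
        else:
            by_domain.setdefault(s.domain, []).append(s)
    for domain, members in by_domain.items():
        updaters = {m.last_modified_by for m in members} - NO_IP
        owners = {m.updater_id: m.hostname for m in members if m.updater_id not in NO_IP}
        report["domains"][domain] = {
            "members": [m.hostname for m in members],
            "servers": [m.hostname for m in members if m.mode == "server"],
            "revision": max(m.revision for m in members),
            "updater_ips": sorted(updaters),
            # managed servers whose updater ID stamped the installed database
            "source_hosts": sorted(owners[ip] for ip in updaters if ip in owners),
            # updater IDs belonging to no captured device: pushed from outside this set
            "unaccounted_updaters": sorted(ip for ip in updaters if ip not in owners),
        }
    return report

if __name__ == "__main__":
    import json
    statuses = [parse_vtp_status(h, t) for h, t in CAPTURES.items()]
    print(json.dumps(analyse(statuses), indent=2))
```

With the constructed captures, the CORP domain holds revision 212 stamped by 172.16.9.3, an updater ID that belongs to none of the captured switches, so it lands in "unaccounted_updaters"; "edge1" is flagged as a null-domain server, the kind of switch that will take on whatever domain it first hears on a trunk; "dist1" is transparent and so could not have received the VLANs over VTP. Replace the CAPTURES entries with real output from all switches and the same three lists tell you which device, if any of yours, originated the database, and which ones sit exposed.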
