I have a question regarding Spanning Tree Root.
I work in a Call Center; this organization uses Cisco switches to manage its infrastructure. Some clients have built a hybrid topology (they use the Call Center's L2 switches to connect end users but have a connection to their own L3 switch and firewall to reach their network services).
The Call Center has an Admin VLAN, VLAN 10, with the Spanning Tree root bridge left at the default (the switch with the lowest MAC address). But it came to my attention that this main VLAN has a different root bridge than the other VLANs.
Example:
Switch_Core#sh spanning-tree root
!
Vlan Root ID Cost Time Age Dly Root Port
VLAN0008 32776 000c.cee2.a940 19 2 20 15 Gi0/46
VLAN0009 32777 000c.cee2.a940 19 2 20 15 Gi0/46
VLAN0010 32768 0026.995a.fb00 42 2 20 15 Gi0/48
!
By tracing the root bridge hop by hop, I found that VLAN 10 reaches another switch from the company:
!
Switch_Dist#sh spanning-tree root | i VLAN0010
!
VLAN0010 32768 0026.995a.fb00 38 2 20 15 Gi0/8
!
Tracing further, the next hop toward this VLAN's root bridge is a client switch (which I am unable to access), with a cost of 38.
My question is whether this Call Center may be exposed to any attack, since the Admin VLAN's root bridge sits within another switch topology.
I did not create this topology but found these configuration mistakes, and the Spanning Tree redesign I proposed (rearranging the root bridge to give the core switch the highest value, and upgrading to RSTP) was approved just recently. But I wonder what consequences the Admin VLAN having been exposed for so long will have produced.
The current topology has no VTP password; since we're sharing L2 switches with clients, should the call center implement a VTP password as well?
Any suggestions are welcome.
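As an added example, not part of the original post: a small Python script that parses "show spanning-tree root" output like the one above and flags VLANs whose root bridge is not the expected core switch or whose root port points toward a client-owned switch. The sample input is the three rows from the Switch_Core output. The expected root MAC (000c.cee2.a940, taken from the VLAN 8 and 9 rows), the client-facing port (Gi0/48) and the assumption that bridges use the extended system ID (priority = configured value + VLAN ID, default 32768) are assumptions made for this example, not facts stated in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the rows posted from "Switch_Core#sh spanning-tree root".
SAMPLE_OUTPUT = """\
Vlan Root ID Cost Time Age Dly Root Port
VLAN0008 32776 000c.cee2.a940 19 2 20 15 Gi0/46
VLAN0009 32777 000c.cee2.a940 19 2 20 15 Gi0/46
VLAN0010 32768 0026.995a.fb00 42 2 20 15 Gi0/48
"""

# One data row: VLAN name, root priority, root MAC, cost, hello, max age, fwd delay,
# and an optional root port (blank when the local switch is itself the root).
ROW_RE = re.compile(
    r"^VLAN0*(?P<vlan>\d+)\s+(?P<prio>\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<cost>\d+)\s+\d+\s+\d+\s+\d+(?:\s+(?P<port>\S+))?\s*$"
)

DEFAULT_BRIDGE_PRIORITY = 32768


@dataclass
class RootEntry:
    vlan: int
    priority: int      # root bridge priority as displayed (includes the VLAN ID)
    mac: str           # root bridge MAC address
    cost: int          # path cost from this switch to the root
    root_port: Optional[str]


def parse_root_table(text: str):
    """Parse 'show spanning-tree root' output into RootEntry objects; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            entries.append(RootEntry(int(m["vlan"]), int(m["prio"]), m["mac"],
                                     int(m["cost"]), m["port"]))
    return entries


def is_default_priority(entry: RootEntry) -> bool:
    """True when the root's priority is the untouched default (32768 + VLAN ID under the
    extended system ID scheme, an assumption here). A default-priority root means nobody
    chose it; any bridge with a lower priority or MAC can take the role over."""
    return entry.priority - entry.vlan == DEFAULT_BRIDGE_PRIORITY


def audit(entries, expected_root_mac: str, client_facing_ports=frozenset()):
    """Return (vlan, message) findings for VLANs whose root is not the expected core switch
    or whose root port leads toward a port that faces a client switch."""
    findings = []
    for e in entries:
        if e.mac != expected_root_mac:
            findings.append((e.vlan, f"root bridge is {e.mac} (priority {e.priority}), "
                                     f"not the expected core {expected_root_mac}"))
        if e.root_port in client_facing_ports:
            findings.append((e.vlan, f"root port {e.root_port} faces a client switch; "
                                     f"BPDUs arriving there are winning the election"))
    return findings


if __name__ == "__main__":
    parsed = parse_root_table(SAMPLE_OUTPUT)
    for vlan, msg in audit(parsed, "000c.cee2.a940", {"Gi0/48"}):
        print(f"VLAN {vlan}: {msg}")
    for e in parsed:
        print(f"VLAN {e.vlan}: default root priority = {is_default_priority(e)}")
```

Run the same parser against the Switch_Dist output (or any other switch along the path) with that switch's expected root MAC and its own client-facing ports to confirm where the root for VLAN 10 actually sits; a root bridge that is unreachable for management and elected purely on MAC address is exactly what a deliberate priority configuration plus root guard on client-facing ports is meant to rule out.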