Hi, well my question goes with the possible consequences of a third party (client infrastructure) is been owned the Call Center Admin Root Vlan for so long and to know if Call Center has been exposed to some kind of attack since Call Center VTP domain has no password enable.

A STP change management was approved (but with pending date to implement) to modify the Root bridge and provide the Switch core the Vlan Root Bridge management as should be.

Thank you

Thank you for your feedback.

Hello @patramirezort ,

usind a password for protection of VTP domain if using VTP version 2 is something I would suggest and that can be added.

The change for adding a password will require a maintenance window but there is no real impact during the deployment

At the end you can check that all switches are again in the same VP domain but with a hash ( 16 bytes if I correctly remember ).

On the long term moving to VTP version 3 is the best choice for security as it eliminates the issue of the rogue switch with a greater revision number that can change the VTP database.

Of coiurse before moving to VTP version 3 you should check using

show vtp status

that all of your switches support VTP version 3.

This would be a greater change but it is a wise move on the long term.

Hope to help

Giuseppe

Giuseppe,

I also agree that if @patramirezort is actively using VTP in his network, it would be best to protect it with a password. At the same time, knowing VTP deficiencies, I personally recommend considering migating away from VTP altogether. If the network size is small (only a handful of switches), and if the VLANs are added or removed infrequently, running VTP there brings little to no advantage. In such case, it would be safer to just disable VTP altogether (or at least move it to transparent mode).

As for the need of a maintenance window to configure a VTP password, I respectfully disagree there. Configuring VTP password is a non-disruptive operation. A VTP password mismatch means that a change to the VLAN database will not be accepted by the switch with a different VTP password, but the existing VLANs won't disappear - they will stay in place. The only real risk is with VTP Pruning. If VTP Pruning is on, a password mismatch could potentially result into blackholing of the broadcast / unknown unicast / multicast (BUM) traffic.

Best regards,
Peter

Hello Peter,

>> As for the need of a maintenance window to configure a VTP password, I respectfully disagree there

Yes, from a technical point of view there should be no impact in deploying a VTP password .

I expressed my thoughts in a wrong way I should have written: 

"The change for adding a password would not require a maintenance window because there is no real impact during the deployment. However, depending on how change management happens in your company ( ITIL policies for example)  you ( = the original poster) may feel more comfortble to ask for one."

Regarding moving to VTP transparent mode is a possible advice and it can be a good move if the network is small with stable set of VLANs or even in a big environment with the need to create and delete VLANs if network automation is used by IT stuff.

We don't know how many switches are under the admin control of the original poster. We can assume that the set of Vlans is stable being a contact center serving multiple customers we can think that new VLANs are added for new customers.

However, it is difficult to say more.

Hope to help

Giuseppe

I just wanted to add, some years ago, ran into a production issue with VTP pruning.  Had part of a production network where a VLAN would work for a few minutes, and then stop working.  I did find the issue, and resolved it.

Don't recall the full particulars, but it was due to VTP and pruning.  Cisco was working fine, i.e. wasn't a bug, but it was somehow related to various timers of how long it would take VTP to actually prune vs. VLAN information.  I think (?) it has something to due with a switch, being transversed, that wasn't running VTP (as a client [or server]).

Personally, I like VTP, but have seen a whole production network's VLANs dropped by the classical (and careless) adding a prior lab switch to the production network.  (BTW, at least for that one, it wasn't me.)

VTP, to me, is like "matches".  Can be very useful, but if you're careless, you'll get burned.

I haven't used it, but my reading of VTPv3, addresses most, if not all, of the "classical" "accidents" that can happen with earlier VTP versions.

Oh, I don't recall for sure, but VTP v1 or v2, passwords might be passed at clear text.  I.e. if so, not a super strong security option, but I also recommend using it, as it was another "safeguard" to help insure safe VTP operation (along with defining an actual VTP domain).  Configure both to help preclude "accidents".

Hello @Joseph W. Doherty ,

I tested in a lab the possible accident of adding a switch with an higer revision number to avoid to rebuild the lab we just demonstrate it was able to update the VLAN DB by adding a new VLAN.

>> I don't recall for sure, but VTP v1 or v2, passwords might be passed at clear text.

My understanding is that the password is used to create an MD5 hash at least in VTP version 2.

Nowdays MD5 is considered breakable but at least passwords are not sent in clear text.

VTPv3 is really a great improvement and it can be combined with MST and using an additional database it can advertsie VLANS to MST instances mappings making life easier in case of a change.

In VTPv3 only the primary server can make changes to the VLAN database and this solves all the issues of older versions.

Hope to help

Giuseppe

Hi,

Thank you again for your best practices recommendations.

Regards,

Patricia

Good day Giuseppe, 

Thank you for your VTP best practices recommendations.

Patricia