Vlans leaking into my switch

Johan Olsson
Level 1

Hello,

We rent an office place in a large campus. I have not thought so much about vtp settings etc and we have a stack of two 3750 switches and a few 2960 access switches. The 3750 switches are set in vtp server mode. They are in default configuration and no vtp domain.

Now we have rented an additional office space on the other side of the campus and they have setup a fiber cable between our two offices.

I have connected the fiber to one of the 3750 switches in our main office. In the new small office I have a cisco 2960 with default vtp settings. I have created our internal vlan (20) manually and the communication is working between our networks.

But now I see a lot of other vlans in the 2960 remote switch and if I type "show vtp status" I get a "domain-name" from another company in the building.

I suspect that the fiber cable between my offices is shared and now the other company's vlan/vtp server/domain is leaking into my switch.

This is not happening on my 3750 switch on the other side.

Can someone please explain how this can happen and what I should do? I do not feel secure with this and I assume if I configure a switch port interface with one of the other company’s vlan I can access their network? And maybe they can access mine.

Thanks for any inputs!

9 Replies

Jon Marshall
Hall of Fame

Can you post a "sh vtp status" from both the 3750 stack and the 2960 switch.

Did you connect the 2960 with a trunk or an access port link?

Can you also post a "sh int trunk" from your 2960.

Jon

Hi, here it is.

sh int trunk on 2960:

#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/24      1-4094

Port        Vlans allowed and active in management domain
Gi0/24      1-3,8-14,20-21,29-38,40,50,55,70-72,84,96,99-101,192,200,224,250,254-255,300-302,314,400-431,500,600-601,661,666

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      1-3,8-14,20-21,29-38,40,50,55,70-72,84,96,99-101,192,200,224,250,254-255,300-302,314,400-431,500,600-601,661,666
2960:

#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : xxx.xxx.com
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 001f.6dd2.2f00
Configuration last modified by 10.52.2.12 at 6-24-93 08:08:15
Local updater ID is 10.52.2.12 on interface Vl20 (lowest numbered VLAN interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 255
Number of existing VLANs          : 84
Configuration Revision            : 118
MD5 digest                        : 0xB0 0xAA 0xAC 0x08 0xBF 0x8B 0x26 0x06
                                    0x52 0xF7 0xED 0x59 0x6B 0x83 0x4D 0x7A

3750

#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0013.1a24.f980
Configuration last modified by 10.52.2.253 at 7-30-15 13:36:53
Local updater ID is 10.52.2.253 on interface Vl20 (lowest numbered VLAN interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 45
Configuration Revision            : 0
MD5 digest                        : 0x1D 0x3D 0xE4 0x38 0x1F 0xA0 0xD4 0x7B
                                    0xD1 0x46 0xF5 0xA0 0xB2 0xB2 0xF0 0xF6

While I agree with Joe's comments it's not at all clear how your 2960 has picked up this information.

What does a "sh cdp neighbour detail" show on the 2960?

Do you have any VTP passwords set ?

If not, it's not clear either why your 2960 has not overwritten your 3750, because as soon as your 2960 gets a domain name it should be advertising its vlans, and the revision number is a lot higher on the 2960.

Unless Joe can spot something I have missed?

Jon

Hi Jon,

Thanks for the info,
cdp only shows my 3750 switch. I have not configured any vtp password. I think I will begin to set all switches to transparent mode, it feels more secure right now until I have talked to the people where we rent the connection. It would be really bad if my vlan was overwritten by another switch.

I agree, that is the first thing I would do as well.

It's really not clear how this connection is working but if you change to VTP transparent and manually match up the vlan databases then at least that protects you to some extent.

Jon

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Pre v3 VTP with a default will, I believe, "pick up" a domain name from another switch whose domain isn't a default (across a trunk).  So, yes, it's possible your switches have picked up and joined a VTP domain you didn't intend.

If this happens, besides your switches using a different VLAN database, they can lose their prior defined VLANs.

As to what you can do, you can either change your switches to not use VTP themselves (transparent or off mode), or place them into their own VTP domain.  Switches can still pass traffic between different VTP domains, but they won't share the same VLAN database.

Which approach to use depends on whether you want to use VTP yourself or not.  Personally, I like anything that automates some management, but many hate VTP with a passion because of how easy it is to fall into situations like the one you describe.  If you do pursue using VTP, understand it, to avoid issues like this one and if your switches support it, consider using VTP v3, which is designed to avoid similar situations by default.
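To make the two behaviours discussed above concrete (Jon's point that the 2960's revision 118 should beat the 3750's revision 0, and Joseph's point that a pre-v3 switch with a blank domain will adopt a neighbour's domain), here is an added Python example that is not part of this thread or of any Cisco tool. It parses the fields that matter out of "show vtp status" output and reports what VTP v1/v2 would do across the trunk; the sample outputs are trimmed copies of the ones posted above, and the rules are only the v1/v2 domain-join and revision-number rules, not the full protocol.

```python
import re

# Constructed samples: the relevant lines from the two "show vtp status" outputs in this thread.
SHOW_VTP_2960 = """\
VTP version running             : 1
VTP Domain Name                 : xxx.xxx.com
VTP Operating Mode                : Server
Configuration Revision            : 118
"""
SHOW_VTP_3750 = """\
VTP version running             : 1
VTP Domain Name                 :
VTP Operating Mode                : Server
Configuration Revision            : 0
"""

def parse_vtp_status(text):
    """Extract version, domain, mode and revision from 'show vtp status' output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return {
        "version": int(fields.get("VTP version running", "1")),
        "domain": fields.get("VTP Domain Name", ""),
        "mode": fields.get("VTP Operating Mode", ""),
        "revision": int(fields.get("Configuration Revision", "0")),
    }

def assess(local, neighbor):
    """Findings for 'local' when it trunks to 'neighbor' (VTP v1/v2 rules only)."""
    findings = []
    if local["version"] >= 3 or local["mode"] not in ("Server", "Client"):
        return findings  # v3, transparent and off do not auto-join or accept a takeover
    if local["domain"] == "" and neighbor["domain"]:
        # A blank (default) domain is filled in from the first advertisement heard on a trunk.
        findings.append("NULL_DOMAIN_WILL_JOIN:" + neighbor["domain"])
    effective = local["domain"] or neighbor["domain"]
    if effective == neighbor["domain"] and neighbor["revision"] > local["revision"]:
        # Same domain and a higher revision on the far side: local VLAN database gets replaced.
        findings.append("DATABASE_OVERWRITE_BY_HIGHER_REVISION")
    return findings

if __name__ == "__main__":
    s3750, s2960 = parse_vtp_status(SHOW_VTP_3750), parse_vtp_status(SHOW_VTP_2960)
    print("3750 facing 2960:", assess(s3750, s2960))
    print("2960 facing 3750:", assess(s2960, s3750))
```

With the posted values, the 3750 is the switch at risk: it would adopt xxx.xxx.com and then lose its VLAN database to revision 118, which is exactly what setting transparent mode (the mode check at the top of assess) prevents.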

Hello Joseph,

Thanks for the information, but isn't this a big security issue, can someone put their switchport in my "vlan 20" and access my resources? I believed that they configured the fiber connection as an isolated connection, but now it seems to be an "open" shared network.

I am also thinking about if the switch received the vlans before the connection was set up? Is there any way to check if I still have access to the vtp domain?

Well, it is and isn't a security issue.  VLANs are still defined per port.  What you're sharing is the VLAN database.  VLAN traffic would still share across trunks if the VLAN tags agree, even if the VLAN databases did not.  So the security issue is your VLAN database being replaced, or the converse, more so than exchanging traffic, which has its own security issues.  Generally, if you're sharing traffic at L2, your security is likely low because security is often imposed at L3, not L2.

Regarding access, you can examine your switches' VTP settings - on your VTP servers, you likely can make changes, which may impact the other company.  What you want to do is isolate the two VTP domains, if you don't want them to share.

piyush.dhupia
Level 1

Hi,

Please check the VTP mode of the 2960 switch; by default it is in Server mode; make it transparent or client.

Take the downtime (1 hr maximum) and before that, if possible, delete all configuration or reset to factory mode (write erase command).

Configure the VTP mode first, before connecting to the network.
