vtp and md5

sarahr202
Level 5

Hi everybody.

I just configured VLAN 3 on the switch, which increased the configuration revision number, and sw2 generated a summary message with the MD5 computed as shown below:

Sw#show vtp sta
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 36
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : zee
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x33 0x2B 0xB5 0x17 0x51 0x04 0x6E 0x25

How is this MD5 computed, i.e. is it computed over the contents of the VTP message without any key?

Have a great day (yeah, I know it is not the weekend).


4 Replies

kcnajaf
Level 7

Hi Sarah,

It's me again:-)

According to Cisco, "The general purpose of an MD5 value is to verify the integrity of a received packet and to detect any changes to the packet or corruption of the packet during transit. When a switch detects a new revision number that is different from the currently stored value, the switch sends a request message to the VTP server and requests the VTP subsets. A subset advertisement contains a list of VLAN information. The switch calculates the MD5 value for the subset advertisements and compares the value to the MD5 value of the VTP summary advertisement. If the two values are different, the switch increases the No of config digest errors counter."

On top of this:

  • Message Digest 5 (MD5) carries the VTP password, if MD5 is configured and used to authenticate the validation of a VTP update.
  • VTP takes the VTP domain name into account when calculating the VTP MD5 hash.
  • The MD5 hash of a null (default) password. If you debug, you will see data like the below,

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful !!!

Hi Najaf

The general purpose of an MD5 value is to verify the integrity of a received packet and to detect any changes to the packet or corruption of the packet during transit.

  • Message Digest 5 (MD5) carries the VTP password, if MD5 is configured and used to authenticate the validation of a VTP update.
  • VTP takes the VTP domain name into account when calculating the VTP MD5 hash.

If the receiving switch finds the MD5 does not match, it implies two things:

1) the domain name is wrong

2) the VTP password does not match.

But that also means hackers can alter the other fields present in the VTP message while keeping the domain name unaltered.

=================================================================================

Please consider the following example:

sw1----------------------------------------sw2

sw2 receives a VTP summary advertisement with a higher config number.

sw2 sends a VTP advertisement request.

sw1 first sends a VTP summary advertisement listing the number of subset advertisements to follow.

sw1 then sends VTP subset advertisements.

Here is my question. Since the MD5 hash is computed using the domain name and the password (if one is configured), all the VTP advertisements sent by sw1 will have the same MD5 hash, because the domain name and password are the same.

However, when I performed the lab I found that sw1 always sends VTP messages with a different hash value.

Sw1----------------------------------sw2

sw1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 36
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : zee
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xC2 0x6F 0x90 0xF9 0x75 0x7F 0x92 0x68
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Next I configure VLAN 2 on sw1, which increases the config revision number to 1:

R1#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 36
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : zee
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xE3 0xC6 0x61 0x30 0x70 0x95 0xBA 0xEC
Configuration last modified by 0.0.0.0 at 3-1-02 00:02:49
Local updater ID is 0.0.0.0 (no valid interface found)

The MD5 hash is different each time a VTP message is transmitted even though the domain name and password (it is null) are the same.

I appreciate your help.

Have a good night.

Hi,

"The MD5 hash is different each time a VTP message is transmitted even though the domain name and password (it is null) are the same."

This is because the configuration revision number is used to calculate the hash, and as it is different after creating the VLAN, the MD5 will be different.

Regards.

Alain

Don't forget to rate helpful posts.
Don't forget to rate helpful posts.

Hi Sarah,

This is due to the configuration revision number, like Alain said.

I think the output you got was captured while the switch was converging the VTP information. During the next VTP advertisement Sw2 will send its VTP advertisement to Sw1, and Sw1 verifies the configuration revision number it gets from Sw2, identifies it as higher and accepts this information. Now Sw1 calculates the MD5 value based on the new configuration revision number it received from Sw2. After this calculation both Sw1 and Sw2 will have the same MD5 value.

Hope this helps.

Regards

Najaf