Velocity Reviews - Computer Hardware Reviews

prevent VTP override by rogue switch on access switchport...

 
 
wr
      09-03-2004
We all know about the VTP issue where a switch with a higher version
VTP file can have its VLAN config overwrite a switch with a lower VLAN
config. So what about the scenario where a rogue user brings in a
Cisco switch and plugs it into the network at the access layer.

The switch it's plugged into is set to be a VTP client, so it is
possible to overwrite this switch's VLAN config. Is there a command to
issue on the switchports to prevent this?

In the most dangerous case, the access layer switch is set to be in
VTP server mode, which would cause the changes to propagate up the
tree to the distribution and possibly core switches.

Here are my solutions so far:

1) Thank goodness access switch is client mode and you only wipe out
one switch.
2) Use VTP domain, as sort of a password
3) Use VTP password to protect the info transfer
4) Stop VTP at a port. HOW DO YOU DO THIS?

I like 4 the best, but don't know how to do this. Any ideas?

thanks,

wr
 
Anthony Louis Swanson
 
      09-03-2004
Try using BPDU guard on the access ports.

Thanks
Anthony

wr wrote:
> We all know about the VTP issue where a switch with a higher version
> VTP file can have its VLAN config overwrite a switch with a lower VLAN
> config. So what about the scenario where a rogue user brings in a
> Cisco switch and plugs it into the network at the access layer.
>
> The switch it's plugged into is set to be a VTP client, so it is
> possible to overwrite this switch's VLAN config. Is there a command to
> issue on the switchports to prevent this?
>
> In the most dangerous case, the access layer switch is set to be in
> VTP server mode, which would cause the changes to propagate up the
> tree to the distribution and possibly core switches.
>
> Here are my solutions so far:
>
> 1) Thank goodness access switch is client mode and you only wipe out
> one switch.
> 2) Use VTP domain, as sort of a password
> 3) Use VTP password to protect the info transfer
> 4) Stop VTP at a port. HOW DO YOU DO THIS?
>
> I like 4 the best, but don't know how to do this. Any ideas?
>
> thanks,
>
> wr


 
Chris Thomas
 
      09-04-2004
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> wr wrote:
> > 1) Thank goodness access switch is client mode and you only wipe out
> > one switch.
> > 2) Use VTP domain, as sort of a password
> > 3) Use VTP password to protect the info transfer
> > 4) Stop VTP at a port. HOW DO YOU DO THIS?


Use the password. This will stop any accidental updates. If someone
is trying to nail you, and actually puts the VTP pw in an
unauthorized switch, then you have worse problems than just VTP.

Using BPDU guard will stop some switches, but lately I've been seeing
some Sony laptops that emit BPDUs in the from-the-factory default, so
in some environments, BPDU guard will nail innocent users.
 
Ivan Ostres
 
      09-04-2004
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> Try using BPDU guard on the access ports.
>
> Thanks
> Anthony
>
> wr wrote:
> > We all know about the VTP issue where a switch with a higher version
> > VTP file can have its VLAN config overwrite a switch with a lower VLAN
> > config. So what about the scenario where a rogue user brings in a
> > Cisco switch and plugs it into the network at the access layer.
> >
> > The switch it's plugged into is set to be a VTP client, so it is
> > possible to overwrite this switch's VLAN config. Is there a command to
> > issue on the switchports to prevent this?
> >
> > In the most dangerous case, the access layer switch is set to be in
> > VTP server mode, which would cause the changes to propagate up the
> > tree to the distribution and possibly core switches.
> >
> > Here are my solutions so far:
> >
> > 1) Thank goodness access switch is client mode and you only wipe out
> > one switch.
> > 2) Use VTP domain, as sort of a password
> > 3) Use VTP password to protect the info transfer
> > 4) Stop VTP at a port. HOW DO YOU DO THIS?
> >
> > I like 4 the best, but don't know how to do this. Any ideas?
> >
> > thanks,
> >
> > wr

My recommendation would be not to use VTP at all. It does much more
trouble than good... Anyway.. how often do you modify your VLAN
settings?


--
-Ivan.

*** Use Rot13 to see my eMail address ***
 
mh
 
      09-04-2004
Solution 5 - disable VTP entirely
 
Wilhelm Becker
 
      09-06-2004


wr wrote:

> 4) Stop VTP at a port. HOW DO YOU DO THIS?
>
> I like 4 the best, but don't know how to do this. Any ideas?
>

Force all user ports to access mode. VTP works only in trunk mode.

 
Hansang Bae
 
      09-07-2004
In article <chh1j1$cht$(E-Mail Removed)-Dortmund.DE>, (E-Mail Removed)-
dortmund.de says...
>
>
> wr schrieb:
>
> > 4) Stop VTP at a port. HOW DO YOU DO THIS?
> >
> > I like 4 the best, but don't know how to do this. Any ideas?
> >

> Force all user ports to access mode. VTP works only in trunk mode.
>
>



Or better yet, set vtp mode to transparent.


--

hsb

"Somehow I imagined this experience would be more rewarding" Calvin
*************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
************************************************** ******************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
************************************************** ******************
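The thread's answers pulled together into one Catalyst IOS configuration, with the weak settings beside the hardened ones. This is an added example, not any poster's config; the domain name CORP, VLAN 10, the FastEthernet range, the recovery interval and the password placeholder are assumptions.

```cisco
! --- Weak: what an unhardened access switch of the era can look like ---
! (constructed example) VTP server, no password, and an edge port that
! will negotiate a trunk with whatever is plugged into it.
vtp domain CORP
vtp mode server
!
interface FastEthernet0/1
 switchport mode dynamic desirable
!
! --- Hardened ---
! Option A (mh's and Hansang's answer): transparent mode keeps this
! switch's own VLAN database and only relays advertisements; it never
! applies them. "vtp mode off" also stops relaying, but needs VTP version 3.
vtp domain CORP
vtp mode transparent
!
! Option B (Chris's answer), if the switch must stay a VTP client: the
! password goes into the MD5 digest of every summary advertisement, so a
! rogue switch that does not know it cannot deliver an accepted update.
! vtp mode client
! vtp password VTP_PASSWORD_PLACEHOLDER
!
! Either way (Wilhelm's answer): VTP is carried on trunks only, so an edge
! port that can never become a trunk never carries VTP. Static access mode
! plus "nonegotiate" stops DTP; BPDU guard err-disables the port if a
! switch (or any other BPDU source) appears behind it.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Chris's caveat: hosts that send BPDUs get err-disabled too. Automatic
! recovery bounds the outage for an innocent user to the interval.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verify:
!   show vtp status                       (Operating Mode: Transparent)
!   show interfaces trunk                 (no user-facing ports listed)
!   show interfaces status err-disabled   (which ports tripped BPDU guard)
```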
 