prevent VTP override by rogue switch on access switchport...

Discussion in 'Cisco' started by wr, Sep 3, 2004.

  1. wr

    wr Guest

    We all know about the vtp issue where a switch with a higher version
    vtp file can have its vlan config overwrite a switch with a lower vlan
    config. So what about the scenario where a rogue user brings in a
    cisco switch and plugs it into the network at the access layer.

    The switch it's plugged into is set to be a VTP client, so it is
    possible to overwrite this switch VLAN config. Is there a command to
    issue on the switchports to prevent this?

    In the most dangerous case, the access layer switch is set to be in
    VTP server mode, which would cause the changes to propagate up the
    tree to the distribution and possibly core switches.

    Here are my solutions so far:

    1) Thank goodness access switch is client mode and you only wipe out
    one switch.
    2) Use VTP domain, as sort of a password
    3) Use VTP password to protect the info transfer
    4) Stop VTP at a port. HOW DO YOU DO THIS?

    I like 4 the best, but don't know how to do this. Any ideas?

    thanks,

    wr
     
    wr, Sep 3, 2004
    #1

  2. Try using BPDU guard on the access ports.

    Thanks
    Anthony

    wr wrote:
    > We all know about the vtp issue where a switch with a higher version
    > vtp file can have its vlan config overwrite a switch with a lower vlan
    > config. So what about the scenario where a rogue user brings in a
    > cisco switch and plugs it into the network at the access layer.
    >
    > The switch it's plugged into is set to be a VTP client, so it is
    > possible to overwrite this switch VLAN config. Is there a command to
    > issue on the switchports to prevent this?
    >
    > In the most dangerous case, the access layer switch is set to be in
    > VTP server mode, which would cause the changes to propagate up the
    > tree to the distribution and possibly core switches.
    >
    > Here are my solutions so far:
    >
    > 1) Thank goodness access switch is client mode and you only wipe out
    > one switch.
    > 2) Use VTP domain, as sort of a password
    > 3) Use VTP password to protect the info transfer
    > 4) Stop VTP at a port. HOW DO YOU DO THIS?
    >
    > I like 4 the best, but don't know how to do this. Any ideas?
    >
    > thanks,
    >
    > wr
     
    Anthony Louis Swanson, Sep 4, 2004
    #2

  3. Chris Thomas

    Chris Thomas Guest

    In article <>, says...
    > wr wrote:
    > > 1) Thank goodness access switch is client mode and you only wipe out
    > > one switch.
    > > 2) Use VTP domain, as sort of a password
    > > 3) Use VTP password to protect the info transfer
    > > 4) Stop VTP at a port. HOW DO YOU DO THIS?


    Use the password. This will stop any accidental updates. If someone
    is trying to nail you, and actually puts the VTP pw in an
    unauthorized switch, then you have worse problems than just VTP.

    Using BPDU guard will stop some switches, but lately I've been seeing
    some Sony laptops that emit BPDUs in the from-the-factory default, so
    in some environments, BPDU guard will nail innocent users.
     
    Chris Thomas, Sep 4, 2004
    #3
  4. Ivan Ostres

    Ivan Ostres Guest

    In article <>, says...
    > Try using BPDU guard on the access ports.
    >
    > Thanks
    > Anthony
    >
    > wr wrote:
    > > We all know about the vtp issue where a switch with a higher version
    > > vtp file can have its vlan config overwrite a switch with a lower vlan
    > > config. So what about the scenario where a rogue user brings in a
    > > cisco switch and plugs it into the network at the access layer.
    > >
    > > The switch it's plugged into is set to be a VTP client, so it is
    > > possible to overwrite this switch VLAN config. Is there a command to
    > > issue on the switchports to prevent this?
    > >
    > > In the most dangerous case, the access layer switch is set to be in
    > > VTP server mode, which would cause the changes to propagate up the
    > > tree to the distribution and possibly core switches.
    > >
    > > Here are my solutions so far:
    > >
    > > 1) Thank goodness access switch is client mode and you only wipe out
    > > one switch.
    > > 2) Use VTP domain, as sort of a password
    > > 3) Use VTP password to protect the info transfer
    > > 4) Stop VTP at a port. HOW DO YOU DO THIS?
    > >
    > > I like 4 the best, but don't know how to do this. Any ideas?
    > >
    > > thanks,
    > >
    > > wr

    >
    >


    My recommendation would be not to use VTP at all. It does much more
    trouble than good... Anyway.. how often do you modify your VLAN
    settings?


    --
    -Ivan.

    *** Use Rot13 to see my eMail address ***
     
    Ivan Ostres, Sep 4, 2004
    #4
  5. mh

    mh Guest

    Solution 5 - disable VTP entirely
     
    mh, Sep 4, 2004
    #5
  6. wr wrote:

    > 4) Stop VTP at a port. HOW DO YOU DO THIS?
    >
    > I like 4 the best, but don't know how to do this. Any ideas?
    >

    Force all user ports to access mode. VTP works only in trunk mode.
     
    Wilhelm Becker, Sep 6, 2004
    #6
  7. Hansang Bae

    Hansang Bae Guest

    In article <chh1j1$cht$-Dortmund.DE>, -
    dortmund.de says...
    >
    >
    > wr wrote:
    >
    > > 4) Stop VTP at a port. HOW DO YOU DO THIS?
    > >
    > > I like 4 the best, but don't know how to do this. Any ideas?
    > >

    > Force all user ports to access mode. VTP works only in trunk mode.
    >
    >



    Or better yet, set vtp mode to transparent.


    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Sep 7, 2004
    #7
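    The advice in posts #3, #6 and #7 (VTP password, access-mode user ports, transparent mode) and the BPDU guard suggestion from post #2, collected into one Catalyst IOS configuration. This is an added example, not configuration posted by anyone in the thread; the interface range, VLAN number, domain name and password are placeholders.

```ios
! Added example; not from any poster in this thread. Assumes a Catalyst
! IOS access switch. Interface range, VLAN, domain and password are
! placeholders.
!
! Post #7: transparent mode. The switch still forwards VTP advertisements
! on its trunks but never applies them, so a rogue switch advertising a
! higher configuration revision cannot overwrite the local VLAN database.
vtp mode transparent
!
! Post #3: if VTP has to stay in server/client mode, set a password. The
! password feeds the MD5 digest in every advertisement; a switch that does
! not know it produces a digest mismatch and its updates are discarded.
vtp domain EXAMPLE-DOMAIN
vtp password EXAMPLE-PASSWORD
!
! Post #6: VTP advertisements only travel over trunk links. Pin every user
! port to access mode and turn off DTP so a switch plugged into the port
! cannot negotiate a trunk in the first place.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 ! Post #2: BPDU guard err-disables the port when a bridge appears on it.
 ! Post #3's caveat applies: hosts that emit BPDUs get err-disabled too.
 spanning-tree bpduguard enable
!
! Checks after applying:
!   show vtp status               -> "VTP Operating Mode : Transparent"
!   show interfaces trunk         -> no user port should appear
!   show interfaces status err-disabled  -> ports tripped by BPDU guard
```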
