prevent VTP override by rogue switch on access switchport...

Discussion in 'Cisco' started by wr, Sep 3, 2004.

  1. wr

    wr Guest

    We all know about the VTP issue where a switch with a higher revision
    VTP file can have its VLAN config overwrite a switch with a lower VLAN
    config. So what about the scenario where a rogue user brings in a
    Cisco switch and plugs it into the network at the access layer?

    The switch it's plugged into is set to be a VTP client, so it is
    possible to overwrite this switch's VLAN config. Is there a command to
    issue on the switchports to prevent this?

    In the most dangerous case, the access layer switch is set to be in
    VTP server mode, which would cause the changes to propagate up the
    tree to the distribution and possibly core switches.

    Here are my solutions so far:

    1) Thank goodness access switch is client mode and you only wipe out
    one switch.
    2) Use VTP domain, as sort of a password
    3) Use VTP password to protect the info transfer
    4) Stop VTP at a port. HOW DO YOU DO THIS?

    I like 4 the best, but don't know how to do this. Any ideas?


    wr, Sep 3, 2004

  2. Try using BPDU guard on the access ports.

    Anthony Louis Swanson, Sep 4, 2004

  3. Chris Thomas

    Chris Thomas Guest

    Use the password. This will stop any accidental updates. If someone
    is trying to nail you, and actually puts the VTP pw in an
    unauthorized switch, then you have worse problems than just VTP.

    Using BPDU guard will stop some switches, but lately I've been seeing
    some Sony laptops that emit BPDUs in the from-the-factory default, so
    in some environments, BPDU guard will nail innocent users.
    Chris Thomas, Sep 4, 2004
  4. Ivan Ostres

    Ivan Ostres Guest

    My recommendation would be not to use VTP at all. It causes much more
    trouble than good... Anyway... how often do you modify your VLAN
    Ivan Ostres, Sep 4, 2004
  5. mh

    mh Guest

    Solution 5 - disable VTP entirely
    mh, Sep 4, 2004
  6. Force all user ports to access mode. VTP works only in trunk mode.
    Wilhelm Becker, Sep 6, 2004
  7. Hansang Bae

    Hansang Bae Guest

    Or better yet, set vtp mode to transparent.

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    Hansang Bae, Sep 7, 2004
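The replies above boil down to three controls on the access switch itself: keep user ports out of trunk mode so VTP advertisements never arrive on them (Wilhelm Becker), set a VTP password or stop participating in VTP via transparent mode (Chris Thomas, Hansang Bae), and use BPDU guard to shut a port that sees a foreign switch (Anthony Louis Swanson). The script below is an added example written for this page, not code from any poster or from Cisco: it audits an IOS-style running-config for exactly those settings and reports the gaps. The sample configs are constructed; the parser assumes the usual IOS layout (top-level commands at column 0, interface sub-commands indented, `!` as a section separator) and treats a missing `vtp mode` line as server mode, which is the IOS default and is normally not shown in the running-config.

```python
"""Audit an IOS-style running-config for VTP exposure on access switches.

Added example for this thread; constructed input, not a real device config.
"""
from collections import OrderedDict

# Constructed sample: a "before" config with the weaknesses the thread discusses.
SAMPLE_CONFIG = """\
hostname access-sw1
!
vtp domain CORP
vtp mode server
!
interface FastEthernet0/1
 description user port - hardened
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description user port - left at defaults
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 description uplink to distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
end
"""

# Constructed "after" config: transparent mode, every user port forced to access.
HARDENED_CONFIG = """\
vtp domain CORP
vtp mode transparent
!
interface FastEthernet0/1
 switchport mode access
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


def parse_config(text):
    """Split a running-config into top-level lines and per-interface sub-lines."""
    top_level = []
    interfaces = OrderedDict()
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None          # "!" ends an interface block
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(stripped)
        else:
            current = None          # any other column-0 command ends the block
            top_level.append(stripped)
    return top_level, interfaces


def audit_vtp(text):
    """Return a list of (scope, code, message) findings for the given config."""
    top_level, interfaces = parse_config(text)
    findings = []

    # Assumption: no explicit "vtp mode" means the IOS default, server mode.
    mode = next((l.split()[-1] for l in top_level if l.startswith("vtp mode ")), "server")
    has_password = any(l.startswith("vtp password ") for l in top_level)

    if mode == "server":
        findings.append(("global", "VTP_SERVER_MODE",
                         "server mode: a higher-revision advertisement rewrites the VLAN "
                         "database here and is relayed upstream; prefer 'vtp mode transparent'"))
    if mode in ("server", "client") and not has_password:
        findings.append(("global", "VTP_NO_PASSWORD",
                         "VTP is active without a password; add 'vtp password <secret>'"))

    for name, lines in interfaces.items():
        if "switchport mode trunk" in lines:
            # VTP advertisements are only carried on trunks: confirm these are real uplinks.
            findings.append((name, "PORT_TRUNK", "trunk port carries VTP; confirm it is an intended uplink"))
            continue
        if any(l.startswith("switchport mode dynamic") for l in lines):
            findings.append((name, "PORT_DYNAMIC_DTP",
                             "DTP may negotiate a trunk with an attached switch; use "
                             "'switchport mode access' and 'switchport nonegotiate'"))
        elif "switchport mode access" not in lines:
            findings.append((name, "PORT_NO_EXPLICIT_MODE",
                             "no switchport mode set; the DTP default may negotiate a trunk"))
        if "spanning-tree bpduguard enable" not in lines:
            findings.append((name, "PORT_NO_BPDUGUARD",
                             "a foreign switch's BPDUs will not err-disable this port"))
    return findings


if __name__ == "__main__":
    for scope, code, msg in audit_vtp(SAMPLE_CONFIG):
        print(f"{scope:20} {code:22} {msg}")
```

On the constructed "before" config the audit flags server mode, the missing password, the two user ports that were never forced into access mode, and the uplink trunk as something to verify; the hardened port FastEthernet0/1 produces nothing. On the "after" config only the uplink trunk remains, which is the expected state: the switch no longer applies received advertisements, and no user port can become a trunk in the first place.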