Žilinská univerzita > Fakulta riadenia a informatiky > Katedra informačných sietí

VTP (+DTP) security threat - myth or fact?

There is some confusion and misunderstanding regarding VTP (VLAN Trunking Protocol)+DTP (Dynamic Trunking Protocol) and this article will hopefully make it all clear. Most of the confusion comes from the statement that VTP is always a security threat to your network. There are even some CCIE material which I find to be wrong on this topic so my advice here is to test everything by yourself.


I assume that you have sufficient knowledge about VTP and DTP, if not or you would like to refresh your memory take a look here:








Just to remember

Default DTP mode is dynamic auto or dynamic desirable on the newer switches. Leaving DTP in dynamic mode is ALWAYS a security threat as other side (evil attacker) can negotiate trunk with any of these switches and get access to all VLANs.


We know that VTP could be harmful when a switch with higher revision number than the one in our domain is connected to such domain. Remember that switch with highest VTP configuration revision number in a domain is considered most recent. Therefore when any switch with lower configuration revision number receives update with higher conf. rev. number it will flush the whole VLAN database and build new one according to the update that it received.


We also know that DTP messages contains information about VTP domain and trunk will be only formed if both switches (their ports) belongs to the same VTP domain.


But there is an special case and we will look at it closer right now.



Imagine that you are in a company where 3 switches are already configured and running. They are running VTP in version 2 with 5 additional VLANs configured, (vlan 10,20,30,40,50). Configuration revision on all of these switches is 5. VTP domain name is MyVtpDomain. DTP on every switch is left in default mode which is dynamic auto or dynamic desirable on the newer switches.


The statement that I ran into is this: 

Let's have our scenario  (3 switches in the same VTP domain called MyVtpDomain, conf. rev. number is 5).


"The domain name by default is blank. Cisco considers that NULL. It's at this point that the switch will be in its most acceptable mode meaning if I plug it into a network that is running VTP and a trunk port is negotiated with me, VTP runs on top of the trunks, it will take whatever VTP domain name and password that the company has. So what this means is if I plug the switch in I don't even need VTP name or the password. I'm going to get all the VTP updates sent down to me...If the switch will negotiate a trunk port with company switch and if its VTP domain name is set to NULL that means whatever VTP advertisement it receives it will automatically configures itself to. So all your security you thought you had by assigning VTP name and password is gone becase the password is sent in clear-text over the trunk port."




Well, at least not on every level. I would like to separate right from wrong here.


So when is the trunk formed and when does the new switch configure itself with the other VTP domain?

New switch MUST have VTP domain name unconfigured=blank (NULL).

The switch configured in existing VTP domain (company switch) MUST NOT have password configured.

Ports that connects new switch to the company switch should be able to form trunk (either dynamically or be configured as trunk). VTP domain name is advertised through DTP messages - and trunk will be formed olny if both ends match (are in the same VTP domain). Now you see that this is not always true - we have one switch with unconfigured domain and the other with configured - this is a special case which works. Remember - Although DTP should work only when both switches are in the same VTP domain, this is an exception.


And what about the case when new switch which domain is NULL but has higher configuration revision number than any of the company switches?

In such case, nothing bad happens. No disaster here. The reason is, that when the new switch configure itself with VTP domain MyVtpDomain, it will reset its configuration revision number to the one in advertisement (in this case, configuration revision number will be 5).


Why does it not work with password configured? 

Well it's password, why else would it be there? :) It simply does not work because the MD5 digests (which does take password into account) on the two switches does not match and such advertisement is ingored.


But the password is sent as clear-text in VTP advertisement, I can read it from there and configure my switch with it.

No you can't. It is NOT sent in clear-text in fact it is NOT SENT AT ALL! The VTP password that you configure is translated by algorithm into a 16-byte word (MD5 value) that is carried in all summary-advertisement VTP packets. So it is part of MD5 digest.



In conclusion, leaving DTP in dynamic mode is not recommended. But when you forget, try to at least configure VTP with password and that should be enough to avoid problem described in this article.


Tested on Cisco 2960 ( C2960-LANBASEK9-M, Version 12.2(58)SE1 ) and Cisco 2950 ( C2950-I6K2L2Q4-M, Version 12.1(22)EA13 ) switches.