-
VTP (VLAN Trunking Protocol)
A protocol for managing VLANs across switches within the same VTP domain. It allows centralized creation, deletion, and modification of VLANs, automatically synchronizing them across other switches.
Operating modes:
- Server: Manages and propagates VLAN changes.
- Client: Receives VLAN updates but cannot modify them.
- Transparent: Does not propagate VLANs but forwards VTP messages.
Risk: Misconfigured VTP can delete all existing VLANs.
-
DTP (Dynamic Trunking Protocol)
A protocol for dynamically negotiating the port mode (trunk or access). It automatically sets up the connection type between switches.
Modes:
- Dynamic Desirable: Actively tries to establish a trunk.
- Dynamic Auto: Passively waits for trunk negotiation.
- Access/Trunk: Manually sets the mode.
Risk: Automatic negotiation means a device plugged into a port left in a dynamic mode can negotiate a trunk with the switch, for example when an attacker connects their own device.
L2 switches
#DTP - Dynamic Trunking Protocol
enable
configure terminal
int g0/0 #enter interface configuration for the port
switchport mode access #the port is assigned to a single VLAN and doesn't send DTP packets
switchport mode trunk #the port carries multiple VLANs as 802.1Q-tagged frames, except for the native VLAN, which is sent untagged
switchport mode dynamic auto #the port negotiates trunking only if the peer requests it; this is the default mode
switchport mode dynamic desirable #the port actively tries to negotiate a trunk link
switchport nonegotiate #disables DTP negotiation on the port
#Examples:
====
switchport mode access
switchport access vlan 10
====
switchport mode trunk
switchport trunk allowed vlan 10,20,30
switchport trunk native vlan 99
====
#VTP - VLAN Trunking Protocol (v1: VLANs 1-1005; v2: adds VTP pruning; v3: VLANs 1006-4095, VLAN descriptions and VTP authentication)
#VTP is enabled by default and all switches start in server mode.
#In client mode a switch joins whichever domain it receives advertisements for.
#An old switch that still holds a VTP configuration can overwrite all your VLANs if its "configuration revision" number is higher.
vtp domain <some-domain> #a logical group of Cisco switches that share VLAN configuration information
vtp mode {server | client | transparent}
Server: switches can create, modify, and delete VLANs for the entire VTP domain.
Client: switches cannot create, modify, or delete VLANs. They receive VLAN information from VTP servers automatically.
Transparent: switches in transparent mode do not participate in VTP advertisements.
VTP Pruning - when enabled, a switch will only forward VTP advertisements for VLANs that exist on that switch or on other switches connected through trunks.
vtp version {2 |3 } #set VTP version
vtp mode server #set server mode
vtp mode client #set client mode
vtp mode transparent #set transparent mode
vtp password <YourPassword> #set a password for the domain (if you don't input it on the client SW
vtp pruning #configured only on servers; the setting is shared automatically with the clients in the domain
show vtp status #show vtp status
#on trunk interfaces, use: switchport trunk allowed vlan 1,10,20 to limit the carried VLANs manually and work around the restriction
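As an added example that is not part of these notes, a small Python audit that reads an IOS-style running-config (the sample below is constructed, not from a real device) and flags the DTP and VTP settings described above: ports still able to negotiate a trunk (dynamic modes, or no mode set so the default dynamic auto applies), trunks without switchport nonegotiate, and VTP left in server mode.

```python
# Constructed sample running-config (not from a real device) using only the
# switchport / vtp commands covered in these notes.
SAMPLE_CONFIG = """\
vtp domain LAB
vtp mode server
interface GigabitEthernet0/1
 switchport mode dynamic desirable
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
interface GigabitEthernet0/4
 switchport access vlan 20
"""

def parse_config(text):
    """Split IOS-style config text into global and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        elif line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces

def audit(text):
    """Return (severity, location, message) findings for DTP and VTP settings."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    # VTP: server is the default mode, so a missing 'vtp mode' line counts as server
    vtp_mode = next((c.split()[2] for c in global_cmds if c.startswith("vtp mode ")), "server")
    if vtp_mode == "server":
        findings.append(("high", "global", "vtp mode server: a higher-revision neighbour can rewrite all VLANs"))
    for name, cmds in interfaces.items():
        # DTP: no 'switchport mode' line means the default, dynamic auto
        mode = next((" ".join(c.split()[2:]) for c in cmds if c.startswith("switchport mode ")), "dynamic auto")
        if mode.startswith("dynamic"):
            findings.append(("high", name, f"DTP active ({mode}): a connected device can negotiate a trunk"))
        elif mode == "trunk" and "switchport nonegotiate" not in cmds:
            findings.append(("medium", name, "trunk still sends DTP; add switchport nonegotiate"))
    return findings
```

Run audit(SAMPLE_CONFIG) to list the findings; on the sample it reports the server-mode VTP setting, the two negotiable ports (Gi0/1 and Gi0/4), and the trunk on Gi0/3 that still lacks nonegotiate.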