DTP/VTP

Done

DTP (Dynamic Trunking Protocol)

This proprietary Cisco Protocol allow its switches to auto-negotiate the state of their ports: if connected to a switch it uses trunk mode, but if connected to a host it uses access mode.

It is enabled by default in Cisco switches and can be exploited for vulnerabilities

There are two DTP Modes you can set in a switch: Dynamic Desirable or Dynamic Auto

Desirable mode will actively try to form a trunk, while in Auto mode it will not, it will just “follow the flow”.

configure terminal
interface g0/0
switchport mode dynamic {auto/desirable}

Administrative Mode	Trunk	Dynamic Desirable	Access	Auto
Trunk	Trunk	Trunk	X	Trunk
Dynamically Desirable	Trunk	Trunk	Access	Trunk
Access	X	Access	Access	Access
Auto	Trunk	Trunk	Access	Access

💡

DTP will not form automatically a trunk with a PC or a router, so if you want ROAS, it will have to be manually configured

💡

On default it is configured: - Older Switches = Dynamic Desirable - Newer Switches = Dynamic Auto

Disable DTP Negotiation

configure terminal
interface g0/0
switchport nonegotiate

Switches with more than one encapsulation protocol, will auto-negotiate (switchport trunk encapsulation negotiate) the protocol. Where, if both of them support ISL, it is it that will be used. Also, DTP Frames will be sent through VLAN 1 in ISL and the Native VLAN through 802.1Q

Show switchport status

show interface g0/0 switchport // show interface {interface-id} switchport

VTP (VLAN Trunking Protocol)

It is a protocol used to synchronize VLAN Databases (configurations) across a domain. For example, If I add/remove/modify a VLAN in switch 1, it will send a VTP advertisement through its trunk port and the switch 2 will have the same VLAN settings.

There are essentially three VTP Modes:

VTP Server
- In this mode changes can me made to the VLAN Database, and all this changes will be forwarded via trunk to the other switches connected.
- Can act as a VTP Client as well, the VLAN Database will be determined by the highest Configuration Revision. which increases by one at every modification made.
- Store the VLAN Database locally (NVRAM)
- Default mode for Cisco switches

VTP Client
- In this mode, however, no changes can be made to the VLAN Database. It only syncs the VLAN Database and advertises to other switches.
- Only stores the VLAN Database in VTP Version 3

VTP Transparent
- This mode isolates the switch from the others, so no VTP advertisement will modify its VLAN Database and it will not advertise itself, everything is local (NVRAM).
- However, it will forward VTP Advertisements if in the same VTP Domain

💡

WARNING: An older switch introduced to the network with a higher revision number, could disrupt a network, forcing every switch to rewrite their VLAN Database to match the older switch`s one.

Show VTP Status

show vtp status

Change VTP Domain Name

configure terminal // Global Configuration Mode
vtp domain cisco // vtp domain {domain-name}

💡

Switches in VTP Server and VTP Client will receive a VTP Domain if it has none.

Set VTP Mode

configure terminal // Global Configuration Mode
vtp mode {client/server/transparent}

💡

Setting VTP Mode to Transparent or change the VTP Domain will reset the revision number to 0

Switch VTP version

configure terminal
vtp version {1/2/3}

VTP Version 2 only introduces Token Ring to VLANs, but VTP Version 3 introduce more features.

VTP Password

Setting a password allows only switches with the correct password to synchronize the VLAN Database

configure terminal
vtp password cisco // vtp password {password-name}

How to only know the Root Bridge for every vlan?

show spanning-tree root detail