native vlan issue

I have 3 cisco 2950 switches:

- vtp server (primary)
- vtp server (secondary)
- vtp access

Note: all 3 switches can ping each other, and as I have no current default gateway, I have none set.

VTP is set on the primary switch and has propagated across the other server & client switch successfully.

vtp server (primary)

config t
vlan 800
spanning-tree vlan 800 root primary diameter 3 hello-time 3

int fa0/1
description connected to secondary switch
switchport mode trunk
switchport trunk allowed vlan 1
no shut

test 1

vtp server (primary)
sh vlan - shows vlan 800 - as expected

test 2

vtp server & client

sh vlan - cannot see vlan 800

Question 1. Why can I not see VLAN 800, as I assume this has taken over from default VLAN 1?
mikey250 Asked:

Matt V Commented:
It looks like VLAN800 is not allowed across the trunk port.

I could be mis-reading though.

mikey250 Author Commented:
Hi, I only added the below on the trunk and did not add 'vlan 800'. Currently I only have 1 x VLAN, i.e. VLAN 1, which I assumed will be VLAN 800 instead, and once I got that right I could then add multiple VLANs:

int fa0/1
 description connected to secondary switch
 switchport mode trunk
 switchport trunk allowed vlan 1
 no shut
Matt V Commented:
But if you only allow VLAN1, then VLAN800 is by definition not allowed.

If your only VLAN is VLAN800, then switch your config to:

int fa0/1
  description connected to secondary switch
  switchport mode trunk
  switchport trunk allowed vlan 800
  no shut
mikey250 Author Commented:
I will add multiple VLANs later, but if VLAN 800 has replaced VLAN 1, then surely I do not need to add VLAN 1 and can just do the following.

My version of IOS only allows the below commands:

spanning-tree vlan 1,800 root primary diameter 3 hello-time 3

int fa0/1
   description connected to secondary switch
   switchport mode trunk
   switchport trunk native vlan 800
   no shut

or

spanning-tree vlan 800 root primary diameter 3 hello-time 3

int fa0/1
   description connected to secondary switch
   switchport mode trunk
   switchport trunk native vlan 800
   no shut
Matt V Commented:
You are correct, if you replace VLAN1 with VLAN800, then you would not need to allow VLAN1 transport over the trunk.
mikey250 Author Commented:
What about:

spanning-tree vlan 1,800 root primary diameter 3 hello-time 3

spanning-tree vlan 800 root primary diameter 3 hello-time 3
Matt V Commented:
If you are not using VLAN1, you should not need to advertise it.
mikey250 Author Commented:
At the moment, for some unknown reason, on my 'vtp server (primary)' all 3 of my ports should be 'desg ports', but 1 of the ports is showing as 'root port' & designated port. I'm assuming I may need to disconnect all my switches, delete the vlan.dat on all switches if located, reload all switches and start again!! Which is what I am currently doing, and then the below.

I've just realised I haven't even changed the following from VLAN 1 to VLAN 800:

vtp server (primary)
int vlan 1
ip address x.x.x.x x.x.x.x
no shut

to

vtp server (primary)
int vlan 800
ip address x.x.x.x x.x.x.x
no shut
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) Commented:
Just so you know, if you have the statement:

switchport trunk allowed vlan XXX

Regardless of whether VTP is configured, the only allowed VLAN across that trunk port will be XXX.

Additionally, I believe VTP requires you use VLAN 1 for VTP, however you can still disable VLAN 1 (by not including it in the allowed vlan statement) across the trunk port and VTP will still work.

As far as one of your ports showing as a root port, that means that the primary vtp server is not the spanning tree root bridge. That isn't a problem, unless you want the switch to be a root bridge. However, STP and VTP are two completely separate protocols.
mikey250 Author Commented:
I can ping the following:

vtp server (primary)
vtp server (secondary)
vtp access

- ping from vtp access to vtp server (primary) - successful

- ping from vtp access to vtp server (secondary) - unsuccessful - all links are up/up (trunk)

note: all vtp info is set on both vtp primary/secondary & access - correctly

-----------------------------------------------------------------------------------------------
vtp server (primary)

config t
spanning-tree vlan 800 root primary diameter 3 hello-time 3

- sh span - shows hello time/max age & forward delay correctly
------------------------------------------------------------------------------------------

vtp server (secondary)

config t
spanning-tree vlan 800 root secondary

- sh span - does not show hello time/max age & forward delay like vtp server (primary)

Question 1. I thought the vtp server (primary) would amend the vtp server (secondary) hello time/max-age & forward delay automatically?
mikey250 Author Commented:
The reason why I cannot ping to and from vtp server (secondary) is because when I do:

sh vlan - no VLAN 800 is showing, but I thought VTP would propagate this across once the 'hello time/max-age & forward delay' was sent across from the vtp server (primary), but it has not?
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) Commented:
Can you post your configs for me to take a look at?  It will be easier for me to correct them.

Remember to correctly sanitize your configs (MASK IPs, Passwords, etc)
mikey250 Author Commented:
Hi, I have removed VLAN 1 from all 'trunks' and have set native VLAN 800 across all switch trunks only.

my vtp server (primary) is the root bridge
my vtp server (secondary) is also the root bridge
my access - normal

As I cannot manually delete VLAN 1, yes, by not adding it I presumed it switched off VLAN 1.

All switches have the following with their own specific IP address/mask:

int vlan 1
no ip address
shut

int vlan 800
ip address x.x.x.x x.x.x.x
no shut
mikey250 Author Commented:
Hi Daniel,

I have now left for the evening but I would like to push these screenshots across to you tomorrow if possible.
mikey250 Author Commented:
Please read my 2nd from last comment above this one regarding the 'hello-time/max-age/forward delay' not changing on the vtp server (secondary) to match changes made on the vtp server (primary).
Don Johnston (Instructor) Commented:
First off. You cannot truly prune VLAN 1 from a trunk. You can issue the command, but CDP, VTP, LACP, etc. will still cross the trunk.

It will be easier to troubleshoot this if you post the output of a "show int trunk" for all the switches (and indicate which ports go to which switches).

Finally, post the output of "show vtp status" and "show vtp password" for the three switches.
mikey250 Author Commented:
Hi, I've done it; it must have been a VTP issue. So resolved!!!!!!!!!!!!! :)

Question 1. So does this mean a potential intruder would have to guess what VLAN my native VLAN is on, i.e. 800 instead of default VLAN 1, in order to gain access, whether it be a remote connection or even a physical connection, as I have also done the following?

- added a bogus vlan on ports not used
- switchport all unused ports to 'switchport mode access'
- shutdown all unused ports
Don Johnston (Instructor) Commented:
The whole thing about native "VLAN vulnerability" is really a bit limited since all it does is allow someone access from the non-native VLAN to the native VLAN... but not back.  Which means that someone could inject frames into the native VLAN but they would never receive anything back.

If the native VLAN was 1, then that's a pretty big vulnerability since that's where VTP operates. Which is why you NEVER want to leave the native VLAN as 1. Best practice is to either A) create a VLAN with no purpose other than to be the native VLAN or B) tag all VLANs (even the native VLAN).

Adding a VLAN for unused ports is not a bad approach. But the preferred way would be to disable the ports which makes the need for the bogus VLAN unnecessary.

Making all ports access ports except those going to trunking devices is also a best practice.
mikey250 Author Commented:
Hi Don, thanks for the reply.

"which means that someone could inject frames into the native VLAN but they would never receive anything back"

- Oh, I thought the native VLAN configuration 'stopped' that from happening, but what you are saying is 'they would never receive anything back'..... what's the point of that config?

My reading states: one alternative is to force all 802.1Q trunks to add tags to frames for the native VLAN, too. The double-tagged VLAN hopping attack won't work because the switch won't remove the first tag with the native VLAN ID (VLAN 10, for example), so the frame will not be passed onto VLAN 20, being the real internal connection required.

Instead that tag will remain on the spoofed frame as it enters the trunk. At the far end of the trunk the same tag will be examined and the frame will stay on the original access VLAN 10.

To force a switch to tag the native VLAN on all its 802.1Q trunks, use the below command:

- vlan dot1q tag native

The above command does not work with my IOS, so I would obviously have to upgrade.

Question 1. I'm thinking b) tag all VLANs, even the native VLAN, makes more sense, so why do what I have done?
Don Johnston (Instructor) Commented:
"oh i thought the native vlan configuration 'stopped' that from happening, but what you are saying is 'they would never receive anything back'..... whats the point of that config?"
Do you mean: what's the benefit of sending frames when you can't receive any?
If so, the reason is it would allow an attacker to disrupt the network. For example, send VTP frames that delete all the VLANs. Send DTP frames that cause the trunks to go down.

"im thinking b) tag all vlans even the native vlan makes more sense so why do what i have done ?"
If you can tag the native VLAN (which isn't available on older versions), then the vulnerability is effectively neutralized.
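The hardening Don describes in his two replies (a native VLAN that carries no user traffic, the native VLAN tagged where the IOS supports it, DTP switched off, unused ports as shut-down access ports), written out as an added IOS example; this is not config from the thread, and VLAN 999, VLAN 666, the VLAN names and the unused port range are assumptions.

```cisco
! Added example (not from the thread). Assumed values: VLAN 999 as the
! dedicated native VLAN, VLAN 666 as the parking VLAN, Fa0/10-24 unused.
vlan 800
 name USERS
vlan 999
 name NATIVE-UNUSED
vlan 666
 name PARKING
!
! Option B from the thread: tag the native VLAN on every 802.1Q trunk.
! Older IOS (the 2950 in the thread) rejects this global command; if so,
! option A below (dedicated, empty native VLAN) is what remains.
vlan dot1q tag native
!
! Trunk to the secondary switch. The native VLAN is the empty VLAN 999 and is
! deliberately left out of the allowed list, so no user VLAN is ever untagged
! on the link. nonegotiate turns DTP off so the port will not be talked into
! or out of trunking by DTP frames.
interface FastEthernet0/1
 description trunk to secondary switch
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 800
 switchport nonegotiate
 no shutdown
!
! Unused ports: access mode (no DTP), parked in a VLAN that goes nowhere,
! and shut down, as Don recommends.
interface range FastEthernet0/10 - 24
 description unused
 switchport mode access
 switchport access vlan 666
 switchport nonegotiate
 shutdown
!
! Verification (exec mode): native VLAN and allowed list per trunk, and
! whether native-VLAN tagging took effect on this IOS.
! show interfaces trunk
! show vlan dot1q tag native
```

On every switch in the path the trunk's native VLAN and allowed list must match end to end, which is also what `show interfaces trunk` lets you compare when a VLAN fails to appear on a neighbour.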
mikey250 Author Commented:
Hi Don, yes I understand.

thanks for that!
mikey250 Author Commented:
Sound advice, although in the end it appeared to be a 'VTP issue'.