Hello! In this post, I’d like to talk about:
Dynamic Trunking Protocol (DTP).
VLAN Trunking Protocol (VTP).
Solve a lab from Jeremy’s IT Lab.
Both protocols are Cisco proprietary, which means only Cisco switches can use them.
Dynamic Trunking Protocol (DTP)
DTP lets switches automatically determine the status of their interfaces (whether they should be trunk or access ports). It's enabled by default on Cisco switchports, and that default can be abused by attackers.
One example is the DTP spoofing attack: an attacker can send spoofed DTP packets to force a switchport into trunk mode and gain access to multiple VLANs. For this reason, it’s recommended to disable DTP on all switchports where it’s not needed.
In the Cisco CLI, we can configure the port mode like this:
switchport mode trunk
switchport mode dynamic desirable (it will actively try to form a trunk)
switchport mode dynamic auto (it will not actively try to form a trunk; it follows the configuration of the neighbor switch)
Here’s an image showing how different combinations of these modes behave.
To disable DTP, we use:
SW1(config-if)# switchport nonegotiate
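To make the mode combinations concrete, here is a small Python model of how two DTP-capable ports settle on an operational mode. It is an added example, not code from the original post; the mode names are the Cisco CLI modes listed above, and the rule that `switchport nonegotiate` is only accepted on static trunk or access ports is modelled as a `ValueError`.

```python
# Added example (not from the original post): a model of how two DTP-capable
# Cisco switchports settle on an operational mode, using the administrative
# modes named in the post ("trunk", "dynamic desirable", "dynamic auto", "access").
from itertools import product

MODES = ("trunk", "dynamic desirable", "dynamic auto", "access")


def sends_dtp(mode: str, nonegotiate: bool) -> bool:
    """A port sends DTP frames unless it is a static access port or has
    'switchport nonegotiate' configured."""
    if nonegotiate and mode not in ("trunk", "access"):
        # IOS only accepts 'switchport nonegotiate' on static trunk/access ports.
        raise ValueError("nonegotiate requires a static trunk or access mode")
    return mode != "access" and not nonegotiate


def operational_mode(mode: str, neighbor_mode: str, neighbor_sends_dtp: bool) -> str:
    """Operational mode of one side of the link, given what the neighbor sends."""
    if mode in ("trunk", "access"):
        return mode                      # static modes never change
    if not neighbor_sends_dtp:
        return "access"                  # nothing to negotiate with: stays access
    if mode == "dynamic desirable":
        # desirable actively asks; any DTP-speaking neighbor (trunk/desirable/auto) agrees
        return "trunk"
    # dynamic auto only answers; it trunks if the neighbor is trunk or desirable
    return "trunk" if neighbor_mode in ("trunk", "dynamic desirable") else "access"


def negotiate(a: str, b: str, a_nonegotiate: bool = False, b_nonegotiate: bool = False) -> str:
    """Outcome for the link: 'trunk', 'access', or 'mismatch' (one side trunk, other access)."""
    a_op = operational_mode(a, b, sends_dtp(b, b_nonegotiate))
    b_op = operational_mode(b, a, sends_dtp(a, a_nonegotiate))
    return a_op if a_op == b_op else "mismatch"


def negotiation_table() -> dict:
    """All combinations of the four modes with DTP left on (the matrix the post refers to)."""
    return {(a, b): negotiate(a, b) for a, b in product(MODES, repeat=2)}


if __name__ == "__main__":
    for (a, b), result in negotiation_table().items():
        print(f"{a:18} + {b:18} -> {result}")
    # The case the post warns about: a port left in 'dynamic auto' becomes a trunk
    # as soon as its peer announces 'dynamic desirable' or 'trunk'.
    print("auto vs desirable        ->", negotiate("dynamic auto", "dynamic desirable"))
    # Trunk + nonegotiate on one side only leaves a dynamic peer in access mode,
    # which is why the lab sets both ends to trunk explicitly.
    print("trunk+nonegotiate vs auto ->", negotiate("trunk", "dynamic auto", a_nonegotiate=True))
```

The last line of the `main` block shows the mismatch that appears when only one end of a link is hardened: the static side is a trunk, the dynamic side stays in access mode, so both ends need an explicit `switchport mode trunk` before DTP is turned off.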
VLAN Trunking Protocol (VTP)
VTP allows VLANs to be configured on a central switch (the VTP server), while other switches (configured as clients) automatically sync their VLAN database with it.
However, VTP is rarely used in modern networks and its use is often discouraged. This is because it uses a revision number to decide which configuration is the latest: if a switch with an outdated VLAN database but a higher revision number is introduced, it can overwrite the VLAN database of the entire domain. That can cause major misconfigurations and downtime.
VTP servers:
Can add/modify/delete VLANs.
Store the VLAN database in non-volatile RAM (NVRAM).
Will increase the revision number every time a VLAN is added/modified/deleted.
Will advertise the database, and VTP clients will synchronize.
VTP advertisements are not sent out access ports.
VTP clients:
Can't add/modify/delete VLANs.
Don't store the VLAN database in NVRAM.
Will synchronize their database with the server.
Will advertise their VLAN database and forward VTP advertisements to other clients over trunk ports.
Lab from Jeremy's IT Lab
In this lab, we configure three switches and answer some questions.
1. Configure the switchports connecting switches as trunk ports. Disable DTP on the ports. Confirm the administrative and operational mode of each interface.
Let’s start by configuring the switchports and disabling DTP
For this we have to use the following commands:
SW1> enable
SW1# show interfaces g0/1 switchport (to see its current configuration)
SW1# configure terminal
SW1(config)# interface g0/1
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport nonegotiate (disable DTP)
At first, Administrative Mode might be dynamic auto and Operational Mode static access. That's because two dynamic auto ports won't form a trunk. So, we change it to trunk and disable DTP.
Repeat the same config for the interfaces connected to other switches. I’ve shown it on SW1—you can do it on SW2 and SW3 the same way.
Now, the Administrative and Operational Mode should both show as trunk.
2. Configure SW1 in VTP domain CCNA. Create VLANs 10, 20, and 30 on SW1. Have SW2 and SW3 added VLANs 10, 20, and 30?
To configure the VTP domain name:
SW1(config)#vtp domain CCNA
Then we create VLANs 10, 20 and 30. For this we use the vlan command followed by the VLAN number:
SW1(config)# vlan <vlan-number>
And the VLANs appear in SW2 and SW3 as well. We can check this with:
SW2# show vlan
SW3# show vlan
3. Configure SW2 in VTP transparent mode. Add VLAN 40 to SW2. Is VLAN 40 added to the VLAN database of SW1/SW3?
Spoiler: It won’t be added.
Transparent mode means the switch acts independently and doesn't sync the VLAN database.
For this we have to use the following commands:
SW2(config)# vtp mode transparent
SW2(config)# vlan 40
And if we check on SW1 and SW3, VLAN 40 wasn't created on those switches.
As we can see in both pictures, VLAN 40 wasn’t created and this is because SW2 is in transparent mode.
4. Configure SW3 in VTP client mode. Try to configure VLAN 50 on SW3. Is it added?
Now the task asks us to configure SW3 in VTP client mode and add VLAN 50. A switch in VTP client mode can only synchronize its database from the VTP server, so we won't be able to create a VLAN on it.
SW3(config)# vtp mode client
SW3(config)# vlan 50
We will get the following message “VTP VLAN configuration not allowed when device is in CLIENT mode.”
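The revision-number hazard described in the VTP section and lab steps 2 to 4 (server, transparent, client) can be reproduced in a toy model. This is an added example, not code from the post or from Jeremy's IT Lab; the switch names, domain "CCNA" and VLAN numbers follow the lab, while the line topology SW1 - SW2 - SW3 and the stale switch "SWX" with revision 25 are constructed assumptions.

```python
# Added example (not from the original post): a toy model of VTP behaviour.
# It covers the revision-number overwrite risk and the lab's server/transparent/
# client steps. Topology and the stale switch "SWX" are constructed for the demo.
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

CLIENT_ERROR = "VTP VLAN configuration not allowed when device is in CLIENT mode."


@dataclass
class Switch:
    name: str
    mode: str = "server"               # default VTP mode on Cisco switches
    domain: Optional[str] = None       # null domain until configured or learned
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})

    def add_vlan(self, vid: int) -> Optional[str]:
        """Create a VLAN locally; returns the IOS error text in client mode."""
        if self.mode == "client":
            return CLIENT_ERROR
        self.vlans.add(vid)
        if self.mode == "server":
            self.revision += 1         # every change bumps the revision
        return None

    def receive(self, domain: str, revision: int, vlans: set) -> bool:
        """Apply an advertisement; True if the local database was replaced."""
        if self.mode == "transparent":
            return False               # transparent: forward only, never sync
        if self.domain is None:
            self.domain = domain       # a null-domain switch adopts the first domain it hears
        if domain != self.domain or revision <= self.revision:
            return False
        # A higher revision in our domain wins, even on a server: this is the
        # overwrite hazard the post warns about.
        self.vlans, self.revision = set(vlans), revision
        return True


def flood(origin: Switch, links: dict) -> None:
    """Push origin's advertisement across every trunk link (transparent switches forward it)."""
    if origin.mode == "transparent" or origin.domain is None:
        return                         # transparent switches do not originate advertisements
    adv = (origin.domain, origin.revision, set(origin.vlans))
    seen, queue = {origin.name}, deque([origin])
    while queue:
        for nxt in links[queue.popleft().name]:
            if nxt.name not in seen:
                seen.add(nxt.name)
                nxt.receive(*adv)
                queue.append(nxt)


def lab_steps() -> dict:
    """Lab steps 2-4 on a constructed SW1 - SW2 - SW3 line topology."""
    sw1, sw2, sw3 = Switch("SW1"), Switch("SW2"), Switch("SW3")
    links = {"SW1": [sw2], "SW2": [sw1, sw3], "SW3": [sw2]}
    sw1.domain = "CCNA"                # step 2: 'vtp domain CCNA' on SW1
    for vid in (10, 20, 30):
        sw1.add_vlan(vid)
    flood(sw1, links)                  # SW2/SW3 learn the domain and sync
    sw2.mode = "transparent"           # step 3: 'vtp mode transparent' on SW2
    sw2.add_vlan(40)
    flood(sw2, links)                  # nothing leaves a transparent switch
    sw3.mode = "client"                # step 4: 'vtp mode client' on SW3
    err = sw3.add_vlan(50)
    return {"sw1": sorted(sw1.vlans), "sw2": sorted(sw2.vlans),
            "sw3": sorted(sw3.vlans), "client_error": err}


def stale_switch_joins() -> list:
    """The failure mode from the post: a higher-revision switch with an old database wipes SW1."""
    sw1 = Switch("SW1", domain="CCNA")
    for vid in (10, 20, 30):
        sw1.add_vlan(vid)              # SW1 is now at revision 3
    stale = Switch("SWX", domain="CCNA", revision=25, vlans={1, 99})  # constructed leftover switch
    flood(stale, {"SW1": [stale], "SWX": [sw1]})
    return sorted(sw1.vlans)


if __name__ == "__main__":
    print(lab_steps())
    print("SW1 VLANs after SWX joins:", stale_switch_joins())
```

`stale_switch_joins()` is the scenario that makes VTP risky: SW1 is a server, yet it accepts the higher revision and loses VLANs 10, 20 and 30. The usual operational defence is to reset the revision counter (for example by changing the domain name or moving the switch to transparent mode) before connecting a reused switch to a production domain.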
5. Configure all switchports connected to hosts in the correct VLAN. Manually configure them as access ports. Is DTP still enabled on the switchports?
We have done something similar in other posts, so here is a small example; if you want to read more about it, I recommend checking the other posts.
SW1(config)#interface f0/1
SW1(config-if)#switchport mode access
SW1(config-if)# switchport access vlan 10
These commands are only for SW1 interface f0/1; you can continue with the other interfaces yourself.
And no, DTP is no longer enabled on these ports. Since we’ve manually configured them as access ports, they don’t negotiate trunking. You can confirm with:
SW3# show interfaces <interface> switchport
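Checking every port by eye gets tedious on a switch with many interfaces, so here is a small Python script that reads the text of `show interfaces switchport` and flags ports where DTP can still change the mode. It is an added example, not part of the post; the sample output embedded below is constructed to look like IOS output (interface names and VLANs are made up), and the two checks are the Administrative Mode and "Negotiation of Trunking" fields that the lab asks you to confirm.

```python
# Added example (not from the original post): audit 'show interfaces switchport'
# output for ports that still negotiate trunking. SAMPLE_OUTPUT is constructed
# to resemble IOS output; the interface names and values are made up.
import re

SAMPLE_OUTPUT = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)

Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (VLAN0010)

Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
"""


def parse_switchport(output: str) -> dict:
    """Map interface name -> {field: value} from 'show interfaces switchport' output."""
    ports, current = {}, None
    for line in output.splitlines():
        m = re.match(r"^([^:]+):\s*(.*)$", line.strip())
        if not m:
            continue                    # blank lines and anything without 'key: value'
        key, value = m.group(1), m.group(2)
        if key == "Name":
            current = ports.setdefault(value, {})   # a new interface block starts
        elif current is not None:
            current[key] = value
    return ports


def dtp_findings(ports: dict) -> list:
    """Return (interface, reason) for every port where DTP can still affect the mode."""
    findings = []
    for name, fields in ports.items():
        admin = fields.get("Administrative Mode", "")
        if admin.startswith("dynamic"):
            # Dynamic modes let the peer decide; the fix is a static mode
            findings.append((name, f"administrative mode '{admin}' (set 'switchport mode access' or 'trunk')"))
        elif fields.get("Negotiation of Trunking") == "On":
            # Static trunk that still sends DTP frames
            findings.append((name, "DTP frames still sent (add 'switchport nonegotiate')"))
    return findings


if __name__ == "__main__":
    for name, reason in dtp_findings(parse_switchport(SAMPLE_OUTPUT)):
        print(f"{name}: {reason}")
```

On the constructed sample the script reports Fa0/2 (still `dynamic auto`) and Gi0/2 (a trunk without `switchport nonegotiate`), while Gi0/1 and the access port Fa0/1 pass, which matches what the lab expects after steps 1 and 5.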
That’s all for today’s post!
Thanks for reading — and keep on learning and hacking.
Have a great week!