CCIE Pursuit Blog

June 29, 2007

VTP MD5 Hash Utilizes VTP Domain Name

Filed under: IOS,Switching,VTP — cciepursuit @ 5:23 pm

In a previous post, I hypothesized that VTP takes the VTP domain name into account when calculating the VTP MD5 hash. I decided to test this by configuring two switches with the same VTP configurations (and not adding any VLANs) except for the VTP domain name. If I am correct, then the VTP MD5 hash of the two switches should be different.

Here’s our first switch that has been defaulted:
sw1#sh vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Transparent
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
sw1#sh vtp pass
The VTP password is not configured.

Let’s configure this sucker:
sw1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
sw1(config)#vtp domain DOMAIN1
Changing VTP domain name from NULL to DOMAIN1
sw1(config)#vtp mode server
Setting device to VTP SERVER mode
sw1(config)#vtp password PASSWORD
Setting device VLAN database password to PASSWORD
sw1(config)#^Z
sw1#sh vtp
*Mar  1 00:29:22: %SYS-5-CONFIG_I: Configured from console by console
sw1#sh vtp statu
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : DOMAIN1
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xB9 0x5B 0x76 0xF1 0x64 0x83 0x17 0xF3
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Okay.  Here’s the second switch:
sw2#sh vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Transparent
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
sw2#sh vtp pass
The VTP password is not configured.

Let’s give it the same configuration as sw1 except for the VTP domain name:
sw2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
sw2(config)#vtp domain DOMAIN2
Changing VTP domain name from NULL to DOMAIN2
sw2(config)#vtp mode server
Setting device to VTP SERVER mode
sw2(config)#vtp pass PASSWORD
Setting device VLAN database password to PASSWORD
sw2(config)#^Z
sw2#sh vtp
*Mar  1 00:30:36: %SYS-5-CONFIG_I: Configured from console by console
sw2#sh vtp statu
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : DOMAIN2
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x2E 0xC6 0x1E 0x6E 0xA6 0xC3 0xA7 0x86
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Let’s compare the two MD5 hashes (different VTP domain names):
sw1: MD5 digest: 0xB9 0x5B 0x76 0xF1 0x64 0x83 0x17 0xF3
sw2: MD5 digest: 0x2E 0xC6 0x1E 0x6E 0xA6 0xC3 0xA7 0x86

They are different.  This proves my hypothesis.  Now let’s change sw2’s domain to DOMAIN1 (to match sw1) and see if the MD5 hashes match:

sw2(config)#vtp domain DOMAIN1
Changing VTP domain name from DOMAIN2 to DOMAIN1
sw2(config)#^Z
sw2#sh
*Mar  1 00:32:30: %SYS-5-CONFIG_I: Configured from console by console
sw2#sh vtp statu
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : DOMAIN1
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xB9 0x5B 0x76 0xF1 0x64 0x83 0x17 0xF3
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

sw1: MD5 digest: 0xB9 0x5B 0x76 0xF1 0x64 0x83 0x17 0xF3
sw2: MD5 digest: 0xB9 0x5B 0x76 0xF1 0x64 0x83 0x17 0xF3


Booyah!!!!  This proves that the VTP MD5 hash takes into account the VTP domain name as well as the password.
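The comparison above can be automated across more than two switches. The following is an added example, not part of the original post: it parses `show vtp status` text and reports switches that share a VTP domain and configuration revision but display different digests. It assumes such switches should agree on the digest, and the `sw3` capture is constructed for illustration.

```python
from collections import defaultdict

# Fields copied from the `show vtp status` captures in the post.
SW1 = """Configuration Revision          : 0
VTP Domain Name                 : DOMAIN1
MD5 digest                      : 0xB9 0x5B 0x76 0xF1 0x64 0x83 0x17 0xF3"""
SW2_DOMAIN2 = """Configuration Revision          : 0
VTP Domain Name                 : DOMAIN2
MD5 digest                      : 0x2E 0xC6 0x1E 0x6E 0xA6 0xC3 0xA7 0x86"""
SW2_DOMAIN1 = SW1  # after the domain change sw2 printed the same three fields
# Constructed sample (not from the post): same domain, different digest.
SW3 = """Configuration Revision          : 0
VTP Domain Name                 : DOMAIN1
MD5 digest                      : 0x00 0x11 0x22 0x33 0x44 0x55 0x66 0x77"""


def parse_vtp_status(text):
    """Extract domain, revision and digest bytes from `show vtp status` text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return {
        "domain": fields["vtp domain name"],
        "revision": int(fields["configuration revision"]),
        "digest": bytes(int(b, 16) for b in fields["md5 digest"].split()),
    }


def digest_mismatches(captures):
    """Map (domain, revision) -> switch groups when digests disagree inside it."""
    groups = defaultdict(lambda: defaultdict(list))
    for name, text in captures.items():
        s = parse_vtp_status(text)
        groups[(s["domain"], s["revision"])][s["digest"]].append(name)
    return {
        key: sorted(sorted(names) for names in by_digest.values())
        for key, by_digest in groups.items()
        if len(by_digest) > 1
    }


if __name__ == "__main__":
    print(digest_mismatches({"sw1": SW1, "sw2": SW2_DOMAIN2}))  # {}
    print(digest_mismatches({"sw1": SW1, "sw2": SW2_DOMAIN1, "sw3": SW3}))
```

A non-empty result points at a switch whose password or other VTP settings differ from its peers in the same domain.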


2 Comments »

  1. [...] Update: I was right about the MD5 hash using the VTP domain name in its calculation. [...]

    Pingback by Fun With VTP Passwords « CCIE Pursuit — June 29, 2007 @ 5:30 pm

  2. Hi

    Somewhat late response to your article, but only came across it now :)

    The MD5 hash is a hash of the vtp configuration.
    Changing the vtp pruning & version on vtp server also changes the md5 digest.

    It is surprising that this info is not made clearer on the Cisco website but what is mentioned under the command ref for sh vtp status is:

    ============
    MD5 Digest

    A 16-byte checksum of the VTP configuration.
    ==============

    Comment by Roy Waterman — August 10, 2008 @ 9:50 pm

