CCIE Pursuit Blog

June 28, 2007

Fun With VTP Passwords

Filed under: Home Lab,Switching,Tech Tips,VTP — cciepursuit @ 9:34 pm

As I mentioned earlier, I did a ton of VTP labbing last weekend.  I’ll be posting some of the more interesting/strange results.  A lot of this will not be applicable to the lab, but you may come across some of this in real life.  I’ve never worked on a network that actually ran VTP except for using the domain name to identify LANs for CiscoWorks (all of the switches were in transparent mode).  I’ve never run VTP server/client in a production network and my only experience with that type of setup was during my CCNP studies.  ‘Nuff said, on to my adventures with the VTP password.

1) The VTP password can be set from the privileged exec mode:

sw4#sh vtp pass
The VTP password is not configured.
sw4#vtp pass MYPASSWORD
Setting device VLAN database password to MYPASSWORD
sw4#sh vtp pass
VTP Password: MYPASSWORD

2) It makes sense that the VTP password can be removed from privileged exec mode as well:

sw4#sh vtp password
VTP Password: MYPASSWORD
sw4#no vtp password
Clearing device VLAN database password.
sw4#sh vtp password
The VTP password is not configured.

3) You cannot set a VTP password without first configuring a VTP domain.  This makes sense: the password only means something within a VTP domain, since a switch only exchanges (and authenticates) VTP advertisements with switches in the same domain:

No VTP domain, no VTP password:
sw4#vtp pass MYPASSWORD
 %The VTP password cannot be set for NULL domain
sw4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
sw4(config)#vtp domain CISCO
Changing VTP domain name from NULL to CISCO
sw4(config)#^Z
*Mar  1 12:58:08: %SYS-5-CONFIG_I: Configured from console by console

We can set the VTP password after setting the VTP domain:
sw4#vtp pass MYPASSWORD
Setting device VLAN database password to MYPASSWORD
sw4#sh vtp password
VTP Password: MYPASSWORD

4) The MD5 digest shown by “show vtp status” is different on a factory-default switch (no domain, no password) than on a switch with a domain configured and the password cleared (“no vtp password”), even though neither case has a password set:

Default switch VTP status:
sw4#sh vtp statu
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

VTP status after VTP password cleared (“no vtp pass”):
sw4#sh vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CISCO
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xD3 0x78 0x41 0xC8 0x35 0x56 0x89 0x97
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

MD5 digest (default, NULL domain)           : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
MD5 digest (domain CISCO, password cleared) : 0xD3 0x78 0x41 0xC8 0x35 0x56 0x89 0x97

I think that the reason for this is that the switch uses the VTP domain name in its calculation of the VTP MD5 hash.  I think a way to prove this would be to set up two (default) switches in different VTP domains with the same password and then compare the MD5 hashes.  I’ll try this tomorrow and drop the results into this entry.

Update: I was right about the MD5 hash using the VTP domain name in its calculation.
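As an added example (this is not code from the original post), here is a small Python script that parses “show vtp status” output from several switches and checks the two things this entry is about: whether a switch is still in the NULL domain (so no VTP password can be set on it) and whether switches that claim the same domain actually advertise the same MD5 digest. The two sw4 captures are the ones from this entry; sw5 is a constructed, hypothetical client whose digest does not match.

```python
"""Parse "show vtp status" from several switches and flag domain/digest
inconsistencies.  Added example; not code from the CCIE Pursuit post."""
import re
from typing import Dict, List

# Sample captures.  The two sw4 captures are from the post; sw5 is
# constructed: a hypothetical client that claims domain CISCO but advertises
# a different digest (what a wrong password or an out-of-sync VLAN database
# looks like).  sw5 is trimmed to the fields the checker needs.
CAPTURES: Dict[str, str] = {
    "sw4-default": """\
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
""",
    "sw4": """\
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CISCO
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xD3 0x78 0x41 0xC8 0x35 0x56 0x89 0x97
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
""",
    "sw5": """\
VTP Version                     : 2
Configuration Revision          : 0
VTP Operating Mode              : Client
VTP Domain Name                 : CISCO
MD5 digest                      : 0x1A 0x2B 0x3C 0x4D 0x5E 0x6F 0x70 0x81
""",
}

# Only "Key : value" lines match; the trailing "Configuration last modified
# by ..." and "Local updater ID ..." lines have no such separator and are
# skipped.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>.*)$")


def parse_vtp_status(text: str) -> Dict[str, str]:
    """Return the "Key : value" fields of one show vtp status capture."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def digest_bytes(fields: Dict[str, str]) -> bytes:
    """Convert the printed '0x57 0xCD ...' digest into bytes for comparison."""
    return bytes(int(tok, 16) for tok in fields["MD5 digest"].split())


def check_domain_consistency(captures: Dict[str, str]) -> List[str]:
    """Group switches by VTP domain and report anything that needs attention:
    a NULL domain (no password can be set there), or switches in the same
    domain whose digests differ, which means they are not accepting each
    other's advertisements as authentic."""
    parsed = {name: parse_vtp_status(text) for name, text in captures.items()}
    by_domain: Dict[str, List[str]] = {}
    for name, fields in parsed.items():
        by_domain.setdefault(fields.get("VTP Domain Name", ""), []).append(name)

    findings: List[str] = []
    for domain, members in by_domain.items():
        if domain == "":
            findings.extend(
                f"{n}: NULL VTP domain, no VTP password possible" for n in members
            )
            continue
        digests = {digest_bytes(parsed[n]).hex() for n in members}
        if len(digests) > 1:
            findings.append(
                f"domain {domain}: MD5 digest differs across {sorted(members)} "
                "(VTP password or VLAN database out of sync)"
            )
    return findings


if __name__ == "__main__":
    for finding in check_domain_consistency(CAPTURES):
        print(finding)
```

If two switches in the same domain still show different digests after they have had time to sync, the usual causes are a mismatched VTP password (it is case sensitive) or a VLAN database that has not synchronised; “show vtp password” on both switches is the quickest way to rule out the first.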

5) This one is obvious from the entries above, but anyone in privileged exec mode can see the VTP password in cleartext with the “show vtp password” command.  Since a switch in VTP server or client mode does not keep the VTP configuration in the running-configuration (more on that later), this is the only way to verify the VTP password on switches running in those modes (switches in VTP transparent mode show the VTP configuration in the running-configuration).  Treat the VTP password like any other shared secret on the switch: whoever has enable access has it.

Cisco Documentation:

Configuring VTP


5 Comments »

  1. […] MD5 Hash Utilizes VTP Domain Name In a previous post, I hypothesized that VTP  takes the VTP domain name into account when calculating the VTP MD5 […]

    Pingback by VTP MD5 Hash Utilizes VTP Domain Name « CCIE Pursuit — June 29, 2007 @ 5:23 pm | Reply

  2. […] You View The VTP Password From User Mode? As I touched on in this post, anyone in exec (privileged) mode can view the VTP password on a switch: sw1#sh vtp pass VTP […]

    Pingback by Can You View The VTP Password From User Mode? « CCIE Pursuit — July 30, 2007 @ 5:06 pm | Reply

  3. Hi,

    I have a VTP question, unrelated to vtp passwords.
    I have multiple switches connected by trunks, most on the same vtp domain. Two of the switches are VTP Servers – an Agg pair, and the others are either Transparent or clients.
    What command can I use at a Transparent or Client switch, to identify the VTP Server that is managing the VLANs, that sent the last update. Thanks much, hope you can help.

    Regards,

    Comment by jb — September 17, 2007 @ 1:46 pm | Reply

  4. Hi jb.

    This is a good question. The answer is yes (with some stipulations). See the post below for more details:

    https://cciepursuit.wordpress.com/2007/09/25/vtp-which-vtp-server-generated-the-most-recent-update/

    Comment by cciepursuit — September 25, 2007 @ 5:03 pm | Reply

  5. Maybe it’s because the domain name of the switches is case sensitive…

    Comment by James — October 24, 2009 @ 11:20 am | Reply

