VLANs, VTP, DTP, and STP

Download EVE-NG Lab

Concepts: VLAN Trunk Protocol (VTP), Dynamic Trunking Protocol (DTP), and Spanning-Tree Protocol (STP)

Use-case: Centralized VLAN management, dynamic trunk negotiations, and layer-2 loop-prevention


VTP

VLAN Trunk Protocol (VTP) may prove beneficial in environments where network segmentation is consistent across a large number of switches. This could be a multi-story building, or potentially several offices that all connect back to a centralized layer 2 device. Instead of manually configuring every VLAN on each switch you deploy, you can update the VLANs on a single server switch, which then pushes the VLAN database out to all of the downstream devices.

Configuring VTP is relatively simple, but there are a few necessary components for both functionality and security:


Domain Name

This designates a logical separation of the VTP environment. You can have multiple domains within a network, but only one domain may exist on a server switch.

command:
vtp domain CISCO

Version

VTP consists of versions 1, 2 and 3.

Version 1 (Default):

  • Supports standard VLAN range 1-1001
  • Does not support token-ring VLANs
  • Transparent mode does not pass along VTP updates

Version 2 :

  • Backwards compatible with Version 1
  • Supports token-ring VLANs
  • Transparent mode will pass along VTP updates


Version 3:

  • Only backwards compatible with Version 2
  • Only the primary server is able to create/modify/delete VLANs
  • Extended, Private, and RSPAN VLANs can now be synced
  • MST is synchronized
  • VTP mode off can be used to disable VTP globally, or per interface

command:
vtp version [1|2|3]

Password


A password helps to secure the VTP environment and prevent unauthorized devices from influencing the VLAN database. Without one, joining and influencing the network is as simple as knowing the domain name; this is especially dangerous if you are also incorporating dynamic trunking.

command:
vtp password youshallnotpass

Mode

There are several modes to configure with VTP depending on the version you are running.

Versions 1 & 2              Server   Client   Transparent
Create/Modify/Delete VLANs  Yes      No       Local only
Synchronizes Self           Yes      Yes      No
Forwards Updates            Yes      Yes      Yes

Version 3                   Primary Server   Client   Transparent   Off
Create/Modify/Delete VLANs  Yes              No       Local only    Local only
Synchronizes Self           Yes              Yes      No            No
Forwards Updates            Yes              Yes      Yes           No

command:
vtp mode [server/client/transparent/off]

DTP

Dynamic Trunking Protocol (DTP) can dynamically create trunk ports when configured properly. Rather than statically configuring designated trunk ports (e.g. switchport mode trunk), we can specify that the distribution switches will always attempt a trunk, while the access layer complies if instructed to do so. In this case, we configure the access switch interface to a dynamic mode of ‘auto’ and the distribution layer interface to a mode of ‘desirable’, which forces the downstream access switch port to become a trunk since that is what the distribution side desires.

As you may be suspecting, dynamic trunking introduces a level of risk. If a malicious actor connects their device to a port that is set to desire being a trunk – well, now all of the allowed VLANs are going to be accessible. Thus, DTP is not something I have personally seen in environments I have worked with. I’d avoid using it within any given enterprise.


DTP modes

Auto – Negotiates the mode based on the remote interface setting
Desirable – If the remote interface is anything other than access, it will become a trunk

In the wild, I have not seen DTP being used intentionally. I prefer to statically configure trunks as a security posture, to prevent rogue devices from plugging in and becoming a trunk. Convenience is often accompanied by risk.

command:
switchport mode dynamic [auto/desirable]
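Putting the VTP and DTP commands above together, here is an added example (not part of the original lab) of a distribution switch acting as the VTP version 3 primary server and an access switch as a VTP client, joined by a static trunk with DTP switched off; the hostnames, VLAN IDs, interface names and password are assumed values.

```cisco
! Added example, not from the original lab. DIST-SW1 is the VTP v3
! primary server, ACCESS-SW1 a VTP client, linked by a static trunk
! with DTP disabled. Hostnames, VLANs, interfaces, password: assumed.
!
! ===== DIST-SW1 (distribution layer) =====
hostname DIST-SW1
!
vtp domain CISCO
vtp version 3
vtp password youshallnotpass
vtp mode server
! Version 3 only lets the primary server change VLANs. Promote this
! switch from privileged EXEC, not from config mode:
!   DIST-SW1# vtp primary vlan
!
vlan 10
 name USERS
vlan 20
 name VOICE
!
interface GigabitEthernet1/0/1
 description Uplink to ACCESS-SW1
 switchport mode trunk
 ! nonegotiate stops DTP frames entirely; the far end must also be static
 switchport nonegotiate
 switchport trunk allowed vlan 10,20
!
! ===== ACCESS-SW1 (access layer) =====
hostname ACCESS-SW1
!
vtp domain CISCO
vtp version 3
vtp password youshallnotpass
vtp mode client
!
interface GigabitEthernet1/0/24
 description Uplink to DIST-SW1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20
!
! User-facing ports are hard-coded access ports, so a connected device
! cannot negotiate itself into a trunk (the risk described above).
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
```

The VTP password is not shown in the running config, so confirm it with show vtp password and the trunk state with show interfaces trunk. On platforms that still support ISL, add switchport trunk encapsulation dot1q before switchport mode trunk.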

STP

Spanning-tree (STP) is a crucial component in loop prevention when there are redundant paths to a remote switch. Additionally, there are several ‘flavors’ of spanning-tree that offer unique benefits; we will look into the differences later.

With STP, we have the ability to specify which interface is used on a per-VLAN basis to distribute traffic more efficiently. When configured properly, alternate (or backup) paths will be placed in a blocking state until communication ceases on the root interface, at which point the entire spanning-tree topology will reconverge and shift traffic onto the alternate/backup path until the primary link is restored.

Ultimately, STP is a loop prevention technology that has helped to optimize traffic flow and eliminate layer-2 network loops. This is a very high-level overview of what STP accomplishes, and why it is needed in today’s networks. I look forward to diving deeper into this topic in a future post!
