Cisco VLAN Trunking Protocol Vulnerability

Similar Messages

• Vlan trunk problem

  Hi,
  Im configuring a vlan trunk between 2 switches but I'm having a problem somehow.
  Switch 1 a Cisco 3750G n
  name: alrswcc00
  interface GigabitEthernet1/0/28
   description Uplink Alrswcc20
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 1-30
   switchport mode trunk
  end
  Name: Gi1/0/28
  Switchport: Enabled
  Administrative Mode: trunk
  Operational Mode: trunk
  Administrative Trunking Encapsulation: dot1q
  Operational Trunking Encapsulation: dot1q
  Negotiation of Trunking: On
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 1 (default)
  Administrative Native VLAN tagging: enabled
  Voice VLAN: none
  Administrative private-vlan host-association: none
  Administrative private-vlan mapping: none
  Administrative private-vlan trunk native VLAN: none
  Administrative private-vlan trunk Native VLAN tagging: enabled
  Administrative private-vlan trunk encapsulation: dot1q
  Administrative private-vlan trunk normal VLANs: none
  Administrative private-vlan trunk private VLANs: none
  Operational private-vlan: none
  Trunking VLANs Enabled: 1-30
  Pruning VLANs Enabled: 2-1001
  Capture Mode Disabled
  Capture VLANs Allowed: ALL
  Switch 2 a Cisco 2960S
  name: alrswcc20
  interface GigabitEthernet1/0/25
   description Uplink Alrswcc00
   switchport trunk allowed vlan 1-30
   switchport mode trunk
  end
  Name: Gi1/0/24
  Switchport: Enabled
  Administrative Mode: trunk
  Operational Mode: trunk
  Administrative Trunking Encapsulation: dot1q
  Operational Trunking Encapsulation: dot1q
  Negotiation of Trunking: On
  Access Mode VLAN: 1 (default)
  Trunking Native Mode VLAN: 10 (Inactive)
  Administrative Native VLAN tagging: enabled
  Voice VLAN: none
  Administrative private-vlan host-association: none
  Administrative private-vlan mapping: none
  Administrative private-vlan trunk native VLAN: none
  Administrative private-vlan trunk Native VLAN tagging: enabled
  Administrative private-vlan trunk encapsulation: dot1q
  Administrative private-vlan trunk normal VLANs: none
  Administrative private-vlan trunk associations: none
  Administrative private-vlan trunk mappings: none
  Operational private-vlan: none
  Trunking VLANs Enabled: 10,20,30,40
  Pruning VLANs Enabled: 2-1001
  Capture Mode Disabled
  Then lastly on switch 2 I created a port for an Ubiquiti access point with following settings.
  interface GigabitEthernet1/0/24
   switchport trunk native vlan 10
   switchport trunk allowed vlan 10,20,30,40
   switchport mode trunk
  end
  But my AP doesn't seem the get an IP. Where as if I plug it in on Switch 1 it does with the same settings.
  So I am assuming there is something wrong with my trunk. What am I doing wrong?
  Thank you,
  Michael

  Here are a couple of observations:
  1.  The switchport trunk encap dot1q command was not applied on the 2960 because 802.1q trunking is the default.  The 2960 series switches do not support ISL encapsulation, as the OP observed.  There is, therefore, no need to manually specify the trunking protocol.  The show int g1/0/24 switchport command confirmed that trunking is working.  I find the show int g1/0/24 trunk command to be more informative in this context.  It tells you what VLANs are active and trunking between the connection.
  2.  You do need to define VLANS 2-30 on your second switch. You can do so manually or you can configure VLAN Trunking Protocol (VTP).  VTP is your easiest bet.  Example config:
  Switch 1
  sw1(config)# vtp mode server
  sw1(config)# vtp version 2
  sw1(config)# vtp domain MY_DOMAIN
  sw1(config)# vtp password MySecret
  Issue a show vtp status  in priv exce mode to very your settings.
  Switch 2
  sw2# show vtp status
  Do this command FIRST and make sure that the configuration revision number is smaller than the revision number of SW1.
  VTP Operating Mode                : Client
  Maximum VLANs supported locally   : 255
  Number of existing VLANs          : 25
  Configuration Revision            : 174
  If config revision on SW2 is greater than config revision of SW1, then issue following command:
  SW2(config)# vtp domain bogus
  SW2(config)# vtp domain MY_Domain
  SW2(config)# do show vtp status
  Your config revision should go back to zero.
  Now issue the same commands on SW2. 
  SW2(config)# vtp version 2  (pretty sure that is default, but I issue it anyway)
  SW2(config)# vtp mode client (means you cannot define VLANs on this switch.  Most admins prefer that only one switch be capable of creating VLANs).
  SW2(config)# do sh vtp status
  The config revision was important because injecting a switch into your network that has a higher VTP revision can overwrite your existing VLAN database.  If that happens, chances are that most of your network traffic will cease to function as all of your access ports will be in a VLAN mismatch mode.

• VLAN trunking from Cisco Catalyst 3750 to Cisco SF300-48P issue and related

  Hello expert,
  I'm having difficulties to configure VLAN trunking between Cisco Catalyst 3750 switch with Cisco SF300-48P switch and my workstation unable to get any DHCP IP from our DHCP server via Cisco SF300-48P switch. Below is the snippet of configuration on both switches:
  [Cisco Catalyst 3750 Switch]
  interface GigabitEthernet1/0/45
   description NCC-CC-1stFlr
   no switchport trunk encapsulation dot1q
   no switchport trunk allowed vlan 101-103
   spanning-tree portfast
  [Cisco SF300-48P Switch]
  interface fastethernet48
   spanning-tree link-type point-to-point
   switchport trunk allowed vlan add 101-103
   macro description switch
   !next command is internal.
   macro auto smartport dynamic_type switch
  interface fastethernet29
   switchport mode general
   switchport general allowed vlan add 103 tagged
   switchport general pvid 103
  Are these are correct? Kindly advice!
  Thank you very much!
  Regards,
  Alex

  Hi Alex,
  for the trunk port on Catalyst on port GE 1/0/45, we need to enable the trunk and for on encapsulation dot1q because this catalyst model is ISL capable also and the SF300 working only with Dot1q Encapsultion
  The configuration on catalyst should :
  #config terminal
  #interface Gi 1/0/45
  # switchport encapsulation 
  #switchport trunk encapsulation dot1q
  #switchport mode trunk 
  #switchport trunk allowed vlan 101-103
  #spanning-tree portfast
  For SF300 the port trunk it looks fine but for the port where the PC should receive an IP address
  #interface fastethernet29
   #switchport mode access
   #switchport ccess vlan 103
  Please let me know after this configuration
  Thanks
  Mehdi
  Please rate or mark as answered to help other Cisco Customers

• What trunking protocols are supported by the Cisco AP1200 series

  Guys,
  What trunking protocols are supported by the Cisco AP1200 series?
  Advanved thanking for your reply

  Has to be a dot1q encapsulation.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Does the 8540 support VLAN Trunking

  I would like to VLAN trunk four VLANs(8540 bridge-groups) from an 8540 switch router to a Cat 5000. I have not seen in Cisco's documentation anything that indicates that the 8540 supports VLAN trunking.

  8540 supports both ISL and 802.1q VLAN trunking
  http://www.cisco.com/univercd/cc/td/doc/product/atm/c8540/12_1/pereg_1/quick_cg/layer3.htm#39775

• VLAN Trunking and GVRP

  Decided we'd give the Cisco 300 series switches a try and see
  what we think about them compared to our Cisco Catalyst 2960 switches.
  I'm already stumped on setting up VLAN trunking between 4 switches. Do I have to manually setup all the VLAN's on each switch? I set them up on the first switch and was expecting GVRP would propagate them to the others like VTP.
  Denny

  Decided we'd give the Cisco 300 series switches a try and see
  what we think about them compared to our Cisco Catalyst 2960 switches.
  I'm already stumped on setting up VLAN trunking between 4 switches. Do I have to manually setup all the VLAN's on each switch? I set them up on the first switch and was expecting GVRP would propagate them to the others like VTP.
  Denny

• How many VLANs supported via MACsec VLAN-trunk link?

  Hi,
  Any one know how many VLANs maximum allowed across a MACsec link between two C6500 with Sup2Ts or between two N7K respectively?
  As far as I know, C3750X has limitation of 8 VLANs, according to
  •Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/trustsec.html
  Thanks,
  Cedar

  Hi,
  Any one know how many VLANs maximum allowed across a MACsec link between two C6500 with Sup2Ts or between two N7K respectively?
  As far as I know, C3750X has limitation of 8 VLANs, according to
  •Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/trustsec.html
  Thanks,
  Cedar

• VLAN trunk via MPLS

  Is it possible to run a VLAN trunk (DOT1Q) from a Central site to a remote over a MPLS connection?

  You can do that either by using dot1q tunnelling or port based EoMPLS. For a description of these two features, please refer to the following document:
  http://www.cisco.com/en/US/products/sw/iosswrel/ps5013/products_feature_guide09186a0080088187.html
  Hope this helps,

• SG200 vlan trunking?

  Hello,
  does SG200 supoort VLAN Trunking?

  Hello, I think there is support:
  I found this site too which shows how to configure it: http://lachlanmiskin.com/blog/2012/08/01/cisco-sg-200-08-trunking/
  Cisco's datasheet says it supports tagging 802.1q.
  http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps11229/data_sheet_c78-667827.html
  Hope this helps.
  Please rate useful posts and remember to mark any solved questions as answered. Thank you.

• VLAN trunking newbie SRW208MP to SRW2008MP

  Hello All,
  Just need a simple setup - 2 VLANs, a few ports each, on each unit, trunked together (ultimately on SFP module). Tried what seems to be right but (natch) not working. Just need simple guidelines to see where am going wrong. Thanks!

  OK, well, using that example, as well as another thread here (Cisco SLM224P
  VLAN TRUNKING), I reset and redid all the VLAN related settings.
  There are 2 subnets in play here -
  10.51.0.0/255.255.252.0 - VLAN 1 - Used as the Management VLAN.
  10.51.4.0/255.255.255.0 - VLAN 5 - A subnet for Wireless LAN POE connection and management.
  And 2 switches -
  198 is a SRW208MP, remote unit. will have single WAP and various devices.
  199 is a SRW2008MP, at head end near subnet(s) source. Will have up to 4 WAPs and the
  connections required to provide for both subnets.
  For purposes of discussion, the planned fiber SFP interconnect is being played by a copper trunk.
  Setups follow:
  198 VLANs-
  198 Port Setting-
  198 Ports to VLAN 1-
  198 Ports to VLAN 5-
  198 VLAN to Ports-
  Unit 2 - 199
  199 VLANs-
  199 Port Settings-
  199 Ports to VLAN 1-
  199 Ports to VLAN 5-
  199 VLAN to Ports-
  The configuration as posted does not provide the expected results.
  I am convinced I am overlooking something simple. Usually is!
  The net results are that the Management VLAN (1) is present and accounted for on both switches, but that could even be because they are acting as switches do.
  The VLAN 5, however, does not function at either end. The 'Local' switch, 199, shows traffic on the WAP ports but no traffic of any consequence is traversing and the WAPs are nonresponsive.
  Ditto Remote switch. Management VLAN yes, 5 VLAN no.
  Any suggestions greatly appreciated.

• CE-500 VLAN trunks

  I have not been able to configure a VLAN trunk at a CE-500. I configure the port using CNA as router and specify the native VLAN, but I do not know where to specify the allowed VLANs. The port is connected to a Cisco Router with sub-interfaced configured. When I click on "modify" the smartport, an small windows quicky opens and closes, only leaving an option for the native VLAN. What am I doing wrong? How do I specify a port as a trunk port?
  Thanks a lot for the help.
  Juan S

  I believe you are aware of creating the standard Cisco IOS procedure for creating VLAN trunks.
  under the interface configuration mode, in which you need to create a trunk,
  switchport mode trunk
  switchport mode trunk encapsulation isl/dot1q
  switchport mode trunk native vlan
  switchport mode trunk allowed vlans
  But if you are already using these commands correctly, still you have the problem, I want you to let me know the following informations.
  1. What error message you receive at the console while implementing trunking?
  2. What is the other end device with which you are trying to establish trunk?.

• Catalyst 2960 - IBM/Cisco IGESM - Trunk port configuration

  Good day all!
  I am new in Cisco world and try to configure a trunk between a Catalyst 2960 switch and a IBM Blade Center IGESM switch (manifactured by Cisco).
  Unfortunately, it seems that the network traffic doesn't cross the trunk link.
  I have followed (at least, I think so) the instructions given on the different Cisco documentation papers but I can't find the mistake in my configuration (lack of experience :-( !).
  Both switches are using IOS. 2960 uses IOS 12.2(25)FX and IGESM uses IOS 12.2(22)EA8.
  The ports are connected through a cross-over cable Cat5e.
  Please find below the configuration for each ports:
  Catalyst 2960:
  Name: Gi0/1
  Switchport: Enabled
  Administrative Mode: trunk
  Operational Mode: trunk
  Administrative Trunking Encapsulation: dot1q
  Operational Trunking Encapsulation: dot1q
  Negotiation of Trunking: On
  Access Mode VLAN: 200 (Workstation VLAN)
  Trunking Native Mode VLAN: 200 (Workstation VLAN)
  Administrative Native VLAN tagging: enabled
  Voice VLAN: none
  Administrative private-vlan host-association: none
  Administrative private-vlan mapping: none
  Administrative private-vlan trunk native VLAN: none
  Administrative private-vlan trunk Native VLAN tagging: enabled
  Administrative private-vlan trunk encapsulation: dot1q
  Administrative private-vlan trunk normal VLANs: none
  Administrative private-vlan trunk private VLANs: none
  Operational private-vlan: none
  Trunking VLANs Enabled: 1,99,200
  Pruning VLANs Enabled: 2-1001
  Capture Mode Disabled
  Capture VLANs Allowed: ALL
  Protected: false
  Unknown unicast blocked: disabled
  Unknown multicast blocked: disabled
  Appliance trust: none
  IBM/Cisco IGESM:
  Name: Gi0/20
  Switchport: Enabled
  Administrative Mode: trunk
  Operational Mode: trunk
  Administrative Trunking Encapsulation: dot1q
  Operational Trunking Encapsulation: dot1q
  Negotiation of Trunking: On
  Access Mode VLAN: 200 (Workstation VLAN)
  Trunking Native Mode VLAN: 200 (Workstation VLAN)
  Voice VLAN: none
  Administrative private-vlan host-association: none
  Administrative private-vlan mapping: none
  Administrative private-vlan trunk native VLAN: none
  Administrative private-vlan trunk encapsulation: dot1q
  Administrative private-vlan trunk normal VLANs: none
  Administrative private-vlan trunk private VLANs: none
  Operational private-vlan: none
  Trunking VLANs Enabled: 1,99,200
  Pruning VLANs Enabled: 2-1001
  Capture Mode Disabled
  Capture VLANs Allowed: ALL
  Protected: false
  Unknown unicast blocked: disabled
  Unknown multicast blocked: disabled
  Appliance trust: none
  For my test, I try to ping a blade (connected to IGESM) in VLAN 200 from a workstation connected to Catalyst 2960 (in VLAN 200 too). From a network anaylser (ethereal), I can see the ARP broadcast from each side but none are going across the trunk link.
  I am a bit lost about this problem and would be grateful for any assistance in solving it!
  Many, many thanks in advance for your time!
  Best regards,
  Fabian

  Hi Glen!
  Both switches (Catalyst 2960 & IGESM) are brand new and most ports are still reflecting manufacturer's default configuration. Vlan 2 is the default native vlan for IGESM ports (excluding ports used for switch management which use vlan 1 as most Cisco switches).
  I changed the native vlan for g0/5 on IGESM to 200. Now, ports g0/5 (access mode) and g0/20 (trunk mode) are on native vlan 200. On g0/5 is installed Windows 2003 instance (firewall disabled). The only purpose is to receive and send ping request to test connectivity.
  My workstation is connected to 2960 switch on port fa0/1 (please find the configuration below). I can successfully ping other vlan 200 machines connected on the same switch. For testing purpose, I try to ping the blade machine connected on port g0/5 on IGESM.
  Configuration of fa0/1:
  Name: Fa0/1
  Switchport: Enabled
  Administrative Mode: dynamic auto
  Operational Mode: static access
  Administrative Trunking Encapsulation: dot1q
  Operational Trunking Encapsulation: native
  Negotiation of Trunking: On
  Access Mode VLAN: 200 (Workstation VLAN)
  Trunking Native Mode VLAN: 200 (Workstation VLAN)
  Administrative Native VLAN tagging: enabled
  Voice VLAN: none
  Administrative private-vlan host-association: none
  Administrative private-vlan mapping: none
  Administrative private-vlan trunk native VLAN: none
  Administrative private-vlan trunk Native VLAN tagging: enabled
  Administrative private-vlan trunk encapsulation: dot1q
  Administrative private-vlan trunk normal VLANs: none
  Administrative private-vlan trunk private VLANs: none
  Operational private-vlan: none
  Trunking VLANs Enabled: ALL
  Pruning VLANs Enabled: 2-1001
  Capture Mode Disabled
  Capture VLANs Allowed: ALL
  Protected: false
  Unknown unicast blocked: disabled
  Unknown multicast blocked: disabled
  Appliance trust: none
  Is there any other information I could provide to better help you to understand the configuration?
  Cheers!
  Fabian

• Dynamic Trunking Protocol and ports mode

  ((Dynamic Trunking Protocol (DTP), as the name implies, is the protocol used to automatically negotiate a trunk link.
  DTP supports the auto negotiation of both ISL and 802.1q.
  By default all ports on the Catalyst 3550 are dynamic desirable ports which will aggressively attempt to negotiate trunking through DTP.
  To disable DTP and the auto negotiation of trunking, issue the interface level command switchport
  nonegotiate)).
  1- How many trunk mode have we got ? one of them is negotiation,,,Do we have any other ?
  2- "By default all ports on the Catalyst 3550 are dynamic desirable ports".
  2/a- Are there any other mode for ports ?
  2/b- Is this different form one type of switch to another type ?

  "1.Diff trunk modes are on,off,desirable,negotiate".
  Does DTP decide which mode to be used (chose one out of 5)?
  "2/a. Diff modes of ports are, access, trunk, dynamic desirable. "
  does that mean the dynamic desirable can be either access or trunk port ?
  I get confused between three different interface mode :
  1- switchports----can be access and trunk ports
  2- routed ports
  3- switched-virtual interface

• Encrypting vlan-trunk traffic between switches

  Hi,
  Can anyone guide me to some papers or other resources on how to encrypt traffic between 2 switches. The switchces will be connected with fiber and use dot-1q tagging. And I wan't to encrypt all of the trunked traffic.
  I was thinking of L2TP, but I haven't found any good description on how to implement this. I have two 3750 switches I thought I might use.
  Thanks for any input,
  Regards,
  Oyvind Mathiesen
  mnemonic
  Norway

  Hi,
  Thanks for the response. I had a look at MACsec and it looks good. I would have liked to employ something P2P though, to also limit the ammount of MAC addresses broadcasted on the "wire". But let me first give you an understanding of the task:
  We have two sites, connected via fibre and we want to create a VLAN trunk across and order to expand the broadcast domains to te other site.
  The IDIOT carrier, has a limitation on the number of MAC addresses they allow on the fibre service, 100.
  We also need to encrypt the datatraversing this connectivity.
  MACsec wuold work 100% exept the source and dstination MAC addresses are still sent (at least according to https://docs.google.com/viewer?a=v&q=cache:LEf2qOmYZyYJ:www.ieee802.org/1/files/public/docs2011/bn-hutchison-macsec-sample-packets-0511.pdf+&hl=en&gl=za&pid=bl&srcid=ADGEESgmAHXpDOY0RBAE-Rv1HDpu_C_gkeSPN4cv6NGgyP0M1aXVu0UqzCfxo8t_P41ep6J37k4OLKnjfp1M9hoTDHxY22WGz2h7yB7YRLyPvRUbGS8TICzvEMlG92xqbhy6RWFugmnj&sig=AHIEtbTfu0LQIJejdYidE6yzq4lpPifxjQ
  And that would cause me to eat into the 100 MAC limit.
  Ridiculous I know, but we are looking for an out-of-the-norm plan...
  Thanks

• Cisco Security Manager is vulnerable to CVE-2014-0160 - aka Heartbleed

  Dear All,
                We have CSM 4.4.0 SP2 patch 1 installed with no default configuration.
  According to cisco, CSM is under Vulnerable Products list with cisco bug ID CSCuo19265. 
  Do I need to take any action for my CSM ?
  Thanks & Regards
  Ahmed...

  Im not sure if that's true. the release notes don't state anything about fixing that big. and also looking at the opensource licenses PDF for 4.6.0 it states OpenSSL version: 1.0.1e (which is the same version as 4.5.0 and all versions 1a through 1f are vulnerable).
  I would find it very odd they didn't fix it considering it was released just yesterday.