Cisco VLAN Trunking Protocol Vulnerability
I have got a cisco 2821 model router with a c2800nm-advipservicesk9-mz.151-2.T4 IOS, and was reported with 'Cisco VLAN Trunking Protocol Vulnerability'.
Though the device is in server mode, I do not have any domain name or trunk port configured.
Is my device really vulnerable? If yes, whats next?
Hi Alex,
for the trunk port on Catalyst on port GE 1/0/45, we need to enable the trunk and for on encapsulation dot1q because this catalyst model is ISL capable also and the SF300 working only with Dot1q Encapsultion
The configuration on catalyst should :
#config terminal
#interface Gi 1/0/45
# switchport encapsulation
#switchport trunk encapsulation dot1q
#switchport mode trunk
#switchport trunk allowed vlan 101-103
#spanning-tree portfast
For SF300 the port trunk it looks fine but for the port where the PC should receive an IP address
#interface fastethernet29
#switchport mode access
#switchport ccess vlan 103
Please let me know after this configuration
Thanks
Mehdi
Please rate or mark as answered to help other Cisco Customers
Similar Messages
-
Hi,
Im configuring a vlan trunk between 2 switches but I'm having a problem somehow.
Switch 1 a Cisco 3750G n
name: alrswcc00
interface GigabitEthernet1/0/28
description Uplink Alrswcc20
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-30
switchport mode trunk
end
Name: Gi1/0/28
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 1-30
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Switch 2 a Cisco 2960S
name: alrswcc20
interface GigabitEthernet1/0/25
description Uplink Alrswcc00
switchport trunk allowed vlan 1-30
switchport mode trunk
end
Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 10 (Inactive)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 10,20,30,40
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Then lastly on switch 2 I created a port for an Ubiquiti access point with following settings.
interface GigabitEthernet1/0/24
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30,40
switchport mode trunk
end
But my AP doesn't seem the get an IP. Where as if I plug it in on Switch 1 it does with the same settings.
So I am assuming there is something wrong with my trunk. What am I doing wrong?
Thank you,
MichaelHere are a couple of observations:
1. The switchport trunk encap dot1q command was not applied on the 2960 because 802.1q trunking is the default. The 2960 series switches do not support ISL encapsulation, as the OP observed. There is, therefore, no need to manually specify the trunking protocol. The show int g1/0/24 switchport command confirmed that trunking is working. I find the show int g1/0/24 trunk command to be more informative in this context. It tells you what VLANs are active and trunking between the connection.
2. You do need to define VLANS 2-30 on your second switch. You can do so manually or you can configure VLAN Trunking Protocol (VTP). VTP is your easiest bet. Example config:
Switch 1
sw1(config)# vtp mode server
sw1(config)# vtp version 2
sw1(config)# vtp domain MY_DOMAIN
sw1(config)# vtp password MySecret
Issue a show vtp status in priv exce mode to very your settings.
Switch 2
sw2# show vtp status
Do this command FIRST and make sure that the configuration revision number is smaller than the revision number of SW1.
VTP Operating Mode : Client
Maximum VLANs supported locally : 255
Number of existing VLANs : 25
Configuration Revision : 174
If config revision on SW2 is greater than config revision of SW1, then issue following command:
SW2(config)# vtp domain bogus
SW2(config)# vtp domain MY_Domain
SW2(config)# do show vtp status
Your config revision should go back to zero.
Now issue the same commands on SW2.
SW2(config)# vtp version 2 (pretty sure that is default, but I issue it anyway)
SW2(config)# vtp mode client (means you cannot define VLANs on this switch. Most admins prefer that only one switch be capable of creating VLANs).
SW2(config)# do sh vtp status
The config revision was important because injecting a switch into your network that has a higher VTP revision can overwrite your existing VLAN database. If that happens, chances are that most of your network traffic will cease to function as all of your access ports will be in a VLAN mismatch mode. -
VLAN trunking from Cisco Catalyst 3750 to Cisco SF300-48P issue and related
Hello expert,
I'm having difficulties to configure VLAN trunking between Cisco Catalyst 3750 switch with Cisco SF300-48P switch and my workstation unable to get any DHCP IP from our DHCP server via Cisco SF300-48P switch. Below is the snippet of configuration on both switches:
[Cisco Catalyst 3750 Switch]
interface GigabitEthernet1/0/45
description NCC-CC-1stFlr
no switchport trunk encapsulation dot1q
no switchport trunk allowed vlan 101-103
spanning-tree portfast
[Cisco SF300-48P Switch]
interface fastethernet48
spanning-tree link-type point-to-point
switchport trunk allowed vlan add 101-103
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
interface fastethernet29
switchport mode general
switchport general allowed vlan add 103 tagged
switchport general pvid 103
Are these are correct? Kindly advice!
Thank you very much!
Regards,
AlexHi Alex,
for the trunk port on Catalyst on port GE 1/0/45, we need to enable the trunk and for on encapsulation dot1q because this catalyst model is ISL capable also and the SF300 working only with Dot1q Encapsultion
The configuration on catalyst should :
#config terminal
#interface Gi 1/0/45
# switchport encapsulation
#switchport trunk encapsulation dot1q
#switchport mode trunk
#switchport trunk allowed vlan 101-103
#spanning-tree portfast
For SF300 the port trunk it looks fine but for the port where the PC should receive an IP address
#interface fastethernet29
#switchport mode access
#switchport ccess vlan 103
Please let me know after this configuration
Thanks
Mehdi
Please rate or mark as answered to help other Cisco Customers -
What trunking protocols are supported by the Cisco AP1200 series
Guys,
What trunking protocols are supported by the Cisco AP1200 series?
Advanved thanking for your replyHas to be a dot1q encapsulation.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered" -
Does the 8540 support VLAN Trunking
I would like to VLAN trunk four VLANs(8540 bridge-groups) from an 8540 switch router to a Cat 5000. I have not seen in Cisco's documentation anything that indicates that the 8540 supports VLAN trunking.
8540 supports both ISL and 802.1q VLAN trunking
http://www.cisco.com/univercd/cc/td/doc/product/atm/c8540/12_1/pereg_1/quick_cg/layer3.htm#39775 -
Decided we'd give the Cisco 300 series switches a try and see
what we think about them compared to our Cisco Catalyst 2960 switches.
I'm already stumped on setting up VLAN trunking between 4 switches. Do I have to manually setup all the VLAN's on each switch? I set them up on the first switch and was expecting GVRP would propagate them to the others like VTP.
DennyDecided we'd give the Cisco 300 series switches a try and see
what we think about them compared to our Cisco Catalyst 2960 switches.
I'm already stumped on setting up VLAN trunking between 4 switches. Do I have to manually setup all the VLAN's on each switch? I set them up on the first switch and was expecting GVRP would propagate them to the others like VTP.
Denny -
How many VLANs supported via MACsec VLAN-trunk link?
Hi,
Any one know how many VLANs maximum allowed across a MACsec link between two C6500 with Sup2Ts or between two N7K respectively?
As far as I know, C3750X has limitation of 8 VLANs, according to
•Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/trustsec.html
Thanks,
CedarHi,
Any one know how many VLANs maximum allowed across a MACsec link between two C6500 with Sup2Ts or between two N7K respectively?
As far as I know, C3750X has limitation of 8 VLANs, according to
•Cisco TrustSec enforcement is supported only on up to eight VLANs on a VLAN-trunk link. If there are more than eight VLANs configured on a VLAN-trunk link and Cisco TrustSec enforcement is enabled on those VLANs, the switch ports on those VLAN-trunk links will be error-disabled.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_2_se/configuration/guide/3750x_cg/trustsec.html
Thanks,
Cedar -
Is it possible to run a VLAN trunk (DOT1Q) from a Central site to a remote over a MPLS connection?
You can do that either by using dot1q tunnelling or port based EoMPLS. For a description of these two features, please refer to the following document:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5013/products_feature_guide09186a0080088187.html
Hope this helps, -
Hello,
does SG200 supoort VLAN Trunking?Hello, I think there is support:
I found this site too which shows how to configure it: http://lachlanmiskin.com/blog/2012/08/01/cisco-sg-200-08-trunking/
Cisco's datasheet says it supports tagging 802.1q.
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps11229/data_sheet_c78-667827.html
Hope this helps.
Please rate useful posts and remember to mark any solved questions as answered. Thank you. -
VLAN trunking newbie SRW208MP to SRW2008MP
Hello All,
Just need a simple setup - 2 VLANs, a few ports each, on each unit, trunked together (ultimately on SFP module). Tried what seems to be right but (natch) not working. Just need simple guidelines to see where am going wrong. Thanks!OK, well, using that example, as well as another thread here (Cisco SLM224P
VLAN TRUNKING), I reset and redid all the VLAN related settings.
There are 2 subnets in play here -
10.51.0.0/255.255.252.0 - VLAN 1 - Used as the Management VLAN.
10.51.4.0/255.255.255.0 - VLAN 5 - A subnet for Wireless LAN POE connection and management.
And 2 switches -
198 is a SRW208MP, remote unit. will have single WAP and various devices.
199 is a SRW2008MP, at head end near subnet(s) source. Will have up to 4 WAPs and the
connections required to provide for both subnets.
For purposes of discussion, the planned fiber SFP interconnect is being played by a copper trunk.
Setups follow:
198 VLANs-
198 Port Setting-
198 Ports to VLAN 1-
198 Ports to VLAN 5-
198 VLAN to Ports-
Unit 2 - 199
199 VLANs-
199 Port Settings-
199 Ports to VLAN 1-
199 Ports to VLAN 5-
199 VLAN to Ports-
The configuration as posted does not provide the expected results.
I am convinced I am overlooking something simple. Usually is!
The net results are that the Management VLAN (1) is present and accounted for on both switches, but that could even be because they are acting as switches do.
The VLAN 5, however, does not function at either end. The 'Local' switch, 199, shows traffic on the WAP ports but no traffic of any consequence is traversing and the WAPs are nonresponsive.
Ditto Remote switch. Management VLAN yes, 5 VLAN no.
Any suggestions greatly appreciated. -
I have not been able to configure a VLAN trunk at a CE-500. I configure the port using CNA as router and specify the native VLAN, but I do not know where to specify the allowed VLANs. The port is connected to a Cisco Router with sub-interfaced configured. When I click on "modify" the smartport, an small windows quicky opens and closes, only leaving an option for the native VLAN. What am I doing wrong? How do I specify a port as a trunk port?
Thanks a lot for the help.
Juan SI believe you are aware of creating the standard Cisco IOS procedure for creating VLAN trunks.
under the interface configuration mode, in which you need to create a trunk,
switchport mode trunk
switchport mode trunk encapsulation isl/dot1q
switchport mode trunk native vlan
switchport mode trunk allowed vlans
But if you are already using these commands correctly, still you have the problem, I want you to let me know the following informations.
1. What error message you receive at the console while implementing trunking?
2. What is the other end device with which you are trying to establish trunk?. -
Catalyst 2960 - IBM/Cisco IGESM - Trunk port configuration
Good day all!
I am new in Cisco world and try to configure a trunk between a Catalyst 2960 switch and a IBM Blade Center IGESM switch (manifactured by Cisco).
Unfortunately, it seems that the network traffic doesn't cross the trunk link.
I have followed (at least, I think so) the instructions given on the different Cisco documentation papers but I can't find the mistake in my configuration (lack of experience :-( !).
Both switches are using IOS. 2960 uses IOS 12.2(25)FX and IGESM uses IOS 12.2(22)EA8.
The ports are connected through a cross-over cable Cat5e.
Please find below the configuration for each ports:
Catalyst 2960:
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 200 (Workstation VLAN)
Trunking Native Mode VLAN: 200 (Workstation VLAN)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 1,99,200
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
IBM/Cisco IGESM:
Name: Gi0/20
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 200 (Workstation VLAN)
Trunking Native Mode VLAN: 200 (Workstation VLAN)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 1,99,200
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
For my test, I try to ping a blade (connected to IGESM) in VLAN 200 from a workstation connected to Catalyst 2960 (in VLAN 200 too). From a network anaylser (ethereal), I can see the ARP broadcast from each side but none are going across the trunk link.
I am a bit lost about this problem and would be grateful for any assistance in solving it!
Many, many thanks in advance for your time!
Best regards,
FabianHi Glen!
Both switches (Catalyst 2960 & IGESM) are brand new and most ports are still reflecting manufacturer's default configuration. Vlan 2 is the default native vlan for IGESM ports (excluding ports used for switch management which use vlan 1 as most Cisco switches).
I changed the native vlan for g0/5 on IGESM to 200. Now, ports g0/5 (access mode) and g0/20 (trunk mode) are on native vlan 200. On g0/5 is installed Windows 2003 instance (firewall disabled). The only purpose is to receive and send ping request to test connectivity.
My workstation is connected to 2960 switch on port fa0/1 (please find the configuration below). I can successfully ping other vlan 200 machines connected on the same switch. For testing purpose, I try to ping the blade machine connected on port g0/5 on IGESM.
Configuration of fa0/1:
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 200 (Workstation VLAN)
Trunking Native Mode VLAN: 200 (Workstation VLAN)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Is there any other information I could provide to better help you to understand the configuration?
Cheers!
Fabian -
Dynamic Trunking Protocol and ports mode
((Dynamic Trunking Protocol (DTP), as the name implies, is the protocol used to automatically negotiate a trunk link.
DTP supports the auto negotiation of both ISL and 802.1q.
By default all ports on the Catalyst 3550 are dynamic desirable ports which will aggressively attempt to negotiate trunking through DTP.
To disable DTP and the auto negotiation of trunking, issue the interface level command switchport
nonegotiate)).
1- How many trunk mode have we got ? one of them is negotiation,,,Do we have any other ?
2- "By default all ports on the Catalyst 3550 are dynamic desirable ports".
2/a- Are there any other mode for ports ?
2/b- Is this different form one type of switch to another type ?"1.Diff trunk modes are on,off,desirable,negotiate".
Does DTP decide which mode to be used (chose one out of 5)?
"2/a. Diff modes of ports are, access, trunk, dynamic desirable. "
does that mean the dynamic desirable can be either access or trunk port ?
I get confused between three different interface mode :
1- switchports----can be access and trunk ports
2- routed ports
3- switched-virtual interface -
Encrypting vlan-trunk traffic between switches
Hi,
Can anyone guide me to some papers or other resources on how to encrypt traffic between 2 switches. The switchces will be connected with fiber and use dot-1q tagging. And I wan't to encrypt all of the trunked traffic.
I was thinking of L2TP, but I haven't found any good description on how to implement this. I have two 3750 switches I thought I might use.
Thanks for any input,
Regards,
Oyvind Mathiesen
mnemonic
NorwayHi,
Thanks for the response. I had a look at MACsec and it looks good. I would have liked to employ something P2P though, to also limit the ammount of MAC addresses broadcasted on the "wire". But let me first give you an understanding of the task:
We have two sites, connected via fibre and we want to create a VLAN trunk across and order to expand the broadcast domains to te other site.
The IDIOT carrier, has a limitation on the number of MAC addresses they allow on the fibre service, 100.
We also need to encrypt the datatraversing this connectivity.
MACsec wuold work 100% exept the source and dstination MAC addresses are still sent (at least according to https://docs.google.com/viewer?a=v&q=cache:LEf2qOmYZyYJ:www.ieee802.org/1/files/public/docs2011/bn-hutchison-macsec-sample-packets-0511.pdf+&hl=en&gl=za&pid=bl&srcid=ADGEESgmAHXpDOY0RBAE-Rv1HDpu_C_gkeSPN4cv6NGgyP0M1aXVu0UqzCfxo8t_P41ep6J37k4OLKnjfp1M9hoTDHxY22WGz2h7yB7YRLyPvRUbGS8TICzvEMlG92xqbhy6RWFugmnj&sig=AHIEtbTfu0LQIJejdYidE6yzq4lpPifxjQ
And that would cause me to eat into the 100 MAC limit.
Ridiculous I know, but we are looking for an out-of-the-norm plan...
Thanks -
Cisco Security Manager is vulnerable to CVE-2014-0160 - aka Heartbleed
Dear All,
We have CSM 4.4.0 SP2 patch 1 installed with no default configuration.
According to cisco, CSM is under Vulnerable Products list with cisco bug ID CSCuo19265.
Do I need to take any action for my CSM ?
Thanks & Regards
Ahmed...Im not sure if that's true. the release notes don't state anything about fixing that big. and also looking at the opensource licenses PDF for 4.6.0 it states OpenSSL version: 1.0.1e (which is the same version as 4.5.0 and all versions 1a through 1f are vulnerable).
I would find it very odd they didn't fix it considering it was released just yesterday.
Maybe you are looking for
-
Changing Apple ID - email already registered
Hi guys, I've attempted to change my apple ID to my current email address as I do not use my old one any longer. When i try to change it, apple tells me that i cannot use this email address as it is already in use. I know this new email is not in use
-
IWeb -MobileMe widget flash alternative?
I use an iMac and use iWeb to create and manage my website - it is great. I use the MobileMe widget to have photos scrolling on my page automatically - very nice... unfortunately if a visitor views my website with an iPhone or an iPad ("the ultimate
-
How to Create Graph In forms 10g
Dear All How to create a graph in Forms10G ? Can you please give a small full example step by step ?
-
Get Date x number of days before current Date
How do you subtract x number of days from a Date object? Is there a better way than int x = 28; // number of days long minisPerDay = 24 * 60 * 60 * 1000; Date newDate = new Date (oldDate.getTime() - (x * minisPerDay );
-
Filmstrip doesn't pop up on mouse over...
Only just started happening, when you hover the moue over the little up arrow icon on the filmstrip bar it just flashes brighter for a second and stays resolutely where it is! I can click the icon and the bar will expand as expected, clicking it agai