Introduction

VLAN Trunking Protocol is a Cisco exclusive convention that spreads the meaning of Virtual Local Area Networks in all neighborhoods. To do this, VTP conveys VLAN data to every one of the switches in a VTP space. VTP commercials can be sent over 802.1Q and ISL trunks.VTP is a Cisco-proprietary tool that advertises all VLANs on a switch. Suppose 4800 users are to be connected together, but one switch only contains 48 ports. So, we would need 100 such switches in order to establish the connection and would have to do the same configuration over all the 99 switches as done first. So as to avoid manual configuration over 100 switches, the dynamic configuration is done through VTP.

Conditions

The trunk must be enabled.
VTP domain/password must be the same.

Modes of VTP

There are three modes of VTP-

• Server
• Client
• Transparent

Configuration Revision Number- 

It is a 32-bit number that indicates the number of times changes are being made in the VTP packet. The number of times a VTP packet is revised, +1 is added to the configuration revision number.

A switch can only accept packets from another switch either with the same CR number or lower.
When a switch receives a packet from a lower CR number than itself, it upgrades itself to the CR number of the sender.
While the switch upgrades itself, an attack is possible. Though it can be avoided by using transparent mode (CR no.- 1).

Path Redundancy

Bridging Network is used to connect two or more different LANs which have a similar protocol.
STP (Spanning-Tree Protocol) is a layer-2 protocol
1. It is, by default, enabled on switches.
2. The key role is to prevent loop formation by using-
3. Forwarding state
4. Blocking state
5. VLAN Trunk Protocol

Election Process on Switch

When the loop is formed, the switch has the responsibility to select which packet to forward from respective ports and which to block. To perform such a task, the packets go through a root-bridge election.

Conditions for election to be in forwarding state-

1. Lowest priority
2. Lowest MAC address

Ports of the forwarding state are DP (designated port) and RP (root port), while the port available at the blocking state is BP (blocking port). There is only one RP on one switch, opposite to BP.
The packets are called BPDU (bridge protocol data unit) which are 32-bit in size.
Forwarded Delay Timer is of 0-45 seconds.
By default, all ports of switches are active.

Port Election-

On fast ethernet, the cost value is calculated in BPDU.
In case the cost value is the same, the sender port ID becomes the new criterion.

In case the initially chosen path goes down, ‘topology change’ is being performed.

STP Security

1. Security established over the root bridge to prevent STP/priority-based attack is Root Guard, while security over the non-root bridge is Loop Guard.
2. BPDU Guard blocks the port of attack, along with the user and the communication.
3. BPDU Filter- It filters priority packets rather than blocking them.

DHCP Security

Man In The Middle attack or DHCP spoofing attack is when a third unwanted party eavesdrop on the conversation between the user and application without being noticed and thus portrays the conversation as normal and secured.

Prevention-

MITM attacks could be prevented by DHCP snooping, which divides ports as trusted and untrusted. On untrusted ports, the packets are not negotiated but on trust.