Re: VTP MD5 hash changes

From: Muhabat Khan (muhabat@gmail.com)
Date: Mon Dec 29 2008 - 09:21:55 ARST

Next message: Mujeeb Sarwar: "Re: GRE Tunnel"
Previous message: Shahid Ansari: "Happy New Hijri Year - 1430"
Maybe in reply to: Muhabat Khan: "VTP MD5 hash changes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Thanks Carlos for this info....
i can summarize
info propagation
force client
to some thing else.
second: MD5 Digest
of vtp configuration

Thanks again

On Mon, Dec

> What
> For
> in the
> the
>
> This
> the
> first
>
> -Carlos
>
> Muhabat
> >
> > not synchronizing....
> >
> > SW1
> >
> > sw1#sh vtp status
> > VTP Version
> >
> >
> >
> > VTP Operating Mode
> > VTP Domain Name
> > VTP Pruning Mode
> > VTP V2 Mode
> > VTP Traps Generation
> > MD5 digest
> >
> >
> > sw1#
> > sw1#sh inter trunk
> >
> > Port Mode
> > Fa1/9 on
> > Fa1/10 on
> >
> > Port
> > Fa1/9 1-4094
> > Fa1/10 1-4094
> >
> > Port
> > Fa1/9 1,10,20,30
> > Fa1/10 1,10,20,30
> >
> > Port
> > Fa1/9 1,10,20,30
> > Fa1/10 1,10,20,30
> > sw1#
> > sw1#sh cdp nei
> >
> >
> >
> > Device ID
> ID
> > sw2
> 1/10
> > sw2
> 1/9
> > sw1#
> > sw1#sh vtp pass
> > VTP Password: CISCO
> > sw1#
> >
> > SW2
> >
> > sw2#sh vtp status
> > VTP Version
> >
> >
> >
> > VTP Operating Mode
> > VTP Domain Name
> > VTP Pruning Mode
> > VTP V2 Mode
> > VTP Traps Generation
> > MD5 digest
> >
> > sw2#
> > sw2#sh int trunk
> >
> > Port Mode
> > Fa1/9 on
> > Fa1/10 on
> >
> > Port
> > Fa1/9 1-4094
> > Fa1/10 1-4094
> >
> > Port
> > Fa1/9 1,10
> > Fa1/10 1,10
> >
> > Port
> > Fa1/9 1,10
> > Fa1/10 none
> > sw2#
> > sw2#sh cdp nei
> >
> >
> >
> > Device ID
> ID
> > sw1
> 1/10
> > sw1
> 1/9
> > sw2#
> > sw2#sh vtp pass
> > VTP Password: CISCO
> > sw2#
> >
> >
> >
> >
> >
> >
> > Not really.
> >
> >
> >
> >
> >
> change!
> >
> > -Carlos
> >
> >
> >
> back
> > > connected...
> >
> password
> >
> >
> > change and
> >
> >
> > >
> >
> sw1,
> >
> > creating
> >
> > >
> > >
> > >
> >
> >
> >
> > >
> >
> > not need
> >
> > pretend
> >
> > >
> > >
> >
> > >
> > >
> > >
> > >
> > >
> > >
> > rec ? OK!
> > >
> >
> > "check" for
> >
> > > -Carlos
> > >
> >
> >
> > means you can
> >
> > > impossible)
> >
> > force
> >
> > > >
> >
> > will not
> > > sync
> >
> vtp
> > > then how
> >
> > > >
> >
> > > >
> > > >
> >
> > > >
> >
> > > password on
> >
> > same password
> >
> > > translated
> >
> > in all
> >
> > > >
> > > >
> > >
> >
>

Next
Previous
Maybe
Messages [ date ] [ [ [ [

This archive : Thu Jan 01 2009 - 12:53:10 ARST that, in VTP domain names should match for vlan to clients and changing the domain name on server will not to get new name once its domain name has been changed from NULL (hash) is not derived only from password but is a result including domain name + password.... for clearing up the matter.............. 29, 2008 at 2:07 PM, Carlos G Mendioroz <tron@huapi.ba.ar>wrote: do you mean by synchronizing ? a client to trust a server and copy its vlan info, it has to be same domain. It follows that if you change the server domain, client, which is now in another domain, will not keep the synch. rule ONLY breaks if the client domain is "null", in which case client will blindfully believe whatever domain it hears in the vtp message, and use that from that point on. Khan @ 29/12/2008 9:01 -0200 dixit: i am really confused about this strange behavior.... SW1 and SW2 are : 2 Configuration Revision : 2 Maximum VLANs supported locally : 36 Number of existing VLANs : 8 : Server : myown : Disabled : Disabled : Disabled : 0xE5 0x45 0xEF 0x90 0x22 0x26 0x46 0xD5 Configuration last modified by 0.0.0.0 at 3-1-02 00:05:32 Local updater ID is 0.0.0.0 (no valid interface found) Encapsulation Status Native vlan 802.1q trunking 1 802.1q trunking 1 Vlans allowed on trunk Vlans allowed and active in management domain Vlans in spanning tree forwarding state and not pruned Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater Local Intrfce Holdtme Capability Platform Port Fas 1/10 155 R S I 3725 Fas Fas 1/9 155 R S I 3725 Fas : 2 Configuration Revision : 1 Maximum VLANs supported locally : 36 Number of existing VLANs : 6 : Client : CCIE : Disabled : Disabled : Disabled : 0x9C 0xEA 0x9C 0x29 0x31 0x9A 0xBC 0x9F Configuration last modified by 0.0.0.0 at 3-1-02 00:07:15 Encapsulation Status Native vlan 802.1q trunking 1 802.1q trunking 1 Vlans allowed on trunk Vlans allowed and active in management domain Vlans in spanning tree forwarding state and not pruned Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater Local Intrfce Holdtme Capability Platform Port Fas 1/10 135 R S I 3725 Fas Fas 1/9 135 R S I 3725 Fas and no synchronization................... On Mon, Dec 29, 2008 at 1:50 PM, Carlos G Mendioroz <tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>> wrote: What makes the check pass is that the hash computes correctly to whatever was transmitted, and that computation is done with the received data plus stored secret. So if you change the domain, the client is expecting the hash to Muhabat Khan @ 29/12/2008 8:44 -0200 dixit: > IF YES, then here bigger issue comes.... i have sw1 - sw2 back to > sw1 is server and sw2 is client.... both have same domain and > so hash will match.... and both will sync. > if i change domain name on sw1 (server) then hash on sw1 will > will be different than sw2, then sw2 will not get domain change > notification from sw1... and vtp sync will be broken. > BTW: changing only domain name will not change revision number on > to increase revision number we have to do some thing else, like > or deleting some dummy vlan. :) > On Mon, Dec 29, 2008 at 1:31 PM, Carlos G Mendioroz <tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> > <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>>> wrote: > If the hash was derived from the secret alone, then you would > knowing the secret. Just knowing the hash would be enough to > being someone else. That's why you "cover" actual data too. > Hash(secret+data) -> x1x2x3x4 data / x1x2x3x4 --> tx rx --> data / received hash Hash(secret+data) = > No secret (password) is transmitted, but the hash has to > message to be accepted. > Muhabat Khan @ 29/12/2008 8:23 -0200 dixit: > > First of all hashes are "always" a one way process... it > > create a hash from Secret but it is not possible (or near to > > to obtain Secret from hash, unless some one is trying brute > > or dictionary attacks. > > AFAIK if two hashes don't match on two switches then both > > (server/client mode), if hash depends upon whole config of > > both switches will sync... May be i am missing some thing. > > from Cisco > > VTP Password > > If you configure a password for VTP, you must configure the > > all switches in the VTP domain. The password must be the > > on all those switches. The VTP password that you configure is > > by algorithm into a 16-byte word (MD5 value) that is carried > > summary-advertisement VTP packets. ://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml">http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml > > On Mon, Dec 29, 2008 at 1:13 PM, Carlos G Mendioroz > <tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>> > > <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>>>> wrote: > > If the hash only depended on the password, then just > > password + hash the "password" would render the whole > > useless (Just a longer password). > > Hashes usually cover more than the "secret", and are > > authenticity to the data, not to mention an easy way to > > something has changed. To that extent may be that the > > AFAIK all the vtp config... > > -Carlos > > Muhabat Khan @ 29/12/2008 8:05 -0200 dixit: > > > In switches, VTP MD5 Hash (or MD5 digest) is derived > > password. for > > > successful interswitch vtp information synchronization. > > values > > > should match else both swiches (server/client mode) > > > each other as each packet has this hash value and only > > switch will > > > accept information if hash value of receiving packet > > > own hash value. > > > Theoretically these Hash values should be changed only > changing after > > > password but in this case hash value is being derived > > > password+domain name.... quite strange. > > > > > > two hash values are......... > > > > > > MD5 digest : 0x13 0x95 0x3A 0xE0 > > 0x5E 0x18 > > > MD5 digest : 0xC1 0x76 0xED 0x05 > > 0x10 0xC1 > > > > > > > > > > > > On Mon, Dec 29, 2008 at 12:47 PM, Carlos G Mendioroz > > <tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>> > <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>>> > > > <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>> > <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>>>>> wrote: > > > > > > What is a hash ? > > > > > > Muhabat Khan @ 29/12/2008 6:49 -0200 dixit: > > > > Hi GS, > > > > when i change a vtp domain name then hash value > > > changes.... > > > > is this normal behavior? BTW i am using dynamips > > switch. > > > > > > > > Please see below output. > > > > > > > > Configuration last modified by 0.0.0.0 at 0-0-00 > > > > sw2(config)#do sh vtp status > > > > VTP Version : 2 > > > > Configuration Revision : 0 > > > > Maximum VLANs supported locally : 36 > > > > Number of existing VLANs : 5 > > > > VTP Operating Mode : Client > > > > VTP Domain Name : null > > > > VTP Pruning Mode : Disabled > > > > VTP V2 Mode : Disabled > > > > VTP Traps Generation : Disabled > > > > MD5 digest : 0x13 0x95 0x3A > > > 0x5E 0x18 > > > > Configuration last modified by 0.0.0.0 at 0-0-00 > > > > sw2(config)#vtp > > > > sw2(config)#vtp do > > > > sw2(config)#vtp domain CCIE > > > > Changing VTP domain name from null to CCIE > > > > sw2(config)#do sh vtp status > > > > VTP Version : 2 > > > > Configuration Revision : 0 > > > > Maximum VLANs supported locally : 36 > > > > Number of existing VLANs : 5 > > > > VTP Operating Mode : Client > > > > VTP Domain Name : CCIE > > > > VTP Pruning Mode : Disabled > > > > VTP V2 Mode : Disabled > > > > VTP Traps Generation : Disabled > > > > MD5 digest : 0xC1 0x76 0xED > > > 0x10 0xC1 > > > > Configuration last modified by 0.0.0.0 at 0-0-00 > > > > > > > > > > > > Blogs and organic groups at http://www.ccie.net > > > > > > > > > > > __________________________________________________________ > > > > Subscription information may be found at: > > > > http://www.groupstudy.com/list/CCIELab.html > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > Carlos G Mendioroz <tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> > <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>> > > <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>>> > <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>> > > <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>>>>> > > > LW7 EQI Argentina > > > > > > > > Carlos G Mendioroz <tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> > <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>> <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> > <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>>>> > > LW7 EQI Argentina > Carlos G Mendioroz <tron@huapi.ba.ar <mailto:tron@huapi.ba.ar> <mailto:tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>>> LW7 EQI Argentina Carlos G Mendioroz <tron@huapi.ba.ar <mailto:tron@huapi.ba.ar>> <tron@huapi.ba.ar> LW7 EQI Argentina organic groups at http://www.ccie.net message: Mujeeb Sarwar: "Re: GRE Tunnel" message: Shahid Ansari: "Happy New Hijri Year - 1430" in reply to: Muhabat Khan: "VTP MD5 hash changes" sorted by: thread ] subject ] author ] attachment ] was generated by hypermail 2.1.4