The Cisco switch must authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using the most secured cryptographic algorithm available.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-101223	CISC-L2-000030	SV-110327r1_rule		Medium

Description
VLAN Trunk Protocol (VTP) provides central management of VLAN domains, thus reducing administration in a switched network. When configuring a new VLAN on a VTP server, the VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN everywhere. VTP pruning preserves bandwidth by preventing VLAN traffic (unknown MAC, broadcast, multicast) from being sent down trunk links when not needed, that is, there are no access switch ports in neighboring switches belonging to such VLANs. An attack can force a digest change for the VTP domain enabling a rogue device to become the VTP server, which could allow unauthorized access to previously blocked VLANs or allow the addition of unauthorized switches into the domain. Authenticating VTP messages with a cryptographic hash function can reduce the risk of the VTP domain's being compromised.

Description

VLAN Trunk Protocol (VTP) provides central management of VLAN domains, thus reducing administration in a switched network. When configuring a new VLAN on a VTP server, the VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN everywhere. VTP pruning preserves bandwidth by preventing VLAN traffic (unknown MAC, broadcast, multicast) from being sent down trunk links when not needed, that is, there are no access switch ports in neighboring switches belonging to such VLANs. An attack can force a digest change for the VTP domain enabling a rogue device to become the VTP server, which could allow unauthorized access to previously blocked VLANs or allow the addition of unauthorized switches into the domain. Authenticating VTP messages with a cryptographic hash function can reduce the risk of the VTP domain's being compromised.

STIG	Date
Cisco NX-OS Switch L2S Security Technical Implementation Guide	2020-05-07

Details

Check Text ( C-100103r1_chk )
Review the switch configuration to verify if VTP is enabled. Step 1: Enter the show feature command to determine if vtp is enabled. Step 2: Enter the show vtp status command to determine operating mode. SW1# show vtp status VTP Status Information ---------------------- VTP Version : 2 (capable) Configuration Revision : 0 Maximum VLANs supported locally : 1005 Number of existing VLANs : 5 VTP Operating Mode : Transparent VTP Domain Name : XXXXX VTP Pruning Mode : Disabled (Operationally Disabled) VTP V2 Mode : Disabled VTP Traps Generation : Disabled MD5 Digest : 0x0C 0x5E 0xC3 0x74 0x3F 0xB0 0x2F 0x49 If mode is set to anything other than off or transparent, verify that a password has been configured using the show vtp password command. Note: VTP authenticates all messages using an MD5 hash that consists of the VTP version + The VTP Password + VTP Domain + VTP Configuration Revision. If VTP is enabled on the switch and is not authenticating VTP messages with a hash function using a configured password, this is a finding.

Check Text ( C-100103r1_chk )

Review the switch configuration to verify if VTP is enabled.

Step 1: Enter the show feature command to determine if vtp is enabled.

Step 2: Enter the show vtp status command to determine operating mode.

SW1# show vtp status
VTP Status Information
----------------------
VTP Version : 2 (capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Transparent
VTP Domain Name : XXXXX
VTP Pruning Mode : Disabled (Operationally Disabled)
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 Digest : 0x0C 0x5E 0xC3 0x74 0x3F 0xB0 0x2F 0x49

If mode is set to anything other than off or transparent, verify that a password has been configured using the show vtp password command.

Note: VTP authenticates all messages using an MD5 hash that consists of the VTP version + The VTP Password + VTP Domain + VTP Configuration Revision.

If VTP is enabled on the switch and is not authenticating VTP messages with a hash function using a configured password, this is a finding.

Fix Text (F-106927r1_fix)
Configure the switch to authenticate all VLAN Trunk Protocol (VTP) messages with a hash function using a configured password as shown in the example below: SW1(config)# vtp password xxxxxxxxx