Pete's Packet

Limitless

Archive for the ‘CATALYST’ Category

QOS – switching

Posted by Peter Kurdziel on January 24, 2009

Default DSCP to input-queue map (d1 = tens digit of the DSCP, d2 = ones digit, entry = queue-threshold). By default only DSCP 40-47 go to input queue 2; everything else lands in queue 1, threshold 1:

sw1#sh mls qos maps dscp-input-q
Dscp-inputq-threshold map:
d1 :d2    0     1     2     3     4     5     6     7     8     9
------------------------------------------------------------
0 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
1 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
2 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
3 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
4 :    02-01 02-01 02-01 02-01 02-01 02-01 02-01 02-01 01-01 01-01
5 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
6 :    01-01 01-01 01-01 01-01

sw1(config)#$-queue input dscp-map queue 1 threshold 2 0 1 2 3 4 5 6 7
sw1(config)#$-queue input dscp-map queue 1 threshold ?
<1-3>  enter dscp-map threshold id

sw1(config)#mls qos srr-queue input dscp-map queue 1 threshold 2 ?
<0-63>  dscp values separated by spaces (up to 8 values total)

sw1(config)#$ut dscp-map queue 1 threshold 2  8 9 10 11 12 13 14 15
sw1(config)#$ut dscp-map queue 1 threshold 2  16 17 18 19 20
sw1(config)#$ut dscp-map queue 1 threshold 1 21 22 23 24 25 26 27 28
sw1(config)#$ut dscp-map queue 1 threshold 1 29 30 31 32 33 34 35 36
sw1(config)#$ut dscp-map queue 1 threshold 1 37 38 39 40 41 42 43 44
sw1(config)#$ut dscp-map queue 1 threshold 1 45 46 47 48 49 50

sw1(config)#$ut dscp-map queue 1 threshold 1 51 52 53 54 55 56 57 58
sw1(config)#$ut dscp-map queue 1 threshold 1 59
sw1(config)#mls qos srr-queue input dscp-map queue 1 threshold 2 60 61 62 63
sw1(config)#do sho mls qos maps dscp-i
sw1(config)#do sho mls qos maps dscp-input-q
Dscp-inputq-threshold map:
d1 :d2    0     1     2     3     4     5     6     7     8     9
------------------------------------------------------------
0 :    01-02 01-02 01-02 01-02 01-02 01-02 01-02 01-02 01-02 01-02
1 :    01-02 01-02 01-02 01-02 01-02 01-02 01-02 01-02 01-02 01-02
2 :    01-02 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
3 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
4 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
5 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01
6 :    01-02 01-02 01-02 01-02

sw1(config)#do sho mls qos input-q
Queue     :       1       2
----------------------------------------
buffers   :      90      10
bandwidth :       4       4
priority  :       0      10
threshold1:     100     100
threshold2:     100     100
sw1(config)#

sw1(config)#mls qos srr
sw1(config)#mls qos srr-queue in
sw1(config)#mls qos srr-queue input thre
sw1(config)#mls qos srr-queue input threshold 1 50 75
sw1(config)#mls qos srr-queue input threshold 2 30 75
sw1(config)#do sho mls qos input-q
Queue     :       1       2
----------------------------------------
buffers   :      90      10
bandwidth :       4       4
priority  :       0      10
threshold1:      50      30
threshold2:      75      75
sw1(config)#

sw1(config)#mls qos srr-queue input bandwidth 35 45

sw1(config)#mls qos srr-queue input priority-queue 1 band 20

(By default queue 2 is the input priority queue with 10%; the command above moves the priority queue to queue 1 at 20%. The buffer split shown below as 60/40 was changed with mls qos srr-queue input buffers 60 40, which did not make it into this capture.)

sw1#sh mls qos inp
Queue     :       1       2
----------------------------------------
buffers   :      60      40
bandwidth :      35      45
priority  :      20       0
threshold1:      50      30
threshold2:      75      75

=======================================================================

sw2(config)#mls qos srr-q out dscp-map queue 1 threshold 1 0 1 2 3 4 5 6 7
sw2(config)#$-q out dscp-map queue 1 threshold 2 8 9 10 11 12 13 14 15
sw2(config)#$-q out dscp-map queue 2 thre 1 16 17 18 19 20 21 22 23
sw2(config)#mls qos srr-q out dscp-map queue 2 thre 2 24 25 26 27 28 29 30 31
sw2(config)#mls qos srr-q out dscp-map queue 3 thres
sw2(config)#$-q out dscp-map queue 3 threshold 1 32 33 34 35 36 37 38 39
sw2(config)#$-q out dscp-map queue 3 threshold 2 40 41 42 43 44 45 46 47
sw2(config)#$-q out dscp-map queue 4 thre
sw2(config)#$-q out dscp-map queue 4 threshold 1 48 49 50 51 52 53 54 55
sw2(config)#$-q out dscp-map queue 4 threshold 2 56 57 58 59 60 61 62 63
sw2(config)#
sw2(config)#
sw2(config)#do sho mls qos maps dscp-output-q
Dscp-outputq-threshold map:
d1 :d2    0     1     2     3     4     5     6     7     8     9
------------------------------------------------------------
0 :    01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-01 01-02 01-02
1 :    01-02 01-02 01-02 01-02 01-02 01-02 02-01 02-01 02-01 02-01
2 :    02-01 02-01 02-01 02-01 02-02 02-02 02-02 02-02 02-02 02-02
3 :    02-02 02-02 03-01 03-01 03-01 03-01 03-01 03-01 03-01 03-01
4 :    03-02 03-02 03-02 03-02 03-02 03-02 03-02 03-02 04-01 04-01
5 :    04-01 04-01 04-01 04-01 04-01 04-01 04-02 04-02 04-02 04-02
6 :    04-02 04-02 04-02 04-02

==============================================================================

sw2(config)#do show mls qos int f0/14 buff
FastEthernet0/14
QoS is disabled. When QoS is enabled, following settings will be applied
The port is mapped to qset : 1
The allocations between the queues are : 25 25 25 25

sw2(config)#mls qos
sw2(config)#
sw2(config)#
sw2(config)#do show mls qos int f0/14 buff
FastEthernet0/14
The port is mapped to qset : 1
The allocations between the queues are : 25 25 25 25

Port-specific buffer allocation (define a second queue-set and assign it to the port):

sw2(config)#mls qos queue-set output 2 buffers 40 20 20 20
sw2(config)#int f0/14
sw2(config-if)#queue-set 2
sw2(config-if)#do show mls qos int f0/14 buff
FastEthernet0/14
The port is mapped to qset : 2
The allocations between the queues are : 40 20 20 20

All ports: every port is in queue-set 1 by default, so changing queue-set 1 itself needs no per-interface queue-set command

sw2(config-if)#mls qos queue-set output 1 buffers 40 20 20 20
sw2(config)#do show mls qos int f0/1 buff
FastEthernet0/1
The port is mapped to qset : 1
The allocations between the queues are : 40 20 20 20

sw2(config)#do show mls qos int f0/24 buff
FastEthernet0/24
The port is mapped to qset : 1
The allocations between the queues are : 40 20 20 20
=========================================================

Per-queue thresholds: mls qos queue-set output <qset> threshold <queue> <drop-threshold1> <drop-threshold2> <reserved> <maximum>, each a percentage of the buffers allocated to that queue (maximum can exceed 100 because a queue may borrow from the common pool):

sw2(config)#mls qos queue-set out 2 thres 1 40 60 100 200
sw2(config)#mls qos queue-set out 2 thres 2 30 70 100 300

sw2(config)#do sho mls qos queue-set 2
Queueset: 2
Queue     :       1       2       3       4
----------------------------------------
buffers   :      40      20      20      20
threshold1:      40      30     100     100
threshold2:      60      70     100     100
reserved  :     100     100      50      50
maximum   :     200     300     400     400
=================================================

sw2(config)#do sho mls qos inter f0/16 queueing
FastEthernet0/16
Egress Priority Queue : disabled
Shaped queue weights (absolute) :  25 0 0 0
Shared queue weights  :  25 25 25 25
The port bandwidth limit : 100  (Operational Bandwidth:100.0)
The port is mapped to qset : 1

sw2(config)#int f0/16
sw2(config-if)#srr-queue band limit 80

sw2(config-if)#do sho mls qos inter f0/16 queueing
FastEthernet0/16
Egress Priority Queue : disabled
Shaped queue weights (absolute) :  25 0 0 0
Shared queue weights  :  25 25 25 25
The port bandwidth limit : 80  (Operational Bandwidth:80.0)
The port is mapped to qset : 1

=================================================

sw2(config-if)#int f0/16
sw2(config-if)#pri
sw2(config-if)#priority-queue out
sw2(config-if)#do sho mls qos inter f0/16 queueing
FastEthernet0/16
Egress Priority Queue : enabled
Shaped queue weights (absolute) :  25 0 0 0
Shared queue weights  :  25 25 25 25
The port bandwidth limit : 80  (Operational Bandwidth:80.0)
The port is mapped to qset : 1

====================================================

sw2(config-if)#  storm-control broadcast  level 50.00
sw2(config-if)#do sho storm f0/14 broa
Interface  Filter State   Upper        Lower        Current
---------  -------------  -----------  -----------  ----------
Fa0/14     Forwarding      50.00%       50.00%        0.00%

===========================================================

sw3(config)#ml qos map cos-dscp 10 10 10 10 20 20 30 30
sw3(config)#do sho mls qos map cos-ds
Cos-dscp map:
cos:   0  1  2  3  4  5  6  7
--------------------------------
dscp:  10 10 10 10 20 20 30 30

===================================================

sw4(config)#mls qos map dscp-mutation TST 0 1 2 3 4 5 6 7 to 10
sw4(config)#mls qos map dscp-mutation TST 8 9 10 11 12 13 14 15 to 10
sw4(config)#mls qos map dscp-mutation TST 16 17 18 19 20 to 10

sw4(config)#mls qos map dscp-mutation TST 21 22 23 24 25 26 27 28 to 20
sw4(config)#mls qos map dscp-mutation TST 29 30 to 20

sw4(config)#mls qos map dscp-mutat TST 31 32 33 34 35 36 37 38 to 30
sw4(config)#mls qos map dscp-mutat TST 39 40 to 30

sw4(config)#mls qos map dscp-mutat TST  41 42 43 44 45 46 47 48 to 40
sw4(config)#mls qos map dscp-mutat TST  49 50 to 40
sw4(config)#
sw4(config)#mls qos map dscp-mutat TST 51 52 53 54 55 56 57 58 to 50
sw4(config)#mls qos map dscp-mutat TST 59 60 t 50
sw4(config)#mls qos map dscp-mutat TST 61 62 63 to 60

sw4(config)#int f0/23
sw4(config-if)#mls qos dsc
sw4(config-if)#mls qos dscp-mutation TST
sw4(config-if)#do sho mls qos map dscp-m

Dscp-dscp mutation map:
TST:
d1 :  d2 0  1  2  3  4  5  6  7  8  9
---------------------------------------
0 :    10 10 10 10 10 10 10 10 10 10
1 :    10 10 10 10 10 10 10 10 10 10
2 :    10 20 20 20 20 20 20 20 20 20
3 :    20 30 30 30 30 30 30 30 30 30
4 :    30 40 40 40 40 40 40 40 40 40
5 :    40 50 50 50 50 50 50 50 50 50
6 :    50 60 60 60

Dscp-dscp mutation map:
Default DSCP Mutation Map:
d1 :  d2 0  1  2  3  4  5  6  7  8  9
---------------------------------------
0 :    00 01 02 03 04 05 06 07 08 09
1 :    10 11 12 13 14 15 16 17 18 19
2 :    20 21 22 23 24 25 26 27 28 29
3 :    30 31 32 33 34 35 36 37 38 39
4 :    40 41 42 43 44 45 46 47 48 49
5 :    50 51 52 53 54 55 56 57 58 59
6 :    60 61 62 63
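Added example, not from the original post: a small model of how the two DSCP map tables above are built. It replays the mls qos srr-queue input dscp-map and mls qos map dscp-mutation commands typed in this post and renders the same d1:d2 table that show mls qos maps prints, so a batch of map commands can be checked before it is pasted into a switch. The defaults it starts from (DSCP 40-47 in input queue 2, everything else queue 1 threshold 1; identity mutation map) are the 3560 defaults visible in the captures; the range checks mirror what the IOS parser rejects (queue 1-2, threshold 1-3, at most 8 DSCP values per command).

```python
"""Model of the Catalyst 3560 DSCP map tables (added example, not from the post)."""
import re

# Default input-queue map: (queue, threshold) per DSCP, as printed by
# `show mls qos maps dscp-input-q` before any changes.
DEFAULT_INPUT_Q = {d: (2, 1) if 40 <= d <= 47 else (1, 1) for d in range(64)}

INPUT_Q_RE = re.compile(
    r"^mls qos srr-queue input dscp-map queue (\d) threshold (\d)((?: \d+)+)$")
MUTATION_RE = re.compile(
    r"^mls qos map dscp-mutation (\S+)((?: \d+)+) to (\d+)$")


def apply_input_dscp_map(commands, table=None):
    """Replay input dscp-map commands onto a {dscp: (queue, threshold)} table."""
    table = dict(DEFAULT_INPUT_Q if table is None else table)
    for cmd in commands:
        m = INPUT_Q_RE.match(cmd.strip())
        if not m:
            raise ValueError("not an input dscp-map command: %r" % cmd)
        queue, thresh = int(m.group(1)), int(m.group(2))
        dscps = [int(x) for x in m.group(3).split()]
        if queue not in (1, 2) or thresh not in (1, 2, 3) or len(dscps) > 8:
            raise ValueError("out of range: %r" % cmd)   # IOS rejects these
        for d in dscps:
            if not 0 <= d <= 63:
                raise ValueError("bad DSCP %d" % d)
            table[d] = (queue, thresh)
    return table


def apply_dscp_mutation(commands, name):
    """Build a {dscp_in: dscp_out} mutation map from `... NAME d d d to X` lines."""
    table = {d: d for d in range(64)}            # the default map is identity
    for cmd in commands:
        m = MUTATION_RE.match(cmd.strip())
        if not m or m.group(1) != name:
            raise ValueError("not a dscp-mutation command for %s: %r" % (name, cmd))
        dscps = [int(x) for x in m.group(2).split()]
        out = int(m.group(3))
        if len(dscps) > 8 or not 0 <= out <= 63:
            raise ValueError("out of range: %r" % cmd)
        for d in dscps:
            table[d] = out
    return table


def render(table, fmt):
    """Render a 64-entry map in the d1:d2 layout of `show mls qos maps`.

    d1 (row) is the tens digit of the DSCP, d2 (column) the ones digit,
    so DSCP 46 is row 4, column 6. fmt formats one cell.
    """
    lines = [" d1 :d2 " + " ".join("%5d" % c for c in range(10))]
    for d1 in range(7):
        cells = [fmt(table[d1 * 10 + d2]) for d2 in range(10) if d1 * 10 + d2 < 64]
        lines.append(" %d :    %s" % (d1, " ".join(cells)))
    return "\n".join(lines)


# The commands from the post, written out in full (the capture shows them
# `$`-truncated by the IOS line editor).
INPUT_CMDS = [
    "mls qos srr-queue input dscp-map queue 1 threshold 2 0 1 2 3 4 5 6 7",
    "mls qos srr-queue input dscp-map queue 1 threshold 2 8 9 10 11 12 13 14 15",
    "mls qos srr-queue input dscp-map queue 1 threshold 2 16 17 18 19 20",
    "mls qos srr-queue input dscp-map queue 1 threshold 1 21 22 23 24 25 26 27 28",
    "mls qos srr-queue input dscp-map queue 1 threshold 1 29 30 31 32 33 34 35 36",
    "mls qos srr-queue input dscp-map queue 1 threshold 1 37 38 39 40 41 42 43 44",
    "mls qos srr-queue input dscp-map queue 1 threshold 1 45 46 47 48 49 50",
    "mls qos srr-queue input dscp-map queue 1 threshold 1 51 52 53 54 55 56 57 58",
    "mls qos srr-queue input dscp-map queue 1 threshold 1 59",
    "mls qos srr-queue input dscp-map queue 1 threshold 2 60 61 62 63",
]

MUTATION_CMDS = [
    "mls qos map dscp-mutation TST 0 1 2 3 4 5 6 7 to 10",
    "mls qos map dscp-mutation TST 8 9 10 11 12 13 14 15 to 10",
    "mls qos map dscp-mutation TST 16 17 18 19 20 to 10",
    "mls qos map dscp-mutation TST 21 22 23 24 25 26 27 28 to 20",
    "mls qos map dscp-mutation TST 29 30 to 20",
    "mls qos map dscp-mutation TST 31 32 33 34 35 36 37 38 to 30",
    "mls qos map dscp-mutation TST 39 40 to 30",
    "mls qos map dscp-mutation TST 41 42 43 44 45 46 47 48 to 40",
    "mls qos map dscp-mutation TST 49 50 to 40",
    "mls qos map dscp-mutation TST 51 52 53 54 55 56 57 58 to 50",
    "mls qos map dscp-mutation TST 59 60 to 50",
    "mls qos map dscp-mutation TST 61 62 63 to 60",
]

if __name__ == "__main__":
    print(render(apply_input_dscp_map(INPUT_CMDS), lambda qt: "%02d-%02d" % qt))
    print(render(apply_dscp_mutation(MUTATION_CMDS, "TST"), lambda d: "%02d" % d))
```

Running it prints the two tables exactly as the switch shows them above; the 01-02 / 01-01 boundary between DSCP 20 and 21, and the default 02-01 for 40-47 being overwritten, are the things worth eyeballing before committing a map on production gear.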

Posted in CATALYST, QOS, Routing & Switching Lab

switch security

Posted by Peter Kurdziel on January 24, 2009

interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security aging time 60
switchport port-security aging static
switchport port-security mac-address 0000.1111.1111

sw1(config-if)#do sho port-s

Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
Fa0/1              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

sw1(config-if)#do  sho port-s addres
Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                              (mins)
----    -----------       ----                     -----   -------------
   1    0000.1111.1111    SecureConfigured         Fa0/1       59
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

To test: remove the static MAC override on r1's f0/0 so the router's burned-in address (not the secured 0000.1111.1111) shows up on Fa0/1:

r1(config)#int f0/0
r1(config-if)#no mac-address 0000.1111.1111

sw1(config-if)#
06:57:59: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state

sw1(config-if)#
06:57:59: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.5925.f8d0 on port FastEthernet0/1.

06:58:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

sw1(config-if)#
06:58:01: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

sw1(config-if)#do sho inter status | inc err-dis
Fa0/1                        err-disabled 1            auto   auto 10/100BaseTX

sw1(config-if)#do sho inter status  err-dis

Port      Name               Status       Reason               Err-disabled Vlans
Fa0/1                        err-disabled psecure-violation

sw1(config-if)#do sho port-se
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
Fa0/1              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

=====================================================

Interface macro for sticky port-security with violation protect. protect silently drops frames from any MAC beyond the secure ones and neither logs nor counts the violation; restrict also drops but logs, sends a trap and increments the SecurityViolation counter; shutdown (the default, seen above) err-disables the port:

macro name Port-Secur
sw mo acc
sw port-s
sw port-s mac-address stick
sw port-s max 1
sw port-s vio pro
@

interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0017.5925.f8d1
macro description Port-Secur | Port-Secur
end

sw2(config-if-range)#  do sho run int f0/2
Building configuration…

Current configuration : 275 bytes
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0017.5902.9ce9
macro description Port-Secur | Port-Secur
end

etc………

====================================

To prevent two servers in the same VLAN from talking to each other: protected ports. A protected port forwards no traffic (unicast, multicast or broadcast) to another protected port on the same switch; traffic to and from unprotected ports is unaffected. This is local to one switch: two protected ports on different switches still reach each other across the uplink, so it is not a substitute for private VLANs.

int range f0/15 - 16
sw mo acc
sw acc v 18
sw protected

sw2(config-if-range)#do sho int f0/15 sw
Name: Fa0/15
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 88 (VLAN0088)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: true   <-- protected port
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
===========================

Stop unknown-unicast and unknown-multicast flooding out of these ports (frames to a destination not in the MAC table are normally flooded to every port in the VLAN; block keeps them off f0/15-16):

int range f0/15 - 16
sw2(config-if-range)#switchport block unicast
sw2(config-if-range)#switchport block multicast

=======================================================

sw1(config)#do sho dot1x
Sysauthcontrol             Disabled
Dot1x Protocol Version            2
Critical Recovery Delay         100
Critical EAPOL             Disabled

aaa new-model
aaa authent login default none <-- no radius srv -- used so I'm not locked out
aaa authentication dot1x default group radius

radius-server host 192.168.1.2 key cisco

(Sysauthcontrol shows Disabled above: dot1x system-auth-control has to be enabled globally as well, otherwise the per-port dot1x port-control auto below authenticates nothing and the port passes traffic as if 802.1X were not configured.)

sw1(config-if)#do sh run int f0/16

interface FastEthernet0/16
switchport mode access
dot1x pae authenticator
dot1x port-control auto
end

sw1(config-if)#do sh dot1x int f0/16
Dot1x Info for FastEthernet0/16
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

===================================

sw1(config)#do sh mac-address-table aging-time
Global Aging Time:  300
Vlan    Aging Time
----    ----------
1     300
88     300

sw1(config)#mac-address-table aging-time 600
sw1(config)#do sh mac-address-table aging-time
Global Aging Time:  600
Vlan    Aging Time
----    ----------
1     600
88     600
==================================

To disable the boot-loader password-recovery procedure, so that recovery via the Mode button can only do a factory reset (config.text and vlan.dat are deleted) and never exposes the existing configuration:
no service password-recovery

sh ver
..(omitted for brevity)..
The password-recovery mechanism is disabled

========================================

sw1(config)# do sh dot1x int f0/16

Dot1x Info for FastEthernet0/16
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0

sw1(config)#int f0/16
sw1(config-if)#dot1x host-mode multi-host

(multi-host: one successful supplicant authorizes the port for every MAC behind it, so anything hanging off the same hub or unmanaged switch rides on that one authentication; if that host logs off or fails reauthentication, all of them lose access)

sw1(config-if)# do sh dot1x int f0/16

Dot1x Info for FastEthernet0/16
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = MULTI_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
=============================================================

sw1(config)#mac-address-table static 0000.6666.6666 vlan 56 int f0/6
sw1(config)#do sho mac-address-table stat int f0/6
Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
56    0000.6666.6666    STATIC      Fa0/6
Total Mac Addresses for this criterion: 1

===================

sw1(config)#mac-address-table stat 0000.1111.2222 vlan 1 drop
sw1(config)#do sho mac-address-table stat add 0000.1111.2222
Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
1    0000.1111.2222    STATIC      Drop
Total Mac Addresses for this criterion: 1

=======================

r1(config-if)#do sho ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.2                0   0000.2222.2222  ARPA   FastEthernet0/0
Internet  10.1.1.1                -   0000.1111.1111  ARPA   FastEthernet0/0

cat1
ip arp inspection vlan 1
ip arp inspection filter TST vlan  1 static

arp access-list TST
permit ip host 10.1.1.2 mac host 0000.2222.2222
permit ip host 10.1.1.1 mac host 0000.1111.1111

Testing: first with r2's MAC overridden to 0000.2222.2222 so its ARP matches the ACL, then with the override removed so the router's burned-in MAC is used and its ARP requests no longer match:

r2(config-if)#do pin 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
r2(config-if)#do sho ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.2                -   0000.2222.2222  ARPA   FastEthernet0/1
Internet  10.1.1.1                0   0000.1111.1111  ARPA   FastEthernet0/1
r2(config-if)#no mac-add 0000.2222.2222
r2(config-if)#do ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....

cat1

08:20:58: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:20:58 UTC Mon Mar 1 1993])
sw1(config-arp-nacl)#
08:21:00: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:21:00 UTC Mon Mar 1 1993])
sw1(config-arp-nacl)#
08:21:02: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:21:02 UTC Mon Mar 1 1993])
sw1(config-arp-nacl)#
08:21:04: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:21:04 UTC Mon Mar 1 1993])
sw1(config-arp-nacl)#
08:21:06: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:21:06 UTC Mon Mar 1 1993])
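Added example, not from the original post: detection logic for the two kinds of syslog messages captured in this post, the port-security violation / err-disable pair further up and the DAI ACL_DENY lines just above, run over a constructed sample log. The sample lines are built here from the exact message formats in the captures; the only fields parsed are the ones those messages carry (the DAI message embeds the denied packet as [src-mac/src-ip/dst-mac/dst-ip/time]). Nothing here is a Cisco API; it is plain regex parsing of the text a syslog collector would receive.

```python
"""Parse Catalyst port-security and DAI syslog lines (added example, not from the post)."""
import re
from collections import Counter

# Constructed sample log, mirroring the message formats in the captures above.
SAMPLE_LOG = """\
06:57:59: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
06:57:59: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.5925.f8d0 on port FastEthernet0/1.
06:58:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
08:20:58: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:20:58 UTC Mon Mar 1 1993])
08:21:00: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:21:00 UTC Mon Mar 1 1993])
08:21:02: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 1.([0017.5902.9ce9/10.1.1.2/0000.0000.0000/10.1.1.1/08:21:02 UTC Mon Mar 1 1993])
"""

PSECURE_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address ([0-9a-f.]+) on port (\S+)\.")
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+), putting")
# The DAI message carries [src-mac/src-ip/dst-mac/dst-ip/timestamp] of the
# denied ARP packet; dst-mac is all zeros for a request.
DAI_RE = re.compile(
    r"%SW_DAI-4-ACL_DENY: (\d+) Invalid ARPs \((\w+)\) on (\S+), vlan (\d+)\."
    r"\(\[([0-9a-f.]+)/([\d.]+)/([0-9a-f.]+)/([\d.]+)/")


def parse_line(line):
    """Return a dict describing one security-relevant event, or None."""
    m = PSECURE_RE.search(line)
    if m:
        return {"type": "psecure_violation", "mac": m.group(1), "port": m.group(2)}
    m = ERRDISABLE_RE.search(line)
    if m:
        return {"type": "err_disable", "reason": m.group(1), "port": m.group(2)}
    m = DAI_RE.search(line)
    if m:
        return {"type": "dai_deny", "count": int(m.group(1)), "op": m.group(2),
                "port": m.group(3), "vlan": int(m.group(4)),
                "src_mac": m.group(5), "src_ip": m.group(6),
                "dst_mac": m.group(7), "dst_ip": m.group(8)}
    return None


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def summarize(events):
    """Which ports went err-disabled, and DAI denies per (port, src_mac, src_ip).

    Repeated denies from one MAC claiming one IP on one port are the
    signature of a host whose MAC does not match the ARP ACL or binding
    table: either a misconfigured host or an ARP spoofing attempt.
    """
    disabled = {e["port"]: e["reason"] for e in events if e["type"] == "err_disable"}
    offenders = Counter()
    for e in events:
        if e["type"] == "dai_deny":
            offenders[(e["port"], e["src_mac"], e["src_ip"])] += e["count"]
    return disabled, offenders


if __name__ == "__main__":
    disabled, offenders = summarize(parse_log(SAMPLE_LOG))
    for port, reason in disabled.items():
        print("err-disabled: %s (%s)" % (port, reason))
    for (port, mac, ip), n in offenders.most_common():
        print("DAI denies on %s: %s claims %s, %d packet(s)" % (port, mac, ip, n))
```

Note that with violation protect (the macro above) no PSECURE_VIOLATION line is ever produced, so a collector watching only syslog sees nothing; the shutdown and restrict actions are the ones that leave this trail.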

=================

sw1(config-if)#ip arp inspection limit rate 10 burst interval 2
sw1(config-if)#do sho ip arp insp inter

Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Fa0/1            Untrusted               10                 2
Fa0/2            Untrusted               15                 1
Fa0/3            Untrusted               15                 1

(15 pps with a 1 second burst interval is the default for untrusted ports, as on Fa0/2-3. A port that exceeds its rate is err-disabled, so inter-switch links need to be trusted or the limit will take them down.)

=================

MAC ACL on a port. On this platform a MAC ACL (applied with mac access-group, or matched in a VLAN map) is applied only to non-IP frames; IP traffic is filtered with IP ACLs, so ethertype-based denies like these are what a MAC ACL is for:

mac access-list extended TEST
deny   any any decnet-iv
deny   any any etype-6000
deny   any any etype-8042
permit any any

sw1(config-if)#do sho mac access int f0/10
Interface FastEthernet0/10:
Inbound access-list is TEST
Outbound access-list is not set

===================================

mac access-list extended MAC-forward
permit host 0000.1111.2222 any
permit host 0000.1111.3333 any
mac access-list extended Protocol-forward
permit any any decnet-iv
permit any any vines-ip
mac access-list extended TEST
deny   any any decnet-iv
deny   any any etype-6000
deny   any any etype-8042
permit any any

(In the VLAN map below the MAC ACLs only see non-IP frames, so sequence 50 drops the non-IP traffic from the two hosts in MAC-forward, not their IP traffic; IP traffic is handled by the IP ACL clauses 10-40. Sequences are evaluated in order and the first match wins; 70 has no match clause and forwards everything left, without it the map's implicit deny would drop it.)

vlan access-map TST 10
action drop
match ip address R1-2
vlan access-map TST 20
action drop
match ip address UDP
vlan access-map TST 30
action drop
match ip address TCP
vlan access-map TST 40
action drop
match ip address IGMP
vlan access-map TST 50
action drop
match mac address MAC-forward
vlan access-map TST 60
action drop
match mac address Protocol-forward
vlan access-map TST 70
action forward
!
vlan filter TST vlan-list 2

ip access-list extended IGMP
permit igmp any any
ip access-list extended R1-2
permit ip host 10.1.1.1 host 10.1.1.2
permit ip host 10.1.1.2 host 10.1.1.1
ip access-list extended TCP
permit tcp host 10.1.1.3 host 10.1.1.4
permit tcp host 10.1.1.4 host 10.1.1.3
ip access-list extended UDP
permit udp any any
============================

Posted in CATALYST, Routing & Switching Lab

etherchannels

Posted by Peter Kurdziel on January 24, 2009

sw1

interface FastEthernet0/13
channel-group 12 mode auto

interface FastEthernet0/14
channel-group 12 mode auto

interface Port-channel12
switchport trunk encapsulation dot1q
switchport mode trunk

sw2
interface FastEthernet0/13
channel-group 21 mode auto

interface FastEthernet0/14
channel-group 21 mode auto

interface Port-channel21
switchport trunk encapsulation dot1q
switchport mode trunk

(PAgP auto only answers PAgP packets and never sends the first one, so auto on both ends does not form a bundle; at least one side has to be desirable. The same holds for LACP passive on both ends. mode on skips negotiation entirely, so a mis-cabled or mismatched far end is not detected.)
===========================

interface FastEthernet0/16
channel-group 13 mode on

interface FastEthernet0/17
channel-group 13 mode on

interface Port-channel13
switchport trunk encapsulation dot1q
switchport mode trunk

sw1(config-if)#do sho etherc
Channel-group listing:
----------------------

Group: 12
----------
Group state = L2
Ports: 2   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:   PAgP

Group: 13
----------
Group state = L2
Ports: 2   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:    -

sw1(config-if)#do sho etherc sum
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
12     Po12(SU)        PAgP      Fa0/13(P)   Fa0/14(P)
13     Po13(SU)         -        Fa0/16(P)   Fa0/17(P)

==========

sw1(config)#port-channel load-balance ?
dst-ip       Dst IP Addr
dst-mac      Dst Mac Addr
src-dst-ip   Src XOR Dst IP Addr
src-dst-mac  Src XOR Dst Mac Addr
src-ip       Src IP Addr
src-mac      Src Mac Addr

sw1(config)#port-channel load-balance ds
sw1(config)#port-channel load-balance dst-m
sw1(config)#port-channel load-balance dst-mac
sw1(config)#do sho ether load-bal
EtherChannel Load-Balancing Configuration:
dst-mac

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
IPv4: Destination MAC address
IPv6: Destination MAC address
===================

sw2(config)#port-channel load-balance src-dst-ip
sw2(config)#
sw2(config)#
sw2(config)#do sho etherc load-b
EtherChannel Load-Balancing Configuration:
src-dst-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address
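Added example, not from the original post: a small model of why the load-balance policy matters for a bundle. It sends a constructed set of flows (16 hosts on one VLAN all talking to their default gateway) over a two-link EtherChannel under each port-channel load-balance policy and counts how many flows each member link gets. The hash is an assumption: the 3560 uses a platform hash Cisco does not publish, so this uses XOR of the selected address bytes modulo the link count. What generalizes regardless of the real hash is the result for dst-mac and dst-ip: a policy keyed only on a field that is the same for every flow (here the gateway's MAC or IP) pins all of them to one link, leaving the other idle and making the bundle no better than a single link under load.

```python
"""Model EtherChannel load-balance policies (added example, not from the post)."""
from collections import Counter


def _mac_bytes(mac):
    """'0000.1111.2222' -> 6 bytes."""
    return bytes.fromhex(mac.replace(".", ""))


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def _xor_hash(data):
    """Toy hash (assumption, not the platform's): XOR of all bytes."""
    h = 0
    for b in data:
        h ^= b
    return h


def _xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Which fields each `port-channel load-balance` policy feeds to the hash.
POLICIES = {
    "src-mac":     lambda f: _mac_bytes(f["smac"]),
    "dst-mac":     lambda f: _mac_bytes(f["dmac"]),
    "src-dst-mac": lambda f: _xor_bytes(_mac_bytes(f["smac"]), _mac_bytes(f["dmac"])),
    "src-ip":      lambda f: _ip_bytes(f["sip"]),
    "dst-ip":      lambda f: _ip_bytes(f["dip"]),
    "src-dst-ip":  lambda f: _xor_bytes(_ip_bytes(f["sip"]), _ip_bytes(f["dip"])),
}


def pick_link(flow, policy, nlinks=2):
    """Member link index (0..nlinks-1) a flow is pinned to under a policy."""
    return _xor_hash(POLICIES[policy](flow)) % nlinks


def distribute(flows, policy, nlinks=2):
    """Count flows per member link: {link_index: number_of_flows}."""
    return Counter(pick_link(f, policy, nlinks) for f in flows)


# Constructed traffic: 16 hosts on one VLAN, every flow goes to the gateway.
GATEWAY_MAC, GATEWAY_IP = "0000.1111.1111", "10.1.1.1"
FLOWS = [{"smac": "0000.2222.00%02x" % i, "dmac": GATEWAY_MAC,
          "sip": "10.1.1.%d" % (10 + i), "dip": GATEWAY_IP} for i in range(16)]

if __name__ == "__main__":
    for policy in POLICIES:
        print("%-12s flows per link: %s" % (policy, dict(sorted(distribute(FLOWS, policy).items()))))
```

The dst-mac policy (sw1 above) puts all 16 flows on one link, which is the usual outcome on an access switch whose traffic mostly heads for one router MAC; the src-dst-ip policy (sw2 above) spreads them. The same polarisation applies to return traffic from the gateway under src-mac or src-ip.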
===============

interface FastEthernet0/19
channel-group 24 mode desirable

interface FastEthernet0/20
channel-group 24 mode desirable

interface Port-channel24
switchport trunk encapsulation isl
switchport mode trunk

sw4(config-if-range)#do sho etherc prot
Channel-group listing:
----------------------

Group: 24
----------
Protocol:  PAgP

sw4(config-if-range)#do sho etherc sum
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
24     Po24(SU)        PAgP      Fa0/16(P)   Fa0/17(P)

==================

sw3
interface Port-channel34
switchport trunk encapsulation isl
switchport mode trunk

interface FastEthernet0/19
channel-group 34 mode passive

interface FastEthernet0/20
channel-group 34 mode passive

sw4

interface Port-channel43
switchport trunk encapsulation isl
switchport mode trunk
!
interface FastEthernet0/19
channel-group 43 mode active
!
interface FastEthernet0/20
channel-group 43 mode active

sw3(config-if)#do sho ether
Channel-group listing:
----------------------

Group: 31
----------
Group state = L2
Ports: 2   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:    -

Group: 34
----------
Group state = L2
Ports: 2   Maxports = 16
Port-channels: 1 Max Port-channels = 16
Protocol:   LACP

sw3(config-if)#do sho ether sum
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
31     Po31(SU)         -        Fa0/13(P)   Fa0/14(P)
34     Po34(SU)        LACP      Fa0/19(P)   Fa0/20(P)

=================================

interface Port-channel23
no switchport
ip address 10.1.23.2 255.255.255.0

interface FastEthernet0/16
no switchport
no ip address
channel-group 23 mode on

interface FastEthernet0/17
no switchport
no ip address
channel-group 23 mode on

sw2(config-if)#do sho ether sum
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 3
Number of aggregators:           3

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
21     Po21(SU)        PAgP      Fa0/13(P)   Fa0/14(P)
23     Po23(RU)         -        Fa0/16(P)   Fa0/17(P)
24     Po24(SU)        PAgP      Fa0/19(P)   Fa0/20(P)

Posted in CATALYST, Routing & Switching Lab

Private vlans

Posted by Peter Kurdziel on January 24, 2009

vlan 10
private-vlan primary
private-vlan association 20,30,40
!
vlan 12
!
vlan 20
private-vlan community
!
vlan 30
private-vlan community
!
vlan 40
private-vlan isolated


sw1(config)#do sho vlan private-vl

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      20        community
10      30        community
10      40        isolated

interface FastEthernet0/1
switchport private-vlan mapping 10 20,30,40
switchport mode private-vlan promiscuous
!
interface FastEthernet0/2
switchport private-vlan host-association 10 20
switchport mode private-vlan host
!
interface FastEthernet0/3
!
interface FastEthernet0/4
switchport private-vlan host-association 10 30
switchport mode private-vlan host
!

!
interface FastEthernet0/10
switchport private-vlan host-association 10 40
switchport mode private-vlan host

!
interface FastEthernet0/11
switchport private-vlan host-association 10 40
switchport mode private-vlan host

sw1(config-if-range)#do sho vlan pri

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      20        community         Fa0/1, Fa0/2
10      30        community         Fa0/1, Fa0/4
10      40        isolated          Fa0/1, Fa0/10, Fa0/11
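Added example, not from the original post: a model of private-VLAN forwarding that answers "can port A reach port B at Layer 2?" for the configuration above. The rules are the standard PVLAN ones: a promiscuous port talks to every secondary VLAN it is mapped to; a community port talks to other ports in its own community and to promiscuous ports; an isolated port talks only to promiscuous ports. Port names and VLAN numbers are the ones from the capture; the interface list is built by hand in lab_pvlan(). Worth keeping in mind when reading the matrix it prints: the isolation is Layer 2 only, so two isolated hosts can still reach each other through the router on the promiscuous port unless that router filters the traffic (for example with an ACL on its interface).

```python
"""Private-VLAN reachability model (added example, not from the post)."""


class PrivateVlan:
    def __init__(self, primary):
        self.primary = primary
        self.secondary = {}   # vlan -> "community" | "isolated"
        self.ports = {}       # port -> ("promiscuous", set(secondaries)) | ("host", vlan)

    def add_secondary(self, vlan, kind):
        if kind not in ("community", "isolated"):
            raise ValueError(kind)
        self.secondary[vlan] = kind

    def promiscuous(self, port, mapping):
        """switchport private-vlan mapping <primary> <secondaries>"""
        unknown = set(mapping) - set(self.secondary)
        if unknown:
            raise ValueError("not associated with primary %d: %s" % (self.primary, sorted(unknown)))
        self.ports[port] = ("promiscuous", set(mapping))

    def host(self, port, secondary):
        """switchport private-vlan host-association <primary> <secondary>"""
        if secondary not in self.secondary:
            raise ValueError("vlan %d is not a secondary of %d" % (secondary, self.primary))
        self.ports[port] = ("host", secondary)

    def can_reach(self, a, b):
        """True if a frame from port a can be delivered to port b."""
        if a == b:
            return False
        ka, va = self.ports[a]
        kb, vb = self.ports[b]
        if ka == "promiscuous" and kb == "promiscuous":
            return True                 # both live in the primary VLAN
        if ka == "promiscuous":
            return vb in va             # promiscuous -> host in a mapped secondary
        if kb == "promiscuous":
            return va in vb             # host -> promiscuous that maps its secondary
        # host -> host: only within the same community; isolated never
        return va == vb and self.secondary[va] == "community"

    def matrix(self):
        ports = sorted(self.ports)
        return {(a, b): self.can_reach(a, b) for a in ports for b in ports if a != b}


def lab_pvlan():
    """The configuration from the capture: primary 10, communities 20/30, isolated 40."""
    p = PrivateVlan(10)
    p.add_secondary(20, "community")
    p.add_secondary(30, "community")
    p.add_secondary(40, "isolated")
    p.promiscuous("Fa0/1", [20, 30, 40])
    p.host("Fa0/2", 20)
    p.host("Fa0/4", 30)
    p.host("Fa0/10", 40)
    p.host("Fa0/11", 40)
    return p


if __name__ == "__main__":
    p = lab_pvlan()
    for (a, b), ok in sorted(p.matrix().items()):
        print("%-6s -> %-6s %s" % (a, b, "yes" if ok else "no"))
```

For the lab config only the eight promiscuous-to-host and host-to-promiscuous pairs are reachable: Fa0/2 and Fa0/4 sit in different communities, and Fa0/10 and Fa0/11 are both isolated, so neither pair can exchange frames even though all of them share primary VLAN 10.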

Posted in CATALYST, Routing & Switching Lab

CAT 3560 how to activate IPv6

Posted by Peter Kurdziel on January 16, 2009

conf t

sdm prefer dual-ipv4-and-ipv6 default

A reload is needed for this to take effect.

Posted in CATALYST, Routing & Switching Lab

spanning tree uplink fast

Posted by Peter Kurdziel on December 7, 2008

Spanning-tree UplinkFast: when an access switch loses its root port it moves a blocked alternate uplink straight to forwarding; convergence takes approximately 1 to 5 seconds.
Spanning-tree BackboneFast: on an indirect link failure the switch moves the affected blocked port immediately to the listening state instead of waiting for the max-age timer on that interface to expire.

Posted in CATALYST, Routing & Switching Lab

VTP

Posted by Peter Kurdziel on November 21, 2008

VTP – manages VLANs.

VTP (versions 1 and 2) only carries the normal range (1-1005). Extended-range VLANs (1006-4094) are not propagated.

Until you assign a VTP domain name you can not create/modify/propagate vlan info to other switches.

Highest revision number wins. To reset the revision number change the domain name then change it back to what you had and the counter will be zeroed out.

The switch must be in VTP transparent mode when you create extended range vlans. If you have extended range vlans configured on your switch you will receive an error message if you try to change the vtp mode to server or client.

VTP client does not create a vlan.dat file.

To reset the VTP mode do no vtp mode.

Posted in CATALYST, Routing & Switching Lab

STP loops

Posted by Peter Kurdziel on November 20, 2008

Troubleshooting Forwarding Loops

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080136673.shtml

show catalyst6000 traffic-meter

show interface | include line|\/sec

show spanning-tree vlan

show int | include L2|line|broadcast

show spanning-tree interface interface detail

show interface g4/3 counters errors

cat 6500
remote command switch test spanning-tree process-stats

remote command switch show earl statistics | i MISS_DA|ST_FR

show spanning-tree vlan 1 detail <-- look for topology changes

STP Debugging Commands

Many STP debug commands are intended for development engineering use. They do not provide any output that is meaningful to someone without detailed knowledge of the STP implementation in Cisco IOS software. Some debugs can provide output which is instantly readable, such as port state changes, role changes, events such as TCs, and a dump of received and transmitted BPDUs. This section does not provide a complete description of all of the debugs, but rather briefly introduces the most frequently used ones.

Note: When you use debug commands, enable the minimum necessary debugs. If real-time debugs are not needed, record the output to the log rather than print it to the console. Excessive debugs can overload the CPU and disrupt switch operation. To direct debug output to the log instead of to the console or to Telnet sessions, issue the logging console informational and no logging monitor commands in global configuration mode.

To see the general events log, issue the debug spanning-tree event command for Per VLAN Spanning-Tree (PVST) and Rapid-PVST. This is the first debug that gives a general idea of what is happening with STP.

In Multiple Spanning-Tree (MST) mode, it does not work to issue the debug spanning-tree event command. Therefore, issue the debug spanning-tree mstp roles command to see the port role changes.

To see the port STP state changes, issue the debug spanning-tree switch state command together with the debug pm vp command.

To understand why STP behaves in a certain way, it is often useful to see the BPDUs that are received and sent by the switch:

debug spanning-tree bpdu receive

This debug works for PVST, Rapid-PVST, and MST modes; but it does not decode the contents of the BPDUs. However, you can use it to ensure that BPDUs are received.

To see the contents of the BPDU, issue the debug spanning-tree switch rx decode command together with the debug spanning-tree switch rx process command for PVST and Rapid-PVST. Issue the debug spanning-tree mstp bpdu-rx command to see the contents of the BPDU for MST.

For the MST mode, you can enable detailed BPDU decode with this debug command:

debug spanning-tree mstp bpdu-rx

Note: For Cisco IOS Software Release 12.1.13E and later, conditional debugs for STP are supported. This means that you can debug BPDUs that are received or transmitted on a per-port or per-VLAN basis.

Issue the debug condition vlan vlan_num or debug condition interface interface commands, to limit the scope of the debug output to per-interface or per-VLAN.

Securing the Network Against Forwarding Loops

  • When enabled, UDLD and Loop Guard eliminate the majority of the possible causes for forwarding loops. Rather than create a forwarding loop, the offending link (or all links dependent on the failing hardware) is shut down or blocked.
  • Enable portfast on all end-station ports.
  • Set EtherChannels to desirable mode on both sides (where supported) and use the non-silent option.
  • Do not disable auto-negotiation (if supported) on switch-to-switch links.
  • Use caution when you tune the STP timers.
  • If denial of service attacks are possible, secure the network STP perimeter with Root Guard.
  • Enable BPDU Guard on portfast-enabled ports, to prevent STP from being affected by unauthorized network devices (such as hubs, switches, and bridging routers) that are connected to the ports.
  • Avoid user traffic on the management VLAN. The management VLAN is contained to a building block, not the entire network.
  • Use predictable (hardcoded) STP root and backup STP root placement.

Posted in CATALYST, Routing & Switching Lab

switching review: DAI

Posted by Peter Kurdziel on November 17, 2008

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_sec/configuration/guide/swdynarp.html

Understanding Dynamic ARP Inspection

ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the broadcast domain receive the ARP request, and Host A responds with its MAC address. However, because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under attack flows through the attacker’s computer and then to the router, switch, or host.

A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Figure 19-1 shows an example of ARP cache poisoning.

Figure 19-1 ARP Cache Poisoning

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. When the switch and Host B receive the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA; for example, IP address IA is bound to MAC address MA. When Host B responds, the switch and Host A populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.

Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This means that Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the-middle attack.

Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks.

Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs these activities:

  • Intercepts all ARP requests and responses on untrusted ports
  • Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
  • Drops invalid ARP packets

Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp inspection vlan vlan-range global configuration command. For configuration information, see the “Configuring Dynamic ARP Inspection in DHCP Environments” section.

In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses. You define an ARP ACL by using the arp access-list acl-name global configuration command. For configuration information, see the “Configuring ARP ACLs for Non-DHCP Environments” section. The switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped Packets” section.

You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command. For more information, see the “Performing Validation Checks” section.

Interface Trust States and Network Security

Dynamic ARP inspection associates a trust state with each interface on the switch. Packets arriving on trusted interfaces bypass all dynamic ARP inspection validation checks, and those arriving on untrusted interfaces undergo the dynamic ARP inspection validation process.

In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check. No other validation is needed at any other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection trust interface configuration command.


Caution: Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity.

In Figure 19-2, assume that both Switch A and Switch B are running dynamic ARP inspection on the VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface between Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B. Connectivity between Host 1 and Host 2 is lost.

Figure 19-2 ARP Packet Validation on a VLAN Enabled for Dynamic ARP Inspection

Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network. If Switch A is not running dynamic ARP inspection, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running dynamic ARP inspection.

Dynamic ARP inspection ensures that hosts (on untrusted interfaces) connected to a switch running dynamic ARP inspection do not poison the ARP caches of other hosts in the network. However, dynamic ARP inspection does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running dynamic ARP inspection.

In cases in which some switches in a VLAN run dynamic ARP inspection and other switches do not, configure the interfaces connecting such switches as untrusted. However, to validate the bindings of packets from switches that do not run dynamic ARP inspection, configure the switch running dynamic ARP inspection with ARP ACLs. When you cannot determine such bindings, isolate the switches running dynamic ARP inspection from the switches not running it at Layer 3. For configuration information, see the “Configuring ARP ACLs for Non-DHCP Environments” section.


Note: Depending on the setup of the DHCP server and the network, it might not be possible to validate a given ARP packet on all switches in the VLAN.


Rate Limiting of ARP Packets

The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate-limited. You can change this setting by using the ip arp inspection limit interface configuration command.

When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in that state until you intervene. You can use the errdisable recovery global configuration command to enable error disable recovery so that ports automatically emerge from this state after a specified timeout period.

For configuration information, see the “Limiting the Rate of Incoming ARP Packets” section.

Relative Priority of ARP ACLs and DHCP Snooping Entries

Dynamic ARP inspection uses the DHCP snooping binding database for the list of valid IP-to-MAC address bindings.

ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs only if you configure them by using the ip arp inspection filter vlan global configuration command. The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
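The decision order described in the sections above (trusted ports bypass every check, ARP ACLs are consulted before the DHCP snooping binding table, and an ACL deny wins even when a valid binding exists) in working code. This is an added example, not code from the Cisco guide or from this post; the switch model, the port names, the addresses and the handling of the ACL static keyword (described later under "Configuring ARP ACLs for Non-DHCP Environments") are this example's own constructions.

```python
# Added example (not from the Cisco guide or this blog): a model of the
# dynamic ARP inspection decision for one ARP packet, in the order the guide
# describes: trusted ports bypass every check, an ARP ACL is consulted before
# the DHCP snooping binding table, and an ACL deny wins over a valid binding.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class ArpPacket:
    in_port: str        # ingress interface name (constructed)
    vlan: int
    sender_ip: str      # sender protocol address from the ARP body
    sender_mac: str     # sender hardware address from the ARP body

@dataclass
class ArpAce:
    """One 'permit ip host X mac host Y' or 'deny ...' entry; 'any' matches all."""
    action: str
    sender_ip: str
    sender_mac: str

@dataclass
class ArpAcl:
    name: str
    entries: list = field(default_factory=list)

    def match(self, pkt: ArpPacket) -> Optional[str]:
        """First matching ACE decides; None means no explicit ACE matched."""
        for ace in self.entries:
            if ace.sender_ip in ("any", pkt.sender_ip) and \
               ace.sender_mac in ("any", pkt.sender_mac.lower()):
                return ace.action
        return None

@dataclass
class DaiVlan:
    """Per-VLAN state: optional ARP ACL filter (with 'static') and DHCP snooping bindings."""
    acl: Optional[ArpAcl] = None
    acl_static: bool = False
    dhcp_bindings: dict = field(default_factory=dict)   # sender IP -> MAC

class DaiSwitch:
    def __init__(self):
        self.trusted_ports = set()
        self.vlans = {}          # VLAN id -> DaiVlan; absent means DAI disabled there
        self.log = []            # stands in for the DAI log buffer: (reason, packet)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop' for one ARP packet."""
        vlan = self.vlans.get(pkt.vlan)
        if vlan is None:
            return "forward"                       # DAI not enabled on this VLAN
        if pkt.in_port in self.trusted_ports:
            return "forward"                       # trusted: no validation at all
        if vlan.acl is not None:                   # ACL is checked before DHCP bindings
            verdict = vlan.acl.match(pkt)
            if verdict == "permit":
                return "forward"
            if verdict == "deny":
                return self._drop(pkt, "denied by ARP ACL " + vlan.acl.name)
            if vlan.acl_static:                    # implicit deny treated as explicit
                return self._drop(pkt, "no match in static ARP ACL " + vlan.acl.name)
        bound = vlan.dhcp_bindings.get(pkt.sender_ip)
        if bound is not None and bound.lower() == pkt.sender_mac.lower():
            return "forward"
        return self._drop(pkt, "no valid IP-to-MAC binding")

    def _drop(self, pkt: ArpPacket, reason: str) -> str:
        self.log.append((reason, pkt))
        return "drop"

def demo():
    """Constructed scenario modelled on Figure 19-2's Switch A (all values made up)."""
    sw = DaiSwitch()
    host2_acl = ArpAcl("host2", [ArpAce("permit", "1.1.1.1", "0001.0001.0001")])
    bindings = {"10.0.0.11": "0011.2233.4455"}        # Host 1, learned via DHCP snooping
    sw.vlans[1] = DaiVlan(acl=host2_acl, dhcp_bindings=bindings)
    sw.vlans[2] = DaiVlan(acl=ArpAcl("block", [ArpAce("deny", "10.0.0.11", "any")]),
                          dhcp_bindings=bindings)
    sw.vlans[3] = DaiVlan(acl=ArpAcl("onlyh2", list(host2_acl.entries)), acl_static=True,
                          dhcp_bindings=bindings)
    sw.trusted_ports.add("Gi0/24")                    # uplink to another DAI switch
    results = {
        "host2_via_acl":      sw.inspect(ArpPacket("Gi0/1", 1, "1.1.1.1", "0001.0001.0001")),
        "host1_via_dhcp":     sw.inspect(ArpPacket("Gi0/2", 1, "10.0.0.11", "0011.2233.4455")),
        "forged_binding":     sw.inspect(ArpPacket("Gi0/3", 1, "10.0.0.11", "00de.adbe.ef00")),
        "trusted_port":       sw.inspect(ArpPacket("Gi0/24", 1, "10.0.0.11", "00de.adbe.ef00")),
        "acl_deny_wins":      sw.inspect(ArpPacket("Gi0/2", 2, "10.0.0.11", "0011.2233.4455")),
        "static_no_fallback": sw.inspect(ArpPacket("Gi0/2", 3, "10.0.0.11", "0011.2233.4455")),
    }
    return results, len(sw.log)
```

The "acl_deny_wins" and "static_no_fallback" cases are the two that trip people up in practice: the DHCP snooping binding for Host 1 is perfectly valid, yet the packet is still dropped because the ACL verdict (an explicit deny, or an implicit deny made explicit by static) is evaluated first. The "trusted_port" case shows why the Caution above matters: the same forged binding that is dropped on Gi0/3 passes untouched on the trusted uplink.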

Logging of Dropped Packets

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages. You specify the type of packets that are logged by using the ip arp inspection vlan logging global configuration command. For configuration information, see the “Configuring the Log Buffer” section.

Configuring Dynamic ARP Inspection

These sections describe how to configure dynamic ARP inspection on your switch:

  • Default Dynamic ARP Inspection Configuration
  • Dynamic ARP Inspection Configuration Guidelines
  • Configuring Dynamic ARP Inspection in DHCP Environments (required in DHCP environments)
  • Configuring ARP ACLs for Non-DHCP Environments (required in non-DHCP environments)
  • Limiting the Rate of Incoming ARP Packets (optional)
  • Performing Validation Checks (optional)
  • Configuring the Log Buffer (optional)

Default Dynamic ARP Inspection Configuration

Table 19-1 shows the default dynamic ARP inspection configuration.

Table 19-1 Default Dynamic ARP Inspection Configuration (Feature: Default Setting)

  • Dynamic ARP inspection: Disabled on all VLANs.
  • Interface trust state: All interfaces are untrusted.
  • Rate limit of incoming ARP packets: The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second. The rate is unlimited on all trusted interfaces. The burst interval is 1 second.
  • ARP ACLs for non-DHCP environments: No ARP ACLs are defined.
  • Validation checks: No checks are performed.
  • Log buffer: When dynamic ARP inspection is enabled, all denied or dropped ARP packets are logged. The number of entries in the log is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.
  • Per-VLAN logging: All denied or dropped ARP packets are logged.

Dynamic ARP Inspection Configuration Guidelines

These are the dynamic ARP inspection configuration guidelines:

Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.

Dynamic ARP inspection is not effective for hosts connected to switches that do not support dynamic ARP inspection or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with dynamic ARP inspection checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for dynamic ARP inspection.

Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For configuration information, see “Configuring DHCP Features.”

When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.

Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match. Otherwise, the physical port remains suspended in the port channel. A port channel inherits its trust state from the first physical port that joins the channel. Consequently, the trust state of the first physical port need not match the trust state of the channel.

Conversely, when you change the trust state on the port channel, the switch configures a new trust state on all the physical ports that comprise the channel.

The rate limit is calculated separately on each switch in a switch stack. For a cross-stack EtherChannel, this means that the actual rate limit might be higher than the configured value. For example, if you set the rate limit to 30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.

The operating rate for the port channel is cumulative across all the physical ports within the channel. For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on the channel-port members.

The rate of incoming packets on a physical port is checked against the port-channel configuration rather than the physical-ports configuration. The rate-limit configuration on a port channel is independent of the configuration on its physical ports.

If the EtherChannel receives more ARP packets than the configured rate, the channel (including all physical ports) is placed in the error-disabled state.

Make sure to limit the rate of ARP packets on incoming trunk ports. Configure trunk ports with higher rates to reflect their aggregation and to handle packets across multiple dynamic ARP inspection-enabled VLANs. You also can use the ip arp inspection limit none interface configuration command to make the rate unlimited. A high rate-limit on one VLAN can cause a denial-of-service attack to other VLANs when the software places the port in the error-disabled state.

Configuring Dynamic ARP Inspection in DHCP Environments

This procedure shows how to configure dynamic ARP inspection when two switches support this feature. Host 1 is connected to Switch A, and Host 2 is connected to Switch B as shown in Figure 19-2. Both switches are running dynamic ARP inspection on VLAN 1 where the hosts are located. A DHCP server is connected to Switch A. Both hosts acquire their IP addresses from the same DHCP server. Therefore, Switch A has the bindings for Host 1 and Host 2, and Switch B has the binding for Host 2.


Note: Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For configuration information, see “Configuring DHCP Features.”


For information on how to configure dynamic ARP inspection when only one switch supports the feature, see the “Configuring ARP ACLs for Non-DHCP Environments” section.

Beginning in privileged EXEC mode, follow these steps to configure dynamic ARP inspection. You must perform this procedure on both switches. This procedure is required.

Step 1: show cdp neighbors
Verify the connection between the switches.

Step 2: configure terminal
Enter global configuration mode.

Step 3: ip arp inspection vlan vlan-range
Enable dynamic ARP inspection on a per-VLAN basis. By default, dynamic ARP inspection is disabled on all VLANs.

For vlan-range, specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

Specify the same VLAN ID for both switches.

Step 4: interface interface-id
Specify the interface connected to the other switch, and enter interface configuration mode.

Step 5: ip arp inspection trust
Configure the connection between the switches as trusted.

By default, all interfaces are untrusted.

The switch does not check ARP packets that it receives from the other switch on the trusted interface. It simply forwards the packets.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command. For more information, see the “Configuring the Log Buffer” section.

Step 6: end
Return to privileged EXEC mode.

Step 7: show ip arp inspection interfaces and show ip arp inspection vlan vlan-range
Verify the dynamic ARP inspection configuration.

Step 8: show ip dhcp snooping binding
Verify the DHCP bindings.

Step 9: show ip arp inspection statistics vlan vlan-range
Check the dynamic ARP inspection statistics.

Step 10: copy running-config startup-config
(Optional) Save your entries in the configuration file.

To disable dynamic ARP inspection, use the no ip arp inspection vlan vlan-range global configuration command. To return the interfaces to an untrusted state, use the no ip arp inspection trust interface configuration command.

This example shows how to configure dynamic ARP inspection on Switch A in VLAN 1. You would perform a similar procedure on Switch B:

Switch(config)# ip arp inspection vlan 1

Switch(config)# interface gigabitethernet 0/1

Switch(config-if)# ip arp inspection trust

Configuring ARP ACLs for Non-DHCP Environments

This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure 19-2 does not support dynamic ARP inspection or DHCP snooping.

If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 1. If the IP address of Host 2 is not static (it is impossible to apply the ACL configuration on Switch A) you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them.

Beginning in privileged EXEC mode, follow these steps to configure an ARP ACL on Switch A. This procedure is required in non-DHCP environments.

Step 1: configure terminal
Enter global configuration mode.

Step 2: arp access-list acl-name
Define an ARP ACL, and enter ARP access-list configuration mode. By default, no ARP access lists are defined.

Note: At the end of the ARP access list, there is an implicit deny ip any mac any command.

Step 3: permit ip host sender-ip mac host sender-mac [log]
Permit ARP packets from the specified host (Host 2).

For sender-ip, enter the IP address of Host 2.

For sender-mac, enter the MAC address of Host 2.

(Optional) Specify log to log a packet in the log buffer when it matches the access control entry (ACE). Matches are logged if you also configure the matchlog keyword in the ip arp inspection vlan logging global configuration command. For more information, see the “Configuring the Log Buffer” section.

Step 4: exit
Return to global configuration mode.

Step 5: ip arp inspection filter arp-acl-name vlan vlan-range [static]
Apply the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN.

For arp-acl-name, specify the name of the ACL created in Step 2.

For vlan-range, specify the VLAN that the switches and hosts are in. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

(Optional) Specify static to treat implicit denies in the ARP ACL as explicit denies and to drop packets that do not match any previous clauses in the ACL. DHCP bindings are not used.

If you do not specify this keyword, a packet that matches no clause in the ACL is not denied by the ACL's implicit deny; instead, the DHCP bindings determine whether the packet is permitted or denied.

ARP packets containing only IP-to-MAC address bindings are compared against the ACL. Packets are permitted only if the access list permits them.

Step 6: interface interface-id
Specify the Switch A interface that is connected to Switch B, and enter interface configuration mode.

Step 7: no ip arp inspection trust
Configure the Switch A interface that is connected to Switch B as untrusted.

By default, all interfaces are untrusted.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command. For more information, see the “Configuring the Log Buffer” section.

Step 8: end
Return to privileged EXEC mode.

Step 9: show arp access-list [acl-name], show ip arp inspection vlan vlan-range, and show ip arp inspection interfaces
Verify your entries.

Step 10: copy running-config startup-config
(Optional) Save your entries in the configuration file.

To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global configuration command.

This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to VLAN 1, and to configure port 1 on Switch A as untrusted:

Switch(config)# arp access-list host2

Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host 0001.0001.0001

Switch(config-arp-acl)# exit

Switch(config)# ip arp inspection filter host2 vlan 1

Switch(config)# interface gigabitethernet 0/1

Switch(config-if)# no ip arp inspection trust

Limiting the Rate of Incoming ARP Packets

The switch CPU performs dynamic ARP inspection validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.

When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in that state until you enable error-disabled recovery so that ports automatically emerge from this state after a specified timeout period.


Note: Unless you configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.


For configuration guidelines for rate limiting trunk ports and EtherChannel ports, see the “Dynamic ARP Inspection Configuration Guidelines” section.

Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.

Step 1: configure terminal
Enter global configuration mode.

Step 2: interface interface-id
Specify the interface to be rate-limited, and enter interface configuration mode.

Step 3: ip arp inspection limit {rate pps [burst interval seconds] | none}
Limit the rate of incoming ARP requests and responses on the interface.

The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces. The burst interval is 1 second.

The keywords have these meanings:

For rate pps, specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 pps.

(Optional) For burst interval seconds, specify the consecutive interval in seconds over which the interface is monitored for a high rate of ARP packets. The range is 1 to 15.

For rate none, specify no upper limit for the rate of incoming ARP packets that can be processed.

Step 4: exit
Return to global configuration mode.

Step 5: errdisable recovery cause arp-inspection interval interval
(Optional) Enable error recovery from the dynamic ARP inspection error-disable state.

By default, recovery is disabled, and the recovery interval is 300 seconds.

For interval interval, specify the time in seconds to recover from the error-disable state. The range is 30 to 86400.

Step 6: exit
Return to privileged EXEC mode.

Step 7: show ip arp inspection interfaces and show errdisable recovery
Verify your settings.

Step 8: copy running-config startup-config
(Optional) Save your entries in the configuration file.

To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command.
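The rate-limit behaviour described in this section, together with the EtherChannel notes in the configuration guidelines (the channel limit is cumulative across member ports), in working code. This is an added example, not code from the Cisco guide or this post. The window semantics it uses (more than rate x burst-interval packets inside any burst-interval window error-disables the port) are this example's reading of the guide's wording, and the class, its method names and the arrival patterns are constructed here.

```python
# Added example (not from the guide or this blog): a sliding-window model of
# the DAI per-port ARP rate limit, its burst interval, the error-disabled
# state with optional errdisable recovery, and the cumulative EtherChannel
# limit. The window rule (more than rate * burst packets inside any
# burst-interval window trips errdisable) is this example's assumption.
from collections import deque

DEFAULT_UNTRUSTED_PPS = 15     # Table 19-1 defaults
DEFAULT_BURST_SECONDS = 1

class ArpRateLimiter:
    """One limiter per physical port, or one per port channel for an EtherChannel."""

    def __init__(self, rate_pps=DEFAULT_UNTRUSTED_PPS, burst_interval=DEFAULT_BURST_SECONDS,
                 recovery_interval=None):
        self.rate_pps = rate_pps            # None models 'ip arp inspection limit none'
        self.burst = burst_interval
        self.recovery = recovery_interval   # None: errdisable recovery not configured
        self.errdisabled_at = None          # time the port went error-disabled
        self.arrivals = deque()             # arrival times inside the current window

    def admit(self, now: float) -> str:
        """Account for one ARP packet arriving at time 'now' (seconds).
        Returns 'accept', 'errdisable' (this packet tripped the limit) or 'drop-errdisabled'."""
        if self.errdisabled_at is not None:
            if self.recovery is None or now - self.errdisabled_at < self.recovery:
                return "drop-errdisabled"   # stays down until an operator intervenes
            self.errdisabled_at = None      # automatic recovery after the interval
            self.arrivals.clear()
        if self.rate_pps is None:
            return "accept"
        self.arrivals.append(now)
        while now - self.arrivals[0] >= self.burst:   # forget arrivals outside the window
            self.arrivals.popleft()
        if len(self.arrivals) > self.rate_pps * self.burst:
            self.errdisabled_at = now
            self.arrivals.clear()
            return "errdisable"
        return "accept"

def replay(limiter: ArpRateLimiter, arrivals) -> dict:
    """Feed a constructed arrival pattern (timestamps) and count the verdicts."""
    verdicts = [limiter.admit(t) for t in arrivals]
    return {v: verdicts.count(v) for v in sorted(set(verdicts))}

def demo() -> dict:
    out = {}
    # 1. Default untrusted port: 15 packets spread over one second are accepted;
    #    a 16th packet inside the same window error-disables the port.
    port = ArpRateLimiter()
    out["steady_15pps"] = replay(port, [i / 15 for i in range(15)])
    out["sixteenth"] = port.admit(0.99)
    # 2. With 'errdisable recovery cause arp-inspection interval 30' the port
    #    returns to service 30 s after it was error-disabled.
    port2 = ArpRateLimiter(recovery_interval=30)
    replay(port2, [0.0] * 16)               # burst at t=0 trips the limit
    out["during_recovery"] = port2.admit(10.0)
    out["after_recovery"] = port2.admit(31.0)
    # 3. EtherChannel: members share one limiter, so two members each sending
    #    250 pps exceed a 400 pps channel limit although neither does alone.
    channel = ArpRateLimiter(rate_pps=400)
    member_a = [(i / 250, "Gi0/1") for i in range(250)]          # constructed
    member_b = [(i / 250 + 0.001, "Gi0/2") for i in range(250)]  # constructed
    out["channel_400pps"] = replay(channel, [t for t, _ in sorted(member_a + member_b)])
    return out
```

Case 3 is the guideline's point about sizing EtherChannel limits from the sum of the members' rates: 400 packets are accepted, the 401st error-disables the whole channel, and the remaining 99 are dropped. The guideline's stacking caveat (each stack member counts separately, so a cross-stack channel effectively gets a higher limit) would be modelled by giving each member switch its own ArpRateLimiter instead of the single shared one used here.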

Performing Validation Checks

Dynamic ARP inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.

Beginning in privileged EXEC mode, follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.

Step 1: configure terminal
Enter global configuration mode.

Step 2: ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Perform a specific check on incoming ARP packets. By default, no checks are performed.

The keywords have these meanings:

For src-mac, check the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

For dst-mac, check the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

For ip, check the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.

You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

Step 3: exit
Return to privileged EXEC mode.

Step 4: show ip arp inspection vlan vlan-range
Verify your settings.

Step 5: copy running-config startup-config
(Optional) Save your entries in the configuration file.

To disable checking, use the no ip arp inspection validate [src-mac] [dst-mac] [ip] global configuration command. To display statistics for forwarded, dropped, and MAC and IP validation failure packets, use the show ip arp inspection statistics privileged EXEC command.
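The three validation checks of this section applied to a raw Ethernet II + ARP frame, showing exactly which header field is compared against which ARP body field and for which ARP operation. This is an added example, not code from the Cisco guide or this post; the frame builder, the MAC addresses other than Host 2's, the test frames and the function names are constructed here, while the check semantics follow the keyword descriptions above.

```python
# Added example (not part of the Cisco guide or this post): the three optional
# DAI validation checks (src-mac, dst-mac, ip) applied to a raw Ethernet+ARP
# frame. The builder, test frames and names are constructed for this example.
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")           # destination MAC, source MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp_frame(frame: bytes) -> dict:
    """Split a frame into the Ethernet header and ARP body fields that DAI compares."""
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": ipaddress.IPv4Address(spa),
            "tha": tha, "tpa": ipaddress.IPv4Address(tpa)}

def invalid_ip(addr: ipaddress.IPv4Address) -> bool:
    """Addresses the guide lists for the 'ip' check: 0.0.0.0, 255.255.255.255, multicast."""
    return (addr == ipaddress.IPv4Address("0.0.0.0")
            or addr == ipaddress.IPv4Address("255.255.255.255")
            or addr.is_multicast)

def validate(frame: bytes, src_mac=False, dst_mac=False, ip=False) -> list:
    """Return the names of the enabled checks that fail (empty list: packet passes).
    Mirrors 'ip arp inspection validate {[src-mac] [dst-mac] [ip]}'."""
    p = parse_arp_frame(frame)
    failures = []
    if src_mac and p["eth_src"] != p["sha"]:          # requests and replies
        failures.append("src-mac")
    if dst_mac and p["oper"] == ARP_REPLY and p["eth_dst"] != p["tha"]:   # replies only
        failures.append("dst-mac")
    if ip:
        if invalid_ip(p["spa"]):                       # sender IP: every packet
            failures.append("ip-sender")
        if p["oper"] == ARP_REPLY and invalid_ip(p["tpa"]):   # target IP: replies only
            failures.append("ip-target")
    return failures

def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Constructed test frame; MACs as 6-byte values, IPs as dotted strings."""
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, oper, sha, ipaddress.IPv4Address(spa).packed,
        tha, ipaddress.IPv4Address(tpa).packed)

MAC_A = bytes.fromhex("000100010001")   # Host 2 from the guide's example
MAC_B = bytes.fromhex("001122334455")   # constructed
MAC_C = bytes.fromhex("00deadbeef00")   # constructed
BCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6

def demo() -> dict:
    """Run all three checks over constructed frames; returns the failed checks per case."""
    frames = {
        # consistent reply: Ethernet header and ARP body agree
        "clean_reply": build_arp(MAC_B, MAC_A, ARP_REPLY, MAC_A, "1.1.1.1", MAC_B, "1.1.1.2"),
        # body claims sender MAC A, but the frame was sent from MAC C
        "sender_mismatch": build_arp(MAC_B, MAC_C, ARP_REPLY, MAC_A, "1.1.1.1", MAC_B, "1.1.1.2"),
        # reply delivered to MAC C although the body targets MAC B
        "target_mismatch": build_arp(MAC_C, MAC_A, ARP_REPLY, MAC_A, "1.1.1.1", MAC_B, "1.1.1.2"),
        # request with sender 0.0.0.0; its multicast target IP is not checked in requests
        "bogus_request": build_arp(BCAST, MAC_A, ARP_REQUEST, MAC_A, "0.0.0.0", ZERO_MAC, "224.0.0.1"),
        # reply whose target IP is the limited broadcast address
        "bogus_reply": build_arp(MAC_B, MAC_A, ARP_REPLY, MAC_A, "1.1.1.1", MAC_B, "255.255.255.255"),
    }
    return {name: validate(f, src_mac=True, dst_mac=True, ip=True) for name, f in frames.items()}
```

The "bogus_request" case is the edge worth remembering: because the ip check looks at target addresses only in responses, a request carrying a multicast target address fails solely on its 0.0.0.0 sender, and a request with a valid sender and a bogus target passes the ip check entirely.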

Configuring the Log Buffer

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

A log-buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry.

If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. A -- in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer or increase the logging rate.

Beginning in privileged EXEC mode, follow these steps to configure the log buffer. This procedure is optional.

Command

Purpose

Step 1

configure terminal

Enter global configuration mode.

Step 2

ip arp inspection log-buffer {entries number | logs number interval seconds}

Configure the dynamic ARP inspection logging buffer.

By default, when dynamic ARP inspection is enabled, denied or dropped ARP packets are logged. The number of log entries is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.

The keywords have these meanings:

For entries number, specify the number of entries to be logged in the buffer. The range is 0 to 1024.

For logs number interval seconds, specify the number of entries to generate system messages in the specified interval.

For logs number, the range is 0 to 1024. A 0 value means that the entry is placed in the log buffer, but a system message is not generated.

For interval seconds, the range is 0 to 86400 seconds (1 day). A 0 value means that a system message is immediately generated (and the log buffer is always empty).

An interval setting of 0 overrides a log setting of 0.

The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.

Step 3

ip arp inspection vlan vlan-range logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}

Control the type of packets that are logged per VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.

The keywords have these meanings:

For vlan-range, specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

For acl-match matchlog, log packets based on the ACE logging configuration. If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access-list configuration command, ARP packets permitted or denied by the ACL are logged.

For acl-match none, do not log packets that match ACLs.

For dhcp-bindings all, log all packets that match DHCP bindings.

For dhcp-bindings none, do not log packets that match DHCP bindings.

For dhcp-bindings permit, log DHCP-binding permitted packets.

Step 4

exit

Return to privileged EXEC mode.

Step 5

show ip arp inspection log

Verify your settings.

Step 6

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return to the default log buffer settings, use the no ip arp inspection log-buffer {entries | logs} global configuration command. To return to the default VLAN log settings, use the no ip arp inspection vlan vlan-range logging {acl-match | dhcp-bindings} global configuration command. To clear the log buffer, use the clear ip arp inspection log privileged EXEC command.
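To make the log-buffer behaviour of the steps above concrete, here is an added Python model; it is not Cisco's code and does not reproduce the switch's real syslog message format. It aggregates drops with the same VLAN and ARP parameters into one entry, records events that do not fit as a count-and-time-only overflow row, and generates system messages at most logs per interval seconds, including the interval-0 and logs-0 special cases from Step 2. messages_per_second states the X/Y interaction from the same step. The defaults match the text; the flow tuple layout, sample flows and message text are constructed.

```python
from collections import OrderedDict

# Added example: model of the DAI log buffer and its rate control (not Cisco code).


class DaiLogBuffer:
    """'entries' slots, at most 'logs' system messages per 'interval' seconds.
    A flow key is (vlan, port, src_ip, dst_ip, src_mac, dst_mac)."""

    def __init__(self, entries=32, logs=5, interval=1):
        self.entries, self.logs, self.interval = entries, logs, interval
        self.buf = OrderedDict()     # flow -> [packet_count, first_seen]
        self.overflow = None         # [packet_count, last_seen] for events that did not fit
        self.messages = []           # system messages generated so far
        self._window_start = None
        self._sent_in_window = 0

    @staticmethod
    def _message(flow, count, when):
        vlan, port, sip, dip, smac, dmac = flow
        # Constructed text; the real %SW_DAI syslog wording is not reproduced here.
        return f"t={when}: {count} invalid ARP(s) on {port}, vlan {vlan}: {smac}/{sip} -> {dmac}/{dip}"

    def record(self, flow, now):
        """A dropped ARP packet belonging to 'flow' arrived at time 'now'."""
        if self.interval == 0:                   # interval 0 overrides logs 0:
            self.messages.append(self._message(flow, 1, now))   # message now, buffer empty
        elif flow in self.buf:
            self.buf[flow][0] += 1               # same VLAN + same ARP parameters: one entry
        elif len(self.buf) < self.entries:
            self.buf[flow] = [1, now]
        else:                                    # buffer full: only count and time survive
            if self.overflow is None:
                self.overflow = [0, now]
            self.overflow[0] += 1
            self.overflow[1] = now

    def flush(self, now):
        """Generate rate-controlled messages for buffered entries; returns how many."""
        if self.logs == 0 or self.interval == 0:
            return 0                             # logs 0: buffered but never reported
        if self._window_start is None or now - self._window_start >= self.interval:
            self._window_start, self._sent_in_window = now, 0
        sent = 0
        while self.buf and self._sent_in_window < self.logs:
            flow, (count, first) = self.buf.popitem(last=False)
            self.messages.append(self._message(flow, count, first))
            self._sent_in_window += 1
            sent += 1
        return sent

    def show_log(self):
        """Rows like 'show ip arp inspection log'; the overflow row carries '--' for all
        flow fields and keeps only the packet count and the time."""
        rows = [(flow, count, first) for flow, (count, first) in self.buf.items()]
        if self.overflow:
            rows.append((("--",) * 6, self.overflow[0], self.overflow[1]))
        return rows


def messages_per_second(logs, interval):
    """logs X and interval Y interact: X > Y gives X/Y messages per second, otherwise
    one message every Y/X seconds, which is the same X/Y rate. interval 0 means
    immediate (unbounded) messages; logs 0 means none."""
    if interval == 0:
        return float("inf")
    return logs / interval
```

Usage: build a DaiLogBuffer with the values you intend to configure, feed it the drop rate you expect on a busy VLAN, and check whether show_log() ever returns an overflow row; if it does, the text's advice applies and entries or the logging rate should be raised.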

Displaying Dynamic ARP Inspection Information

To display dynamic ARP inspection information, use the privileged EXEC commands described in Table 19-2:

Table 19-2 Commands for Displaying Dynamic ARP Inspection Information

Command
    Description

show arp access-list [acl-name]
    Displays detailed information about ARP ACLs.

show ip arp inspection interfaces [interface-id]
    Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces.

show ip arp inspection vlan vlan-range
    Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active).

To clear or display dynamic ARP inspection statistics, use the privileged EXEC commands in Table 19-3:

Table 19-3 Commands for Clearing or Displaying Dynamic ARP Inspection Statistics

Command
    Description

clear ip arp inspection statistics
    Clears dynamic ARP inspection statistics.

show ip arp inspection statistics [vlan vlan-range]
    Displays statistics for forwarded, dropped, MAC validation failure, IP validation failure, ACL permitted and denied, and DHCP permitted and denied packets for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active).

For the show ip arp inspection statistics command, the switch increments the number of forwarded packets for each ARP request and response packet on a trusted dynamic ARP inspection port. A packet that passes the ACL or DHCP-binding check is counted as ACL or DHCP permitted even if it is then denied by the source MAC, destination MAC, or IP validation check; in that case the switch also increments the appropriate failure count, so the permitted and failure counters are not mutually exclusive.

To clear or display dynamic ARP inspection logging information, use the privileged EXEC commands in Table 19-4:

Table 19-4 Commands for Clearing or Displaying Dynamic ARP Inspection Logging Information

Command
    Description

clear ip arp inspection log
    Clears the dynamic ARP inspection log buffer.

show ip arp inspection log
    Displays the configuration and contents of the dynamic ARP inspection log buffer.

Posted in CATALYST, Routing & Switching Lab

Switching review: VTP

Posted by Peter Kurdziel on November 17, 2008

Do labs x2 on 3x use doc cd.

VTP – VLAN Trunk Protocol

VLAN Trunk Protocol (VTP) reduces administration in a switched network. When you configure a new VLAN on one VTP server, the VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN everywhere. VTP is a Cisco-proprietary protocol that is available on most of the Cisco Catalyst series products.

Configuration Revision Number

The configuration revision number is a 32-bit number that indicates the level of revision for a VTP packet. Each VTP device tracks the VTP configuration revision number that is assigned to it. Most of the VTP packets contain the VTP configuration revision number of the sender.

This information is used in order to determine whether the received information is more recent than the current version. Each time that you make a VLAN change in a VTP device, the configuration revision is incremented by one. In order to reset the configuration revision of a switch, change the VTP domain name, and then change the name back to the original name.

Summary Advertisements

By default, Catalyst switches issue summary advertisements in five-minute increments. Summary advertisements inform adjacent Catalysts of the current VTP domain name and the configuration revision number.

When the switch receives a summary advertisement packet, the switch compares the VTP domain name to its own VTP domain name. If the name is different, the switch simply ignores the packet. If the name is the same, the switch then compares the configuration revision to its own revision. If its own configuration revision is higher or equal, the packet is ignored. If it is lower, an advertisement request is sent.

Advertisement Requests

A switch needs a VTP advertisement request in these situations:

  • The switch has been reset.
  • The VTP domain name has been changed.
  • The switch has received a VTP summary advertisement with a higher configuration revision than its own.

Upon receipt of an advertisement request, a VTP device sends a summary advertisement. One or more subset advertisements follow the summary advertisement.

VTP Modes

You can configure a switch to operate in any one of these VTP modes:

  • Server—In VTP server mode, you can create, modify, and delete VLANs and specify other configuration parameters, such as VTP version and VTP pruning, for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on advertisements received over trunk links. VTP server is the default mode.
  • Client—VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.
  • Transparent—VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements, but transparent switches do forward VTP advertisements that they receive out their trunk ports in VTP Version 2.
  • Off (configurable only in CatOS switches)—In the three described modes, VTP advertisements are received and transmitted as soon as the switch enters the management domain state. In the VTP off mode, switches behave the same as in VTP transparent mode with the exception that VTP advertisements are not forwarded.

VTP V2

VTP V2 is not much different from VTP V1. The major difference is that VTP V2 introduces support for Token Ring VLANs. If you use Token Ring VLANs, you must enable VTP V2. Otherwise, there is no reason to use VTP V2.

VTP Password

If you configure a password for VTP, you must configure the password on all switches in the VTP domain. The password must be the same password on all those switches. The VTP password that you configure is translated by algorithm into a 16-byte word (MD5 value) that is carried in all summary-advertisement VTP packets.

VTP Pruning

VTP ensures that all switches in the VTP domain are aware of all VLANs. However, there are occasions when VTP can create unnecessary traffic. All unknown unicasts and broadcasts in a VLAN are flooded over the entire VLAN. All switches in the network receive all broadcasts, even in situations in which few users are connected in that VLAN. VTP pruning is a feature that you use in order to eliminate or prune this unnecessary traffic.

When VTP pruning is enabled on a VTP server, pruning is enabled for the entire management domain. Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on all switches in the VTP domain). VTP pruning takes effect several seconds after you enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range VLANs (VLAN IDs greater than 1005) are also pruning-ineligible.

Use VTP in a Network

By default, all switches are configured to be VTP servers. This configuration is suitable for small-scale networks in which the size of the VLAN information is small and the information is easily stored in all switches (in NVRAM). In a large network there comes a point at which storing the full VLAN database in the NVRAM of every switch becomes wasteful, because the same information is duplicated everywhere; the network administrator must then choose a few well-equipped switches and keep them as VTP servers. Everything else that participates in VTP can be turned into a client. The number of VTP servers should be chosen in order to provide the degree of redundancy that is desired in the network.

Notes:

  • If a switch is configured as a VTP server without a VTP domain name, you cannot configure a VLAN on the switch.
  • If a new Catalyst is attached at the border of two VTP domains, the new Catalyst keeps the domain name of the first switch that sends it a summary advertisement. The only way to attach this switch to another VTP domain is to manually set a different VTP domain name.
  • Dynamic Trunking Protocol (DTP) sends the VTP domain name in a DTP packet. Therefore, if you have two ends of a link that belong to different VTP domains, the trunk does not come up if you use DTP. In this special case, you must configure the trunk mode as on or nonegotiate, on both sides, in order to allow the trunk to come up without DTP negotiation agreement.
  • If the domain has a single VTP server and it crashes, the best and easiest way to restore the operation is to change any of the VTP clients in that domain to a VTP server. The configuration revision is still the same in the rest of the clients, even if the server crashes. Therefore, VTP works properly in the domain.

Conclusion

There are some disadvantages to the use of VTP. You must balance the ease of VTP administration against the inherent risk of a large STP domain and the potential instability and risks of STP. The greatest risk is an STP loop through the entire campus. When you use VTP, there are two things to which you must pay close attention:

  • Remember the configuration revision and how to reset it each time that you insert a new switch in your network so that you do not bring down the entire network.
  • Avoid, as much as possible, having a VLAN that spans the entire network.

REFERENCE: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml
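The revision comparison, the reset procedure and the conclusion's warning above, as an added Python model that is not Cisco's code and does not reproduce the VTP wire format: a VtpSwitch applies the domain-name and revision checks from the Summary Advertisements section to a received summary advertisement and, when its own revision is lower, sends an advertisement request and adopts the sender's VLAN database. insert_switch replays the scenario the conclusion warns about, with and without resetting the revision first. Switch names, the LAB domain, the VLAN ids and the temporary domain name used for the reset are constructed for the example.

```python
# Added example: model of VTP revision handling described in the text (not Cisco code).


class VtpSwitch:
    def __init__(self, name, domain, mode="server", revision=0, vlans=None):
        self.name, self.domain, self.mode = name, domain, mode
        self.revision = revision                       # 32-bit configuration revision
        self.vlans = dict(vlans) if vlans else {1: "default"}

    def set_domain(self, domain):
        """Changing the domain name resets the configuration revision to 0."""
        if domain != self.domain:
            self.domain, self.revision = domain, 0

    def reset_revision(self):
        """Documented reset: change the domain name, then change it back."""
        original = self.domain
        self.set_domain(original + "-tmp")             # constructed temporary name
        self.set_domain(original)

    def add_vlan(self, vlan_id, name):
        """Only a server can change VLANs; every change increments the revision."""
        if self.mode != "server":
            raise PermissionError(f"{self.name} is a VTP {self.mode}; VLAN changes need server mode")
        self.vlans[vlan_id] = name
        self.revision += 1

    def summary_advertisement(self):
        """What a summary advertisement carries for this comparison: name and revision."""
        return {"domain": self.domain, "revision": self.revision}

    def subset_advertisement(self):
        """The VLAN database sent in answer to an advertisement request."""
        return dict(self.vlans)

    def receive_summary(self, sender):
        """Apply the comparison from the text; returns the action taken."""
        adv = sender.summary_advertisement()
        if self.mode == "transparent":
            return "transparent: not synchronized (advertisement only forwarded in V2)"
        if adv["domain"] != self.domain:
            return "ignored: domain name differs"
        if self.revision >= adv["revision"]:
            return "ignored: own revision is higher or equal"
        # Lower revision: send an advertisement request; the sender answers with a
        # summary plus subset advertisements and this switch adopts them. Servers
        # and clients both synchronize this way.
        self.vlans = sender.subset_advertisement()
        self.revision = adv["revision"]
        return "advertisement request sent: VLAN database overwritten"


def insert_switch(reset_first):
    """Scenario from the conclusion: a switch with a stale but higher revision joins
    domain LAB. Returns the core server's VLAN table afterwards."""
    core = VtpSwitch("core", "LAB", "server", vlans={1: "default"})
    for vid, name in ((10, "users"), (20, "servers")):
        core.add_vlan(vid, name)                       # core revision is now 2
    stale = VtpSwitch("stale", "LAB", "client", revision=12)   # only VLAN 1, revision 12
    if reset_first:
        stale.reset_revision()
    core.receive_summary(stale)
    return core.vlans
```

Run insert_switch(False) and insert_switch(True) side by side: without the reset the core server's VLANs 10 and 20 disappear, which is exactly the network-wide outage the conclusion tells you to avoid by checking and resetting the revision before connecting a switch.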

There are two methods that you can use in order to configure VTP, as this section shows. Method 2 (the global configuration mode method) is not available in earlier software on Catalyst 6500 series switches that run Cisco IOS® Software.

  1. In VLAN database mode:

    In Cisco IOS Software, you can configure the VTP domain name, the VTP mode, and the VLANs in VLAN configuration mode.

    1. In privileged EXEC mode, issue this command in order to enter VLAN configuration mode:
      Router#vlan database
      
      !--- Issue this command in privileged EXEC mode,
      !--- not in global configuration mode.
      
      Router(vlan)#
      
      !--- This is VLAN configuration mode.
      
    2. Issue these commands in order to set the VTP mode and the VTP domain name:
      Router(vlan)#vtp {client | server | transparent}
      Router(vlan)#vtp domain name
    3. Issue the exit command in order to exit VLAN configuration mode.

      Note: The end and the Ctrl-Z commands do not work in this mode.

      Router(vlan)#end
      
      Router(vlan)#^Z
      
      % Invalid input detected at '^' marker.
      
      Router(vlan)#
      
      Router(vlan)#exit
      
      APPLY completed.
      Exiting....
      Router#
  2. In global configuration mode:

    In Cisco IOS Software global configuration mode, you can configure all VTP parameters with Cisco IOS Software commands. This is the command format:

    Router(config)#vtp ?
    
    domain     Set the name of the VTP administrative domain.
    file       Configure IFS filesystem file where VTP configuration is stored.
    interface  Configure interface as the preferred source for the VTP IP updater
               address. 
    mode       Configure VTP device mode
    password   Set the password for the VTP administrative domain
    pruning    Set the administrative domain to permit pruning
    version    Set the administrative domain to VTP version
  3. Issue these commands in order to monitor VTP operation and status:
    Router#show vtp status
    
    Router#show vtp counters

Catalyst 2900XL, 3500XL, 2950, and 3550

Complete these steps:

  1. Issue these commands from the VLAN database mode:

    Note: This is similar to the method for Cisco 6500 series switches that run Cisco IOS Software.

    vtp [client | server | transparent]
    vtp domain name
    
  2. From enable mode, issue these commands in order to monitor VTP operation:
    show vtp counters
    show vtp status

REFERENCE: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_configuration_example09186a0080890607.shtml

Posted in CATALYST, Routing & Switching Lab
