The number of cases I have that are "China" but are actually VTP,
Do not use VTP
Never use VTP
especially in your legacy industrial environments
somebody is gonna plug a switch in
send toot
45 comments
@risottobias @Xavier nobody did either, somebody in a factory always ends up plugging in an old switch out of a closet

@hacks4pancakes @risottobias @Xavier lol, I was once accused of taking down the network for a major theater-wide military exercise with an ARP storm. Turns out, someone took an unmanaged consumer hub and plugged it into the exercise network. And then someone took an Ethernet cable, plugged one end into the hub, and the other end into the same hub. It took the better part of an hour to finally track it down.

@DaveMWilburn @hacks4pancakes @risottobias @Xavier lol... that sounds almost like the flag to capture/sabotage to find?

@nils_ballmann @DaveMWilburn @hacks4pancakes @risottobias @Xavier "FRONT TOWARDS NETWORK"

@hacks4pancakes @risottobias @Xavier A lesson learned early on at university and at various jobs: someone will definitely bring a wifi router configured to be a DHCP server in from home and plug it into the network to get better wifi reception on their laptop.

@hacks4pancakes @risottobias @Xavier this is why I always back up and then clear a switch, especially all VTP config, before storing it in a closet. I love my VTP too much to not use it. 🙂

@Xavier @hacks4pancakes easiest way to loop up a network in existence, short of a physical loop.

@hacks4pancakes that reminds me of the best lesson of my early IT life. I learned VTP very quickly; it took me an hour or two to restore what blew up.

@mlukaszuk This is why it is super important to have other experiences in systems and network administration going into security, because stuff like this happens and they're like "switchports are flashing, network is dead, it's China"

@hacks4pancakes I reached security after a few tech support roles. I can see that from my point of view this path is a huge benefit.

@hacks4pancakes @mlukaszuk I feel like I should stop being surprised how prevalent "it can't be our own not-so-good decisions coming to haunt us, it must be [insert state-level actor]" is.

@nightdice @hacks4pancakes @mlukaszuk That would imply that people were willing to admit their faults.

@hacks4pancakes @mlukaszuk And it's just the poor guy frantically blinking those lights in Morse code because he's locked in the boiler room and someone turned the heat up.

@hacks4pancakes @mlukaszuk there's a reason why "...sometimes someone just tripped over a power cable" is a thing I say. Frequently.

@hacks4pancakes @mlukaszuk Can confirm. I've worked on the dark side (IoT dev) before switching to the good team (audits of aforementioned stuff and others)

@hacks4pancakes "hey we are just going to connect this new control panel to the plant network for testing"

@hacks4pancakes STP was my big wake-up. Plugged a new switch into the LAN that my employer's call centre ran on so we could link up some PCs to play Quake II. All the switches dipped offline while they calculated the spanning tree and I got shouted at a lot by my boss because nobody could take an order.

@hacks4pancakes I always set the core to such a low number that you'd have to purposely want to take the network down.

@hacks4pancakes VTP is horrible. I inherited a network running it, and found a bug that would cause the switch to drop broadcast and multicast traffic on the trunk interface. Broke DHCP, routing protocols, and mDNS.

@hacks4pancakes a few of my lab mates were doing load testing on some equipment. They plugged into the corporate network to be able to reach their testbed on the admin side. Guess how they discovered the corporate network had some of the same VLAN numbers as the testbed.

@hacks4pancakes if you haven't been burnt by VTP at least once, are you even doing networking? I'm surprised it's still an issue now though.

@smallsees @hacks4pancakes they decide, we wind up being at fault. Pet peeve.

You missed all the fun! Why are all the switches' lights blinking orange and nothing works anymore? I did a write erase, where are these VLANs coming from and why are they the ones from the building the switch was removed from/the run-up room?

The "fun" I experienced was the CPU hitting 110% utilization on Windows because some moron thought that it's a good practical joke to connect two LAN ports to each other... You see, this was a university dormitory with ~1300 endpoints across three buildings, and I had to track down the room and request keys to the doors while all those users were losing their minds not having internet access.

@hacks4pancakes ARGH. Fucking VTP. A while back I ended up going through a whole bunch of switches and rage-disabling VTP. Like, no, just fucking do what I tell you, switch, stop trying to be smart.

@rmd1023 @hacks4pancakes I have that reaction to a LOT of things in recent years. If everything could just stop trying to outthink me and maintain a stable UI, I could actually do things faster if I could memorize how things work.

@rmd1023 oh no, is the VTP that @hacks4pancakes was warning us about VLAN Trunking Protocol?! 😱 (Here was I assuming "VTP" was some acronym overload for something else in operational networks that people should worry about. Not a 1990s network ghost living on 😬) https://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html

@rmd1023 @hacks4pancakes I need to better understand how to kill VTP. I somehow only had my first unfortunate run-in this week. 🤔

@hacks4pancakes Probably even worse in modern industrial environments where every other cabinet has a switch in it.

@hacks4pancakes After reading this toot, would you say you like or really like VTP? :ablobcatnodfast:

@hacks4pancakes I've found myself at a small MSP responsible for a hospital with a single network engineer who really likes VTP. Please send help.

@hacks4pancakes you mean people actually use it on purpose!? I guess it might be the sort of thing that is maybe tempting to use in an enterprise environment if you haven't understood how it works and the resulting risks. Fortunately I learned with a "service provider mindset": we acquired an SP network with some Cisco in it ~20 years ago, and when I took the Cisco Press books on holiday to learn how to run my new network, the immediate determination on VTP was: "no, never that"

@hacks4pancakes VTP does not solve any problem any non-Cisco network has, but it sure does cause problems for Cisco networks!

Fun fact. The only time @hacks4pancakes and I have collaborated even remotely professionally was because of a VTP issue. My advice was basically: VTP is quite possibly the most profound example of a technology with zero regression testing ever created.
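Two practical questions run through the thread: how to "kill VTP" on a switch, and why a `write erase` on a switch pulled out of a closet still brought the old building's VLANs back with it. The configuration below is an added example written for this page; it is not from anyone in the thread or from Cisco's documentation. It assumes a Catalyst switch running IOS; `vtp mode off` exists only on images that support VTP version 3 (older images offer `transparent` only), and the interface range, VLAN number and hostname are placeholders. It also covers the DTP and STP edge-port settings that the hub-loop and Quake II stories above would have needed, which goes slightly beyond VTP itself.

```cisco
! --- 1. Before a switch goes into storage: leave the domain, zero the
!        revision counter, and remove the VLAN database.
Switch# show vtp status
! Note "VTP Operating Mode" and "Configuration Revision". A server or client
! in the same domain (with a matching password, if one is set) whose revision
! is higher than production will replace the production VLAN database as soon
! as a trunk comes up.

Switch# configure terminal
Switch(config)# vtp mode transparent
! Switching to transparent resets the configuration revision to 0.
! Where the image supports it, "off" also stops relaying VTP advertisements:
Switch(config)# vtp mode off
Switch(config)# end

! The VLAN database lives in flash:vlan.dat, not in startup-config, which is
! why "write erase" alone leaves the old VLANs in place. Delete it explicitly.
Switch# delete flash:vlan.dat
Switch# write erase
Switch# reload

! --- 2. On production switches: make VTP a no-op and stop access ports from
!        negotiating a trunk with whatever gets plugged in. VTP is only
!        carried over trunks, and DTP will form one with a foreign switch.
Switch# configure terminal
Switch(config)# vtp mode transparent
! (or "vtp mode off" where supported)
Switch(config)# interface range GigabitEthernet1/0/1 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport nonegotiate
Switch(config-if-range)# switchport access vlan 10
! Edge ports: skip the STP listening/learning delay, and err-disable the
! port if a BPDU arrives (another switch, or a hub looped back on itself).
Switch(config-if-range)# spanning-tree portfast
Switch(config-if-range)# spanning-tree bpduguard enable
Switch(config-if-range)# exit
! Keep the intended core as root whatever else shows up (priority must be a
! multiple of 4096; a new switch defaults to 32768).
Switch(config)# spanning-tree vlan 1-4094 priority 4096
Switch(config)# end

! --- 3. Verify. Transparent (or Off) with revision 0 is the goal.
Switch# show vtp status
! VTP Operating Mode : Transparent
! Configuration Revision : 0
Switch# show interfaces trunk
! Only the uplinks you intended should be listed.
```

Two caveats when applying this to an existing estate: move the VLAN definitions into each switch's own running-config before flipping servers to transparent, because VTP will no longer distribute them; and a port that BPDU guard has err-disabled stays down until someone clears it, so pair it with `errdisable recovery cause bpduguard` if nobody is on site to do that.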
@hacks4pancakes VTP?