Deleting the VTP Configuration From a Cisco Switch

WARNING:  If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!!

I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TAC.  The basic problem was that I couldn’t get the routers to route traffic in this kind of environment:

I wasn’t using the firewall feature; just routing.  (The firewalls in the diagram were ASAs).

Well, the Cisco engineer couldn’t figure out what was wrong, so I pulled a couple of routers out of the network and set up a small lab so the engineer could remote in and play with it.  The lab environment looked like this:

The networks were all connected with a Cisco 2950 24-port switch using VLANs and a Cisco 2601 configured as a router-on-a-stick.

I know… really old hardware, but it was just lying around collecting dust and it can do what I needed, so why not?

When I attempted to blank out the config, I couldn’t get rid of the VLANs… which reminded me how frustrating VTP can be.

For example, years ago, I borrowed one of these 2950s from the datacenter where I have a few cabinets.  Before I returned it, I wiped the config.  Six months later, I got a call from their head engineer informing me that I had taken down the entire datacenter.

VTP configuration information is stored in the VLAN database, which is NOT deleted when one clears the config (erasing the startup config leaves vlan.dat in flash untouched).  I had actually used VTP in my network, but they didn’t, and the VTP operating mode of all of their switches was still the default – “server”.  So, when they put that switch back into production, my VTP config was pushed out across their network and every single VLAN database on every single switch was overwritten with my VLAN config.

This is one of the reasons why everyone should know how to clear the VTP config out of the VLAN database.  A switch in server or client mode will replace its VLAN database with whatever a neighbor advertises as long as the VTP domain matches and the advertised configuration revision number is higher than its own, so a borrowed switch that still carries a high revision number is a loaded gun.

The VLAN database is stored as a file in the flash memory.  To see it, go into privileged mode and issue a directory command for flash:

The VLAN database is stored in the file “vlan.dat”.

Since Cisco represents the state-of-the-art for networking equipment, one could assume the VTP configuration could be reset by issuing a command such as “clear config vtp”.  Of course, one would assume incorrectly.

You actually have to delete the file (and, if you want the switch truly blank, erase the startup config as well):


Once you’ve done that, reload the switch and you’ll find the VTP (and VLAN) configuration has been removed.  The switch comes back in VTP server mode with no domain name, a configuration revision of 0, and only the default VLANs (1 and 1002–1005).
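The whole sequence, as an added example session that is not a screenshot from the original post.  Output is abbreviated from what a Catalyst 2950 running IOS 12.1 prints, the hostname “Switch”, the domain name “MYLAB” and the revision number are placeholders, and the final transparent-mode step is the preventive measure you would take before lending a switch to anyone else:

```text
! Before touching anything: what would this switch push into someone else's
! network?  Server mode plus a non-zero revision is the dangerous combination.
Switch#show vtp status
VTP Version                     : 2
Configuration Revision          : 17
VTP Operating Mode              : Server
VTP Domain Name                 : MYLAB
! (remaining lines omitted)

! The VLAN database lives in flash as vlan.dat, not in startup-config.
Switch#dir flash:
Directory of flash:/
! (other files omitted; size and date vary)
    6  -rwx         856   <date>  vlan.dat

! There is no "clear config vtp"; delete the file itself.  IOS asks twice.
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]

! Optional, for a fully blank switch.
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete

Switch#reload
Proceed with reload? [confirm]

! After the reboot: revision 0, empty domain, only VLANs 1 and 1002-1005.
Switch#show vtp status
Configuration Revision          : 0
VTP Operating Mode              : Server
VTP Domain Name                 :
Switch#show vlan brief

! If the switch is going into a network you do not control, also take it out of
! VTP entirely.  Transparent mode neither applies incoming advertisements nor
! originates its own, and changing the mode resets the revision to 0.
Switch#configure terminal
Switch(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Switch(config)#end
Switch#write memory
```

Check “show vtp status” both before you wipe the switch and after it reboots; the revision number dropping to 0 is the evidence that vlan.dat is really gone.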

Hope this helps!

Installing and Configuring an SSL Certificate on Cisco 3000 Series VPN Concentrator

Some of the equipment on our network is a bit dated as we have some customers who still rely on those services for their day-to-day operations.  One of the oldest pieces of equipment we have is a Cisco 3030 VPN Concentrator.

Generally speaking, installing an SSL certificate is a pretty straightforward procedure.  Unfortunately, this is a bit of a challenge on the Cisco VPN Concentrator due to its age and lack of support for more current certificate file formats.  When following the normal enrollment procedure within the concentrator’s UI, one receives the following error:

So, in order to keep the concentrator’s SSL certificate current, a workaround has to be performed.  To do this, you’ll need access to a computer with Internet Information Services (IIS) and OpenSSL.

The certificate itself is going to be created and installed on a Windows server via IIS, using the VPN concentrator’s information (its hostname as the subject) so that the CSR and private key are generated there and the CA-signed certificate is completed in IIS.

Next, export the certificate together with its private key, ensuring you’ve recorded the password assigned to the exported file.  At this point, you have a .pfx file in PKCS#12 format, which the VPN concentrator does not accept.  Its cut-and-paste import expects PEM text with the private key in PKCS#8 form followed by the certificate (PKCS#8 is a private key format, not a certificate format; the certificate itself is just the usual PEM-encoded X.509 block).

To convert from one format to the other, we’ll use OpenSSL.  What’s interesting here is that you can’t just convert from PKCS#12 to PKCS#8.  Instead, you have to convert from PKCS#12 to PEM and then from PEM to PKCS#8.

NOTE: Make sure you launch the command prompt as Administrator or you might get “unable to write ‘random state'” errors.

So, converting the file to PEM:

openssl pkcs12 -in D:\Temp\ExportCert.pfx -out D:\Temp\ExportCert.pem

pkcs12 is the OpenSSL command that indicates we’re working with a PKCS#12 format file
-in is the parameter that indicates the next input is the name of the file to be reformatted
D:\Temp\ExportCert.pfx is the path and filename of the file to be reformatted
-out is the parameter that indicates the next input is the name of the reformatted file
D:\Temp\ExportCert.pem is the path and filename of the reformatted file

OpenSSL first prompts for the import password of the exported .pfx file.  Once that is supplied and verified, it prompts for a pass phrase to protect the private key in the reformatted file.  I just used the same password I had used before to keep things simple.

Now, we’re going to convert from PEM to PKCS#8.  The command is almost identical to the one used for converting from PKCS#12 to PEM:

openssl pkcs8 -topk8 -in D:\Temp\ExportCert.pem -out D:\Temp\ExportCert.pk8

The only differences are the use of “pkcs8” rather than “pkcs12” as the OpenSSL command and the -topk8 switch, which tells OpenSSL that the incoming private key is to be converted to PKCS#8 format (without it, pkcs8 expects PKCS#8 as input).  OpenSSL prompts for the pass phrase on the .pem file and then for a new pass phrase for the .pk8 file.  One caveat: OpenSSL 1.1.0 and later encrypt PKCS#8 keys with PBES2 and AES-256 by default, which a device of this age may not be able to parse.  If the concentrator rejects the key, add -v1 PBE-SHA1-3DES to the pkcs8 command to get the older encryption scheme that OpenSSL 1.0 used by default.

If you look at the contents of the .pk8 file, you’ll see the encrypted key between PEM header and footer lines, something like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
<A whole lot of random-looking characters>
-----END ENCRYPTED PRIVATE KEY-----

Create a new text document in your favorite text editor and copy and paste the contents of the .pk8 file into it.

Once you’ve done that, open the .pem file you created when converting from .pfx and find the section that holds the certificate you were issued by the CA.  If the .pfx was exported with its chain, there will be more than one such section; the one you want is the one whose “subject=” line above it names the concentrator:

-----BEGIN CERTIFICATE-----
<A whole lot of random-looking characters>
-----END CERTIFICATE-----

Cut and paste this section (from the BEGIN line through the END line) into your new text document immediately following the private key contents from the .pk8 file.  It should look like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
<A whole lot of random-looking characters>
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<A whole lot of random-looking characters>
-----END CERTIFICATE-----

Save this file so you don’t lose what you’ve accomplished so far.
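The conversion steps above, from an exported .pfx to the key-plus-certificate text the concentrator’s cut-and-paste import wants, as an added script that is not from the original post.  It assumes a POSIX shell and an OpenSSL 1.1 or 3.x binary on the PATH, reads the export password from the PFX_PASS environment variable rather than from the command line (so it does not show up in process listings), and differs from the hand procedure in two ways that are my own choices: it pulls the key and the end-entity certificate out of the .pfx separately with -nocerts and -clcerts instead of copying from one combined .pem, and it pins the PKCS#8 encryption to PBE-SHA1-3DES with -v1, the scheme old OpenSSL produced by default.  It also checks that the key and certificate actually belong together before writing the bundle; the file names are hypothetical.

```shell
#!/bin/sh
# Added example (not the original post's commands): build the "PKCS#8 key, then
# certificate" text for the VPN 3000 Cut & Paste import from an IIS-exported .pfx.
# Assumes: POSIX sh, openssl 1.1 or 3.x on PATH, export password in $PFX_PASS.
set -eu

# pfx_to_concentrator_bundle <in.pfx> <out.txt>
# The same pass phrase ($PFX_PASS) is reused to protect the output key, as in the post.
pfx_to_concentrator_bundle() {
    pfx=$1
    out=$2
    work=$(mktemp -d)

    # Step 1: PKCS#12 -> PEM, split in two.  -nocerts yields only the private key
    # (still encrypted, with the pass phrase from -passout); -clcerts -nokeys yields
    # only the end-entity certificate, dropping any CA certificates in the .pfx
    # (those go in separately through "Install CA Certificate").
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -passout env:PFX_PASS \
        -nocerts -out "$work/key.pem"
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS \
        -clcerts -nokeys -out "$work/cert-with-bag-attrs.pem"

    # Step 2: PEM key -> encrypted PKCS#8.  -v1 PBE-SHA1-3DES pins the legacy PBE
    # scheme; OpenSSL 1.1+/3.x would otherwise default to PBES2 with AES-256, which
    # a device this old may not parse.
    openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES -in "$work/key.pem" \
        -passin env:PFX_PASS -passout env:PFX_PASS -out "$work/key.pk8"

    # Re-emit the certificate so only the BEGIN/END CERTIFICATE block remains
    # (pkcs12 prefixes it with "Bag Attributes", "subject=" and "issuer=" lines).
    openssl x509 -in "$work/cert-with-bag-attrs.pem" -out "$work/cert.pem"

    # Sanity check: the certificate's public key must match the private key.
    openssl pkey -in "$work/key.pk8" -passin env:PFX_PASS -pubout \
        -out "$work/pub_from_key.pem"
    openssl x509 -in "$work/cert.pem" -pubkey -noout > "$work/pub_from_cert.pem"
    if ! cmp -s "$work/pub_from_key.pem" "$work/pub_from_cert.pem"; then
        echo "private key does not match certificate" >&2
        rm -rf "$work"
        return 1
    fi

    # Step 3: key first, then certificate, exactly the order the import expects.
    cat "$work/key.pk8" "$work/cert.pem" > "$out"
    rm -rf "$work"
}

# bundle_looks_right <out.txt>: 0 if the file has an encrypted PKCS#8 key block
# followed (later in the file) by a certificate block.
bundle_looks_right() {
    key_line=$(grep -n 'BEGIN ENCRYPTED PRIVATE KEY' "$1" | cut -d: -f1)
    cert_line=$(grep -n 'BEGIN CERTIFICATE' "$1" | cut -d: -f1)
    [ -n "$key_line" ] && [ -n "$cert_line" ] && [ "$key_line" -lt "$cert_line" ]
}

# Usage:  PFX_PASS='export-password' sh pfx2vpn3000.sh ExportCert.pfx vpn3000-ssl.txt
if [ "$#" -eq 2 ]; then
    pfx_to_concentrator_bundle "$1" "$2"
    bundle_looks_right "$2" && echo "wrote $2"
fi
```

If the .pfx came from an old Windows box and OpenSSL 3.x refuses to read it, the export is probably using RC2-40 for the certificate bags; re-run the pkcs12 steps with the -legacy option (which needs the legacy provider) or re-export from a newer Windows.  The resulting text file is the one you paste into “Cut & Paste Text”, and the pass phrase in PFX_PASS is the one the import form asks for.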

The next step is to install the certificate bundle you received from the CA, which contains the Intermediate and Root CA certificates.  This can be installed straight into the concentrator via the UI.

Go to Administration > Certificate Management > Installation and choose “Install CA Certificate” and upload the file from the CA.  I’ve been able to do this without any problems.

Next, go to Administration > Certificate Management and look for the “SSL Certificates” section.  You should have three interfaces listed there:  Private, Public and External.  You’ll want to perform this operation on each of the interfaces:

1. Click on “Import”
2. Select “Cut & Paste Text”
3. Copy and paste the contents of the text file which contains the private key and certificate
4. Type in the pass phrase you set on the private key when creating the .pk8 file
5. Click on “Install”

That’s it!  Hopefully, this will save you a bunch of time and some heartache.  I know this problem has frustrated me for quite some time.

Let me know what you think!