09-09-2020 10:45 AM
Hello,
In the company where I work we use VTP, with the VTP server being the CORE switch of the network. The VTP clients are the 30 top-of-rack switches in the datacenter and also the 100 departmental access switches.
To add security to the VTP protocol, we set the domain and password on the switches that run the protocol.
I have always heard some colleagues comment that it is not a good practice to use the VTP protocol in highly critical environments. But they never made the reason very clear.
Since I have domain and password parameters configured to use VTP, I cannot see the vulnerability that this equipment can generate on the network.
We are in the process of replacing the CORE switch and I am evaluating whether we will keep VTP or eliminate this protocol by changing the access switches to VTP transparent mode.
I never had any problems with VTP running in the environment, and I see that removing such a protocol from the environment would involve a lot of manual work creating VLANs on several switches.
Could you bring your opinion by informing me if it is a good practice or not to use the VTP protocol in a highly critical environment?
Thankful,
Rafael Santos
09-09-2020 11:55 AM - edited 09-09-2020 11:56 AM
Personally, there are pros and cons to every technology; what we need to take from it are the pros that are beneficial.
VTP is good to some level with the security you have mentioned, but when things go wrong, it affects all the devices in the VTP domain, which is hard sometimes; you may have downtime and run around to fix the issue.
I agree that in the old days there was no other mechanism available, so we opted for VTP to minimize the admin task.
Now we are in the era of automation, auto-provisioning / dot1x / SGT and so on, so you do not need as many VLANs as you think in the future, since security is tightened with identity management moving forward.
I may say sorry to disappoint you; I just want to give you the right direction of what I know on how the networking world is heading to.
Does that make sense? If not, happy to listen to other comments.
09-09-2020 12:23 PM
Hello balaji.bandi,
Your comment is very valid.
The comparison of pros and cons is something that certainly must be taken into account in the decision.
Thanks for inserting the variables that will help me in the decision.
09-09-2020 02:27 PM
I've used VTP a lot in the past, and it was good stuff to help me out in deploying large campuses and maintaining them. However, I'm not a big fan of it when it comes to datacenter environments, where uptime has to be 100% or real close. I had a case once where a customer wanted to use VTP in their datacenter, and the only thing I suggested was to have multiple VTP domains, so a failure would have minimal impact on the whole datacenter.
Mistakes happen, but the real question is how fast can you recover from a failure on the VTP across your environment? With that question in mind, make your own decision.
09-09-2020 03:25 PM
Ruben,
Great point.
The suggestion of creating more than one VTP domain is very interesting. Thus, in case of a VTP failure, the problem would be segmented.
From the answers so far, I see that there is no definition of right or wrong regarding the use of the VTP protocol, but what will be decisive is the benefits of the protocol versus my ability to recover the environment in the event of a failure.
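As an added example (not from any of the posters above), a small audit over `show vtp status` output collected from the switches in the scenario described in this thread. It checks the two conditions behind the "when things go wrong, it affects all devices in the VTP domain" point: a non-transparent switch whose configuration revision is higher than the server's (with a matching domain and password it would overwrite the whole domain's VLAN database), and a switch that is in the wrong domain. The switch names and their outputs are constructed; the field names follow the Cisco IOS `show vtp status` format.

```python
import re

def status(rev, mode, domain):
    """Build a trimmed, constructed 'show vtp status' output (Cisco IOS v2 field names)."""
    return ("VTP Version                     : running VTP2\n"
            f"Configuration Revision          : {rev}\n"
            f"VTP Operating Mode              : {mode}\n"
            f"VTP Domain Name                 : {domain}\n")

# Constructed sample: the core server, two top-of-rack clients (one of them a reused
# switch that joined with a stale but higher revision), one transparent access switch,
# and one access switch left in a lab domain.
SAMPLE_OUTPUT = {
    "core-sw":      status(42, "Server", "DC-DOMAIN"),
    "tor-sw-07":    status(42, "Client", "DC-DOMAIN"),
    "tor-sw-08":    status(97, "Client", "DC-DOMAIN"),
    "access-sw-12": status(0, "Transparent", "DC-DOMAIN"),
    "access-sw-13": status(5, "Client", "LAB"),
}

FIELD = re.compile(
    r"^(Configuration Revision|VTP Operating Mode|VTP Domain Name)\s*:\s*(.+?)\s*$", re.M)

def parse_vtp_status(text):
    """Return the revision, operating mode and domain from one switch's output."""
    fields = dict(FIELD.findall(text))
    return {"revision": int(fields["Configuration Revision"]),
            "mode": fields["VTP Operating Mode"].lower(),
            "domain": fields["VTP Domain Name"]}

def audit_vtp(outputs, server, expected_domain):
    """Return (switch, finding) pairs for switches that could overwrite the VLAN
    database or that sit outside the intended domain. Transparent switches neither
    send nor accept VLAN updates, so their revision is ignored. The VTP password is
    not shown by 'show vtp status'; a mismatched password also blocks an update."""
    parsed = {name: parse_vtp_status(text) for name, text in outputs.items()}
    server_rev = parsed[server]["revision"]
    findings = []
    for name, st in parsed.items():
        if st["domain"] != expected_domain:
            findings.append((name, f"domain mismatch: {st['domain']}"))
        if st["mode"] in ("server", "client") and st["revision"] > server_rev:
            findings.append((name, f"revision {st['revision']} exceeds server revision "
                                   f"{server_rev}; would overwrite the VLAN database"))
    return findings

if __name__ == "__main__":
    for switch, finding in audit_vtp(SAMPLE_OUTPUT, "core-sw", "DC-DOMAIN"):
        print(f"{switch}: {finding}")
```

Before a replacement or reused switch is cabled into the domain, its revision can be reset to 0 by putting it in transparent mode and back, or by assigning it a different domain name, which is the usual preventive step for the overwrite case flagged above.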