1431 Views | 10 Helpful | 4 Replies

Is VTP protocol good practice in critical environments?

rafaelsalvinos
Level 1

Hello,

In the company where I work we use VTP, with the VTP Server being the CORE switch of the network. The VTP Clients are the 30 top-of-rack switches in the datacenter and also the 100 departmental access switches.
To add security to the VTP protocol, we set the domain and password on the switches that run the protocol.

I have always heard some colleagues comment that it is not good practice to use the VTP protocol in highly critical environments. But they never made the reason very clear.

Since I have domain and password parameters configured to use VTP, I cannot see the vulnerability that this equipment can generate on the network.

We are in the process of replacing the CORE switch and I am evaluating whether we will keep the VTP or eliminate this protocol by transforming the access switches into VTP Transparent.

I have never had any problems with VTP running in the environment, and I see that removing such a protocol from the environment would involve a lot of manual work creating VLANs on several switches.


Could you share your opinion on whether or not it is good practice to use the VTP protocol in a highly critical environment?

Thanks,

Rafael Santos

4 Replies

balaji.bandi
Hall of Fame

Personally, there are pros and cons to every technology; what we need to take from it are the pros that are beneficial.

VTP is good up to a point, with the security you have mentioned, but when things go wrong it affects all the devices in the VTP domain, which is hard sometimes: you may have downtime and have to run around to fix the issue.

I agree that in the old days there was no other mechanism available, so we opted for VTP to minimize the admin tasks.

Now we are in the era of automation: auto-provisioning / dot1x / SGT and so on, so you will not need as many VLANs as you think in the future, since security is tightened with identity management moving forward.

I may say sorry to disappoint you; I just want to give you the right direction on what I know about where the networking world is heading.

Make sense? If not, I am happy to listen to other comments.

BB

Hello balaji.bandi,

Your comment is very valid.

The comparison of pros and cons is something that certainly must be taken into account in the decision.

Thanks for adding the variables that will help me with the decision.

Ruben Cocheno
Spotlight

@rafaelsalvinos 

I've used VTP a lot in the past, and it was good stuff to help me out in deploying large campuses and maintaining them. However, I'm not a big fan of it when it comes to datacenter environments, where uptime has to be 100% or real close. I had a case once where a customer wanted to use VTP in their datacenter, and the only thing I suggested was to have multiple VTP domains, so a failure would have minimal impact across the whole datacenter.

Mistakes happen, but the real question is how fast can you recover from a failure on the VTP across your environment? With that question in mind, make your own decision. 

Tag me to follow up.

Ruben,

Great point.
The suggestion to create more than one VTP domain is very interesting. That way, in case of a VTP failure, the problem would be contained to one segment.
From the answers so far, I see that there is no definition of right or wrong regarding the use of the VTP protocol, but what will be decisive is weighing the benefits of the protocol against my ability to recover the environment in the event of a failure.
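The thread keeps coming back to two things: how far a VTP mistake propagates (everything in the domain, per balaji.bandi) and how to bound it (several smaller domains, per Ruben). A practical way to check where you stand before the core-switch replacement is to collect `show vtp status` from every switch and audit the fleet for the conditions that turn a mistake into a domain-wide VLAN-database overwrite. The script below is an added example for this thread, not code from any of the posters or from Cisco; the hostnames, domain names and revision numbers are constructed, and it assumes only the standard `VTP Domain Name`, `VTP Operating Mode` and `Configuration Revision` lines of the IOS output.

```python
"""Audit VTP state across a fleet from collected `show vtp status` output.

Added example for this thread (not code from the original posts or from Cisco).
It groups switches by VTP domain, which is the blast radius of a VLAN-database
change, and flags the conditions that make a domain-wide outage likely:
  * a Client whose Configuration Revision is ahead of the domain's Server:
    on the next trunk advertisement the higher revision overwrites the lower,
  * more than one Server in a domain (two sources of truth),
  * Server/Client mode with an empty domain name: such a switch adopts the
    first domain it hears on a trunk.
Transparent switches are listed but excluded from domain risk: they only
forward advertisements and keep their own VLAN database.
"""
import re
from collections import defaultdict

# Constructed sample output; hostnames, domains and revisions are made up.
SAMPLE = {
    "CORE-1": ("VTP Version capable             : 1 to 3\n"
               "VTP Domain Name                 : DC-A\n"
               "VTP Operating Mode              : Server\n"
               "Configuration Revision          : 57\n"),
    "TOR-01": ("VTP Domain Name                 : DC-A\n"
               "VTP Operating Mode              : Client\n"
               "Configuration Revision          : 57\n"),
    "TOR-02": ("VTP Domain Name                 : DC-A\n"
               "VTP Operating Mode              : Client\n"
               "Configuration Revision          : 61\n"),   # ahead of CORE-1
    "MGMT-1": ("VTP Domain Name                 : DC-A\n"
               "VTP Operating Mode              : Transparent\n"
               "Configuration Revision          : 0\n"),
    "ACC-10": ("VTP Domain Name                 : CAMPUS\n"
               "VTP Operating Mode              : Server\n"
               "Configuration Revision          : 12\n"),
    "ACC-11": ("VTP Domain Name                 : CAMPUS\n"
               "VTP Operating Mode              : Server\n"
               "Configuration Revision          : 12\n"),   # second server
    "ACC-12": ("VTP Domain Name                 : CAMPUS\n"
               "VTP Operating Mode              : Client\n"
               "Configuration Revision          : 12\n"),
    "LAB-1":  ("VTP Domain Name                 : \n"
               "VTP Operating Mode              : Client\n"
               "Configuration Revision          : 0\n"),    # null domain
}

# Only horizontal whitespace around the colon, so an empty value never swallows
# the next line.
_FIELD = re.compile(
    r"^(VTP Domain Name|VTP Operating Mode|Configuration Revision)[ \t]*:[ \t]*(.*?)[ \t]*$",
    re.MULTILINE)


def parse_vtp_status(text):
    """Pull domain, mode and revision out of one switch's `show vtp status`."""
    st = {"domain": "", "mode": "unknown", "revision": 0}
    for key, value in _FIELD.findall(text):
        if key == "VTP Domain Name":
            st["domain"] = value
        elif key == "VTP Operating Mode":
            st["mode"] = value.lower()
        else:
            st["revision"] = int(value) if value.isdigit() else 0
    return st


def audit(statuses):
    """Return domain membership, transparent switches and (code, subject, detail) findings."""
    parsed = {name: parse_vtp_status(text) for name, text in statuses.items()}
    domains, transparent, findings = defaultdict(list), [], []
    for name, st in sorted(parsed.items()):
        if st["mode"] == "transparent":
            transparent.append(name)
        elif not st["domain"]:
            findings.append(("no-domain", name,
                             f"{st['mode']} mode with empty domain; adopts the first domain advertised on a trunk"))
        else:
            domains[st["domain"]].append(name)
    for domain, members in sorted(domains.items()):
        servers = [n for n in members if parsed[n]["mode"] == "server"]
        if len(servers) > 1:
            findings.append(("multiple-servers", domain, "servers: " + ", ".join(servers)))
        if not servers:
            findings.append(("no-server", domain, "no Server in domain; nothing here can originate a VLAN change"))
            continue
        server_rev = max(parsed[n]["revision"] for n in servers)
        for n in members:
            if parsed[n]["mode"] == "client" and parsed[n]["revision"] > server_rev:
                findings.append(("client-revision-ahead", n,
                                 f"revision {parsed[n]['revision']} > server revision {server_rev} in {domain}; "
                                 "its VLAN database would overwrite the domain's on the next advertisement"))
    return {"domains": dict(domains), "transparent": transparent, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE)
    for domain, members in result["domains"].items():
        print(f"domain {domain}: {', '.join(members)}")
    print("transparent:", ", ".join(result["transparent"]))
    for code, subject, detail in result["findings"]:
        print(f"[{code}] {subject}: {detail}")
```

On the constructed sample this reports TOR-02 as a client whose revision is ahead of CORE-1 (the classic cause of a domain-wide VLAN wipe when a switch from another environment is trunked in), two servers in CAMPUS, and LAB-1 sitting in a null domain. Run against real output, the domain grouping also shows directly how many switches share each blast radius, which is the number Ruben's multiple-domain suggestion is meant to shrink.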