Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1300
Views
9
Helpful
8
Replies

To VTP or not VTP is the question...

Go to solution
egak473
Level 1
Level 1

‎12-05-2025 06:06 AM - edited ‎12-05-2025 08:09 AM

Hi Folks, 

Just began working on this project and figured, heck, let's get some additional feedback in case we miss something. 

Please find attachment. 

Originally, this project was presented as your standard switch refresh. After some data collection and investigation we noticed this network had VTP enabled. Well, as you can see in the attachment, most of the switches are configured as 'server', with a few configured as 'transparent' and one lone wolf as 'client'.

The ask: upon this discovery, what we'd like to do is not only refresh their switches but optimize their network config for all of their switches. We typically do not recommend VTP as we've seen hairy situations when one plugs the wrong switch into the network and everything goes dark. Are there any recommendations based on the information provided? 

VTP version is currently 1

Labels:
Preview file
46 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎12-05-2025 11:11 AM

Personally, back in the day when L2 domains flowed all over (today with L3 switches, ideally, a set of VLANs should only be known to an individual edge L3 switch, or to one edge L2 switch and its upstream L3 distro/core switch), I loved VTP for keeping VLANs and VLAN names consistent across a VTP domain.  Yes, if you're lacking knowledge how to use VTP, or were careless in its usage, it could burn down your network (which I've seen happen [wasn't me, that time, though]).

I agree with both @Dustin Anderson and @Jens Albrecht , what you've posted doesn't provide much confidence in how VTP was previously being used.

If you're doing a switch refresh, perhaps you should also consider a network topology architecture refresh too.

If not, if you continue to use VTP, you might consider moving to VTPv3, as it's designed to avoid most, if not all, the common ways to "accidentally" cause network issues using VTP.  It's a major change, though.

If you want to stay with VTP v1 or v2 (few differences between them), undertake to use it correctly (like whatever was done to have VTP devices with different revision numbers!) and "better" (like avoiding using a null VTP domain name and using a VTP password [password, not so much for "security" but to possible insure you've taken the time to configure VTP to join the VTP domain you really intend]).

Regarding VTP pruning, if I remember correctly, if you have something like SW1(VLANs 1,2,3 ports used)<trunk>SW2(VLANs 1,3 ports used), VLAN 2 will be pruned off trunk (although not immediately, VTP has to figure it out).  However, again if I remember correctly,  if you have something like SW1(VLANs 1,2,3 ports used)<trunk>SW2(VLANs 1,3 ports used)<trunk>SW3(VLANs 1,2,3 ports used), VLAN 2 will still be pruned because the transit switch doesn't assign a port to it.

Within VTP v1 and v2, the only real difference between "client" and "server" modes, the latter allows manual VLAN configuration changes.  I.e. an off-net "client", dropped into the VTP domain, with a higher revision number, will change the whole VTP topology to match it!

If you have more than one active VTP server (again, v1 or v2), and changes are being made on both, concurrently, you have a "race" condition concerning how other VTP nodes are updated.  I.e. the switches, showing the same revision number, may disagree, and/or one of the server's updates might be completely erased by the other server.

Basically, when you get into how VTP v1 or v2 functions, without using it properly, it's quite easy to mess up your L2 network.  (This is why VTP has such a bad rapt.  It's not so much it doesn't work as it should but it's very easy [again versions 1 or 2] to cause problems by how you use it.)

BTW, in your PDF, you list most switches as "2960/3750".  Generally a 2960 is considered a L2 switch (some models support very limited routing) while the 3750 is a L3 switch (although what L3 protocols it supported, vary much on the IOS feature being used).  The 3750 series is also stackable, and some models of the 2960 series are too.   I mention this, because even with those very old switches, possibly there was no need to have many L2 switches to VLAN manage, which is what VTP was designed to assist with.  I.e. reduce the demand for managing VLANs across lots of L2 switches, and the demand for VTP is diminished.

Lastly, if you don't use VTP, on later implementations, set the mode to "off" rather than "transparent".

View solution in original post

8 Replies 8

Go to solution
Dustin Anderson
VIP
VIP

‎12-05-2025 06:30 AM

So, on us we had issues with VTP pruning vlans that were in use on the switch. We have ~150 switchstacks of over 500 switches in total and have gone to manual trunking. 

Looking at the mess you walked into says to me whoever was working on it didn't know VTP and set switches as server so they could configure vlans. I really can't see another reason for everything being set as a server. Now, if you want to keep VTP, I would probably make the core your server and maybe set a second as backup, rest as clients. If you want to do VTP and have low enough vlans, you could do "no vtp pruning" , but this will put every vlan everywhere even if not called.

Go to solution
Jens Albrecht
VIP
VIP

‎12-05-2025 07:03 AM

Hello @egak473,

based on your data most of the switches do not have a domain name at all and your domain #1 shows 4 different values regarding the configuration revision which should not happen if things are set up properly.

My recommendation regarding VTP is very simple: Just don't use it!

Looking at the current state of your network, getting rid of VTP shouldn't be a big issue, improves security and makes the behaviour of the network more reliable and predictable.

HTH!

Go to solution
David Ruess
VIP
VIP

‎12-05-2025 10:52 AM - edited ‎12-05-2025 10:52 AM

Hello,

A lot of people are against VTP due to its destructive nature that can happen as you have mentioned. As with every technology its always an it depends answer. You need to evaluate your environment and decide what works best for you. I have been a part of many organizations all using VTP with absolutely no issues, so it is possible. That being said VTPv3 has come a long way to allow for authentication and a primary and backup servers. This helps prevent VTP being as destructive as it once was and erroneous switches are less of a problem (for VTP anyway - if someone is plugging unauthorized switches in your network I would address that problem quickly).

As far as addressing if you need VTP ask yourself some questions:

Do I have a big L2 domain where VTP would be useful or do I have a couple of switches here and there where manually adding them isn't really a burden?

Do I want to get rid of VLANS and bring L3 to the access level like with SDA? (even if its eventually since you're talking about optimization).

Do I want to use automation and is the staff currently equipped to deploy it? As I have mentioned I have worked for several organizations and automation was pretty much out of the question due to employee limitations or training inadequacies. No one knew how to accomplish it or wasn't knowledgeable enough to move that direction.

I don't think I will EVERR be a "don't ever use this technology" person, rather every technology has its place, but you also don't have to use every technology.

 

-David

 

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame

‎12-05-2025 11:11 AM

Personally, back in the day when L2 domains flowed all over (today with L3 switches, ideally, a set of VLANs should only be known to an individual edge L3 switch, or to one edge L2 switch and its upstream L3 distro/core switch), I loved VTP for keeping VLANs and VLAN names consistent across a VTP domain.  Yes, if you're lacking knowledge how to use VTP, or were careless in its usage, it could burn down your network (which I've seen happen [wasn't me, that time, though]).

I agree with both @Dustin Anderson and @Jens Albrecht , what you've posted doesn't provide much confidence in how VTP was previously being used.

If you're doing a switch refresh, perhaps you should also consider a network topology architecture refresh too.

If not, if you continue to use VTP, you might consider moving to VTPv3, as it's designed to avoid most, if not all, the common ways to "accidentally" cause network issues using VTP.  It's a major change, though.

If you want to stay with VTP v1 or v2 (few differences between them), undertake to use it correctly (like whatever was done to have VTP devices with different revision numbers!) and "better" (like avoiding using a null VTP domain name and using a VTP password [password, not so much for "security" but to possible insure you've taken the time to configure VTP to join the VTP domain you really intend]).

Regarding VTP pruning, if I remember correctly, if you have something like SW1(VLANs 1,2,3 ports used)<trunk>SW2(VLANs 1,3 ports used), VLAN 2 will be pruned off trunk (although not immediately, VTP has to figure it out).  However, again if I remember correctly,  if you have something like SW1(VLANs 1,2,3 ports used)<trunk>SW2(VLANs 1,3 ports used)<trunk>SW3(VLANs 1,2,3 ports used), VLAN 2 will still be pruned because the transit switch doesn't assign a port to it.

Within VTP v1 and v2, the only real difference between "client" and "server" modes, the latter allows manual VLAN configuration changes.  I.e. an off-net "client", dropped into the VTP domain, with a higher revision number, will change the whole VTP topology to match it!

If you have more than one active VTP server (again, v1 or v2), and changes are being made on both, concurrently, you have a "race" condition concerning how other VTP nodes are updated.  I.e. the switches, showing the same revision number, may disagree, and/or one of the server's updates might be completely erased by the other server.

Basically, when you get into how VTP v1 or v2 functions, without using it properly, it's quite easy to mess up your L2 network.  (This is why VTP has such a bad rapt.  It's not so much it doesn't work as it should but it's very easy [again versions 1 or 2] to cause problems by how you use it.)

BTW, in your PDF, you list most switches as "2960/3750".  Generally a 2960 is considered a L2 switch (some models support very limited routing) while the 3750 is a L3 switch (although what L3 protocols it supported, vary much on the IOS feature being used).  The 3750 series is also stackable, and some models of the 2960 series are too.   I mention this, because even with those very old switches, possibly there was no need to have many L2 switches to VLAN manage, which is what VTP was designed to assist with.  I.e. reduce the demand for managing VLANs across lots of L2 switches, and the demand for VTP is diminished.

Lastly, if you don't use VTP, on later implementations, set the mode to "off" rather than "transparent".

Go to solution
egak473
Level 1
Level 1

‎12-07-2025 05:46 AM

Thank you all for the your input!

Update: we talked with the customer regarding their current network setup and the implications of VTP. It appears over the years as their organization grew, they'd copy and paste the config from a production switch (configured as VTP server) and deploy a new switch in the new location not really knowing what they were doing. With IT personnel churn and knowledge limitations, a ticking timebomb was created. 

They are open to talk about remediation. We're creating a change order or proposal to clean up their network topology architecture. 

Go to solution
Scott Leport
Level 7
Level 7

‎12-16-2025 06:39 AM

Hi, 

Late to the party so no doubt the decision has been made and you've got all the best advice you can.

IMO, if you're using any version of VTP, use version 3. Otherwise, don't use it or participate in it. 

Unless you're having to add or remove VLANs in bulk on a daily basis (including adding and removing VLANs on active trunks between switch uplinks), there is no benefit to using VTP. 

Go to solution
egak473
Level 1
Level 1
In response to Scott Leport

‎12-16-2025 08:55 AM

@Scott Leport Agreed. The customer asked us how many times have we come across issues like this? We said not many. This is a bit of doozy 🙂 

0 Helpful

Go to solution
paul driver
VIP
VIP

‎01-02-2026 02:46 AM - edited ‎01-02-2026 10:55 AM

Hello
By the looks of that output file looks like vtp isn’t working for the majority of your network anyway - 
As if it was all the revision numbers for all switches in each of their respective vtp domains would be the same as the active running elected vtp server
Going forward if you are to refresh the lan network you need to decide on if you either require vtp - note its cisco proprietary so if you envisage you may in the future have other vendors switches running in your network the vtp will not be even applicable to them
TBH - ask yourself if you even require vtp - 
if it just to update all the switches dynamically as/when you add-remove L2 vlans then i would don’t use it
Pruning of TRKs - its suggested to be done manually and this is even negated if you chose MST as a spanning tree and if you decide to use a L3 access design neither will be required !


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents