vtp server / vtp client revision numbers

w.speckle
Level 1

Is there a good way to protect the VLAN definition on VTP servers?

I want to ensure that VTP clients with higher revision numbers cannot overwrite the information on the VTP server.

E.g. set the definition file to read-only, etc.?

Thanks, Wolfgang


8 Replies

rsissons
Level 5

Unfortunately not. The best way is simply to have only the one VTP server in a network and ensure all the other switches are VTP clients.

I don't agree.

There is no way to prevent the VTP database from being overridden the moment you connect a switch with a higher revision number to the VTP domain.

You just have to be careful. The best practice is to clear the revision number by changing the VTP domain name on the new switch to "something-else" and back to "your-VTP-domain" before connecting the new switch to your network.

BUT there is NO DIFFERENCE between VTP server and client from this point of view. If you have a network with one VTP server and all other switches as VTP clients, and you connect a new VTP client with a higher revision number, the VTP database on the VTP server WILL be changed!

So my recommendation is to have at least two VTP servers (one as a backup in case of hardware failure) and, once again, to be careful when connecting a new switch.

Regards,

Milan

gurkang
Level 1

Hi,

VTP clients can't write to the VTP server database. Only other VTP servers can write to another VTP server's database, if their revision number is higher.

regards,

Gurkan

Hi,

A VTP client CAN overwrite the VTP server database.

I've just tested it in my lab with two 3548s running IOS 12.0(5)WC5a.

I've configured a VTP server on one switch and created some VLANs. The final VTP revision number was 2.

I've done the same on the second switch, created VLANs with different numbers; the final VTP revision number was 8.

I changed the second switch to VTP client. The VTP revision number remained 8.

Finally I connected these two switches via a trunk. (I simulated connecting a new switch - a VTP client with a higher revision number - to the network.)

After approximately five minutes the VTP revision number on the server changed to 8 and the VLAN database changed - VLANs which had not been defined on the client were removed and the VLANs defined only on the client were added.

So a VTP client definitely can overwrite the VTP server database.

The most dangerous thing is the fact that even switching the power off doesn't clear the revision number and VLAN database on the Cat3548 client.

It is necessary either to clear the revision number via the steps I described in my previous message, or to delete the VLAN.DAT file from the client's flash and reboot the client switch, to be able to connect it to the production network safely.

Regards,

Milan


I typically use VTP password as part of the VTP domain configuration.

If a device is plugged in and is not configured with the VTP password configured on the domain, it cannot corrupt the database.

What I'm trying to explain is the fact that it's necessary to be careful when connecting a new switch to a VTP domain.

Of course, if you use an incorrect password the VTP client can't change the database. It can't communicate with the other switches in the VTP domain at all.

But when you connect a client switch to the VTP domain (i.e. with the correct VTP domain name) and the new client accidentally has a higher revision number (a remnant of previous lab testing, e.g. if you are lazy and use the same VTP domain in your production network and your lab), it can rewrite your domain's VTP database the moment you configure the correct VTP password on it.

The reasonable practice is to use different VTP domains in the lab and the production network, and to use VTP passwords, too. And for sure, double-check the VTP revision number before connecting a new switch to the network.

Some people recommend not using VTP at all (i.e. configuring all switches as transparent (or off in the latest CatOS)) and configuring VLANs manually on each switch.

Regards,

Milan
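The procedure Milan describes across his replies (check the revision number, reset it by renaming the domain or deleting vlan.dat, set the password only after the reset) as one IOS CLI sequence. This is an added illustration, not a command listing from any of the posters; it assumes the modern global-configuration `vtp` syntax (on the 12.0(5)WC images mentioned above the same settings are entered under `vlan database` instead), and the domain names `PROD-DOMAIN` and `SCRATCH-RESET` are placeholders.

```cisco
! Run on the NEW switch while it is still isolated from the production network.
! Goal: make sure its Configuration Revision is 0 before any trunk comes up.

! 1. Inspect the current state. Look at the "Configuration Revision" and
!    "VTP Domain Name" lines; a non-zero revision is the thing to fix.
show vtp status

! 2a. Reset the revision by renaming the domain and renaming it back
!     (changing the domain name resets the revision counter to 0).
configure terminal
 vtp mode client
 vtp domain SCRATCH-RESET
 vtp domain PROD-DOMAIN
 end

! 2b. Alternative reset: remove the stored VLAN database and reload.
!     The database survives a power cycle, so a plain reboot is not enough.
delete flash:vlan.dat
reload

! 3. Verify the reset took effect: Configuration Revision must now read 0
!    and the domain name must be the production domain.
show vtp status

! 4. Only now set the domain password. Until this matches, the switch cannot
!    exchange VTP advertisements with the domain at all.
configure terminal
 vtp password PROD-VTP-PASSWORD
 end
show vtp password

! 5. Connect the trunk. If the switch should never influence the domain,
!    use transparent mode instead of client mode (per the last paragraph above):
!    configure terminal / vtp mode transparent / end
```

The ordering matters: a client with the correct domain name and password participates fully in revision comparison, so the password is the last thing configured, after step 3 has confirmed the revision is 0.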

Milan is correct. If you connect a client (it does not have to be a server) and it has a higher revision number, it will change the VLAN database. We got bit once on this a long time ago.
