
Removing VTP from a Network

nick.jackson1
Level 1

I have just started a new job where the infrastructure is overly complicated for what it needs to be. Here is a brief overview:

There are currently 57 VLANs in place, although not all of them span the entire network. VTP is currently being used and the Core Switch is the VTP server with the rest being clients. The network at the head office has been subnetted so each department has its own separate VLAN, which is extreme overkill in departments where there are only 3 machines, for example.

So my question is: how hard would it be to back out of using VTP? I know the pitfall of using VTP is that if a new switch is installed without proper configuration it can erase all the VLANs and bring the entire network down. Is it possible for VTP to be removed from the infrastructure as a whole? If so, how much work is roughly involved in this process and what would the impact be to the business in doing something of that scale?

A secondary question: if it is not possible to remove VTP, is it fairly easy to back out the supernets and VLSM to go back to simplified networking and split the building into groups of floors per network? There are only roughly 250 users at Head office, so we could, for argument's sake, split into 2 class C networks instead, as certain departments are running out of IP addresses on their smaller networks at the moment. If anybody can shed some light on which would be the best solution, I would massively appreciate it.

Thanks.

6 Replies

Peter Paluch
Cisco Employee

Hi Nick,

You seem to have posted this question twice, the second thread is here:

https://supportforums.cisco.com/discussion/12600926/removing-vtp-network

You may want to delete that one to prevent the answers from being spread over the two threads needlessly.

I assume that you are running VTP version 1 or 2, and not VTP version 3 that has a better protection against inadvertent VLAN database overwrites.

Removing VTPv1/VTPv2 from a network is easy. The only caveat is the VTP Pruning - if you are using it, you must first deactivate it on any VTP Server switch using the no vtp pruning command. It should be deactivated throughout the entire VTP domain but I would suggest making sure that each switch reports the VTP pruning as being off in the show vtp status. After VTP Pruning has been successfully deactivated domain-wide, you can easily start configuring your switches as VTP Transparent switches in any order. These changes should not have any impact on network connectivity.

Best regards,
Peter

Thanks for the advice, and apologies about the double posting; I hadn't realized it had done that.

Do you know if the show vtp status command will include the version number of VTP that we are using? I'll run it in any case; I just wanted to double check.

With regard to removing the subnets, most of the network is made up of 2960s with a couple of 3750 stacks and then the core, which is a 4510. I know that the 4510 and 3750s are L3; not sure about the 2960 though, are these L3 also?

Hi Nick,

The show vtp status command will indeed display the VTP version running. Some newer IOS versions display the currently running VTP version including the list of supported VTP versions; older IOS versions will say that the VTP version is 2, but what they truly mean is that they support VTPv2, and whether version 2 is indeed activated is displayed in a different line of the output saying something similar to "V2-mode". In any case, these older switches do not even support VTPv3, so there are no worries about those.

I am not entirely sure about your question regarding "removing subnets". By removing VTP, you do not remove VLANs or subnets. But to just answer your question, Catalyst 2960 switches can be described as limited L3 switches - they can be set up to act as multilayer switches performing inter-VLAN routing but they do not support any routing protocol. There is a quick check to see if your 2960s are operating in routed mode: if the show ip route command shows you a normal routing table then they are operating in routed mode; if this command is rejected then they are operating in switched mode only.

Best regards,
Peter 

Hi Peter,

Thank you very much for such a quick reply. The VTP version showed as Version 3, as you mentioned earlier.

I will run the ip route command on the 2960s to see if a routing table shows; if not, then I will know which mode they are in, as you have pointed out.

I am comfortable with removing the VLANs side of things, just by reassigning ports to different VLANs, then shutting down the VLAN that has been removed and updating the running config. My concern was more towards the removal of a subnetted class C network back to its original form, thereby removing the multiple smaller networks created in its place. Does that make more sense in terms of what I am trying to achieve now?

Kind Regards,

Nick

Hi Nick,

Just to be on the safe side, can you post the output of the show vtp status from one of your switches?

Regarding the change of your addressing and perhaps getting back to an unsubnetted (or more coarsely subnetted) class C network, I do not see any problem with particular respect to the switch types you are using. If you are not running RIP as a routing protocol, you can subnet or supernet any way you like.

You should, however, be aware that the change you are proposing has an impact on what stations will suddenly become located in a common broadcast domain (a single VLAN) and thus a single IP network. This is basically a network redesign and its impact will need to be carefully assessed. There are no universal recommendations for this because it all depends on so many variables depending on your particular network topology, hosts, applications, services, traffic patterns etc. So - technically - yes, you can delete some of the VLANs and migrate clients from several formerly distinct VLANs into a single new VLAN. The impact of doing so, however, has more aspects than just suddenly having the stations in a single IP subnet.

Best regards,
Peter

Hi Peter,

Here is the output from the core showing the vtp status -

 


*********#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : ******
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : ccef.48f8.99c0

Feature VLAN:
--------------
VTP Operating Mode                : Primary Server
Number of existing VLANs          : 57
Number of existing extended VLANs : 0
Maximum VLANs supported locally   : 4094
Configuration Revision            : 11
Primary ID                        : ccef.48f8.99c0
Primary Description               : *********-4510
MD5 digest                        : 0x8E 0xC6 0x82 0x26 0x1D 0x3E 0x36 0x7C
                                    0x72 0xF4 0x03 0x13 0x41 0x44 0x45 0x2C


Feature MST:
--------------
VTP Operating Mode                : Transparent
 --More--

Feature UNKNOWN

VTP Operating Mode                 :Transparent

We aren't currently running RIP; checking the IP routing protocols on the core returns a message of NSF aware.

With regard to retiring the other subnets, you are right, it is a major network change. I was wondering if in this instance the better thing to do might be to create a new network and a new VLAN for that network, then create a DHCP scope for that network on the DC, and then add the VLAN for the new network to the switchports for the relevant floors, before beginning to disable the old DHCP scopes for the smaller subnetted networks and removing the VLANs associated with them. As you say, there would definitely be an outage here, so that would obviously take place out of hours.

With that in mind though, the creation of a new network would allow me to test that as such before rolling out to prod. I am also assuming that with a new network creation I would have to create new NAT rules on the ASA to allow traffic from that VLAN to pass through the firewall, both incoming and outgoing, correct?

Thanks for all your help on this so far it has been greatly appreciated.

Kind Regards,

Nick
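
The check Peter describes earlier in the thread (confirm that each switch reports VTP pruning as off in show vtp status before it is set to transparent, a caveat he gave for VTPv1/VTPv2) can be scripted against output in the format Nick posted. This is an added example, not part of the original thread: the function names parse_vtp_status and transparent_precheck are hypothetical, and the sample output is constructed with placeholder hostname, domain and device ID.

```python
import re

# Constructed sample in the format of the output posted above (hostname, domain
# and device ID are placeholders, not values from the thread).
SAMPLE = """\
core-sw#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : EXAMPLE
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0000.0000.0001

Feature VLAN:
--------------
VTP Operating Mode                : Primary Server
Number of existing VLANs          : 57
Configuration Revision            : 11

Feature MST:
--------------
VTP Operating Mode                : Transparent
"""

def parse_vtp_status(text):
    """Return {'global': {...}, 'features': {name: {...}}} from 'show vtp status'."""
    parsed = {"global": {}, "features": {}}
    current = parsed["global"]
    for line in text.splitlines():
        header = re.match(r"^Feature\s+(\S+?):?\s*$", line)
        if header:                      # start of a per-feature section
            current = parsed["features"].setdefault(header.group(1), {})
            continue
        field = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if field:                       # "Key : value"; prompts and rulers are skipped
            current[field.group(1)] = field.group(2)
    return parsed

def transparent_precheck(text):
    """List findings that should be cleared before setting this switch transparent."""
    status = parse_vtp_status(text)
    findings = []
    if status["global"].get("VTP Pruning Mode", "").lower() != "disabled":
        findings.append("VTP pruning is not reported as Disabled")
    mode = status["features"].get("VLAN", {}).get("VTP Operating Mode")
    if mode is None:
        findings.append("no VLAN feature section found; check the output format")
    return findings
```

Because the operating mode is reported per feature in this output format, the parser keeps the VLAN and MST sections separate; a switch can be Primary Server for VLAN while Transparent for MST, as in the posted output.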
