Sam

Firstly we need to distinguish between a VTP server/client setup and VTP transparent.

VTP server and client switches use VTP updates to modify their vlan database.

VTP transparent does not use VTP updates although it does pass them on to other switches. If you want to modify the vlan database on a VTP transparent switch you have to do it locally on each switch.

When your guy says no one uses VTP he was referring to the VTP server and client setup because a lot of switches do not allow you to actually turn off VTP. The closest you can come to that is to run VTP transparent.

In terms of taking down the network again this only applies to where you have VTP server(s) and clients. With VTP updates there is a revision number. If a switch receives an update with a higher revision number than the one it currently has it uses that update to modify it's vlan database. So when you add a new switch to the VTP domain you need to be careful that it does not have a higher revision number than the one in use (note it shouldn't do but you never know).

If it does it would then send an update with the highest revision number and all the other switches would then modify their vlan databases. Considering the new switch would not have the correct vlan information this would mean all your switches lose the correct vlan information which clearly means your network stops working.

The simplest solution to make sure this doesnt happen is before you connect the new switch to the domain first change it to VTP transparent and then back to VTP client and this resets the revision number.

That aside it is also worth bearing in mind that it is still possible to impact the network by simply making a mistake when modifying the vlan database on the VTP server because that mistake is then passed to all other switches and they modify their own databases.

And once you create a vlan that vlan is then created on all your switches.

This is the reason some people prefer to run either VTP transparent or, where possible, turn off VTP altogether because it gives far more control in terms of which vlans are on which switches.

But to say "no one uses VTP" is a bit of a sweeping statement in my opinion. I have used both and neither have ever given me any problems.

It really is your choice in the end.

Jon

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Yea, not too long ago, a new senior network engineer was able to require VTP not be used as part of our standards.  In his opinion, VTP is a "virus".   (In theory, we're moving to all L3, so no VLAN trunks and so there's no need to share a common VLAN database.  Of course, we're years from that, and in the meantime, I have some active multiple switch L2 topologies, with VTP now deactivated.  So, I'm now often changing VLANs databases on multiple switches and doing manual pruning, what fun!)

Personally, I think VTP is great.  The horror stories, of erasing large VLAN topologies with it are true.  (I've seen it happen.)  Generally such happens when you just leave VTP (v1 or v2) with its default settings (especially with a null domain) and drop a switch on the network that someone has been using to experiment with, like in lab.

Besides the obvious, that devices shouldn't just be dropped on production networks without some change management, you can make it a bit harder for accidents to happen if you set an explicit VTP domain name and use VTP passwords.  (Both to help insure there's an explicit "agreed" configuration before sharing VLAN information.)

BTW, one common misunderstood feature with VTP v1 or v2, "clients" also replicate.  I.e. a VTP "client" can overwrite a VTP "server".

I've haven't use it, but I understand VTP v3 has features to make "accidents" much, much harder.

As many have stated there are obviously a lot of pro's and con's to it. While the current "best" practice is to extend L3 to the access layer, this is not always possible. Often times you will see end to end VLANs (VLANs that span the entirety of a campus). I've seen it on networks with 100+ switches in a spanned network. At this level- it becomes a very tedious process to configure a new VLAN across the network (even to a specific location). VTP v3 is a great tool to minimize the risk of breaking your network. A good practice when working on systems is NEVER use your production VTP domain/password on lab equipment. This will ensure that you never put a device on the network that has a higher revision number. Another good practice- to prevent unauthorized switches from being plugged in would be to configured BPDU guard on all access ports and shut all unused trunk ports.