04-10-2014 01:04 PM - edited 03-07-2019 07:03 PM
I am new to VLANs and trunks. I had a conversation with an "expert" who told me that "no one uses VTP" and that if a switch gets replaced, that "it could take the whole network down". That seems absurd to me. Seems like if I had to replace a switch - even if it was the primary VTP server then I can promote the secondary server to the primary. We have a total of 12 switches. I was going to set up 2 VLANs and trunk ports for ESXi hosts in a VSA cluster. So I am trying to decide whether or not to use VTP. Am I better off staying away from VTP?
04-10-2014 04:26 PM
If you know the dangers of vtp and you have "control" over who is plugging things into the network then there is nothing wrong with it. If you have a large network and you need to have the same vlans across many different switches or you make many vlan changes on the switches it can be handy. We had a setup with 80 vlans that fed probably 60-80 client switches and we never had any issue. Also as the network has been in a while and there have been a number of changes then it becomes less likely that someone is going to stick a switch in if your revision number is like 200. If you have a small network and you don't make many changes then you don't really need it and transparent is safer.
04-10-2014 02:06 PM
A lot of networks still use VTP. Sure it's scary if you don't know what you're doing. But as long as you always check to make sure the VTP revision # isn't greater than the one you are replacing, you're good. But that can be said for anything on a network. Experts should know better than not to check to make sure a device isn't incorrectly configured.
I wouldn't call anyone an expert if they can't figure out how to not destroy their vlans when replacing a switch. Experts always know how a change is going to affect their network.
07-29-2014 03:17 PM
I ended up putting all the switches in transparent mode. Being new to VLANs, I possessed a very minimal understanding of the different types, and trunking, etc. So after learning a little bit about it, I still am no expert at all, but I understand enough to know that I did not need to use VTP at all. We have a small network with about 15 total switches - the most that are in any one data room is 5. Thanks again for all the helpful replies. This is a great forum.
04-10-2014 02:30 PM
Sam
Firstly we need to distinguish between a VTP server/client setup and VTP transparent.
VTP server and client switches use VTP updates to modify their vlan database.
VTP transparent does not use VTP updates although it does pass them on to other switches. If you want to modify the vlan database on a VTP transparent switch you have to do it locally on each switch.
When your guy says no one uses VTP he was referring to the VTP server and client setup because a lot of switches do not allow you to actually turn off VTP. The closest you can come to that is to run VTP transparent.
In terms of taking down the network again this only applies to where you have VTP server(s) and clients. With VTP updates there is a revision number. If a switch receives an update with a higher revision number than the one it currently has it uses that update to modify its vlan database. So when you add a new switch to the VTP domain you need to be careful that it does not have a higher revision number than the one in use (note it shouldn't do but you never know).
If it does it would then send an update with the highest revision number and all the other switches would then modify their vlan databases. Considering the new switch would not have the correct vlan information this would mean all your switches lose the correct vlan information which clearly means your network stops working.
The simplest solution to make sure this doesn't happen is before you connect the new switch to the domain first change it to VTP transparent and then back to VTP client and this resets the revision number.
That aside it is also worth bearing in mind that it is still possible to impact the network by simply making a mistake when modifying the vlan database on the VTP server because that mistake is then passed to all other switches and they modify their own databases.
And once you create a vlan that vlan is then created on all your switches.
This is the reason some people prefer to run either VTP transparent or, where possible, turn off VTP altogether because it gives far more control in terms of which vlans are on which switches.
But to say "no one uses VTP" is a bit of a sweeping statement in my opinion. I have used both and neither have ever given me any problems.
It really is your choice in the end.
Jon
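A pre-change check for the rule Jon describes, added here as an example (it is not code from Jon or any poster in the thread): it parses two constructed `show vtp status` captures, flags a new switch whose revision would overwrite the domain, and simulates the transparent-then-client reset. Field names follow the shape of IOS output, but every value is made up.

```python
# Constructed sample output in the shape of IOS "show vtp status" (values made up).
NEW_SWITCH = """\
VTP Version                     : 2
Configuration Revision          : 37
Number of existing VLANs        : 9
VTP Operating Mode              : Client
VTP Domain Name                 : LAB
"""

PROD_SERVER = """\
VTP Version                     : 2
Configuration Revision          : 24
Number of existing VLANs        : 14
VTP Operating Mode              : Server
VTP Domain Name                 : CORP
"""


def parse_vtp_status(text):
    """Turn 'Key : Value' lines into a dict and expose the revision as an int."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    fields["revision"] = int(fields.get("Configuration Revision", "0"))
    return fields


def join_risk(new, prod):
    """Reason codes for why 'new' is unsafe to cable into the domain 'prod' serves."""
    reasons = []
    if new.get("VTP Operating Mode", "").lower() == "transparent":
        return reasons  # transparent switches keep a local database and only relay updates
    if new["revision"] > prod["revision"]:
        reasons.append("higher-revision")  # its database would overwrite every server and client
    elif new["revision"] != 0:
        reasons.append("nonzero-revision")  # not reset; still higher than a freshly reset switch
    new_domain = new.get("VTP Domain Name", "")
    # A blank (null) domain is learned from the first advertisement, so only a
    # different explicit name counts as a mismatch (the switch would never sync).
    if new_domain and new_domain != prod.get("VTP Domain Name", ""):
        reasons.append("domain-mismatch")
    return reasons


def reset_revision(switch, domain):
    """Simulate the fix from the thread: transparent, then back to client, which zeroes the revision."""
    fixed = dict(switch)
    fixed["VTP Operating Mode"] = "Transparent"  # switching mode resets the revision to 0
    fixed["revision"] = 0
    fixed["VTP Operating Mode"] = "Client"
    fixed["VTP Domain Name"] = domain  # set the production domain explicitly before cabling
    return fixed


if __name__ == "__main__":
    new, prod = parse_vtp_status(NEW_SWITCH), parse_vtp_status(PROD_SERVER)
    print("before reset:", join_risk(new, prod))
    print("after reset: ", join_risk(reset_revision(new, prod["VTP Domain Name"]), prod))
```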
03-09-2017 10:44 PM
Good explanation.
04-18-2020 05:45 PM
That really helps. I am preparing for the CCNA and I stumbled on this topic as one that was removed and couldn't understand the logic. Thanks for this.
03-31-2021 09:04 AM
I am also studying to take the CCNA exam. Evidently there is some controversy surrounding this subject.
https://www.globed.net/courses/cisco-ccna-deluxe-200-301-volume-1-volume2?affcode=11661_xbglc-nkCopy
I'm using Learn with Laz as my main resource for studying. How about you?
04-11-2014 03:48 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Yea, not too long ago, a new senior network engineer was able to require VTP not be used as part of our standards. In his opinion, VTP is a "virus". (In theory, we're moving to all L3, so no VLAN trunks and so there's no need to share a common VLAN database. Of course, we're years from that, and in the meantime, I have some active multiple switch L2 topologies, with VTP now deactivated. So, I'm now often changing VLAN databases on multiple switches and doing manual pruning, what fun!)
Personally, I think VTP is great. The horror stories of erasing large VLAN topologies with it are true. (I've seen it happen.) Generally such happens when you just leave VTP (v1 or v2) with its default settings (especially with a null domain) and drop a switch on the network that someone has been using to experiment with, like in a lab.
Besides the obvious, that devices shouldn't just be dropped on production networks without some change management, you can make it a bit harder for accidents to happen if you set an explicit VTP domain name and use VTP passwords. (Both to help ensure there's an explicit "agreed" configuration before sharing VLAN information.)
BTW, one commonly misunderstood feature with VTP v1 or v2: "clients" also replicate. I.e. a VTP "client" can overwrite a VTP "server".
I haven't used it, but I understand VTP v3 has features to make "accidents" much, much harder.
04-19-2020 04:08 PM
As many have stated there are obviously a lot of pros and cons to it. While the current "best" practice is to extend L3 to the access layer, this is not always possible. Oftentimes you will see end to end VLANs (VLANs that span the entirety of a campus). I've seen it on networks with 100+ switches in a spanned network. At this level, it becomes a very tedious process to configure a new VLAN across the network (even to a specific location). VTP v3 is a great tool to minimize the risk of breaking your network. A good practice when working on systems is NEVER use your production VTP domain/password on lab equipment. This will ensure that you never put a device on the network that has a higher revision number. Another good practice, to prevent unauthorized switches from being plugged in, would be to configure BPDU guard on all access ports and shut all unused trunk ports.
04-20-2020 01:27 AM
As a former Cisco TAC engineer, my recommendation is simple: DO NOT USE VTP.
Cheers,
Sergiu
04-20-2020 01:44 AM - edited 04-20-2020 01:45 AM
Hello
I would suggest the other way, VTP is a very useful protocol especially when you have a large estate of L2 devices and you need to make changes say regards creation of a few more L2/3 vlans on your cores and you then need to propagate these changes throughout your LAN, unless you have some automation such as Prime then you would be stuck with visiting every related L2 node to accomplish adding the new vlans in your network.
As long as you have a good understanding of the protocol, change control and you implement some simple measures such as vtp password or vtp version 3 I'd say it's a good feature to have running on your LAN
04-20-2020 04:52 AM
Hi @paul driver
This is actually how the problems appear. A lot of the engineers do not get into all underlying details on how the protocol works. On top of that, a big majority of engineers do not read guidelines and limitations for all their switches/versions running in the network.
Now coming to the configuration part, if you want to speed it up in a safe, scalable and controlled manner, automation is the way to go forward. There are so many available methods: Ansible, Terraform, in-house made python scripts etc.
Once again, this is just my opinion, on different problems observed in the field.
Cheers,
Sergiu
04-20-2020 05:45 AM
Hello @Sergiu.Daniluk
Scripting is the way forward I do agree with that especially with SDN\ACI becoming a lot more mainstream however until every net engineer has the necessary skill set to program then they are reliant on the existing feature sets available to them. So if you cannot code and you don't have any other forms of automation, like a vast amount of companies still out there don't have, then in this case VTP in a large lan estate is definitely applicable.