Beginner

Transparent VTP vs. Server/null domain (default)

We have a small number of VLANs (under 5) and according to Cisco's small business architecture documentation it is recommended to set VTP to transparent mode. Transparent mode doesn't send VTP updates to other switches, which is basically the same effective outcome that comes default on new switches, which is server mode with a null domain. Can someone clarify for me why I would want to choose transparent over the server/null domain setup when it seems to me that the difference is a zero sum calculation?

Thanks.

1 ACCEPTED SOLUTION

Hall of Fame Cisco Employee

Hello Jason,

A network with all switches in VTP Server mode and domain left to NULL is in a very unstable state. If a VTP-enabled switch with its domain left on NULL is connected to another switch with a non-NULL domain, it will immediately adopt the domain name and download the VLAN database from the neighbor. The same will happen if you, even by accident, set a particular VTP domain name on any of your switches - it will immediately propagate the domain name with its VLAN database, thereby spreading it through your entire switched network. Thus, leaving your network in Server/NULL mode in fact means leaving it very vulnerable. I personally strongly urge you to put the VTP domain to Transparent mode, as suggested by the Cisco documentation.

Best regards,

Peter

5 REPLIES

Beginner

Thanks a ton Peter.  That was exactly what I was looking for.

Hall of Fame Cisco Employee

Jason,

You are heartily welcome. Please do come back here to CSC with any other issues or questions you might have.

Best regards,

Peter

VIP Expert

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

"Transparent mode doesn't send VTP updates", true for that switch, but it can relay another switch's VTP advertisements.  If you really want to lock down VTP, newer software supports an "off" option.

Hall of Fame Cisco Employee

Joseph,

Good point. If VTPv3 is supported, the off mode should be available, and definitely, that is the most secure setting. Thanks for joining this thread!

Best regards,

Peter
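
An added example, not part of the thread and not Cisco code: a small audit that reads saved `show vtp status` captures and flags the states discussed above (Server/Client with a NULL domain, Transparent, Off). The hostnames, the domain name `CORP`, the finding labels and the two field labels matched by the regexes are assumptions; the sample captures are constructed and trimmed to the two relevant lines.

```python
import re

# Constructed captures modelled on the layout of `show vtp status`.
# Hostnames, the domain "CORP" and the field labels are assumptions.
SAMPLES = {
    "sw1": "VTP Operating Mode              : Server\n"
           "VTP Domain Name                 : \n",
    "sw2": "VTP Operating Mode              : Server\n"
           "VTP Domain Name                 : CORP\n",
    "sw3": "VTP Domain Name                 : \n"
           "VTP Operating Mode              : Transparent\n",
    "sw4": "VTP Domain Name                 : CORP\n"
           "VTP Operating Mode              : Off\n",
}

MODE_RE = re.compile(r"^[ \t]*VTP Operating Mode[ \t]*:[ \t]*(\S+)", re.M | re.I)
# [ \t]* (not \s*) after the colon so an empty domain never swallows the next line.
DOMAIN_RE = re.compile(r"^[ \t]*VTP Domain Name[ \t]*:[ \t]*(.*)$", re.M | re.I)


def classify(status_text):
    """Return (mode, domain, finding) for one captured status output."""
    mode_m = MODE_RE.search(status_text)
    if mode_m is None:
        return ("unknown", "", "no-mode-line")
    mode = mode_m.group(1).lower()
    dom_m = DOMAIN_RE.search(status_text)
    domain = dom_m.group(1).strip() if dom_m else ""
    if mode in ("server", "client"):
        # NULL domain: the switch takes the domain and VLAN database
        # of the first neighbor that advertises a non-NULL domain.
        finding = "adopts-neighbor-domain" if not domain else "vtp-active"
    elif mode == "transparent":
        finding = "relays-only"      # originates nothing, may still relay
    elif mode == "off":
        finding = "vtp-off"          # the lock-down option from the thread
    else:
        finding = "unrecognized-mode"
    return (mode, domain, finding)


def audit(samples):
    return {host: classify(text) for host, text in samples.items()}


if __name__ == "__main__":
    for host, (mode, domain, finding) in audit(SAMPLES).items():
        print(f"{host}: mode={mode} domain={domain or '<null>'} -> {finding}")
```
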
