07-27-2011 10:11 AM - edited 03-07-2019 01:26 AM
We have a small number of VLANs (under 5) and according to Cisco's small business architecture documentation it is recommended to set VTP to transparent mode. Transparent mode doesn't send VTP updates to other switches, which is basically the same effective outcome that comes default on new switches, which is server mode with a null domain. Can someone clarify for me why I would want to choose transparent over the server/null domain setup when it seems to me that the difference is a zero sum calculation?
Thanks.
07-27-2011 10:27 AM
Hello Jason,
A network with all switches in VTP Server mode and domain left to NULL is in a very unstable state. If a VTP-enabled switch with its domain left on NULL is connected to another switch with a non-NULL domain, it will immediately adopt the domain name and download the VLAN database from the neighbor. The same will happen if you, even by accident, set a particular VTP domain name on any of your switches - it will immediately propagate the domain name with its VLAN database, thereby spreading it through your entire switched network. Thus, leaving your network in Server/NULL mode in fact means leaving it very vulnerable. I personally strongly urge you to put the VTP domain to Transparent mode, as suggested by the Cisco documentation.
Best regards,
Peter
07-27-2011 12:10 PM
Thanks a ton Peter. That was exactly what I was looking for.
07-27-2011 12:13 PM
Jason,
You are heartily welcome. Please do come back here to CSC with any other issues or questions you might have.
Best regards,
Peter
07-27-2011 05:49 PM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
"Transparent mode doesn't send VTP updates", true for that switch, but it can relay another switch's VTP advertisements. If you really want to lock down VTP, newer software supports an "off" option.
07-28-2011 12:14 AM
Joseph,
Good point. If the VTPv3 is supported, the off mode should be available, and definitely, that is the most secure setting. Thanks for joining this thread!
Best regards,
Peter
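An added example, not part of the thread: a small Python audit that applies the distinctions drawn in the posts above (server mode with a null domain, transparent, off) to `show vtp status` text collected from each switch. The sample outputs, hostnames, the domain name "LAB" and the finding labels are constructed for illustration.

```python
import re

# Constructed "show vtp status" excerpts; hostnames and the domain "LAB" are made up.
SAMPLES = {
    "sw1": "VTP Domain Name                 :\nVTP Operating Mode              : Server\n",
    "sw2": "VTP Domain Name                 : LAB\nVTP Operating Mode              : Server\n",
    "sw3": "VTP Domain Name                 : LAB\nVTP Operating Mode              : Transparent\n",
    "sw4": "VTP Domain Name                 : LAB\nVTP Operating Mode              : Off\n",
}

# Match only the two fields the audit needs; the value may be empty (null domain).
FIELD = re.compile(r"^[ \t]*VTP (Domain Name|Operating Mode)[ \t]*:[ \t]*(.*?)[ \t]*$", re.M)

# Hypothetical finding labels, each summarising a point made in the thread.
FINDINGS = {
    "null-domain": "adopts the first domain name and VLAN database it hears",
    "participating": "accepts and propagates VTP updates for its domain",
    "transparent": "ignores updates for itself but can relay advertisements",
    "off": "VTP disabled on this switch",
}

def parse_vtp(text):
    """Return (mode, domain) from 'show vtp status' text; domain is '' when null."""
    fields = dict(FIELD.findall(text))
    if "Operating Mode" not in fields:
        raise ValueError("no VTP operating mode found in output")
    return fields["Operating Mode"].lower(), fields.get("Domain Name", "")

def classify(mode, domain):
    """Map a mode/domain pair to one of the FINDINGS keys."""
    if mode == "off":
        return "off"
    if mode == "transparent":
        return "transparent"
    if not domain:
        return "null-domain"
    return "participating"

def audit(outputs):
    """Classify every switch in a {hostname: show-output} mapping."""
    return {host: classify(*parse_vtp(text)) for host, text in outputs.items()}

if __name__ == "__main__":
    for host, finding in audit(SAMPLES).items():
        print(f"{host}: {finding} - {FINDINGS[finding]}")
```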