
Transparent VTP vs. Server/null domain (default)

J.NIXON
Level 1

We have a small number of VLANs (under 5) and according to Cisco's small business architecture documentation it is recommended to set VTP to transparent mode. Transparent mode doesn't send VTP updates to other switches, which is basically the same effective outcome that comes default on new switches, which is server mode with a null domain. Can someone clarify for me why I would want to choose transparent over the server/null domain setup when it seems to me that the difference is a zero-sum calculation?

Thanks.

1 Accepted Solution (Peter Paluch's first reply below)

5 Replies

Peter Paluch
Cisco Employee

Hello Jason,

A network with all switches in VTP Server mode and domain left to NULL is in a very unstable state. If a VTP-enabled switch with its domain left on NULL is connected to another switch with a non-NULL domain, it will immediately adopt the domain name and download the VLAN database from the neighbor. The same will happen if you, even by accident, set a particular VTP domain name on any of your switches - it will immediately propagate the domain name with its VLAN database, thereby spreading it through your entire switched network. Thus, leaving your network in Server/NULL mode in fact means leaving it very vulnerable. I personally strongly urge you to put the VTP domain to Transparent mode, as suggested by the Cisco documentation.

Best regards,

Peter

Thanks a ton Peter.  That was exactly what I was looking for.

Jason,

You are heartily welcome. Please do come back here to CSC with any other issues or questions you might have.

Best regards,

Peter

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

"Transparent mode doesn't send VTP updates", true for that switch, but it can relay another switch's VTP advertisements.  If you really want to lock down VTP, newer software supports an "off" option.

Joseph,

Good point. If VTPv3 is supported, the off mode should be available, and definitely, that is the most secure setting. Thanks for joining this thread!

Best regards,

Peter
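To make the two points in this thread concrete (Peter's: a server-mode switch with the NULL domain adopts whatever domain name and VLAN database it hears from a neighbor, and Joseph's: transparent mode leaves the local database alone but still relays the advertisement, while VTPv3 off drops it), here is an added toy model of how one VTP advertisement is handled as it floods through a small LAN. It is illustrative code written for this page, not from the thread, from Cisco, or from any switch firmware; the switch names, the four-switch chain, the stray switch's domain name LAB and revision 7, and the simplified rules (no MD5/password check, VTP version 2 style transparent relaying regardless of domain name, one relay per switch as a loop guard) are all assumptions of the model.

```python
"""Toy model of VTP advertisement handling (added example, not from the thread).

Simplifications, all assumptions of this model:
  * an advertisement is just (domain, revision, VLAN set); no MD5/password check
  * transparent behaves like VTP version 2: relays regardless of domain name
  * a switch relays a given advertisement at most once (loop guard)
"""
from collections import deque
from dataclasses import dataclass, field

NULL_DOMAIN = ""  # a factory-default switch has no domain name configured


@dataclass(frozen=True)
class Advertisement:
    domain: str
    revision: int
    vlans: frozenset


@dataclass
class Switch:
    name: str
    mode: str                      # "server", "client", "transparent" or "off"
    domain: str = NULL_DOMAIN
    revision: int = 0
    vlans: frozenset = frozenset({1})
    trunks: list = field(default_factory=list)   # names of trunk neighbours


def receive(sw: Switch, adv: Advertisement):
    """Apply one advertisement to sw.

    Returns (overwritten, relay): whether sw replaced its VLAN database and
    whether it passes the advertisement on over its other trunks.
    """
    if sw.mode == "off":
        return False, False                      # VTPv3 off: dropped, never relayed
    if sw.mode == "transparent":
        return False, True                       # own DB untouched, but relayed
    # server / client
    if sw.domain == NULL_DOMAIN and adv.domain != NULL_DOMAIN:
        sw.domain = adv.domain                   # NULL domain adopts any name it hears
    if sw.domain != adv.domain:
        return False, False                      # foreign domain: ignored
    if adv.revision > sw.revision:
        sw.revision = adv.revision               # higher revision wins ...
        sw.vlans = adv.vlans                     # ... and replaces the whole VLAN DB
        return True, True
    return False, False                          # equal or older revision: ignored


def flood(net: dict, source: str, adv: Advertisement):
    """Send adv from `source` over its trunks and let the network react.

    Returns (saw, overwritten): switches that received the advertisement and
    switches whose VLAN database was replaced, in arrival order.
    """
    saw, overwritten, relayed = [], [], set()
    queue = deque((nbr, source) for nbr in net[source].trunks)
    while queue:
        name, came_from = queue.popleft()
        sw = net[name]
        if name not in saw:
            saw.append(name)
        changed, relay = receive(sw, adv)
        if changed:
            overwritten.append(name)
        if relay and name not in relayed:        # relay once per switch (loop guard)
            relayed.add(name)
            queue.extend((nbr, name) for nbr in sw.trunks if nbr != came_from)
    return saw, overwritten


def build_lan(mode: str) -> dict:
    """Constructed 4-switch chain SW1-SW2-SW3-SW4, all in `mode`, NULL domain,
    revision 0, carrying VLANs 1/10/20/30 (the 'under 5 VLANs' case)."""
    prod = frozenset({1, 10, 20, 30})
    names = ["SW1", "SW2", "SW3", "SW4"]
    net = {n: Switch(n, mode, vlans=prod) for n in names}
    for a, b in zip(names, names[1:]):
        net[a].trunks.append(b)
        net[b].trunks.append(a)
    return net


def plug_in_stray_switch(mode: str):
    """A switch from elsewhere (constructed: domain LAB, revision 7, only VLAN 1)
    is trunked to SW1.  Returns (saw, overwritten, vlans_left_on_SW4)."""
    net = build_lan(mode)
    net["STRAY"] = Switch("STRAY", "server", domain="LAB", revision=7,
                          vlans=frozenset({1}), trunks=["SW1"])
    net["SW1"].trunks.append("STRAY")
    adv = Advertisement("LAB", 7, frozenset({1}))
    saw, overwritten = flood(net, "STRAY", adv)
    return saw, overwritten, sorted(net["SW4"].vlans)


if __name__ == "__main__":
    for mode in ("server", "transparent", "off"):
        saw, hit, left = plug_in_stray_switch(mode)
        print(f"{mode:11s} saw={saw} overwritten={hit} SW4 VLANs={left}")
```

In the server/NULL case every switch adopts the domain LAB and revision 7, and VLANs 10, 20 and 30 vanish from all four switches, which is the outage Peter warns about; the stray switch did not need to know any domain name. In transparent mode the advertisement still reaches SW4 (Joseph's point) but no database changes; in off mode it is dropped at SW1. The IOS side of the same choice is `vtp mode transparent` (VLANs then live in the running configuration), or, where VTP version 3 is available, `vtp version 3` followed by `vtp mode off`; `show vtp status` displays the resulting mode, domain name and configuration revision. A `vtp password` adds the MD5-digest check that this model omits, so an advertisement also has to carry the right password before a server or client would accept it.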
