
VTP Client with no VTP Server

lcaruso
Level 6

Hi,

I'm trying to clean up some switches, so one thing I'm doing is analyzing vlans seen on these switches.

I'm seeing Access switches connected to a Core (not a true core) where the Core is VTP Transparent and the Access switch is VTP Client. All of the same vlans defined on the Core are also on this Access switch even though the Access switch only has ports in 2 of those 10 vlans. My guess is that at some time previously the Core was set up as a VTP Server (later changed to Transparent) and propagated all of the vlans to this particular Access switch.

I should probably change the VTP mode to Transparent if there is no VTP Server in this network.

I know VTP makes this propagation automatic and is preferred in some larger networks, but in a smaller network with high security needs is it a best practice to only have vlans actually used on a switch defined on a given switch?

Another way of stating the question: when I do a show int trunk on a given access switch and I see vlans being forwarded on a trunk port when this switch has no ports in those vlans, does that make any sense other than to say it might be convenient if someday you want to move ports on that switch into those vlans?

Thanks.


8 Replies

network_guy
Level 1

Yes, it is convenient if they are already there. I wouldn't say it is a best security practice; if you are a security-detailed network admin you should have vtp pruning enabled. It will pass vtp info but will only let traffic come across the trunks if there are switchports that are assigned to that vlan.

Thanks for your reply. I've generally avoided VTP other than Transparent Mode, so didn't know about the pruning feature.

I should also have mentioned you can manually prune vlans if you don't want to use the vtp pruning; depending on how big the network is, it might be easier. The command is switchport trunk allowed vlan X,X,X, I believe.
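As an added illustration of the audit the question describes (this is not code from the thread or from Cisco), the script below parses constructed show interfaces trunk and show vlan brief output and lists, per trunk, the VLANs the switch forwards but has no local port in; those are the candidates for a manual switchport trunk allowed vlan list. The keep parameter is a hypothetical addition for VLANs that must stay regardless (native, management, or any VLAN this switch only transits toward a downstream switch).

```python
# Constructed IOS-style sample output (not from a real device); VLAN 10's port list wraps.
SHOW_INT_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30,40"""
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2, Gi0/3
10   users                            active    Gi0/4, Gi0/5, Gi0/6, Gi0/7,
                                                Gi0/8
20   printers                         active    Gi0/9
30   voice                            active
40   servers                          active"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,10-12,20' into a set of IDs."""
    ids = set()
    for lo, _, hi in (p.strip().partition("-") for p in spec.split(",")):
        if lo.isdigit():
            ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def forwarded_vlans(trunk_output):
    """Trunk port -> VLANs actually forwarded (the output's last section)."""
    result, in_section = {}, False
    for line in trunk_output.splitlines():
        if line.startswith("Port"):            # each section has a header row
            in_section = "forwarding state" in line
        elif in_section and line.strip():
            port, spec = line.split(None, 1)
            result[port] = expand_vlans(spec)
    return result

def vlans_with_ports(vlan_output):
    """VLAN IDs with at least one local port assigned (wrapped lines too)."""
    used, current = set(), None
    for line in vlan_output.splitlines():
        fields = line.split(None, 3)           # id, name, status, ports
        if fields and fields[0].isdigit():     # start of a VLAN entry
            current, has_ports = int(fields[0]), len(fields) > 3
        else:                                  # indented wrapped port list
            has_ports = current is not None and line[:1] == " " and bool(line.strip())
        if has_ports:
            used.add(current)
    return used

def unused_on_trunks(trunk_output, vlan_output, keep=frozenset({1})):
    """Per trunk: forwarded VLANs with no local member port, minus 'keep'."""
    used = vlans_with_ports(vlan_output) | set(keep)
    return {p: sorted(v - used) for p, v in forwarded_vlans(trunk_output).items()}
```

On a transit switch, check the downstream trunks before pruning: a VLAN with no local access port may still be needed by a switch behind it.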

Hello Joshua,

In theory, I agree with you that VTP Pruning can also, to a limited extent, increase security, as it prevents flooding unknown unicast/multicast/broadcast into parts of the network where there are no active receivers. I have personally never considered it a security measure, though - to me, it was more about flooding efficiency - why should we flood frames into parts of the network about which we know there is nobody to listen to them? VTP Pruning primarily optimizes the flooding in switched networks, thereby also having a security impact. However, the VTP Pruning feature has proven over the years to be a fragile mechanism, often ending up in a partitioned network. Personally, after trying to solve a couple of issues here on CSC that boiled down to misbehaving VTP Pruning, I do not recommend running it (although I appreciate very much the goal VTP Pruning is trying to achieve).

Best regards,

Peter

Thanks for your perspective on this Peter.

Hello,

Peter again provided an excellent answer.

Following is one of the old documents about VLAN security:

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.pdf

IMHO, when it comes to security, a setup without a VTP server is more secure.

Also, if you are going to use VLANs from the extended range, this will not work; you need transparent.

HTH,

Alex

Thanks for the link.

I noticed in the 15.x IOS there is now an option for VTP Mode OFF.

Didn't recall seeing that in IOS 12.x

Hello,

The vtp off in global configuration mode, and no vtp in interface-level mode, have arrived together with VTPv3 support somewhere around 12.2(55)SE1 or similar.

@Alexander - thank you very much for your kind words!

Best regards,

Peter
