03-02-2013 07:43 PM - edited 03-07-2019 12:01 PM
Hi,
I'm trying to clean up some switches, so one thing I'm doing is analyzing vlans seen on these switches.
I'm seeing Access switches connected to a Core (not a true core) where the Core is VTP Transparent and the Access switch is VTP Client. All of the same vlans defined on the Core are also on this Access switch even though the Access switch only has ports in 2 of those 10 vlans. My guess is at some time previous the Core was setup as a VTP Server (later changed to Transparent) and propagated all of the vlans to this particular Access switch.
I should probably change the VTP mode to Transparent if there is no VTP Server in this network.
I know VTP makes this propagation automatic and is preferred in some larger networks, but in a smaller network with high security needs is it a best practice to only have vlans actually used on a switch defined on a given switch?
Another way of stating the question is: when I do a show int trunk on a given access switch and I see vlans being forwarded on a trunk port when this switch has no ports in those vlans, does that make any sense other than to say it might be convenient if someday you want to move ports on that switch into those vlans?
Thanks.
03-02-2013 07:48 PM
Yes, it is convenient if they are already there. I wouldn't say it is a best security practice; if you are a security-detailed network admin you should have vtp pruning enabled. It will pass vtp info but will only let traffic come across the trunks if there are switchports that are assigned to that vlan.
03-02-2013 07:56 PM
Thanks for your reply. I've generally avoided VTP other than Transparent Mode, so didn't know about the pruning feature.
03-02-2013 09:48 PM
I should also have mentioned you can manually prune vlans if you don't want to use the vtp pruning; depending on how big the network is it might be easier. The command is switchport trunk allowed vlan X,X,X, I believe.
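The check the original question describes (VLANs active on a trunk that no port on the switch actually uses) and the manual-pruning reply above can be combined into a small audit. The script below is an added example, not code from the thread or from Cisco: it parses a constructed "show interfaces trunk" output and a constructed running-config excerpt, reports the trunk VLANs that no local access port, voice port or SVI terminates, and builds the corresponding switchport trunk allowed vlan list. The sample output, port names and addresses are all made up for illustration.

```python
import re

# Constructed sample of "show interfaces trunk" output (not from the thread).
SHOW_INT_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30,40,50,60,70,80,90,100

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30,40,50,60,70,80,90,100
"""

# Constructed running-config excerpt for the same access switch.
RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 20
 switchport mode access
!
interface Vlan100
 ip address 192.0.2.5 255.255.255.0
!
"""


def expand_vlan_list(text):
    """Turn an IOS VLAN list such as '1,10-12,20' into a set of ints."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def compress_vlan_list(vlans):
    """Inverse of expand_vlan_list: {1,10,11,12,20} -> '1,10-12,20'."""
    out = []
    start = prev = None
    for v in sorted(vlans):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            out.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = v
    if start is not None:
        out.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(out)


def parse_active_trunk_vlans(show_trunk):
    """Return {port: set(vlans)} from the 'allowed and active' section."""
    result = {}
    in_section = False
    last_port = None
    for line in show_trunk.splitlines():
        if line.startswith("Port"):
            in_section = "allowed and active" in line
            last_port = None
            continue
        if not in_section:
            continue
        if not line.strip():
            in_section = False  # blank line ends the section
            continue
        if line[0].isspace() and last_port:
            # IOS wraps long VLAN lists onto indented continuation lines
            result[last_port] |= expand_vlan_list(line)
            continue
        port, vlan_text = line.split(None, 1)
        result[port] = expand_vlan_list(vlan_text)
        last_port = port
    return result


def parse_vlans_in_use(running_config):
    """VLANs this switch terminates itself: access/voice ports and SVIs."""
    used = set()
    for m in re.finditer(r"switchport (?:access|voice) vlan (\d+)", running_config):
        used.add(int(m.group(1)))
    for m in re.finditer(r"^interface Vlan(\d+)", running_config, re.M):
        used.add(int(m.group(1)))
    return used


def audit_trunks(show_trunk, running_config, native_vlan=1):
    """For each trunk, the active VLANs that nothing local uses (candidates to prune)."""
    used = parse_vlans_in_use(running_config) | {native_vlan}
    active = parse_active_trunk_vlans(show_trunk)
    return {port: sorted(vlans - used) for port, vlans in active.items()}


def allowed_vlan_command(show_trunk, running_config, native_vlan=1):
    """The manual-pruning command that keeps only the VLANs in use plus the native VLAN."""
    used = parse_vlans_in_use(running_config) | {native_vlan}
    return "switchport trunk allowed vlan " + compress_vlan_list(used)


if __name__ == "__main__":
    for port, unused in audit_trunks(SHOW_INT_TRUNK, RUNNING_CONFIG).items():
        print(f"{port}: active VLANs with no local port or SVI: {unused}")
    print(allowed_vlan_command(SHOW_INT_TRUNK, RUNNING_CONFIG))
```

The audit only knows about VLANs this switch terminates itself; a VLAN that merely transits the switch on its way to a downstream trunk (a second access switch daisy-chained below this one) would also show up as unused, so treat the list as candidates to review against the topology rather than a list to apply unseen. The native VLAN is always kept on the allowed list so the trunk's untagged traffic is not cut off.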
03-03-2013 01:03 AM
Hello Joshua,
In theory, I agree with you that the VTP Pruning can also, to a limited extent, increase the security as it prevents flooding unknown unicast/multicast/broadcast into parts of network where there are no active receivers. I have personally never considered it a security measure, though - to me, it was more about flooding efficiency - why should we flood frames into parts of network about which we know there is nobody to listen to them? VTP Pruning primarily optimizes the flooding in switched networks, thereby also having a security impact. However, the VTP Pruning feature has proven over years to be a fragile mechanism, often ending up in a partitioned network. Personally, after trying to solve a couple of issues here on CSC that boiled down to misbehaving VTP Pruning, I do not recommend running it (although I appreciate very much the goal VTP Pruning is trying to achieve).
Best regards,
Peter
03-03-2013 11:12 AM
Thanks for your perspective on this Peter.
03-03-2013 12:31 PM
Hello,
Peter again provided excellent answer.
Following is one of the old documents about VLAN security:
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.pdf
IMHO, when it comes to security, a setup without a VTP server is more secure.
Also, if you are going to use VLANs from the extended range, this will not work; you need transparent.
HTH,
Alex
03-03-2013 01:24 PM
Thanks for the link.
I noticed in the 15.x IOS there is now an option for VTP Mode OFF.
Didn't recall seeing that in IOS 12.x
03-03-2013 02:00 PM
Hello,
The vtp off in global configuration mode, and no vtp in interface-level mode, arrived together with VTPv3 support somewhere around 12.2(55)SE1 or similar.
@Alexander - thank you very much for your kind words!
Best regards,
Peter