VTP database information and best practices

jeetkulkarni
Level 1

We have VTP version 2 running in our environments. A few days back we had an incident with a remote site wiping out head office VLANs due to a VTP update done by a new layer 2 link between the sites. How can we prevent this from happening again? We understand that we can create separate VTP domains for each site or scrap VTP completely from the infrastructure. Are there any benefits of moving to VTP version 3? Can we make the head office core switch the primary and not update the VTP database if any other revision updates are received from remote sites?

Thanks for the support.

Accepted Solution

devils_advocate
Level 7

Best practice from a mistake mitigation perspective is to use VTP transparent mode as others have suggested.

This will completely prevent the issue you experienced as everything is done manually.

The downside is the fact that everything is done manually, so any new switch will require all VLANs to be created one by one, although you could copy/paste them. Plus, if you create a new VLAN and you need all the switches to have it, that could be a lengthy process if you have 100 switches in your campus.

VTP is balancing the risk against the benefit for most network people.

If you secure VTP with a domain name and password, you are only really at risk if somebody brings online a previously used switch that has both the correct domain/password AND a different set of VLANs from the current environment.

In a small network where new switches/vlans are rarely added, VTP transparent mode.

In a larger network or one which is rapidly expanding, VTP with a domain/password for me, but it's down to personal preference.

If using a domain/password for VTP and having proper change processes in place, the benefit of using the client/server model outweighs the risk for me but others would disagree.
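The two options weighed in this answer, written out as Cisco IOS configuration. This is an added example, not configuration from the thread or from Cisco; the hostnames, domain name, password, VLAN numbers and interface name are placeholders. The per-port `no vtp` command is the one a later reply mentions, and the allowed-VLAN lockdown follows the suggestion to trunk only what the uplink needs.

```text
! Added example, not from the thread. CORP-VTP, the password, VLANs 10/20/30 and
! GigabitEthernet1/0/48 are placeholders.

! --- Option A: transparent mode on every switch (the accepted advice) ---
! A transparent switch forwards VTP advertisements but never applies them,
! so a new inter-site link cannot overwrite the local VLAN database.
configure terminal
 vtp mode transparent
 vlan 10
  name USERS
 vlan 20
  name VOICE
 vlan 30
  name MGMT
 exit
 !
 ! Trunk only the VLANs the remote site needs, and stop VTP on the port
 ! entirely (interface-level "no vtp" exists from 12.2(52)SE onward).
 interface GigabitEthernet1/0/48
  description Uplink to remote site
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  no vtp
 exit
end

! --- Option B: keep client/server, but require matching domain AND password ---
! Head office core only:
configure terminal
 vtp domain CORP-VTP
 vtp password S3cr3t-Placeholder
 vtp mode server
end
! Every other switch: same domain and password, then "vtp mode client".

! Check before connecting any previously used switch: its "Configuration
! Revision" must not exceed the live domain's. Putting it into transparent
! mode and back to client resets the revision to 0.
show vtp status
```

Option B still depends on the change process described in the answer: the domain/password pair only protects against switches that do not already carry it, which is exactly the case of a reused switch from the same domain.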


7 Replies

johnd2310
Level 8

Hi

Best practice is to run all your switches in vtp transparent mode. Have a look at the vtp section of the following doc:

http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6800-series-switches/guide-c07-733457.html#_Toc406542428

Thanks

John

**Please rate posts you find helpful**

Hi, as John mentioned previously, the best practice is to use VTP transparent mode. To be honest I like VTP, but it could be a risk if the protocol is not known deeply. If you are going to keep VTP version 2, you should keep different domains per site.

If you want to disable VTP on the link between 2 sites, you can configure under the specific interfaces: no vtp

Now, if you are thinking of migrating to VTP version 3, you need to know which switch models can support it.

Benefits of VTP Version 3

Much work has gone into improving the usability of VTP version 3 in three major areas:

• The new version of VTP offers better administrative control over which device is allowed to update other devices' view of the VLAN topology. The chance of unintended and disruptive changes is significantly reduced, and availability is increased. The reduced risk of unintended changes will ease the change process and help speed deployment.

• Functionality for the VLAN environment has been significantly expanded. Two enhancements are most beneficial for today's networks:

– In addition to supporting the earlier ISL VLAN range from 1 to 1001, the new version supports the whole IEEE 802.1Q VLAN range up to 4095.

– In addition to supporting the concept of normal VLANs, VTP version 3 can transfer information regarding Private VLAN (PVLAN) structures.

• The third area of major improvement is support for databases other than VLAN (for example, MST).

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/solution_guide_c78_508010.html

Hope it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Thanks for your inputs.

Our core switch model is 4500. Access layers are mostly 3650 and 3560.

Hi

I think VTP v3 is supported on 4500 and 3650 but I have my doubts about 3560. 




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

I agree with johnd: transparent is the way to go, and lock down all your VLANs at your uplinks to only what's required.

3560s do support VTP v3 from software version 12.2(52) onward, from looking at this doc:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvtp.html


Joseph W. Doherty
Hall of Fame

In addition to what the others have posted, if you opt to not use VTP, later devices also now support an "off" mode.

If you ever get into a mixed-vendor environment, i.e. Cisco and Brand X, Brand X will very likely not support VTP.

Are there any benefits of moving to vtp version 3?

Although already answered in another post, again the answer is yes, as VTP v3 is designed to preclude the problem of a newly added switch changing the VLAN database, as can happen with VTP v1 or v2.

Can we make head office core switch as the primary and not update vtp database if any other revision updates are received from remote sites?

Hmm, interesting question.  I presume you're asking whether you could have VTP work with updates just going outbound?  I don't know whether you could block VTP info from remotes and whether VTP will still work correctly.  If it could be made to work, probably you're just creating a problem waiting to happen.

Another approach not mentioned would be review of your change management procedures.  I work in a Fortune 100 company, and due to production problems caused by network staff not following change management procedures, we all had to sign a notification that doing so, going forward, we're subject to termination.
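What the original question asked for (head office core as the only switch allowed to change the VLAN database) is what VTP version 3's primary server does. This is an added configuration example, not from the thread or from Cisco documentation; the domain name and password are placeholders, and it assumes every switch in the domain supports VTP v3 (per the thread, 3560s from 12.2(52)SE onward).

```text
! Added example, not from the thread. CORP-VTP and the password are placeholders.

! --- Head office core: the only switch permitted to originate VLAN changes ---
configure terminal
 vtp domain CORP-VTP
 vtp version 3
 vtp password S3cr3t-Placeholder hidden
 vtp mode server
end
! Promotion runs from privileged EXEC, not config mode. In v3 only the primary
! server's database is accepted; a newly attached switch with a higher revision
! number is not primary, so it cannot overwrite the domain.
vtp primary vlan

! --- Every other switch, including the remote sites ---
configure terminal
 vtp domain CORP-VTP
 vtp version 3
 vtp password S3cr3t-Placeholder hidden
 vtp mode client
end

! --- A site that must never take VTP updates at all (later IOS, as noted above) ---
configure terminal
 vtp mode off
end

! Verification: on the core, "show vtp status" reports it as the primary
! server; on the clients the Primary ID shown should be the core's MAC address.
show vtp status
```

Note that v3 changes the failure mode rather than removing it: a change made on the primary still propagates everywhere, so the change-management point above applies just as much, only now to one switch instead of any server in the domain.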
