VTP Scenario

Melvinb1981 · ‎01-01-2020

Good day,

Can you negate VTP once enabled ? It doesnt seem like it? The only option seems to be to add a password to prevent users from plugging in there own switches onto the network and rewriting your vlans. Very powerful but dangerous command i can see how this could take down networks easily. Just to add to this, when it comes to lets say hypothetical dealing with a 1000 switches. l enable vtp server on 1 switch it makes all other switches server mode, i dont want to make the other 999 switches server mode rather client do i have to go to every single one and change it? doesnt that disprove the whole point of vtp ?

paul driver · ‎01-01-2020

Hello

@Melvinb1981 wrote:

Good day,

Can you negate VTP once enabled ? It doesnt seem like it? The only option seems to be to add a password to prevent users from plugging in there own switches onto the network and rewriting your vlans. Very powerful but dangerous command i can see how this could take down networks easily. Just to add to this, when it comes to lets say hypothetical dealing with a 1000 switches.
In a production network ruining vtp1-2 you could have your vtp server(s) in transparent mode so their vtp database isnt accidentally overwritten and/or incorporate a vtp password (which by the way is in clear text so can be seen) as you stated,

However as you maybe aware even switches in a vtp mode of client can still overwrite the entire vtp database on a network if these switches had pre-existing vtp configuration on them and their revision number was higher than the existing vtp server on the network

So to prevent unauthorized switches being attached to the network then your L2 security needs to be tightened so this is something that cannot be be done easily ( shutdown unused ports, disable DTP for automatic trunking, define a native vlan other than vlan 1, bpduguard etc...)

l enable vtp server on 1 switch it makes all other switches server mode,
No this doesn't happen you need to define the vtp mode on each switch, however by default on an new switch or upon a reset of the vtp database of a switch the default vtp mode is set to server

i dont want to make the other 999 switches server mode rather client do i have to go to every single one and change it? doesnt that disprove the whole point of vtp ? - you need to define the vtp mode on each switch so if you have a 1000+ switches in production all ruining vtp server mode then I would say thats bad administration and without some central automation to push such a change (Cisco LMS/Prime ) then you would indeed need to visit each individual switch.

Vtp version 3 - All switches on the network could be vtp servers it doesn't matter, because only the designated promoted vtp primary server can change the vtp database with the added benefit of the vtp password is encrypted and hidden so switches can be added with more confidence that they are not going to overwrite the vtp database on attachment to the network

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joseph W. Doherty · ‎01-01-2020

Re: VTP versions 1 and 2, VTP ver. 3 is almost a different animal.

Can you negate VTP once enabled? Sure, either use mode transparent (as also mentioned by Paul) or, in later IOS variants, use mode off.

Yes, because VTP is considered "dangerous" by many, some shops insure it's deactivated. However, if your network is properly configured to secure it, it's much less likely that someone will take down your whole network, at least by accident.

Yes, alas, you need to touch all your switch to change their VTP configurations. If needed, this is best accomplished through some form of automation. (Normally, VTP is configured as desired as switches are added to a network, so you often don't face we need to change 1,000 at any one point.)

Oh, and any one VTP switch doesn't impact/change the mode of any other VTP switch. Also know, both server and client mode VTP switches share their VLAN database alike, the difference is, you can only reconfigure VLANs on a server mode switch. (Normally you only have one so configured to avoid "race condition" configuration changes from multiple VTP server switches.)