01-01-2020 01:31 AM
Good day,
Can you negate VTP once enabled? It doesn't seem like it. The only option seems to be to add a password to prevent users from plugging in their own switches onto the network and rewriting your VLANs. Very powerful but dangerous command; I can see how this could take down networks easily. Just to add to this, when it comes to, let's say hypothetically, dealing with 1000 switches: I enable VTP server on 1 switch and it makes all other switches server mode. I don't want to make the other 999 switches server mode but rather client; do I have to go to every single one and change it? Doesn't that disprove the whole point of VTP?
01-01-2020 03:25 AM - edited 01-02-2020 03:28 AM
Hello
@Melvinb1981 wrote:
Good day,
Can you negate VTP once enabled? It doesn't seem like it. The only option seems to be to add a password to prevent users from plugging in their own switches onto the network and rewriting your VLANs. Very powerful but dangerous command; I can see how this could take down networks easily. Just to add to this, when it comes to, let's say hypothetically, dealing with 1000 switches.
In a production network running VTP 1-2, you could have your VTP server(s) in transparent mode so their VTP database isn't accidentally overwritten, and/or incorporate a VTP password (which, by the way, is in clear text so can be seen) as you stated.
However, as you may be aware, even switches in a VTP mode of client can still overwrite the entire VTP database on a network if these switches had pre-existing VTP configuration on them and their revision number was higher than the existing VTP server's on the network.
So to prevent unauthorized switches being attached to the network, your L2 security needs to be tightened so this is something that cannot be done easily (shut down unused ports, disable DTP for automatic trunking, define a native VLAN other than VLAN 1, BPDU guard, etc.).
I enable VTP server on 1 switch and it makes all other switches server mode,
No, this doesn't happen; you need to define the VTP mode on each switch. However, by default on a new switch, or upon a reset of the VTP database of a switch, the default VTP mode is set to server.
I don't want to make the other 999 switches server mode but rather client; do I have to go to every single one and change it? Doesn't that disprove the whole point of VTP? - You need to define the VTP mode on each switch, so if you have 1000+ switches in production all running VTP server mode then I would say that's bad administration, and without some central automation to push such a change (Cisco LMS/Prime) you would indeed need to visit each individual switch.
VTP version 3 - All switches on the network could be VTP servers; it doesn't matter, because only the designated (promoted) VTP primary server can change the VTP database, with the added benefit that the VTP password is encrypted and hidden, so switches can be added with more confidence that they are not going to overwrite the VTP database on attachment to the network.
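The reply above boils down to a few checks an administrator of many switches would want to run automatically: which switches are still in server mode without being the designated server, which are still on VTP version 1 or 2 (cleartext password, highest revision wins), and which carry a configuration revision higher than the designated server's (the overwrite-on-attach risk). The following Python script is an added example, not code from this thread or from Cisco; it parses constructed text in the style of `show vtp status` (hostnames, domain name and revision numbers are made up) and reports those conditions. Collecting the real output from each switch (for example via SSH with a library of your choice) is left to the reader.

```python
import re

# Constructed sample output in the style of `show vtp status` from three
# switches. Hostnames, domain, modes and revision numbers are invented for
# this example; they are not captures from real devices.
SAMPLE_OUTPUTS = {
    "core-sw1": """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : CORP
VTP Pruning Mode                : Disabled
VTP Operating Mode              : Server
Configuration Revision          : 42
Number of existing VLANs        : 12
""",
    "access-sw7": """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : CORP
VTP Pruning Mode                : Disabled
VTP Operating Mode              : Client
Configuration Revision          : 42
Number of existing VLANs        : 12
""",
    # A lab switch with a stale, higher revision number: exactly the case the
    # reply warns about (even a client would win against the current server).
    "lab-sw3": """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : CORP
VTP Pruning Mode                : Disabled
VTP Operating Mode              : Server
Configuration Revision          : 57
Number of existing VLANs        : 3
""",
}

# "Key : Value" lines; keys contain only letters, digits and spaces, so lines
# such as "Configuration last modified by ... at 0-0-00 00:00:00" are skipped.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(?P<value>.*?)\s*$")


def parse_vtp_status(text):
    """Turn the key/value lines of a `show vtp status` capture into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").lower()] = m.group("value")
    return fields


def _first_int(value):
    m = re.search(r"\d+", value or "")
    return int(m.group()) if m else None


def _version(fields):
    # Newer IOS prints "VTP version running", older images print "VTP Version".
    return _first_int(fields.get("vtp version running") or fields.get("vtp version"))


def _revision(fields):
    return _first_int(fields.get("configuration revision"))


def audit_vtp(outputs, designated_server):
    """Return a list of (hostname, finding) tuples describing risky VTP state.

    `outputs` maps hostname -> `show vtp status` text; `designated_server` is
    the one switch that is supposed to own the VLAN database.
    """
    parsed = {host: parse_vtp_status(text) for host, text in outputs.items()}
    ref = parsed.get(designated_server)
    if ref is None:
        raise ValueError(f"no output for designated server {designated_server}")
    ref_domain = ref.get("vtp domain name", "")
    ref_rev = _revision(ref)

    findings = []
    for host, f in parsed.items():
        mode = f.get("vtp operating mode", "").lower()
        ver = _version(f)
        rev = _revision(f)
        domain = f.get("vtp domain name", "")
        legacy = ver is not None and ver < 3
        if legacy and mode == "server" and host != designated_server:
            findings.append((host, "server mode on a non-designated switch (VTP v1/v2): "
                                   "can overwrite the domain's VLAN database"))
        if legacy:
            findings.append((host, f"running VTP version {ver}: password is cleartext "
                                   "and any higher revision wins"))
        if (rev is not None and ref_rev is not None and rev > ref_rev
                and host != designated_server and mode not in ("transparent", "off")):
            findings.append((host, f"configuration revision {rev} exceeds the designated "
                                   f"server's {ref_rev}: attaching this switch would overwrite the domain"))
        if domain != ref_domain:
            findings.append((host, f"domain '{domain}' differs from the designated server's '{ref_domain}'"))
    return findings


if __name__ == "__main__":
    for host, msg in audit_vtp(SAMPLE_OUTPUTS, "core-sw1"):
        print(f"{host}: {msg}")
```

On the constructed data the script flags lab-sw3 three times (non-designated server, legacy version, revision 57 above the server's 42) and every switch once for still running version 2; the fix for the revision finding is to reset the offending switch's VLAN database (for instance by changing its VTP domain name or putting it in transparent mode) before it is connected, and the fix for the version finding is the VTP version 3 primary-server model the reply describes.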
01-01-2020 06:15 AM