12-03-2012 12:17 AM - edited 03-07-2019 10:22 AM
My LAN is set up with default VTP settings:
core switch Cisco 6509, VTP server
access switches 2960, VTP server
no VTP domain set on any switches
no VTP password set
Until now I manually set the VLANs on the switches (I didn't see anything automatically created on the switches).
Is there any danger with the above settings, that a switch with a domain name set and a higher revision number
will delete my VLAN settings?
If yes, how can I protect/disable VTP in my LAN?
Thanks
12-03-2012 12:32 AM
Hi,
set all devices as transparent.
Regards.
Alain
Don't forget to rate helpful posts.
12-03-2012 01:43 AM
Will there be a disconnection/outage when changing this setting?
12-03-2012 02:37 AM
Hi,
What it will do is reset the configuration revision number to zero and so will change the MD5 hash; in your case I don't see which negative impact it could have (as far as I'm aware), as you'll keep your VLANs and there shouldn't be any STP recalculation.
Regards.
Alain
Don't forget to rate helpful posts.
12-23-2012 01:02 PM
Hello Alain and Jacob,
One thing to be greatly cautious of is VTP Pruning. If VTP Pruning has been active in a VTP domain, and you start reconfiguring the switches to VTP Transparent mode, the switches will stop advertising which VLANs are active or inactive. As a result, VTP Pruning will assume no VLANs are being used currently, and will prune all VLANs on trunks towards VTP Transparent switches.
It is therefore necessary to deactivate VTP Pruning if it is active, and only then start reconfiguring switches to VTP Transparent mode.
Best regards,
Peter
12-24-2012 12:03 AM
Thanks for the info.
Could you advise on the way to protect the LAN (VTP not in use, VLANs set manually)?
Which is recommended: transparent, or domain and password?
12-25-2012 04:30 PM
Hello Jacob,
When security is of utmost concern, then definitely, VTP Transparent is the way to go. Unfortunately, with a large switched domain with tens or hundreds of switches, maintaining a consistent VLAN database on each switch will become a daunting task and a burden - and a source of many troubleshooting tickets. In this case, using VTP properly secured with a password is acceptable. You have to keep in mind that even with VTP protected by passwords, any single change on a VTP Server switch will be propagated throughout your domain. The VTP password protects you against external attacks but it won't make VTP foolproof against mistakes made by the network administrator.
Best regards,
Peter
12-23-2012 11:06 AM
I read something about setting a VTP domain name and password to protect the VTP config.
Would that be a better choice (on a production environment)?
Or is setting transparent enough?
I also read something about switches set to transparent not saving the VLAN data in the vlan.dat file.
Is this a problem?
Thanks
12-26-2012 03:03 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
You don't see any propagation of VLANs? You have trunk links between them?
Any danger? Yes, if VTP is active across trunks, your current configuration sets you up for a newly introduced switch to flood your VTP topology with a new configuration.
There are two ways to mitigate this risk. First, you can deactivate VTP usage per switch by setting each switch to transparent mode (as noted by the other posters) or to off mode (a newer mode available in later IOS images). Or you can set an explicit VTP domain name and VTP password. The former will propagate, the latter needs to be set per switch. Also, if you do use VTP, it's best to only configure one switch as a VTP server.
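As an added example (not code from the thread or from Cisco), the audit below parses `show vtp status` output from several switches and flags the conditions the replies above raise: a server with a NULL domain name (the original poster's situation), more than one VTP server, and pruning still enabled, which Peter's post says must be turned off before a switch is moved to transparent mode. The switch names and the status text are constructed samples modelled on the IOS output layout.

```python
# Constructed 'show vtp status' samples, modelled on the IOS layout (not
# captured from a real switch); one entry per switch in the poster's LAN.
SAMPLES = {
    "core-6509": (
        "VTP Operating Mode              : Server\n"
        "VTP Domain Name                 : \n"
        "VTP Pruning Mode                : Disabled\n"
        "Configuration Revision          : 0\n"
    ),
    "access-2960-a": (
        "VTP Operating Mode              : Server\n"
        "VTP Domain Name                 : \n"
        "VTP Pruning Mode                : Enabled\n"
        "Configuration Revision          : 0\n"
    ),
    "access-2960-b": (
        "VTP Operating Mode              : Transparent\n"
        "VTP Domain Name                 : CORP\n"
        "VTP Pruning Mode                : Disabled\n"
        "Configuration Revision          : 0\n"
    ),
}

def parse_vtp_status(text):
    """Turn the 'Key : Value' lines of show vtp status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit(fleet):
    """Return {switch: [finding codes]} for the risks discussed in the thread."""
    servers = [n for n, f in fleet.items()
               if f.get("VTP Operating Mode", "").lower() == "server"]
    findings = {}
    for name, f in fleet.items():
        codes, mode = [], f.get("VTP Operating Mode", "").lower()
        if mode in ("server", "client") and not f.get("VTP Domain Name"):
            codes.append("null-domain")       # adopts the first domain heard on a trunk
        if mode in ("server", "client") and len(servers) > 1:
            codes.append("multiple-servers")  # any server can rewrite the whole domain
        if f.get("VTP Pruning Mode", "").lower() == "enabled":
            codes.append("pruning-enabled")   # disable before going transparent
        findings[name] = codes
    return findings

def remediation(fields):
    """Commands to take one switch out of VTP, pruning first as Peter advises."""
    cmds = []
    if fields.get("VTP Pruning Mode", "").lower() == "enabled":
        cmds.append("no vtp pruning")
    if fields.get("VTP Operating Mode", "").lower() != "transparent":
        cmds.append("vtp mode transparent")
    return cmds
```

Run `audit({n: parse_vtp_status(t) for n, t in SAMPLES.items()})` to get the per-switch findings; `remediation()` then lists the commands for each switch in the order they should be applied.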
12-27-2012 02:41 AM
Thanks.
With the above config (all switches set to server and no domain set),
should I be seeing VLAN propagation?
There are trunk links between the core and access switches.
12-27-2012 03:24 AM
Hi,
If you've got no domain configured it won't work.
Regards.
Alain
Don't forget to rate helpful posts.
12-27-2012 03:42 AM
Thought so.
Thanks