VTP Settings

Jacob Berger
Level 2

My LAN is set up with default VTP settings:

core switch Cisco 6509: VTP server

access switches 2960: VTP server

no VTP domain set on any switches

no VTP password set

Until now I manually set the VLANs on the switches (I didn't see anything automatically created on the switches).

Is there any danger with the above settings that a switch with a domain name set and a higher revision number will delete my VLAN settings?

If yes, how can I protect/disable VTP in my LAN?

thanks

11 Replies

cadet alain
VIP Alumni

Hi,

Set all devices as transparent.

Regards.

Alain

Don't forget to rate helpful posts.

Will there be a disconnection/outage when changing this setting?

Hi,

What it will do is reset the configuration revision number to zero and so will change the MD5 hash. In your case I don't see which negative impact it could have (as far as I'm aware of), as you'll keep your VLANs and there shouldn't be any STP recalculation.

Regards.

Alain

Don't forget to rate helpful posts.

Hello Alain and Jacob,

One thing to be greatly cautious of is VTP Pruning. If VTP Pruning has been active in a VTP domain and you start reconfiguring the switches to VTP Transparent mode, the switches will stop advertising which VLANs are active or inactive. As a result, VTP Pruning will assume no VLANs are currently being used, and will prune all VLANs on the trunks towards the VTP Transparent switches.

It is therefore necessary to deactivate VTP Pruning if it is active, and only then start reconfiguring switches to VTP Transparent mode.

Best regards,

Peter

Thanks for the info.

Could you advise about the way to protect the LAN (VTP not in use, VLANs set manually)?

Which is recommended: transparent, or domain and password?

Hello Jacob,

When security is of utmost concern, then definitely, the VTP Transparent is the way to go. Unfortunately, with a large switched domain with tens or hundreds of switches, maintaining a consistent VLAN database on each switch will become a daunting task and a burden - and a source of many troubleshooting tickets. In this case, using VTP properly secured with a password is acceptable. You have to keep in mind that even with VTP protected by passwords, any single change on a VTP Server switch will be propagated throughout your domain. The VTP password prevents you against external attacks but it won't make the VTP foolproof against mistakes done by the network administrator.

Best regards,

Peter

I read something about setting a VTP domain name and password to protect the VTP config.

Would that be a better choice (on a production environment)?

Or is setting transparent enough?

I also read something about transparent-mode switches not saving the VLAN data in the vlan.dat file.

Is this a problem?

Thanks

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

You don't see any propagation of VLANs? You have trunk links between them?

Any danger? Yes, if VTP is active across trunks, your current configuration sets you up for a newly introduced switch to flood your VTP topology with a new configuration.

There are two ways to mitigate this risk. First, you can deactivate VTP usage per switch by setting each switch to transparent mode (as noted by the other posters) or to off mode (a newer mode available in later IOS images). Or you can set an explicit VTP domain name and VTP password. The former will propagate, the latter needs to be set per switch. Also, if you do use VTP, it's best to only configure one switch as a VTP server.
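The two mitigations described in this post, together with Peter's pruning caveat above, as an added IOS configuration example (not from any poster in this thread). The hostnames, the domain name MYLAN and the password are placeholders.

```text
! Added example, not from any post in this thread. Hostnames, the domain
! name MYLAN and the password are placeholders; substitute your own values.

! --- Starting point (the original poster's situation): factory defaults ---
! Every switch is a VTP server with no domain and no password, so the first
! advertisement carrying a domain name and a higher revision is accepted.
!   VTP Operating Mode : Server
!   VTP Domain Name    : <empty>
!   VTP Password       : <none>

! --- Option A: take VTP out of the picture (VLANs stay configured by hand) ---
! 1. If pruning is enabled in the domain, turn it off on the server FIRST;
!    otherwise trunks towards freshly converted transparent switches get pruned.
core6509(config)# no vtp pruning
! 2. Then convert each switch. Its configuration revision is reset to 0 and
!    the locally configured VLANs are kept.
access2960(config)# vtp mode transparent
! On newer IOS images "off" is also available; unlike transparent mode it does
! not relay VTP advertisements received on trunks.
access2960(config)# vtp mode off

! --- Option B: keep VTP, but with one server, a domain and a password ---
! The domain name propagates over trunks once set; the password has to be
! entered on every switch and feeds the MD5 digest that validates updates.
core6509(config)# vtp domain MYLAN
core6509(config)# vtp password Example-VTP-Secret
core6509(config)# vtp mode server
access2960(config)# vtp domain MYLAN
access2960(config)# vtp password Example-VTP-Secret
access2960(config)# vtp mode client

! --- Check on every switch: mode, domain, revision and whether a password is set ---
access2960# show vtp status
access2960# show vtp password
```

In `show vtp status`, confirm the Operating Mode, Domain Name and Configuration Revision match what you intended before trusting the change.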

Thanks.

With the above config (all switches set to server and no domain set), should I be seeing VLAN propagation?

There are trunk links between the core and access switches.

Hi,

If you've got no domain configured it won't work.

Regards.

Alain

Don't forget to rate helpful posts.

Thought so.

Thanks