What is the purpose of the command

Unanswered Question
Aug 8th, 2007

What is the purpose of the command shown below?

vtp password Cisco

A. It allows two VTP servers to exist in the same domain, each configured with different passwords.

B. It is the password required when promoting a switch from VTP client mode to VTP server mode.

C. It is used to prevent a switch newly added to the network from sending incorrect VLAN information to the

other switches in the domain.

D. It is used to validate the sources of VTP advertisements sent between switches.

E. It is used to access the VTP server to make changes to the VTP configuration.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.3 (3 ratings)
Loading.
Sundayfat Thu, 08/09/2007 - 00:39

Hi

Many thanks for the response. Anyway, some popular opinion seems to have a different answer from the one you have.

Actually, I've chosen the same one as you : Answer C. But, some authority says it's incorrect.

Pavel Bykov Thu, 08/09/2007 - 00:38

Well, actually C is not correct answer. It is possible all the other switches in VTP domain also use this password, so then it wouldn't stop VTP server to send information. Also, it does not say that the switch is SERVER. Only servers can send information. It could be client.

Correct answer is D.

You set up VTP password to authenticate devices in your VTP domain. Device without correct password does not enter VTP.

Here is description of VTP password:

http://www.cisco.com/en/US/customer/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml#vtp_pw

ankbhasi Thu, 08/09/2007 - 01:07

Hi Slidersv,

C cannot be wrong as any new switch comes into the network can send a wrong vlan information let it be client or server and if it has higher revision number all switches in network will update themselves.

So if your switches are configured with VTP password any new switch connected to the network will still send an update but your switches may not accept because of password mismatch.

Now answer D can be right because only switches configured with correct VTP password can exchange VLAN information and update themselves so we can say it validates the sources.

Answer D is correct does not mean answer C is wrong and authority which says it is wrong need to recheck the doc.

Regards,

Ankur

Sundayfat Thu, 08/09/2007 - 01:24

Hi Ankur,

Very good explanation there. I'd thought as much but, when Cisco Authority has chosen answer D; who am I, to dispute that? I have found your explanation very convincing, though

ankbhasi Thu, 08/09/2007 - 01:34

Hi Sundayfat,

Can you please fwd me the doc. and answer which says C is wrong, I will take it up further.

Regards,

Ankur

Sundayfat Thu, 08/09/2007 - 01:49

Hi Ankur,

Not really a doc. But, some CCNA certified were discussing that, around here. They're 2 camps of Answer C & D anyway. So, sorry no docs.

Pavel Bykov Thu, 08/09/2007 - 05:03

Hello Ankur and Sunday.

Imagine that the switch we are talking about is a server, with a lot of bad VLANs configured and a low revision number. The VTP domain in our network uses password "Cisco".

We connect that switch to our network, and BOOM, all of our information is deleted, and rewritten by the information in the new switch.

The point is, we don't know where we are connecting the switch - it's not specified in the question. So we cannot assume ANY scenario, and cannot be sure of anything. There is a good chance that our VTP does not use password Cisco, but what if it does? We just don't know that. Also, what if the switch is a client? We can't know that for sure either.

So we need to work with what we can be absolutely sure about.

We are sure about the purpose of the command - to secure our VTP sources.

That's the Cisco logic. And that's why they ask for the "Best Answer". That's the answer that will work in every case, not only with certain assumptions.

Hope this clears my answer.

Regards,

Pavlo

ankbhasi Thu, 08/09/2007 - 07:10

Hi Pavlo,

Taking your example if you connect a new switch which is a VTP server with some bad vlan information with LOW REVISION number first my question is WHY will your network update itself with the VTP information which has low revision number?

Now it really does not matter if new switch is a server or a client, whatever mode it is if it has a higher revision number than the server existing in network they will update themselves even if new switch added is in VTP client mode.

Now if you have VTP password configured in your network and any new switch comes into network none of the switches willl update themselves if there is a password mismatch and that is what explained in answer C.

Hope I clear my answer.

Regards,

Ankur

Francois Tallet Thu, 08/09/2007 - 12:51

Ankur, I'd vote also for D.

You can technically insert a new switch with the same password, a higher revision and a different vlan database in the network. I don't mean this is likely or makes sense, but this is possible and it will wipe out the current configuration in place in the VTP domain. In this regard, C is wrong.

Beside the propagation of the information for 4k vlan, this problem was one of the main reason for VTP3. I perfectly agree with you that the password make the scenario much less likely (I think the typical issue we had was an operator inserting a spare with the configuration from another network with a higher revision).

Regards,

Francois

ankbhasi Thu, 08/09/2007 - 21:22

Hi Francois,

If we are presuming the password of the newly inserted switch matches the password we have in network then there is no use of password like thing.

Then we should also presume for option D that even if password is same there can be mismatch domain name so not only password is required to validate the source of vtp traffic , domain name should also match and in option D it never says domain name is same.

So I believe the main reason for having password in VTP network is that no new or unauthorized switch should populate its bad vlan database which is true from option C and this answer also lead to answer D which says to validate the source. So when I am validating source I am also not allowing new switches with wrong password to get into my VTP network.

Keeping all the presumptions aside I believe C and D both are correct.

Regards,

Ankur

Pavel Bykov Fri, 08/10/2007 - 03:15

Hello Ankur.

I accidentally wrote low revision number instead of high revision number in my previous post.

Ok, how about this logic:

C is correct, except the circumstance when new switch is configured with correct domain name, it's configured as a server, it has correct VTP password as the rest of the VTP domain (Cisco) and has a very high revision number.

D is correct under any circumstance.

Using this logic, the best answer is D, since it is correct unconditionally.

Actions

This Discussion