VTP Questions

Answered Question
Apr 14th, 2008

In a campus scenario where each switch will have one dedicated subnet, is there a best practice to follow to implement VTP?

I was reading in the BCMSN book that VTP pruning should not be enabled on the access layer switches. I understand that enabling VTP pruning on the VTP server will advertise that pruning needs to be enabled for the entire VTP domain. In the example above, with one subnet per switch, do you prune "all except" the switch vlan? How exactly does that work?

In a campus scenario where each access layer switch will have a dedicated subnet, should I even worry about VTP pruning or just set the "allowed vlans" on the trunk port?

Correct Answer by lamav about 8 years 9 months ago

Jason:

My personal preference is to effectively disable VTP by using Transparent mode. For a management tool that is supposed to facilitate things, I think it adds an unnecessary layer of complexity whose benefits are outweighed by its disadvantages and potential for disaster.

I know this opinion can stir a broadcast storm of responses and indignation, especially from Ciscophiles (lol), but I just thought I would share my honest opinion given my experience and exposure.

But since you did ask for a best practice recommendation, here is the recommendation from the Cisco web site.

Recommendation

There is no specific recommendation on whether to use VTP client/server modes or VTP transparent mode. Some customers prefer the ease of management of VTP client/server mode despite some considerations noted later. The recommendation is to have two server mode switches in each domain for redundancy, typically the two distribution-layer switches. The rest of the switches in the domain must be set to client mode. When you implement client/server mode with the use of VTPv2, be mindful that a higher revision number is always accepted in the same VTP domain. If a switch that is configured in either VTP client or server mode is introduced into the VTP domain and has a higher revision number than the existing VTP servers, this overwrites the VLAN database within the VTP domain. If the configuration change is unintentional and VLANs are deleted, the overwrite can cause a major outage in the network. In order to ensure that client or server switches always have a configuration revision number that is lower than that of the server, change the client VTP domain name to something other than the standard name. Then revert back to the standard. This action sets the configuration revision on the client to 0.

There are pros and cons to the VTP ability to make changes easily on a network. Many enterprises prefer the cautious approach of VTP transparent mode for these reasons:

It encourages good change control practice, as the requirement in order to modify a VLAN on a switch or trunk port has to be considered one switch at a time.

It limits the risk of an administrator error that impacts the entire domain, such as the deletion of a VLAN by accident.

There is no risk that a new switch introduced into the network with a higher VTP revision number can overwrite the entire domain VLAN configuration.

It encourages VLANs to be pruned from trunks running to switches that do not have ports in that VLAN. This makes frame flooding more bandwidth-efficient. Manual pruning is also beneficial because it reduces the spanning tree diameter (see the DTP section of this document). Before pruning unused VLANs on port channel trunks, ensure that any ports connected to IP phones are configured as access ports with voice VLAN.

The extended VLAN range in CatOS 6.x and CatOS 7.x, numbers 1025 through 4094, can only be configured in this way. For more information, see the Extended VLAN and MAC Address Reduction section of this document.

VTP transparent mode is supported in Campus Manager 3.1, part of Cisco Works 2000. The old restriction that required at least one server in a VTP domain has been removed.

HTH

Victor

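The revision-number overwrite described in the quoted recommendation is easy to check for before a switch is trunked into the domain. The following is an added example, not code from the thread or from Cisco: it parses `show vtp status` text (the sample output below is constructed, and `parse_vtp_status` / `connect_risk` are names chosen here) and flags a client/server switch whose configuration revision is not lower than the existing servers'.

```python
import re

# Constructed sample 'show vtp status' output for one distribution server
# and for a switch about to be connected; not real captures.
SERVER_A = """\
VTP Version                     : 2
Configuration Revision          : 12
VTP Operating Mode              : Server
VTP Domain Name                 : CAMPUS
VTP Pruning Mode                : Disabled
"""

NEW_SWITCH = """\
VTP Version                     : 2
Configuration Revision          : 40
VTP Operating Mode              : Client
VTP Domain Name                 : CAMPUS
VTP Pruning Mode                : Disabled
"""


def parse_vtp_status(text):
    """Pull domain, operating mode and revision out of 'show vtp status' text."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return {
        "domain": fields.get("VTP Domain Name", ""),
        "mode": fields.get("VTP Operating Mode", "").lower(),
        "revision": int(fields.get("Configuration Revision", "0")),
    }


def connect_risk(new_status, server_statuses):
    """Say whether trunking the new switch in could overwrite the domain's VLAN database."""
    new = parse_vtp_status(new_status)
    servers = [parse_vtp_status(s) for s in server_statuses]
    if new["mode"] == "transparent":
        return "safe: transparent mode never overwrites the domain"
    # A switch with a null domain adopts the first domain it hears, so only a
    # configured, different name keeps it out of the domain.
    if new["domain"] and all(new["domain"] != s["domain"] for s in servers):
        return "safe: different domain name, advertisements are ignored"
    top = max(s["revision"] for s in servers)
    if new["revision"] >= top:
        return ("DANGER: revision %d >= servers' %d; set a temporary domain name "
                "and revert it to reset the revision to 0 before connecting"
                % (new["revision"], top))
    return "safe: revision %d < servers' %d" % (new["revision"], top)
```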
Jon Marshall Mon, 04/14/2008 - 09:33

Jason

If the access-layer switch will only have one subnet, then you do not need to use trunks at all; you can simply configure it as an access port in the relevant vlan, so you are not running VTP across the links at all.

If you don't want to do that, then I would personally configure the trunks to only allow the specific vlans, which limits STP to only those allowed vlans across the trunk link.

Jon


Jason Fraioli Mon, 04/14/2008 - 09:46

Jon, Victor,

Thank you for the responses, it was exactly the feedback I needed.
