Thoughts on VTP Mode

cjinfantino
Level 1

Hey all,

I am redoing the network where I work and have been thinking heavily about either a transparent network or running server/client for VTP mode. I have read all the best practices telling me to use transparent. I have laid out the pros and cons but I still feel like server/client is the better way to go. The network setup that we have is 12 buildings in a town (I work for a school district) and 9 layer 3 switches throughout the district.

Thank you in advance for your thoughts.


10 Replies

francisco_1
Level 7

If you are not going to span VLANs across multiple access layer switches, then my advice is that there is no need for VTP; make all access switches transparent so you don't send unnecessary broadcast traffic down towards your access layer.

On the other hand, VTP can make life easier when managing a large VLAN database.

Francisco

Thanks for your response. On each of the layer 3 switches (4506s and 6506s) we define roughly 5-12 VLANs that are used with that portion of the network. Although for each layer 2 switch I would only need to add one VLAN when using transparent, I feel like it is more work and overhead to manage the VLANs on every switch in the network instead of just managing 8-9 L3 switches, which will then propagate the changes to the various switches within that subnetwork.

More work, but you have more control and you also prevent the risk of overwriting your VLAN database. With VTP, when adding a new switch into your network, you can easily overwrite the VLAN database depending on the VTP revision number on your switches.

Francisco

Hi,

There are pros and cons of both (transparent and client-server). In my view client-server is the better option. There is no need to worry too much about overwriting the VLAN database when adding a new/old switch to the environment. You just need to tighten up some controls, for example physical access, admin access, security and backup of the VLAN database.

Physical: who has access to the comms rack, etc.

Admin: protect/limit administrator passwords; try using user-based authentication so you know who is responsible. ACS servers are excellent.

Security: the VLAN database can be password protected; I have always used this option and have never had any failure.

Backup: make a backup of the vlan.dat file; it will come in handy if you ever need it.

Last thing: in the client-server model you should always have at least 2 servers, so that if one VTP server switch fails you still have a server. It also does not matter which VTP server switch you use to add/delete VLANs; they will sync/update. You can also promote a client to be a server if needed, as well as demote a VTP server switch to be a client.

Hope this helps

Shaheen

I'll just endorse one bit in there. If you use VTP, PASSWORD IT!

Yeah, that is one of the things I was thinking about. I guess I am just wondering what everyone else is doing. Although every written thing about VTP says transparent is the best practice... is everyone actually using transparent?

EDIT: But anyway, I really appreciate your comments, and it is nice to see how everyone else is thinking.

Thanks All

I am sure there are a hundred opinions on this. Both work well. We have a large client/server setup with like 80 VLANs in it and it's been there for like 8 years and we have never had a problem. It certainly helps if the network people have an idea what's going on with the VLAN database, etc.

If you are only having 1 or 2 VLANs per access switch, manually creating them is no great hardship.

jpoplawski
Level 1

I'm a huge VTP client/server guy. Password protect it and make sure you have knowledgeable people installing your gear. Some of the pros I like about it are: verifying your trunk links are working. If VTP propagates the VLANs to your client switches then you know your uplink/trunk is working appropriately. The other thing I like is the standardization. Adding VLANs per switch, there's more of a chance that you name a VLAN wrong, etc. More cosmetic, sure, but it sure sucks when you look at your VLANs on a switch and it shows VLAN0008. If you want to be safe(r), crank your revision number up: add/delete a VLAN a couple of times to get that revision number up there. Don't forget to enable pruning!

Cheers!

JB
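
The overwrite risk Francisco describes and the controls Shaheen and JB recommend (two servers, password, pruning, a revision check before a switch is plugged in) can be checked mechanically. The following Python audit is an added example, not code from this thread or from Cisco: it parses `show vtp status` text, audits a running client/server domain, and decides whether a spare switch is safe to trunk in. The hostnames, domain name, revisions and MD5 digests in the sample outputs are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed `show vtp status` outputs in IOS style. Hostnames, the domain
# name, revisions and digests are made up for this example.
PRODUCTION = {
    "core-6506-a": """\
VTP Version                     : 2
Configuration Revision          : 42
Number of existing VLANs        : 12
VTP Operating Mode              : Server
VTP Domain Name                 : SCHOOL
VTP Pruning Mode                : Enabled
MD5 digest                      : 0x3A 0x12 0x9F 0x00 0x11 0xC4 0xDE 0x8B
""",
    "core-4506-b": """\
VTP Version                     : 2
Configuration Revision          : 42
Number of existing VLANs        : 12
VTP Operating Mode              : Server
VTP Domain Name                 : SCHOOL
VTP Pruning Mode                : Enabled
MD5 digest                      : 0x3A 0x12 0x9F 0x00 0x11 0xC4 0xDE 0x8B
""",
    "access-bldg3-1": """\
VTP Version                     : 2
Configuration Revision          : 42
Number of existing VLANs        : 12
VTP Operating Mode              : Client
VTP Domain Name                 : SCHOOL
VTP Pruning Mode                : Enabled
MD5 digest                      : 0x3A 0x12 0x9F 0x00 0x11 0xC4 0xDE 0x8B
""",
}

# A spare switch from a lab closet: same domain name, higher revision, only
# three VLANs. Trunked in as-is, its database would replace the production one.
SPARE_SWITCH = """\
VTP Version                     : 2
Configuration Revision          : 57
Number of existing VLANs        : 3
VTP Operating Mode              : Server
VTP Domain Name                 : SCHOOL
VTP Pruning Mode                : Disabled
MD5 digest                      : 0x9E 0x01 0x44 0xAB 0xAB 0x7C 0x20 0x55
"""

FIELD = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<val>.+?)\s*$", re.M)


def parse_vtp_status(text: str) -> Dict[str, object]:
    """Extract the fields that decide whether a switch is safe to connect."""
    raw = {m.group("key"): m.group("val") for m in FIELD.finditer(text)}
    return {
        "mode": raw.get("VTP Operating Mode", "").lower(),
        "domain": raw.get("VTP Domain Name", ""),
        "revision": int(raw.get("Configuration Revision", "0")),
        "pruning": raw.get("VTP Pruning Mode", "").lower() == "enabled",
        "md5": raw.get("MD5 digest", ""),
    }


def _members(statuses):
    # Transparent switches neither advertise nor accept a database, so only
    # servers and clients count as members of the domain.
    return {h: s for h, s in statuses.items() if s["mode"] in ("server", "client")}


def audit_domain(statuses: Dict[str, Dict[str, object]]) -> List[str]:
    """Checks for a running client/server domain: at least two servers,
    one consistent database (same digest everywhere), pruning enabled."""
    members = _members(statuses)
    findings = []
    servers = [h for h, s in members.items() if s["mode"] == "server"]
    if len(servers) < 2:
        findings.append(f"only {len(servers)} VTP server(s); keep at least two")
    if len({s["md5"] for s in members.values()}) > 1:
        # The digest covers the VLAN database and the VTP password, so a
        # mismatch means one of them differs somewhere in the domain.
        findings.append("MD5 digest differs between members; database or VTP password out of sync")
    findings += [f"{h}: VTP pruning disabled" for h, s in members.items() if not s["pruning"]]
    return findings


def safe_to_add(new: Dict[str, object], statuses: Dict[str, Dict[str, object]]) -> Tuple[bool, str]:
    """Decide whether a switch can be trunked into the domain without its
    database winning: a server or client in the same domain (or with no
    domain yet, which VTP learns from the first advertisement) whose
    revision is higher overwrites every member."""
    members = _members(statuses)
    if new["mode"] == "transparent":
        return True, "transparent mode: will not advertise or accept a database"
    prod_domain = next(iter(members.values()))["domain"] if members else ""
    if new["domain"] not in ("", "NULL") and new["domain"] != prod_domain:
        return True, f"domain {new['domain']!r} differs; its advertisements are ignored"
    current = max((s["revision"] for s in members.values()), default=0)
    digests = {s["md5"] for s in members.values()}
    if new["revision"] > current or (new["revision"] == current and new["md5"] not in digests):
        return False, (f"revision {new['revision']} vs production {current}: reset it to 0 "
                       "(vtp mode transparent, then vtp mode client) before connecting")
    return True, f"revision {new['revision']} <= production {current}: will sync from the servers"
```

Paste each switch's real `show vtp status` output into the dictionary and run `audit_domain` and `safe_to_add` before every add. Setting the spare switch to `vtp mode transparent` and back to `vtp mode client` (or giving it a different `vtp domain` name) zeroes its configuration revision, which is what makes it safe; the reason "PASSWORD IT!" matters is that the password is folded into the MD5 digest, so a switch that does not hold the domain password has its advertisements rejected even when its revision is higher.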

Yes! That is my feelings exactly. Because I have no one else to bounce any ideas off of I wanted to get some opinions from other people. I am just glad I am not the only one. Thanks for your input.
