VTP Domain - Server renames other servers?

joealbergo
Level 1

I was doing some reading in my Cisco Academy Training - Chapter 4 of the Switching Fundamentals and they are going over VTP.

It showed an example where 3 VTP Servers existed. All 3 switches connected - and all three are VTP Servers (not clients). The S1 VTP Server was able to send out the VTP Domain name (Cisco) to replace "null" entries on other VTP Domain Servers.

I was just trying to understand how that is possible? I thought that only Clients could be sent information and instructions.

Why would there be 3 VTP Servers on one network? The example did not make sense....

Of course I am sure I might have overlooked something -- hope to hear from anyone who can help. Thank you in advance - your knowledge is appreciated.

-Joe

Accepted Solutions

joealbergo wrote:

Jon

So getting back to VLAN's -

Once I reach my first L3 Router - that is my boundary?

Basically outside of that router VLAN's are different.

S1>------S2>------S3>-------R1>----------S3>----S2>-----S1>

VLAN1-VLAN2-VLAN3-------------|---------VLAN4-VLAN5-VLAN6

These VLANs are not going to be able to communicate outside the R1 boundary?


Joe

Correct. In your example R1 & R2 form a limit to vlans. So even if it was vlan1-vlan2-vlan3 on both sides they would not be the same vlans.

Bear in mind when you say they can't communicate with each other over a L3 boundary, that is they can't communicate at L2. Obviously devices in vlan 2 for example could communicate with devices in vlan 5 from your above example by routing between the sites.

Jon


18 Replies

rtjensen4
Level 4

Hi Joe,

The VTP server is the one that makes the changes to the VTP domain. By default, all switches are VTP servers in the (null) VTP domain. Once a VTP server has been configured with a VTP domain, it starts sending out VTP advertisements with that domain name, and other switches that have a (null) domain join it.

VTP clients can't make updates to their local VLAN database. VTP Servers accept updates from other VTP servers in the same VTP domain. VTP clients accept updates from the VTP servers in the same VTP domain.

There is one gotcha with VTP that would allow a VTP Client to make changes to the VLAN database of the VTP Server and it has to do with the Revision number.

When there's a change to the VLAN information, the VTP revision number is incremented by one and an update is sent out. If a switch receives an update with a higher revision number, it processes the update. If the received update is lower than its revision number, it will simply ignore the message. The gotcha is that if a VTP domain has a revision number of X, and any switch is joined to the network that is configured with the same VTP domain name and its revision is higher, even if it's a VTP client, and that VTP client starts sending VTP messages... The VTP server will see the higher revision number coming from the VTP client switch and update its VLAN database. This could result in all the "Good" VLANs being replaced with junk information. It's important to ensure there is not any lingering VTP data on a switch that you're adding to the network.

HTH

Ryan.

Jon Marshall
Hall of Fame

Joe

Just to add to Ryan's post. In production network you will often find that at least 2 switches are assigned to be VTP servers. This does not create a problem for the reasons Ryan has covered but it does mean if one of the switches fails you still have an active VTP server to make your vlan updates on.

Jon

Jon

How do the servers know which information to propagate from? One or the other? Does one take precedence over the other? Like a DR/BDR type deal?

Joe

Joseph,

If having multiple VTP servers, they will synchronize to the one that has the latest revision number (no DR/BDR concept).

Federico.

Joe

As Federico says it is the highest revision number. In practice this means you can update the vlan info on either VTP server because once the switches have all been updated they should have the same VTP revision number. So if both VTP servers have the same revision number it doesn't matter which one you update because it will then have the higher revision number so all the other switches will synchronise to that one including the other VTP server.

Jon
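The revision-number behaviour Ryan describes (a stale switch with a higher revision overwriting the servers, regardless of its mode) and the two-server synchronisation Jon describes above can both be seen in a small model. The following is an added example, not code from this thread or from Cisco: it is a deliberately simplified simulation of VTP v1/v2 advertisement processing. Switch names, VLAN names, the revision number 57 and the plain-string password comparison are all assumptions made for the example (real VTP carries an MD5 digest, not the password itself), and the "sanitise by switching to transparent mode" step models the standard revision-reset behaviour.

```python
"""Simplified model of VTP (v1/v2) revision-number synchronisation.

Constructed example for illustration; it models only what the thread
describes: a switch accepts an advertisement when the domain and password
match and the advertised revision is higher than its own. The MODE of the
sender is never checked, so a stale client with a high revision overwrites
every server in the domain (the so-called "VTP bomb").
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Advertisement:
    domain: Optional[str]
    password: str            # assumption: plain string; real VTP sends an MD5 digest
    revision: int
    vlans: Dict[int, str]    # vlan id -> name


@dataclass
class Switch:
    name: str
    mode: str = "server"                 # server | client | transparent
    domain: Optional[str] = None         # None models the (null) domain
    password: str = ""
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, self.password, self.revision, dict(self.vlans))

    def set_domain(self, domain: str) -> None:
        """Changing the domain name resets the revision to 0."""
        self.domain = domain
        self.revision = 0

    def set_mode(self, mode: str) -> None:
        """Changing mode via transparent resets the revision to 0: the usual way
        to sanitise a switch before cabling it into a production domain."""
        self.mode = mode
        self.revision = 0

    def configure_vlan(self, vid: int, name: str) -> None:
        """Only servers edit the shared database (transparent edits stay local)."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot edit the VLAN database")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1

    def receive(self, adv: Advertisement) -> bool:
        """Apply an advertisement; return True if the local database changed."""
        if self.mode == "transparent":
            return False                       # forwards but does not process
        if self.domain is None and adv.domain is not None:
            self.domain = adv.domain           # null-domain switch joins the domain
        if adv.domain != self.domain or adv.password != self.password:
            return False                       # wrong domain or password: ignored
        if adv.revision <= self.revision:
            return False                       # equal or lower revision: ignored
        self.revision = adv.revision           # higher revision wins, sender mode unchecked
        self.vlans = dict(adv.vlans)
        return True


def flood(sender: Switch, others: List[Switch]) -> List[str]:
    """Deliver one advertisement from sender to every other switch."""
    adv = sender.advertise()
    return [sw.name for sw in others if sw.receive(adv)]


def build_domain() -> List[Switch]:
    """Two servers (S1, S2) and one client (S3). S1 is given the domain;
    S2 and S3 start in the (null) domain and join when they hear S1."""
    s1, s2, s3 = Switch("S1"), Switch("S2"), Switch("S3", mode="client")
    s1.set_domain("Cisco")
    s1.configure_vlan(10, "USERS")
    s1.configure_vlan(20, "SERVERS")      # S1 revision is now 2
    flood(s1, [s2, s3])                   # S2/S3 adopt domain Cisco, revision 2
    s2.configure_vlan(30, "PRINTERS")     # either server may edit: revision 3
    flood(s2, [s1, s3])                   # S1 (a server) accepts S2's higher revision
    return [s1, s2, s3]


def vtp_bomb(sanitise: bool) -> Dict[str, tuple]:
    """Add a stale CLIENT carrying revision 57 and junk VLANs to the domain.
    With sanitise=False every server is overwritten; with sanitise=True the
    stale switch is reset first and instead learns the good database."""
    fabric = build_domain()
    stale = Switch("OLD", mode="client", domain="Cisco", revision=57,
                   vlans={1: "default", 99: "JUNK"})
    if sanitise:
        stale.set_mode("transparent")     # revision -> 0
        stale.set_mode("client")
    flood(stale, fabric)                  # ignored when revision is 0, applied when 57
    flood(fabric[0], [stale])             # the real servers then update the newcomer
    return {sw.name: (sw.revision, sorted(sw.vlans)) for sw in fabric + [stale]}


if __name__ == "__main__":
    print("unsanitised:", vtp_bomb(sanitise=False))
    print("sanitised:  ", vtp_bomb(sanitise=True))
```

Running it shows the two points from the thread: after `build_domain()` both servers and the client hold the same revision (3) whichever server made the last change, and in the unsanitised case every switch, servers included, ends up with revision 57 and only VLANs 1 and 99. The `receive` method never looks at the sender's mode, which is exactly the gotcha. In practice the checks you would make before cabling a switch in are `show vtp status` for its revision number and domain, and resetting it with transparent mode or a domain-name change if either is unexpected.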

Everyone,

Forgive me however, I was taught to only use one VTP Domain Server and that you could only have one. I am fully understanding the VTP and really appreciate your replies to my post. Your time is valuable and I thank you for explaining it to me.

I want to run over just quickly and ask another question....

If I have a network, where would I want to use more than just 1 VTP Domain? Thanks again...

Joe

I think there is a misunderstanding. We are talking about 2 VTP servers for the same domain. Not 2 different domains. You are right that generally speaking you only want one VTP domain per L2 switched network.

Jon

Alright -

1 VTP Domain has how many servers?

joealbergo wrote:

Alright -

1 VTP Domain has how many servers?

Joe

As a general rule in production networks you have 2 VTP servers per VTP domain.

Jon

Joseph,

As Jon said.... usually 1 VTP server per domain, however you can have two (or more) for redundancy.

Federico.

Okay so two servers or more for redundancy - got it.

Then how about splitting up the Domain, what situation would cause for more then one Domain?

Joe

You generally wouldn't split up your VTP domain. You could end up with multiple VTP domains in the same company if your company merges with another one and you have to integrate 2 VTP domains into one.

But it's important to realise that a VTP domain is only relevant at L2. So at the last place I worked we had multiple sites and all the sites were connected by L3 routed links. Each site had its own VTP domain so we had multiple VTP domains within the network but each VTP domain was independent of any of the others and separated by a L3 link.

However there may be times when you would want separate VTP domains within the same L2 network for security reasons ie. you don't want the same vlans on all switches but if you need that you may as well use VTP transparent mode and explicitly configure each switch with the vlans you want.

Jon

I understand the placement of VTP Domains and when I can separate them.

Your example really made a lot of sense to me.

--If I am trying to be extra secure with my VLAN setup I can:

     1. Set up VLANs (xx) and (xxx) on one group of switches

     2. This group of switches will be separate and have their own VTP Domain.

-and-

     3. Set up VLANs (aa) and (aaa) on another group of switches

     4. These will have their own VTP Domain as well.

Complete separation of VLANs - easier to manage perhaps in case of an outage.

-------------------------------------------------------------------------------------------------------

If I was working with different sites, each site will have different cable and equipment setups so I would have to maintain VTP Domains at each site.

If separated at a Level 3 Router at each site - I can still communicate through the VLANs - just my VTP Domains will be controlled by the Server dedicated to each site.

I think I'm following...

Joe

If I was working with different sites, each site will have different cable and equipment setups so I would have to maintain VTP Domains at each site.

Whether you need to run different VTP domains at each site depends on the connectivity between sites ie. if they are L2 connections then yes you could run a common VTP domain. If L3 you can't.

If separated at a Level 3 Router at each site - I can still communicate through the VLANs - just my VTP Domains will be controlled by the Server dedicated to each site.

If 2 sites are separated by a L3 link you can't have the same vlan in both places. You can use the same vlan number but they won't be the same L2 vlan.

If you really want to be secure you are better looking to use VTP transparent which gives you ultimate control over which vlans are on which switch.

Jon
