to VTP or not to VTP

catthrasher
Level 1

This may sound funny, but I am in an environment that does NOT have a VTP domain. I have 2 6509s and multiple stacked 3750s at the edge. Why would my predecessor not design or implement a VTP domain? Are there pros and cons? I've always had VTP running in the enterprises I manage. Thanks for your input.

9 Replies

lamav
Level 8

Hi:

I don't know why your predecessor did not configure a VTP domain, but I can share with you my own thoughts about VTP.

My personal preference is to effectively disable VTP by using Transparent mode. A VTP transparent mode switch does not require a VTP domain name.

For a management tool that is supposed to facilitate things, I think it adds an unnecessary layer of complexity whose benefits are outweighed by its disadvantages and potential for disaster.

I know this opinion can stir a broadcast storm of responses and indignation, especially from Ciscophiles (lol), but I just thought I would share my honest opinion given my experience and exposure.

But if you're interested in the official Cisco viewpoint regarding a best practice, read the following from their website.

Recommendation

There is no specific recommendation on whether to use VTP client/server modes or VTP transparent mode. Some customers prefer the ease of management of VTP client/server mode despite some considerations noted later. The recommendation is to have two server mode switches in each domain for redundancy, typically the two distribution-layer switches. The rest of the switches in the domain must be set to client mode. When you implement client/server mode with the use of VTPv2, be mindful that a higher revision number is always accepted in the same VTP domain. If a switch that is configured in either VTP client or server mode is introduced into the VTP domain and has a higher revision number than the existing VTP servers, this overwrites the VLAN database within the VTP domain. If the configuration change is unintentional and VLANs are deleted, the overwrite can cause a major outage in the network. In order to ensure that client or server switches always have a configuration revision number that is lower than that of the server, change the client VTP domain name to something other than the standard name. Then revert back to the standard. This action sets the configuration revision on the client to 0.

There are pros and cons to the VTP ability to make changes easily on a network. Many enterprises prefer the cautious approach of VTP transparent mode for these reasons:

It encourages good change control practice, as the requirement in order to modify a VLAN on a switch or trunk port has to be considered one switch at a time.

It limits the risk of an administrator error that impacts the entire domain, such as the deletion of a VLAN by accident.

There is no risk that a new switch introduced into the network with a higher VTP revision number can overwrite the entire domain VLAN configuration.

It encourages VLANs to be pruned from trunks running to switches that do not have ports in that VLAN. This makes frame flooding more bandwidth-efficient. Manual pruning is also beneficial because it reduces the spanning tree diameter (see the DTP section of this document). Before pruning unused VLANs on port channel trunks, ensure that any ports connected to IP phones are configured as access ports with voice VLAN.

The extended VLAN range in CatOS 6.x and CatOS 7.x, numbers 1025 through 4094, can only be configured in this way. For more information, see the Extended VLAN and MAC Address Reduction section of this document.

VTP transparent mode is supported in Campus Manager 3.1, part of Cisco Works 2000. The old restriction that required at least one server in a VTP domain has been removed.

HTH

Victor
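An added check, not from the thread or from Cisco, that applies the recommendation quoted above to `show vtp status` output: it parses the key/value lines, expects exactly two servers in one domain, and flags any non-server switch whose configuration revision is higher than the servers', since that is the switch that would overwrite the domain's VLAN database. The three status dumps are constructed samples, not real devices.

```python
# Constructed sample `show vtp status` output from three switches (not real devices);
# only the fields the audit needs are included.
VTP_STATUS = {
    "dist-1": """VTP Version                     : running VTP2
Configuration Revision          : 14
VTP Operating Mode              : Server
VTP Domain Name                 : CORP
MD5 digest                      : 0x1A 0x2B 0x3C 0x4D 0x5E 0x6F 0x70 0x81""",
    "dist-2": """VTP Version                     : running VTP2
Configuration Revision          : 14
VTP Operating Mode              : Server
VTP Domain Name                 : CORP
MD5 digest                      : 0x1A 0x2B 0x3C 0x4D 0x5E 0x6F 0x70 0x81""",
    "edge-7": """VTP Version                     : running VTP2
Configuration Revision          : 37
VTP Operating Mode              : Client
VTP Domain Name                 : CORP
MD5 digest                      : 0x9F 0x8E 0x7D 0x6C 0x5B 0x4A 0x39 0x28""",
}

def parse_vtp_status(text):
    """Turn the 'Key : Value' lines of `show vtp status` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit(statuses, expected_servers=2):
    """Apply the quoted recommendation: exactly two servers per domain, everything
    else a client, one domain name, and no non-server switch carrying a configuration
    revision above the servers' (it would overwrite their VLAN database)."""
    parsed = {name: parse_vtp_status(raw) for name, raw in statuses.items()}
    findings = []
    servers = {n: f for n, f in parsed.items() if f["VTP Operating Mode"] == "Server"}
    if len(servers) != expected_servers:
        findings.append(f"expected {expected_servers} servers, found {len(servers)}: {sorted(servers)}")
    domains = {f["VTP Domain Name"] for f in parsed.values()}
    if len(domains) > 1:
        findings.append(f"more than one VTP domain seen: {sorted(domains)}")
    server_rev = max((int(f["Configuration Revision"]) for f in servers.values()), default=0)
    for name, f in parsed.items():
        rev = int(f["Configuration Revision"])
        if name not in servers and rev > server_rev:
            findings.append(f"{name}: revision {rev} exceeds server revision {server_rev}; "
                            "reset it (change and revert the domain name) before trunking")
    return findings
```

Running `audit(VTP_STATUS)` reports only edge-7, the client whose revision 37 is above the servers' 14.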

Hi,

It's good to be aware of the pros and cons of a technology. But then it's the choice of the administrator to decide what to put in use and what not to. VTP and CDP are much debated topics in our field. Some can't live without them and some don't want to think of them.

Victor has already shared the necessary information.

I have around 50 switches in my network. Every time a user comes up with a new environment, I need to create a separate VLAN for them. If I don't have VTP, then I'll have to manually create the same VLAN on all 50 switches in order to have them in sync. VTP helps avoid this rework on multiple switches. For security, you can use MD5 authentication with VTP.

Believe me, it saves a lot of work.

Thank you for your lengthy response. I appreciate the point of view and I never really considered the "cons". I just know it's so much easier to use VTP. Thanks again.

Cat

1. Design the VLAN and network allocation for the access switches.
ALLOCATION: WHO, WHERE, WHAT
==================================================================================
2. Connect all (test) devices to the right ports. (Think of the range.)
AS(config)# interface range fa 0/1-8 (example)
AS(config-if-range)# switchport access vlan 10 (example)
==================================================================================
3. Configure VTP. Divide up the server and the clients and create all VLANs on the server.
MLS(config)# interface range fa 0/1-5
MLS(config-if-range)# switchport trunk encapsulation dot1q
MLS(config)# vtp domain <name>
MLS(config)# vlan 10
MLS(config-vlan)# name inkoop
Do this for all VLANs.
AS(config)# vtp mode client
AS(config)# interface gi 0/1
AS(config-if)# switchport mode trunk
==================================================================================
4. Configure all IP addresses (set the gateways on the interface vlan) + gateways and DNS server. MLS to router, router to MLS (int gig0/0: no switchport on the MLS). (And NAT, but do that later.)
MLS below the router
DS-BE(config)# interface vlan 10
DS-BE(config-if)# ip address <gateway of the VLAN> <mask>

DS-BE(config)# interface gig 0/1 (example)
DS-BE(config-if)# no switchport (example)
DS-BE(config-if)# no shutdown (example)
DS-BE(config-if)# ip address <the IP you are given> <mask>
Router above the MLS
GW-BE(config)# interface gig 0/1 (the one going to the router)
GW-BE(config-if)# no shutdown
GW-BE(config-if)# ip address <the IP you are given> <mask>
GW-BE(config)# interface gig 0/2 (the one going to the modem)
GW-BE(config-if)# no shutdown
GW-BE(config-if)# ip address dhcp
GW-BE(config)# interface gig <the one going to the modem>
GW-BE(config-if)# ip nat outside
GW-BE(config)# interface gig <the one going to the MLS>
GW-BE(config-if)# ip nat inside
GW-BE(config)# access-list 1 permit any
GW-BE(config)# ip nat inside source list 1 interface <THE ONE GOING TO THE MODEM> overload

==================================================================================
5. Route all internal networks where needed. (On the MLS, turn on ip routing.)
GW-BE(config)# ip route <VLAN network> 255.255.255.0 <IP address of DS-BE, i.e. the MLS>
Do this for every VLAN.
DS-BE(config)# ip routing
DS-BE(config)# ip route 0.0.0.0 0.0.0.0 <IP address of GW-BE>

==================================================================================
6. Configure the DHCP servers for all clients. (ip dhcp pool on the MLS)
MLS(config)# ip dhcp pool v10
MLS(dhcp-config)# network <VLAN 10 network, last octet .0> <mask>
MLS(dhcp-config)# default-router <gateway of VLAN 10>
MLS(dhcp-config)# dns-server <200.0.0.10>

==================================================================================
7. Configure the web server, spanning tree and DMZ (access list).
Web server DMZ
Go to Webserver Nederland -----> click http ------> then click index, copy the whole script and paste it into the index of the web server that sits in the DMZ.

Spanning tree:
Run a cable from AS1 to AS2 and get it into backup:
Go to the MLS and set the bridge priority to 4096.

==================================================================================
8. Configure telnet (username Beheer) for all systems that need to be brought under management.
On the router
Management account
GW-BE(config)# username Beheer privilege 15 password (whatever is requested)
GW-BE(config)# line vty 0 4
GW-BE(config-line)# login local

On the switch
DS-BE(config)# interface vlan 99
DS-BE(config-if)# ip address (give a management IP here; every switch gets its own. Example: AS1 gets 192.168.99.5 and AS2 gets 192.168.99.6)

DS-BE(config)# username Beheer privilege 15 password (whatever is requested)
DS-BE(config)# line vty 0 4
DS-BE(config-line)# login local

ENABLE PASSWORD EVERYWHERE (wherever it is asked for)
Switch(config)# enable password (the password that is given)

==================================================================================
9. Add the wireless networks where needed.
-.- D:< O_O
==================================================================================
10. Configure the VPN connection. Because traffic will now also leave the private networks, default static routes are needed.
GRE tunnel
GW-BE(config)# interface tunnel 1
GW-BE(config-if)# ip address <private IP address for the GRE tunnel> <mask>
GW-BE(config-if)# tunnel source (own interface that goes to the internet)
GW-BE(config-if)# tunnel destination (public IP address of the other side)

(Do this for the NL-side router too.)

GW-BE(config)# ip route 0.0.0.0 0.0.0.0 <IP of the ISP>
GW-BE(config)# ip route <network of the other side> <subnet mask> <private tunnel IP of the other side>

Do this for both sides.

==================================================================================
Port security
Switch(config)# interface range fa 0/24 (management interface)
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport port-security (enables the feature)
Switch(config-if-range)# switchport port-security maximum 1
Switch(config-if-range)# switchport port-security violation shutdown
Switch(config-if-range)# switchport port-security mac-address sticky

--------------------------------------------------------------------------------------------------------------------------------------
Internal ports
80 (http)
443 (https)
53 (dns)
#show vlan brief
#show vtp status
#show running-config


Prefix  Addresses  Hosts  Netmask          Amount of a Class C
/30     4          2      255.255.255.252  1/64
/29     8          6      255.255.255.248  1/32
/28     16         14     255.255.255.240  1/16
/27     32         30     255.255.255.224  1/8
/26     64         62     255.255.255.192  1/4
/25     128        126    255.255.255.128  1/2
/24     256        254    255.255.255.0    1
/23     512        510    255.255.254.0    2
/22     1024       1022   255.255.252.0    4
/21     2048       2046   255.255.248.0    8
/20     4096       4094   255.255.240.0    16
/19     8192       8190   255.255.224.0    32
/18     16384      16382  255.255.192.0    64
/17     32768      32766  255.255.128.0    128
/16     65536      65534  255.255.0.0      256

Yo, nothing to be done about it.

YOOOOOOOOOOOOO LOOOOK THENNN

Backups for routers and switches

First go to the server and enable TFTP under Services (it should already be on).

Step 1. Go to the router/switch whose config you want to copy.

Step 2. In enable mode, enter #copy running-config tftp: (not in the terminal).

Step 3. It asks for the IP of the server; type it in (the IP of the cable that is connected there). Then it asks for a name; it does not matter what you put there as long as you know which is which.


Just out of curiosity, what is this discussion about ?

Georg, you might try one of the free on-line translation programs. The last couple of postings appear to be in Dutch.

Hello Joseph,

actually, I am Dutch (sort of), but I was just wondering what this post is about. The original question is from 2008 and is about VTP. Then some replies have been added (now, 13 years later) which seem to answer a completely different question, so it looks like something has been mixed up...

HansBakker420
Level 1

OSPF = shortest router.

Internet router(config)# router ospf <process-id>
Internet router(config-router)# network <IP of every network connected to it (just like RIP)> <wildcard> area 0

ip helper address: on the MLS

MLS(config)# interface <number>
MLS(config-if)# ip helper-address <IP of the server/web server>

access-list <number> permit udp any any eq bootps