Cisco Support Community
New Member

Yes or No to VTP?

Hi all.

In a case where you are managing 100+ switches, is it ideal to run VTP or not? If not, or if you were to set all switches to Transparent mode, I imagine it would be very daunting to provision VLANs. Can anyone recommend what the best practice is?

 

Thanks.

1 ACCEPTED SOLUTION
Cisco Employee

It depends on you.

Here are a few methods from my side which I can think of:

1- Implement VTP in the initial stage, configure all the required VLANs which you want to be available on all sides, and then change it to transparent.

2- Implement VTP in transparent mode and configure VLANs on the required switches. In this way you will be configuring VLANs on the switches wherever you require them.

 

HTH

8 REPLIES
New Member

Thanks for the inputs.

 

As for #1, I believe this is where efficient planning makes much more sense. If I'm not mistaken, you are referring to provisioning all required VLANs and some "extra" or "spare" VLANs for future purposes and then setting all switches to transparent afterwards.

Cisco Employee

Yes you are correct.

 

HTH

It depends. If you take the relevant steps to secure your network and configure VTP securely, then it will be fine in my opinion.

Running VTP is a risk if you do not have a properly configured network.

We run VTP on up to 25 switches, as it would take a fairly long time to manually configure each VLAN on every switch, but our networks are not business critical.

It's entirely down to personal preference, to be honest.

Lots of people will avoid VTP due to its risks, but it depends how much administrative time you have on your hands and how many VLANs you have to configure.

New Member

Thanks for chiming in. So you're running VTP. Even though you don't have a business critical network, I believe you are still taking the necessary precautions. Aside from setting a VTP password, do you have any more security configuration in mind that relates to VTP?

The major risk when running VTP is that somebody could plug a Cisco switch running VTP in Server mode into the network, and it will overwrite the VLAN database on all your switches.

Whilst this is a risk, it's a very small one in my opinion.

Always ensure you are using a VTP domain name and password. The chances of someone knowing or guessing these are fairly small.

The most likely danger when running VTP is if someone were to get an old switch out of storage which has previously been used in the network, so has the domain name and password programmed into the config. If this switch had a higher revision number, then it could, in theory, overwrite the VLAN databases if plugged into the network.

VTP only works over trunk links; it will not send the VLAN database over an access link, so best practice is to set all your user-facing ports to be access ports (switchport mode access). That way, if any random person does plug in a Cisco switch, it would not form a trunk and would not cause a problem with VTP.

Hi. Additionally to your post:

a) Even a switch running VTP in client mode could overwrite the VLAN database on all your switches if its revision number is higher than the current one in your LAN.

b) Another example of the "VTP bomb" is the following: it could happen that somebody would disconnect a switch from a productive LAN, do some lab work on it (deleting VLANs) and then connect it back to the LAN. In that case the revision number would get increased and the VLANs would finally be deleted from the productive LAN.

Best regards,
Milan
Super Bronze

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

As Milan notes, older versions of VTP will also allow a "client" to update your VTP VLAN database. VTP v3, though, generally precludes this type of "bomb". So, using it would much better protect your VTP domain from "accidental" VLAN database resets.

However, as devils_advocate also notes, if you keep trunk ports away from user edges (and you have some kind of change management control), you reduce the chances of switches being added to the VTP domain, unintentionally resetting the VLAN database.

BTW, the VTP password really should be thought of more as something that needs to be properly configured for two switches to be within the same VTP domain, not so much as a real security feature on older VTP versions (this because, I believe, older VTP versions transmit the VTP password in the clear).

Oh, also having VTP domain name defined too, rather than running with a default, would be a good practice.
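Putting the thread's advice together, here is an added Catalyst IOS configuration fragment (not posted by anyone in this thread): VTP version 3 with an explicit domain and a hidden password, transparent mode as in the accepted answer (with the single-primary-server alternative commented out), and access-only user ports so an unexpected switch never forms a trunk. The domain name, password and interface numbers are assumptions.

```cisco
! Added example, not from any poster in this thread. Domain name,
! password and interface numbers are assumed values.
!
! VTPv3: only the one switch promoted to primary server can change the
! VLAN database; a client or secondary server with a higher revision
! number cannot, which addresses the "VTP bomb" cases described above.
vtp version 3
vtp domain CORP-VTP
! "hidden" stores the password as a hash in the configuration instead
! of cleartext (VTPv3 feature).
vtp password S3cret-Example-Only hidden
!
! Option A (accepted answer): provision the VLANs first, then stop
! participating in VTP updates on every switch.
vtp mode transparent
!
! Option B: keep VTP running. All switches use "vtp mode client" except
! one, which is configured as server and then promoted once from exec
! mode with "vtp primary vlan". Nothing else can push a VLAN database.
! vtp mode server
!
! User-facing ports: access mode and no DTP, so a switch plugged in at
! the edge never negotiates a trunk and never exchanges VTP with the LAN.
interface range GigabitEthernet1/0/1 - 44
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplinks: explicit trunks to known peers only.
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
```

Check the result with `show vtp status` (operating mode, version running, configuration revision) before connecting the switch to the production domain; the encapsulation line is only needed on platforms that also support ISL.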
