Cisco Support Community

New Member

vtp server / vtp client revision numbers

Is there a good way to protect the VLAN definition on VTP servers?

I want to ensure that VTP clients with higher revision numbers cannot overwrite the information on the VTP server.

E.g. set the definition file to read-only, etc.?

Thanks, Wolfgang

ACCEPTED SOLUTION

Re: vtp server / vtp client revision numbers

I don't agree.

There is no way to prevent the VTP database from being overridden the moment you connect a switch with a higher revision number to the VTP domain.

You just have to be careful. The best practice is to clear the revision number by changing the VTP domain name on the new switch to "something-else" and back to "your-VTP-domain" before connecting the new switch to your network.

BUT there is NO DIFFERENCE between VTP server and client from this point of view. If you have a network with one VTP server and all other switches as VTP clients, and you connect a new VTP client with a higher revision number, the VTP database on the VTP server WILL be changed!

So my recommendation is to have at least two VTP servers (one as a backup in case of hardware failure) and, once again, to be careful when connecting a new switch.

Regards,

Milan

8 REPLIES
Bronze

Re: vtp server / vtp client revision numbers

Unfortunately not. The best way is simply to have only one VTP server in a network and ensure all the other switches are VTP clients.

New Member

Re: vtp server / vtp client revision numbers

hi,

VTP clients can't write to the VTP server database. Only other VTP servers can write to another VTP server's database, if their revision number is higher.

regards,

Gurkan

Re: vtp server / vtp client revision numbers

Hi,

A VTP client CAN overwrite the VTP server database.

I've just tested it in my lab with two 3548s running IOS 12.0(5)WC5a.

I configured a VTP server on one switch and created some VLANs. The final VTP revision number was 2.

I did the same on the second switch, creating VLANs with different numbers; the final VTP revision number was 8.

I changed the second switch to VTP client. The VTP revision number remained 8.

Finally I connected these two switches via a trunk. (I simulated connecting a new switch, a VTP client with a higher revision number, to the network.)

After approximately five minutes the VTP revision number on the server changed to 8 and the VLAN database changed: VLANs which had not been defined on the client were removed, and the VLANs defined only on the client were added.

So a VTP client definitely can overwrite the VTP server database.

The most dangerous thing is the fact that even switching the power off doesn't clear the revision number and VLAN database on the Cat3548 client.

It is necessary either to clear the revision number via the steps I described in my previous message, or to delete the VLAN.DAT file from the client's flash and reboot the client switch, to be able to connect it to the production network safely.

Regards,

Milan

New Member

Re: vtp server / vtp client revision numbers

I typically use a VTP password as part of the VTP domain configuration.

If a device is plugged in and is not configured with the VTP password configured on the domain, it cannot corrupt the database.

Re: vtp server / vtp client revision numbers

What I'm trying to explain is the fact that it's necessary to be careful when connecting a new switch to a VTP domain.

Of course, if you use an incorrect password the VTP client can't change the database. It can't communicate with the other switches in the VTP domain at all.

But when you connect a client switch to the VTP domain (i.e. with the correct VTP domain name) and the new client accidentally has a higher revision number (a remnant of previous lab testing, e.g. if you are lazy and use the same VTP domain in your production network and your lab), it can rewrite your domain's VTP database the moment you configure the correct VTP password on it.

The reasonable practice is to use different VTP domains in the lab and production network and to use VTP passwords, too. And for sure double-check the VTP revision number before connecting a new switch to the network.

Some people recommend not using VTP at all (i.e. configuring all switches as transparent (or off in the latest CatOS)) and configuring VLANs manually on each switch.

Regards,

Milan
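The pre-connection checklist from the thread (inspect the revision number, zero it by renaming the domain or deleting vlan.dat, then add a VTP password and consider transparent mode), written out as Cisco IOS CLI. This is an added example, not commands posted by anyone in the thread; it uses current global-configuration syntax (older images such as the 12.0(5)WC5a mentioned above take the same `vtp` commands under `vlan database` instead), and "something-else", "your-VTP-domain" and the password are placeholders.

```cisco
! Step 1: inspect the switch BEFORE it is trunked into production.
Switch# show vtp status
! Read the "Configuration Revision" line. Anything other than 0 on a switch
! that is about to join the domain is exactly the risk described in the thread,
! and the mode line (Client/Server) does not make it safer.

! Step 2a: zero the revision counter by moving through a throwaway domain name.
! The rename itself is what resets the counter; both names are placeholders.
Switch# configure terminal
Switch(config)# vtp domain something-else
Switch(config)# vtp domain your-VTP-domain
Switch(config)# end
Switch# show vtp status
! "Configuration Revision" should now read 0.

! Step 2b (alternative): wipe the stored VLAN database and reload. Powering off
! alone does not clear it, as the lab test above showed.
Switch# delete flash:vlan.dat
Switch# reload

! Step 3: defence in depth on every switch in the domain. Advertisements whose
! MD5 digest does not match the password are ignored, which blocks an
! accidental join but NOT a switch that is later given the correct password.
Switch# configure terminal
Switch(config)# vtp password your-VTP-password

! Step 3 (alternative): opt the switch out of VTP learning entirely, keeping
! VLANs local; this is the "use transparent mode" option from the thread.
Switch(config)# vtp mode transparent

! Step 4: a second server as a backup, per the accepted answer.
Switch(config)# vtp mode server
Switch(config)# end
```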

Purple

Re: vtp server / vtp client revision numbers

Milan is correct. If you connect a client (it does not have to be a server) and it has a higher revision number, it will change the VLAN database; we got bitten by this once a long time ago.
