VTP Question

Futura Member Posts: 191
My Experiment:

I sent up two switches and added some different vlans to each.

I plugged them together and created a trunk port on each.

I was waiting for the one with the newest revision number to overwrite the other vlan database.

It never happened until I set the VTP Domain name on one of the switches.

Is this normal?

Thanks for any input.

Comments

  • Chipsch Member Posts: 114
    Futura wrote: »
    My Experiment:

    I sent up two switches and added some different vlans to each.

    I plugged them together and created a trunk port on each.

    I was waiting for the one with the newest revision number to overwrite the other vlan database.

    It never happened until I set the VTP Domain name on one of the switches.

    Is this normal?

    Thanks for any input.

    It is actually perfectly normal. In order for VTP to propagate its VLAN database there are some requirements that must be met. You must have at least one switch set as a Server (the default) as well as having a domain name configured.

    That being said, I highly recommend using a password also in your VTP domain. I think we have all heard the horror stories of a rogue switch propagating a new VTP database when connected to the network via a worker's cubicle. This can aid in the prevention of that, but then again if it is an end user jack why not just have spanning-tree bpduguard in place to stop that?
  • alan2308 Member Posts: 1,854
    Yes, perfectly normal as Chipsch already described.

    Now try this:
    Configure a vtp domain name on one switch and leave the second without one.
    Configure a few VLANs on the switch with the domain name configured.
    Configure a trunk between the two.
    Now go to the switch that you didn't configure a domain name on and do a "show vtp status" then a "show vlan" and see what the output of those two commands tells you.
    If resources allow, try this with a switch in VTP transparent mode between the two.
  • Futura Member Posts: 191
    Awesome,

    So if they both have blank or different domain names they will not propagate.

    If one has a domain name and the other is blank, the one with the domain will propagate over.

    If they have the same name and the trunks are set up after, then the highest revision will propagate.

    Spent all day messing with this, heads a bit clearer now.

    thanks guys

    Another experiment was to have no trunks set up, create 4 different VLANs on each switch, set the domain to be the same on each switch, make sure the revision number was 0 on each switch and then enable the trunks. They did not propagate even though they had the same domain name.
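    The acceptance rules Chipsch and Futura describe above (same domain required, a blank-domain switch adopts the first domain it hears, only a strictly higher revision number overwrites the database, and a VTP password protects against a rogue switch) can be modelled in a few lines. The following is an added example written for this thread, not code from any of the posters or from Cisco; the switch names, VLAN numbers, password and the simplified MD5 digest layout are constructed for illustration (the real VTP digest is computed over the packet contents differently, but the property shown, that a receiver using a different password computes a different digest and rejects the update, is the same).

```python
"""Toy model of VTP v1/v2 summary-advertisement acceptance (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Switch:
    name: str
    mode: str = "server"              # "server", "client" or "transparent"
    domain: Optional[str] = None      # None: no "vtp domain" configured yet
    password: Optional[str] = None    # None: no "vtp password" configured
    revision: int = 0
    vlans: Set[int] = field(default_factory=lambda: {1})

    def add_vlan(self, vid: int) -> None:
        """Create a VLAN locally; only a server bumps the revision number."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot create VLANs")
        self.vlans.add(vid)
        if self.mode == "server":
            self.revision += 1

    @staticmethod
    def digest(domain: str, revision: int, vlans: Set[int], password: Optional[str]) -> str:
        """Simplified stand-in for the VTP MD5 digest (constructed layout)."""
        payload = f"{domain}|{revision}|{sorted(vlans)}|{password or ''}"
        return hashlib.md5(payload.encode()).hexdigest()

    def summary(self) -> Optional[dict]:
        """Summary advertisement sent out trunk ports; None if nothing is sent."""
        if self.domain is None or self.mode == "transparent":
            return None   # null-domain and transparent switches originate nothing
        return {
            "domain": self.domain,
            "revision": self.revision,
            "vlans": set(self.vlans),
            "digest": self.digest(self.domain, self.revision, self.vlans, self.password),
        }

    def receive(self, adv: Optional[dict]) -> str:
        """Apply the acceptance rules to a received summary; return the outcome."""
        if adv is None:
            return "nothing advertised"
        if self.mode == "transparent":
            return "transparent: forwarded, not applied"
        adopted = ""
        if self.domain is None:
            self.domain = adv["domain"]   # a blank-domain switch adopts the first domain it hears
            adopted = "adopted domain; "
        if adv["domain"] != self.domain:
            return "rejected: domain mismatch"
        expected = self.digest(adv["domain"], adv["revision"], adv["vlans"], self.password)
        if expected != adv["digest"]:
            return adopted + "rejected: MD5 digest mismatch (password differs)"
        if adv["revision"] <= self.revision:
            return adopted + "ignored: revision not higher"
        self.vlans = set(adv["vlans"])
        self.revision = adv["revision"]
        return adopted + f"overwritten to revision {adv['revision']}"


def trunk_up(a: Switch, b: Switch) -> Tuple[str, str]:
    """Bring up a trunk between two switches: each side hears the other's summary."""
    adv_a, adv_b = a.summary(), b.summary()   # capture both before either side changes
    return a.receive(adv_b), b.receive(adv_a)


if __name__ == "__main__":
    prod = Switch("PROD", domain="CORP", password="s3cret")
    for v in (10, 20, 30):
        prod.add_vlan(v)                      # revision climbs to 3
    rogue = Switch("LAB-SW", domain="CORP", revision=40, vlans={1, 99})
    print("rogue without password:", trunk_up(prod, rogue))
    rogue.password = "s3cret"
    print("rogue with password:   ", trunk_up(prod, rogue), sorted(prod.vlans))
```

    Running the demo shows the two sides of Chipsch's point: the rogue switch with the right domain but no password is rejected on the digest check, while the same rogue with the right password and a higher revision wipes the production VLAN list down to its own. Futura's "revision 0 on both sides" case also falls out of the rules: an advertisement whose revision is not strictly higher than the receiver's is ignored.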
  • CodeBlox Member Posts: 1,363
    Chipsch wrote: »
    It is actually perfectly normal. In order for VTP to propagate its VLAN database there are some requirements that must be met. You must have at least one switch set as a Server (the default) as well as having a domain name configured.

    That being said, I highly recommend using a password also in your VTP domain. I think we have all heard the horror stories of a rogue switch propagating a new VTP database when connected to the network via a worker's cubicle. This can aid in the prevention of that, but then again if it is an end user jack why not just have spanning-tree bpduguard in place to stop that?
    Can I ask why bpduguard would stop VTP updates? I thought bpduguard was used to prevent spanning tree BPDUs from entering an access interface's designated port.

    EDIT: OOHH wait, it (the rogue switch) won't be a part of the spanning tree without the propagation of BPDUs, right? Right? :)
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • pitviper Member Posts: 1,376
    CodeBlox wrote: »
    Can I ask why bpduguard would stop VTP updates? I thought bpduguard was used to prevent spanning tree BPDUs from entering an access interface's designated port.

    It doesn't, but it will shut down the switchport if it detects a switch on the other end of the link, (assuming that the rogue switch is even running spanning tree). But the question is, does this happen before the damage is done? I never tried it myself.
    CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
  • CodeBlox Member Posts: 1,363
    Just tried it. Port shuts down immediately. The port will be in a secure-down state.
    Switch#show port-security int fa0/1
    Port Security              : Disabled
    Port Status                : Secure-down
    Violation Mode             : Shutdown
    Aging Time                 : 0 mins
    Aging Type                 : Absolute
    SecureStatic Address Aging : Disabled
    Maximum MAC Addresses      : 1
    Total MAC Addresses        : 0
    Configured MAC Addresses   : 0
    Sticky MAC Addresses       : 0
    Last Source Address:Vlan   : 0000.0000.0000:0
    Security Violation Count   : 0
    Switch#
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • Chipsch Member Posts: 114
    It does indeed work, use it on most end user facing ports personally. I have the pleasure of working in an environment where people just feel the need to hook up switches at their desk. The look on their faces when they realize not only did the switch not work but now they don't work because they violated policy.....tsk tsk tsk.
  • pitviper Member Posts: 1,376
    Chipsch wrote: »
    It does indeed work, use it on most end user facing ports personally. I have the pleasure of working in an environment where people just feel the need to hook up switches at their desk. The look on their faces when they realize not only did the switch not work but now they don't work because they violated policy.....tsk tsk tsk.

    Sure it works - I was only questioning if it err disables the port before a potentially damaging VTP update is propagated - This is of course assuming that it's a "lab" switch inadvertently popped into production (probably by a manager in a pinch :) ) with the correct domain name, mode, password, and highest revision number.
    CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
  • alan2308 Member Posts: 1,854
    pitviper wrote: »
    Sure it works - I was only questioning if it err disables the port before a potentially damaging VTP update is propagated - This is of course assuming that it's a "lab" switch inadvertently popped into production (probably by a manager in a pinch :) ) with the correct domain name, mode, password, and highest revision number.

    Interesting thought, and nothing I saw in a quick Googling of BPDU guard really addresses any traffic except for BPDUs. I guess the question is which frame does a switch send first, the BPDU or the VTP update? And more importantly, does it happen the same way every time and if so, does every IOS on every switch behave the same way?
  • Futura Member Posts: 191
    Futura wrote: »

    Another experiment was to have no trunks set up, create 4 different VLANs on each switch, set the domain to be the same on each switch, make sure the revision number was 0 on each switch and then enable the trunks. They did not propagate even though they had the same domain name.

    In fact I could not get them to do anything at all, tried adding a few VLANs, changing the domain names back and forth. Ended up having to change them to access ports and delete the vlan.dat... then reload.
  • billyr Member Posts: 186
    alan2308 wrote: »
    Interesting thought, and nothing I saw in a quick Googling of BPDU guard really addresses any traffic except for BPDUs. I guess the question is which frame does a switch send first, the BPDU or the VTP update? And more importantly, does it happen the same way every time and if so, does every IOS on every switch behave the same way?

    In order for a switchport to send a frame it would have to be in the forwarding state. So any spanning tree (BPDU) issues would have to be taken care of first.
  • alan2308 Member Posts: 1,854
    Nevermind, that can't happen.
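    Pulling the bpduguard discussion above together as a configuration, here is an added example for this thread (not a configuration posted by any of the participants or taken from a Cisco document) of the controls a Cisco IOS access switch would carry so that a rogue switch on a user jack cannot push a VTP update. The domain name, password, VLAN number and interface range are placeholders. The point the thread circles around is that BPDU guard and VTP are separate protections: VTP advertisements are only sent and accepted on trunk ports, so an access port that never negotiates a trunk never receives a VTP update in the first place, and BPDU guard is what err-disables the port when the rogue device reveals itself by sending a BPDU.

```cisco
! --- weak (factory defaults): VTP server, no domain, no password,
!     ports left in dynamic mode so a rogue switch can negotiate a trunk ---
! vtp mode server
! interface GigabitEthernet1/0/1
!  switchport mode dynamic auto
!
! --- hardened ---
vtp domain CORP
vtp password S3cr3tVtpPw
vtp version 2
! An access switch that never needs to learn VLANs from the network can be
! kept out of VTP entirely; it still forwards advertisements on its trunks.
vtp mode transparent
!
! User-facing ports: fixed access mode, no DTP, PortFast, and err-disable on
! the first BPDU seen.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Alternative: turn BPDU guard on for every PortFast-enabled port at once.
spanning-tree portfast bpduguard default
!
! Optional: bring err-disabled ports back after 5 minutes instead of by hand.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification
! show vtp status
! show spanning-tree summary
! show interfaces status err-disabled
```

    Even with this in place, keep the VTP password and domain name out of lab switches, or better, leave lab switches in transparent mode: as pitviper notes, a "lab" switch that carries the production domain, password and a higher revision number is accepted by the rules of VTP itself, and that is exactly the case where the only thing standing between it and the production VLAN database is the port it gets plugged into being an access port.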
  • Futura Member Posts: 191
    You may find this experiment interesting, I did.

    I kept creating VLANs so they would transfer over the trunk.

    Both switches had different limits on the amount of VLANs. I kept making them on the switch with the higher limit so that it exceeded the supported limit on the other switch. It came up with an error, and changed the other switch by itself to transparent. If I changed it back to server it changed automatically back.

    I found this very interesting so thought I would share.