Transparent mode or VTP Server mode huh?

itdaddyitdaddy Senior MemberMember Posts: 2,089 ■■■■□□□□□□
We have vtp setup at each branch office site switches. I was told by another tech from another credit union that
he with his many many switches has them all in transparent mode. wow what is the reason for this ???
I have been taught for the most part use VTP Server\Client setup and not transparent. So what would be good reasons to use
transparent mode vs VTP-server\client??? thanksicon_redface.gif

Comments

  • NOC-NinjaNOC-Ninja Member Posts: 1,403
    VTP Server to VTP Client = If you make a mistake in the config of the VTP server then it will pass through to all the VTP client . Just imagine how much headache is that.
  • shodownshodown Member Posts: 2,271
    Most of the environments I've been in have been transparent as we usually keep VTP in transparent as we isolated VLANS to 1 or 2 switches and have no need to populate a VLAN to several switches. There also maybe some security issues as well. There's also the threat of someone plugging in a new switch with the same VTP domain and having a higher revision and having it populate through the network, but I'm pretty sure thats rare these days.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
  • ColbyGColbyG Member Posts: 1,264
    Transparent or Off. VTP isn't worth the risks.
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    wow that cracks me up cause remember during training they use to say to use it so no other switch can change things but yeh if you use transparent then sure it is safe hahah but yeah I guess weird how old stuff is never used anymore weird i guess in large switch networks wow that is lot of work if you eeded to keep up the vlans ahaha well keeps us a job lots of practice huh! LOL! thanks guys.....super
  • shodownshodown Member Posts: 2,271
    Well best practice these days are to ISOLATE VLANS to a specific switch. If you need a lot of ports we usually stack 3750's, but we keep all the VLANS isolated to that switch and make them routable at the distro or core.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
  • vinbuckvinbuck Member Posts: 785
    Another black mark against VTP is Private VLANs...if you want to use them, you have no choice but to run VTP transparent for versions 1 and 2. Not sure about 3 though...
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • TurgonTurgon Banned Posts: 6,308 ■■■■■■■■■□
    VTP has it's uses, but be cautious. Even a password is no defence against a switch introduced that becomes the server with old vlan config. Watch version numbers, old configs. Having a switch join a large network and wipe out your VLAN definitions could be a major outage and take a long time to fix. A potentially terrible day at the office.

    You have been warned.
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    okay so maybe I need to flip our switches to vtp transparent mode LOL! you guys scared the crap out of me. I do not want a bad day at the office! haahhahh thanks guys!
  • sides14sides14 Member Posts: 113
    Have I got a good VTP story on this very subject. A vendor once placed an old switch that was recovered from another site into the network. Well before loading the new configuration, they connected the switch to the router (7609). Before you knew it, a massive network (most of the midwest) was caused. To add insult to injury, the network hadn't been backed up in quite a while (understatement since it was 11 months). It took over two days to get everything working properly again (surprisingly.....nobody lost their job). Now it is mandatory to load the switch configuration before connecting to the network and VTP must always be set to transparent.

    To add in
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    wow next thing on my project list haahaahahah ;) thanksguys super! great story yikes!
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    what I don't get if the vtp is passworded out how can this other switch affect a vtp domain? am I missing something now that I think about it?
  • RoguetadhgRoguetadhg CompTIA A+, Network+. Member Posts: 2,489 ■■■■■■■■□□
    itdaddy wrote: »
    what I don't get if the vtp is passworded out how can this other switch affect a vtp domain? am I missing something now that I think about it?

    I thought vtp password is needed to be set and the new switch would need to equal the domain's password to attempt to overwrite the database.

    Understanding VLAN Trunk Protocol (VTP) - Cisco Systems

    "f you configure a password for VTP, you must configure the password on all switches in the VTP domain. The password must be the same password on all those switches. The VTP password that you configure is translated by algorithm into a 16-byte word (MD5 value) that is carried in all summary-advertisement VTP packets."
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • ZartanasaurusZartanasaurus Member Posts: 2,008 ■■■■■■■■■□
    Transparent. It's not like we modify VLANs so often that it'd be a headache to do it manually. And I could do it in bulk with Orion NCM.
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMWare vSphere 5​ 42.8%
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    exactly Roguetadhg

    so by adding a new switch with some kind of old config huh?wouldnt be able to change it unless you added password and make sure it is a client switch.
    ahhhh I don't understand I guess I will have learn the hard way hahahahah ;)
  • mensmens Member Posts: 69 ■■■□□□□□□□
    Hey, for some reason I came to think about a story about a network outage at a hospital when reading this thread. It's about STP though, not VTP. Check it out: All Systems Down - CIO
  • itdaddyitdaddy Senior Member Member Posts: 2,089 ■■■■□□□□□□
    wow mens that was awesome story lots learned in the heat of battle; many lessons learned
    one for me it to make sure I follow on a cycle to replace.

    what is the cycle on cisco gear 10 years? replace
  • NetworkVeteranNetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
    itdaddy wrote: »
    what is the cycle on cisco gear 10 years? replace
    Writing "replace equipment after X years" may look nice on paper, the general reality is that you will be allocated resources for new equipment if and only if you can establish a concrete business reason for purchasing it. I've seen companies successfully using gear 20+ years old--because they're asking the network to do no more than it did decades ago. I've also seen companies with cutting edge equipment because they think specific new features will give them a competitive edge. The exception tends to be when the economy is soaring and folks have a hard time figuring out how to spend their entire financial quarter buget.
  • martell1000martell1000 Member Posts: 389
    have been playing around with vtp the last days and i guess the big danger here is not an attacker with evil intension but every person thet has the vtp password.

    imagine a switch going boom and someone gets a replacement from a test lab into the production enviroment, sets the vtp password and doesnt check if it is a server and what revision number it hast. if things turn out bad you have your whole network down. is it likely to happen? not really - but i guess even if it happen every 10 years or so its not woth the risk...
    And then, I started a blog ...
  • RoguetadhgRoguetadhg CompTIA A+, Network+. Member Posts: 2,489 ■■■■■■■■□□
    The VTP password isn't transmitted with a VTP update, so I the odds of someone cracking away at the VTP passwords would have to be pretty slim if you made a half-decent password behind it. At that point, i'd be more worried as to how the unauthorized person gained access to the cisco switch to get to the password, and then make the changes.

    It's not like cisco recommends using VTP anyways :P

    If someone has the vtp password, I would be more worried as to the persons that have the knowledge to go in my cisco device after resetting the Rev Number.
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • reloadedreloaded Member Posts: 235
    itdaddy wrote: »
    We have vtp setup at each branch office site switches. I was told by another tech from another credit union that
    he with his many many switches has them all in transparent mode. wow what is the reason for this ???
    I have been taught for the most part use VTP Server\Client setup and not transparent. So what would be good reasons to use
    transparent mode vs VTP-server\client??? thanksicon_redface.gif

    It's pretty standard fare to use transparent mode when you have local VLANs configured. You might want to use VTP for campus-wide VLANs, but it's generally better from a management prospective to use local VLANs. Transparent mode allows you to configure the IP/VLAN space however you want for any location, without having to worry about what lurks campus-wide.
    Reloaded~4~Ever
  • lanrexng2lanrexng2 Member Posts: 74 ■■□□□□□□□□
    This is awesome! Exactly where I was in studying for ICND2 + the added benefit of experience and best practices icon_smile.gif
    I'd so buy you ladies and or gents a cold one or two!icon_thumright.gif

    Mucho Gracios
    M Sc Computer Science == 1% completeA+, Network+, Security+, CCENT == 100% complete
    ICND2, RHCSA, C/C++, Python, x86,
Sign In or Register to comment.