Transparent mode or VTP Server mode huh?
We have vtp setup at each branch office site switches. I was told by another tech from another credit union that
he with his many many switches has them all in transparent mode. wow what is the reason for this ???
I have been taught for the most part use VTP Server\Client setup and not transparent. So what would be good reasons to use
transparent mode vs VTP-server\client??? thanks
Comments
-
NOC-Ninja Member Posts: 1,403
VTP Server to VTP Client = If you make a mistake in the config of the VTP server then it will pass through to all the VTP clients. Just imagine how much of a headache that is.
-
shodown Member Posts: 2,271
Most of the environments I've been in have been transparent as we usually keep VTP in transparent as we isolated VLANS to 1 or 2 switches and have no need to populate a VLAN to several switches. There also may be some security issues as well. There's also the threat of someone plugging in a new switch with the same VTP domain and having a higher revision and having it populate through the network, but I'm pretty sure that's rare these days.
Currently Reading: CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
-
itdaddy Member Posts: 2,089
wow that cracks me up cause remember during training they used to say to use it so no other switch can change things but yeh if you use transparent then sure it is safe hahah but yeah I guess weird how old stuff is never used anymore weird i guess in large switch networks wow that is lot of work if you needed to keep up the vlans ahaha well keeps us a job lots of practice huh! LOL! thanks guys.....super
-
shodown Member Posts: 2,271
Well, best practice these days is to ISOLATE VLANS to a specific switch. If you need a lot of ports we usually stack 3750's, but we keep all the VLANS isolated to that switch and make them routable at the distro or core.
-
vinbuck Member Posts: 785
Another black mark against VTP is Private VLANs...if you want to use them, you have no choice but to run VTP transparent for versions 1 and 2. Not sure about 3 though...
Cisco was my first networking love, but my "other" router is a Mikrotik...
-
Turgon Banned Posts: 6,308
VTP has its uses, but be cautious. Even a password is no defence against a switch introduced that becomes the server with old vlan config. Watch version numbers, old configs. Having a switch join a large network and wipe out your VLAN definitions could be a major outage and take a long time to fix. A potentially terrible day at the office.
You have been warned.
-
itdaddy Member Posts: 2,089
okay so maybe I need to flip our switches to vtp transparent mode LOL! you guys scared the crap out of me. I do not want a bad day at the office! haahhahh thanks guys!
-
sides14 Member Posts: 113
Have I got a good VTP story on this very subject. A vendor once placed an old switch that was recovered from another site into the network. Well before loading the new configuration, they connected the switch to the router (7609). Before you knew it, a massive network (most of the midwest) was caused. To add insult to injury, the network hadn't been backed up in quite a while (understatement since it was 11 months). It took over two days to get everything working properly again (surprisingly.....nobody lost their job). Now it is mandatory to load the switch configuration before connecting to the network and VTP must always be set to transparent.
To add in
-
itdaddy Member Posts: 2,089
wow next thing on my project list haahaahahah thanks guys super! great story yikes!
-
itdaddy Member Posts: 2,089
what I don't get if the vtp is passworded out how can this other switch affect a vtp domain? am I missing something now that I think about it?
-
Roguetadhg Member Posts: 2,489
what I don't get if the vtp is passworded out how can this other switch affect a vtp domain? am I missing something now that I think about it?
I thought vtp password is needed to be set and the new switch would need to equal the domain's password to attempt to overwrite the database.
Understanding VLAN Trunk Protocol (VTP) - Cisco Systems
"If you configure a password for VTP, you must configure the password on all switches in the VTP domain. The password must be the same password on all those switches. The VTP password that you configure is translated by algorithm into a 16-byte word (MD5 value) that is carried in all summary-advertisement VTP packets."
In order to succeed, your desire for success should be greater than your fear of failure.
TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams
-
Zartanasaurus Member Posts: 2,008
Transparent. It's not like we modify VLANs so often that it'd be a headache to do it manually. And I could do it in bulk with Orion NCM.
Currently reading: IPSec VPN Design 44%, Mastering VMWare vSphere 5 42.8%
-
itdaddy Member Posts: 2,089
exactly Roguetadhg
so by adding a new switch with some kind of old config huh? wouldn't be able to change it unless you added password and make sure it is a client switch.
ahhhh I don't understand I guess I will have learn the hard way hahahahah
-
mens Member Posts: 69
Hey, for some reason I came to think about a story about a network outage at a hospital when reading this thread. It's about STP though, not VTP. Check it out: All Systems Down - CIO
-
itdaddy Member Posts: 2,089
wow mens that was awesome story lots learned in the heat of battle; many lessons learned
one for me is to make sure I follow on a cycle to replace.
what is the cycle on cisco gear 10 years? replace
-
NetworkVeteran Member Posts: 2,338
what is the cycle on cisco gear 10 years? replace
-
martell1000 Member Posts: 389
have been playing around with vtp the last days and i guess the big danger here is not an attacker with evil intentions but every person that has the vtp password.
imagine a switch going boom and someone gets a replacement from a test lab into the production environment, sets the vtp password and doesn't check if it is a server and what revision number it has. if things turn out bad you have your whole network down. is it likely to happen? not really - but i guess even if it happens every 10 years or so it's not worth the risk...
And then, I started a blog ...
-
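A pre-connection check of the kind the posts above describe (confirm a replacement switch's VTP mode and revision number before it is cabled in), as an added example that is not any poster's code. The function names and both `show vtp status` samples are constructed for illustration, and the rule that the mode must be transparent follows the policy mentioned earlier in the thread.

```python
import re

# Constructed `show vtp status` samples (not captured from real devices).
SAMPLE_LAB_SWITCH = """\
VTP Version                     : 2
Configuration Revision          : 47
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 12
VTP Operating Mode              : Server
VTP Domain Name                 : BRANCH
"""

SAMPLE_STAGED_SWITCH = """\
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Transparent
VTP Domain Name                 : BRANCH
"""

def parse_vtp_status(text):
    """Return the 'Key : value' lines of `show vtp status` as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def preconnect_findings(text):
    """List reasons this switch should not be cabled into production yet."""
    f = parse_vtp_status(text)
    mode = f.get("vtp operating mode", "").lower()
    rev = f.get("configuration revision", "")
    findings = []
    if not mode:
        findings.append("VTP operating mode not found in output")
    elif mode != "transparent":
        findings.append(f"VTP mode is {mode}, expected transparent")
    if not rev.isdigit():
        findings.append("configuration revision not found in output")
    elif int(rev) > 0:
        # A nonzero revision means the switch carries a VLAN database that
        # it could advertise into a domain whose name and password match.
        findings.append(f"configuration revision is {rev}, expected 0")
    return findings
```

An empty list from `preconnect_findings` means the staged switch passes; missing fields are reported as findings rather than treated as safe.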
Roguetadhg Member Posts: 2,489
The VTP password isn't transmitted with a VTP update, so the odds of someone cracking away at the VTP passwords would have to be pretty slim if you made a half-decent password behind it. At that point, I'd be more worried as to how the unauthorized person gained access to the Cisco switch to get to the password, and then make the changes.
It's not like Cisco recommends using VTP anyways :P
If someone has the vtp password, I would be more worried as to the persons that have the knowledge to go in my Cisco device after resetting the Rev Number.
-
reloaded Member Posts: 235
We have vtp setup at each branch office site switches. I was told by another tech from another credit union that
he with his many many switches has them all in transparent mode. wow what is the reason for this ???
I have been taught for the most part use VTP Server\Client setup and not transparent. So what would be good reasons to use
transparent mode vs VTP-server\client??? thanks
It's pretty standard fare to use transparent mode when you have local VLANs configured. You might want to use VTP for campus-wide VLANs, but it's generally better from a management perspective to use local VLANs. Transparent mode allows you to configure the IP/VLAN space however you want for any location, without having to worry about what lurks campus-wide.
Reloaded~4~Ever
-
lanrexng2 Member Posts: 74
This is awesome! Exactly where I was in studying for ICND2 + the added benefit of experience and best practices
I'd so buy you ladies and or gents a cold one or two!
Mucho Gracios
M Sc Computer Science == 1% complete
A+, Network+, Security+, CCENT == 100% complete
ICND2, RHCSA, C/C++, Python, x86,