VTP

control Member Posts: 309
Hi All,

Not able to lab this at the moment due to lack of xover cables. Just been watching CBT Nuggets vids on VTP. Jeremy talks about a situation where a guy hooks his own switch into the company network, which then in turn overwrites the VLAN databases of all the other switches. Would the rogue switch not have to be in the same VTP domain as the company for the other switches to pay attention to it?

Comments

  • ayori Member Posts: 48
    Correct and on top of that, VTP only runs on trunk ports so IF we're following good practice here this shouldn't happen as cable drops going to cubicles should be hardcoded to access ports with bpduguard/portfast.
  • Mrock4 Banned Posts: 2,359
    I made a quick demonstration video in response to this post. Hopefully this helps.

    VTP Client overwrites VTP Server - YouTube

    I highly recommend viewing in 720p at full screen. Anything else and it's hard to read the CLI. Also, I could have sworn there was a "video" button when responding to insert a video in the post, but couldn't find it. Anyone know the code to insert a video directly in the post?
  • control Member Posts: 309
    Mrock4 wrote:
    I made a quick demonstration video in response to this post. Hopefully this helps.

    VTP Client overwrites VTP Server - YouTube

    I highly recommend viewing in 720p at full screen. Anything else and it's hard to read the CLI. Also, I could have sworn there was a "video" button when responding to insert a video in the post, but couldn't find it. Anyone know the code to insert a video directly in the post?

    Thanks a lot for that Mike, was great to see it in action.

    So in the scenario, your "company" switch had no VTP domain. Can VTP still work without this, e.g., sending of VTP information to other switches within the company (without a VTP domain)?
  • Mrock4 Banned Posts: 2,359
    No, we'd need to configure a VTP domain of some sort on the "Company" switch I mentioned for it to send VTP. This scenario is really far out. Perhaps a better example would have been:

    A) A switch from Company A's other location is pulled (with the same VTP domain, i.e., cisco123, and a high revision number since it had been in use a while, configured as VTP client).

    B) A switch crashes at Company A's main location, and the switch from Company A's old location is used as a quick replacement. It's plugged in, and it blows away the VTP server's VLANs. Of course, this would be odd since at different locations, we'd likely be using different VTP domain names/passwords.

    I only did a video of the example I selected to illustrate that the server will pick up the client's domain name if not configured.
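
The acceptance rule this thread describes, as an added example that is not part of any post here: a simplified Python model of how a VTP v1/v2 switch decides whether to accept an advertisement. The `Switch` class, `receive_summary`, and all sample domains, VLANs and revision numbers are constructed for illustration, and the password comparison stands in for the real digest check.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    name: str
    mode: str                  # "server" or "client"
    domain: str = ""           # "" = no VTP domain configured
    revision: int = 0          # configuration revision number
    password: str = ""
    vlans: dict = field(default_factory=dict)

def receive_summary(rx: Switch, tx: Switch, trunk: bool = True) -> str:
    """Model rx hearing an advertisement from tx; return the outcome."""
    if not trunk:
        return "no-trunk"              # VTP only runs on trunk ports
    if tx.domain == "":
        return "no-advert"             # a switch without a domain sends no VTP
    if rx.domain == "":
        rx.domain = tx.domain          # unconfigured switch picks up the domain
    if rx.domain != tx.domain:
        return "domain-mismatch"
    if rx.password != tx.password:
        return "password-mismatch"     # stands in for the digest check
    if tx.revision <= rx.revision:
        return "not-newer"
    # tx.mode is deliberately never consulted: a client with a higher
    # revision replaces a server's database.
    rx.vlans, rx.revision = dict(tx.vlans), tx.revision
    return "overwritten"

def demo() -> dict:
    """Constructed scenarios; all names, VLANs and revisions are made up."""
    vl = {10: "users", 20: "voice"}
    old = Switch("old-site", "client", "cisco123", 41, vlans={99: "lab"})
    out = {}
    same = Switch("hq", "server", "cisco123", 12, vlans=dict(vl))
    out["returned_switch"] = receive_summary(same, old)
    out["hq_vlans"] = same.vlans
    blank = Switch("company", "server", revision=3, vlans=dict(vl))
    out["no_domain_server"] = receive_summary(blank, old)
    out["adopted_domain"] = blank.domain
    other = Switch("hq2", "server", "corp", 12, vlans=dict(vl))
    out["rogue_other_domain"] = receive_summary(other, old)
    out["access_port"] = receive_summary(Switch("hq3", "server", "cisco123", 1), old, trunk=False)
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Before reconnecting a switch that has been out of production, compare the domain and configuration revision reported by `show vtp status` against the production server's values; a matching domain with a higher revision is the "overwritten" case above.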
  • NetworkVeteran Member Posts: 2,338
    And, for all the stars that need to align, ask anyone who administers a network where VTP is/was widely deployed for a few years and they've likely encountered that perfect storm at least once. Usually just before swearing never to use VTP v1/v2 again! The most common case is a switch taken out of production and then returned again, perhaps due to repairs, perhaps due to being used in a lab, perhaps due to being used for education. True, your best admin would never make this mistake on a good day, but would your worst admin make this mistake on a bad day? Is there even a single client who under the right circumstances would violate your safeguards?

    PS - I will add, this has, of course, never occurred under my watch. I learn from others' misery.
  • martell1000 Member Posts: 389
    nice video. it might be a lil unrealistic but shows that vtp might be a ticking bomb in your production network.

    another issue is that some admins tend to extend the number of vtp servers in the network over the years, which makes it even worse.
  • control Member Posts: 309
    All clear now! Great thread, amazing how a couple of posts can clear things up for me. Cheers All.