I'm working on a network with a 4507 as the core switch, and a bunch of 3550's throughout the rest of the network. The core switch is configured as the VTP server, but every other switch is configured in Transparent mode. Is there some genius reason for this kind of configuration, or did some genius not know what he was doing?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations John Tel on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
VTP Modes 4
- Thread starter FloDiggs
- Start date
-
1
- #2
jneiberger
Technical User
I think some genius didn't know what he was doing. Configured that way, you have to make VLAN changes manually on every switch. You might as well not be running VTP. I prefer leaving all of my switches set to server mode. Just make sure you never connect an older switch with a high configuration revision number to your network. It could mess up your VLAN configurations.
- Thread starter
- #3
-
1
- #4
Setting all your switches to server mode is insane. At most you should have 1 server and the rest should be clients. After any change I would change the server back to transparent mode. Also make sure you create a management domain and then use password authentication.
Personally I don't use VTP, thus I set all mine to transparent.
Personally I don't use VTP, thus I set all mine to transparent.
jneiberger
Technical User
I don't think server mode on all switches is insane. There is no real downside to it. It was actually a Cisco engineer who convinced me of that. I used to have one server and the rest clients. If they're all on the same revision number, you might as well have them all set to server.
-
1
- #6
- Thread starter
- #7
-
1
- #8
billyj1900
MIS
I really think it depends on the network. In a small network with 5 switches all switches could be set as a server. In a large network with 30 switches, server and clients is definitely needed. Also if you set a VTP server make sure you set a domain. If you don't someone else can plug their switch into your network and you will take on their domain and all their Vlans. Also if you don’t want to set a domain just only allow certain vlans to pass through the trunk ports. I hope this helps.
Running VTP at all is insane..... (IMO of course)
If you read the latest design guides on CCO having VLAN trunks between switches is now a bad idea apparently. Have a read of the design guides on CCO:
Andy
- Thread starter
- #10
Yes, the 'Campus Network for High Availability Design Guide'. To be honest Cisco have had this design guide since the late 1990's and why you haven't heard of it is odd as Cisco have been driving this into people for as long as I can remember - Core, Distribution & Access Campus LAN Topology.
Briefly - Each access switch connects to two distribtion switches and has unique VLAN's - i.e. access switch one has VLAN's 10 & 100, access switch two has VLAN's 11 and 101 etc. These are the only allowed VLANs on the uplink trunks to the distribution switches and VTP is disabled or set to transparent mode. The distribution and core switches interconnect using purely layer-3 P2P links.
Recently (last two years or so) Layer-3 is being pushed to the edge so the VLAN's don't even hit the distribution layer any more and are terminated in the access switch. The links between the access switch and the distribution are now Layer-3 P2P links and a routing protocol is run between them.
Andy
Get yourself off to Cisco Networkers and listen to Mark Montanez's presentation on Campus LAN design. If you can't get the Networkers presentation slides.
VTP is just a bad idea, leave it alone and set your switches to VTP transparent and just manage them well.
Andy
VTP is just a bad idea, leave it alone and set your switches to VTP transparent and just manage them well.
Andy
jneiberger
Technical User
I actually used to know Mark Montanez. Haven't talked to him in years. It's entirely possible that he was the guy who told me to go server mode on all my switches. 
It was either him or the other sales engineer I was working with at the time.
There are just to many variables. It's impossible to make any blanket statements like "Never use VTP", or "Always use only one or two VTP servers." It completely depends on the environment.
In one place I worked, we had everything set to server mode. At another, we had two core switches set to server and the rest to client. Use whichever method works best for you. There really isn't a right or a wrong, as long as you know the ramifications of each choice.
It was either him or the other sales engineer I was working with at the time.There are just to many variables. It's impossible to make any blanket statements like "Never use VTP", or "Always use only one or two VTP servers." It completely depends on the environment.
In one place I worked, we had everything set to server mode. At another, we had two core switches set to server and the rest to client. Use whichever method works best for you. There really isn't a right or a wrong, as long as you know the ramifications of each choice.
- Thread starter
- #14
Yes, but how long ago was that? I remember design guides where trunks were suggested everywhere with lots of Cat 5000's and then a single 7200 with a single fast ethernet trunk with lots of sub-interfaces doing all the inter-vlan routing. If you were really extravagant you would have two 7200's and use HSRP...
Things have moved on considerably now and since everything is IP and routing is possible even in the majority of access layer switches designs have changed (for the better). Unless you have specific Layer-2 requirements (i.e. clustering or VMWare) then I would go for a routed (layer-3 to the edge) design everytime. It so much more controllable, scalable, modular, plus fault foorprints are isolated within each node (no network-wide meltdowns due to a broadcast storm).
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns656/net_design_guidance0900aecd804ab689.pdf
Andy
jneiberger
Technical User
Oh, it was many years ago. Probably seven or eight years, at least. I guess I was just pointing out how funny it is that times change as do design suggestions.
In Cisco's case, their design suggestions typically help them sell product. How many times have you seen people buy WAY too much hardware in some strange effort to stick to the Access/Distribution/Core model? That model sold lots of switches for Cisco, largely by people shoe-horning that model into situations where it didn't necessarily apply.
In Cisco's case, their design suggestions typically help them sell product.
How many times have you seen people buy WAY too much hardware in some strange effort to stick to the Access/Distribution/Core model? That model sold lots of switches for Cisco, largely by people shoe-horning that model into situations where it didn't necessarily apply.I agree with you ADB, as I don't run VTP in my clients environments.
Additionally the Security and Network Attack Center division of the NSA recommends that you don't use VTP.
Additionally the Security and Network Attack Center division of the NSA recommends that you don't use VTP.
- Status