[nsp] vlans and VTP

Lars Erik Gullerud lerik at nolink.net
Thu May 29 22:15:56 EDT 2003


On Wed, 2003-05-28 at 21:27, Stephen J. Wilcox wrote:
> I personally quite like the vlan replication features that vtp brings, it's 
> difficult to do what you say above, you have to connect a switch which by 
> default will be in server mode but with a different domain & password so that's 
> not a problem and in a production environment your config revision should be 
> reasonably high enough that any new switch (which we assume has just been 
> powered up) isn't going to find a conflict.

There is a lot of potential for foot-shooting if you don't use a VTP
password, so I'd recommend for everyone to set a password. For instance,
with no domain password set, a new switch connected to the VTP domain
will automatically learn the correct VTP domain from CDP announcements
(if you haven't turned CDP off) and happily "join the gang", wiping any
local VLAN info it might have in the process, if the revision is higher
on the switches in the VTP cloud.

Learned this the hard way due to a patching mistake where a standalone
switch (where no one had set any VTP info) was briefly connected to the
VTP cloud - long enough to receive CDP announcements and then
subsequently pull in the VTP database. Since access-ports already set up
in a VLAN that suddenly disappears from the VLAN database go into
"Up/Down" state, there was suddenly a lot of red showing on the
management systems...

/leg
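As an added illustration (not part of the original post or any poster's configuration), here is the IOS-style VTP configuration a defender would apply to a standalone access switch before patching it into the VTP cloud; the domain name CAMPUS and the password are placeholders, and the exact `show` output depends on the platform:

```cisco
! Risky default on a fresh or standalone switch: no VTP domain, no
! password, server mode. Once an uplink is patched in it learns the
! domain from CDP and accepts any advertisement whose configuration
! revision is higher than its own, replacing the local VLAN database.

! Hardened settings (placeholder values):
Switch# configure terminal
Switch(config)# vtp domain CAMPUS
Switch(config)# vtp password s3cret-placeholder
! An access switch that must never have its VLAN database replaced by
! the cloud: transparent mode forwards advertisements but ignores them.
Switch(config)# vtp mode transparent
! Optionally stop the switch learning the domain name over CDP on the
! uplink that will be patched into the cloud.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# no cdp enable
Switch(config-if)# end

! Verify before connecting: domain, mode, password and revision.
! A switch that must remain a server/client should show revision 0 here;
! changing its domain name (or toggling transparent mode) resets the
! counter so it cannot overwrite the cloud's database.
Switch# show vtp status
Switch# show vtp password
```

After the uplink is connected, rerun `show vtp status` and confirm the revision and VLAN count still match the cloud's server rather than having been reset or replaced.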
