[c-nsp] VTP domain.

Adam Greene maillist at webjogger.net
Wed Feb 11 09:04:54 EST 2009


In light of all the disasters that can happen with VTP, do people in general 
think it's worth the risk of deploying?

We're getting pretty tired of adding / removing VLANs manually throughout 
various parts of our network, and find that it is prone to sloppiness (i.e. 
vlans being left on links where they don't belong).

Not sure which is the greater evil ....

----- Original Message ----- 
From: "Paul Cosgrove" <paul.cosgrove at heanet.ie>
To: <Steven.Glogger at swisscom.com>
Cc: <cisco-nsp at puck.nether.net>
Sent: Wednesday, February 11, 2009 5:43 AM
Subject: Re: [c-nsp] VTP domain.


> The behaviour regarding forwarding VTP messages is identical between 
> transparent mode in either VTP version; if the domain name is null all 
> VTP messages are forwarded, while if it is set only messages for that 
> domain are forwarded. Apparently this changed sometime in the distant past 
> but the documentation was not updated (at least it wasn't the last time I 
> looked). You can find more information about this here:
>  http://www.groupstudy.com/archives/ccielab/200704/msg01533.html
>
> You can see that there is also a mention there, apparently from a member 
> of cisco TAC, that a capability to set a VTP domain name to Null had been 
> considered but a decision was made not to implement it.
>
> To stop any VTP messages being forwarded, if you really need to, you can 
> use MAC ACLs matching the destination address (0100.0ccc.cccc) and 
> ethertype (0x2003). If on the other hand you need the VTP messages to be 
> forwarded for multiple domains, without affecting this switch, then you 
> may need to delete the vlan.dat, change to transparent mode and reload.
>
> Paul.
>
> Steven.Glogger at swisscom.com wrote:
>> VTP transparent switches DO forward vtp messages (if using version 2). 
>> see:
>> "VTP transparent switches do not participate in VTP. A VTP transparent 
>> switch does not advertise its VLAN configuration and does not synchronize 
>> its VLAN configuration based on received advertisements. However, in VTP 
>> version 2, transparent switches do forward VTP advertisements that they 
>> receive from other switches from their trunk interfaces. "
>>
>> don't forget: the VTP domain can be learned if NO domain is given - the 
>> switch takes the first domain it sees in a VTP message.
>>
>> make sure that you put switches in transparent mode if you want to 
>> prevent disasters. we all know that the highest revision number in a 
>> domain wins. a client can overwrite all other switches (incl. server) if 
>> the revision number is higher and if it has the same domain name....
>> vtp is evil as we all know ,-)
>>
>> to remove the domain name just set another one.
>> -steven
>>
>>
>> ps: your guide for any VTP questions:
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/swvtp.html
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net 
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
>> Sent: Wednesday, February 11, 2009 12:54 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] VTP domain.
>>
>> On Wednesday 11 February 2009 03:02:41 am Keith wrote:
>>
>>
>>> The 3550 being replaced has no vtp domain name. Is it possible to remove 
>>> the vtp domain name without deleting the vlan.dat file? I have looked 
>>> over the TAC but see nothing really regarding removing a vtp domain 
>>> name. Lots about adding one, not about removing one.
>>>
>>
>> No clear way to do this, today, without deleting the 'vlan.dat' file. 
>> Wish that could be fixed.
>>
>> But like you and others have said, maintaining VTP Transparent mode will 
>> ensure it stays away from VTP.
>>
>> We used to "manually" clear VTP domain names, but recently found a batch 
>> of switches that had them configured. It's too much work to clear that, 
>> but we just say "no" to VTP anyway.
>>
>> Cheers,
>>
>> Mark.
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>
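The thread above keeps coming back to two mechanics: a switch with a null domain name learns the first domain it hears, and within a domain the advertisement with the highest configuration revision number wins, so one stray client can rewrite every server's VLAN database. The following is an added example, not code from the cisco-nsp thread or from Cisco: a small Python parser for VTP summary advertisements that a monitoring box on a trunk (or an offline capture) could use to flag the two conditions before they bite. It assumes the public VTP summary-advertisement layout (version, code, followers, domain length, 32-byte domain, revision, updater, timestamp, MD5), the destination MAC 0100.0ccc.cccc and SNAP type 0x2003 named in the thread, and untagged framing for simplicity; the sample frames, source MACs, domain names and revision numbers are all constructed for the demonstration.

```python
"""Parse VTP summary advertisements and flag ones that could rewrite a VLAN database.

Added example (not from the cisco-nsp thread). Frame layout follows the public
VTP summary advertisement format; every sample frame below is constructed.
"""
import struct

VTP_DST_MAC = bytes.fromhex("01000ccccccc")   # 0100.0ccc.cccc, from the thread
VTP_SNAP_TYPE = 0x2003                         # SNAP protocol type, from the thread
CISCO_OUI = bytes.fromhex("00000c")
LLC_SNAP = b"\xaa\xaa\x03"                     # DSAP/SSAP/control for SNAP
SUMMARY_ADVERT = 0x01                          # VTP code for a summary advertisement
VTP_SUMMARY_LEN = 4 + 32 + 4 + 4 + 12 + 16     # 72 bytes of VTP payload


def build_vtp_summary(src_mac_hex, domain, revision, updater="10.0.0.1", version=2):
    """Construct an untagged VTP summary advertisement frame (constructed test data)."""
    name = domain.encode("ascii")
    assert len(name) <= 32, "VTP domain names are at most 32 bytes"
    vtp = struct.pack("!BBBB", version, SUMMARY_ADVERT, 0, len(name))
    vtp += name.ljust(32, b"\x00")                      # domain, zero padded to 32 bytes
    vtp += struct.pack("!I", revision)                  # configuration revision number
    vtp += bytes(int(o) for o in updater.split("."))    # updater identity (IPv4)
    vtp += b"090211090454"                              # update timestamp, yymmddhhmmss
    vtp += bytes(16)                                    # MD5 digest, zeroed in this sample
    llc_snap = LLC_SNAP + CISCO_OUI + struct.pack("!H", VTP_SNAP_TYPE)
    length = len(llc_snap) + len(vtp)                   # 802.3 length field
    return VTP_DST_MAC + bytes.fromhex(src_mac_hex) + struct.pack("!H", length) + llc_snap + vtp


def parse_vtp_summary(frame):
    """Return the summary fields as a dict, or None if the frame is not a VTP summary."""
    if len(frame) < 22 + VTP_SUMMARY_LEN or frame[0:6] != VTP_DST_MAC:
        return None
    if frame[14:17] != LLC_SNAP or frame[17:20] != CISCO_OUI:
        return None
    if struct.unpack("!H", frame[20:22])[0] != VTP_SNAP_TYPE:
        return None                                     # same MAC but another protocol (e.g. CDP)
    p = frame[22:]
    version, code, _followers, dlen = struct.unpack("!BBBB", p[0:4])
    if code != SUMMARY_ADVERT or dlen > 32:
        return None
    return {
        "src": frame[6:12].hex(),
        "version": version,
        "domain": p[4:4 + dlen].decode("ascii", "replace"),
        "revision": struct.unpack("!I", p[36:40])[0],
        "updater": ".".join(str(b) for b in p[40:44]),
        "md5": p[56:72].hex(),
    }


def audit_vtp(frames, local_domain, local_revision):
    """Flag advertisements that could change this switch's VLAN database.

    local_domain == "" models a switch with a null domain: it would adopt the
    first domain it hears, so every summary is reported. With a configured
    domain, only same-domain summaries with a higher revision can overwrite it;
    other domains are reported as informational so a trunk carrying foreign
    VTP traffic is visible.
    """
    alerts = []
    for frame in frames:
        s = parse_vtp_summary(frame)
        if s is None:
            continue
        if local_domain == "":
            alerts.append(("domain-would-be-learned", s["src"], s["domain"], s["revision"]))
        elif s["domain"] != local_domain:
            alerts.append(("foreign-domain", s["src"], s["domain"], s["revision"]))
        elif s["revision"] > local_revision:
            alerts.append(("higher-revision", s["src"], s["domain"], s["revision"]))
    return alerts


# Constructed sample frames: two from our domain, one from another, one non-VTP
# frame sent to the same Cisco multicast MAC with a different SNAP type.
SAMPLE_FRAMES = [
    build_vtp_summary("001122334455", "CORP", 17),
    build_vtp_summary("001122334466", "CORP", 99),
    build_vtp_summary("001122334477", "LAB", 5),
    VTP_DST_MAC + bytes.fromhex("0011223344ff") + struct.pack("!H", 8)
    + LLC_SNAP + CISCO_OUI + struct.pack("!H", 0x2000),
]

if __name__ == "__main__":
    for alert in audit_vtp(SAMPLE_FRAMES, "CORP", 42):
        print(alert)
```

Run against the samples with a local domain of CORP at revision 42, the audit reports the revision-99 advertisement (the one that would win and rewrite the database) and the LAB-domain advertisement, and ignores both the lower-revision frame and the non-VTP frame; run with an empty local domain it reports all three VTP frames, which is exactly the "first domain it sees" exposure the thread warns about.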