[c-nsp] VTP war stories (was Re: EoMPLS or VPLS loop prevention/storm control)

Gert Doering gert at greenie.muc.de
Thu Feb 10 05:06:05 EST 2011 

Hi,

On Thu, Feb 10, 2011 at 09:23:08AM +0000, Alan Buxey wrote:
> i dont think these scare stories are useful... yes, VTP can be dangerous - but so can 
> MST, MPLS, access routers remotely and running commands, new person in job, PVST, 
> spanning tree itself, OVT, etc etc.   all can break the network if not configured
> or prepared for.

Well, the point is that there are not enough saveguards in VTP v1 and v2
to require some "more active" wrongdoing to make it explode - and if it
explodes, it usually requires "walking to the some of the affected 
devices to get it fixed".

Things like "plugging in a switch that was used for lab purposes and
after that nicely cleaned of all the VLANs configured on it, because
it was only for labbing" should never bring down a complete production
network - and things like that just don't happen with the other protocols
you mentioned.

> i know of many sites that have thousands of switches in campus environments that 
> have been happily using VTP (v1, v2 and now v3) - perhaps the first thing to do is
> ensure that a 'naked' switch is never anywhere near the production network - ensure

So how exactly do you prevent "naked" switches in areas that you do not
control, but that are (being the nature of things) connected to your
network?

Yes, it can be done, expecially with VTPv3 being much better controlled...

(Another reason why we don't use VTP anymore is that most of the ~1000 VLANs
in use "somewhere in our network" have limited scope to sometimes only 
a single switch, or a group of just a few switches - and with VTP, all
VLANs end up everywhere, overloading the 29xx switch VLAN limits, etc.)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20110210/61cda14e/attachment.pgp>

More information about the cisco-nsp mailing list