Introduction to VTP (VLAN Trunking Protocol)

Hello,

I’ve got a couple of questions. Can someone help me out, please?

  1. Even if using VTP doesn’t lead to any issues, is there a point to using it? All it does is save some effort by creating the VLANs, but that doesn’t sound like such a win if we consider that you have to log in to each switch anyway to add the switchports to their needed VLANs. So not a lot of manual labor (therefore, manual errors) is saved by VTP, and in exchange, it can easily bring the network down. Doesn’t sound like a good tradeoff to me, but I might be missing something.

  2. I’ve read an interesting article that discusses some VTP best practices:
    https://www.firewall.cx/cisco/cisco-switches/cisco-switches-vlan-security.html?highlight=WyJ2dHAiXQ==

The article promises that VTP won’t cause any issues if you configure the following on the intended VTP Server:

CoreSwitch(config)# vtp domain firewall.cx
CoreSwitch(config)# vtp password fedmag secret
CoreSwitch(config)# vtp mode server
CoreSwitch(config)# vtp version 2
CoreSwitch(config)# vtp pruning

However, I don’t understand why any of these would avoid the issue caused by introducing a new switch with a higher revision number into the network.

The only solution I could think of was to add and remove the same VLAN a couple thousand(!) times on the intended VTP Server. Since it’s pretty unlikely that anyone would accidentally modify the VLANs thousands of times, it’s a safe (but not certain) bet that the intended Server would have the highest revision number.

All I’d do is copy-paste around 3000 lines of the following commands into the Server:

CoreSwitch(config)# vlan 111
CoreSwitch(config-vlan)# exit
CoreSwitch(config)# no vlan 111

A couple of things to note:

  • I’d do this to a switch while it’s not connected to the network and I’m connected to it via a console cable.
  • There’s no need for this with VTP 3 if you set up a primary server.
  • I’ve chosen that VLAN number randomly. The important thing would be to make sure that it’s a VLAN that doesn’t actually exist.
  • Creating thousands of copies of these three commands in Notepad++ took me around 5 seconds. (Notepad++ is good because it shows the number of lines.) All I did was copy-paste them into a new tab a couple of times, then select them all with Ctrl+A, press Ctrl+C, then Ctrl+V, and repeat these three steps in this order a couple of times to get around 3000 lines.
  • All I’d do then is select all 3000 and paste them into the Server.
  • I’d rather not use VTP at all, but with versions 1 and 2, I couldn’t think of a better way to decrease the likelihood of an issue. Even so, I’m not a huge fan of this solution, but is there a better way to decrease the chance of someone wiping out all VLANs by accident, if using VTP version 1 or 2 is mandatory?

Wouldn’t that ensure a high enough revision number?

  3. What happens when the highest revision number is reached?

I found only one post about this question here:

I’d be very happy to read a response.
Thank you for reading my long comment.
Attila
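The revision-number behaviour the question turns on, as an added toy model (not code from the original post or from Cisco). It models the VTP v1/v2 overwrite rule (same domain and password, strictly higher revision replaces the local VLAN database), the "vlan N / exit / no vlan N" loop from the post as two commits per round, and the mode-to-transparent reset that is the usual control on a newly introduced switch. The domain and password are taken from the post's configuration; the switch names, VLAN IDs, revision values and the string comparison of the password (real VTP carries an MD5 over it) are constructed simplifications.

```python
"""Toy model of VTP v1/v2 revision handling (constructed example, not Cisco code)."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    mode: str = "server"              # "server", "client" or "transparent"
    domain: str = "firewall.cx"       # domain name from the post's config
    password: str = "fedmag"          # password from the post's config
    revision: int = 0                 # a 32-bit counter in real VTP; modelled as an int
    vlans: set = field(default_factory=lambda: {1})

    def vlan_change(self, vlan_id: int, add: bool) -> int:
        """A VLAN add or remove on a server commits the database and bumps the revision by 1."""
        if self.mode != "server":
            raise PermissionError(f"{self.name}: VLAN edits are only accepted in server mode")
        if add:
            self.vlans.add(vlan_id)
        else:
            self.vlans.discard(vlan_id)
        self.revision += 1
        return self.revision

    def set_mode(self, mode: str) -> None:
        """Entering transparent mode (like changing the domain name) resets the revision to 0."""
        if mode == "transparent":
            self.revision = 0
        self.mode = mode

    def receive_advertisement(self, sender: "Switch") -> bool:
        """Overwrite rule: same domain + password and a strictly higher revision replaces the DB."""
        if self.mode == "transparent":
            return False              # transparent switches forward advertisements, never apply them
        if (sender.domain, sender.password) != (self.domain, self.password):
            return False              # wrong domain or password: advertisement ignored
        if sender.revision <= self.revision:
            return False              # equal or lower revision: nothing happens
        self.vlans = set(sender.vlans)
        self.revision = sender.revision
        return True


def pump_revision(sw: Switch, vlan_id: int, rounds: int) -> int:
    """The post's 'vlan N / exit / no vlan N' loop: each round is two commits, so +2 per round."""
    for _ in range(rounds):
        sw.vlan_change(vlan_id, add=True)
        sw.vlan_change(vlan_id, add=False)
    return sw.revision


def build_core() -> Switch:
    """Constructed sample: core server with three production VLANs, revision 3."""
    core = Switch("CoreSwitch")
    for vlan_id in (10, 20, 30):
        core.vlan_change(vlan_id, add=True)
    return core


def build_stray() -> Switch:
    """Constructed sample: a lab switch with a stale database (only VLAN 1) but revision 50."""
    lab = Switch("LabSwitch")
    for _ in range(25):
        lab.vlan_change(99, add=True)
        lab.vlan_change(99, add=False)
    lab.set_mode("client")            # client mode keeps the revision; only transparent resets it
    return lab


def scenario(pump_rounds: int, reset_stray: bool) -> tuple:
    """Plug the stray switch into the core's domain and report (overwritten?, core revision, VLANs)."""
    core, stray = build_core(), build_stray()
    if pump_rounds:
        pump_revision(core, 111, pump_rounds)     # the post's 1000 rounds = 3000 pasted lines
    if reset_stray:
        stray.set_mode("transparent")             # the usual pre-connection hygiene step
        stray.set_mode("client")
    overwritten = core.receive_advertisement(stray)
    return overwritten, core.revision, sorted(core.vlans)


if __name__ == "__main__":
    print("no protection:   ", scenario(pump_rounds=0, reset_stray=False))
    print("pumped core:     ", scenario(pump_rounds=1000, reset_stray=False))
    print("reset new switch:", scenario(pump_rounds=0, reset_stray=True))
```

Running it shows the three cases side by side: with no protection the stray's revision 50 wipes the core down to VLAN 1; after 1000 rounds of the paste loop the core sits at revision 2003 and ignores the stray; and resetting the new switch's revision to 0 before connecting it protects even an unpumped core. The model also makes the limit of the pumping approach visible: it only defends against strays whose revision is lower than the core's, whereas resetting (or setting a distinct domain and password on) every switch before it joins the domain does not depend on guessing a high enough number.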