Word up!!! 

-----Original Message-----
From: Paul Werner
To: [EMAIL PROTECTED]
Sent: 14/07/01 07:29
Subject: Re: Subject: RE: urgent question related to vtp [7:11687]

***VERBOSITY BIT IS SET***

Delete now if you are time challenged. Comments within and 
below.


> I have been struggling with the evil VTP also. ;-) I have a few
> questions.
> 
> Is VTP required? 

Evil VTP.  I love it.  Yes, for the uninitiated, VTP can 
literally bring down an entire network if you are not careful. 
It has happened. To answer your question above, no it is not 
required in the strictest sense.  Specifically, VTP can be set 
to transparent mode.  You cannot completely turn VTP off, 
because to do so, would necessarily break the protocol's 
operation and segment your network into different VTP domains.

You have a choice of three modes to use.  They are VTP server, 
VTP client, and VTP transparent.  Think of VTP transparent as 
the "manual mode" and VTP client and VTP server as semi-automatic 
mode.  There is never full automation, because 
somebody still has to pull the trigger (in this case physically 
add, modify, or delete a VLAN).  Officially, Cisco says that 
VTP functions in the following manner:

1.  As a VTP server you can create, modify, and delete VLANs. 
You can also specify other VTP parameters such as VTP version, 
VTP pruning, MD5 password, etc.  You also synchronize your VTP 
information with other VTP servers and clients. Its 
configuration is saved in some form of NVRAM.

2.  As a VTP client, they are the same as the VTP server save 
for the fact that you cannot add, delete or modify VLANs or 
VLAN parameters:-)  You can however synchronize with other VTP 
devices and forward VTP advertisements.  Your VTP configuration 
is not saved in NVRAM.   

3.  A switch using VTP transparent can act just like a VTP 
server.  It can add, modify, and delete VLANs.  It cannot 
however synchronize with other VTP devices.  It must however 
forward all VTP advertisements (lest it break VTP's operation).

> Cisco instructions regarding VLANs usually start with
> having you configure VTP, but do you need VTP? (assume a
> small network with few VLANs)

As I mentioned previously, you cannot fully turn it off.  I 
challenge you to do so.  Go ahead and get on the console of 
your IOS based switch.  If it is a CAT 2900XL or a CAT 3500XL, 
go into the vlan database configuration mode.  If you are on an 
almost IOS based Catalyst 1900, go to global config and type 
the following command:

no vtp transparent

See what happens.  Do a "sh vtp" and see what mode you are in.  
If it reads VTP server, go back to global config and do a "no 
vtp server".  See what happens.  I think you will find that it 
complains just a tad:-)

So, to get to where I think you said you really wanted to go, 
you might want to set your VTP mode to transparent on all of 
your switches.  If all of your switches happen to be 2 
switches, it is no big deal.  If all of your switches are 75 
switches, that might be a little cumbersome.  What will be even 
more cumbersome is when you have to add VLAN 78 to all 75 
switches.  That will be very fun - NOT:-)  That is why VTP was 
created; namely to ease the administration of a large LAN 
switched network.

Here's a design tip.  Have a grand total of two VTP servers in 
any given VTP domain.  One is designated as the primary and the 
other is the secondary.  The primary is always used to 
configure VTP information unless it is down for maintenance.  
While down, the secondary is used, as long as the network did 
not get partitioned with the other switch being down.  Make sure 
that the primary has its configuration revision number set to 
zero prior to entering the VTP domain (more later on this). Once 
the primary comes back up, it should synchronize with the 
secondary.  The primary is then used again for VTP 
configuration.

> 
> How does VTP interact with trunks, if at all? 


No Trunk = no VTP advertisements.  Trunking is a mandatory part 
of VTP operation.


> I can configure a trunk to
> carry traffic for a subset of the VLANs that VTP advertises,
> can't I?

Sure.  You can prune user VLANs from trunks.  Here's the 
catch.  VTP advertisements are carried over the management 
VLAN.  That's not one you would necessarily prune from a trunk. 
In many folks' networks, the management VLAN is VLAN 1.  This 
can be changed if needed for security reasons.


> (not sure why I would want to, but I'm just confirming your point
> that VTP is misnamed, e.g. it is not a trunking protocol)

In all fairness, they had to give it some name 8-)  Let's see, 
we got this neat protocol that will keep all of the VLANs 
synchronized over the entire network.  Let's call it VSP (VLAN 
synchronization protocol).  That unfortunately doesn't speak to 
the "transparent mode" which does not synchronize.  "Hey, we 
need a trunk to make this thing work.  Whaddya say we call it 
VLAN Trunking Protocol. If nothing else, at least the name will 
remind everybody what to do to make it work (get trunking up) --
 yeah, that's the ticket, we'll call it VTP"  I don't know, but 
that could have possibly been a late night naming session for a 
protocol.


> Now, for my troubleshooting problem. I have two switches connected
> back-to-back, with two VLANs that span the switches. I had my switches
> in VTP transparent mode and manually configured the VLANs, VLAN 10 and 50,
> Engineering and Accounting on both of them. Then I put them both in
> server mode and gave them both the VTP domain name "Lab."


But did you have a trunk set up between the two switches?  If 
not, all you had was just two switches connected with two 
access (non-trunk) ports.  If you have trunk, VTP will work if 
properly configured.  Now you have another issue involved with 
having two VTP servers.  One must be especially careful with 
IOS based switches in this regard, particularly the CAT 2900XLs 
and the CAT 3500XLs.  VTP changes are not automatically applied 
unless you do two things. You either type the "apply" command, 
or you exit VLAN database configuration mode, whereby all 
changes get applied.  Did you verify that a VLAN added on one 
switch showed up on the other switch?  That is one of the 
points of VTP. 

> After hours of troubleshooting reachability problems between hosts
> connected to the switches, and using a sniffer on a monitor port that
> was monitoring the trunk, I was beginning to suspect problems with
> flooding of unknown unicasts. I finally ran into the documentation
> about VTP pruning. Despite the fact that this feature is not enabled,
> the only thing that fixed my reachability problems was to configure
> the following on each side of the trunk:
> 
> vtp trunk pruning-disable 10 50

I think the effect of this was to have only VLAN1 span both 
switches.  Somehow, I am still wondering if you got a trunk 
established.  For a CAT 1900, the command is at port 
configuration mode as follows:

switchA(config)#int fa0/26
switchA(config-if)#trunk on
switchA(config-if)#end
switchA#

Note that trunking can only happen on a FastEthernet port.  
Since you have a whopping choice of two of these on a CAT 1900, 
your choices are FastEthernet 26 or 27.  Remember, ports 1-24 
are all on the front (whether you bought them or not:-) Port 25 
is on the back (AUI).  Ports 26 and 27 are on the far right on 
the front.  They are typically labeled A and B.

If you are using a CAT 2900XL, then all ports can potentially 
be trunked.  The configuration for that is as follows:

switchB(config)#int fa0/1
switchB(config-if)#switchport mode trunk
switchB(config-if)#end
switchB#

 
> The implication is that my switches thought they were not in the same
> domain and so were pruning. Evil things. I checked the VTP domain name
> over and over again. They are both in "Lab."
> 
> SwitchC#show vtp
>       VTP version: 1
>       Configuration revision: 2
>       Maximum VLANs supported locally: 1005
>       Number of existing VLANs: 7
>       VTP domain name         : Lab
>       VTP password            :
>       VTP operating mode      : Server
>       VTP pruning mode        : Disabled
>       VTP traps generation    : Enabled
>       Configuration last modified by: 172.16.10.3 at 00-00-0000 00:00:00
> SwitchC#
> 
> SwitchA>en
> SwitchA#show vtp
>       VTP version: 1
>       Configuration revision: 2
>       Maximum VLANs supported locally: 1005
>       Number of existing VLANs: 7
>       VTP domain name         : Lab
>       VTP password            :
>       VTP operating mode      : Server
>       VTP pruning mode        : Disabled
>       VTP traps generation    : Enabled
>       Configuration last modified by: 172.16.10.3 at 00-00-0000 00:00:00

If you had no trunk up, you created two "VTP islands."  They 
both do their own thing and don't really know about the other 
switch from a VTP perspective.

Before I depart this thread, let me cover a topic I said would 
have "more later", namely VTP synchronization.  Synchronization 
needs only to be understood from one perspective.  He who has 
the higher number wins.  What does this mean?  In a typical 
network with all going well, the highest VTP configuration 
revision number rests with the primary VTP server.  This is 
where I recommended you add, delete, and modify VLANs.  What 
happens if you decided not to listen to me?  Let's say somebody 
decided to add a VLAN from the primary VTP server and somebody 
else added a VLAN from the secondary VTP server?  Technically, 
it is no big deal.  What if I told you that the main/only trunk 
that connected between these two switches was down?  In effect, 
you would create two VTP domains.  What happens when the trunk 
comes back up?  Here's the scenario:

On the primary VTP server, you added the following VLANs:

Start Config revision number:  98
Add:  VLAN 55
Add:  VLAN 123
Add:   VLAN 4
DELETE: VLAN 41

On the secondary VTP server, you added the following VLANs:

Start Config revision number:  98
Add:  VLAN 65
Add:  VLAN 133
Add:   VLAN 14
DELETE: VLAN 51

Whose configuration would win out, the primary or the 
secondary?  The answer may not be obvious.  In fact it is a 
tie.  So nothing would immediately change; however, you have a 
time bomb waiting to go off.  With the network in its present 
form, all it takes is to add, delete or modify one VLAN, and 
the other configurations from the "losing side" will be wiped 
out.  How do you prevent this?  Never use more than one VTP 
server at a time.

If you really want to know the evil wicked ways of VTP, think 
about how a VTP client could add, delete, and modify the entire 
VTP domain, even though VTP clients cannot do this.  Hint - 
synchronization and a high VTP configuration revision number 
will be key to the answer.


> SwitchA#
> 
> I think I ran into a bug. Notice that pruning is supposedly disabled.
> I'll keep troubleshooting and try to reproduce the problem. Any advice,
> though?


Have trunk, will VTP:-)


> Should I have started with the switches in server mode perhaps? That
> might have helped.

I would recommend starting off putting one in server and the 
rest (the other one) in client mode.  Once you sniff the 
traffic, then play with different combinations to see the 
effect of it all.  I don't know what version of IOS you have, 
but if you have a CAT 2900XL, running I believe 11.x code, try 
out setting a VTP domain name that is 37 characters long (5 
more than allowed). **DO NOT DO THIS IN A PRODUCTION NETWORK**  
I was able to discover a real bug in the IOS that caused a 
fatal exception and got the switch to reload.  You can also get 
the same effect by placing a VTP password longer than 234 
characters (if my memory serves me right).  If you have very 
late 11.x software or 12.x software, it will not do this.


> Or one in client, although the documentation claims that
> Catalyst 1900s can't be configured for client, (which seems to be wrong,

That would be wrong.  The CAT 1900s can do all three modes.
 
> though. I am able to configure client mode.)
> 
> Thanks. Sorry for the length of this message! :-]

Same here :-)

HTH,

Paul Werner

p.s.  If you want to get the definitive text that really covers 
LAN Switching, then you need to get the Cisco LAN Switching 
book by Kennedy Clark and Kevin Hamilton.  If there is a better 
book out there on LAN Switching, I have not seen it.
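The "he who has the higher number wins" rule, the revision-number tie described above, and the pre-join revision check the post recommends are easy to misjudge without seeing the numbers move. The following Python model is an added illustration and is not part of the original mailing-list post, nor Cisco code: it reproduces only the synchronization rule the post describes (higher configuration revision overwrites, equal revision is a no-op, transparent switches forward but never apply, advertisements from another domain are ignored). Switch names, VLAN numbers and the starting revision of 98 are constructed sample data mirroring the post's scenario; the `reset_revision` helper stands in for whatever procedure zeroes the revision on a real switch before it is cabled into a domain.

```python
"""Toy model of VTP configuration-revision synchronization (added example)."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    domain: str
    mode: str            # "server", "client" or "transparent"
    revision: int
    vlans: set = field(default_factory=set)

    def change_vlans(self, add=(), delete=()):
        """Local VLAN edit. Clients cannot edit; servers bump the revision."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot edit VLANs")
        self.vlans |= set(add)
        self.vlans -= set(delete)
        if self.mode == "server":
            self.revision += 1

    def receive_advertisement(self, sender):
        """Apply a neighbour's advertisement received over a trunk.

        Returns a short description of the outcome. Note that the rule only
        compares domain and revision; the sender's mode is irrelevant, which
        is why a stale device with a high revision can overwrite the domain.
        """
        if self.mode == "transparent":
            return "forwarded, not applied"
        if sender.domain != self.domain:
            return "ignored: different domain"
        if sender.revision > self.revision:
            self.vlans = set(sender.vlans)
            self.revision = sender.revision
            return "overwritten by higher revision"
        if sender.revision == self.revision:
            return "tie: no change"
        return "ignored: lower revision"


def reset_revision(switch):
    """Zero the revision, as the post says to do before a switch joins a domain."""
    switch.revision = 0


def join_check(newcomer, domain_revision):
    """Defender's pre-join check: list reasons a switch must not be cabled in yet."""
    problems = []
    if newcomer.revision != 0:
        problems.append(f"{newcomer.name}: revision {newcomer.revision} not reset to zero")
    if newcomer.mode != "transparent" and newcomer.revision >= domain_revision:
        problems.append(f"{newcomer.name}: revision would overwrite the whole domain")
    return problems


def split_brain_scenario():
    """Two servers edited while the trunk is down, then the trunk comes back."""
    base = {1, 10, 41, 50, 51}
    primary = Switch("primary", "Lab", "server", 98, set(base))
    secondary = Switch("secondary", "Lab", "server", 98, set(base))

    # Trunk down: four edits on each side, so both end at revision 102.
    for v in (55, 123, 4):
        primary.change_vlans(add=[v])
    primary.change_vlans(delete=[41])
    for v in (65, 133, 14):
        secondary.change_vlans(add=[v])
    secondary.change_vlans(delete=[51])

    # Trunk up: equal revisions, so neither side changes (the "tie").
    after_trunk_up = secondary.receive_advertisement(primary)

    # One more edit on the primary arms the time bomb: 103 beats 102 and
    # the secondary's independent additions are wiped out.
    primary.change_vlans(add=[99])
    after_next_edit = secondary.receive_advertisement(primary)
    return {
        "after_trunk_up": after_trunk_up,
        "after_next_edit": after_next_edit,
        "primary_revision": primary.revision,
        "primary_vlans": set(primary.vlans),
        "secondary_vlans": set(secondary.vlans),
    }


def stale_switch_scenario():
    """A switch with a stale, high revision is checked, reset, then connected."""
    server = Switch("primary", "Lab", "server", 103, {1, 10, 50})
    stale = Switch("lab-leftover", "Lab", "client", 200, {1})
    before = join_check(stale, server.revision)
    reset_revision(stale)
    after = join_check(stale, server.revision)
    outcome = server.receive_advertisement(stale)
    return before, after, outcome, set(server.vlans)


if __name__ == "__main__":
    print(split_brain_scenario())
    print(stale_switch_scenario())
```

Running it shows the tie after the trunk returns, the overwrite on the very next edit, and that `join_check` flags the stale switch until its revision is reset, after which its advertisement is ignored as a lower revision.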






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=12358&t=11687
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
