Blessay:VTP Version 3.0 — Is VTP Making a Comeback ?
August 10, 2009 by Greg Ferro · 8 Comments
- VTP Version 3.0 — Is VTP making a comeback ?
- Features
- Where it would be useful ?
- VTP — Let’s Recap, Its been a painful journey
- Good things in VTPv3
- No automatic setup of VTP domain
- Support for all VLAN numbers
- Security
- Database Propagation Fixed
- MST Configuration
- What’s the bad news ?
- Limited Device/Software Support
- Interoperability
- Am I going to use it ?
- Anything Else ?
- Comments (8)
VTP Version 3.0 — Is VTP making a comeback ?
I found this document at Cisco.com today about VTPv3. What ? VTPv3 ? I had to dig into that.
Features
The document lists the following key features.
- Protection against data overwrites.
- Support for VLAN numbers up to 4096
- Support for exchanging information regarding PVLANs
- Support for propagation of other databases (not just VLAN data), specifically MST databases but there are hooks for more in the future.
There is a brilliant line here “VTP…is designed to simplify administration and to reduce unintended configuration errors.”. Without a doubt VTP is responsible for some of the biggest outages I have ever seen because of VTP revision problems when new switches are inserted into the network and not many networks today run VTP for exactly that reason.
The paper notes that VTPv3 uses an entirely new code base. This is Cisco-speak for new software and you should look out for bugs for a while.
Where it would be useful ?
One of the most common configuration errors in data centre occurs when someone fails to configure the VLAN database on all switches. In this case, everything works until a failover occurs and, because the VLAN isn’t available on the failover switch, a major problem occurs. This situation is difficult to detect quickly since the failover event often obscures the actual cause.
On the other hand, I have seen an entire data centres taken offline because a junior engineer plugged in a new switch at the top of a new rack and requiring physical intervention on every switch. For this reason, VTP is disabled in most places.
VTP — Let’s Recap, Its been a painful journey
In large campus-style LAN (Universities / Large Enterprise) the automatic propagation and consistency of VLAN allocation means that VTP is a valuable tool for reducing the cost of ownership. In is typical that hours we wasted maintaining and resolving VLAN numbering and allocation issues, especially in networks where documentation and records are not tightly maintained. The historical campus-wide outage is the stuff of legend and VTP is not usually enabled here either.
VTP was intended to make administration of Layer 2 switching domains easier by automatically propagating VLAN details to all switches in a domain. It would be fair to say that in 1999 switching domains were not that big, and administrative control was handled by very few people and often just one person. I think that VTP failed us when our networks got very large and the shortcomings of the protocol were exposed in a large team that would have at least some poorly trained people.
Then we had the change from a separate database in the vlan.dat file to the main IOS configuration which was handled badly. Because it seems to me that there was no consistent approach for the developers I conclude VTP wasn’t going anywhere. VTPv3 was introduced in CatOS 8.1, but only in Dec2008 was included in the C6500 IOS software. Therefore modifications were being made on the fly, not in a consistent planned way.
These problems, plus the huge outages I mentioned earlier, mean that VTPv3 will need a really good story to get engineers and management to agree on it’s implementation.
Good things in VTPv3
So what’s the goodness in VTPv3 that might make you interested ?
No automatic setup of VTP domain
In VTPv2, a factory default switch which receives a VTP message will automatically configure to be in the VTP domain. It’s counter-intuitively a good idea, isn’t it ? But, in the real world, automatic configruation makes you scared. VTPv3 forces manual configuration.
Support for all VLAN numbers
Well, except for 1000 – 1017 which are reserved, you can use VTP for propagating all VLAN numbers in accordance with the IEEE. This is the probably the most important feature.
Security
The VTP domain password is secured in the database and in transmission.
Database Propagation Fixed
The other vital ingredient. “With VTP version 3, only a specific device in a domain, a primary server, is allowed to update other devices.” Logically, only one server per domain can be a primary server. Secondary servers can be defined, but they can never be configured and the secondary server will update its database from the Primary exclusively.
When you configure the Primary VTPv3 server, its checks the VTP messages to determine if any other servers are Primary before asking for confirmation. See below (taken from the Cisco Web Site)
Catalyst6500-1#vtp primary vlan
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue? [confirm]
*Jul 8 12:34:20.047: %SW_VLAN-SP-4-VTP_PRIMARY_SERVER_CHG: 00d0.bcd2.0c00 has become the primary server for the VLAN VTP feature.
MST Configuration
The VTPv3 database is extensible, thus allowing other information to be exchanged and replicated. Currently this includes Multiple Spanning Tree configuration. Which is a good idea since it needs to be the same on all switches and it can be painful changing the configuration on a lot of devices when you don’t
What’s the bad news ?
Limited Device/Software Support
At time of writing, VTPv3 is only available for 12.2.33SXI releases on the C6500 for late models of Supervisor, 12.2.50SG2 on the C4500 with late model of Supervisor (Sup2+/4/5/6). This means that you need to carefully check all the modules in your chassis to make sure they are compatible with this code train.
Interoperability
“VTP3 interoperates with VTP version 2 but not VTP version 1. For devices that are capable of running VTP version 2 but are running in VTP version 1 mode, a change to VTP version 2 is triggered by the VTP version 3 device. Before considering VTP version 3 for your network it is recommended that you verify if all switches in the existing or prospective VTP domain are capable of running in VTP version 2 mode.” — got that ? For a big network with old bits in it, it gonna be painful.
Am I going to use it ?
Yes, in DMZ’s that use PVLANs this is going to be a fantastic way to
- solve my problems with firewall/security people who don’t understand VLANs and especially PVLANs.
- more consistent operation for VLANs leading to less outages when people don’t configure the VLANs correctly.
And because DMZ’s are reasonably small networks (you DMZ’s are on physically separate switches aren’t they ? ), it will be easy to implement on just a few pieces of kit that are tightly controlled.
Anything Else ?
I would be just about guessing here. But I think that VTPv3 will be a vital part of the Data Center Ethernet and the Shortest Path Bridging standards from the IEEE. There needs ot be a lot of synchrony between switches that are going to exchange QoS, SPBB and all the other information that Data Center Ethernet (or Converged Enhanced Ethernet, or Data Center Bridging — whatever you want to call it) will need to function. I suspect that we will all see a lot more of VTPv3 in the next couple of years.
- VTP Version 3.0 — Is VTP making a comeback ?
- Features
- Where it would be useful ?
- VTP — Let’s Recap, Its been a painful journey
- Good things in VTPv3
- No automatic setup of VTP domain
- Support for all VLAN numbers
- Security
- Database Propagation Fixed
- MST Configuration
- What’s the bad news ?
- Limited Device/Software Support
- Interoperability
- Am I going to use it ?
- Anything Else ?
- Comments (8)
Please rate this post:
Why Rate Posts?
(4 votes, average: 7.00 out of 10)
Loading ...Probably Related Posts on the Same Topic
On Layer 2 Access Designs and MPLS
I looking closely at Data Centre Designs at the moment, and been considering whether a looped triangle or a looped square is the best for edge switches. I find it difficult to detect a difference that makes a clear purchasing decision. So I sat down to think about this. I did some pictures and thinking.
…
Blue Coat ProxySG VIP and Cisco Switches Need Multicast Enabled
You have a pair of shiny new ProxySG boxen that you want to setup in active / standby for high availability. You configure it up and everything seems to work, and then it doesn’t, or other equipment on the same network experiences random problems.
What you are having is a Multicast problem with your Ethernet switches, most likely your Cisco switches, that has the problem. How to understand and solve the problem after the jump.
Read the full articleBlessay: Autonegotiation on Ethernet — It Works, It Should Be Mandatory!
EVERYONE — Autosensing on ethernet works just fine, and all manufacturers recommend using autosensing. Why aren’t you !
Lets look at how it works and why you should be using it.
Read the full articleCisco IOS Load Balancing for Blue Coat SGOS
Some time ago I used IOS SLB feature on a C6500 to load balance a pair of Blue Coat ProxySG. Here the confuguration and some notes.
Read the full article
Still have the same campus wide outage issue when someone promotes a switch to primary when it’s offline and then put it online or puts an old ‘primary’ switch back online.
Ah, the guns kill people view of VTP.
I take the view that “guns don’t kill people, people kill people”. By your reckoning VTP should not exist in case you make bad mistake, whereas I would take the view that you shouldn’t employ morons.
VTP is not the problem. It saves a lot money in operational costs, provided that it is used correctly.
Correct.
It should just be part of a basic process to go through before plugging a switch into a live network: “sh vtp status” — now is it a Client and is it in the correct (Case sensitive!) Domain? If not don’t plug it in!
Nice article..
It’s not only supported on the Catalyst 6500 platform anymore, Cisco VTP version 3 is now supported in IOS 12.2(52)SE for the Catalyst 3750, 3560, 2975, and 2960 Switches.
https://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/release/notes/OL19708.html
Looks like Cisco is giving VTP another chance, a very decision in my opinion.
HI Nico,
either I am blind or Cisco has changed their webpage, but there is nothing mentioned in the release notes for 12.2(52)SE about VTPv3.
Hi Pavel,
My fault, you’re right. It’s not mentioned in the previous link I’ve posted.
Just Googled the right url:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps5532/product_bulletin_c25-561469_ps5012_Products_Bulletin.html
Greetz, Nico
Thanks Nico,
have been searching for this quite long — I should have looked under “Bulletins” not under “Release Notes”
I see another future for VTPv3 besides DMZs — in the deployement of the PVLANs in the ISP environments — see http://www.rfc-editor.org/internet-drafts/draft-sanjib-private-vlan-10.txt as an example.
Too bad VTPv3 is currently not implemented for Metro (34xx, 375x) switches.
–pavel