VTP Version 3.0 – Is VTP making a comeback ?
I found this document at Cisco.com today about VTPv3. What ? VTPv3 ? I had to dig into that.
The document lists the following key features.
- Protection against data overwrites.
- Support for VLAN numbers up to 4096
- Support for exchanging information regarding PVLANs
- Support for propagation of other databases (not just VLAN data), specifically MST databases but there are hooks for more in the future.
There is a brilliant line here “VTP…is designed to simplify administration and to reduce unintended configuration errors.”. Without a doubt VTP is responsible for some of the biggest outages I have ever seen because of VTP revision problems when new switches are inserted into the network and not many networks today run VTP for exactly that reason.
The paper notes that VTPv3 uses an entirely new code base. This is Cisco-speak for new software and you should look out for bugs for a while.
Where it would be useful ?
One of the most common configuration errors in† data centre occurs when someone fails to configure the VLAN database on all switches. In this case, everything works until a failover occurs and, because the VLAN isn’t available on the failover switch, a major problem occurs. This situation is difficult to detect quickly since the failover event often obscures the actual cause.
On the other hand, I have seen an entire data centres taken offline because a junior engineer plugged in a new switch at the top of a new rack and requiring physical intervention on every switch. For this reason, VTP is disabled in most places.
VTP – Let’s Recap, Its been a painful journey
In large campus-style LAN (Universities / Large Enterprise) the automatic propagation and consistency of VLAN allocation means that VTP is a valuable tool for reducing the cost of ownership. In is typical that hours we wasted maintaining and resolving VLAN numbering and allocation issues, especially in networks where documentation and records are not tightly maintained. The historical campus-wide outage is the stuff of legend and VTP is not usually enabled here either.
VTP was intended to make administration of Layer 2 switching domains easier by automatically propagating VLAN details to all switches in a domain. It would be fair to say that in 1999 switching domains were not that big, and administrative control was handled by very few people and often just one person. I think that VTP failed us when our networks got very large and the shortcomings of the protocol were exposed in a large team that would have at least some poorly trained people.
Then we had the change from a separate database in the vlan.dat file to the main IOS configuration which was handled badly. Because it seems to me that there was no consistent approach for the developers I conclude VTP wasn’t going anywhere. VTPv3 was introduced in CatOS 8.1, but only in Dec2008 was included in the C6500 IOS software. Therefore modifications were being made on the fly, not in a consistent planned way.
These problems, plus the huge outages I mentioned earlier, mean that VTPv3 will need a really good story to get engineers and management to agree on it’s implementation.
Good things in VTPv3
So what’s the goodness in VTPv3 that might make you interested ?
No automatic setup of VTP domain
In VTPv2, a factory default switch which receives a VTP message will automatically configure to be in the VTP domain. It’s counter-intuitively a good idea, isn’t it ? But, in the real world, automatic configruation makes you scared. VTPv3 forces manual configuration.
Support for all VLAN numbers
Well, except for 1000-1017 which are reserved, you can use VTP for propagating all VLAN numbers in accordance with the IEEE. This is the probably the most important feature.
The VTP domain password is secured in the database and in transmission.
Database Propagation Fixed
The other vital ingredient. “With VTP version 3, only a specific device in a domain, a primary server, is allowed to update other devices.” Logically, only one server per domain can be a primary server. Secondary servers can be defined, but they can never be configured and the secondary server will update its database from the Primary exclusively.
When you configure the Primary VTPv3 server, its checks the VTP messages to determine if any other servers are Primary before asking for confirmation. See below (taken from the Cisco Web Site)
Catalyst6500-1#vtp primary vlan
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue? [confirm]
*Jul 8 12:34:20.047: %SW_VLAN-SP-4-VTP_PRIMARY_SERVER_CHG: 00d0.bcd2.0c00 has become the primary server for the VLAN VTP feature.
The VTPv3 database is extensible, thus allowing other information to be exchanged and replicated. Currently this includes Multiple Spanning Tree configuration. Which is a good idea since it needs to be the same on all switches and it can be painful changing the configuration on a lot of devices when you don’t
What’s the bad news ?
Limited Device/Software Support
At time of writing, VTPv3 is only available for 12.2.33SXI releases on the C6500 for late models of Supervisor, 12.2.50SG2 on the C4500 with late model of Supervisor (Sup2+/4/5/6). This means that you need to carefully check all the modules in your chassis to make sure they are compatible with this code train.
“VTP3 interoperates with VTP version 2 but not VTP version 1. For devices that are capable of running VTP version 2 but are running in VTP version 1 mode, a change to VTP version 2 is triggered by the VTP version 3 device. Before considering VTP version 3 for your network it is recommended that you verify if all switches in the existing or prospective VTP domain are capable of running in VTP version 2 mode.” – got that ? For a big network with old bits in it, it gonna be painful.
Am I going to use it ?
Yes, in DMZ’s that use PVLANs this is going to be a fantastic way to
- solve my problems with firewall/security people who don’t understand VLANs and especially PVLANs.
- more consistent operation for VLANs leading to less outages when people don’t configure the VLANs correctly.
And because DMZ’s are reasonably small networks (you DMZ’s are on physically separate switches aren’t they ? ), it will be easy to implement on just a few pieces of kit that are tightly controlled.
Anything Else ?
I would be just about guessing here. But I think that VTPv3 will be a vital part of the Data Center Ethernet and the Shortest Path Bridging standards from the IEEE. There needs ot be a lot of synchrony between switches that are going to exchange QoS, SPBB and all the other information that Data Center Ethernet (or Converged Enhanced Ethernet, or Data Center Bridging – whatever you want to call it) will need to function. I suspect that we will all see a lot more of VTPv3 in the next couple of years.