Cisco – VTP Mode Automatically Changing to Server

Tags: cisco, cisco-catalyst, switch, switching, vtp

Really hoping you can help me shed some light on some serious issues I've been experiencing on our production network. I'll give a quick background and explain the issue.

Background:
Our network consists mainly of 2960 & 3750 Cisco switches. Last year we experienced a complete network outage when a new switch stack was added with VTP server mode enabled and a new VLAN added, which propagated and wiped out all other VLANs.

The outcome was to change the VTP mode on all switches to transparent, problem solved… or so we thought.

Friday Last Week:
I set up two new stacks (ensuring both had VTP mode set to transparent), then we had a vendor add an additional VLAN onto their managed switch (which connects our internal switches) to allow traffic from a new site. As soon as we opened the trunk port, 2 of our floors lost connectivity. I quickly logged on and found that not only my new switch stack but 3 completely separate stacks had their VTP mode set to server, and it had propagated VLANs again!

Question:
Has anyone seen this behaviour before? I'm certain all switch stacks were set to transparent, so I'm gobsmacked as well as freaking out as to how this could have happened again…

Any insight would be greatly appreciated!

Cheers,
D

Best Answer

It sounds like someone removed the domain name and password on the switches in question. This leaves them with no VTP set, just like a new switch, which will auto-configure VTP from VTP advertisements it sees, even from new switches added. The VTP domain name is also carried in DTP messages. A best practice is to use the switchport mode trunk and switchport nonegotiate commands to disable DTP on the trunk links and unconditionally trunk.

You should set the domain name, password, and Transparent mode, and insist that all new or replacement switches be set that way prior to connecting to your network.

Another Cisco best practice is to only use a VLAN on one access switch, rather than have VLANs across multiple switches. This will prevent many STP problems. It used to be, "switch where you can, route where you must," but that is now obsolete. It is now a layer-3 world, and almost nothing requires hosts to be on the same layer-2 broadcast domain.

By the way, switches in Client mode could have done that to you, too. It is not only Server mode switches which can override the VLAN database (see highlighted text):

Add a Switch to the VTP Domain

A recently added switch can cause problems in the network. It can be a switch that was previously used in the lab, and a good VTP domain name was entered. The switch was configured as a VTP client and was connected to the rest of the network. Then, you brought the trunk link up to the rest of the network. In just a few seconds, the whole network can go down.

If the configuration revision number of the switch that you inserted is higher than the configuration revision number of the VTP domain, it propagates its VLAN database through the VTP domain.

This occurs whether the switch is a VTP client or a VTP server. A VTP client can erase VLAN information on a VTP server. You can tell this has occurred when many of the ports in your network go into the Inactive state but continue to assign to a nonexistent VLAN.
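The answer above boils down to a checklist (every switch in transparent mode, with a domain name and password set, trunks forced up with DTP disabled) plus Cisco's warning that any server or client carrying a higher configuration revision can overwrite the domain. The following script is an added example, not part of the question, the answer or any Cisco tool: it parses the "Key : Value" lines of IOS `show vtp status` output for several stacks, flags the conditions the answer describes, and emits the IOS lines that bring a non-compliant switch into the recommended state. The three `show vtp status` outputs, the hostnames, the domain name `CORP`, the trunk port name and the password placeholder are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Domain name this network is assumed to use (hypothetical; the question names none).
EXPECTED_DOMAIN = "CORP"

# Constructed 'show vtp status' outputs for three hypothetical stacks. Field names
# follow the IOS layout seen on 2960/3750 switches; every value is made up.
SAMPLE_OUTPUTS = {
    "stack-fl2": """VTP Version                     : running VTP2
Configuration Revision          : 0
Maximum VLANs supported locally : 255
Number of existing VLANs        : 12
VTP Operating Mode              : Transparent
VTP Domain Name                 : CORP
VTP Pruning Mode                : Disabled
""",
    "stack-fl3": """VTP Version                     : running VTP2
Configuration Revision          : 27
Maximum VLANs supported locally : 255
Number of existing VLANs        : 3
VTP Operating Mode              : Server
VTP Domain Name                 : VENDOR-DOM
VTP Pruning Mode                : Disabled
""",
    "stack-new": """VTP Version                     : running VTP2
Configuration Revision          : 0
Maximum VLANs supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
""",
}

KV_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def parse_vtp_status(text: str) -> dict:
    """Turn the 'Key : Value' lines of show vtp status into a dict (empty value allowed)."""
    fields = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


@dataclass
class VtpFinding:
    host: str
    mode: str
    domain: str
    revision: int
    problems: list


def audit_vtp(host: str, text: str, expected_domain: str = EXPECTED_DOMAIN) -> VtpFinding:
    """Apply the answer's checklist to one switch's show vtp status output."""
    f = parse_vtp_status(text)
    mode = f.get("VTP Operating Mode", "")
    domain = f.get("VTP Domain Name", "")
    try:
        revision = int(f.get("Configuration Revision", "0"))
    except ValueError:
        revision = -1

    problems = []
    if mode.lower() != "transparent":
        problems.append(f"operating mode is '{mode or 'unknown'}', expected Transparent")
    if not domain:
        # A null domain is the failure mode the answer describes: the switch adopts
        # whatever domain name it first hears in a VTP or DTP message on a trunk.
        problems.append("no VTP domain name set; switch will learn one from the first trunk peer")
    elif domain != expected_domain:
        problems.append(f"domain '{domain}' differs from expected '{expected_domain}'")
    if mode.lower() in ("server", "client") and revision > 0:
        # Cisco's note: server OR client with a higher revision overwrites the domain.
        problems.append(f"revision {revision} in {mode} mode would overwrite peers with a lower revision")
    return VtpFinding(host, mode, domain, revision, problems)


def remediation_config(finding: VtpFinding, password: str, trunk_ports) -> str:
    """IOS lines putting a non-compliant switch into the recommended state; '' if already compliant."""
    if not finding.problems:
        return ""
    lines = [
        "vtp mode transparent",          # keeps its own VLAN database, ignores advertisements
        f"vtp domain {EXPECTED_DOMAIN}",
        f"vtp password {password}",
    ]
    for intf in trunk_ports:
        lines += [
            f"interface {intf}",
            # ISL-capable models such as the 3750 also need 'switchport trunk
            # encapsulation dot1q' before this line; the 2960 does not accept it.
            " switchport mode trunk",
            " switchport nonegotiate",   # no DTP, so no domain name leaks over DTP either
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for host, out in SAMPLE_OUTPUTS.items():
        fnd = audit_vtp(host, out)
        state = "OK" if not fnd.problems else "NON-COMPLIANT"
        print(f"{host}: {state} (mode={fnd.mode or '?'}, domain={fnd.domain or '<none>'}, rev={fnd.revision})")
        for p in fnd.problems:
            print(f"  - {p}")
        cfg = remediation_config(fnd, "REPLACE-ME", ["GigabitEthernet1/0/48"])  # placeholder password/port
        if cfg:
            print("  proposed config:")
            print("\n".join("    " + l for l in cfg.splitlines()))
```

Running it against the constructed outputs reports stack-fl2 as compliant and the other two as non-compliant, with the offending conditions listed. Feeding it real output collected from each stack before a new trunk is brought up is the practical use: a single switch with a blank domain name or a high revision in server or client mode is exactly what the answer says to catch before it is connected.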