Really hoping you can help me shed some light on some serious issues I've been experiencing on our production network. I'll give a quick background and explain the issue.
Background:
Our network consists mainly of 2960 & 3750 Cisco switches. Last year we experienced a complete network outage when a new switch stack was added with VTP server mode enabled and a new VLAN was added, which propagated and wiped out all our other VLANs.
The outcome was to change the VTP mode on all switches to transparent, problem solved… or so we thought.
Friday Last Week:
I set up two new stacks (ensuring both had VTP mode set to transparent), then we had a vendor add an additional VLAN onto their managed switch (which connects our internal switches) to allow traffic from a new site. As soon as we opened the trunk port, 2 of our floors lost connectivity. I quickly logged on and found that not only my new switch stack but 3 completely separate other stacks had their VTP mode set to server, and it had propagated VLANs again!
Question:
Has anyone seen this behaviour before? I'm certain all switch stacks were set to transparent, so I'm gobsmacked as well as freaking out as to how this could have happened again…
Any insight would be greatly appreciated!
Cheers,
D
Best Answer
It sounds like someone removed the domain name and password on the switches in question. This leaves them with no VTP set, just like a new switch, which will auto-configure VTP from VTP advertisements it sees, even from newly added switches. The VTP domain name is also carried in DTP messages. A best practice is to use the switchport mode trunk and switchport nonegotiate commands to disable DTP on the trunk links and unconditionally trunk. You should set the domain name, password, and Transparent mode, and insist that all new or replacement switches be set that way prior to connecting to your network.
Another Cisco best practice is to only use a VLAN on one access switch, rather than have VLANs across multiple switches. This will prevent many STP problems. It used to be, "switch where you can, route where you must," but that is now obsolete. It is now a layer-3 world, and almost nothing requires hosts to be on the same layer-2 broadcast domain.
By the way, switches in Client mode could have done that to you, too. It is not only Server mode switches which can override the VLAN database (see highlighted text):
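As an added example (not part of the question or the answer above), here is a small Python audit of running-config text that flags the conditions the answer describes: VTP mode not transparent (including the default server mode, which IOS does not print in the config), no VTP domain set, and trunk ports that still negotiate via DTP. The sample configs and interface names are constructed for this example.

```python
import re

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Group the indented lines of a running-config under their interface name."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # left the interface section
    return blocks

def audit_vtp(config: str) -> list[str]:
    """Return findings for one switch's running-config text (empty list = OK)."""
    findings: list[str] = []
    mode = re.search(r"^vtp mode (\S+)", config, re.M)
    # IOS omits the default (server) mode from running-config, so no line means server.
    mode_name = mode.group(1) if mode else "server (default, not shown)"
    if mode_name != "transparent":
        findings.append(f"VTP mode is {mode_name}; expected transparent")
    if not re.search(r"^vtp domain \S+", config, re.M):
        findings.append("no VTP domain set; switch adopts the first domain heard via VTP or DTP")
    # The VTP password is not printed in running-config; verify it with 'show vtp password'.
    for name, lines in parse_interfaces(config).items():
        if any(l.startswith("switchport mode dynamic") for l in lines):
            findings.append(f"{name}: dynamic mode negotiates trunking via DTP")
        elif "switchport mode trunk" in lines and "switchport nonegotiate" not in lines:
            findings.append(f"{name}: trunk without switchport nonegotiate, DTP still sent")
    return findings

# Constructed sample configs (not the poster's real configuration).
GOOD_CFG = """\
vtp domain CORP
vtp mode transparent
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport nonegotiate
"""
BAD_CFG = """\
interface GigabitEthernet1/0/47
 switchport mode trunk
interface GigabitEthernet1/0/48
 switchport mode dynamic desirable
"""
```

Run audit_vtp() over the saved running-config of each stack before connecting it; the second sample yields four findings, the first none.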