Show 59 – Design Clinic 1 – Is This Virtual Whiteboard On?


About Design Clinics

People send in their questions, we share them using an online meeting service and then use diagrams, open microphones, and lots of discussion to answer questions.

We are still working out how to hold, run and manage the Design Clinic as a show. This is our second, but the first to include screen recording. The only problem is that we didn’t handle questions with diagrams until somewhere around the 40 minute mark.

We will be changing the format of future shows to be better organised, with more focussed content based on the lessons learned. So please bear with us while we develop the show. Feedback from those who attended the live event was positive about the concept and delivery – thanks for your emails.

Topics Covered

Tom had this question:

I just had a quick question regarding VTP. In L2 design, is VTP a) relevant and b) can VTP be leveraged in a campus LAN? Having gone through CCNA and recently CCNP Switch, it seems like nowadays all VLANs are local to the access switches, making VTP obsolete. Is there any point to VTP other than another Cisco proprietary protocol and legacy knowledge from previous generations? Spanning Tree has enough issues without having to worry if a new VTP switch will take down your entire network with a higher Config Register. I wonder what its real world use is (if any).

We talked about this and the different reasons for it. During the discussion we referenced the blog post “Fate Sharing, Failure Domains and Why VTP Is Awesome”, which has different ideas on how to make VTP work for you.

Then we talked about VXLAN, which was announced with much hoohaa this week.

Then we looked at CJ’s question:

Attached are the physical connections of our core. We have an ASR that is currently sitting in one of our COs…the question is how do we design the new core network. I currently work for a Service Provider and we have SONET and Ethernet rings. We provide MPLS to customers and also QinQ circuits.

So the questions are:

1. Do we move some routers to the other city COs for L3 services in those cities?
2. How do we introduce the ASR?
3. Depending on the design of the four routers, where should we run BGP and MPLS?
4. Anything else that comes to mind.

As always, please tell your friends and colleagues about us. Send your feedback and design questions to [email protected] for future shows. We can’t promise we will answer them, but we will try. See “Setting Up for the Next Design Clinic – A Call for Questions” for some tips on how to ask questions. And think about getting a microphone headset for your computer.

Greg Ferro
Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT with a wide range of employers, working as a freelance consultant for Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count. He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com, and on Twitter @etherealmind and Google Plus.
  • http://blog.masker.net Jason Masker

    A quick correction to add on the VTP discussion. A switch in VTP client mode can and will hose up your VTP environment. Highest revision number wins. Period. The only exception is VTP transparent mode, which is the closest thing you have to an off switch for VTP: the device will pass VTP packets, but not act on them or participate in any way with the VTP domain. This is the single biggest mistake, I think, with VTP which can result in disaster. You cannot assume that by putting a switch into VTP client mode, you will ensure it downloads the VTP database instead of updating it. The client and server modes merely determine if you can edit VLANs on the switch or not. There can be multiple servers and clients. You are allowed to edit VLANs for the entire VTP domain on the server nodes, but not on the clients.

    Also, the VTP password mostly protects against someone connecting an evil switch or software to your network and trying to hose up your VLANs. I believe the VTP domain name is passed in the clear in updates and so is not any form of security. The VTP password is MD5 hashed along with details about the revision in an update in order to authenticate the source. Passwords do not protect you much from misconfiguration because typically the name and the password will be sitting next to each other in the same script. Also, until VTP 3 there was no way to keep a VTP password from being displayed to anyone with access to the ‘show vtp password’ command. It may protect against misconfiguration when a general, common VTP domain name is employed, but I think it is mostly there to ensure updates are coming from a source you intended.

    So the way to make sure you don’t hose up your VLANs with VTP is to either set VTP transparent mode or ensure that your VTP revision number is lower than the revision number of VTP on switches already present. You can reset the VTP revision number by changing the VTP domain name. Personally, if I have complete control of every device on the network, I’ve found VTP can be very convenient. If I share that control with anyone at all, I tend to prefer VTP mode transparent on any device I care about.
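The revision-number behaviour described in the comment above is easy to reason about with a small model. The following is an added example, not code from the show or from the commenter: a toy simulation of VTP database propagation that implements only the rules stated in the comment (within one domain the highest configuration revision wins, client or server alike; transparent mode neither applies nor originates updates; changing the domain name resets the revision to 0). Switch names, VLAN names and revision numbers are constructed sample data, and real VTP frame formats, timers and passwords are deliberately not modelled.

```python
"""Toy model of VTP configuration-revision handling (added example).

Only the rule from the discussion is modelled: in one VTP domain the highest
configuration revision wins, regardless of client/server mode, and a transparent
switch forwards VTP but never applies or originates a database.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: Dict[int, str]


@dataclass
class Switch:
    name: str
    domain: str
    mode: str                      # "server", "client" or "transparent"
    revision: int
    vlans: Dict[int, str] = field(default_factory=dict)

    def advertise(self) -> Optional[Advertisement]:
        # Transparent switches relay VTP frames but originate nothing of their own.
        if self.mode == "transparent":
            return None
        return Advertisement(self.domain, self.revision, dict(self.vlans))

    def receive(self, adv: Advertisement) -> bool:
        """Apply a neighbour's advertisement. Returns True if the local DB was replaced."""
        if self.mode == "transparent" or adv.domain != self.domain:
            return False
        if adv.revision > self.revision:   # higher revision wins, client or server alike
            self.revision = adv.revision
            self.vlans = dict(adv.vlans)
            return True
        return False

    def change_domain(self, new_domain: str) -> None:
        """Renaming the VTP domain resets the configuration revision to 0."""
        self.domain = new_domain
        self.revision = 0


def converge(switches: List[Switch]) -> List[str]:
    """Flood advertisements over a shared trunk until nothing changes.

    Returns the names of switches whose VLAN database was overwritten."""
    overwritten: List[str] = []
    changed = True
    while changed:
        changed = False
        for src in switches:
            adv = src.advertise()
            if adv is None:
                continue
            for dst in switches:
                if dst is not src and dst.receive(adv):
                    overwritten.append(dst.name)
                    changed = True
    return overwritten


# Constructed production VLAN database (sample data, not from any real network).
PROD_VLANS = {10: "USERS", 20: "VOIP", 30: "SERVERS"}


def attach_lab_switch(mode: str, reset_revision: bool) -> Tuple[Dict[int, str], List[str]]:
    """Plug a reused lab switch into production; return the core's VLAN DB and who got overwritten.

    mode           - VTP mode the lab switch is put in before being connected.
    reset_revision - whether the domain-rename trick is used to zero its revision first.
    """
    core = Switch("core-1", "CAMPUS", "server", revision=12, vlans=dict(PROD_VLANS))
    access = Switch("access-7", "CAMPUS", "client", revision=12, vlans=dict(PROD_VLANS))
    # The lab switch was edited many times (revision 40) but only knows VLAN 1.
    lab = Switch("lab-3", "CAMPUS", mode, revision=40, vlans={1: "default"})
    if reset_revision:
        lab.change_domain("SCRATCH")   # revision -> 0
        lab.change_domain("CAMPUS")    # back into the production domain, still revision 0
    overwritten = converge([core, access, lab])
    return core.vlans, overwritten


if __name__ == "__main__":
    for mode, reset in (("client", False), ("client", True), ("transparent", False)):
        vlans, hit = attach_lab_switch(mode, reset)
        print(f"mode={mode:<11} reset={reset!s:<5} core VLANs={vlans} overwritten={hit}")
```

Running it shows the three outcomes the comment describes: a client-mode switch with revision 40 replaces the VLAN database on both the core server and the access client, zeroing the revision by renaming the domain lets the lab switch learn the production database instead, and a transparent-mode switch leaves everything untouched.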

  • Matt Carter

    Really liked this show, so glad you did this type of show and would like to see more. But don’t stop the podcasts, otherwise I’d have to dust off the old Diana Ross CDs.