
VTP Basics

June 18, 2012

VLAN Trunking Protocol (VTP) is a Cisco proprietary technology. Ask administrators whether they like VTP and you will get varying answers. I don’t think anyone will deny there is a convenience that VTP provides. However, dangers associated with VTP are enough to make an administrator shy away from VTP as well. I’ll go into these risks later and what can be done to avoid them.

VTP is a technology which assists in VLAN configuration and assignment in a layer 2 domain. Without VTP, proper VLANs must be assigned to each trunk port. If a network has 10 switches and a single VLAN is added, it has to be configured on each switch and each trunk port. Not too hard, but a little error-prone and tedious. This is where VTP steps in. When a VLAN configuration change is made on a switch, the VLAN information is sent to all switches in that VTP domain.

A VTP domain defines which VTP-enabled switches are allowed to send VLAN information to each other. One VTP domain could be created for a data center, another for the first floor, and another for the second floor. A VTP domain is specified with the vtp domain VTPDomain command.

One or more switches in a VTP domain need to be the VTP Server. Switches are assigned the VTP server role by issuing the vtp mode server command. VTP servers can have VLANs configured on them and will push the configuration out to all VTP servers and clients on the VTP domain.

A VTP client is a switch which accepts configurations but doesn’t allow for manual VLAN configuration through its CLI. Any VLAN configuration needs to be done on the VTP server. Immediately after the vlan.dat file is updated on the server, VTP packets are sent through the layer 2 network and clients update their vlan.dat file.

In addition to server and client modes, a third type exists. Transparent mode effectively disables VTP on the switch without completely turning it off. VTP packets will be sent through a transparent switch, but the packets won’t be processed by the transparent switch.

VTP servers and clients have a “VTP configuration revision number”. When a switch enters VTP server mode, the revision number is set at zero. When a client or server receives a VTP packet, it compares the domain, passwords, and revision numbers. If the domain and passwords match, it accepts the new configuration if the received revision number is higher than the current revision number.

Let’s say a brand new switch network is brought up. Four switches are configured as clients while one is a server. A VLAN is created on the server. The VTP server increments the revision number by one and sends the update out. Any switches on the network in that VTP domain receive the update request and accept it because their revision numbers were zero and the new number is one.

The beginning of this article mentioned dangers around VTP. When a switch in server or client mode joins a network, it broadcasts its VTP information, including its revision number. Pretend there is a stable network with the VTP domain “VTPDomain” and a revision number of 176. An office closed, so one of the switches from that office is brought into the active office to add a new floor of employees. The closed office also used the “VTPDomain” name but had a revision of 216. The switch is configured to be a client and is plugged into the network. Immediately it broadcasts its VTP information. All properly configured switches see the higher revision number and replace their VLAN configurations with the VLAN configuration from the closed office. Support calls ensue (that is, unless they’re using VoIP on these same switches).

There are a few steps which can be taken to prevent this from happening.

  1. Make sure unique VTP domain names are used for each domain.
  2. Each VTP domain should have a unique password. If unique passwords are set, then even if there is a VTP domain name conflict, the switches won’t accept the bad configuration because the password won’t be accepted.
  3. Before plugging any new switches into the network, set the switch to transparent mode and then to client or server mode. This action resets the VTP revision number to 0, guaranteeing it won’t broadcast bad VLAN information.
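The closed-office scenario and the three steps above, modeled as an added example (not code from the original article). It implements only the acceptance rule as the article states it; the VLAN IDs, the switch names, the second domain name and the second password are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Switch:
    name: str
    mode: str        # "server", "client" or "transparent"
    domain: str
    password: str
    revision: int
    vlans: tuple     # VLAN IDs this switch currently holds

def accepts(receiver, sender):
    """Acceptance rule as the article states it: domain and password must
    match, and the received revision must be higher than the current one."""
    if receiver.mode == "transparent":
        return False                     # transparent switches do not process VTP
    return (receiver.domain == sender.domain
            and receiver.password == sender.password
            and sender.revision > receiver.revision)

def plug_in(network, newcomer):
    """Network state after the newcomer advertises its VTP information."""
    return [replace(sw, revision=newcomer.revision, vlans=newcomer.vlans)
            if accepts(sw, newcomer) else sw for sw in network]

def overwritten(before, after):
    """Names of switches whose VLAN list changed."""
    return [b.name for b, a in zip(before, after) if b.vlans != a.vlans]

# Constructed scenario from the article: active network at revision 176,
# switch from the closed office at revision 216, same domain name.
ACTIVE = [Switch(f"SW{i}", "server" if i == 1 else "client",
                 "VTPDomain", "passw0rd", 176, (1, 10, 20)) for i in range(1, 6)]
OLD = Switch("OLD-OFFICE", "client", "VTPDomain", "passw0rd", 216, (1, 99))

def scenarios():
    """Switches overwritten with no mitigation and with each of the three steps."""
    cases = {
        "no mitigation": OLD,
        "1. unique domain": replace(OLD, domain="ClosedOffice"),    # hypothetical name
        "2. unique password": replace(OLD, password="0ther-pw"),    # hypothetical value
        "3. revision reset": replace(OLD, revision=0),  # transparent, then client
    }
    return {k: overwritten(ACTIVE, plug_in(ACTIVE, sw)) for k, sw in cases.items()}

if __name__ == "__main__":
    for case, names in scenarios().items():
        print(f"{case:20} overwritten: {names or 'none'}")
```

Without any of the steps, all five switches in the active network take the closed office's VLAN list; with any one of them, none do.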

Configuring VTP is pretty straightforward so I won’t go into what each command does. Here is a basic configuration on a VTP server.

SW1(config)# vtp domain VTPDomain
Setting VTP domain name to VTPDomain.
SW1(config)# vtp mode server
Setting device to VTP Server mode for VLANS.
SW1(config)# vtp version 2
Setting device to VTP version 2.
SW1(config)# vtp password passw0rd
Setting device VLAN database password to passw0rd.

To verify configuration of VTP, run the show vtp status command.

VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 1
VTP Operating Mode : Server
VTP Domain Name : VTPDomain
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x46 0x61 0xA6 0xC8 0x1F 0x9B 0x64 0x6A
Configuration last modified by at 3-1-93 01:34:49
Local updater ID is on interface Vl55 (lowest numbered VLAN interface found)

When two switches on a single network aren’t running VTP properly, compare the MD5 digest on the switches. If they do not match, review the VTP version, the domain, password, and revision numbers.
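The comparison described above, as an added example that is not part of the original article: it parses two show vtp status outputs in the format shown and returns what to review, following the article's checklist. SW1 reuses lines from the output above; the SW2 and SW3 values are constructed, and because the password does not appear in this output, a digest mismatch with all displayed fields equal is reported as "password".

```python
import re

# Fields from the article's checklist that appear in the output.
DISPLAYED = ("VTP Version", "VTP Domain Name", "Configuration Revision")

def parse_vtp_status(text):
    """Turn 'Key : Value' lines into a dict; lines without ' : ' are skipped."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s+:\s*(.*?)\s*$", line)
        if m:
            status[m.group(1)] = m.group(2)
    return status

def review_list(a_text, b_text):
    """Empty list if the MD5 digests match, else the fields to review."""
    a, b = parse_vtp_status(a_text), parse_vtp_status(b_text)
    if "MD5 digest" not in a or "MD5 digest" not in b:
        raise ValueError("MD5 digest line missing from output")
    if a["MD5 digest"] == b["MD5 digest"]:
        return []
    diffs = [f for f in DISPLAYED if a.get(f) != b.get(f)]
    # Everything displayed matches: the password is what remains to review.
    return diffs or ["password"]

SW1 = """VTP Version : 2
Configuration Revision : 0
VTP Operating Mode : Server
VTP Domain Name : VTPDomain
MD5 digest : 0x46 0x61 0xA6 0xC8 0x1F 0x9B 0x64 0x6A
Configuration last modified by at 3-1-93 01:34:49"""
# Constructed variants: different revision and digest, then digest only.
SW2 = SW1.replace("Revision : 0", "Revision : 3").replace("0x46 0x61", "0x11 0x22")
SW3 = SW1.replace("0x46 0x61", "0x11 0x22")

if __name__ == "__main__":
    print(review_list(SW1, SW2))
    print(review_list(SW1, SW3))
```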

