Configuring VTP
VTP Modes
VTP Features
VTP Versions
In our first example, we'll look at a simple two-switch setup and then add
to the network to illustrate the importance of VTP.
Here, the only two members of VLAN 10 are found on the same switch.
We can create VLAN 10 on SW1, and SW2 really doesn't need to know
about this new VLAN.
We know that the chances of all the hosts in a VLAN being on one switch
are very remote! More realistic is a scenario like the following, where the
center or "core" switch has no ports in a certain VLAN, but traffic destined
for that VLAN will be going through that very core switch.
SW2 doesn't have any hosts in VLAN 10, but for VLAN 10 traffic to
successfully travel from SW1 to SW3 and vice versa, SW2 has to know
about VLAN 10's existence.
SW2 could be configured manually with VLAN 10, but that's going to get
very old very fast. Considering that most networks have a lot more than
three switches, statically configuring every VLAN on every switch would
soon take up a lot of your time, as would troubleshooting the network
when you invariably leave a switch out!
The key phrase there is "in the same domain". By default, Cisco switches
are not in a VTP domain. Before working with VTP in a home lab or
production network, run show vtp status. (The official term for a VTP
domain is "management domain", but we'll just call them domains in this
section. The only place you'll probably see that full phrase is on the
exam.)
There's nothing next to "VTP Domain Name", so a VTP domain has not
yet been configured. We'll now change that by placing this switch into a
domain called CCNP. Watch this command - it is case sensitive.
After configuring the VTP domain "CCNP" on SW2, SW1 is also placed
into that domain. Each switch can now successfully advertise its VLAN
information to the other, and as switches are added to this VTP domain,
those switches will receive these advertisements as well.
A Cisco switch can belong to one and only one VTP domain.
VTP Modes
In the previous show vtp status readouts, the VTP Operating Mode is set
to Server. The more familiar term for VTP Operating Mode is simply VTP
Mode, and Server is the default. It's through the usage of VTP modes
that we can place limits on which switches can delete and create VLANs.
It's not unusual for edge switches such as SW1 and SW3 to be available
to more people than they should be. If SW2 is the only switch that's
physically secure, SW2 should be the only VTP Server. Let's review the
VTP Modes and then configure SW1 and SW3 appropriately.
In Server mode, a VTP switch can be used to create, modify, and delete
VLANs. This means that a VTP deployment has to have at least one
Server, or VLAN creation will not be possible. This is the default setting
for Cisco switches.
VTP Transparent mode actually means that the switch isn't participating in
VTP. (Bear with me here.) Transparent VTP switches don't synchronize
their VTP databases with other VTP speakers; they don't even advertise
their own VLAN information! Therefore, any VLANs created on a
Transparent VTP switch will not be advertised to other VTP speakers in
the domain, making them locally significant only.
I'm not saying that Transparent mode is evil, or even bad; I am saying that
you have to be careful when implementing Transparent mode into your
network.
There are two versions of VTP, V1 and V2, and the main difference
between the two versions affects how a VTP Transparent switch handles
an incoming VTP advertisement.
To ensure that no one can create VLANs on SW1 and SW3, we'll
configure both of them as VTP Clients. SW1's configuration and the
resulting output of show vtp status is shown below.
This often leads to a situation where only the VTP Clients will have ports
that belong to a given VLAN, but the VLAN still has to be created on the
VTP Server. VLANs can be created and deleted in Transparent mode,
but those changes aren't advertised to other switches in the VTP domain.
Also, switches do not advertise their VTP mode.
You have to decide this for yourself in your production network, but I will
share a simple method that's always worked for me - if you can absolutely
secure a switch, make it a VTP server. If multiple admins will have
access to the switch, you may consider making that switch a VTP Client in
order to minimize the chance of unwanted or unauthorized changes being
made to your VLAN scheme.
The VTP Advertisement Process
VTP Advertisements are multicasts, but they are not sent out every port
on the switch. The only devices that need the VTP advertisements are
other switches that are trunking with the local switch, so VTP
advertisements are sent out trunk ports only. The hosts in VLAN 10 in the
following exhibit would not receive VTP advertisements.
If SW1's revision number had been higher than that in the VTP
advertisement from SW2, the advertisement would have been ignored.
In this example, SW2 is the root and is sending out an advertisement with
revision number 300. The three switches are running VLANs 10, 20, 30,
40, and 50, and everything's just fine. The VTP domain is CCNP.
Now, a switch that was at another client site is brought to this client and
installed in the CCNP domain. The problem is that the VTP revision
number on the newly installed switch is 500, and this switch only knows
about the default VLAN, VLAN 1.
I've seen this happen with switches that were brought in to swap out a
downed switch. That revision number has to be reset to zero! If you ever
see VLAN connectivity suddenly lost in your network, but the switches are
all functional, you should immediately check to see if a new switch was
recently installed. If the answer is yes, I can practically guarantee that the
revision number is the issue.
Cisco theory holds that there are two ways to reset a switch's revision
number to zero:
It's a good practice to perform this reset with VTP Clients as well as
Servers. In short, every time you introduce a switch to your network and
that switch didn't just come out of the box, perform this reset. And if it did
come out of the box, check it anyway. ;)
To see the number of advertisements that have been sent and received,
run show vtp counters.
I'm sure you noticed that there are different types of advertisements!
There are three major types of VTP advertisements - here's what they are
and what they do. Keep in mind that Cisco switches only accept VTP
advertisements from other switches in the same VTP domain.
Earlier in this section, you saw how to place a switch into a VTP domain:
VTP Pruning
In the following example, VTP allows both switches to know about VLANs
2 - 19, even though neither switch has ports in all those VLANs. Since a
trunk port belongs to every VLAN, they both forward broadcasts and
multicasts for all those VLANs. Both switches are transmitting and
receiving broadcasts and multicasts that they do not need.
Configuring VTP Pruning allows the switches to send broadcasts and
multicasts to a remote switch only if the remote switch actually has ports
that belong to that VLAN. This simple configuration will prevent a great
deal of unnecessary traffic from crossing the trunk.
vtp pruning enables pruning for all VLANs in the VTP domain; every VLAN
from 2 - 1001 is eligible to be pruned. The reserved VLANs you see in
show vlan brief - VLAN 1 and VLANs 1002 - 1005 - cannot be pruned.
Stopping unnecessary broadcasts might not seem like such a big deal in
a two-switch example, but most of our networks have more than two
switches! Consider this example:
If the three hosts shown in VLAN 7 are the only hosts in that VLAN,
there's no reason for VLAN 7 broadcasts to reach the middle and bottom
two switches. Without VTP pruning, that's exactly what will happen!
Using VTP pruning here will save quite a bit of bandwidth.
I'd like to share a real-world troubleshooting tip with you here. If you're
having problems with one of your VLANs being able to send data across
the trunk, run show interface trunk. Make sure that all vlans shown under
"vlans allowed and active in management domain" match the ones shown
under "vlans in spanning tree forwarding state and not pruned".
SW2#show interface trunk
In this example, VLAN 40 is allowed and active, but it's been pruned.
That's fine if you don't have hosts on both sides of the trunk in VLAN 40,
but I have seen this happen in a production network where there were
hosts on both sides of the trunk in a certain VLAN, and that VLAN had
been pruned. It's a rarity, but now you know to look out for it!
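The trunk check described above, as an added example that is not part of the original text: it parses show interfaces trunk output and reports, per trunk port, the VLANs that are "allowed and active" but missing from the "forwarding state and not pruned" list. The capture is constructed (port Fa0/24 and the VLAN numbers are made up), with VLAN 40 pruned as in the author's description.

```python
ACTIVE = "Vlans allowed and active in management domain"
FORWARDING = "Vlans in spanning tree forwarding state and not pruned"

# Constructed 'show interfaces trunk' capture: IOS layout, made-up port and VLANs.
SAMPLE_TRUNK_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/24      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/24      1,10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/24      1,10,20,30
"""

def expand_vlan_list(spec):
    """Turn '1,10-12,20' into {1, 10, 11, 12, 20}; 'none' gives an empty set."""
    vlans = set()
    spec = spec.strip().lower()
    if spec in ("", "none"):
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk_sections(output):
    """Map each 'Port  <heading>' section of the output to {port: VLAN set}."""
    sections, current = {}, None
    for line in output.splitlines():
        if line.startswith("Port"):
            current = line[4:].strip()      # the section heading
            sections[current] = {}
        elif line.strip() and current and current.startswith("Vlans"):
            port, _, spec = line.partition(" ")
            sections[current][port] = expand_vlan_list(spec)
    return sections

def pruned_but_active(output):
    """Per trunk port: VLANs allowed and active but not forwarding-and-not-pruned."""
    sections = parse_trunk_sections(output)
    mismatches = {}
    for port, active in sections.get(ACTIVE, {}).items():
        missing = sorted(active - sections.get(FORWARDING, {}).get(port, set()))
        if missing:
            mismatches[port] = missing
    return mismatches
```

A VLAN can also be absent from that last list because spanning tree is blocking it on the trunk rather than because VTP pruned it, so confirm with show spanning-tree before blaming pruning.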
VTP Versions
By now, you've probably noticed that the first field in the readout of show
vtp status is the VTP version. The first version of VTP was VTP Version
1, and that is the default of some older Cisco switches. The next version
was Version 2, and that's the default on many newer models, including
the 2950.
Version 2 supports Token Ring VLANs and Token Ring switching, where
Version 1 does not.
As with RIP, VTP versions don't work well together. Cisco switches run in
Version 1 by default, although most newer switches are V2-capable. If
you have a V2-capable switch such as a 2950 in a VTP domain with
switches running V1, just make sure the newer switch has V2 disabled.
The version can be changed with the vtp version command.
Those of you with switches in your home labs have probably run into this
situation. You run a write erase on your routers, reload them, and since
NVRAM is now empty, you're prompted to go into setup mode. All IP
addressing, routing protocols, static routes - everything's gone.
So now you do the same to your switches. You run write erase, reload,
and you're prompted to go into setup mode. Funny thing, though - the
VLAN information is still there! Below, we see a switch that had its
NVRAM erased and was then reloaded. There is no startup configuration,
but the VLAN information that was on the switch is still there!
How did the VLAN information survive the write erase? The startup
configuration is gone, but the VLAN database still contains information
about VLANs created before the write erase. That's because the write
erase command erases the contents of NVRAM, but the VLAN information is
kept in a file called vlan.dat - and that file is stored in Flash.
If you want to truly initialize a switch, the vlan.dat file has to go. Deleting it
can be a little tricky if you do it too quickly, though.
Just hit the enter key for both questions to accept the defaults in the
brackets. Then when you reload the switch, you'll be prompted with the
system configuration question you see in this example. Make sure to
answer "n" to that question. Remember - when you do this, the prior
VLAN information is gone from the switch.
By setting a VTP password, you place the entire VTP domain into Secure
Mode. Every switch in the domain must have a matching password.
SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP
SW1(config)#vtp password CCIE
Setting device VLAN database password to CCIE
VTP Secure Mode isn't all that secure, though - here's how you discover
the password:
SW1#show vtp password
VTP Password: CCIE
I've configured VTP many times, and while the following two tips aren't
Cisco gospel, they've worked well for me.
Unless you have a very good reason to put a switch into Transparent
mode, stick with Server and Client. Not only does this ensure that the
VTP databases in your network will be synchronized, but it causes less
confusion in the future for other network admins who don't understand
Transparent mode as well as you do. :)
Some campus networks will have switches that can be easily secured -
the ones in your network control room, for example - and others that may
be more accessible to others. Your VTP Servers should be the switches
that are accessible only by you and a trusted few. Don't leave every
switch in your VTP domain at the default of Server, or you've made it
possible to create and delete VLANs on every switch in your network.
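The two design rules in this section, resetting the revision number on any switch you introduce and keeping Server mode only on physically secured switches, as an added audit example that is not the author's code: it parses saved show vtp status output from several switches and flags a configuration revision above the trusted servers', Server mode on a switch not on the trusted list, Transparent mode, and a domain-name mismatch. The hostnames, the CCNP domain and the revision numbers 300 and 500 are constructed to mirror the scenario described earlier.

```python
import re

def parse_vtp_status(text):
    """Parse 'Field : value' lines of 'show vtp status'; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def audit_vtp(captures, domain, trusted_servers):
    """Return [(hostname, finding)] for every switch that breaks the design."""
    parsed = {host: parse_vtp_status(text) for host, text in captures.items()}
    # The domain's legitimate revision is whatever the trusted servers hold.
    baseline = max((int(p.get("Configuration Revision", 0))
                    for host, p in parsed.items() if host in trusted_servers),
                   default=0)
    findings = []
    for host, p in parsed.items():
        name = p.get("VTP Domain Name", "")
        mode = p.get("VTP Operating Mode", "")
        rev = int(p.get("Configuration Revision", 0))
        if name != domain:
            findings.append((host, f"domain '{name}' is not '{domain}'"))
        if mode == "Server" and host not in trusted_servers:
            findings.append((host, "Server mode on a switch not on the trusted list"))
        if mode == "Transparent":
            findings.append((host, "Transparent mode: its VLANs are not advertised"))
        if rev > baseline:
            findings.append((host, f"revision {rev} exceeds the trusted servers' "
                                   f"{baseline}; its database would overwrite theirs"))
    return findings

def sample_status(rev, mode, domain):
    """Constructed 'show vtp status' excerpt in IOS-style alignment."""
    return (f"VTP Version                     : 2\n"
            f"Configuration Revision          : {rev}\n"
            f"VTP Operating Mode              : {mode}\n"
            f"VTP Domain Name                 : {domain}\n")

# Constructed captures mirroring the text's scenario: SW2 is the secured core
# and the only intended Server, SW3 was left at the default mode, and NEW
# arrived from another site carrying a revision number above the domain's 300.
CAPTURES = {
    "SW1": sample_status(300, "Client", "CCNP"),
    "SW2": sample_status(300, "Server", "CCNP"),
    "SW3": sample_status(300, "Server", "CCNP"),
    "NEW": sample_status(500, "Client", "CCNP"),
}
```

Run audit_vtp(CAPTURES, "CCNP", {"SW2"}) before cabling a new switch into the domain; a Client is flagged on revision alone, which is why the reset applies to Clients as well as Servers.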