
The Bryant Advantage BCMSN Study Guide

Chris Bryant, CCIE #12933 www.thebryantadvantage.com



VLAN Trunking Protocol (VTP)


Overview
The Need For VTP
Configuring VTP
VTP Modes
VTP Advertisement Process
Preventing VTP Synchronization Issues
VTP Advertisement Types
VTP Features
VTP Versions
The VLAN.DAT File
VTP Secure Mode

As a CCNP candidate, you know that when it comes to Cisco
technologies, there's always something new to learn! You learned about
the VLAN Trunking Protocol (VTP) in your CCNA studies, but now we're
going to review a bit and then build on your knowledge of this
important switching technology.

Why Do We Need VTP?

VLAN Trunking Protocol (VTP) allows each switch in a network to have an
overall view of the active VLANs. VTP also allows network administrators
to restrict the switches upon which VLANs can be created, deleted, or
modified.

In our first example, we'll look at a simple two-switch setup and then add
to the network to illustrate the importance of VTP.
Here, the only two members of VLAN 10 are found on the same switch.
We can create VLAN 10 on SW1, and SW2 really doesn't need to know
about this new VLAN.

We know that the chances of all the hosts in a VLAN being on one switch
are very remote! More realistic is a scenario like the following, where the
center or "core" switch has no ports in a certain VLAN, but traffic destined
for that VLAN will be going through that very core switch.
SW2 doesn't have any hosts in VLAN 10, but for VLAN 10 traffic to
successfully travel from SW1 to SW3 and vice versa, SW2 has to know
about VLAN 10's existence.

SW2 could be configured manually with VLAN 10, but that's going to get
very old very fast. Considering that most networks have a lot more than
three switches, statically configuring every VLAN on every switch would
soon take up a lot of your time, as would troubleshooting the network
when you invariably leave a switch out!

Luckily, the major feature of VTP is the transmission of VTP
advertisements that notify neighboring switches in the same domain of
any VLANs in existence on the switch sending the advertisements.

The key phrase there is "in the same domain". By default, Cisco switches
are not in a VTP domain. Before working with VTP in a home lab or
production network, run show vtp status. (The official term for a VTP
domain is "management domain", but we'll just call them domains in this
section. The only place you'll probably see that full phrase is on the
exam.)

There's nothing next to "VTP Domain Name", so a VTP domain has not
yet been configured. We'll now change that by placing this switch into a
domain called CCNP. Watch this command - it is case sensitive.

After configuring the VTP domain "CCNP" on SW2, SW1 is also placed
into that domain. Each switch can now successfully advertise its VLAN
information to the other, and as switches are added to this VTP domain,
those switches will receive these advertisements as well.

A Cisco switch can belong to one and only one VTP domain.

VTP Modes

In the previous show vtp status readouts, the VTP Operating Mode is set
to Server. The more familiar term for VTP Operating Mode is simply VTP
Mode, and Server is the default. It's through the usage of VTP modes
that we can place limits on which switches can delete and create VLANs.

It's not unusual for edge switches such as SW1 and SW3 to be available
to more people than they should be. If SW2 is the only switch that's
physically secure, SW2 should be the only VTP Server. Let's review the
VTP Modes and then configure SW1 and SW3 appropriately.

In Server mode, a VTP switch can be used to create, modify, and delete
VLANs. This means that a VTP deployment has to have at least one
Server, or VLAN creation will not be possible. This is the default setting
for Cisco switches.

Switches running in Client mode cannot be used to create, modify, or
delete VLANs. Clients do listen for VTP advertisements and act
accordingly when VTP advertisements notify the Client of VLAN changes.

VTP Transparent mode actually means that the switch isn't participating in
VTP. (Bear with me here.) Transparent VTP switches don't synchronize
their VTP databases with other VTP speakers; they don't even advertise
their own VLAN information! Therefore, any VLANs created on a
Transparent VTP switch will not be advertised to other VTP speakers in
the domain, making them locally significant only.

I'm not saying that Transparent mode is evil, or even bad; I am saying that
you have to be careful when implementing Transparent mode into your
network.

There are two versions of VTP, V1 and V2, and the main difference
between the two versions affects how a VTP Transparent switch handles
an incoming VTP advertisement.

VTP Version 1: The Transparent switch will forward that advertisement's
information only if the VTP version number and domain name on that
switch are the same as those of the downstream switches.

VTP Version 2: The Transparent switch will forward VTP advertisements
via its trunk port(s) even if the domain name does not match.

To ensure that no one can create VLANs on SW1 and SW3, we'll
configure both of them as VTP Clients. SW1's configuration and the
resulting output of show vtp status are shown below.

Attempting to create a VLAN on a VTP client results in the following
message:

This often leads to a situation where only the VTP Clients will have ports
that belong to a given VLAN, but the VLAN still has to be created on the
VTP Server. VLANs can be created and deleted in Transparent mode,
but those changes aren't advertised to other switches in the VTP domain.
Also, switches do not advertise their VTP mode.

Which Switches Should Be Servers, Which Should Be Clients?

You have to decide this for yourself in your production network, but I will
share a simple method that's always worked for me - if you can absolutely
secure a switch, make it a VTP server. If multiple admins will have
access to the switch, you may consider making that switch a VTP Client in
order to minimize the chance of unwanted or unauthorized changes being
made to your VLAN scheme.

The VTP Advertisement Process

VTP Advertisements are multicasts, but they are not sent out every port
on the switch. The only devices that need the VTP advertisements are
other switches that are trunking with the local switch, so VTP
advertisements are sent out trunk ports only. The hosts in VLAN 10 in the
following exhibit would not receive VTP advertisements.

Along with the VTP domain name, VTP advertisements carry a
configuration revision number that enables VTP switches to make sure
they have the latest VLAN information. VTP advertisements are sent
when there has been a change in a switch's VLAN database, and this
configuration revision number increments by one before it is sent. To
illustrate, let's look at the revision number on SW1.

The current revision number is 1. We'll now go to SW2 to check the
revision number, add a VLAN, and then check the revision number again.

The revision number was 1, then a VLAN was added. The revision
number incremented to 2 before the VTP advertisement reflecting this
change was sent to this switch's neighbors. Let's check the revision
number on SW1 now.

The revision number has incremented to 2, as you'd expect. But what
exactly happened?

SW1 received a VTP advertisement from SW2. Before accepting the
changes reflected in the advertisement, SW1 compares the revision
number in the advertisement to its own revision number. In this case, the
revision number on the incoming advertisement was 2 and SW1's revision
number was 1. This indicates to SW1 that the information contained in
this VTP advertisement is more recent than its own VLAN information, so
the advertisement is accepted.

If SW1's revision number had been higher than that in the VTP
advertisement from SW2, the advertisement would have been ignored.

In this example, SW2 is the root and is sending out an advertisement with
revision number 300. The three switches are running VLANs 10, 20, 30,
40, and 50, and everything's just fine. The VTP domain is CCNP.

Now, a switch that was at another client site is brought to this client and
installed in the CCNP domain. The problem is that the VTP revision
number on the newly installed switch is 500, and this switch only knows
about the default VLAN, VLAN 1.

The switches will receive a VTP advertisement with a higher revision
number than the one currently in their VTP database, so they'll
synchronize their databases in accordance with the new advertisement.
The problem is that the new advertisements don't list VLANs 10, 20, 30,
40, or 50, so connectivity for those VLANs is lost.

I've seen this happen with switches that were brought in to swap out with a
downed switch. That revision number has to be reset to zero! If you ever
see VLAN connectivity suddenly lost in your network, but the switches are
all functional, you should immediately check to see if a new switch was
recently installed. If the answer is yes, I can practically guarantee that the
revision number is the issue.

Cisco theory holds that there are two ways to reset a switch's revision
number to zero:

1. Change the VTP domain name to a nonexistent domain, then
change it back to the original name.
2. Change the VTP mode to Transparent, then change it back to
Server.

In reality, resetting this number can be more of an art form than a
science. The method to use often depends on the model. In the real
world, you should use your favorite search engine for a phrase such as
reset configuration revision number zero followed by the switch model.
(Reloading the switch won't do the job, because the revision number is
kept in NVRAM, and the contents of Non-Volatile RAM are kept on a
reload.)

It's a good practice to perform this reset with VTP Clients as well as
Servers. In short, every time you introduce a switch to your network and
that switch didn't just come out of the box, perform this reset. And if it did
come out of the box, check it anyway. ;)
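To make the acceptance rules concrete, here is an added Python model (not code from the study guide, and not Cisco's implementation) of how a switch treats an incoming advertisement: same domain only, a higher revision wins, Servers and Clients synchronize, Transparent switches don't. The Switch and Advertisement classes, the placeholder domain name TEMP-RESET and the stale_switch_scenario function are constructed for illustration; the scenario reproduces the revision-500 example above, then installs the same switch after its revision has been reset.

```python
from dataclasses import dataclass, field


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: frozenset          # VLAN IDs the advertising switch knows about


@dataclass
class Switch:
    name: str
    domain: str
    mode: str = "server"      # "server", "client" or "transparent"
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})   # VLAN 1 always exists

    def add_vlan(self, vlan_id):
        """Create a VLAN. Clients refuse; a Server bumps its revision before advertising."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLAN creation not allowed in Client mode")
        self.vlans.add(vlan_id)
        if self.mode == "server":   # Transparent keeps the VLAN locally, revision untouched
            self.revision += 1

    def advertise(self):
        return Advertisement(self.domain, self.revision, frozenset(self.vlans))

    def receive(self, adv):
        """Apply the acceptance rules from the text; return True if the database synchronized."""
        if adv.domain != self.domain:       # only same-domain advertisements are considered
            return False
        if self.mode == "transparent":      # Transparent switches never synchronize
            return False
        if adv.revision <= self.revision:   # equal or lower revision is ignored
            return False
        self.vlans = set(adv.vlans)         # higher revision wins, whatever it lists
        self.revision = adv.revision
        return True

    def reset_revision(self):
        """Method 1 from the text: change to a nonexistent domain and back, zeroing the revision."""
        original = self.domain
        self.domain = "TEMP-RESET"          # constructed placeholder domain name
        self.revision = 0
        self.domain = original


def stale_switch_scenario(reset_first):
    """The text's example: domain CCNP at revision 300 running VLANs 10-50, then
    a switch at revision 500 that knows only VLAN 1 is installed."""
    production = {1, 10, 20, 30, 40, 50}
    switches = [Switch("SW1", "CCNP", "client", 300, set(production)),
                Switch("SW2", "CCNP", "server", 300, set(production)),
                Switch("SW3", "CCNP", "client", 300, set(production))]
    new = Switch("NEW", "CCNP", "server", 500, {1})
    if reset_first:                         # the fix: zero the revision before cabling it in
        new.reset_revision()
    for sw in switches:
        sw.receive(new.advertise())
    return {sw.name: (sw.revision, sorted(sw.vlans)) for sw in switches}
```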

To see the number of advertisements that have been sent and received,
run show vtp counters.

I'm sure you noticed that there are different types of advertisements!
There are three major types of VTP advertisements - here's what they are
and what they do. Keep in mind that Cisco switches only accept VTP
advertisements from other switches in the same VTP domain.

Summary Advertisements are transmitted by VTP servers every 5
minutes, or upon a change in the VLAN database. Information included in
the summary advertisement:

• VTP domain name and version
• Configuration revision number
• MD5 hash code
• Timestamp
• Number of subset advertisements that will follow this ad

Subset Advertisements are transmitted by VTP servers upon a VLAN
configuration change. Subset ads give specific information regarding the
VLAN that's been changed, including:

• Whether the VLAN was created, deleted, activated, or suspended
• The new name of the VLAN
• The new Maximum Transmission Unit (MTU)
• VLAN Type (Ethernet, Token Ring, FDDI)

Client Advertisement Requests are just that - a request for VLAN
information from the client. Why would a client request this information?
Most likely because the VLAN database has been corrupted or deleted.
The VTP Server will respond to this request with a series of Summary and
Subset advertisements.

Configuring VTP Features

Earlier in this section, you saw how to place a switch into a VTP domain:

The VTP mode is changed with the vtp mode command.

VTP allows us to set a password as well. Naturally, the same password
should be set on all switches in the VTP domain. Although this is referred
to as secure VTP, there's nothing secure about it - the command show vtp
password displays the password, and this password can't be encrypted
with service password-encryption.

VTP Pruning

Trunk ports belong to all VLANs, which leads to an issue involving
broadcasts and multicasts. A trunk port will forward broadcasts and
multicasts for all VLANs it knows about, regardless of whether the remote
switch actually has ports in that VLAN or not!

In the following example, VTP allows both switches to know about VLANs
2 - 19, even though neither switch has ports in all those VLANs. Since a
trunk port belongs to every VLAN, they both forward broadcasts and
multicasts for all those VLANs. Both switches are transmitting and
receiving broadcasts and multicasts that they do not need.

Configuring VTP Pruning allows the switches to send broadcasts and
multicasts to a remote switch only if the remote switch actually has ports
that belong to that VLAN. This simple configuration will prevent a great
deal of unnecessary traffic from crossing the trunk.

Entering vtp pruning enables pruning for all VLANs in the VTP domain;
VLANs 2 - 1001 are eligible to be pruned. The reserved VLANs you see in
show vlan brief - VLAN 1 and VLANs 1002 - 1005 - cannot be pruned.

Note that SW1 had to be changed to Server mode in order to enable
pruning. Verify that pruning is enabled with show vtp status.

Enabling pruning on one VTP Server actually enables pruning for the
entire domain, but I wanted to show you that a switch has to be in Server
mode to have pruning enabled. It doesn't hurt anything to enter the
command vtp pruning on all Servers in the domain, but it's unnecessary.

Stopping unnecessary broadcasts might not seem like such a big deal in
a two-switch example, but most of our networks have more than two
switches! Consider this example:

If the three hosts shown in VLAN 7 are the only hosts in that VLAN,
there's no reason for VLAN 7 broadcasts to reach the middle and bottom
two switches. Without VTP pruning, that's exactly what will happen!
Using VTP pruning here will save quite a bit of bandwidth.

I'd like to share a real-world troubleshooting tip with you here. If you're
having problems with one of your VLANs being able to send data across
the trunk, run show interface trunk. Make sure that all vlans shown under
"vlans allowed and active in management domain" match the ones shown
under "vlans in spanning tree forwarding state and not pruned".

SW2#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      1
Fa0/12      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-4094
Fa0/12      1-4094

Port        Vlans allowed and active in management domain
Fa0/11      1,10,20,30,40
Fa0/12      1,10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/11      1,10,20,30
Fa0/12      none

In this example, VLAN 40 is allowed and active, but it's been pruned.
That's fine if you don't have hosts on both sides of the trunk in VLAN 40,
but I have seen this happen in a production network where there were
hosts on both sides of the trunk in a certain VLAN, and that VLAN had
been pruned. It's a rarity, but now you know to look out for it!
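Here is an added Python script, not part of the study guide, that automates the check just described: it parses the show interface trunk output above (embedded as the sample input) and reports, per trunk port, the VLANs that are allowed and active in the management domain but missing from the forwarding-and-not-pruned list. The function names are my own.

```python
SAMPLE_OUTPUT = """\
SW2#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      1
Fa0/12      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-4094
Fa0/12      1-4094

Port        Vlans allowed and active in management domain
Fa0/11      1,10,20,30,40
Fa0/12      1,10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/11      1,10,20,30
Fa0/12      none
"""  # the study guide's own output, embedded here as the sample input

ACTIVE = "Vlans allowed and active in management domain"
FORWARDING = "Vlans in spanning tree forwarding state and not pruned"

def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '1,10-12,20' (or 'none') into a set of ints."""
    vlans = set()
    if text.strip().lower() == "none":
        return vlans
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk_sections(output):
    """Return {section title: {port: vlan set}} for each 'Port  Vlans ...' table."""
    sections, current = {}, None
    for line in output.splitlines():
        fields = line.split(None, 1)
        if not fields:
            continue
        if fields[0] == "Port":                 # a table header starts a new section
            title = fields[1].strip()
            current = title if title.startswith("Vlans") else None
            if current:
                sections[current] = {}
        elif current and len(fields) == 2:      # data row: <port> <vlan list>
            sections[current][fields[0]] = parse_vlan_list(fields[1])
    return sections

def find_pruned_vlans(output):
    """The author's check: per trunk port, VLANs that are allowed and active in the
    management domain but not in forwarding state / not pruned on that trunk."""
    sections = parse_trunk_sections(output)
    active, forwarding = sections[ACTIVE], sections[FORWARDING]
    return {port: sorted(active[port] - forwarding.get(port, set())) for port in active}
```

Any non-empty list it returns for a port is a VLAN that will not cross that trunk; whether that is expected depends on whether hosts in that VLAN exist on both sides.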

VTP Versions

By now, you've probably noticed that the first field in the readout of show
vtp status is the VTP version. The first version of VTP was VTP Version
1, and that is the default of some older Cisco switches. The next version
was Version 2, and that's the default on many newer models, including
the 2950.

As RIPv2 has advantages over RIPv1, VTP v2 has several advantages
over VTPv1.

Version 2 supports Token Ring VLANs and Token Ring switching, where
Version 1 does not.

When changes are made to VLANs or the VTP configuration at the
command-line interface (CLI), Version 2 will perform a consistency check.
So what's being checked? VLAN names and numbers. This helps to
prevent incorrect / inaccurate names from being propagated throughout
the network.

A switch running VTPv2 and Transparent mode will forward VTP
advertisements received from VTP Servers in that same domain.

As with RIP, VTP versions don't work well together. Cisco switches run in
Version 1 by default, although most newer switches are V2-capable. If
you have a V2-capable switch such as a 2950 in a VTP domain with
switches running V1, just make sure the newer switch has V2 disabled.
The version can be changed with the vtp version command.

The VLAN.DAT File

Those of you with switches in your home labs have probably run into this
situation. You run a write erase on your routers, reload them, and since
NVRAM is now empty, you're prompted to go into setup mode. All IP
addressing, routing protocols, static routes - everything's gone.

So now you do the same to your switches. You run write erase, reload,
and you're prompted to go into setup mode. Funny thing, though - the
VLAN information is still there! Below, we see a switch that had its
NVRAM erased and was then reloaded. There is no startup configuration,
but the VLAN information that was on the switch is still there!

How did the VLAN information survive the write erase? The startup
configuration is gone, but the VLAN database still contains information
about VLANs created before the write erase. That's because the write
erase command erases only the contents of NVRAM; the VLAN information is
kept in a file called vlan.dat, and that file is kept in Flash.

If you want to truly initialize a switch, the vlan.dat file has to go. Deleting it
can be a little tricky if you do it too quickly, though.

When a router or switch presents you with a question such as "Delete
filename?", your first instinct may be to type "y" or "n". Don't do that here.
If you type "y" or "yes", the switch will attempt to delete a file named "y" or
"yes".

Just hit the enter key for both questions to accept the defaults in the
brackets. Then when you reload the switch, you'll be prompted with the
system configuration question you see in this example. Make sure to
answer "n" to that question. Remember - when you do this, the prior
VLAN information is gone from the switch.

VTP "Secure Mode"

By setting a VTP password, you place the entire VTP domain into Secure
Mode. Every switch in the domain must have a matching password.

SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP
SW1(config)#vtp password CCIE
Setting device VLAN database password to CCIE

VTP Secure Mode isn't all that secure, though - here's how you discover
the password:

SW1#show vtp password
VTP Password: CCIE

Pretty secure, eh? :) Let's try to encrypt that password --

SW1(config)#service password-encryption

SW1#show vtp password
VTP Password: CCIE

That's something to keep in mind!

VTP Configuration Tips

I've configured VTP many times, and while the following two tips aren't
Cisco gospel, they've worked well for me.

Unless you have a very good reason to put a switch into Transparent
mode, stick with Server and Client. Not only does this ensure that the
VTP databases in your network will be synchronized, but it causes less
confusion in the future for other network admins who don't understand
Transparent mode as well as you do. :)

Some campus networks will have switches that can be easily secured -
the ones in your network control room, for example - and others that may
be more accessible to others. Your VTP Servers should be the switches
that are accessible only by you and a trusted few. Don't leave every
switch in your VTP domain at the default of Server, or you've made it
possible to create and delete VLANs on every switch in your network.

Copyright 2007 The Bryant Advantage. All Rights Reserved.
