VTP – Understand, Configure and Verify


This article explains VTP, its operating modes and the key elements you should know about it, then presents a lab on configuring and verifying VTP version 2. You can replicate the lab on your own switches to learn more about VTP.

Introduction

VLAN Trunking Protocol (VTP) is a Cisco-proprietary protocol that propagates VLAN definitions across a Layer 2 (Ethernet) domain.

VTP advertises the VLAN ID, VLAN name, and VLAN type for each VLAN dynamically to neighboring switches. However, VTP does not advertise any information about which ports (interfaces) should be in each VLAN.

VTP modes

You can configure a Cisco switch to operate in one of four VTP modes: server, client, transparent or off.

The following table identifies the behavioral differences between the VTP modes.

Server
  • In VTP server mode, you can create, modify, and delete VLANs. You can also set domain-wide parameters such as the VTP version and VTP pruning.
  • VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their own VLAN configuration with advertisements received over trunk links.
  • Server is the default mode.

Client
  • VTP clients behave like VTP servers (they advertise and synchronize), but you cannot create, change, or delete VLANs on a VTP client.

Transparent
  • VTP transparent switches do not participate in VTP: they neither advertise their own VLAN configuration nor synchronize it from received advertisements, so every VLAN must be created manually on a transparent switch.
  • A transparent switch does, however, forward the VTP advertisements it receives out its other trunk ports (in VTP version 2 it does so regardless of the domain name and version carried in the advertisement).

Off
  • VTP off mode (available on CatOS switches and on IOS switches that support VTP version 3) behaves like transparent mode, except that received VTP advertisements are not forwarded.
How VTP works

Cisco switches send VTP summary advertisements every 5 minutes, and immediately when the VLAN database changes, as Layer 2 multicast frames (destination MAC 01:00:0C:CC:CC:CC, Cisco SNAP protocol ID 0x2003) on VLAN 1, the management VLAN. VTP sends updates only out active trunk interfaces (ISL or 802.1Q), so the first step in running VTP is to make sure the switches are trunking with each other; VTP runs over both encapsulations.

VTP Password

VTP password configuration is optional. The password is never learned through VTP advertisements, so it must be configured manually on every switch in the domain.

If you configure a password, it must match on all switches in the same VTP domain. The password itself is not sent on the wire; it is fed, together with the VLAN configuration, into the 16-byte MD5 digest carried in every summary advertisement. A switch with a different (or no) password therefore computes a different digest and ignores the advertisement.

NOTE: The VTP domain name and configuration revision number are sent in clear text and are easy to read in a sniffer trace. A VTP password stops a switch that does not know it from injecting VLAN changes into the domain, but it is not a substitute for keeping untrusted ports out of VTP altogether: VTP only rides on trunks, so configure user-facing ports as access ports with DTP negotiation disabled (switchport mode access and switchport nonegotiate) so that an attached host cannot bring up a trunk and exchange VTP frames with the switch.

Configuration Revision Number

The configuration revision number is a 32-bit value that indicates how current a switch's VLAN database is. Each VTP device tracks its own configuration revision number, and summary advertisements carry the revision number of the sender.

A receiving switch uses this number to decide whether the advertised information is newer than what it already holds. Each time you change the VLAN database on a switch (create, modify or delete a VLAN), the configuration revision is incremented by one.

To reset the configuration revision of a switch to 0, change the VTP domain name and then change it back to the original name (putting the switch into VTP transparent mode and back also resets it). Do this before connecting a previously used switch to a production domain: in VTP versions 1 and 2 any switch, client or server, that has a matching domain name and a higher revision number overwrites the VLAN database of the whole domain.
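The advertisement format and the revision rule from the two sections above, as an added example in Python (this is not code from the original article). It builds a VTPv2 summary advertisement with the lab's values (domain NetFixPro, revision 2, SW2's MAC and MD5 digest, the 0.0.0.0 updater), decodes it from the raw Ethernet frame, and applies the same-domain/higher-revision acceptance rule. The field sizes follow the published summary-advertisement layout and the SNAP protocol ID 0x2003 identifies VTP; the digest itself is carried as opaque bytes because the keyed MD5 computation that folds in the password is not reproduced here, so should_accept() models only the revision comparison that a switch performs after the digest has checked out.

```python
"""Build and decode a VTP summary advertisement, then apply the VTPv1/v2
"same domain, higher revision wins" rule to it."""
import struct
from dataclasses import dataclass

VTP_MCAST = bytes.fromhex("01000ccccccc")      # 01:00:0C:CC:CC:CC
LLC_SNAP = b"\xaa\xaa\x03"                      # DSAP/SSAP 0xAA, control 0x03
CISCO_OUI = b"\x00\x00\x0c"
PID_VTP = 0x2003                                # SNAP protocol id for VTP
CODE_SUMMARY = 0x01                             # summary advertisement
# version, code, followers, domain length, 32-byte padded domain name,
# configuration revision, updater identity (IPv4), 12-byte yymmddhhmmss
# timestamp, 16-byte MD5 digest
SUMMARY_FMT = "!BBBB32sI4s12s16s"
SUMMARY_LEN = struct.calcsize(SUMMARY_FMT)      # 72 bytes


@dataclass
class SummaryAdvert:
    version: int
    followers: int
    domain: str
    revision: int
    updater: str
    timestamp: str
    digest: bytes


def build_summary_frame(src_mac: bytes, domain: str, revision: int, digest: bytes,
                        version: int = 2, followers: int = 0,
                        updater: str = "0.0.0.0",
                        timestamp: str = "161004150243") -> bytes:
    """Return a complete 802.3/LLC/SNAP frame carrying one summary advertisement."""
    name = domain.encode("ascii")
    if not 1 <= len(name) <= 32:
        raise ValueError("VTP domain name must be 1..32 bytes")
    if len(digest) != 16:
        raise ValueError("MD5 digest must be 16 bytes")
    vtp = struct.pack(SUMMARY_FMT, version, CODE_SUMMARY, followers, len(name),
                      name.ljust(32, b"\x00"), revision,
                      bytes(int(o) for o in updater.split(".")),
                      timestamp.encode("ascii"), digest)
    payload = LLC_SNAP + CISCO_OUI + struct.pack("!H", PID_VTP) + vtp
    # 802.3 frames carry a length field where Ethernet II carries a type.
    return VTP_MCAST + src_mac + struct.pack("!H", len(payload)) + payload


def parse_summary_frame(frame: bytes) -> SummaryAdvert:
    """Decode a raw frame; raise ValueError if it is not a VTP summary advert."""
    if frame[:6] != VTP_MCAST:
        raise ValueError("not addressed to the VTP multicast group")
    length = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:14 + length]
    if len(payload) < 8 + SUMMARY_LEN:
        raise ValueError("frame too short for a summary advertisement")
    if (payload[:3] != LLC_SNAP or payload[3:6] != CISCO_OUI
            or struct.unpack("!H", payload[6:8])[0] != PID_VTP):
        raise ValueError("not a Cisco SNAP frame with the VTP protocol id")
    ver, code, followers, dlen, name, rev, upd, ts, digest = struct.unpack(
        SUMMARY_FMT, payload[8:8 + SUMMARY_LEN])
    if code != CODE_SUMMARY:
        raise ValueError(f"VTP code {code:#x} is not a summary advertisement")
    return SummaryAdvert(ver, followers, name[:dlen].decode("ascii"), rev,
                         ".".join(str(b) for b in upd), ts.decode("ascii"), digest)


def should_accept(local_domain: str, local_revision: int, advert: SummaryAdvert) -> bool:
    """VTPv1/v2 rule for servers and clients alike: an advertisement from our own
    domain with a higher revision replaces our VLAN database. The digest check
    (where the password enters) is assumed to have passed already."""
    return advert.domain == local_domain and advert.revision > local_revision


if __name__ == "__main__":
    sw2 = build_summary_frame(bytes.fromhex("aabbcc000200"), "NetFixPro", 2,
                              bytes.fromhex("11b7236339571082fb7a135df1ad36c6"))
    adv = parse_summary_frame(sw2)
    print(f"{adv.domain} rev {adv.revision} from updater {adv.updater} at {adv.timestamp}")
    print("SW3 at revision 2 accepts SW2's advert:", should_accept("NetFixPro", 2, adv))
    # A switch reintroduced with a stale but higher revision wins over the domain.
    rogue = parse_summary_frame(build_summary_frame(
        bytes.fromhex("aabbcc000900"), "NetFixPro", 57, bytes(16)))
    print("SW3 at revision 2 accepts revision 57:", should_accept("NetFixPro", 2, rogue))
```

Run it stand-alone to see that the lab switches, all at revision 2, ignore a repeat of SW2's advertisement but would adopt the VLAN database of any switch in the NetFixPro domain arriving with revision 57, which is the case the revision-reset procedure above guards against.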

Example lab

Now that we understand VTP, let's configure and verify VTP version 2 in a lab. The lab has four Cisco switches running 15.x code, connected as shown in the lab diagram. SW1 runs in VTP transparent mode, SW2 in VTP server mode (the default mode), and SW3 and SW4 in VTP client mode. All four switches use the VTP domain NetFixPro and the VTP password [email protected]$$W0rD. Finally, we create some VLANs on the server to verify that VTP behaves as expected. So let's get started.

The first step in configuration VTP is to ensure that the switches are trunking with each other (ISL or 802.1q; VTP runs over both).


SW1 to SW4

Enable dot1q trunking on necessary switchports.

conf t
interface range Ethernet0/0-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shut
end
write mem

Verify that the trunks came up.

SWx# show interface trunk

Port        Mode             Encapsulation  Status        Native vlan
Et0/0       on               802.1q         trunking      1
Et0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Et0/0       1-4094
Et0/1       1-4094

Port        Vlans allowed and active in management domain
Et0/0       1
Et0/1       1

Port        Vlans in spanning tree forwarding state and not pruned
Et0/0       1
Et0/1       none

Let’s verify the default VTP status

SWx# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : 
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0200
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 5
Configuration Revision            : 0
MD5 digest                        : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD 
                                    0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC 

As you can see, switches are running VTP version 1 and VTP server mode by default with no domain name.

Next, configure the VTP domain name on VTP server, and all other switches without domain names configured should dynamically learn the domain name. VTP password cannot be learned through VTP, so you must manually configure it on all switches. Finally, create some VLANs on the VTP server (SW2 in this case).


SW2

Configure VTP as per the lab requirement.

vtp domain NetFixPro
vtp version 2
vtp password [email protected]$$W0rD
!
vlan 100-105

Verify the VTP status.

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : NetFixPro
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0200
Configuration last modified by 0.0.0.0 at 10-4-16 15:02:43
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 11
Configuration Revision            : 2
MD5 digest                        : 0x11 0xB7 0x23 0x63 0x39 0x57 0x10 0x82 
                                    0xFB 0x7A 0x13 0x5D 0xF1 0xAD 0x36 0xC6 

Note that when a switch is in VTP server or client mode, the configured VLANs do not appear in the running configuration; they are stored in the VLAN database file (vlan.dat in flash).

SW2# show running-config | i vlan
vlan internal allocation policy ascending

SW1

Configure VTP as per the lab requirement.

vtp domain NetFixPro
vtp version 2
vtp mode transparent
vtp password [email protected]$$W0rD
!
vlan 100-105

NOTE: Because SW1 runs in VTP transparent mode, it does not take part in VTP synchronization, so all VLANs must be created manually on it.

Verify the VTP status.

SW1#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : NetFixPro
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0100
Configuration last modified by 0.0.0.0 at 10-4-16 15:00:30

Feature VLAN:
--------------
VTP Operating Mode                : Transparent
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 11
Configuration Revision            : 0
MD5 digest                        : 0xE6 0xEC 0x88 0x1A 0xE7 0x39 0xB6 0x4E 
                                    0x3E 0xA5 0x74 0xFD 0x72 0xF3 0x80 0x50 

Also note that, when a switch is in VTP transparent mode, the VLAN configuration statements appear in the running configuration.

SW1# show running-config | i vlan
vlan internal allocation policy ascending
vlan 100-105 

SW3 & SW4

Configure VTP as per the lab requirement.

vtp domain NetFixPro
vtp version 2
vtp mode client
vtp password [email protected]$$W0rD

NOTE: Since SW3 and SW4 are running VTP client mode, all VLANs will be created automatically using VTP advertisements from SW2.

Verify the VTP status.

SW3/4# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : NetFixPro
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0300
Configuration last modified by 0.0.0.0 at 10-4-16 15:02:43

Feature VLAN:
--------------
VTP Operating Mode                : Client
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 11
Configuration Revision            : 2
MD5 digest                        : 0x11 0xB7 0x23 0x63 0x39 0x57 0x10 0x82 
                                    0xFB 0x7A 0x13 0x5D 0xF1 0xAD 0x36 0xC6 

As on SW2, the VLANs learned by these VTP clients do not appear in the running configuration; they are stored in the VLAN database file (vlan.dat in flash).

SW3/4# show running-config | i vlan
vlan internal allocation policy ascending
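Checking these show vtp status outputs by eye works for four switches; across a real domain you would script it. The following is an added example in Python, not code from the original article: it parses the IOS show vtp status layout shown above and audits a set of switches against the intended design (domain name, VTP version, every server and client at the same revision and MD5 digest as the highest-revision server, transparent switches excluded from the synchronization check). The sample outputs are constructed from the lab's SW2 output; SW4_STALE (a client one revision behind with a different digest) and DEFAULT_STATUS (the factory state with no domain name and version 1) are constructed failure cases.

```python
"""Parse `show vtp status` output and audit a VTP domain for consistency."""
import re

# Field patterns follow the IOS 15.x layout. The bounded whitespace after the
# colon ([ \t]*) keeps an empty domain name from matching the next line's text.
FIELDS = {
    "version": r"VTP version running\s*:[ \t]*(\d+)",
    "domain": r"VTP Domain Name\s*:[ \t]*(\S*)",
    "mode": r"VTP Operating Mode\s*:[ \t]*(\w+)",
    "revision": r"Configuration Revision\s*:[ \t]*(\d+)",
    "vlans": r"Number of existing VLANs\s*:[ \t]*(\d+)",
}


def parse_vtp_status(text: str) -> dict:
    """Return the VTP fields an audit cares about, with the MD5 digest as hex."""
    status = {}
    for key, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"'show vtp status' output is missing {key}")
        status[key] = match.group(1)
    for key in ("version", "revision", "vlans"):
        status[key] = int(status[key])
    # The digest is printed as 0xNN bytes and wraps onto a continuation line.
    _, _, tail = text.partition("MD5 digest")
    status["digest"] = "".join(re.findall(r"0x([0-9A-Fa-f]{2})", tail)).lower()
    return status


def audit_vtp(statuses: dict, expected_domain: str, expected_version: int = 2) -> list:
    """Flag switches whose VTP state does not match the intended design.

    statuses maps a switch name to parse_vtp_status() output. Servers and
    clients must carry the highest-revision server's revision and digest;
    transparent switches never synchronize, so they are skipped there."""
    findings = []
    for name, s in statuses.items():
        if s["domain"] != expected_domain:
            findings.append(f"{name}: domain {s['domain']!r}, expected {expected_domain!r}")
        if s["version"] != expected_version:
            findings.append(f"{name}: running VTP version {s['version']}, expected {expected_version}")
    servers = {n: s for n, s in statuses.items()
               if s["mode"] == "Server" and s["domain"] == expected_domain}
    if not servers:
        findings.append(f"no VTP server found in domain {expected_domain!r}")
        return findings
    ref_name, ref = max(servers.items(), key=lambda item: item[1]["revision"])
    for name, s in statuses.items():
        if name == ref_name or s["mode"] not in ("Server", "Client"):
            continue
        if (s["revision"], s["digest"]) != (ref["revision"], ref["digest"]):
            findings.append(f"{name}: revision {s['revision']} / digest {s['digest'][:8]}.. "
                            f"differs from {ref_name} (revision {ref['revision']})")
    return findings


# Constructed sample: SW2's output from the lab, trimmed to the lines the parser reads.
SW2_STATUS = """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : NetFixPro
Feature VLAN:
--------------
VTP Operating Mode                : Server
Number of existing VLANs          : 11
Configuration Revision            : 2
MD5 digest                        : 0x11 0xB7 0x23 0x63 0x39 0x57 0x10 0x82
                                    0xFB 0x7A 0x13 0x5D 0xF1 0xAD 0x36 0xC6
"""


def _with(text: str, field: str, value: str) -> str:
    """Rewrite one 'Field : value' line of a sample, keeping the column layout."""
    return re.sub(rf"({field}\s*: )\S*", rf"\g<1>{value}", text)


SW3_STATUS = _with(SW2_STATUS, "VTP Operating Mode", "Client")
SW1_STATUS = _with(_with(SW2_STATUS, "VTP Operating Mode", "Transparent"),
                   "Configuration Revision", "0")
# Constructed failure case: a client one revision behind with a different digest.
SW4_STALE = _with(SW3_STATUS, "Configuration Revision", "1").replace("0x11 0xB7", "0x7E 0x02")
# Constructed factory-default state: VTP version 1, no domain name.
DEFAULT_STATUS = _with(_with(_with(SW2_STATUS, "VTP version running", "1"),
                             "VTP Domain Name", ""), "Configuration Revision", "0")

if __name__ == "__main__":
    lab = {name: parse_vtp_status(text) for name, text in
           [("SW1", SW1_STATUS), ("SW2", SW2_STATUS), ("SW3", SW3_STATUS), ("SW4", SW4_STALE)]}
    for finding in audit_vtp(lab, "NetFixPro") or ["domain NetFixPro is consistent"]:
        print(finding)
```

Feed it the real outputs (one `show vtp status` capture per switch) and an empty findings list means every server and client agrees with the highest-revision server; a digest mismatch at equal revision is the tell-tale of a switch with a different VTP password or a VLAN database edited while it was isolated.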

SW1 to SW4

Verify the VTP password

SWx# show vtp password 
VTP Password: [email protected]$$W0rD

NOTE: VTP password is never sent in VTP messages; an MD5 hash is sent instead.

Verify the VLAN status

SWx#show vlan brief 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/2, Et0/3, Et1/0, Et1/1
                                                Et1/2, Et1/3, Et2/0, Et2/1
                                                Et2/2, Et2/3, Et3/0, Et3/1
                                                Et3/2, Et3/3
100  VLAN0100                         active    
101  VLAN0101                         active    
102  VLAN0102                         active    
103  VLAN0103                         active    
104  VLAN0104                         active    
105  VLAN0105                         active    
1002 fddi-default                     act/unsup 
1003 trcrf-default                    act/unsup 
1004 fddinet-default                  act/unsup 
1005 trbrf-default                    act/unsup 

Sure enough, the VTP advertisements worked as expected. For a final check, let's verify that a change elsewhere in the VTP domain, such as creating or removing a VLAN, does not affect the transparent switch (SW1 in this case), which only relays the VTP messages.

First, enable VTP event debugging on SW1:

SW1# debug sw-vlan vtp events
vtp events debugging is on

Now let’s create a new VLAN on SW2 so it generates VTP advertisements.

SW2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#vlan 200
SW2(config-vlan)#end
SW2#

You should see the following debug messages on SW1's console. SW1 relays the VTP advertisements it receives on one trunk out its other trunks without applying them to its own VLAN database.

SW1#
*Oct  4 16:26:13.531: VTP LOG RUNTIME: Relaying packet received on trunk Et0/0 - in TRANSPARENT MODE (nc = false)
*Oct  4 16:26:13.532: VTP LOG RUNTIME: Relaying packet received on trunk Et0/0 - in TRANSPARENT MODE (nc = false)
*Oct  4 16:26:13.533: VTP LOG RUNTIME: Relaying packet received on trunk Et0/1 - in TRANSPARENT MODE (nc = false)
*Oct  4 16:26:13.534: VTP LOG RUNTIME: Relaying packet received on trunk Et0/1 - in TRANSPARENT MODE (nc = false)

On SW3 and SW4, you should be able to verify VLAN 200 is created automatically using VTP advertisements.

SW3/4# show vlan | i 200 
200  VLAN0200                         active    
200  enet  100200     1500  -      -      -        -    -        0      
Gotchas
  • If a switch is configured as a VTP server without a VTP domain name, you cannot configure a VLAN on the switch.
  • When VTP domain name is configured on VTP server, all other switches without domain names configured will dynamically learn the domain name.
  • Dynamic Trunking Protocol (DTP) sends the VTP domain name in a DTP packet. Therefore, if you have two ends of a link that belong to different VTP domains, the trunk does not come up if you use DTP. In this special case, you must configure the trunk mode as on or nonegotiate, on both sides, in order to allow the trunk to come up without DTP negotiation agreement.
  • If the domain has a single VTP server and it fails, the easiest way to restore operation is to change one of the VTP clients in that domain to a VTP server. The configuration revision remains the same on the remaining clients even after the server fails, so VTP continues to work in the domain.

I hope you enjoyed this article. Please feel free to leave any comment or feedback.


Ashutosh Patel

Ashutosh Patel is the author and editor of netfixpro.com. He currently works as a Network Security Architect.
