VTP – Understand, Configure and Verify
This article explains about the VTP, different VTP modes and key elements that you should know about the VTP. It also presents a lab on how to configure and verify the VTP version 2. You can replicate this lab on your switches to understand more about VTP.
Introduction
VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that propagates the definition of Virtual Local Area Networks (VLANs) across an Ethernet domain (LAN).
VTP advertises the VLAN ID, VLAN name, and VLAN type for each VLAN dynamically to neighboring switches. However, VTP does not advertise any information about which ports (interfaces) should be in each VLAN.
VTP modes
You can configure a Cisco switch to operate in any one of these VTP modes: Server, Client, Transparent, or Off.
The following table identifies the behavioral difference between each mode of VTP.
Behaviour | Server | Client | Transparent
---|---|---|---
Create, modify or delete VLANs | Yes | No | Yes (locally only)
Forwards VTP advertisements | Yes | Yes | Yes (relays them without acting on them)
Synchronizes its VLAN database from advertisements | Yes | Yes | No
Where the VLANs are stored | VLAN database file | VLAN database file | running-config

VTP mode off (configurable only on CatOS switches or with VTP version 3): in this mode, switches behave the same as in VTP transparent mode, except that VTP advertisements are not forwarded.
How VTP works?
Cisco switches transmit VTP summary advertisements over the management VLAN (VLAN 1 by default) using a Layer 2 multicast frame every 5 minutes. VTP sends updates out active trunk interfaces only (ISL or 802.1Q), so it is important to understand that the first step in running VTP is to ensure that the switches are trunking with each other (it can be ISL or 802.1q; VTP runs over both).
VTP Password
VTP password configuration is optional and it cannot be learned through VTP advertisements so it must be manually configured on all devices.
If you configure a password for VTP, you must configure the same password on all switches in the same VTP domain. The VTP password that you configure is never sent as-is; it is hashed with MD5 into a 16-byte digest that is carried in all summary-advertisement VTP packets.
NOTE: The revision number and VTP domain name can be easily seen with a Sniffer trace; to prevent DoS attacks with VTP, set VTP passwords, which are encoded as message digests (MD5) in the VTP updates.
Configuration Revision Number
A configuration revision number is a 32-bit number that indicates the level of revision for a VTP packet. Each VTP device tracks the VTP configuration revision number that is assigned to it. Most of the VTP packets contain the VTP configuration revision number of the sender.
This information is used in order to determine whether the received information is more recent than the current version. Each time that you make a VLAN change(create or delete) on a switch, the configuration revision is incremented by one.
In order to reset the configuration revision of a switch, change the VTP domain name, and then change the name back to the original name.
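The acceptance rules described above (matching domain name, matching MD5 digest, and a configuration revision higher than the local one) can be replayed in a small model. The following Python is an added example, not code from the article or from Cisco: it models a server, a client and a transparent switch from the lab, and the `digest()` stand-in (MD5 over domain and password) is an assumption of the model, not Cisco's exact digest computation, which covers more of the advertisement. The `lab_walkthrough()` function shows why the article recommends a password on every switch and why the domain-rename trick zeroes the revision.

```python
# Added example (not from the article): a model of the decision a VTP server
# or client makes when a summary advertisement arrives.  Rules modelled, as
# the article states them: the domain name must match, the MD5 digest derived
# from the VTP password must match, and the configuration revision must be
# higher than the local one.  The digest is a stand-in (MD5 over
# domain + password); the real packet digest covers more fields.
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str                  # "server", "client" or "transparent"
    domain: str
    password: str
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})

    def digest(self) -> bytes:
        # Stand-in for the 16-byte MD5 value carried in summary advertisements.
        return hashlib.md5(f"{self.domain}:{self.password}".encode()).digest()

    def advertisement(self) -> dict:
        """Build the summary advertisement this switch would send."""
        return {"domain": self.domain, "digest": self.digest(),
                "revision": self.revision, "vlans": set(self.vlans)}

    def receive(self, adv: dict) -> str:
        """Apply or ignore a received advertisement and return the reason."""
        if self.mode == "transparent":
            return "relayed only (transparent mode)"
        if adv["domain"] != self.domain:
            return "ignored: domain name mismatch"
        if adv["digest"] != self.digest():
            return "ignored: MD5 digest mismatch (check VTP password)"
        if adv["revision"] <= self.revision:
            return "ignored: revision not newer"
        self.vlans = set(adv["vlans"])
        self.revision = adv["revision"]
        return "accepted: VLAN database replaced"

    def change_vlans(self, add=(), remove=()) -> None:
        """One VLAN change (a create/delete command) bumps the revision by one."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot change VLANs")
        self.vlans |= set(add)
        self.vlans -= set(remove)
        if self.mode == "server":      # transparent switches stay at revision 0
            self.revision += 1

    def reset_revision(self) -> None:
        """The article's reset trick: rename the domain, then rename it back."""
        original = self.domain
        self.domain = original + "-tmp"   # a domain change zeroes the revision
        self.revision = 0
        self.domain = original


def lab_walkthrough() -> dict:
    """Replay the lab: SW2 is the server, SW3 a client, SW1 transparent."""
    sw2 = VtpSwitch("SW2", "server", "NetFixPro", "P@$$W0rD")
    sw3 = VtpSwitch("SW3", "client", "NetFixPro", "P@$$W0rD")
    sw1 = VtpSwitch("SW1", "transparent", "NetFixPro", "P@$$W0rD")
    sw2.change_vlans(add=range(100, 106))          # "vlan 100-105" on the server
    results = {
        "sw3_first": sw3.receive(sw2.advertisement()),
        "sw3_repeat": sw3.receive(sw2.advertisement()),
        "sw1": sw1.receive(sw2.advertisement()),
    }
    # A switch in the right domain but with a different password is ignored,
    # which is why the article recommends the same password on every switch.
    stray = VtpSwitch("SWx", "server", "NetFixPro", "wrong", revision=99)
    results["wrong_password"] = sw3.receive(stray.advertisement())
    results["sw3_vlans"] = sorted(sw3.vlans)
    results["sw3_revision"] = sw3.revision
    sw2.reset_revision()
    results["sw2_after_reset"] = sw2.revision
    return results


if __name__ == "__main__":
    for key, value in lab_walkthrough().items():
        print(f"{key:18} {value}")
```

Running the module prints each step's outcome; the client accepts the first advertisement, ignores the identical repeat because the revision is not newer, and ignores the advertisement carrying a mismatched digest.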
Example lab
Now that we understand VTP, let's configure and verify VTP version 2 using this lab. In this example, we have four Cisco switches running 15.x code, connected as shown in the above-mentioned diagram. We will configure SW1 in VTP transparent mode, SW2 in VTP server mode (the default mode in VTPv2), and SW3 and SW4 in VTP client mode. We will also configure the VTP domain NetFixPro and the VTP password P@$$W0rD on all four switches. Finally, we will create some VLANs to verify whether VTP works as expected. So let's get started.
The first step in configuring VTP is to ensure that the switches are trunking with each other (ISL or 802.1q; VTP runs over both).
SW1 to SW4
Enable dot1q trunking on necessary switchports.
```
conf t
 interface range Ethernet0/0-1
  switchport trunk encapsulation dot1q
  switchport mode trunk
  no shut
 end
write mem
```
Verify that the trunk has formed.
```
SWx# show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Et0/0       on           802.1q         trunking      1
Et0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Et0/0       1-4094
Et0/1       1-4094

Port        Vlans allowed and active in management domain
Et0/0       1
Et0/1       1

Port        Vlans in spanning tree forwarding state and not pruned
Et0/0       1
Et0/1       none
```
Let’s verify the default VTP status
```
SWx# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0200
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 5
Configuration Revision            : 0
MD5 digest                        : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD 0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC
```
As you can see, switches are running VTP version 1 and VTP server mode by default with no domain name.
Next, configure the VTP domain name on the VTP server; all other switches without a domain name configured will dynamically learn it. The VTP password cannot be learned through VTP, so you must manually configure it on all switches. Finally, create some VLANs on the VTP server (SW2 in this case).
SW2
Configure VTP as per the lab requirement.
```
vtp domain NetFixPro
vtp version 2
vtp password P@$$W0rD
!
vlan 100-105
```
Verify the VTP status.
```
SW2# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : NetFixPro
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0200
Configuration last modified by 0.0.0.0 at 10-4-16 15:02:43
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 11
Configuration Revision            : 2
MD5 digest                        : 0x11 0xB7 0x23 0x63 0x39 0x57 0x10 0x82 0xFB 0x7A 0x13 0x5D 0xF1 0xAD 0x36 0xC6
```
Note that when a switch is in VTP client/server mode, the configured VLANs do not appear in the running-configuration; these are kept in the VLAN database file.
```
SW2# show running-config | i vlan
vlan internal allocation policy ascending
```
SW1
Configure VTP as per the lab requirement.
```
vtp domain NetFixPro
vtp version 2
vtp mode transparent
vtp password P@$$W0rD
!
vlan 100-105
```
NOTE: Since SW1 is running in VTP transparent mode, it does not participate in VTP synchronization (it only relays advertisements), so all VLANs must be created manually.
Verify the VTP status.
```
SW1# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : NetFixPro
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0100
Configuration last modified by 0.0.0.0 at 10-4-16 15:00:30

Feature VLAN:
--------------
VTP Operating Mode                : Transparent
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 11
Configuration Revision            : 0
MD5 digest                        : 0xE6 0xEC 0x88 0x1A 0xE7 0x39 0xB6 0x4E 0x3E 0xA5 0x74 0xFD 0x72 0xF3 0x80 0x50
```
Also note that when a switch is in VTP transparent mode, the VLAN configuration statements appear in the running configuration.
```
SW1# show running-config | i vlan
vlan internal allocation policy ascending
vlan 100-105
```
SW3 & SW4
Configure VTP as per the lab requirement.
```
vtp domain NetFixPro
vtp version 2
vtp mode client
vtp password P@$$W0rD
```
NOTE: Since SW3 and SW4 are running in VTP client mode, all VLANs are created automatically from the VTP advertisements sent by SW2.
Verify the VTP status.
```
SW3/4# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : NetFixPro
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0300
Configuration last modified by 0.0.0.0 at 10-4-16 15:02:43

Feature VLAN:
--------------
VTP Operating Mode                : Client
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 11
Configuration Revision            : 2
MD5 digest                        : 0x11 0xB7 0x23 0x63 0x39 0x57 0x10 0x82 0xFB 0x7A 0x13 0x5D 0xF1 0xAD 0x36 0xC6
```
Note that when a switch is in VTP client/server mode, the configured VLANs do not appear in the running configuration; these are kept in the VLAN database file.
```
SW3/4# show running-config | i vlan
vlan internal allocation policy ascending
```
SW1 to SW4
Verify the VTP password
```
SWx# show vtp password
VTP Password: P@$$W0rD
```
NOTE: VTP password is never sent in VTP messages; an MD5 hash is sent instead.
Verify the VLAN status
```
SWx# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/2, Et0/3, Et1/0, Et1/1
                                                Et1/2, Et1/3, Et2/0, Et2/1
                                                Et2/2, Et2/3, Et3/0, Et3/1
                                                Et3/2, Et3/3
100  VLAN0100                         active
101  VLAN0101                         active
102  VLAN0102                         active
103  VLAN0103                         active
104  VLAN0104                         active
105  VLAN0105                         active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
```
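Checking the `show vtp status` output of every switch by eye, as done above, does not scale past a handful of devices. The following Python is an added example, not code from the article or a Cisco tool: it parses the fields that matter (running version, domain name, operating mode, configuration revision, MD5 digest) out of the `show vtp status` text and audits the set for the problems this article points out: version 1 still running, a server with no domain name, and server/client switches that disagree on domain, digest or revision. The sample outputs are constructed from the lab values shown above; the audit rules are assumptions drawn from the article's text.

```python
# Added example (not from the article): parse `show vtp status` from several
# switches and audit the VTP domain for consistency.  Sample outputs are
# constructed from the article's lab values; the rules are this example's own.
import re

LAB_STATUS = {
    "SW1": """VTP version running : 2
VTP Domain Name : NetFixPro
VTP Operating Mode : Transparent
Configuration Revision : 0
MD5 digest : 0xE6 0xEC 0x88 0x1A 0xE7 0x39 0xB6 0x4E 0x3E 0xA5 0x74 0xFD 0x72 0xF3 0x80 0x50
""",
    "SW2": """VTP version running : 2
VTP Domain Name : NetFixPro
VTP Operating Mode : Server
Configuration Revision : 2
MD5 digest : 0x11 0xB7 0x23 0x63 0x39 0x57 0x10 0x82 0xFB 0x7A 0x13 0x5D 0xF1 0xAD 0x36 0xC6
""",
    "SW3": """VTP version running : 2
VTP Domain Name : NetFixPro
VTP Operating Mode : Client
Configuration Revision : 2
MD5 digest : 0x11 0xB7 0x23 0x63 0x39 0x57 0x10 0x82 0xFB 0x7A 0x13 0x5D 0xF1 0xAD 0x36 0xC6
""",
    "SW4": """VTP version running : 2
VTP Domain Name : NetFixPro
VTP Operating Mode : Client
Configuration Revision : 2
MD5 digest : 0x11 0xB7 0x23 0x63 0x39 0x57 0x10 0x82 0xFB 0x7A 0x13 0x5D 0xF1 0xAD 0x36 0xC6
""",
}

# A factory-default switch, as in the article's first `show vtp status`.
DEFAULT_STATUS = """VTP version running : 1
VTP Domain Name :
VTP Operating Mode : Server
Configuration Revision : 0
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD 0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC
"""

# [ \t]* rather than \s* so an empty domain name does not swallow the next line.
FIELDS = {
    "version": r"VTP version running[ \t]*:[ \t]*(\d+)",
    "domain": r"VTP Domain Name[ \t]*:[ \t]*(\S*)",
    "mode": r"VTP Operating Mode[ \t]*:[ \t]*(\w+)",
    "revision": r"Configuration Revision[ \t]*:[ \t]*(\d+)",
    "digest": r"MD5 digest[ \t]*:[ \t]*((?:0x[0-9A-Fa-f]{2}[ \t]*)+)",
}


def parse_vtp_status(text: str) -> dict:
    """Extract the fields the audit needs from one switch's output."""
    parsed = {}
    for key, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if not match:
            raise ValueError(f"field '{key}' not found in show vtp status output")
        parsed[key] = match.group(1).strip()
    parsed["version"] = int(parsed["version"])
    parsed["revision"] = int(parsed["revision"])
    parsed["mode"] = parsed["mode"].lower()
    # Normalise the digest to one hex string so it compares across switches.
    parsed["digest"] = "".join(b[2:] for b in parsed["digest"].split()).upper()
    return parsed


def audit_vtp_domain(statuses: dict) -> list:
    """Return findings for {switch_name: parsed_status}; empty list means consistent."""
    findings = []
    for name, s in statuses.items():
        if s["version"] == 1:
            findings.append(f"{name}: running VTP version 1")
        if s["mode"] == "server" and not s["domain"]:
            findings.append(f"{name}: server mode with no domain name (cannot create VLANs)")
    # Only server and client switches take part in synchronization, so only
    # they must agree on domain name, digest and revision.
    members = {n: s for n, s in statuses.items() if s["mode"] in ("server", "client")}
    for key, label in (("domain", "domain name"), ("digest", "MD5 digest"),
                       ("revision", "configuration revision")):
        values = {s[key] for s in members.values()}
        if len(values) > 1:
            findings.append(f"{label} differs between server/client switches: "
                            f"{sorted(map(str, values))}")
    if members and not any(s["mode"] == "server" for s in members.values()):
        findings.append("no VTP server in the domain")
    return findings


if __name__ == "__main__":
    lab = {name: parse_vtp_status(text) for name, text in LAB_STATUS.items()}
    print("lab:", audit_vtp_domain(lab) or "consistent")
    print("default:", audit_vtp_domain({"SW0": parse_vtp_status(DEFAULT_STATUS)}))
```

On the lab outputs the audit returns no findings; on a factory-default switch it reports both VTP version 1 and a server with no domain name. In practice the text for each switch would be collected from the devices and fed to `parse_vtp_status()` in place of the constructed samples.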
Sure enough, VTP advertisements worked as expected. For the final verification, let's confirm that a change elsewhere in the VTP domain, such as VLAN creation or removal, does not affect the transparent switch (SW1 in this case), which only relays VTP messages.
To verify that, first enable VTP debugging on SW1 as follows.
```
SW1# debug sw-vlan vtp events
vtp events debugging is on
```
Now let’s create a new VLAN on SW2 so it generates VTP advertisements.
```
SW2# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)# vlan 200
SW2(config-vlan)# end
SW2#
```
You should see the following debug messages on the terminal of SW1. As you can see, SW1 relays (forwards) the VTP advertisement messages to the other switches.
```
SW1#
*Oct  4 16:26:13.531: VTP LOG RUNTIME: Relaying packet received on trunk Et0/0 - in TRANSPARENT MODE (nc = false)
*Oct  4 16:26:13.532: VTP LOG RUNTIME: Relaying packet received on trunk Et0/0 - in TRANSPARENT MODE (nc = false)
*Oct  4 16:26:13.533: VTP LOG RUNTIME: Relaying packet received on trunk Et0/1 - in TRANSPARENT MODE (nc = false)
*Oct  4 16:26:13.534: VTP LOG RUNTIME: Relaying packet received on trunk Et0/1 - in TRANSPARENT MODE (nc = false)
```
On SW3 and SW4, you can verify that VLAN 200 has been created automatically from the VTP advertisements.
```
SW3/4# show vlan | i 200
200  VLAN0200                         active
200  enet  100200     1500  -      -      -        -    -        0      0
```
Gotchas
- If a switch is configured as a VTP server without a VTP domain name, you cannot configure a VLAN on the switch.
- When VTP domain name is configured on VTP server, all other switches without domain names configured will dynamically learn the domain name.
- Dynamic Trunking Protocol (DTP) sends the VTP domain name in a DTP packet. Therefore, if you have two ends of a link that belong to different VTP domains, the trunk does not come up if you use DTP. In this special case, you must configure the trunk mode as on or nonegotiate, on both sides, in order to allow the trunk to come up without DTP negotiation agreement.
- If the domain has a single VTP server and it crashes, the best and easiest way to restore the operation is to change any of the VTP clients in that domain to a VTP server. The configuration revision still remains the same in the rest of the clients, even if the server crashes. Therefore, VTP works properly in the domain.
I hope you enjoyed this article. Please feel free to leave any comment or feedback.
Nice article! 👍