The Bryant Advantage BCMSN Study Guide
Chris Bryant, CCIE #12933
www.thebryantadvantage.com
VLAN Trunking Protocol (VTP)

Overview
The Need For VTP
Configuring VTP
VTP Modes
VTP Advertisement Process
Preventing VTP Synchronization Issues
VTP Advertisement Types
VTP Features
VTP Versions
The VLAN.DAT File
VTP Secure Mode
As a CCNP candidate, you know that when it comes to Cisco technologies, there's always something new to learn! You learned about the VLAN Trunking Protocol (VTP) in your CCNA studies, but now we're going to review a bit and then build on your knowledge of this important switching technology.
Why Do We Need VTP?

VLAN Trunking Protocol (VTP) allows each switch in a network to have an overall view of the active VLANs. VTP also allows network administrators to restrict the switches upon which VLANs can be created, deleted, or modified. In our first example, we'll look at a simple two-switch setup and then add to the network to illustrate the importance of VTP.
Here, the only two members of VLAN 10 are found on the same switch. We can create VLAN 10 on SW1, and SW2 really doesn't need to know about this new VLAN.
We know that the chances of all the hosts in a VLAN being on one switch are very remote! More realistic is a scenario like the following, where the center or "core" switch has no ports in a certain VLAN, but traffic destined for that VLAN will be going through that very core switch.
SW2 doesn't have any hosts in VLAN 10, but for VLAN 10 traffic to successfully travel from SW1 to SW3 and vice versa, SW2 has to know about VLAN 10's existence. SW2 could be configured manually with VLAN 10, but that's going to get very old very fast. Considering that most networks have a lot more than three switches, statically configuring every VLAN on every switch would soon take up a lot of your time, as would troubleshooting the network when you invariably leave a switch out!

Luckily, the major feature of VTP is the transmission of VTP advertisements that notify neighboring switches in the same domain of any VLANs in existence on the switch sending the advertisements. The key phrase there is "in the same domain".

By default, Cisco switches are not in a VTP domain. Before working with VTP in a home lab or production network, run show vtp status. (The official term for a VTP domain is "management domain", but we'll just call them domains in this section. The only place you'll probably see that full phrase is on the exam.)
There's nothing next to "VTP Domain Name", so a VTP domain has not yet been configured. We'll now change that by placing this switch into a domain called CCNP. Watch this command - it is case sensitive.
After configuring the VTP domain "CCNP" on SW2, SW1 is also placed into that domain. Each switch can now successfully advertise its VLAN information to the other, and as switches are added to this VTP domain, those switches will receive these advertisements as well. A Cisco switch can belong to one and only one VTP domain.

VTP Modes

In the previous show vtp status readouts, the VTP Operating Mode is set to Server. The more familiar term for VTP Operating Mode is simply VTP Mode, and Server is the default. It's through the usage of VTP modes that we can place limits on which switches can delete and create VLANs.
It's not unusual for edge switches such as SW1 and SW3 to be available to more people than they should be. If SW2 is the only switch that's physically secure, SW2 should be the only VTP Server. Let's review the VTP Modes and then configure SW1 and SW3 appropriately.

In Server mode, a VTP switch can be used to create, modify, and delete VLANs. This means that a VTP deployment has to have at least one Server, or VLAN creation will not be possible. This is the default setting for Cisco switches.

Switches running in Client mode cannot be used to create, modify, or delete VLANs. Clients do listen for VTP advertisements and act accordingly when VTP advertisements notify the Client of VLAN changes.

VTP Transparent mode actually means that the switch isn't participating in VTP. (Bear with me here.) Transparent VTP switches don't synchronize their VTP databases with other VTP speakers; they don't even advertise their own VLAN information! Therefore, any VLANs created on a Transparent VTP switch will not be advertised to other VTP speakers in the domain, making them locally significant only. I'm not saying that Transparent mode is evil, or even bad; I am saying that you have to be careful when implementing Transparent mode in your network.

There are two versions of VTP, V1 and V2, and the main difference between the two versions affects how a VTP Transparent switch handles an incoming VTP advertisement.

VTP Version 1: The Transparent switch will forward that advertisement's information only if the VTP version number and domain name on that switch are the same as those of the downstream switches.

VTP Version 2: The Transparent switch will forward VTP advertisements via its trunk port(s) even if the domain name does not match.

To ensure that no one can create VLANs on SW1 and SW3, we'll configure both of them as VTP Clients. SW1's configuration and the resulting output of show vtp status are shown below.
Attempting to create a VLAN on a VTP client results in the following message:
This often leads to a situation where only the VTP Clients will have ports that belong to a given VLAN, but the VLAN still has to be created on the VTP Server. VLANs can be created and deleted in Transparent mode, but those changes aren't advertised to other switches in the VTP domain. Also, switches do not advertise their VTP mode.

Which Switches Should Be Servers, Which Should Be Clients?

You have to decide this for yourself in your production network, but I will share a simple method that's always worked for me - if you can absolutely secure a switch, make it a VTP server. If multiple admins will have access to the switch, you may consider making that switch a VTP Client in order to minimize the chance of unwanted or unauthorized changes being made to your VLAN scheme.
The VTP Advertisement Process

VTP Advertisements are multicasts, but they are not sent out every port on the switch. The only devices that need the VTP advertisements are other switches that are trunking with the local switch, so VTP advertisements are sent out trunk ports only. The hosts in VLAN 10 in the following exhibit would not receive VTP advertisements.
Along with the VTP domain name, VTP advertisements carry a configuration revision number that enables VTP switches to make sure they have the latest VLAN information. VTP advertisements are sent when there has been a change in a switch's VLAN database, and this configuration revision number increments by one before the advertisement is sent. To illustrate, let's look at the revision number on SW1.
The current revision number is 1. We'll now go to SW2 to check the revision number, add a VLAN, and then check the revision number again.
The revision number was 1, then a VLAN was added. The revision number incremented to 2 before the VTP advertisement reflecting this change was sent to this switch's neighbors. Let's check the revision number on SW1 now.
The revision number has incremented to 2, as you'd expect. But what exactly happened? SW1 received a VTP advertisement from SW2. Before accepting the changes reflected in the advertisement, SW1 compares the revision number in the advertisement to its own revision number. In this case, the revision number on the incoming advertisement was 2 and SW1's revision number was 1. This indicates to SW1 that the information contained in this VTP advertisement is more recent than its own VLAN information, so the advertisement is accepted. If SW1's revision number had been higher than that in the VTP advertisement from SW2, the advertisement would have been ignored.
In this example, SW2 is the root and is sending out an advertisement with revision number 300. The three switches are running VLANs 10, 20, 30, 40, and 50, and everything's just fine. The VTP domain is CCNP.
Now, a switch that was at another client site is brought to this client and installed in the CCNP domain. The problem is that the VTP revision number on the newly installed switch is 500, and this switch only knows about the default VLAN, VLAN 1.
The switches will receive a VTP advertisement with a higher revision number than the one currently in their VTP database, so they'll synchronize their databases in accordance with the new advertisement. The problem is that the new advertisements don't list VLANs 10, 20, 30, 40, or 50, so connectivity for those VLANs is lost. I've seen this happen with switches that were brought in to swap out with a downed switch. That revision number has to be reset to zero!

If you ever see VLAN connectivity suddenly lost in your network, but the switches are all functional, you should immediately check to see if a new switch was recently installed. If the answer is yes, I can practically guarantee that the revision number is the issue. Cisco theory holds that there are two ways to reset a switch's revision number to zero:

1. Change the VTP domain name to a nonexistent domain, then change it back to the original name.

2. Change the VTP mode to Transparent, then change it back to Server.

In reality, resetting this number can be more of an art form than a science. The method to use often depends on the model. In the real world, you should use your favorite search engine for a phrase such as reset configuration revision number zero followed by the switch model. (Reloading the switch won't do the job, because the revision number is kept in NVRAM, and the contents of Non-Volatile RAM are kept on a reload.)

It's a good practice to perform this reset with VTP Clients as well as Servers. In short, every time you introduce a switch to your network and that switch didn't just come out of the box, perform this reset. And if it did come out of the box, check it anyway. ;)

To see the number of advertisements that have been sent and received, run show vtp counters.
I'm sure you noticed that there are different types of advertisements! There are three major types of VTP advertisements - here's what they are and what they do. Keep in mind that Cisco switches only accept VTP advertisements from other switches in the same VTP domain.

Summary Advertisements are transmitted by VTP servers every 5 minutes, or upon a change in the VLAN database. Information included in the summary advertisement:

- VTP domain name and version
- Configuration revision number
- MD5 hash code
- Timestamp
- Number of subset advertisements that will follow this ad

Subset Advertisements are transmitted by VTP servers upon a VLAN configuration change. Subset ads give specific information regarding the VLAN that's been changed, including:

- Whether the VLAN was created, deleted, activated, or suspended
- The new name of the VLAN
- The new Maximum Transmission Unit (MTU)
- VLAN Type (Ethernet, Token Ring, FDDI)

Client Advertisement Requests are just that - a request for VLAN information from the client. Why would a client request this information? Most likely because the VLAN database has been corrupted or deleted. The VTP Server will respond to this request with a series of Summary and Subset advertisements.
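The revision-number overwrite described in the "new switch" scenario above, and the summary-advertisement fields just listed (domain, revision, MD5 digest), as an added Python model that is not part of this guide and not Cisco's implementation. The switch names, the trunk topology, the "NEW" switch and the digest over the VLAN list plus password are all constructed assumptions; scenario() shows the VLANs being wiped, the reset-to-zero fix, and a mismatched VTP password keeping the stray switch's database out.

```python
import hashlib

def vlan_digest(vlans, password):
    """Simplified model of the MD5 in a summary ad: covers the VLAN list and password."""
    data = ",".join(map(str, sorted(vlans))) + "|" + password
    return hashlib.md5(data.encode()).hexdigest()

class Switch:
    """Toy VTP speaker (constructed model, not Cisco's code). VLAN 1 always exists."""
    def __init__(self, name, domain, mode="server", password=""):
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.revision, self.vlans, self.trunks = 0, {1}, []

    def add_vlan(self, vid):
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLANs cannot be created in Client mode")
        self.vlans.add(vid)
        if self.mode == "server":          # Transparent changes stay local, no ad sent
            self.revision += 1             # revision increments before the ad goes out
            self.advertise()

    def advertise(self):
        ad = {"domain": self.domain, "rev": self.revision, "vlans": set(self.vlans),
              "md5": vlan_digest(self.vlans, self.password)}
        self.relay(ad, None)               # VTP ads leave trunk ports only

    def receive(self, ad, src):
        if self.mode == "transparent":     # v2 behaviour: relay, never synchronize
            return self.relay(ad, src)
        if ad["domain"] != self.domain:    # other domain: dropped
            return
        newer = ad["rev"] > self.revision
        authentic = ad["md5"] == vlan_digest(ad["vlans"], self.password)
        if newer and authentic:            # otherwise ignored (older, equal, or bad digest)
            self.vlans, self.revision = set(ad["vlans"]), ad["rev"]
        self.relay(ad, src)                # servers and clients forward ads on other trunks

    def relay(self, ad, src):
        for nbr in self.trunks:
            if nbr is not src:
                nbr.receive(ad, self)

def link(a, b):
    a.trunks.append(b); b.trunks.append(a)

def scenario(reset_new=False, domain_password="", new_password=""):
    """Domain CCNP: SW2 Server, SW1/SW3 Clients, VLANs 10-50 in use; a used switch with
    revision 500 and only VLAN 1 is then trunked to SW3. Returns SW1's and NEW's VLANs."""
    sw1, sw2, sw3 = (Switch(n, "CCNP", password=domain_password) for n in ("SW1", "SW2", "SW3"))
    sw1.mode = sw3.mode = "client"
    link(sw1, sw2); link(sw2, sw3)
    for vid in (10, 20, 30, 40, 50):
        sw2.add_vlan(vid)                  # SW2 reaches revision 5; the clients follow
    new = Switch("NEW", "CCNP", password=new_password)
    new.revision = 0 if reset_new else 500 # reset = Transparent-and-back before install
    link(sw3, new)
    new.advertise()                        # the stray switch's first summary ad
    sw2.advertise()                        # SW2's next periodic summary ad
    return sorted(sw1.vlans), sorted(new.vlans)
```

With the defaults the whole domain collapses to VLAN 1; with reset_new=True the new switch instead learns VLANs 10-50 from SW2; with domain_password="CCIE" and no password on the new switch, the digests differ and neither side accepts the other's database.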
Configuring VTP Features

Earlier in this section, you saw how to place a switch into a VTP domain:
The VTP mode is changed with the vtp mode command.
VTP allows us to set a password as well. Naturally, the same password should be set on all switches in the VTP domain. Although this is referred to as secure VTP, there's nothing secure about it - the command show vtp password displays the password, and this password can't be encrypted with service password-encryption.
VTP Pruning

Trunk ports belong to all VLANs, which leads to an issue involving broadcasts and multicasts. A trunk port will forward broadcasts and multicasts for all VLANs it knows about, regardless of whether the remote switch actually has ports in that VLAN or not! In the following example, VTP allows both switches to know about VLANs 2 - 19, even though neither switch has ports in all those VLANs. Since a trunk port belongs to every VLAN, they both forward broadcasts and multicasts for all those VLANs. Both switches are transmitting and receiving broadcasts and multicasts that they do not need.
Configuring VTP Pruning allows the switches to send broadcasts and multicasts to a remote switch only if the remote switch actually has ports that belong to that VLAN. This simple configuration will prevent a great deal of unnecessary traffic from crossing the trunk. vtp pruning enables pruning for all VLANs in the VTP domain; all VLANs from 2 - 1001 are eligible to be pruned. The reserved VLANs you see in show vlan brief - VLANs 1 and 1002 - 1005 - cannot be pruned.
Note that SW1 had to be changed to Server mode in order to enable pruning. Verify that pruning is enabled with show vtp status.
Enabling pruning on one VTP Server actually enables pruning for the entire domain, but I wanted to show you that a switch has to be in Server mode to have pruning enabled. It doesn't hurt anything to enter the command vtp pruning on all Servers in the domain, but it's unnecessary. Stopping unnecessary broadcasts might not seem like such a big deal in a two-switch example, but most of our networks have more than two switches! Consider this example:
If the three hosts shown in VLAN 7 are the only hosts in that VLAN, there's no reason for VLAN 7 broadcasts to reach the middle and bottom two switches. Without VTP pruning, that's exactly what will happen! Using VTP pruning here will save quite a bit of bandwidth.

I'd like to share a real-world troubleshooting tip with you here. If you're having problems with one of your VLANs being able to send data across the trunk, run show interface trunk. Make sure that all VLANs shown under "Vlans allowed and active in management domain" match the ones shown under "Vlans in spanning tree forwarding state and not pruned".

SW2#show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      1
Fa0/12      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-4094
Fa0/12      1-4094

Port        Vlans allowed and active in management domain
Fa0/11      1,10,20,30,40
Fa0/12      1,10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/11      1,10,20,30
Fa0/12      none
In this example, VLAN 40 is allowed and active, but it's been pruned. That's fine if you don't have hosts on both sides of the trunk in VLAN 40, but I have seen this happen in a production network where there were hosts on both sides of the trunk in a certain VLAN, and that VLAN had been pruned. It's a rarity, but now you know to look out for it!
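The check in the troubleshooting tip above, as an added Python example (not from this guide): it parses the VLAN sections of show interface trunk output and reports, per port, every VLAN that is allowed and active but absent from the forwarding-and-not-pruned list. The SAMPLE text is constructed to mirror the output shown above; wrapped continuation lines, which real output produces for long VLAN lists, are folded into the preceding port's list.

```python
import re

def parse_vlan_list(text):
    """Expand a Cisco VLAN list such as '1,10,20-30' into a set; 'none' is empty."""
    vlans = set()
    for part in text.strip().split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_interface_trunk(output):
    """Return {port: {section title: set of VLANs}} for the 'Vlans ...' sections;
    the first table (Mode/Encapsulation/Status) is skipped."""
    result, section, last_port = {}, None, None
    for line in output.splitlines():
        if line.startswith("Port"):
            title = line[4:].strip()
            section = title if title.startswith("Vlans") else None
            continue
        if not section or not line.strip():
            continue
        if line[:1].isspace() and last_port:      # wrapped continuation of a long list
            result[last_port][section] |= parse_vlan_list(line)
            continue
        parts = line.split(None, 1)
        last_port, vlist = parts[0], parts[1] if len(parts) > 1 else ""
        result.setdefault(last_port, {})[section] = parse_vlan_list(vlist)
    return result

ACTIVE = "Vlans allowed and active in management domain"
FORWARDING = "Vlans in spanning tree forwarding state and not pruned"

def pruned_active_vlans(output):
    """Per port: VLANs allowed and active but not forwarding (pruned or blocked)."""
    return {port: sorted(secs.get(ACTIVE, set()) - secs.get(FORWARDING, set()))
            for port, secs in parse_show_interface_trunk(output).items()}

# Constructed sample mirroring the show interface trunk output quoted above.
SAMPLE = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      1
Fa0/12      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-4094
Fa0/12      1-4094

Port        Vlans allowed and active in management domain
Fa0/11      1,10,20,30,40
Fa0/12      1,10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/11      1,10,20,30
Fa0/12      none
"""

if __name__ == "__main__":
    for port, vlans in pruned_active_vlans(SAMPLE).items():
        print(port, "active but not forwarding:", vlans or "none")
```

For the sample, Fa0/11 reports VLAN 40 (the pruned VLAN discussed above) and Fa0/12 reports every active VLAN, since nothing is forwarding on it.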
VTP Versions

By now, you've probably noticed that the first field in the readout of show vtp status is the VTP version. The first version of VTP was VTP Version 1, and that is the default of some older Cisco switches. The next version was Version 2, and that's the default on many newer models, including the 2950. As RIPv2 has advantages over RIPv1, VTPv2 has several advantages over VTPv1.

Version 2 supports Token Ring VLANs and Token Ring switching, where Version 1 does not. When changes are made to VLANs or the VTP configuration at the command-line interface (CLI), Version 2 will perform a consistency check. So what's being checked? VLAN names and numbers. This helps to prevent incorrect or inaccurate names from being propagated throughout the network. A switch running VTPv2 and Transparent mode will forward VTP advertisements received from VTP Servers in that same domain.

As with RIP, VTP versions don't work well together. Cisco switches run in Version 1 by default, although most newer switches are V2-capable. If you have a V2-capable switch such as a 2950 in a VTP domain with switches running V1, just make sure the newer switch has V2 disabled. The version can be changed with the vtp version command.
The VLAN.DAT File

Those of you with switches in your home labs have probably run into this situation. You run a write erase on your routers, reload them, and since NVRAM is now empty, you're prompted to go into setup mode. All IP addressing, routing protocols, static routes - everything's gone. So now you do the same to your switches. You run write erase, reload, and you're prompted to go into setup mode. Funny thing, though - the VLAN information is still there! Below, we see a switch that had its NVRAM erased and was then reloaded. There is no startup configuration, but the VLAN information that was on the switch is still there!
How did the VLAN information survive the write erase? The startup configuration is gone, but the VLAN database still contains information about VLANs created before the write erase. That's because the write erase command erases the contents of NVRAM, but the VLAN information is kept in a file called vlan.dat - and that file is kept in Flash.
If you want to truly initialize a switch, the vlan.dat file has to go. Deleting it can be a little tricky if you do it too quickly, though.
When a router or switch presents you with a question such as "Delete filename?", your first instinct may be to type "y" or "n". Don't do that here. If you type "y" or "yes", the switch will attempt to delete a file named "y" or "yes". Just hit the enter key for both questions to accept the defaults in the brackets. Then when you reload the switch, you'll be prompted with the system configuration question you see in this example. Make sure to answer "n" to that question. Remember - when you do this, the prior VLAN information is gone from the switch.

VTP "Secure Mode"

By setting a VTP password, you place the entire VTP domain into Secure Mode. Every switch in the domain must have a matching password.

SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP
SW1(config)#vtp password CCIE
Setting device VLAN database password to CCIE

VTP Secure Mode isn't all that secure, though - here's how you discover the password:

SW1#show vtp password
VTP Password: CCIE

Pretty secure, eh? :) Let's try to encrypt that password -

SW1(config)#service password-encryption
SW1#show vtp password
VTP Password: CCIE
That's something to keep in mind!

VTP Configuration Tips

I've configured VTP many times, and while the following two tips aren't Cisco gospel, they've worked well for me.

Unless you have a very good reason to put a switch into Transparent mode, stick with Server and Client. Not only does this ensure that the VTP databases in your network will be synchronized, but it causes less confusion in the future for other network admins who don't understand Transparent mode as well as you do. :)

Some campus networks will have switches that can be easily secured - the ones in your network control room, for example - and others that may be more accessible to others. Your VTP Servers should be the switches that are accessible only by you and a trusted few. Don't leave every switch in your VTP domain at the default of Server, or you've made it possible to create and delete VLANs on every switch in your network.
Copyright 2007 The Bryant Advantage. All Rights Reserved.