This should be a quick one. If you are studying for your CCIE, you’ve likely heard of the horrors of VTP. I, for one, haven’t ever worked anywhere that used it, but it still needs to be covered.
The idea of VTP is to help keep the VLAN configuration in sync across a layer 2 domain. You can join several switches to a VTP domain and they will all know about the same VLANs.
There are 3 VTP modes that a switch can be in.
Server – A VTP server is where you create, modify, and update the VLANs. The configuration of the VLANs themselves is no different whether or not you use VTP.
Client – A VTP client is a switch that receives, forwards, and processes VTP advertisements. VLAN configuration changes are NOT allowed on switches that are in VTP client mode.
Transparent – A VTP transparent switch will still forward VTP advertisements it receives, but it will NOT process any of them. If you wish to configure VLANs separately on each switch, configure the switches for transparent mode.
I believe in more current IOS releases you can actually completely disable VTP but I don’t know all of the details on that. At any rate, let’s take a quick look and see how it works, starting with an example of how VTP can work on its own. Begin with a switch that has been ‘write erased’ (a verb I’m sure) but still has its VLANs defined in the vlan.dat file…
Switch1#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/24
                                                Gi1/0/25, Gi1/0/26, Gi1/0/27
                                                Gi1/0/28
10   users0                           active
11   users1                           active
12   users2                           active
13   users3                           active
20   prod0                            active
21   prod1                            active
As you can see, the switch has 6 local VLANs defined. Now, let’s connect it to a second switch that has only one VLAN defined, and look at Switch1 again…
Switch1#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/3, Gi1/0/4
                                                Gi1/0/5, Gi1/0/6, Gi1/0/7
                                                Gi1/0/8, Gi1/0/9, Gi1/0/10
                                                Gi1/0/11, Gi1/0/12, Gi1/0/13
                                                Gi1/0/14, Gi1/0/15, Gi1/0/16
                                                Gi1/0/17, Gi1/0/18, Gi1/0/19
                                                Gi1/0/20, Gi1/0/21, Gi1/0/22
                                                Gi1/0/23, Gi1/0/24, Gi1/0/25
                                                Gi1/0/26, Gi1/0/27, Gi1/0/28
10   client                           active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
That one VLAN happened to be VLAN 10, but it was called client instead of users0. So how did Switch1 end up with the other switch’s VLAN database? Cisco lists these requirements for VTP to work…
- The link connecting the switches must be trunking
- The switches must have the same VTP domain name
- The switches must have the same password, if one has been configured
So how did this happen? Through the magic of DTP, the ports automagically trunked. In addition, you don’t actually have to define the VTP domain the first time around: a new switch learns the domain from the first update it hears. Since both switches were servers in the same domain, Switch1 took the VLAN database from the switch with the higher VTP configuration revision number.
So you have to be careful when using VTP. I mentioned the horrors of VTP in the first couple of sentences of this post. Let’s walk through a real VTP horror story so you see what I mean…
Say you have an existing VTP domain: two access switches out at a remote site that you’ve configured correctly and that are using VTP as you’d expect, one as the VTP server and one as the VTP client. In addition, the VTP server hosts the SVI (layer 3) interfaces for each of these VLANs. Let’s take a look and see what things look like…
Switch – 3750_1
3750_1#show ip int brief | ex unass
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 10.10.10.1      YES manual up                    up
Vlan20                 10.10.20.1      YES manual up                    up
Vlan30                 10.10.30.1      YES manual up                    up
3750_1#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : interubernet.local
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 000d.2818.af00
Configuration last modified by 0.0.0.0 at 3-1-93 00:25:40
Local updater ID is 10.10.10.1 on interface Vl10 (lowest numbered VLAN interface found)
Feature VLAN:
--------------
VTP Operating Mode              : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
Configuration Revision          : 16
MD5 digest                      : 0x24 0x7D 0xC8 0xFA 0x84 0x55 0x59 0xFC
                                  0x43 0x34 0x06 0x42 0x35 0x13 0x0E 0xE6
3750_1#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
10   floor1                           active    Fa1/0/2, Fa1/0/3, Fa1/0/4
                                                Fa1/0/5, Fa1/0/6, Fa1/0/7
                                                Fa1/0/8, Fa1/0/9
20   floor2                           active    Fa1/0/10, Fa1/0/11, Fa1/0/12
                                                Fa1/0/13, Fa1/0/14, Fa1/0/15
                                                Fa1/0/16, Fa1/0/17, Fa1/0/18
                                                Fa1/0/19, Fa1/0/20
30   floor3                           active    Fa1/0/21, Fa1/0/22, Fa1/0/23
                                                Fa1/0/24
So things on switch 1 look pretty normal: you have your layer 3 interfaces, the switch is in VTP server mode, and the access ports are split up between the VLANs. Let’s look at the second switch…
Switch – 3750_2
3750_2#show vtp status
VTP Version                     : running VTP2
Configuration Revision          : 16
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Client
VTP Domain Name                 : interubernet.local
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x24 0x7D 0xC8 0xFA 0x84 0x55 0x59 0xFC
Configuration last modified by 0.0.0.0 at 3-1-93 00:25:40
3750_2#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
10   floor1                           active    Fa1/0/2, Fa1/0/3, Fa1/0/4
                                                Fa1/0/5, Fa1/0/6, Fa1/0/7
                                                Fa1/0/8, Fa1/0/9
20   floor2                           active    Fa1/0/10, Fa1/0/11, Fa1/0/12
                                                Fa1/0/13, Fa1/0/14, Fa1/0/15
                                                Fa1/0/16, Fa1/0/17, Fa1/0/18
                                                Fa1/0/19, Fa1/0/20
30   floor3                           active    Fa1/0/21, Fa1/0/22, Fa1/0/23
                                                Fa1/0/24
Things look normal on switch 2 as well: VTP client mode, and the access ports split up between the VLANs. Now let’s say you need some extra capacity. Floor 3 is expanding and they want you to install a third switch to handle it. You happen to have one lying around that you weren’t using at the time, so you write erase the box and reboot it. When it comes back up, you do the following configuration to get it ready for install…
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname 3750_3
3750_3(config)#vtp domain interubernet.local
3750_3(config)#vtp mode client
3750_3(config)#exit
3750_3#write
Building configuration…
[OK]
3750_3#
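This pre-staging step is where a check belongs before the box ships: compare the candidate’s ‘show vtp status’ against the production server’s and stop if the candidate’s revision would win on connect. The script below is an added example (not from the original post and not Cisco tooling); it parses both layouts of ‘show vtp status’ that appear in this post. The server capture is the post’s own 3750_1 output; the 3750_3 and fresh-switch captures are constructed, with invented digests and the post’s revision figure of 300.

```python
# Pre-ship VTP check (added example, not part of the original post): parse
# 'show vtp status' from the production VTP server and from a switch about to
# be installed, and flag anything that could overwrite the domain's VLAN
# database the moment the new switch is cabled in. SERVER_3750_1 is the post's
# own output; CANDIDATE_3750_3 and FRESH_SWITCH are constructed (digests invented).
import re

SERVER_3750_1 = """\
3750_1#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : interubernet.local
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 000d.2818.af00
Configuration last modified by 0.0.0.0 at 3-1-93 00:25:40
Local updater ID is 10.10.10.1 on interface Vl10 (lowest numbered VLAN interface found)

Feature VLAN:
--------------
VTP Operating Mode              : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
Configuration Revision          : 16
MD5 digest                      : 0x24 0x7D 0xC8 0xFA 0x84 0x55 0x59 0xFC
                                  0x43 0x34 0x06 0x42 0x35 0x13 0x0E 0xE6
"""

CANDIDATE_3750_3 = """\
3750_3#show vtp status
VTP Version                     : running VTP2
Configuration Revision          : 300
VTP Operating Mode              : Client
VTP Domain Name                 : interubernet.local
VTP V2 Mode                     : Enabled
MD5 digest                      : 0x11 0x22 0x33 0x44 0x55 0x66 0x77 0x88
                                  0x99 0xAA 0xBB 0xCC 0xDD 0xEE 0xFF 0x00
Configuration last modified by 0.0.0.0 at 3-1-93 00:25:40
"""

FRESH_SWITCH = """\
Switch#show vtp status
VTP Version                     : running VTP1
Configuration Revision          : 0
VTP Operating Mode              : Server
VTP Domain Name                 :
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
"""

# Matches 'Key   : value' lines only; 'Feature VLAN:' and the timestamp line do not match.
FIELD = re.compile(r"^(.+?)\s+:\s*(.*)$")

def parse_vtp_status(text):
    """'show vtp status' output -> {field: value}. Handles the older flat layout and
    the newer 'Feature VLAN:' layout; a line starting with 0x continues the MD5 digest."""
    fields, last = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("0x") and last == "MD5 digest":
            fields[last] += " " + line
            continue
        m = FIELD.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
    return fields

def summarize(fields):
    return {
        "mode": fields.get("VTP Operating Mode", "").lower(),
        "domain": fields.get("VTP Domain Name", ""),
        "revision": int(fields.get("Configuration Revision", "0") or 0),
        "digest": fields.get("MD5 digest", ""),
    }

def preship_findings(server_text, candidate_text):
    """Reasons the candidate is not safe to connect; an empty list means ship it."""
    server = summarize(parse_vtp_status(server_text))
    cand = summarize(parse_vtp_status(candidate_text))
    if cand["mode"] == "transparent":
        return []   # processes no advertisements, so it cannot overwrite anyone
    if not cand["domain"]:
        return []   # NULL domain: learns domain and revision from the first advertisement
    if cand["domain"] != server["domain"]:
        return [f"domain mismatch: candidate '{cand['domain']}' vs server "
                f"'{server['domain']}' (will not sync)"]
    if cand["revision"] > server["revision"]:
        return [f"candidate revision {cand['revision']} > server revision "
                f"{server['revision']}: its database would overwrite the domain "
                f"on connect, even in {cand['mode']} mode"]
    if cand["revision"] == server["revision"] and cand["digest"] != server["digest"]:
        return ["same revision but different MD5 digest: databases or passwords differ"]
    return []

if __name__ == "__main__":
    for name, text in (("3750_3", CANDIDATE_3750_3), ("fresh", FRESH_SWITCH)):
        print(name, preship_findings(SERVER_3750_1, text) or ["safe to ship"])
```

Run it with captures pasted from the two consoles; for the post’s 3750_3 it reports the revision-300 problem, while a write-erased switch with a blank domain passes because it will learn the domain and revision from the server.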
You also configure interface faste1/0/2 on 3750_1 as a trunk so there’s a place to plug 3750_3 in when it arrives on site.
You ship 3750_3 off to the site with directions on how to cable the device when it arrives. The box shows up, and the local guy racks it, powers it up, and plugs in the cabling as you asked. Then your pager starts going off. The entire building just lost network connectivity. You try to remote into the VLAN10 interface on 3750_1 but can’t. You drive over to the site and console into the switches. This is what you see on 3750_1…
3750_1#show ip int brief | ex unass
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 10.10.10.1      YES manual up                    down
Vlan20                 10.10.20.1      YES manual up                    down
Vlan30                 10.10.30.1      YES manual up                    down
3750_1#
A quick ‘show vlan’ confirms that the VLANs are entirely gone…
3750_1#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
So what happened? Turns out the switch you shipped to the site had been used by a CCIE candidate for studying. They had spent over a year configuring and un-configuring VLANs on it, until the configuration revision number got all the way up to 300. The instant it was plugged into the network, its VLAN database (carrying the higher revision) overwrote the domain’s, despite the fact that it was a client.
Quick note on this. This only happened because the VTP domain name was configured on the third switch. If it hadn’t been configured, the third switch would have inherited the domain name as well as the revision number from the VTP server.
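To make the rules in play concrete (the three mode behaviours from the top of the post, the trunk/domain/password requirements, and the note just above about an unconfigured domain), here is a small Python model of the acceptance logic. It is an added example, not Cisco’s code: Switch, Advertisement, converge and the scenario functions are invented for illustration, a hashed string stands in for the real MD5 digest, and the revision reset when a switch is moved to transparent mode mirrors what IOS does.

```python
# Toy model (added example, not Cisco code) of the VTP behaviour the post describes:
# who accepts an advertisement, who only forwards it, and why the configuration
# revision decides whose database survives. Names here are invented for illustration.
from collections import namedtuple
from dataclasses import dataclass, field
import hashlib

Advertisement = namedtuple("Advertisement", "domain revision vlans digest")

def vtp_digest(domain, revision, vlans, password=""):
    # Stand-in for the MD5 digest in a VTP summary advert: any change in database or password changes it.
    blob = f"{domain}|{revision}|{sorted(vlans.items())}|{password}".encode()
    return hashlib.md5(blob).hexdigest()

@dataclass
class Switch:
    name: str
    mode: str = "server"        # server | client | transparent
    domain: str = ""            # blank until configured or learned
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def set_mode(self, mode):
        if mode == "transparent":
            self.revision = 0   # IOS zeroes the revision when a switch goes transparent
        self.mode = mode

    def add_vlan(self, vid, name):
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLAN changes not allowed in client mode")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1  # every server-side change bumps the revision

    def receive(self, adv):
        """Apply the post's acceptance rules; True if the local database changed."""
        if self.mode == "transparent":
            return False        # forwarded downstream, never processed
        if not self.domain:     # unconfigured domain: learn it and take the database as-is
            self.domain, self.revision, self.vlans = adv.domain, adv.revision, dict(adv.vlans)
            return True
        if adv.domain != self.domain:
            return False        # other domain: ignored
        if adv.digest != vtp_digest(adv.domain, adv.revision, adv.vlans, self.password):
            return False        # a password mismatch shows up as a digest mismatch: ignored
        if adv.revision <= self.revision:
            return False        # only a strictly higher revision wins
        self.revision, self.vlans = adv.revision, dict(adv.vlans)
        return True             # note: being a client rather than a server never mattered

def converge(switches, max_rounds=10):
    """Stand-in for adverts flowing over trunks: every originating switch advertises
    to every other switch until nothing changes."""
    for _ in range(max_rounds):
        changed = False
        for src in switches:
            if src.mode == "transparent" or not src.domain:
                continue        # transparent and NULL-domain switches do not originate adverts
            adv = Advertisement(src.domain, src.revision, dict(src.vlans),
                                vtp_digest(src.domain, src.revision, src.vlans, src.password))
            changed |= any([dst.receive(adv) for dst in switches if dst is not src])  # list: no short-circuit
        if not changed:
            return

def build_site():
    # The post's remote site: 3750_1 (server) and 3750_2 (client), both at revision 16.
    vlans = {1: "default", 10: "floor1", 20: "floor2", 30: "floor3"}
    s1 = Switch("3750_1", "server", "interubernet.local", revision=16, vlans=dict(vlans))
    s2 = Switch("3750_2", "client", "interubernet.local", revision=16, vlans=dict(vlans))
    return s1, s2

def horror_story():
    s1, s2 = build_site()
    s3 = Switch("3750_3", "client", "interubernet.local", revision=300)  # ex-lab box, VLAN 1 only
    converge([s1, s2, s3])
    return s1.revision, sorted(s1.vlans), sorted(s2.vlans)      # (300, [1], [1])

def blank_domain_variant():
    s1, s2 = build_site()
    s3 = Switch("3750_3", "client", revision=300)               # domain never configured
    converge([s1, s2, s3])
    return s3.domain, s3.revision, sorted(s3.vlans)             # ('interubernet.local', 16, [1, 10, 20, 30])

def password_mismatch():
    s1, s2 = build_site()
    s3 = Switch("3750_3", "client", "interubernet.local", password="lab", revision=300)
    converge([s1, s2, s3])
    return s1.revision, s3.revision                             # (16, 300): nothing synced either way

def staged_properly():
    s1, s2 = build_site()
    s3 = Switch("3750_3", "server", "interubernet.local", revision=300)
    s3.set_mode("transparent")                                  # revision -> 0 ...
    s3.set_mode("client")                                       # ... and only then client
    converge([s1, s2, s3])
    s1.add_vlan(40, "floor4")                                   # normal operation afterwards
    converge([s1, s2, s3])
    return s1.revision, s3.revision, sorted(s3.vlans)           # (17, 17, [1, 10, 20, 30, 40])
```

horror_story() reproduces the outage: the client’s revision 300 beats the server’s 16 and both site switches end up with VLAN 1 only. blank_domain_variant() is the case in the note above, and password_mismatch() shows the third requirement from Cisco’s list (the digest never matches, so nothing syncs in either direction). staged_properly() is the habit this story argues for: put a recycled switch in transparent mode first, which takes its revision back to 0, and only then make it a client.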
Neat, huh? Bottom line: VTP (in my opinion) is more trouble than it’s worth. OK, enough of me talking about why I hate VTP; let’s talk about some of its other features…
Extended VLANs
VTP versions 1 and 2 only support the normal-range VLANs (1-1005). If you try to configure an extended-range VLAN while the switch is in VTP server or client mode, it won’t work…
Switch3#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch3(config)#vlan 1006
Switch3(config-vlan)#end
% Failed to create VLANs 1006
Extended VLAN(s) not allowed in current VTP mode.
%Failed to commit extended VLAN(s) changes.
Switch3#
Supposedly VTP version 3 supports extended VLANs but I don’t know much (read, anything) about version 3.
VLAN Storage
Your VTP configuration affects where VLANs are stored. If you have VTP configured in server mode, the VLAN information is stored in the vlan.dat file. If you have VTP configured in transparent mode, the VLANs are stored both in vlan.dat and in the running configuration. Consequently, if you delete the vlan.dat file while in VTP transparent mode, the VLANs will persist through a reboot (as long as the configuration has been saved), since they also live in the configuration file.
Extended VLANs (1006-4094) can only be configured while in transparent mode, and then they are stored only in the running config.
VTP pruning
VTP pruning lets certain VLANs be pruned off trunks toward downstream switches that don’t need to see a particular VLAN. It’s handy for automatically limiting the broadcast and unknown unicast traffic a VLAN floods across those trunks.