VLAN Trunking Protocol (VTP)

VLAN Trunking Protocol (VTP) is a protocol that is used to distribute and synchronize information about VLAN databases configured throughout a switched network. This helps reduce the administration overhead within a switched network. While enabling switches to exchange and maintain consistent VLAN information. VTP is a Cisco proprietary Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on switches in the same VTP domain. Switches transmit VTP messages only on 802.1Q or ISL trunks. VTP minimizes misconfigurations and configuration inconsistencies that might result in various problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.

Switches transmit VTP summary advertisements over the management VLAN (VLAN 1 by default) using a Layer 2 multicast frame every 5 minutes. VTP packets are sent to the  destination MAC address 01-00-0C-CC-CCCC with a logical link control (LLC) code of Subnetwork Access Protocol (SNAP) (AAAA) and a type of 2003 (in the SNAP header).

For switches to be in the same domain and exchange VTP information they all must agree on the following;

  • Domain Name
  • VTP Modes
  • VTP Version
  • VTP Password

VTP Domain

The VTP domain consists of a group of adjacent connected switches that are part of the same VTP management domain. A switch can belong to only one VTP domain at any one time and will reject or drop any VTP packets received from switches in any other VTP domains. Two methods via which a switch can be configured within the VTP domain are dynamic domain assignment and, the most common method, manual configuration. Dynamic VTP domain configuration occurs on switches that have no default VTP domain configured, the no-management-domain state. When the switch is added to the switched network and establishes a trunk link (VTP will only communicate over trunk links, hence the name VLAN Trunking Protocol) with another switch in defined VTP domain, it becomes part of the VTP domain that is identified in the update that they receive from their adjacent connected switch.

Manual VTP domain configuration is the most commonly used method of assigning a switch to a VTP domain. This is performed by manually configuring the VTP domain name on each individual switch that will be in that domain via the vtp domain [name] global configuration command;

Switch(config)#vtp domain CCIE

The VTP domain can be any ASCII string from 1 to 32 characters. In addition to this, it is also important to remember that the domain name is case sensitive. Once configured, the VTP domain, as well as other VTP parameters can be viewed by issuing the show vtp status;

Switch#show vtp status

VTP Domain Name                 : CCIE
VTP Pruning Mode                : Enabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x3B 0x6E 0xE4 0x6A 0×41 0xE1 0xA5 0×73
Configuration last modified by 10.1.1.1 at 3-1-93 02:28:44
Local updater ID is 10.1.1.1 on interface Vl10 (lowest numbered VLAN interface found)

VTP Modes

In order to participate in the VTP domain, switches must be configured for a specific VTP mode, each with its own characteristics. A switch can be configured by one of the following VTP  modes;

  • Server mode
  • Client mode
  • Transparent Mode
  • Off mode

VTP Server mode is the default VTP mode for all Cisco switches. The VTP server controls VLAN creation, modification, and deletion for their respective VTP domain. Synchronizes VLAN configuration with latest information received from other switches in the management  domain. Switches that operating in VTP server mode store the VLAN database in NVRAM and advertise VTP information to all other switches within the VTP domain.

Switch(config)#vtp mode server

VTP Clients advertise and receive VTP information, forwards advertisements to other switches too. However, they do not allow VLAN creation, modification, or deletion. This means that VTP clients cannot modify or store the VTP database in NVRAM. Also VTP clients can receive VLAN information only from VTP server switches within the same VTP domain.

Switch(config)#vtp mode client

VTP Transparent mode is not a true VTP mode in that it is actually the disabling of VTP on the switch. While a switch that is configured for VTP transparent allows for the creation, modification, and deletion of VLANs in the same manner as on a VTP server switch, it is different in that it ignores VTP updates by not synchronizing its VLAN configuration with information received from other switches in the VTP domain.. All VLANs that are created on the transparent switch are locally significant and are not propagated to other switches in the VTP domain. Also if you want to run the extend VLAN number range in your network, your switch must be running in VTP Transparent mode and not in any other mode. When transparent mode switches are running in VTP version 1 they do not relay received VTP information to other switches unless the VTP domain names and VTP version numbers match those of the other switches. However, in VTP version 2, transparent mode switches will forward received VTP advertisements out of their trunk ports and act as VTP relays. This happens even if the VTP domain name is not the same.

Switch(config)#vtp mode transparent

VTP Advertisements

When a switch receives a VTP summary advertisement, it checks various parameters before incorporating the received VLAN information. First, the management domain name and password in the advertisement must match those configured in the local switch. Next, if the configuration revision number indicates that the message was created after the configuration currently in use, the switch incorporates the advertised VLAN information if the switch is a VTP server or client. One of the most critical components of VTP is the configuration revision number. Each time a VTP server modifies its VLAN information, it increments the configuration revision number by 1. It then sends out a VTP subnet advertisement with the new configuration revision number. If the configuration revision number that is advertised is higher than the number stored on the other switches in the VTP domain, the rest of the switches in the domain overwrite their VLAN configurations with the new information advertised. Within the VTP domain, the switch with the highest configuration revision number is considered the switch with the most up-to-date information. This means that if a new, non-configured switch is introduced into the VTP domain and it has a configuration revision number that is greater than the other switches in the domain, they will all overwrite their local VLAN information and replace it with the information received in the advertisement message. This is referred to as a VTP synchronization problem and it can wreak havoc in the VTP domain if administrators do not reset the configuration revision number of any new switches to 0 prior to integrating them into the network. This is done by performing one of two actions on the new switch;

  • Changing the switch to VTP transparent mode and then changing it back to VTP server mode.
  • Changing the VTP domain name to a temporary name and then changing it back to the desired VTP domain name.

Although VTP clients do not store VLAN information in NVRAM, they still retain the VTP configuration number. Therefore, simply rebooting a VTP client will not reset the configuration revision number. In other words, even on a VTP client, the configuration revision number must be manually reset.

VLAN Trunking Protocol uses three types of messages to communicate VLAN information throughout the VTP domain;

  1. VTP Advertisement Requests – Requests for configuration information. These messages are sent by VTP clients to VTP servers to request VLAN and VTP information they may be missing.
  2. VTP Summary Advertisements – Request is sent out, every 5 min by default. If the VTP domain name changes, or in the event that the switch has received a VTP summary advertisement frame with a higher configuration revision than its own.
  3. VTP Subset Advertisements – contains a list of VLAN information. If there are several VLANs, more than one subset advertisement can be required to advertise all the VLANs.

VTP Advertisement Request

VTP Advertisement Request

  • Version field – Used to indicate the VTP version number, version 1 or version 2
  • Type or code – Contains the value 0×03, indicates that this is an advertisement request frame
  • Management domain length – Used to specify the length of the VTP management domain
  • Management domain name – Specifies the actual name of the VTP management domain
  • Starting advertisement field – the starting VLAN ID of the first VLAN for which  information is requested

VTP Summary Advertisement

  • Type or code – indicates a summary advertisement, value contained is 0×01
  • Followers – indicates that this packet is followed by a VTP Subset Advertisement packet
  • Updater identity field – the IP address of the switch that is the last to have incremented the  configuration revision
  • Update timestamp – timestamp of the last update, which is essentially the date and time of the last increment of the configuration revision
  • MD5 digest – carries the VTP password, if MD5 is configured and is used for VTP authentication

VTP Subset Advertisement

VTP Subset Advertisement

  • Type or code – Indicates a subset advertisement, value contained is 0×02
  • VLAN information field – Contains information for a different VLAN

VTP Passwords

VTP passwords are embedded in the VTP messages and are authenticate by the receiver of the VTP messages. Although a password is configured locally on the switch, the actual password itself is not actually sent out. Instead, an MD5 hash code is generated and sent out in VTP advertisements. This hash code is then used by the local switch to validate incoming VTP messages.

To enable your VTP password, apply the following command from global configuration mode;

Switch(config)#vtp password CCIE

VTP Versions

There are three versions of VTP. VTP version 2 is similar in basic operation to version 1 but does have additional capabilities.Version 2 does support Token Ring support, unrecognized Type-Lenght-Value (TLV) support, Version-independent transparent mode and consistency checks.

VTP version 3 differs from earlier VTP versions in that it does not directly handle VLANs. VTP version 3 has the same features as VTP versions 1 and 2 except for the addition of the modes of
primary and secondary server and the concept of database consistency.VTP version 3 is responsible for distributing a list of databases over the VTP domain. VTP version 3 supports the following enhancements, support for extended VLANs (1025 to 4094), support for the creation and advertising of Private VLANs, improved server authentication, enhancements to a  mechanism for protection from the “wrong” database accidentally being inserted into a VTP domain, interaction with VTP versions 1 and 2, and is configurable on a per-port basis.

To enable what VTP version you want to run within your domain apply the following command from global configuration mode;

Switch(config)#vtp version {1,2,3}

VTP Pruning

VTP pruning is the process of removing VLANs from the VLAN database of the local switch when no local ports are part of that VLAN. The primary goal of VTP pruning is to increase the efficiency of trunk links by eliminating unnecessary Broadcast, Multicast, and unknown traffic from being propagated across the network. By default, a trunk connection carries traffic for all VLANs in the VTP management domain. When VTP pruning is enabled on the VTP server, pruning is enabled for the entire management domain. Each switch will advertise which VLANs it has active to neighboring switches. The neighboring switches will then prune VLANs that are not active across that trunk, thus saving bandwidth. To enable VTP Pruning on a server switch apply the following command from global configuration mode;

Switch(config)#vtp pruning