Using VLAN Trunk Protocol (VTP)

VLAN Trunk Protocol (VTP) was created by Cisco to manage all the configured VLANs across a switched internetwork and to maintain consistency throughout the network. VTP enables an administrator to add, delete, and rename VLANs. These changes are then propagated to all switches.

VTP provides the following benefits to a switched network:

  • Consistent configuration of global VLANs across all switches in the network

  • Enabling VLANs to be trunked over mixed networks—for example, Ethernet to ATM LANE or FDDI

  • Accurate tracking and monitoring of VLANs

  • Dynamic reporting when VLANs are added to all switches

  • Plug-and-play VLAN adding to the switched network

To enable VTP to manage your VLANs across the network, you must first create a VTP server. All servers that need to share VLAN information must use the same domain name, and a switch can be in only one domain at a time. This means that a switch can share VTP domain information only with switches configured in the same VTP domain.

A VTP domain can be used if you have more than one switch connected in a network. If all switches in your network are in only one VLAN, then VTP doesn’t need to be used. VTP information is sent between switches via a trunk port between the switches.

Switches advertise VTP management domain information, such as the name, as well as a configuration revision number and all known VLANs with any specific parameters.

You can configure switches to receive and forward VTP information through trunk ports but not process information updates nor update their VTP database. This is called VTP transparent mode.

You can set up a VTP domain with security by adding passwords, but remember that every switch must be set up with the same password, which might be difficult. However, if you are having problems with users adding switches to your VTP domain, then a password can be used.

Switches detect the additional VLANs within a VTP advertisement and then prepare to receive information on their trunk ports with the newly defined VLAN in tow. The information would be VLAN ID, 802.10 SAID fields, or LANE information. Each update is sent out with a revision number that is the number of the previous notification plus 1. Anytime a switch sees a higher revision number, it knows the information it receives is more current and will overwrite the current database with the new one.

Do you remember the clear config all command we talked about in Chapter 2, “Connecting the Switch Block”? Well, guess what? It really doesn’t “clear all” after all. It seems that VTP has its own NVRAM, which means that VTP information as well as the revision number would still be present if you perform a clear config all. You can clear the revision number by power-cycling the switch.

Real World Scenario—The Threat of High Revision Numbers

Many organizations have discovered the need for physical security when a device with only VLAN 1 but a high configuration revision number is added to the network. If a switch is a part of a test lab and then needs to be placed into production, it is best to clear everything and then power-cycle it. There have been instances of wiped switches erasing the VLAN setup of large organizations because the new device had a higher configuration revision number but had only VLAN 1. If a port belongs to a VLAN and that VLAN is removed, the port shuts down until the VLAN exists again. Adding the VLANs back and propagating them is a snap. The hassle and stress occur with discovering the problem. Using a VTP password is encouraged to prevent people from accidentally causing problems.


VTP Modes of Operation

There are three modes of operation within a VTP domain: server, client, and transparent. Figure 3.4 shows the three VTP modes.

Figure 3.4: VTP modes


VTP server mode is the default for all Catalyst switches. You need at least one server in your VTP domain to propagate VLAN information throughout the domain. The following must be completed within server mode:

  • Create, add, or delete VLANs on a VTP domain.

  • Change VTP information. Any change made to a switch in server mode is advertised to the entire VTP domain.

Global VLANs must be configured on a server. The server adds the VLANs to the switch configuration, so every time the switch boots up, the VLAN knowledge is propagated.


VTP clients receive information from VTP servers and send and receive updates, but they cannot make any changes to the VTP configuration as long as they are clients. No ports on a client switch can be added to a new VLAN before the VTP server notifies the client switch about the new VLAN. If you want a switch to become a server, first make it a client so that it receives all the correct VLAN information and then change it to a server. No global VTP information is kept if the switch loses power.


VTP transparent switches do not participate in the VTP domain, but they still receive and forward VTP advertisements through the configured trunk links. However, for a transparent switch to advertise the VLAN information out the configured trunk links, VTP version 2 must be used. If not, the switch does not forward anything. VTP transparent switches can add and delete VLANs because they keep their own database and do not share it with other switches. Transparent switches are considered locally significant.

VTP Advertisements

After the different types of VTP switches are defined, the switches can start advertising VTP information between them. VTP switches advertise information they know about only on their trunk ports. They advertise the following:

  • Management domain name

  • Configuration revision number

  • VLANs the switch knows about

  • Parameters for each VLAN

The switches use multicast MAC addresses so all neighbor devices receive the frames. A VTP server creates new VLANs, and that information is propagated through the VTP domain.

Figure 3.5 shows the three VTP advertisements: client, summary, and subset.

Figure 3.5: VTP advertisement content

The three types of messages are as follows:

Client requests: Clients can send requests for VLAN information to a server. Servers respond with both summary and subset advertisements.

Summary: These advertisements are sent out every 300 seconds on VLAN 1 and every time a change occurs.

Subset: These advertisements are VLAN specific and contain details about each VLAN.

The summary advertisements can contain the following information:

Management domain name: The switch that receives this advertisement must have the name that is in this field or the update is ignored.

Configuration revision number: Receiving switches use this to identify whether the update is newer than the one they have in their database.

Updater identity: The name of the switch from which the update is sent.

Updater timestamp: Might or might not be used.

MD5Digest: The key sent with the update when a password is assigned to the domain. If the key doesn’t match, the update is ignored.

Subset Advertisements

The subset advertisements contain specific information about a VLAN. After an administrator adds, deletes, or renames a VLAN, the switches are notified that they are about to receive a VLAN update on their trunk links via the VLAN-info field 1. Figure 3.6 shows the VTP subset advertisement inside this field.

Figure 3.6: Subset advertisement

The following list includes some of the information that is advertised and distributed in the VLAN-info field 1:

VLAN ID: Either ISL or 802.1Q

802.10: SAID field that identifies the VLAN ID in FDDI

VTP: VTP domain name and revision number

MTU: Maximum transmission size for each VLAN

Configuration Revision Number

The revision number is the most important piece in the VTP advertisement. Figure 3.7 shows an example of how a revision number is used in an advertisement.

Figure 3.7: VTP revision number

Figure 3.7 shows a configuration revision number as N. As a database is modified, the VTP server increments the revision number by 1. The VTP server then advertises the database with the new configuration revision number.

When a switch receives an advertisement that has a higher revision number, then the switch overwrites the database in NVRAM with the new database being advertised.
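
The acceptance rules from this section and from the summary advertisement fields, modelled as an added example (not code from the book or from Cisco). The class names, the order of the checks, and the hash used as a stand-in for the MD5 digest are assumptions; the scenario replays the sidebar's lab switch that has a high revision number and only VLAN 1.

```python
"""Toy model of how a VTP switch treats a received advertisement."""
import hashlib
from dataclasses import dataclass, field


def digest(password, domain, revision, vlans):
    # Stand-in for the MD5Digest field, not the real VTP computation: it only
    # has to change whenever the password or the advertised content changes.
    blob = f"{password}|{domain}|{revision}|{sorted(vlans)}".encode()
    return hashlib.sha256(blob).hexdigest()


@dataclass
class Advert:
    domain: str
    revision: int
    vlans: frozenset
    digest: str


@dataclass
class Switch:
    name: str
    mode: str                       # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: frozenset = frozenset({1})
    ports: dict = field(default_factory=dict)   # port name -> access VLAN

    def advertise(self):
        return Advert(self.domain, self.revision, self.vlans,
                      digest(self.password, self.domain, self.revision, self.vlans))

    def receive(self, adv):
        if self.mode == "transparent":
            return "forwarded, not processed"
        if adv.domain != self.domain:
            return "ignored: domain name mismatch"
        if adv.digest != digest(self.password, adv.domain, adv.revision, adv.vlans):
            return "ignored: digest mismatch"
        if adv.revision <= self.revision:
            return "ignored: revision not higher"
        self.revision, self.vlans = adv.revision, adv.vlans
        return "database overwritten"

    def down_ports(self):
        # A port whose VLAN no longer exists stays down until the VLAN returns.
        return sorted(p for p, vlan in self.ports.items() if vlan not in self.vlans)


def lab_switch_scenario(domain_password):
    """Constructed case: production at revision 12 meets a lab switch at 57."""
    prod = Switch("core", "server", "Globalnet", domain_password, revision=12,
                  vlans=frozenset({1, 10, 20}),
                  ports={"2/1": 10, "2/2": 20, "2/3": 1})
    lab = Switch("lab", "server", "Globalnet", revision=57)   # VLAN 1 only, no password
    outcome = prod.receive(lab.advertise())
    return outcome, prod.revision, prod.down_ports()


if __name__ == "__main__":
    print(lab_switch_scenario(""))                    # no VTP password set
    print(lab_switch_scenario("constructed-secret"))  # password set on production
```

Without a domain password the production switch takes the lab database and the ports in VLANs 10 and 20 go down; with a password the same advertisement is ignored because the digest does not match.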

Configuring VTP

There are several options that you need to be aware of before attempting to configure the VTP domain:

  1. Consider the version number of the VTP you will run.

  2. Decide if the switch is going to be a member of an already existing domain or if you are creating a new one. To add it to an existing domain, find the domain name and password, if used.

  3. Choose the VTP mode for each switch in the internetwork.

After everything is configured, the new setup should be verified to ensure that the connections work properly.

Configuring the VTP Version

There are two versions of VTP that are configurable on Cisco switches. Version 1 is the default VTP version on all switches and is typically used. No VTP version configuration is needed if you will be running version 1. Version 1 and version 2 are not compatible, so it is an all-or-nothing configuration for your switches. However, if all your switches are VTP version 2 compatible, changing one switch changes all of them. Be careful if you are not sure whether all your switches are version 2 compatible.

You would configure version 2 for the following reasons:

Token Ring VLAN support: To run Token Ring, you must run version 2 of the VTP protocol. This means that all switches must be capable of running version 2.

TLV support: Unrecognized type-length-value (TLV) support. If a VTP advertisement is received and has an unrecognized type-length-value, the version 2 VTP switches will still propagate the changes through their trunk links.

Transparent mode: Switches can run in transparent mode, which means that they only forward messages and advertisements, not add them to their own database. In version 1, the switch checks the domain name and version before forwarding, but in version 2, the switches forward VTP messages without checking the version.

Consistency checks: Consistency checks are run when an administrator enters new information in the switches, either with the CLI or other management software. If information is received by an advertisement or read from NVRAM, a consistency check is not run. A switch checks the digest on a VTP message, and if it is correct, no consistency check is made.

To configure VTP version 2 on a 4000 series, use the set vtp v2 enable command:

Terry_4000> (enable) set vtp v2 enable
This command will enable the version 2 function in the entire management domain.
All devices in the management domain should be version2-capable before enabling.
Do you want to continue (y/n) [n]? y
VTP domain modified
Terry_4000> (enable)

The IOS-based switches once again demand that you access the VLAN database in order to configure VTP. Both versions are supported, as shown next:

Terry_2950#vlan database
Terry_2950(vlan)#?
VLAN database editing buffer manipulation commands:
  abort  Exit mode without applying the changes
  apply  Apply current changes and bump revision number
  exit   Apply changes, bump revision number, and exit mode
  no     Negate a command or set its defaults
  reset  Abandon current changes and reread current database
  show   Show database information
  vlan   Add, delete, or modify values associated with a single VLAN
  vtp    Perform VTP administrative functions.
Terry_2950(vlan)#vtp ?
  client      Set the device to client mode.
  domain      Set the name of the VTP administrative domain.
  password    Set the password for the VTP administrative domain.
  pruning     Set the administrative domain to permit pruning.
  server      Set the device to server mode.
  transparent Set the device to transparent mode.
  v2-mode     Set the administrative domain to V2 mode.

Configuring the Domain

After you decide which version to run, set the VTP domain name and password on the first switch. The VTP name can be up to 32 characters long. On both the 4000 and the IOS-based switches, you can set the VTP domain password. The password is a minimum of 8 characters and a maximum of 64 on the 4000, and although truncated to 64 characters on the IOS-based switches, it has no minimum value.

Terry_4000> (enable) set vtp domain ?
Usage: set vtp [domain <name>] [mode <mode>] [passwd <passwd>] [pruning <enable|disable>] [v2 <enable|disable>
     (mode = client|server|transparent
     Use passwd '0' to clear vtp password)
Usage: set vtp pruneeligible <vlans>
     (vlans = 2..1000
     An example of vlans is 2-10,1000)
Terry_4000> (enable) set vtp domain Globalnet
VTP domain Globalnet modified
Terry_4000> (enable)

Terry_2950(vlan)#vtp password ?
  WORD The ascii password for the VTP administrative domain.
Terry_2950(vlan)#vtp password globalnet
Setting device VLAN database password to globalnet.
Terry_2950(vlan)#

Configuring the VTP Mode

Create your first switch as a server, and then create the connected switches as clients, or whatever you decided to configure them as. You don’t have to do this as a separate command as we did; you can configure the VTP information in one line, including passwords, modes, and versions:

Terry_4000> (enable) set vtp domain
Usage: set vtp [domain <name>] [mode <mode>] [passwd <passwd>]pruning <enable|disable>] [v2 <enable|disable>
     (mode = client|server|transparent
     Use passwd '0' to clear vtp password)
Usage: set vtp pruneeligible <vlans>
     (vlans = 2..1000
     An example of vlans is 2-10,1000)
Terry_4000> (enable) set vtp domain Globalnet mode server
VTP domain Globalnet modified

On the 2950 and 3550 switches, the commands are as follows:

Terry_2950#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Terry_2950(config)#vtp ?
  domain    Set the name of the VTP administrative domain.
  file      Configure IFS filesystem file where VTP configuration is stored.
  interface Configure interface as the preferred source for the VTP IP
            updater address.
  mode      Configure VTP device mode.
  password  Set the password for the VTP administrative domain.
  pruning   Set the adminstrative domain to permit pruning.
  version   Set the adminstrative domain to VTP version.
Terry_2950(config)#vtp mode ?
  client    Set the device to client mode.
  server    Set the device to server mode.
  transparent Set the device to transparent mode.

Verify the VTP Configuration

You can verify the VTP domain information by using the commands show vtp domain and show vtp statistics.

The show vtp domain command shows you the domain name, mode, and pruning information:

Terry_4000> (enable) show vtp domain
Domain Name       Domain Index  VTP Version Local Mode Password
----------------  ------ -----  --------------------------------
Globalnet    1      2          server
Vlan-count Max-vlan-storage    Config Revision Notifications
---------- ---------------- --------------- --------------------
5     1023       1             disabled
Last Updater  V2 Mode Pruning PruneEligible on Vlans
--------------- -------- -------- ------------------------------
 disabled disabled 2-1000
Terry_4000> (enable)

4000 Series

The show vtp statistics command shows a summary of VTP advertisement messages sent and received. It also shows configuration errors if detected:

Terry_4000> (enable) show vtp statistics
VTP statistics:
summary  advts received       0
subset   advts received       0
request  advts received       0
summary  advts transmitted    5
subset   advts transmitted    2
request  advts transmitted    0
No of config revision errors  0
No of config digest errors    0
VTP pruning statistics:
Trunk    Join Transmitted Join Received   Summary advts received from
                                          non-pruning-capable device
-------- ---------------- -------------   ---------------------------
 2/12    0                0               0
Terry_4000> (enable)

2950 and 3550 Series Switches

On the IOS-based switches, you have to use the show vtp counters command to achieve the same result:

Terry_2950#show vtp counters
VTP statistics:
Summary advertisements received     : 0
Subset advertisements received      : 0
Request advertisements received     : 0
Summary advertisements transmitted  : 0
Subset advertisements transmitted   : 0
Request advertisements transmitted  : 0
Number of config revision errors    : 0
Number of config digest errors      : 0
Number of V1 summary errors         : 0
VTP pruning statistics:
Trunk      Join Transmitted Join Received    Summary advts received from
                                             non-pruning-capable device
---------  -------------------------------   ---------------------------

Adding to a VTP Domain

You need to be careful when adding a new switch into an existing domain. If a switch is inserted into the domain and has incorrect VLAN information, the result could be a VTP database propagated throughout the internetwork with false information.

Before inserting a switch, make sure that you follow these three steps:

  1. Perform a clear config all to remove any existing VLAN configuration on a set-based switch. On the IOS-based switches, you must ensure that the new switch has no VTP configuration. If it has, you should erase the startup-config (after saving it to a TFTP server or as a text file).

  2. Power-cycle the switch to clear the VTP NVRAM.

  3. Configure the switch to perform the mode of VTP that it will participate in. Cisco’s rule of thumb is that you create several VTP servers in the domain, with all the other switches set to client mode.
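
One way to automate the check behind these three steps on a set-based switch, as an added example that is not from the book: it parses a show vtp domain capture and lists what still has to be fixed before the switch is cabled in. The capture, the function names, and the production values (domain Globalnet, revision 12, planned mode client) are constructed for illustration.

```python
"""Pre-insertion check for a set-based switch, from a 'show vtp domain' capture."""

MODES = {"server", "client", "transparent"}

# Constructed capture in the layout of the show vtp domain output: a lab switch
# whose configuration was cleared but whose revision number survived.
LAB_CAPTURE = """\
Domain Name       Domain Index  VTP Version Local Mode Password
----------------  ------------  ----------- ---------- --------
Globalnet         1             2           server     -
Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
5          1023             57              disabled
"""


def _values_under(lines, header_start):
    """Whitespace-split value row that sits two lines below a header row."""
    for i, line in enumerate(lines):
        if line.startswith(header_start) and i + 2 < len(lines):
            return lines[i + 2].split()
    raise ValueError(f"no {header_start!r} table in capture")


def parse_vtp_domain(text):
    lines = [ln for ln in text.splitlines() if ln.strip()]
    first = _values_under(lines, "Domain Name")
    second = _values_under(lines, "Vlan-count")
    # Tokens are [name, index, version, mode, ...]; with no domain name set the
    # name column is blank and the mode appears one position earlier.
    mode_at = next((i for i in range(2, len(first)) if first[i] in MODES), None)
    if mode_at is None or len(second) < 3:
        raise ValueError("unrecognised show vtp domain layout")
    return {
        "domain": first[0] if mode_at == 3 else "",
        "mode": first[mode_at],
        "vlan_count": int(second[0]),
        "revision": int(second[2]),
    }


def insertion_findings(capture, prod_domain, prod_revision, intended_mode):
    """Reasons not to cable this switch to a production trunk yet."""
    sw = parse_vtp_domain(capture)
    findings = []
    if sw["revision"] != 0:
        findings.append(f"revision {sw['revision']} not cleared: power-cycle the switch")
    if sw["domain"] == prod_domain and sw["revision"] > prod_revision:
        findings.append(
            f"revision {sw['revision']} beats production {prod_revision}: its "
            f"{sw['vlan_count']}-VLAN database would replace the domain's")
    if sw["mode"] != intended_mode:
        findings.append(f"mode is {sw['mode']}, planned mode is {intended_mode}")
    return findings


if __name__ == "__main__":
    for finding in insertion_findings(LAB_CAPTURE, "Globalnet", 12, "client"):
        print("BLOCK:", finding)
```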

VTP Pruning

To preserve bandwidth, you can configure the VTP to reduce the number of broadcasts, multicasts, and other unicast packets. This is called VTP pruning. VTP restricts broadcasts to only trunk links that must have the information. If a trunk link does not need the broadcasts, the information is not sent. VTP pruning is disabled by default on all switches.

Figure 3.8 shows that if a switch does not have any ports configured for VLAN 5 and a broadcast is sent throughout VLAN 5, the broadcast would not traverse the trunk link going to the switch without any VLAN 5 members.

Enabling pruning on a VTP server enables pruning for the entire domain, and by default, VLANs 2 through 1005 are eligible for pruning. VLAN 1 can never prune.

Figure 3.8: VTP pruning

Use the following command to set VLANs to be eligible for pruning:

Terry_4000> (enable) set vtp pruneeligible ?
Usage: set vtp [domain <name>] [mode <mode>] [passwd <passwd>] [pruning <enable|disable>] [v2 <enable|disable>
     (mode = client|server|transparent
     Use passwd '0' to clear vtp password)
Usage: set vtp pruneeligible <vlans>
     (vlans = 2..1000
     An example of vlans is 2-10,1000)
Terry_4000> (enable) set vtp pruneeligible 2
Vlans 2-1000 eligible for pruning on this device.
VTP domain Globalnet modified.

Notice once again that when you enable a VLAN for pruning, by default, it configures all the VLANs. Use the following command to clear the unwanted VLANs:

Terry_4000> (enable) clear vtp pruneeligible 3-1005
Vlans 1,3-1005 will not be pruned on this device.
VTP domain Globalnet modified.
Terry_4000> (enable)

To verify the pruned state of a trunk port, use the show trunk command.

To set pruning on the 2950 and 3550, head into VLAN database mode. The command vtp pruning enables the pruning process while the command switchport trunk pruning vlan remove vlan-id removes VLANs from the list of pruning-eligible VLANs:

Terry_2950#vlan database
Terry_2950(vlan)#vtp ?
  client      Set the device to client mode.
  domain      Set the name of the VTP administrative domain.
  password    Set the password for the VTP administrative domain.
  pruning     Set the administrative domain to permit pruning.
  server      Set the device to server mode.
  transparent Set the device to transparent mode.
  v2-mode     Set the administrative domain to V2 mode.
Terry_2950(vlan)#vtp pruning ?
  v2-mode     Set the administrative domain to V2 mode.
  <cr>
Terry_2950(vlan)#vtp pruning
Pruning switched ON
Terry_2950(vlan)#
Terry_2950#
Terry_2950#configure terminal
Terry_2950(config)#interface fa 0/10
Terry_2950(config-if)#switchport trunk pruning vlan remove 2-5,10

CCNP: Building Cisco Multilayer Switched Networks Study Guide (642-811)
ISBN: 078214294X
EAN: 2147483647
Year: 2002
Pages: 174
Authors: Terry Jack