Scenario 3-1: Configuring VLAN Trunking Protocol


In Chapter 2, Scenario 2-2, you were introduced to VLAN Trunking Protocol (VTP), which was required in order to allow the configuration and creation of VLANs on a single Cisco Catalyst switch. You learned how to implement a basic VTP configuration so that you could create VLANs. In this scenario, you learn how to configure VTP in much more depth, because it is important when you start interconnecting switches via trunks and want to centralize your VLAN configuration.

Figure 3-11 shows the topology that is used for this scenario and the next two scenarios (Scenarios 3-1 to 3-3):

Figure 3-11. Scenario 3-1, Scenario 3-2, and Scenario 3-3 Topology


In Figure 3-11, six VLANs exist in the network: VLANs 1 through 5 and VLAN 10. The VLANs are defined as follows:

  • VLAN 1: The default VLAN on Cisco Catalyst switches, which is used for a number of control communication protocols and cannot be disabled.

  • VLANs 2, 3, and 4: User VLANs that host the actual data devices that make up the network. Data exchanged on these VLANs is referred to as user data.

  • VLAN 5: Management VLAN used for managing network devices.

  • VLAN 10: The native VLAN used on the trunk between Switch-A and Switch-B. The native VLAN is used in 802.1Q trunks and defines the only VLAN whose traffic is sent untagged over the trunk.

NOTE

Many organizations commonly use VLAN 1 as the native VLAN and ensure user data is not present on this VLAN. This scenario uses VLAN 10 for the native VLAN to demonstrate how to change the native VLAN on trunks.


An 802.1Q trunk is to be configured between Switch-A and Switch-B for the purposes of extending each of these VLANs across both switches.

When configuring trunks, you normally configure VTP first, because that allows you to create all the appropriate VLANs required for the network. VTP also influences whether or not trunk interfaces operating in specific modes will form, so ensuring VTP configuration is in place first ensures trunks will form correctly.

Configuration Planning

With regards to VTP configuration, the following describes how the various VTP parameters need to be planned and how each parameter should be configured:

  • VTP domain name: The VTP domain name determines the administrative boundary, and all switches within the domain must be configured with an identical domain name. In this scenario, the VTP domain name is configured as LANPS on Switch-A and Switch-B.

  • VTP mode of operation: VLAN configuration is performed on VTP servers, which then propagate the VLAN configuration to VTP clients. If you do not want to implement VTP on your network (more on this later), you can configure a VTP mode of transparent or off. If you are implementing VTP, you need to plan which switches are to be VTP servers. The ideal choices for VTP servers are core/distribution switches, and you should always have at least one backup VTP server. In this scenario, Switch-A is configured as the VTP server and Switch-B as a VTP client, which means that all VLAN configuration is implemented on Switch-A, with VTP updating the VLAN database on Switch-B.

  • VTP version: All VTP switches must use the same version throughout (version 1 or 2). Version 2 adds some enhancements and is required for Token Ring VLAN support. For this scenario, VTP version 2 is used.

  • VTP password: If you wish to secure the network against spoofed VTP advertisements, you can configure a password on each VTP switch. This password must be identical throughout the domain. In this scenario, a VTP password of cisco is configured.

  • VTP pruning: You can automatically control which VLANs are transported over trunks by using VTP pruning. Pruning is recommended because it optimizes the network by eliminating unnecessary traffic propagation. In this scenario, VTP pruning is not configured; it is configured in Scenario 3-2 instead.

Scenario Prerequisites

To successfully commence the configuration tasks required to complete this scenario, Table 3-1 describes the prerequisite configurations required on each device in the scenario topology. Any configurations not listed can be assumed as being the default configuration.

Table 3-1. Scenario 3-1 Requirements

 Device     Required Configuration
            Parameter                 Value
 ---------  ------------------------  ---------
 Switch-A   Hostname                  Switch-A
            Enable/Telnet Password    cisco
 Switch-B   Hostname                  Switch-B
            Enable/Telnet Password    cisco

Configuration Tasks

When you first configure a switch that will be attaching to a VTP domain, do NOT connect the switch to the VTP domain until after the appropriate VTP configuration is in place. Waiting until after the configuration is in place ensures that the new switch does not accidentally overwrite the current VLAN database for the VTP domain with its own VLAN database.

Be aware that if a new switch is attached to an existing VTP domain and the new switch has the same VTP domain and has a VLAN database configuration revision that is higher than that which is currently present in the existing network, the existing VLAN database is overwritten with the VLAN database on the new switch, regardless of whether the switch is a VTP server or client. Yes, that's right; even if the switch is a VTP client, if it has the same VTP domain name and a higher VLAN database configuration revision number, the existing VLAN database is overwritten. If this happens, you will know about it quickly because the network usually comes to a grinding halt. This halt happens because any ports that belong to a VLAN that has been deleted by the new VLAN database introduced by the new switch are placed in an orphaned state, where they belong to no VLAN whatsoever and, thus, are not operational.

The safest method of configuring VTP for a new switch that is connecting to an existing VTP domain is to ensure it is disconnected from the network, configure the appropriate VTP domain name, ensure the VLAN database configuration revision number is lower than that of the current VTP domain, and then attach the switch to the network. Although this mechanism protects the VTP domain from accidental misconfiguration, it does not protect the VTP domain from intentional misconfiguration. Another mechanism that can be used to prevent against intentional misconfiguration is to implement VTP passwords on your domain to protect against rogue VTP servers intentionally erasing all or parts of your VLAN database.

NOTE

Out of the box, a new Cisco Catalyst switch has a VTP domain name set to NULL, but if you are redeploying old switches, the VTP domain might already be set. Be especially cautious with Cisco IOS switches because the VTP configuration is stored in the VLAN database file (VLAN.DAT), which is separate from the switch configuration file. When you erase the switch configuration file, the VTP and VLAN configuration, including VTP password configuration, is NOT erased, meaning just using VTP passwords to protect against the accidental deletion of VLANs might not be sufficient.


To configure VTP, you must perform the following tasks:

  • Configure VTP servers

  • Configure VTP clients

  • Verify VTP operation

Configuring VTP Servers

VTP servers are the most important component of the VTP domain because they have full access to the VLAN database and are responsible for propagating VLAN database information to VTP clients. The following describes how you configure a VTP server:

  • Configure a VTP domain

  • Configure VTP server mode

  • Configure VTP parameters such as VTP version, password, and pruning

In Figure 3-11, Switch-A is the VTP server and is Cisco IOS-based. You can configure VTP parameters on Cisco IOS switches from the following configuration modes:

  • VLAN configuration mode: This is the original configuration mode for configuring the VLAN database and is supported on all Cisco IOS Catalyst switches.

  • Privileged EXEC mode: On newer Cisco IOS Catalyst switches, you can configure the VTP password, VTP version, and VTP pruning from privileged EXEC mode. Using this mechanism is not recommended because it has been superseded by VTP configuration via global configuration mode.

  • Global configuration mode: On newer Cisco IOS Catalyst switches, you can configure most or all VTP parameters from global configuration mode, depending on the IOS version (the latest IOS supports the configuration of all VTP parameters). If supported, this mode is the recommended method of configuring VTP.

Configuring VTP via VLAN Configuration Mode

All Cisco IOS Catalyst switches support configuring VTP via VLAN configuration mode. To enter VLAN configuration mode, you must issue the vlan database privileged EXEC command, which places you into VLAN configuration mode, as demonstrated on Switch-A in Example 3-1.

Example 3-1. Accessing VLAN Configuration Mode on Cisco IOS
 Switch-A# vlan database
 Switch-A(vlan)#

The (vlan) portion of the prompt indicates that you are currently in VLAN configuration mode.

Once you are in VLAN configuration mode, the vtp command is used to configure each of the various VTP parameters.

 Switch(vlan)# vtp {domain domain-name | password password | pruning | v2-mode |
   {server | client | transparent}}

Each of the keywords shown is self-explanatory, except for v2-mode, which enables VTP version 2. The following list describes the default VTP configuration on a Cisco IOS switch:

  • Domain name: No domain name is defined

  • Mode: Server mode

  • Password: No password is defined

  • Pruning: Disabled

  • Version: Version 1 is enabled

When configuring a VTP server, you should configure all of the VTP parameters listed. When configuring a VTP client, you need to configure all the parameters listed except for the VTP version because it is propagated from the VTP server.

Example 3-2 demonstrates configuring VTP on Switch-A for this scenario.

Example 3-2. Configuring VTP via VLAN Configuration Mode on Cisco IOS
 Switch-A# vlan database
 Switch-A(vlan)# vtp domain LANPS
 Changing VTP domain name from NULL to LANPS
 Switch-A(vlan)# vtp server
 Device mode already VTP SERVER.
 Switch-A(vlan)# vtp password cisco
 Setting device VLAN database password to cisco.
 Switch-A(vlan)# vtp v2-mode
 V2 mode enabled.
 Switch-A(vlan)# exit
 APPLY completed.
 Exiting....

Notice that you must exit VLAN configuration mode by issuing the exit command, which ensures the configuration changes made in VLAN configuration mode are written to the VLAN.DAT database file.

Once you have configured VTP, you should verify your configuration using the show vtp status command, as demonstrated in Example 3-3.

Example 3-3. Verifying VTP Configuration on Cisco IOS
 Switch-A# show vtp status
 VTP Version                     : 2
 Configuration Revision          : 1
 Maximum VLANs supported locally : 1005
 Number of existing VLANs        : 5
 VTP Operating Mode              : Server
 VTP Domain Name                 : LANPS
 VTP Pruning Mode                : Disabled
 VTP V2 Mode                     : Enabled
 VTP Traps Generation            : Disabled
 MD5 digest                      : 0xF8 0x79 0x2E 0x2D 0xF9 0xC1 0xCE 0x9E
 Configuration last modified by 0.0.0.0 at 3-1-93 00:27:49
 Local updater ID is 192.168.1.2 on interface Vl1     (lowest numbered VLAN interface found)

In Example 3-3, you can see that the configuration of Example 3-2 has been implemented, as indicated by the VTP Operating Mode, VTP Domain Name, and VTP V2 Mode lines. The MD5 digest line represents the current VTP configuration revision hashed with the configured password.

Configuring a VTP server that is connecting to an existing VTP domain should always be performed offline, with careful attention paid to the configuration revision numbers on the new VTP server and the existing VTP domain. Always ensure that the configuration revision number on the new VTP server is lower than the configuration revision number of the existing VTP domain so that when the new VTP server connects to the VTP domain, it accepts the VLAN database of the existing VTP domain instead of overwriting the existing VLAN database. You can use the show vtp status command on Cisco IOS (see Example 3-3) or the show vtp domain command on CatOS (see Example 3-6) to determine the current VLAN database revision number. If you find that the configuration revision number of the new VTP server is higher, you must reset the configuration revision number to zero. This reset is achieved by temporarily changing the VTP domain on the new VTP server to a temporary value and then changing the VTP domain name back to the appropriate value. Every time the VTP domain name is changed, the VLAN database configuration revision number is reset to zero.
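The overwrite risk described in the Configuration Tasks section and the reset procedure just described (change the domain name to drop the revision to zero, then change it back) can be modeled in a few lines of Python. The following is an added example, not code from the book or from Cisco: the VtpSwitch class, the connect() helper and the digest construction (a hash of domain, revision and password) are simplifying assumptions, and the redeployed "Switch-C" with its stale database is a constructed scenario. The model reproduces the three behaviors the text describes: a same-domain advertisement with a higher revision replaces the VLAN database on servers and clients alike, a password mismatch causes the advertisement to be ignored, and every domain-name change resets the revision to zero.

```python
"""Toy model of VTP VLAN-database propagation (added example, not the book's code).
The class, the digest construction and the join scenarios are assumptions."""
import hashlib
from dataclasses import dataclass, field


def vtp_digest(domain: str, revision: int, password: str) -> str:
    # Assumed stand-in for the "MD5 digest" line of show vtp status: the text
    # says it hashes the configuration revision with the configured password.
    return hashlib.md5(f"{domain}|{revision}|{password}".encode()).hexdigest()


@dataclass
class VtpSwitch:
    name: str
    mode: str = "server"            # server | client | transparent
    domain: str = "NULL"            # out-of-the-box value on a new switch
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    ports: dict = field(default_factory=dict)   # port -> VLAN id

    def set_domain(self, domain: str) -> None:
        # Every change of the domain name resets the configuration revision.
        if domain != self.domain:
            self.domain, self.revision = domain, 0

    def configure_vlan(self, vid: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError("VLAN changes are not permitted in client mode")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1      # one increment per VLAN modification

    def advertisement(self) -> dict:
        return {"domain": self.domain, "revision": self.revision,
                "digest": vtp_digest(self.domain, self.revision, self.password),
                "vlans": dict(self.vlans)}

    def receive(self, adv: dict) -> bool:
        """Apply an advertisement; True if the local VLAN database was replaced."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False
        if adv["digest"] != vtp_digest(adv["domain"], adv["revision"], self.password):
            return False            # wrong password: advertisement ignored
        if adv["revision"] <= self.revision:
            return False            # not newer than what is already held
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return True                 # note: server or client mode played no part

    def orphaned_ports(self) -> list:
        # Ports whose VLAN no longer exists in the database are non-operational.
        return sorted(p for p, v in self.ports.items() if v not in self.vlans)


def connect(new: VtpSwitch, existing: list) -> list:
    """Exchange advertisements when `new` joins; return names of switches overwritten."""
    adv = new.advertisement()
    overwritten = [sw.name for sw in existing if sw.receive(adv)]
    for sw in existing:
        new.receive(sw.advertisement())
    return overwritten


def build_domain():
    # The scenario's domain: Switch-A (server) defines the VLANs of Figure 3-11
    # and Switch-B (client) learns them. Switch-B's port assignments are constructed.
    a = VtpSwitch("Switch-A", "server", "LANPS", "cisco")
    for vid, name in [(2, "Sales"), (3, "Marketing"), (4, "Engineering"),
                      (5, "Management"), (10, "Native")]:
        a.configure_vlan(vid, name)
    b = VtpSwitch("Switch-B", "client", "LANPS", "cisco", ports={"2/1": 2, "2/2": 3})
    b.receive(a.advertisement())
    return a, b


def redeployed_switch(password: str = "cisco") -> VtpSwitch:
    # Constructed: a recycled switch whose VLAN.DAT still carries the domain name,
    # a stale VLAN database and a revision (12) higher than the live domain's (5).
    return VtpSwitch("Switch-C", "client", "LANPS", password, revision=12,
                     vlans={1: "default", 20: "OldLab"})


def unsafe_join():
    a, b = build_domain()
    overwritten = connect(redeployed_switch(), [a, b])
    return overwritten, b.orphaned_ports()


def safe_join():
    a, b = build_domain()
    c = redeployed_switch()
    c.set_domain("TEMP")            # revision -> 0
    c.set_domain("LANPS")           # still 0, now lower than the domain's
    overwritten = connect(c, [a, b])
    return overwritten, sorted(c.vlans)


def wrong_password_join():
    a, b = build_domain()
    return connect(redeployed_switch(password="guess"), [a, b])


if __name__ == "__main__":
    print("unsafe:", unsafe_join())
    print("safe:", safe_join())
    print("wrong password:", wrong_password_join())
```

In the unsafe join, the client Switch-C overwrites both Switch-A and Switch-B even though it is a client, and Switch-B's ports in VLANs 2 and 3 are orphaned; in the safe join, nothing is overwritten and Switch-C learns the domain's VLANs; with a mismatched password, the advertisement is rejected outright.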

Configuring VTP via Global Configuration Mode

NOTE

Although you can use privileged EXEC mode to configure some VTP parameters, using this mode is not recommended. Hence, no coverage is provided for using privileged EXEC mode configuration.


Newer Cisco IOS Catalyst switches support configuring VTP via global configuration mode. The vtp global configuration command is used to configure VTP, with most of the command syntax identical to the vtp VLAN configuration command. Example 3-4 demonstrates configuring VTP via global configuration mode on Switch-A.

Example 3-4. Configuring VTP via Global Configuration Mode on Switch-A
 Switch-A# configure terminal
 Switch-A(config)# vtp domain LANPS
 Domain name already set to LANPS.
 Switch-A(config)# vtp mode server
 Device mode already VTP SERVER.
 Switch-A(config)# vtp password cisco
 Password already set to cisco.
 Switch-A(config)# vtp version 2
 VTP mode already in V2.

Comparing Example 3-2 with Example 3-4, you can see that some of the VLAN configuration mode commands vary slightly from the global configuration commands (for example, vtp server versus vtp mode server, and vtp v2-mode versus vtp version 2).

TIP

Although global configuration mode is used to configure VTP in Example 3-4, the configuration is stored only in the switch configuration file if the VTP mode is set to transparent. Regardless of how VTP is configured, all VTP parameters are stored in the VLAN database. In the case of VTP transparent operation, when a switch boots up, it reads the VTP configuration parameters from the switch configuration file and overwrites the VTP configuration in the VLAN database. If the VTP mode is server or client, the switch configuration file will not include the VTP commands. Instead, the VLAN database is used to read the VTP configuration.


Configuring VTP Clients

Once the VTP servers for the network are in place, you can configure VTP clients. In Figure 3-11, Switch-B is the VTP client and is a CatOS switch, so it requires CatOS configuration of VTP. For this reason, this section demonstrates configuration of CatOS for VTP. However, be aware that on Cisco IOS, configuring VTP clients follows the same concepts as configuring VTP servers on Cisco IOS.

To configure VTP parameters on a CatOS switch, use the set vtp command:

 Console> (enable) set vtp [domain domain-name] [mode {client | server | transparent | off}]
   [passwd password] [pruning {enable | disable}] [v2 {enable | disable}]

Notice that CatOS supports the additional VTP mode of off, unlike Cisco IOS, which does not support this mode.

NOTE

The VTP off mode is supported from CatOS 7.x.


When configuring a VTP client, if the switch is to be connected to an existing VTP domain, ensure that VTP configuration is performed offline before the switch is connected to the network. This safeguard is to ensure that the VLAN database of the existing VTP domain is not overwritten accidentally by the VTP client (same concept as for VTP servers).

When configuring a VTP client, you must ensure that you configure VTP version and pruning parameters in VTP server or transparent mode, because CatOS (and Cisco IOS) does not allow you to modify these parameters in VTP client mode. Once these parameters have been defined, you can then enable VTP client mode. You can configure the VTP password and VTP domain name at any time, regardless of the VTP mode.

NOTE

VTP clients can automatically learn the appropriate VTP version and VTP pruning settings from VTP servers, meaning you don't necessarily need to explicitly configure these settings on VTP clients.


Example 3-5 demonstrates configuring Switch-B as a VTP client.

Example 3-5. Configuring VTP Client Operation on Switch-B
 Switch-B> (enable) set vtp v2 enable
 This command will enable the version 2 function in the entire management domain.
 All devices in the management domain should be version2-capable before enabling.
 Do you want to continue (y/n) [n]? y
 VTP domain modified
 Switch-B> (enable) set vtp mode client
 VTP domain  modified
 Switch-B> (enable) set vtp passwd cisco
 Generating MD5 secret for the password ....
 Switch-B> (enable) set vtp domain LANPS
 VTP domain LANPS modified

To verify VTP configuration on CatOS, use the show vtp domain command, as demonstrated in Example 3-6 on Switch-B.

Example 3-6. Verifying VTP Configuration on Switch-B
 Switch-B> (enable) show vtp domain
 Domain Name                      Domain Index VTP Version Local Mode  Password
 -------------------------------- ------------ ----------- ----------- ----------
 LANPS                            1            2           server      configured

 Vlan-count Max-vlan-storage Config Revision Notifications
 ---------- ---------------- --------------- -------------
 5          1023             1               disabled

 Last Updater    V2 Mode  Pruning  PruneEligible on Vlans
 --------------- -------- -------- -------------------------
 0.0.0.0         enabled  disabled 2-1000

In Example 3-6, the first row of output (domain name LANPS, VTP version 2, and a configured password) verifies the parameters configured in Example 3-5.

Verifying VTP Operation

Once you have implemented VTP on each switch in the network, assuming all switches are connected via trunks, you should be able to modify the VLAN database on your VTP server(s) and verify that the modifications are propagated to all VTP clients.

NOTE

VTP advertisements are sent only over trunk ports and are not sent over access ports (ports that belong only to a single VLAN).


In the topology of Figure 3-11, when you connect Switch-A and Switch-B, the connection between the switches will by default form a trunk automatically, because the DTP mode of a Cisco IOS switch is dynamic desirable by default and the DTP mode of a CatOS switch is auto by default. This means that even without configuring trunks on either Switch-A or Switch-B, both switches should be able to communicate via VTP.

NOTE

If you are connecting two CatOS switches, a trunk will not form automatically, because both sides are set to auto by default. If you are connecting two Cisco IOS switches, a trunk will form automatically, because both sides are set to dynamic desirable by default.


Based upon this default behavior, you can now see how each of the VLANs in Figure 3-11 can be created on Switch-A (the VTP server) and then propagated to Switch-B via VTP. Example 3-7 shows the creation of VLANs 2, 3, 4, 5, and 10 on Switch-A:

Example 3-7. Creating VLANs on Switch-A (VTP Server)
 Switch-A# configure terminal
 Switch-A(config)# vlan 2
 Switch-A(config-vlan)# name Sales
 Switch-A(config-vlan)# exit
 Switch-A(config)# vlan 3
 Switch-A(config-vlan)# name Marketing
 Switch-A(config-vlan)# exit
 Switch-A(config)# vlan 4
 Switch-A(config-vlan)# name Engineering
 Switch-A(config-vlan)# exit
 Switch-A(config)# vlan 5
 Switch-A(config-vlan)# name Management
 Switch-A(config-vlan)# exit
 Switch-A(config)# vlan 10
 Switch-A(config-vlan)# name Native
 Switch-A(config-vlan)# exit

After the creation of the VLANs in Example 3-7, Switch-A should increment the VTP configuration revision number by 5 (one for each VLAN modification) and send VTP advertisements containing the VLAN modifications to Switch-B. Example 3-8 shows the output of the show vlan command on Switch-B after the configuration of Example 3-7 is implemented.

Example 3-8. Verifying the VLAN Database is Synchronized with the VTP Server on Switch-B
 Switch-B> (enable) show vlan
 VLAN Name                             Status    IfIndex Mod/Ports, Vlans
 ---- -------------------------------- --------- ------- ------------------------
 1    default                          active    72      1/1-2,2/1-48
 2    Sales                            active    77
 3    Marketing                        active    78
 4    Engineering                      active    79
 5    Management                       active    80
 10   Native                           active    81
 1002 fddi-default                     active    73
 1003 trcrf-default                    active    76
 1004 fddinet-default                  active    74
 1005 trbrf-default                    active    75      1003
 ... <Output truncated> ...

Notice in Example 3-8 that VLAN 2 (Sales), VLAN 3 (Marketing), VLAN 4 (Engineering), VLAN 5 (Management), and VLAN 10 (Native) are present in the VLAN database. Example 3-9 shows the output of the show vtp domain command on Switch-B after the configuration of Example 3-7 is implemented.

Example 3-9. Viewing VTP Domain Information on Switch-B
 Switch-B> (enable) show vtp domain
 Domain Name                      Domain Index VTP Version Local Mode  Password
 -------------------------------- ------------ ----------- ----------- ----------
 LANPS                            1            2           client      configured

 Vlan-count Max-vlan-storage Config Revision Notifications
 ---------- ---------------- --------------- -------------
 10         1023             6               disabled

 Last Updater    V2 Mode  Pruning  PruneEligible on Vlans
 --------------- -------- -------- -------------------------
 192.168.1.2     enabled  disabled 2-1000

If you compare Example 3-6 (VTP domain information prior to configuration of VLANs) and Example 3-9 (VTP domain information after the configuration of VLANs), you might notice in Example 3-9 that the Config Revision field indicates that the revision number of the VLAN database is now 6, compared with 1 in Example 3-6. This change represents the five VLAN configuration changes that were made on Switch-A in Example 3-7. You can also see that the VLAN count has increased from 5 to 10, indicating new VLANs are present in the VLAN database.
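The comparison just made by eye (revision and VLAN count on the server against the client, and the expected increment of one per VLAN change) is easy to script, which is useful when you must verify many clients. The following is an added example, not code from the book or from Cisco. It parses the two output formats reproduced in the text (the IOS show vtp status of Example 3-3 and the CatOS show vtp domain of Example 3-9) into a common dictionary and reports any parameter on which a client disagrees with its server. The "after" Switch-A output is constructed by editing the revision and VLAN count of Example 3-3, and the function names are assumptions.

```python
"""Parse IOS 'show vtp status' and CatOS 'show vtp domain' output and check that a
client's VLAN database tracks its server (added example, not the book's code)."""
import re

# Example 3-3 output from Switch-A (IOS), before the VLANs were created.
SHOW_VTP_STATUS_A_BEFORE = """\
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : LANPS
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xF8 0x79 0x2E 0x2D 0xF9 0xC1 0xCE 0x9E
Configuration last modified by 0.0.0.0 at 3-1-93 00:27:49
Local updater ID is 192.168.1.2 on interface Vl1     (lowest numbered VLAN interface found)
"""

# Constructed: Switch-A after the five VLAN additions of Example 3-7
# (only the revision and the VLAN count are changed; the digest is left as-is).
SHOW_VTP_STATUS_A_AFTER = re.sub(r"(Number of existing VLANs\s*:) 5", r"\1 10",
                                 re.sub(r"(Configuration Revision\s*:) 1", r"\1 6",
                                        SHOW_VTP_STATUS_A_BEFORE))

# Example 3-9 output from Switch-B (CatOS), after the VLANs propagated.
SHOW_VTP_DOMAIN_B_AFTER = """\
Domain Name                      Domain Index VTP Version Local Mode  Password
-------------------------------- ------------ ----------- ----------- ----------
LANPS                            1            2           client      configured

Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
10         1023             6               disabled

Last Updater    V2 Mode  Pruning  PruneEligible on Vlans
--------------- -------- -------- -------------------------
192.168.1.2     enabled  disabled 2-1000
"""


def parse_ios_vtp_status(text: str) -> dict:
    """Normalise IOS 'show vtp status' ("Key : value" rows) into a common dict."""
    f = {}
    for line in text.splitlines():
        if " : " in line:
            k, v = line.split(":", 1)
            f[k.strip()] = v.strip()
    return {
        "domain": f["VTP Domain Name"],
        "revision": int(f["Configuration Revision"]),
        "vlan_count": int(f["Number of existing VLANs"]),
        "mode": f["VTP Operating Mode"].lower(),
        "v2_mode": f["VTP V2 Mode"].lower() == "enabled",
        "pruning": f["VTP Pruning Mode"].lower() == "enabled",
    }


def parse_catos_vtp_domain(text: str) -> dict:
    """Normalise CatOS 'show vtp domain': each dashed separator line sits between
    a header line and a value line, and the runs of dashes give the column spans."""
    lines = text.splitlines()
    f = {}
    for i, line in enumerate(lines):
        if not line.startswith("---"):
            continue
        header, values = lines[i - 1], lines[i + 1].split()
        cols = [header[m.start():m.end()].strip() for m in re.finditer(r"-+", line)]
        f.update(zip(cols, values))     # values in this output carry no embedded spaces
    return {
        "domain": f["Domain Name"],
        "revision": int(f["Config Revision"]),
        "vlan_count": int(f["Vlan-count"]),
        "mode": f["Local Mode"].lower(),
        "v2_mode": f["V2 Mode"].lower() == "enabled",
        "pruning": f["Pruning"].lower() == "enabled",
        "password_set": f["Password"] == "configured",
    }


def check_sync(server: dict, client: dict) -> list:
    """Return the parameters on which a client disagrees with its VTP server."""
    problems = [f"{k}: server={server[k]} client={client[k]}"
                for k in ("domain", "revision", "vlan_count", "v2_mode", "pruning")
                if server[k] != client[k]]
    if client.get("password_set") is False:
        problems.append("client has no VTP password configured")
    return problems


def expected_revision(before: int, vlan_changes: int) -> int:
    # Each VLAN modification on the server increments the revision by one.
    return before + vlan_changes


if __name__ == "__main__":
    client = parse_catos_vtp_domain(SHOW_VTP_DOMAIN_B_AFTER)
    print("stale server snapshot:", check_sync(parse_ios_vtp_status(SHOW_VTP_STATUS_A_BEFORE), client))
    print("current server snapshot:", check_sync(parse_ios_vtp_status(SHOW_VTP_STATUS_A_AFTER), client))
    print("expected revision after 5 changes:", expected_revision(1, 5))
```

Run against the pre-VLAN snapshot of Switch-A, the check flags the revision (1 versus 6) and VLAN count (5 versus 10) mismatches; against the post-VLAN snapshot it reports nothing, and expected_revision(1, 5) gives the 6 seen in Example 3-9.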

VTP Recommendations

Although VTP has many positive benefits on the surface, many organizations do not implement VTP. As with making any decision about a feature, arguments exist both for and against implementing the feature. The following lists reasons why VTP should be implemented:

  • VLAN administrative overhead is reduced because the VLAN database is configured and managed from a central location and distributed automatically to all switches in the VTP domain.

  • VTP ensures VLAN databases on each switch are identical.

  • VTP pruning enables the dynamic clearing of allowed VLANs on a trunk, increasing network efficiency.

The following lists reasons why many organizations do not implement VTP:

  • The ability of VTP to distribute VLAN database information throughout the network means any configuration errors affect the entire network. For example, if a VLAN is accidentally deleted on a VTP server, the change is immediately propagated to all VTP clients, which causes loss of network connectivity for all devices attached to the deleted VLAN. Without VTP, the configuration error has local significance only.

  • The risk of a VTP server or VTP client being added to the network with a higher revision number and overwriting the VLAN database is eliminated.

  • If VTP passwords are not configured, the network is vulnerable to denial-of-service (DoS) attacks, where an attacker injects spoofed VTP messages that delete VLANs, causing network outages.

  • Not having VTP requires the manual pruning of trunks, which has benefits over VTP pruning. With VTP pruning, even if trunks are cleared for VLANs, spanning tree still operates over the pruned VLANs. Spanning tree must operate throughout the entire network because pruned VLANs may need to be added back to trunks dynamically. With manual pruning, the spanning-tree topology for pruned VLANs stops where pruning is implemented, reducing spanning-tree diameter and eliminating the need for spanning-tree instances to be maintained on all switches for pruned VLANs.

As a general recommendation, it is best not to implement VTP on an ongoing basis, for the reasons just listed. If you are configuring a new network that has a large number of switches, you can use VTP for a temporary period as a convenient method to distribute the VLAN configuration to each switch. Once the VLAN configuration is in place, disable VTP by configuring VTP transparent mode on each switch. If you need to make VLAN configuration changes in the future and are worried about the administrative overhead of doing so without VTP, LAN management platforms such as CiscoWorks 2000 enable you to distribute VLAN configuration changes via alternative mechanisms (i.e., SNMP or Telnet) in an automated fashion. If you must implement VTP, always configure a VTP password and always preconfigure VTP before adding new switches to the network.




Source: Justin Menga, CCNP Practical Studies: Switching (CCNP Self-Study), 2002, ISBN 1587200600.
