Monday, May 19, 2014

CCNP SWITCH: 2. VLAN Trunking Protocol (VTP)

The VLAN Trunking Protocol (VTP) uses Layer 2 trunk frames to communicate VLAN information among a group of switches. VTP manages the addition, deletion, and renaming of VLANs across the network from a central point of control.

VTP is organized into management domains, or areas with common VLAN requirements.
A switch can belong to only one VTP domain. Switches in different VTP domains do not share VTP information.
When a VLAN is added to a switch in a management domain, other switches are notified of the new VLAN through VTP advertisements.

The VTP mode determines how the switch processes and advertises VTP information:

- Server mode - VTP servers have full control over VLAN creation and modification for their domains. Each VTP domain must have at least one server so that VLANs can be created, modified, or deleted, and VLAN information can be propagated. By default, a switch is in VTP server mode.

- Client mode - VTP clients do not allow the administrator to create, change, or delete any VLANs. They listen to VTP advertisements from other switches and modify their VLAN configurations. Received VTP information is forwarded out trunk links to neighboring switches in the domain, so the switch also acts as a VTP relay.

- Transparent mode - VTP transparent switches do not participate in VTP. While in transparent mode, a switch does not advertise its own VLAN configuration and a switch does not synchronize its VLAN database with received advertisements. In VTP version 2, transparent switches do forward received VTP advertisements out of their trunk ports, acting as VTP relays.

Note: While a switch is in VTP transparent mode, it can create and delete VLANs that are local only to itself. These VLAN changes, however, are not propagated to any other switch.

VTP switches use an index called the VTP configuration revision number to keep track of the most recent information. Every switch in a VTP domain stores the configuration revision number that it last heard from a VTP advertisement.
The VTP advertisement process always starts with configuration revision number 0 (zero).

Note: By default, management domains are set to use nonsecure advertisements without a password. You can add a password to set the domain to secure mode.

Recommendation: A newly added server switch carrying a higher configuration revision number might inadvertently cause every other working switch to flush all records of every VLAN in production.
The VLANs would be deleted from the VTP database and from the switches, causing any switch port assigned to them to become inactive.
This is referred to as a VTP synchronization problem. For critical portions of your network, consider using VTP transparent mode so that the synchronization problem can never become an issue.

VTP Configuration

Note: By default, every switch operates in VTP server mode for the management domain NULL (a blank string), with no password or secure mode.

Let's use switches AS1, DS1 and DS2 to configure VTP. First we configure trunking between the three switches, starting with the default VLANs on each switch.

AS1-DS1 trunk:

AS1(config)#interface fastEthernet 1/2
AS1(config-if)#switchport
AS1(config-if)#switchport trunk allowed vlan all
(optional, default is all)
AS1(config-if)#switchport trunk encapsulation dot1q
AS1(config-if)#switchport trunk native vlan 1
(optional, default is 1)
AS1(config-if)#switchport mode trunk

DS1(config)#interface fastEthernet 1/2
DS1(config-if)#switchport trunk allowed vlan all
DS1(config-if)#switchport trunk encapsulation dot1q
DS1(config-if)#switchport trunk native vlan 1
DS1(config-if)#switchport mode trunk

DS1-DS2 trunk:

DS1(config)#interface fastEthernet 1/1
DS1(config-if)#switchport
DS1(config-if)#switchport trunk allowed vlan all
DS1(config-if)#switchport trunk encapsulation dot1q
DS1(config-if)#switchport trunk native vlan 1
DS1(config-if)#switchport mode trunk

DS2(config)#interface fastEthernet 1/1
DS2(config-if)#switchport
DS2(config-if)#switchport trunk allowed vlan all
DS2(config-if)#switchport trunk encapsulation dot1q
DS2(config-if)#switchport trunk native vlan 1
DS2(config-if)#switchport mode trunk


AS1-DS2 trunk:

AS1(config)#interface fastEthernet 1/4
AS1(config-if)#switchport
AS1(config-if)#switchport trunk encapsulation dot1q
AS1(config-if)#switchport mode trunk

DS2(config)#interface fastEthernet 1/4
DS2(config-if)#switchport
DS2(config-if)#switchport trunk encapsulation dot1q
DS2(config-if)#switchport mode trunk


Furthermore, we will disable all FastEthernet interfaces other than the ones used for trunking on all three switches:

AS1(config)#interface range fastEthernet 1/0 - 15
AS1(config-if-range)#shutdown
AS1(config)#interface fastEthernet 1/2
AS1(config-if)#no shutdown
AS1(config)#interface fastEthernet 1/4
AS1(config-if)#no shutdown

DS1(config)#interface range fastEthernet 1/0 - 15
DS1(config-if-range)#shut
DS1(config)#int fastEthernet 1/1
DS1(config-if)#no shutdown
DS1(config)#int fastEthernet 1/2
DS1(config-if)#no shutdown

DS2(config)#interface range fastEthernet 1/0 - 15
DS2(config-if-range)#shutdown
DS2(config)#interface fastEthernet 1/1
DS2(config-if)#no shutdown
DS2(config)#interface fastEthernet 1/4
DS2(config-if)#no shutdown


As a result of the above configuration and of STP operation (which put DS1's Fa1/1 into the Blocking state), the trunk links have formed:

DS1#show spanning-tree blockedports

Name                 Blocked Interfaces List
-------------------- ------------------------------------
VLAN1                Fa1/1

Number of blocked ports (segments) in the system : 1

AS1#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa1/2     on           802.1q         trunking      1
Fa1/4     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa1/2     1-1005
Fa1/4     1-1005

Port      Vlans allowed and active in management domain
Fa1/2     1
Fa1/4     1

Port      Vlans in spanning tree forwarding state and not pruned
Fa1/2     1
Fa1/4     1

DS1#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa1/1     on           802.1q         trunking      1
Fa1/2     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa1/1     1-1005
Fa1/2     1-1005

Port      Vlans allowed and active in management domain
Fa1/1     1
Fa1/2     1

Port      Vlans in spanning tree forwarding state and not pruned
Fa1/1     none
Fa1/2     1

DS2#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa1/1     on           802.1q         trunking      1
Fa1/4     on           802.1q         trunking      1

Port      Vlans allowed on trunk
Fa1/1     1-1005
Fa1/4     1-1005

Port      Vlans allowed and active in management domain
Fa1/1     1
Fa1/4     1

Port      Vlans in spanning tree forwarding state and not pruned
Fa1/1     1
Fa1/4     1

Notice that DS1 shows "Fa1/1 none" in the "Vlans in spanning tree forwarding state and not pruned" section, due to the STP Blocking (not Forwarding) state of that interface.

Now let's check default VTP settings on the switches:

DS1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 256
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xBF 0x86 0x94 0x45 0xFC 0xDF 0xB5 0x70
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Since no VLAN changes have been made on the switch, the configuration revision value is 0.
The default VTP mode is Server and the VTP domain name is NULL (blank).

Note: To reset the VLAN Trunking Protocol (VTP) information before a switch is added to an existing VTP domain, the best option is to change its VTP mode to transparent.
To do this, issue the vtp mode transparent command.

Now let's make AS1 a VTP transparent switch, DS1 a VTP server and DS2 a VTP client.
We will configure the VTP mode, domain and password on every switch.
VTP version is 2 by default.
The configuration will be made from vlan database mode, where the VTP mode syntax is slightly different from the usual global configuration form: Switch(config)# vtp mode {server | client | transparent}

AS1#vlan database
AS1(vlan)#vtp transparent

Setting device to VTP TRANSPARENT mode.
AS1(vlan)#vtp domain CCNPSW
Changing VTP domain name from NULL to CCNPSW
AS1(vlan)#vtp password CISCO
Setting device VLAN database password to CISCO.
AS1(vlan)#exit
APPLY completed.
Exiting....


DS1#vlan database
DS1(vlan)#vtp server
Device mode already VTP SERVER.
DS1(vlan)#vtp domain CCNPSW
Changing VTP domain name from NULL to CCNPSW
DS1(vlan)#vtp password CISCO
Setting device VLAN database password to CISCO.
DS1(vlan)#exit
APPLY completed.
Exiting....

DS2#vlan database
DS2(vlan)#vtp client
Setting device to VTP CLIENT mode.
DS2(vlan)#vtp domain CCNPSW
Domain name already set to CCNPSW .
DS2(vlan)#vtp password CISCO
Setting device VLAN database password to CISCO.
DS2(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....

AS1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 256
Number of existing VLANs        : 5
VTP Operating Mode              : Transparent
VTP Domain Name                 : CCNPSW
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x60 0x6C 0x75 0x11 0x11 0x53 0xBD 0x94
Configuration last modified by 0.0.0.0 at 3-1-02 00:03:14

DS1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 256
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CCNPSW
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x60 0x6C 0x75 0x11 0x11 0x53 0xBD 0x94
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

DS2#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 256
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : CCNPSW
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x60 0x6C 0x75 0x11 0x11 0x53 0xBD 0x94
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

If we try adding a VLAN on DS2 which is a VTP Client:

DS2#vlan database
DS2(vlan)#vlan 2

VLAN 2 added:
    Name: VLAN0002
DS2(vlan)#exit
In CLIENT state, no apply attempted.
Exiting....

If we try adding a VLAN on AS1, which is in VTP transparent mode, the VLAN will be added locally but not advertised to the other switches.

Let's add some VLANs on the VTP server DS1 and see whether they are advertised to the other switches (AS1 should ignore the updates and keep its revision at 0; DS2 should accept the updates relayed by AS1 and increment its revision number to reflect the number of changes applied on the server).

DS1#vlan database
DS1(vlan)#vlan 2 name vl2

VLAN 2 added:
    Name: vl2
DS1(vlan)#vlan 3 name vl3
VLAN 3 added:
    Name: vl3
DS1(vlan)#vlan 4 name vl4
VLAN 4 added:
    Name: vl4
DS1(vlan)#vlan 5 name vl5
VLAN 5 added:
    Name: vl5
DS1(vlan)#exit
APPLY completed.
Exiting....

DS1(vlan)#vlan 6 name vl6
VLAN 6 added:
    Name: vl6
DS1(vlan)#exit
APPLY completed.
Exiting....

DS1#vlan database  
DS1(vlan)#vlan 7 name vl7

VLAN 7 added:
    Name: vl7
DS1(vlan)#exit
APPLY completed.
Exiting....

Note: When adding VLANs with the usual IOS "vlan x" global configuration command, each change (an added, removed or renamed VLAN) increments the revision number.
When changing the VLAN configuration from vlan database mode, each exit/APPLY operation increments the revision number once, no matter how many VLANs were added, deleted or renamed in that single vlan database session.

So, by the above rule and the three APPLY operations performed, the revision number on DS1 and DS2 should be 3, while the revision number on AS1 should still be 0.

DS1#show vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 256
Number of existing VLANs        : 11
VTP Operating Mode              : Server
VTP Domain Name                 : CCNPSW
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x4E 0x5A 0x1C 0xF4 0x2B 0x22 0x09 0xDE
Configuration last modified by 0.0.0.0 at 3-1-02 00:49:31
Local updater ID is 0.0.0.0 (no valid interface found)

AS1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 256
Number of existing VLANs        : 5
VTP Operating Mode              : Transparent
VTP Domain Name                 : CCNPSW
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x60 0x6C 0x75 0x11 0x11 0x53 0xBD 0x94
Configuration last modified by 0.0.0.0 at 3-1-02 00:03:14

DS2#show vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 256
Number of existing VLANs        : 11
VTP Operating Mode              : Client
VTP Domain Name                 : CCNPSW
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x4E 0x5A 0x1C 0xF4 0x2B 0x22 0x09 0xDE
Configuration last modified by 0.0.0.0 at 3-1-02 00:49:31

Now, let's consider the last two lines of the show vtp status output on DS1 (and DS2):

Configuration last modified by 0.0.0.0 at 3-1-02 00:49:31
Local updater ID is 0.0.0.0 (no valid interface found)


To see specific values instead of 0.0.0.0, the switch needs an IP address configured on an SVI, so that it can identify itself as the updater by a valid IP address:
DS1(config)#int vlan 1
DS1(config-if)#ip address 1.1.1.1 255.255.255.0


We also need to make another VLAN configuration change, so that the updated updater identity appears in the VTP status on both DS1 and DS2:

DS1(vlan)#vlan 8 name vl8
VLAN 8 added:
    Name: vl8
DS1(vlan)#exit
APPLY completed.
Exiting....

DS1#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 256
Number of existing VLANs        : 12
VTP Operating Mode              : Server
VTP Domain Name                 : CCNPSW
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xCE 0xA1 0x50 0x78 0x6A 0xFC 0x88 0xB3
Configuration last modified by 1.1.1.1 at 3-1-02 00:56:33
Local updater ID is 1.1.1.1 on interface Vl1 (lowest numbered VLAN interface found)


DS2#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 256
Number of existing VLANs        : 12
VTP Operating Mode              : Client
VTP Domain Name                 : CCNPSW
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xCE 0xA1 0x50 0x78 0x6A 0xFC 0x88 0xB3
Configuration last modified by 1.1.1.1 at 3-1-02 00:56:33
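
To make the fields of that output concrete, here is an added Python example, not part of the original post or of any Cisco code, that encodes and decodes the VTP summary advertisement carrying the domain name, configuration revision, updater identity, timestamp and MD5 digest, and flags the revision-jump and unexpected-updater conditions behind the synchronization problem described earlier. The 72-byte field layout follows the documented summary advertisement format; the sample frame mirrors DS1's status above and the detection thresholds are constructed for illustration.

```python
import struct
from dataclasses import dataclass

VTP_SUMMARY = 0x01  # advertisement codes: 1 = summary, 2 = subset, 3 = request

@dataclass
class SummaryAdvert:
    domain: str
    revision: int    # configuration revision number
    updater: str     # "Configuration last modified by" address
    timestamp: str   # rendered in the show vtp status form M-D-YY HH:MM:SS
    md5: bytes

def build_summary(domain, revision, updater, ts, md5, version=1, followers=0):
    """Encode the 72-byte summary advertisement body that follows the SNAP header."""
    d = domain.encode("ascii")
    return (struct.pack("!BBBB", version, VTP_SUMMARY, followers, len(d))
            + d.ljust(32, b"\x00")                        # domain name, zero padded
            + struct.pack("!I", revision)
            + bytes(int(o) for o in updater.split("."))   # updater identity (IPv4)
            + ts.encode("ascii")                          # yymmddhhmmss
            + md5)                                        # 16-byte MD5 digest

def parse_summary(pkt: bytes) -> SummaryAdvert:
    """Decode a summary advertisement; raises on truncated or non-summary frames."""
    if len(pkt) < 72:
        raise ValueError("truncated VTP summary advertisement")
    _, code, _, dlen = struct.unpack_from("!BBBB", pkt, 0)
    if code != VTP_SUMMARY or dlen > 32:
        raise ValueError("not a well-formed summary advertisement")
    domain = pkt[4:4 + dlen].decode("ascii")
    revision, = struct.unpack_from("!I", pkt, 36)
    updater = ".".join(str(b) for b in pkt[40:44])
    yy, mm, dd, hh, mi, ss = (pkt[44 + i:46 + i].decode("ascii") for i in range(0, 12, 2))
    stamp = "%d-%d-%s %s:%s:%s" % (int(mm), int(dd), yy, hh, mi, ss)
    return SummaryAdvert(domain, revision, updater, stamp, pkt[56:72])

def assess(adv, expected_domain, last_revision, known_updaters):
    """Findings for one advertisement captured on a monitored trunk (for example via SPAN)."""
    if adv.domain != expected_domain:
        return ["advertisement for foreign domain %r" % adv.domain]
    findings = []
    if adv.revision < last_revision:
        findings.append("stale revision %d < %d (clients ignore it)" % (adv.revision, last_revision))
    elif adv.revision > last_revision + 1:
        # each APPLY raises the revision by one; a larger jump is the signature of a
        # newly attached switch whose higher revision overwrites the domain's VLANs
        findings.append("revision jump %d -> %d" % (last_revision, adv.revision))
    if adv.updater not in known_updaters:
        findings.append("unexpected updater identity %s" % adv.updater)
    return findings

# Constructed sample matching DS1's final show vtp status on this page; the digest uses the
# 8 bytes printed there padded with placeholder zeros, since the output shows only 8 of 16.
DS1_ADVERT = build_summary("CCNPSW", 4, "1.1.1.1", "020301005633",
                           bytes.fromhex("CEA150786AFC88B3") + b"\x00" * 8)
```

Feeding a capture of the trunk's VTP frames through parse_summary and assess with the known server addresses as known_updaters gives an early warning of the revision-overwrite scenario before clients act on it.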

Other verification commands:

DS2#show vtp counters
VTP statistics:
Summary advertisements received    : 23
Subset advertisements received     : 12
Request advertisements received    : 0
Summary advertisements transmitted : 18
Subset advertisements transmitted  : 10
Request advertisements transmitted : 2
Number of config revision errors   : 0
Number of config digest errors     : 2
Number of V1 summary errors        : 0


VTP pruning statistics:

Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Fa1/1               1                0                0       
Fa1/4               1                1                0       

VTP Pruning

When a switch floods a frame out all ports in a broadcast domain or VLAN, trunk ports are included if they carry that VLAN.
By default, a trunk link carries traffic for all VLANs, unless specific VLANs are removed from the trunk.

VTP pruning makes more efficient use of trunk bandwidth by reducing unnecessary flooded traffic.
Rule: Broadcast and unknown unicast frames on a VLAN are forwarded over a trunk link only if the switch on the receiving end of the trunk has ports in that VLAN.

Note: By default, VTP pruning is disabled on IOS-based switches.

Enabling VTP Pruning:
Switch(config)# vtp pruning

When pruning is enabled, all general-purpose VLANs become eligible for pruning on all trunk links, if needed.
However, you can modify the default list of pruning eligibility with the following interface-configuration command:

Switch(config)# interface type mod/num
Switch(config-if)# switchport trunk pruning vlan {{{add | except | remove} vlan-list} | none}


Note: VTP pruning has no effect on switches in the VTP transparent mode. Instead, those switches must be configured manually to “prune” VLANs from trunk links.

Note: By default, VLANs 2 to 1001 are eligible for pruning.

Note: VLANs 1 and 1002-1005 are never eligible for pruning.

Note: If you encounter the following error when modifying the vlan database, erasing the flash resolves the issue:

% not enough space on flash to store vlan database. trying squeeze...First create squeeze log by erasing the entire device

% error squeezing flash - (Missing or corrupted log)
Error on database apply 40: NV storage failure
Use 'abort' command to exit


AS1(vlan)#abort
Aborting....

AS1#erase flash:
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete

Note: Although we reload the switches whenever we want fresh default configurations, the VLAN and VTP information is still present afterwards.
The reason is that this VLAN and VTP information is kept in the VLAN.DAT file in flash memory, and the contents of flash survive a reload. The file has to be deleted manually.
More info at: http://www.mcmcse.com/cisco/guides/vlandat.shtml