
CCNP Switch - VLAN Trunking Protocol VTP

 - Two VTP versions are not interoperable (the same VTP version must be configured on every switch in a domain).
 - VTP version 1 is the default protocol on a switch.
 - VTP advertisements are sent only over trunks.
 - If a switch is configured as a VTP server without a VTP domain name, VLANs cannot be created.

*Mar  1 00:28:03.216: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa1/0/15 because of VTP domain mismatch.

In server and client switches, V1 and V2 are not interoperable.
 - In VTP transparent mode, V1 and V2 act exactly the same when forwarding VTP.
 - If a domain name is set, the domain name must match for the advertisement to be forwarded.
 - If the domain name is NULL, everything is forwarded.

Using the VLAN Trunking Protocol (VTP) makes VLAN administration more organized and manageable.
A similar standards-based VLAN-management protocol for IEEE 802.1Q trunks is called GARP VLAN Registration Protocol (GVRP).
At press time, GVRP was not supported in any of the Cisco IOS Software–based Catalyst switches. Therefore, it is not covered in this text or in the SWITCH course.

VTP Domains
VTP is organized into management domains, or areas with common VLAN requirements.
A switch can belong to only one VTP domain and shares VLAN information with the other switches in that domain. Switches in different VTP domains do not share VTP information.
Switches in a VTP domain advertise several attributes to their domain neighbors.

VTP Advertisement

Each advertisement contains information about
 - the VTP management domain,
 - VTP revision number,
 - known VLANs, and
 - specific VLAN parameters.

When a VLAN is added to a switch in a management domain, other switches are notified of the new VLAN through VTP advertisements.
In this way, all switches in a domain can prepare to receive traffic on their trunk ports using the new VLAN.

VTP Modes
To participate in a VTP management domain, each switch must be configured to operate in one of several modes.
The VTP mode determines how the switch processes and advertises VTP information.
■ Server mode
 - VTP servers have full control over VLAN creation and modification for their domains.
 - VTP domain names are case-sensitive.
 - A switch can be a member of only ONE domain.
 - A switch listens only to VTP advertisements from its own domain.
 - All VTP information is advertised to other switches in the domain, while all received VTP information is synchronized with the other switches.
 - By default, a switch is in VTP server mode. Note that each VTP domain must have at least one server so that VLANs can be created, modified, or deleted, and VLAN information can be propagated.
 - Catalyst switches in server mode store VTP information separately from the switch configuration in NVRAM.
 - VLAN and VTP data are saved in the vlan.dat file on the switch’s flash memory file system. All VTP information, including the VTP configuration revision number, is retained even when the switch power is off. In this manner, a switch can recover the last known VLAN configuration from its VTP database after it reboots.

■ Client mode
 - VTP clients do not allow the administrator to create, change, or delete any VLANs.
 - Instead, they listen to VTP advertisements from other switches and modify their VLAN configurations accordingly. In effect, this is a passive listening mode.
 - Received VTP information is forwarded out trunk links to neighboring switches in the domain, so the switch also acts as a VTP relay.
 - The switch stores the last known VTP information—including the configuration revision number. Don’t assume that a VTP client will start with a clean slate when it powers up.

■ Transparent mode
 - VTP transparent switches do not participate in VTP.
 - While in transparent mode, a switch does not advertise its own VLAN configuration.
 - A transparent switch always has a configuration revision number of 0.
 - From VTP version 2, transparent switches do forward received VTP advertisements out of their trunk ports, acting as VTP relays.

VTP Advertisements
By default, management domains are set to use nonsecure advertisements without a password.
You can add a password to set the domain to secure mode. The same password must be configured on every switch in the domain so that all switches exchanging VTP information use identical encryption methods.

VTP switches use an index called the VTP configuration revision number to keep track of the most recent information.
The VTP advertisement process always starts with configuration revision number 0 (zero).
When subsequent changes are made on a VTP server, the revision number is incremented before the advertisements are sent.
The VTP revision number is stored in NVRAM and is not altered by a power cycle of the switch.
Because of this, it is very important to always force any newly added network switches to have revision number 0 before being attached to the network. 
Otherwise, a switch might have stored a revision number that is greater than the value currently in use in the domain.

VTP synchronization problem
A new server switch might inadvertently cause every other working switch to flush all records of every VLAN in production.
For critical portions of your network, you should consider using transparent VTP mode to prevent the synchronization problem from ever becoming an issue.
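To make the synchronization problem concrete, here is an added Python model (not from the page or from Cisco) of the accept/ignore decision a switch makes for a summary advertisement: transparent mode, domain name, password digest and revision number, in that order. The switch names, the digest construction and the scenario are assumptions; it shows a reused switch attached at revision 50 wiping the server's and the client's VLANs, while the transparent switch is untouched and the same switch reset to revision 0 is simply ignored.

```python
import hashlib
from dataclasses import dataclass, field
NULL_DOMAIN = ""  # default management domain on a factory-fresh switch

def vtp_digest(domain, revision, vlans, password):
    # Constructed stand-in for the MD5 digest in a summary advertisement (the real one covers the VLAN database and password).
    data = f"{domain}|{revision}|{sorted(vlans.items())}|{password}".encode()
    return hashlib.md5(data).hexdigest()

@dataclass
class Switch:
    name: str
    mode: str = "server"        # server | client | transparent
    domain: str = NULL_DOMAIN
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid, vname):
        # Only a server with a domain name may change the database; each change bumps the revision.
        if self.mode != "server" or self.domain == NULL_DOMAIN:
            raise PermissionError(f"{self.name}: cannot create VLANs in this mode/domain")
        self.vlans[vid] = vname
        self.revision += 1

    def summary(self):
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans),
                "digest": vtp_digest(self.domain, self.revision, self.vlans, self.password)}

    def receive(self, adv):
        # Returns "synced" if the local database was overwritten, otherwise why the advertisement was ignored.
        if self.mode == "transparent":
            return "ignored: transparent mode relays but never syncs"
        if self.domain != NULL_DOMAIN and adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        if adv["digest"] != vtp_digest(adv["domain"], adv["revision"], adv["vlans"], self.password):
            return "ignored: digest mismatch (password differs)"
        if adv["revision"] <= self.revision:
            return "ignored: revision not higher than local"
        # A NULL-domain switch learns the domain here; everyone else replaces its VLAN database.
        self.domain, self.revision, self.vlans = adv["domain"], adv["revision"], dict(adv["vlans"])
        return "synced"

def sync_problem_demo(stale_revision):
    # Production: server SW1 at revision 2 with VLANs 10 and 20, client SW2, transparent SW3.
    sw1 = Switch("SW1", domain="LAB"); sw1.add_vlan(10, "users"); sw1.add_vlan(20, "voice")
    sw2 = Switch("SW2", mode="client", domain="LAB"); sw2.receive(sw1.summary())
    sw3 = Switch("SW3", mode="transparent", domain="LAB", vlans=dict(sw1.vlans))
    # Reused switch SW9 (only VLAN 1 in its database) is attached with the given stored revision.
    adv = Switch("SW9", domain="LAB", revision=stale_revision).summary()
    return {sw.name: (sw.receive(adv), sorted(sw.vlans)) for sw in (sw1, sw2, sw3)}
```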

VTP advertisements can occur in three forms:
1) Summary advertisements—VTP domain servers send summary advertisements every 300 seconds and every time a VLAN database change occurs.
The summary advertisement lists information about the management domain, including VTP version, domain name, configuration revision number, time stamp, MD5 encryption hash code, and the number of subset advertisements to follow. 
2) Subset advertisements—VTP domain servers send subset advertisements after a VLAN configuration change occurs (creating or deleting a VLAN, suspending or activating a VLAN, changing the name of a VLAN, and changing a VLAN’s maximum transmission unit (MTU)).
3) Advertisement requests from clients—A VTP client can request any VLAN information it lacks.
After a client advertisement request, the VTP domain servers respond with summary and subset advertisements to bring it up to date.

Difference between VTP versions
VTP version 1:
 - Supports normal-range VLAN numbers (1-1001)
 - Supports pruning of unused VLANs (broadcasts and unknown unicasts are no longer sent over the trunk for those VLANs)
 - Supports cleartext and MD5-digest passwords

VTP version 2:
 - Forwards VTP messages in transparent mode without checking the version number or domain
 - Supports Token Ring
 - Performs consistency checks on VTP/VLAN parameters entered from the CLI or SNMP
 - Passes on unrecognised TLVs (type-length-value fields)

VTP version 3:
 - Supports extended VLAN numbers (1-4095)
 - Transfers information about the private VLAN structure
 - Supports databases other than VLAN (for example, MST)
 - Protects against unintended database overrides when new switches are inserted
 - Hidden password protection


VTP Configuration
By default, every switch operates in VTP server mode for the management domain NULL (a blank string), with no password or secure mode.
You should get into the habit of double-checking the VTP configuration of any switch before you add it into your network.
If the switch hears a VTP summary advertisement on a trunk port from any other switch, it automatically learns the VTP domain name, VLANs, and the configuration revision number it hears.
Switch# show vtp counters
VTP statistics:
Summary advertisements received  : 1
Subset advertisements received : 2
Request advertisements received  : 1
Summary advertisements transmitted : 1630
Subset advertisements transmitted  : 0
Request advertisements transmitted : 4
Number of config revision errors : 0
Number of config digest errors  : 0
Number of V1 summary errors  : 0

Switch# show vtp status
VTP Version  : 2
Configuration Revision  : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs  : 5
VTP Operating Mode  : Server
VTP Domain Name :
VTP Pruning Mode  : Disabled
VTP V2 Mode  : Disabled
VTP Traps Generation  : Disabled
MD5 digest  : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Switch#
Note: Multiple VTP servers can coexist in a domain. This usually is recommended for redundancy. The servers do not elect a primary or secondary server; they all simply function as servers. If one server is configured with a new VLAN or VTP parameter, it advertises the changes to the rest of the domain. All other servers synchronize their VTP databases to this advertisement, just as any VTP client would.

Configuration
Switch(config)# vtp domain <domain-name>    <--- Configuring a VTP Management Domain
Switch(config)# vtp mode {server | client | transparent}
Switch(config)# vtp password <password>
The password is a string of 1 to 32 characters (case sensitive).
An MD5 digest (hash code) is computed from the password and sent in VTP advertisements.
Switch(config)# vtp version {1 | 2}

Catalyst switches are capable of running either VTP version 1 or VTP version 2.
Within a management domain, the two versions are not interoperable. Therefore, the same VTP version must be configured on every switch in a domain.
If a switch is capable of running VTP version 2, however, a switch can coexist with other version 1 switches, as long as its VTP version 2 is not enabled.
A third version of VTP addresses some of the traditional shortcomings. For example, VTP version 3 supports extended VLAN numbers (1 to 4095) that are compatible with the IEEE 802.1Q trunking standard. At the time of this writing, VTPv3 is available only on Cisco Catalyst platforms running the CatOS (non-IOS) operating system. Therefore, only VTP versions 1 and 2 are covered on the SWITCH exam and in this text.
VTP Pruning
By default, a trunk link transports traffic from all VLANs, unless specific VLANs are removed from the trunk.
VTP pruning makes more efficient use of trunk bandwidth by reducing unnecessary flooded traffic. Broadcast and unknown unicast frames on a VLAN are forwarded over a trunk link only if the switch on the receiving end of the trunk has ports in that VLAN.
Even when VTP pruning has determined that a VLAN is not needed on a trunk, an instance of STP will run for every VLAN that is allowed on the trunk link. To reduce the number of STP instances, you should manually prune unneeded VLANs from the trunk and allow only the needed ones.
 - VLAN 1, 1001-1005 are always pruning-ineligible.

Enabling VTP Pruning
By default, VTP pruning is disabled on IOS-based switches. 
Switch(config)# vtp pruning
Switch(config)# interface type mod/num
Switch(config-if)# switchport trunk pruning vlan {{{add | except | remove} vlan-list} | none}
  vlan-list - An explicit list of eligible VLAN numbers (anything from 2 to 1001), separated by commas or by dashes.
  none - No VLAN will be eligible for pruning
For historical reasons, VLAN 1 is never eligible for pruning.

Troubleshooting VTP
If a switch does not seem to be receiving updated information from a VTP server, consider these possible causes:
■ The switch is configured for VTP transparent mode (incoming VTP advertisements are not processed; they are only relayed to other switches in the domain).
■ If the switch is configured as a VTP client, there might not be another switch functioning as a VTP server. In this case, configure the local switch to become a VTP server itself.
■ The link toward the VTP server is not in trunking mode. VTP advertisements are sent only over trunks. Use the show interface type mod/num switchport command to verify that the operational mode is trunk.
■ Make sure the VTP domain name is configured correctly to match that of the VTP server.
■ Make sure the VTP version is compatible with other switches in the VTP domain.
■ Make sure the VTP password matches others in the VTP domain. If the server doesn’t use a password, make sure the password is disabled or cleared on the local switch.
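As an added example (not from the page or from Cisco) for both the pre-insertion check recommended under VTP Configuration and the troubleshooting list above, this Python checker parses constructed show vtp status and show vtp counters text modelled on the page's listings, flags the default-unsafe state of a new switch (server mode, NULL domain name, nonzero revision) and reports domain-name, version and password-digest mismatches against the server; the hostnames and values are assumptions.

```python
import re
# Constructed sample output (assumed values), modelled on the page's show vtp listings.
SERVER_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 41
VTP Operating Mode              : Server
VTP Domain Name                 : SW12
MD5 digest                      : 0x65 0x26 0x8A 0x78 0xEA 0xCD 0x0D 0xFA
"""
NEW_SWITCH_STATUS = """\
VTP Version                     : 1
Configuration Revision          : 50
VTP Operating Mode              : Server
VTP Domain Name                 :
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
"""
CLIENT_COUNTERS = """\
Number of config revision errors   : 0
Number of config digest errors     : 4
"""

def parse_vtp(text):
    # "key : value" lines become a dict; a blank value is the NULL (empty) domain name.
    pat = re.compile(r"^(\S.*?)\s+:\s*(.*?)\s*$")
    matches = (pat.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def pre_insertion_check(status):
    # Run on a switch BEFORE it is attached to a production trunk.
    s, findings = parse_vtp(status), []
    if s.get("VTP Operating Mode") == "Server" and s.get("VTP Domain Name", "") == "":
        findings.append("server mode with NULL domain: adopts the first domain it hears")
    if int(s.get("Configuration Revision", "0")) != 0:
        findings.append("revision is not 0: could overwrite the domain's VLAN database")
    return findings

def compare_with_server(local_status, server_status, local_counters=""):
    # Mismatch checks from the troubleshooting list: domain name, version, password (digest).
    loc, srv, cnt = parse_vtp(local_status), parse_vtp(server_status), parse_vtp(local_counters)
    findings = []
    for key in ("VTP Domain Name", "VTP Version"):
        if loc.get(key) != srv.get(key):
            findings.append(f"{key} differs: local={loc.get(key)!r} server={srv.get(key)!r}")
    same_rev = loc.get("Configuration Revision") == srv.get("Configuration Revision")
    if same_rev and loc.get("MD5 digest") != srv.get("MD5 digest"):
        findings.append("MD5 digest differs at the same revision: VTP password likely differs")
    if int(cnt.get("Number of config digest errors", "0")) > 0:
        findings.append("config digest errors counted: advertisements rejected, check VTP password")
    return findings
```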

Commands
show vtp status    <--- Displays current VTP parameters, including the last advertising server
show vtp counters    <--- Displays VTP advertisement and pruning statistics
show vlan brief    <--- Displays defined VLANs
show interface <type mod/num> switchport    <--- Displays trunk status, including pruning eligibility
show interface <type mod/num> pruning     <--- Displays VTP pruning state 
Commands Examples:
Switch# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : SW12
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0018.7330.7e00
Configuration last modified by 0.0.0.0 at 3-1-93 00:33:57
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 7
Configuration Revision            : 41
MD5 digest                        : 0x65 0x26 0x8A 0x78 0xEA 0xCD 0x0D 0xFA
                                    0xF4 0xC8 0xA2 0x87 0x9A 0x74 0x2B 0x51
Switch#

SW8# show vtp counters
VTP statistics:
Summary advertisements received    : 131
Subset advertisements received     : 28
Request advertisements received    : 0
Summary advertisements transmitted : 70
Subset advertisements transmitted  : 12
Request advertisements transmitted : 0
Number of config revision errors   : 0
Number of config digest errors     : 0
Number of V1 summary errors        : 0

VTP pruning statistics:

Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
SW8#