VTP, or Virtual Trunking Protocol, is a Cisco proprietary protocol that is used to share VLAN information between switches. In a small topology such as our little 3 switch topology, or in a small office network where you might have 3 or 4 switches, configuring VLANs manually on each switch might not be such a big deal. But think about a large scale campus network or datacenter network where you have hundreds or thousands of VLANs and have to manually configure those VLANs, or make changes to them, on every device. This is why Cisco invented VTP. VTP uses L2 trunking frames to communicate information to other VTP switches inside the VTP domain about VLAN adds, deletions, or modifications.
A switch enabled for VTP advertises specific information to other switches inside the VTP domain, including the VTP version, the VTP revision number, the known VLANs, and any specific VLAN parameters. Note that VTP v1 and v2 only support the standard range of VLANs from 1 to 1005; VTP v3 adds support for the extended range from 1 to 4094. When a change to a VLAN is made, the VTP Server sends a VTP Advertisement to all switches inside the VTP domain advertising the change. There are 4 modes of VTP:
- Server: A VTP Server has full control of the VLAN information inside the VTP domain. There must be at least 1 VTP server in a VTP domain.
- Client: A VTP Client receives VLAN information from the VTP Server. VLAN information cannot be modified on a switch configured as a VTP Client. Received VTP information is forwarded out all trunk ports to other VTP Neighbours making a VTP Client like a relay.
- Transparent: In this mode, the switch does not participate in VTP at all. If the switch is running VTPv2 it will forward VTP advertisements like a VTP Client, but will not take part in VTP. A network engineer can modify the VLAN information on VTP Transparent mode switches.
- Off: In this mode, the switch also does not participate in VTP; however, unlike in transparent mode, the switch will NOT forward any VTP advertisements.
For this article I will only cover VTP versions 1 and 2; I will go through VTP v3 in another article. Switches send VTP advertisements as multicast frames to the well-known multicast address 0100.0ccc.cccc. When a VTP switch receives these advertisements it processes them locally and forwards the advertisement out all other Trunk ports. There are 3 types of VTP advertisements:
- Summary Advertisement: These advertisements are sent every 300 seconds, or when a VLAN is added, modified or removed, and include the VTP version, domain, revision number and a time stamp.
- Subset Advertisement: These advertisements are sent when a VLAN change occurs and contain all the information the switch needs to make the required changes to the VLAN.
- Client Request Advertisement: This advertisement is sent by the VTP client to request more detailed information about the subset advertisement. These are usually sent when a VTP Client has a lower VTP revision number than the received VTP advertisement.
Below is a packet capture of a VTP summary advertisement header. Here you can see the information that is sent in a VTP advertisement.
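To make the header fields concrete, here is an added example (my own code, not from the original article or from Cisco) that builds and decodes the fixed 72-byte VTP v1/v2 summary advertisement header. The sample frame, the 192.168.1.1 updater address and the timestamp are constructed values; the MD5 digest is left as a zero placeholder because the real digest calculation is not covered here.

```python
import struct

# VTP v1/v2 summary advertisement as carried on a trunk (SNAP OUI 00:00:0c,
# protocol id 0x2003, destination 0100.0ccc.cccc). Fixed 72-byte layout:
#   version(1) code(1) followers(1) domain_len(1) domain(32, zero padded)
#   config_revision(4) updater_identity(4, IPv4) update_timestamp(12, yymmddhhmmss)
#   md5_digest(16)
SUMMARY_FMT = "!BBBB32sI4s12s16s"
SUMMARY_LEN = struct.calcsize(SUMMARY_FMT)
VTP_CODES = {1: "summary", 2: "subset", 3: "request"}


def build_summary(domain, revision, updater="10.0.0.1", timestamp="930301000000",
                  version=2, followers=0, digest=b"\x00" * 16):
    """Encode a summary advertisement; the digest is a placeholder, not a real VTP MD5."""
    name = domain.encode("ascii")
    if len(name) > 32:
        raise ValueError("VTP domain names are at most 32 bytes")
    return struct.pack(SUMMARY_FMT, version, 1, followers, len(name), name, revision,
                       bytes(int(o) for o in updater.split(".")),
                       timestamp.encode("ascii"), digest)


def parse_summary(frame):
    """Decode the fields a receiving switch inspects before comparing revision numbers."""
    if len(frame) < SUMMARY_LEN:
        raise ValueError("truncated VTP summary: %d < %d bytes" % (len(frame), SUMMARY_LEN))
    (version, code, followers, dom_len, dom_raw,
     revision, updater, ts, digest) = struct.unpack_from(SUMMARY_FMT, frame)
    if code != 1:
        raise ValueError("not a summary advertisement: code %d (%s)"
                         % (code, VTP_CODES.get(code, "unknown")))
    if dom_len > 32:
        raise ValueError("bad domain length %d" % dom_len)
    return {
        "version": version,
        "followers": followers,                     # subset adverts that follow
        "domain": dom_raw[:dom_len].decode("ascii", "replace"),
        "revision": revision,
        "updater": ".".join(str(b) for b in updater),  # IP of the last updating server
        "timestamp": ts.decode("ascii", "replace"),
        "md5": digest.hex(),
    }


# Constructed sample: what SW1 (192.168.1.1) would send for domain WRMEM at revision 7.
SAMPLE_FRAME = build_summary("WRMEM", 7, updater="192.168.1.1")

if __name__ == "__main__":
    for name, value in parse_summary(SAMPLE_FRAME).items():
        print("%-10s %s" % (name, value))
```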
As mentioned above, VTP uses revision numbers to determine which VTP Server (there can be multiple inside a VTP domain) has the latest information. Each time a change to the VLAN database on the VTP server is made, the revision number is incremented and an advertisement is sent. Whenever a switch receives a VTP advertisement with a higher revision number than its own, the VLAN information on that switch is overwritten, regardless of whether the changes are relevant. This is why, when adding a new switch to the VTP domain, it is important to remember to reset the revision number to 0. When using VTP, the VLAN database information is not stored in the running config in NVRAM like it is with VTP transparent or off mode. Instead it is stored in a file on the flash called vlan.dat. If you delete the vlan.dat file, all VTP cached information is lost except the revision number. To reset the VTP revision number you must do one of two things:
- Change the VTP mode to transparent or off, and then back to client or server
- Change the VTP domain to something else and then change it back.
Many a network engineer has plugged an old switch with a really old VLAN database and a high revision number into the network, forgotten to reset it, and completely wiped the VLAN database. Configuring the switch as a VTP Client does not actually protect the network from this issue. When a VTP client joins the VTP domain and hears an advertisement with a lower revision number than its own, it will send out a subset advertisement, which even a VTP server will accept as it has a higher revision number. This is why resetting the revision number is so important; it can quite easily bring a production network to its knees. Resetting the revision number protects against accidents, but what about a malicious user? VTP v1 and v2 allow the use of a password to help protect against this type of attack. You can configure a VTP Server or Client to use a password hash that is exchanged in all VTP Summary advertisements using the global configuration command vtp password <password>.
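The revision-number rule above is easier to reason about as a small model. The following is an added example (my own code, not from the article or from Cisco IOS) that simulates the acceptance rule for v1/v2 and runs the stale-switch accident with and without the transparent-and-back reset; the switch names, revision values, VLAN IDs and the use of a plain password in place of the MD5 digest are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class VtpSwitch:
    """Minimal model of VTP v1/v2 revision handling (constructed, not Cisco code)."""
    mode: str                       # "server", "client", "transparent" or "off"
    domain: str
    revision: int = 0
    vlans: Set[int] = field(default_factory=lambda: {1})
    password: Optional[str] = None  # stands in for the MD5 digest in the summary advert

    def advertise(self) -> dict:
        """Summary + subset content a server or client sends out its trunks."""
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": set(self.vlans)}

    def receive(self, adv: dict) -> bool:
        """Apply a received advertisement; True if our VLAN database was overwritten."""
        if self.mode in ("transparent", "off"):
            return False            # not a VTP participant
        if adv["domain"] != self.domain or adv["password"] != self.password:
            return False            # other domain or digest mismatch: silently ignored
        if adv["revision"] <= self.revision:
            return False            # nothing newer than what we already hold
        # Higher revision wins on clients AND servers, whatever the VLAN content is.
        self.revision, self.vlans = adv["revision"], set(adv["vlans"])
        return True

    def set_mode(self, mode: str) -> None:
        """Going to transparent/off (and back) is one of the two ways to reset to 0."""
        if mode in ("transparent", "off"):
            self.revision = 0
        self.mode = mode

def join_domain(server: VtpSwitch, newcomer: VtpSwitch, reset_first: bool):
    """Plug newcomer into the domain; return (server wiped?, server rev, server VLANs)."""
    if reset_first:
        newcomer.set_mode("transparent")   # vtp mode transparent ...
        newcomer.set_mode("client")        # ... then vtp mode client
    newcomer.receive(server.advertise())   # newcomer hears the server's summary first
    wiped = server.receive(newcomer.advertise())  # and answers with its own database
    return wiped, server.revision, sorted(server.vlans)

def stale_switch(reset_first: bool):
    """An old client at revision 42 meets SW1, the WRMEM server at revision 7."""
    sw1 = VtpSwitch("server", "WRMEM", 7, {1, 10, 20, 30, 40}, "mysecret")
    old = VtpSwitch("client", "WRMEM", 42, {1, 999}, "mysecret")
    return join_domain(sw1, old, reset_first)
```

Without the reset the server is overwritten by the client's stale database; with it, the newcomer adopts the server's database instead, and an advertisement carrying the wrong password (digest) is ignored entirely.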
There are only a few differences between VTP v1 and v2. These are:
- Support for Token Ring VLANs
- v2 supports consistency checking
- In v2, transparent mode forwards VTP frames; in v1 it does not
To run through configuring VTP, I will use the same 3 switch topology I always use.
Configuring VTP is very straightforward, and a Cisco switch will even work using VTP v1 out of the box, as the default VTP mode is server and the default version is 1. SW1 will be the VTP server, with SW2 and SW3 as VTP clients. The VTP version is first set to 1 using the command vtp version 1, the VTP domain is set to WRMEM using the command vtp domain <name>, and the password is set to mysecret with vtp password as above.
To verify your VTP configuration use the show commands show vtp status and show vtp counters.
On some platforms/IOS versions, if you forget the VTP password, you can log into the switch and use the command show vtp password. If the switch does not support this command you can look at the vlan.dat file on the switch's flash and obtain the password from there.
Now let's take a look at the VLANs currently configured on all switches to ensure they are the same.
Since we can now only create VLANs on the VTP server, let's create VLANs 40 and 50 on SW1 and check the VLAN database and VTP status on SW2 and SW3 to confirm the VLANs were automatically created.
Now let's remove VLAN 50 from SW1.
Changing to VTP v2 is as simple as using the global configuration command vtp version 2. VTP v1 and v2 are not completely backward compatible, so every switch in the domain needs to run the same version. The good thing is that you only need to change it on the VTP server (in fact you can't even change it on a VTP Client): once the VTP server is configured as v2, it sends a VTP advertisement advising the other switches to use VTP v2.
Let's now see what happens when SW3 has a higher revision number than the server and is introduced into the network as a VTP client. First, let's reset SW1's revision number by changing the VTP mode to transparent. I will also alter the VLAN database by removing VLAN 60 from SW1, so that when it is set back to VTP server and participating again we can see that the VTP Clients have updated the VLAN database on SW1, even though it is configured as a Server.
Now let's confirm that SW2 still has the revision number 7, the same as SW1 had before it was reset.
And finally, let's change SW1 back to VTP server and check the revision and number of VLANs.
As you can see, the revision number went from 0 to 7 and the number of VLANs increased from 9 to 10.
VTP pruning can be used to restrict the broadcast VLAN traffic that is sent over a Trunk port. A switch must forward all broadcast, multicast and unknown unicast frames on a VLAN to all other ports in that VLAN, including Trunk ports, as by default Trunk ports are members of all configured VLANs. But what if we have a scenario where a switch's Trunk port is configured to include a VLAN, but there are no hosts on that switch in that VLAN? The broadcast frame is still forwarded to that switch, and the switch still has to spend CPU processing power on the broadcast frame. VTP Pruning allows the switch to find out which VLANs are active on neighbouring devices and, with that knowledge, prevent unnecessary broadcast, multicast and unknown unicast frames from being sent.
VTP Pruning works by utilising a VTP advertisement to tell other switches that it has an active port in a VLAN. VTP switches store this information and use it to determine whether a frame should be forwarded to that switch. Because VTP Pruning uses additional advertisements, it is important that it is enabled on all switches inside the VTP domain. Say we have the network below, with the top switch being SW1 and then, left to right, SW2, SW3 and SW4. By default, all trunk links between switches are enabled for all VLANs, so all broadcast, multicast and unknown unicast frames are forwarded.
By enabling VTP Pruning on all switches in the network, SW2 will advise all other switches (SW1 in this case) that it only has hosts on VLANs 10 and 20, SW3 will advertise that it only has hosts on VLAN 10, and SW4 will advertise that it has hosts in all VLANs. This tells SW1 not to forward frames destined for VLAN 30 to SW2, to forward only VLAN 10 frames to SW3, and to forward all frames to SW4.
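As an added example (my own code, not from the article or from Cisco), the pruning decision SW1 makes for the four-switch topology above, modelled as a lookup over the VLANs each trunk neighbour reports active. The JOINS table and the VLAN set are constructed from the scenario in the text; treating a neighbour that sent no pruning information as one that must still receive every VLAN is an assumption of this model.

```python
# Constructed model of VTP pruning for the four-switch topology above (not Cisco code).
# JOINS maps each of SW1's trunk neighbours to the VLANs its pruning advertisement
# reports active ports in. None marks a neighbour that sent no pruning information
# (pruning not enabled there); the model assumes SW1 must then flood every VLAN to it.
ALL_VLANS = {10, 20, 30}
JOINS = {"SW2": {10, 20}, "SW3": {10}, "SW4": {10, 20, 30}}


def flood_targets(joins, vlan):
    """Trunks on which SW1 forwards broadcast/multicast/unknown unicast for `vlan`."""
    if vlan not in ALL_VLANS:
        raise ValueError("VLAN %d is not configured in the domain" % vlan)
    return sorted(nbr for nbr, active in joins.items()
                  if active is None or vlan in active)


def pruned_vlans(joins, trunk):
    """VLANs SW1 stops flooding on the trunk towards `trunk`."""
    active = joins[trunk]
    return set() if active is None else ALL_VLANS - active


if __name__ == "__main__":
    for vlan in sorted(ALL_VLANS):
        print("VLAN %d floods to %s" % (vlan, flood_targets(JOINS, vlan)))
    for trunk in JOINS:
        print("%s: pruned %s" % (trunk, sorted(pruned_vlans(JOINS, trunk))))
```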
To enable VTP pruning, use the global configuration command vtp pruning. Just like changing the VTP version, enabling pruning only needs to be done on the VTP server.
As you can see, VTP makes managing VLANs in a network much simpler, but it also introduces the possibility of accidentally bringing down a network, and the stale revision number example shows how easy that can be. It's for this reason that a lot of network engineers tend to steer clear of VTP. Personally, I think it is a great tool that can save a lot of time when configured correctly, with care and a proper understanding, and it shouldn't be feared as long as you're careful.