VLAN trunking protocol (VTP)

  • Reduces administrative work by distributing VLAN configuration from a VTP server to the clients in the same management domain.
  • Works only over trunk interfaces. VTP packets are carried in either ISL or IEEE 802.1Q frames.
  • VTP packets are sent to the Cisco multicast destination MAC address 01-00-0C-CC-CC-CC (the same address CDP and DTP use); an LLC/SNAP header with OUI 00-00-0C and protocol ID 0x2003 identifies the payload as VTP.
    • Encapsulated as: DA-SA-[802.1Q tag]-Length-LLC/SNAP-Data[VTP header and message]-FCS
  • VTP header:
    • VTP protocol version: 1, 2 or 3
    • VTP message type (the code field):
      • 0x01 Summary advertisement
      • 0x02 Subset advertisement
      • 0x03 Advertisement request
      • 0x04 VTP join message
    • Management domain name length (1 byte)
    • Management domain name (32-byte field, zero-padded)
  • Configuration revision number:
    • 32-bit value used to decide which VLAN database is the most recent.
    • Adding, deleting or modifying any VLAN on the VTP server increments the revision number by 1. Starting value: 0 (default).
    • To reset the revision number to 0:
      • Change the domain name
      • Change the VTP mode (from server to transparent and back to server)
      • Reload the switch (this only helps on a device that does not keep its VLAN database in NVRAM, i.e. a v1/v2 client; a server keeps its database and revision number across a reload)

VTP messages:

  • Summary advertisement:
    • All VTP-enabled devices (server and client) send a summary advertisement every 5 minutes so that neighbours can check whether their VLAN databases are in sync.
    • It has the following important fields:
      • Version: 1, 2 or 3
      • Followers: number of subset advertisements that follow this summary (0 for the periodic keepalive)
      • Domain name
      • Configuration revision number
      • Updater identity: IP address of the switch that last incremented the revision number
      • Update timestamp: time of the last increment
      • MD5 digest: 16-byte hash computed over the VLAN database together with the VTP password. The password itself is never transmitted; a receiver configured with a different password computes a different digest and discards the update.
  • subset advertisement:
    • When a VLAN change is made on the server, it increments the revision number and sends a summary advertisement followed by one or more subset advertisements.
    • This message carries the VLAN database. Important fields per VLAN are:
      • Vlan status
      • VLAN type
      • VLAN name
      • ISL Vlan-ID
      • VLAN MTU size
  • Advertisement requests:
    • Sent when:
      • the switch is reset
      • the VTP domain name is changed
      • the switch receives a VTP summary with a higher revision number than its own
    • On receiving an advertisement request, a switch sends a summary advertisement followed by subset advertisements.
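The encapsulation and message layouts described above, as an added worked example in Python (not code from the original post or from Cisco): it builds a summary and a subset advertisement inside an 802.3/LLC-SNAP frame and parses them back, rejecting anything not addressed to the VTP multicast MAC or not carrying SNAP protocol ID 0x2003. The source MAC, updater IP, VLAN names and timestamp are constructed sample values; the default 802.10 SAID of 100000 + VLAN ID and the status bit 0x01 meaning "suspended" follow the publicly documented field layout but are assumptions as far as this page goes.

```python
"""Build and parse VTP advertisements as they appear on the wire.

Added example, not code from the original post or from Cisco.
Layout: 4-byte header (version, code, followers/seq/reserved, domain
length), 32-byte zero-padded domain name, then per-type fields.
"""
import struct

VTP_DST_MAC = bytes.fromhex("01000ccccccc")   # Cisco multicast MAC used by VTP
LLC_SNAP_VTP = b"\xaa\xaa\x03\x00\x00\x0c" + struct.pack("!H", 0x2003)  # OUI 00-00-0C, PID 0x2003
CODE_NAMES = {1: "summary", 2: "subset", 3: "request", 4: "join"}


def _domain_field(name):
    raw = name.encode("ascii")
    if not 0 < len(raw) <= 32:
        raise ValueError("VTP domain name must be 1-32 bytes")
    return raw.ljust(32, b"\x00")


def build_summary(domain, revision, updater_ip, timestamp, md5, followers=0, version=2):
    """Summary: hdr(4) domain(32) revision(4) updater(4) timestamp(12) md5(16) = 72 bytes."""
    if len(md5) != 16:
        raise ValueError("MD5 digest must be 16 bytes")
    return (struct.pack("!BBBB", version, 1, followers, len(domain)) + _domain_field(domain)
            + struct.pack("!I", revision) + bytes(int(o) for o in updater_ip.split("."))
            + timestamp.encode("ascii").ljust(12, b"\x00")[:12] + md5)


def build_subset(domain, revision, vlans, seq=1, version=2):
    """Subset: hdr(4) domain(32) revision(4), then one VLAN info field per (id, name, mtu).
    Status 0 = active, type 1 = Ethernet, SAID = 100000 + VLAN ID (assumed Cisco default)."""
    out = struct.pack("!BBBB", version, 2, seq, len(domain)) + _domain_field(domain) + struct.pack("!I", revision)
    for vid, name, mtu in vlans:
        raw = name.encode("ascii")
        padded = raw + b"\x00" * (-len(raw) % 4)      # name is padded to a multiple of 4 bytes
        out += struct.pack("!BBBBHHI", 12 + len(padded), 0, 1, len(raw), vid, mtu, 100000 + vid) + padded
    return out


def build_frame(src_mac, vtp_message, vlan_tag=None):
    """802.3 frame: DA SA [802.1Q tag] length LLC/SNAP VTP-message (FCS omitted)."""
    tag = struct.pack("!HH", 0x8100, vlan_tag) if vlan_tag is not None else b""
    data = LLC_SNAP_VTP + vtp_message
    return VTP_DST_MAC + src_mac + tag + struct.pack("!H", len(data)) + data


def parse_vtp(p):
    """Decode a VTP message body (the bytes after LLC/SNAP) into a dict."""
    if len(p) < 36:
        raise ValueError("too short for a VTP header")
    version, code, third, dlen = struct.unpack("!BBBB", p[:4])
    if dlen > 32:
        raise ValueError("domain length field exceeds 32")
    msg = {"version": version, "type": CODE_NAMES.get(code, "unknown"),
           "domain": p[4:4 + dlen].decode("ascii", "replace")}
    if code == 1:                                   # summary advertisement
        if len(p) < 72:
            raise ValueError("truncated summary advertisement")
        msg.update(followers=third, revision=struct.unpack("!I", p[36:40])[0],
                   updater=".".join(str(b) for b in p[40:44]),
                   timestamp=p[44:56].rstrip(b"\x00").decode("ascii", "replace"), md5=p[56:72].hex())
    elif code == 2:                                 # subset advertisement
        if len(p) < 40:
            raise ValueError("truncated subset advertisement")
        vlans, off = [], 40
        while off < len(p):
            if off + 12 > len(p):
                raise ValueError("truncated VLAN info field")
            ilen, status, vtype, nlen, vid, mtu, said = struct.unpack("!BBBBHHI", p[off:off + 12])
            if ilen < 12 + nlen or off + ilen > len(p):
                raise ValueError("bad VLAN info length")
            vlans.append({"id": vid, "name": p[off + 12:off + 12 + nlen].decode("ascii", "replace"),
                          "mtu": mtu, "type": vtype, "said": said, "active": not status & 0x01})
            off += ilen
        msg.update(seq=third, revision=struct.unpack("!I", p[36:40])[0], vlans=vlans)
    elif code == 3:                                 # advertisement request
        if len(p) < 38:
            raise ValueError("truncated advertisement request")
        msg["start_value"] = struct.unpack("!H", p[36:38])[0]
    return msg


def parse_frame(frame):
    """Strip Ethernet/802.1Q/LLC-SNAP and decode the VTP message; rejects non-VTP frames."""
    if frame[:6] != VTP_DST_MAC:
        raise ValueError("not addressed to 01:00:0c:cc:cc:cc")
    off, vlan = 12, None
    if frame[off:off + 2] == b"\x81\x00":
        vlan = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    length = struct.unpack("!H", frame[off:off + 2])[0]
    off += 2
    if frame[off:off + 8] != LLC_SNAP_VTP:
        raise ValueError("not a Cisco SNAP 0x2003 (VTP) payload")
    msg = parse_vtp(frame[off + 8:off + length])
    msg.update(src_mac=frame[6:12].hex(":"), vlan_tag=vlan)
    return msg


# Constructed sample: a server at 10.16.151.211 announcing revision 2 with two VLANs.
SRC = bytes.fromhex("0013522ae800")
SUMMARY_FRAME = build_frame(SRC, build_summary("CISCO", 2, "10.16.151.211", "121232032242", bytes(16), followers=1))
SUBSET_FRAME = build_frame(SRC, build_subset("CISCO", 2, [(10, "users", 1500), (20, "voice", 1500)]), vlan_tag=1)
```

A practitioner monitoring a trunk would feed captured frames to parse_frame and compare the advertised domain, revision and updater against the known server; the parser refuses frames that are not VTP so that unrelated traffic to the same multicast MAC (CDP, DTP) is not misread.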

VTP Modes:

  • Server:
    • Default mode. The switch can add, delete and modify VLANs and change the VTP version and pruning parameters. There can be more than one server in a VTP domain for redundancy. All VTP devices in the domain sync to the same VLAN database.
    • Accepts VLAN information from any device in the domain, including a client, if the received revision number is higher than its own. This is the classic VTP hazard: a switch that joins with the same domain name and password but a higher revision number overwrites the VLAN database of every server and client in the domain. Reset the revision number (change the domain name, or move the switch to transparent mode and back) before connecting a used switch, whether it is in server or client mode.
    • Stores VLAN information in NVRAM, so it is preserved across a reload. If the switch cannot write to NVRAM, it falls back to client mode.
  • Client:
    • Cannot add, delete or modify VLANs.
    • VLAN information is not stored in NVRAM (only in RAM), so it is lost on reload. In VTP v3 the VLAN configuration is saved in NVRAM.
  • Transparent:
    • Does not participate in VTP: it neither applies received advertisements nor advertises its own VLANs, and its local VLAN changes do not increment the revision number. It only relays VTP advertisements received on a trunk out of its other trunk ports.
    • In v1 and v2, a switch must be in transparent mode to configure extended-range VLANs (1006-4094) or private VLANs.
    • VLAN configuration is saved in NVRAM. The domain name, version and VLANs are visible in the running configuration.
    • VTP pruning does not work in transparent mode.
  • Off:
    • Same as transparent, except that received VTP packets are dropped instead of forwarded.

VTP versions:

  • VTP-Version1:
    • Default version when the switch boots.
    • A transparent-mode switch forwards VTP messages only after checking the domain name and version number; messages are dropped on a domain name mismatch.
  • VTP-Version2:
    • Adds support for Token Ring VLANs.
    • Neither v1 nor v2 supports extended VLANs (1006-4094); they must be configured manually on every switch.
    • v1 and v2 do not interoperate. Enable v2 only when every switch in the domain supports it.
    • Unrecognized TLV support: the switch stores and forwards TLVs it does not recognize.
    • A transparent-mode switch forwards VTP messages without a version check, so it can relay v1 updates. It still checks the domain name and drops messages on a mismatch.

VTP-Version3:

  • First implemented in CatOS; IOS 12.2 and later supports v3.
  • Controls which device may update the VLAN database in the domain (the primary server).
  • Advertisements carry the primary server ID, the instance number and a start index.
  • Supports two independent databases, VLAN and MST: the MSTP configuration is synchronised in addition to the VLAN configuration. A third, "unknown" instance exists for any other feature and can only be in transparent or off mode.
    • Two TLVs carry the MSTP configuration: one carries the MST region name and revision number, the other the mapping table of MST instance to VLANs.
    • Configuration from the primary server is advertised to all other v3 devices.
  • If pruning is enabled, it is local to the switch and is not propagated to the whole VTP domain.
  • Supports extended VLANs, RSPAN VLANs and private VLANs, but pruning still works only for VLANs 1-1005.
  • The "domain-name discovery" behaviour (learning the domain name from the first advertisement received) is not available in v3.
  • Interoperates with v2 devices but not with v1-only devices. Per-port (trunk) VTP configuration is available, but the per-port VTP mode must be the same for the VLAN and MST instances.
  • Enhanced authentication: hidden or secret password (the clear-text password is not kept in the configuration).
  • Server mode:
    • The default role is "secondary server". There can be only one primary server per domain.
    • A secondary server stores received VTP information in NVRAM (unlike a v1/v2 client) but cannot configure VLANs.
    • Only the primary server can make configuration changes, increment the revision number and advertise them.
    • A domain may have no primary server at all. A secondary server is promoted with the exec command "vtp primary" (a takeover). Primary status is lost when the device reloads or a domain parameter changes.
  • The summary advertisement is sent every 300 seconds or whenever a VLAN parameter changes (add/delete/modify VLAN, VLAN state, VLAN name, MTU, etc.).
  • Reference: Cisco VTPv3 white paper.
  • A v2-capable switch running v1 that receives a v3 update automatically moves to v2; a v3 switch sends a scaled-down v2 version of its packets along with the v3 update.
  • If v2 is configured on any one switch, all v2-capable switches in the domain move to v2. v2 cannot interoperate with v1-only devices.
  • v1/v2 switches do not forward v3 advertisements.
  • A v3 device does not accept configuration from a v1/v2 device.

Default configuration:

  • Domain name: Null,
  • Mode: server (for v1 and v2); for v3, the mode the switch was in before changing to v3
  • Version: v1
  • MST database mode: transparent
  • v3 server type: secondary.
  • VTP password: none
  • Pruning disabled.

How VTP works:

  • Configure one switch as VTP server and the others as clients with the same domain name, password and version. For every VLAN modification the server increments the revision number and sends a summary advertisement followed by subset advertisements over its trunks.
  • A switch that receives an advertisement with a higher revision number than its own updates its VLAN database and revision number and forwards the update to other switches.
  • If the advertisement has a lower revision number than its own, the switch ignores it and sends its own summary advertisement on the trunk the old advertisement arrived on.
  • If the switch reaches a hardware limit while storing the received update, it logs an error and shuts down the VLAN.
  • On reload, the configuration is selected from the startup-config and the VLAN database. If the VTP mode in both is transparent and the domain names match, the configuration is taken from the startup-config and the VLAN database is erased.
  • If the VTP mode or domain name do not match, the VTP mode and domain name from the VLAN database are used, together with the first 1005 VLANs.

VTP Pruning:

  • Stops unknown-unicast and broadcast traffic of a VLAN from being flooded onto trunks whose far end has no ports in that VLAN.
  • In v1/v2, enabling pruning on a server enables it for the whole management domain.
  • VLAN 1, the reserved VLANs 1002-1005 and extended VLANs are prune-ineligible.
  • Command: "vtp pruning". Enter it on only one switch in server mode.
  • When a switch learns from the VTP join messages received on a trunk that a VLAN is inactive on the far end, it stops sending that VLAN's flooded traffic out of that trunk (see Packet Life).

Observations:

  • A VLAN cannot be configured manually on a VTP server until the server has a domain name, either from local configuration or from the first summary advertisement it receives (CatOS only).
  • DTP fails to bring up a trunk if the domain names configured on the two ends differ.
  • Once a domain name is configured it cannot be removed, only changed.

Scenarios:

  • A switch is configured as VTP transparent with 3 VLANs already configured. It is moved to VTP server mode and receives an update. Save the configuration and reload. Do those 3 VLANs exist after the reload?
    • YES
  • Domain name effect in transparent mode (see "Old VTP Myth").
  • Add a VTP client whose configuration revision is higher than that of the server in the domain:
    • All VLAN information in the domain is erased and replaced by the new switch's database. This does not happen in v3, where only the primary server can change the database.
  • Ways to block VTP packets (see Packet Life).
  • How well do you know VTP?

Configuration:

  Router(config)#vtp domain CISCO
  Domain name already set to CISCO.
  Router(config)#vtp password cIsCo
  Setting device VTP password to cIsCo
  Router(config)#vtp interface GigabitEthernet2/48 only
  Router(config)#vtp mode client
  Setting device to VTP Client mode for VLANS.
  Router#show vtp password
  VTP Password: cIsCo
  Router#show vtp status
  VTP Version                     : 3 (capable)
  Configuration Revision          : 2
  Maximum VLANs supported locally : 1005
  Number of existing VLANs        : 10
  VTP Operating Mode              : Client
  VTP Domain Name                 : CISCO
  VTP Pruning Mode                : Disabled
  VTP V2 Mode                     : Disabled
  VTP Traps Generation            : Disabled
  MD5 digest                      : 0xC8 0x41 0x46 0xFD 0xFD 0x4B 0x77 0x7B
  Configuration last modified by 10.16.151.211 at 12-12-32 03:22:42
  VTP version running             : 1
  Router#

"vtp interface GigabitEthernet2/48 only" selects the interface whose IP address is used as the updater identity in advertisements. "3 (capable)" with "VTP version running: 1" shows that the switch supports v3 but is still operating in v1.

Self-explanatory logs:

  • VTP VLAN configuration not allowed when device is in CLIENT mode.
  • VTP mode cannot be set to server because there’re private vlans configured on this device.
  • Mode change not allowed. VTP VLAN is in use internally.Features using internal VLANs in 1..1005 range must first be removed.
  • VTP VLAN configuration not allowed when device is not the primary server for vlan database.
  • %SW_VLAN-SP-6-OLD_CONFIG_FILE_READ: Old version 2 VLAN configuration file detected and read OK.  Version 3vtp files will be written in the future.
  • %SW_VLAN-SP-4-VTP_PRIMARY_SERVER_CHG: 0013.5229.e800 has become the primary server for the VLAN VTP feature
  • System can become primary server for Vlan feature only when configured as a server

Show vtp counters:

  • In the output of this command, "Number of config revision errors" increments when different VLANs are configured on two VTP servers at the same time: both servers generate an update with the same revision number but different MD5 digests. Recover by making another change to the VLAN database on one server so that its revision number wins.
  • "Number of config digest errors" increments when the MD5 digest the switch calculates over the received subset advertisements differs from the digest carried in the summary advertisement.

This entry was posted in IOS, L2 switch.