Section 3.5: VLAN Trunking Protocol (VTP)

Campus network environments are usually made up of many interconnected switches which make administration complicated. Cisco has developed a method to manage VLANs across the campus network using the VLAN Trunking Protocol (VTP). VTP uses Layer 2 trunk frames to communicate VLAN information among a group of switches. VTP also manages the addition, deletion, and renaming of VLANs across the network from a central point of control.

VTP is organized into management domains or areas with common VLAN requirements. A switch can belong to only one VTP domain. Switches in different VTP domains do not share VTP information. Switches in a VTP domain advertise several attributes to their domain neighbors. Each advertisement contains information about the VTP management domain, VTP revision number, known VLANs, and specific VLAN parameters.

3.5.1: VTP Modes

To participate in a VTP management domain, each switch must be configured to operate in one of several modes. The VTP mode will determine how the switch processes and advertises VTP information. The VTP modes are: server mode, client mode, and transparent mode.

3.5.1.1: Server Mode

Server mode is the default mode. In this mode, VTP servers have full control over VLAN creation and modification for their domains. All VTP information is advertised to other switches in the domain, while all received VTP information is synchronized with the other switches. Because it is the default mode, server mode can be used on any switch in a management domain, even if other server and client switches are in use. This mode provides some redundancy in the event of a server failure in the domain.

3.5.1.2: Client Mode

Client mode is a passive listening mode. Switches listen to VTP advertisements from other switches and modify their VLAN configurations accordingly. Thus the administrator is not allowed to create, change, or delete any VLANs. If other switches are in the management domain, a new switch should be configured for client mode operation. In this way, the switch will learn any existing VTP information from a server. If this switch will be used as a redundant server, it should start out in client mode to learn all VTP information from reliable sources. If the switch was initially configured for server mode instead, it might propagate incorrect information to the other domain switches. Once the switch has learned the current VTP information, it can be reconfigured for server mode.

3.5.1.3: Transparent Mode

Transparent mode does not allow the switch to participate in VTP negotiations. Thus, a switch does not advertise its own VLAN configuration, and a switch does not synchronize its VLAN database with received advertisements. VLANs can still be created, deleted, and renamed on the transparent switch. However, they will not be advertised to other neighboring switches. VTP advertisements received by a transparent switch will be forwarded on to other switches on trunk links.

3.5.2: VTP Advertisements

Each switch participating in VTP advertises VLANs, revision numbers, and VLAN parameters on its trunk ports to notify other switches in the management domain. VTP advertisements are sent as multicast frames. Because all switches in a management domain learn of new VLAN configuration changes, a VLAN need only be created and configured on just one VTP server switch in the domain.

By default, management domains are set to use non-secure advertisements without a password. A password can be added to set the domain to secure mode. The same password has to be configured on every switch in the domain so that all switches exchanging VTP information will use identical encryption methods.

VTP Advertisements can originate as requests from client-mode switches that want to learn about the VTP database at boot-up time. They can also originate from server-mode switches as VLAN configuration changes occur. The VTP advertisement process starts with VTP revision number 0 (zero). This VTP revision number is stored in nonvolatile random-access memory (NVRAM) and is not altered by a power cycle of the switch.

Catalyst switches in server mode use a separate nonvolatile random-access memory (NVRAM) for VTP. All VTP information, including the VTP configuration revision number, is retained even when the switch power is off. In this manner, a switch is able to recover the last known VLAN configuration from its VTP database once it reboots.

When subsequent changes are made, the revision number is incremented before advertisements are sent out. When listening switches receive an advertisement with a greater revision number than is locally stored, they update their databases with the new information. Therefore, any newly added network switch should be initialized to VTP revision number zero. This can be done by changing the VTP mode of the switch to transparent and then changing the mode back to server, or by changing the VTP domain of the switch to a non-existent VTP domain and then changing the VTP domain back to the original name. VTP advertisements can occur as summary advertisements, subset advertisements, or client advertisement requests.
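The revision-number rule above, as an added example that is not part of the original text: a small Python model in which the Switch class, its fields and the stale_switch_scenario function are my own assumptions, and the md5 field stands in for the advertisement digest rather than the real frame layout. It shows a switch from the same domain arriving with a stale but higher revision number and replacing the domain's VLAN database, and the transparent-then-server reset preventing that.

```python
# Added example (not from this section): a toy model of the VTP revision
# rule described above. The md5 field is a stand-in, not the wire format.
import hashlib
from dataclasses import dataclass, field

@dataclass
class Switch:
    domain: str
    mode: str = "server"  # server | client | transparent
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    def digest(self, vlans, revision):
        # Models the MD5 digest: domain, revision, VLAN data and password
        data = f"{self.domain}|{revision}|{sorted(vlans.items())}|{self.password}"
        return hashlib.md5(data.encode()).hexdigest()
    def advertise(self):
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans),
                "md5": self.digest(self.vlans, self.revision)}
    def receive(self, adv):
        # Transparent never syncs; domain/password must match; higher rev wins
        ok = (self.mode != "transparent" and adv["domain"] == self.domain
              and adv["md5"] == self.digest(adv["vlans"], adv["revision"])
              and adv["revision"] > self.revision)
        if ok:
            self.revision, self.vlans = adv["revision"], dict(adv["vlans"])
        return ok
    def configure_vlan(self, vid, name):
        if self.mode == "client":
            raise PermissionError("client mode cannot change VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1  # incremented before the advertisement goes out

def stale_switch_scenario(reset_first):
    # Constructed scenario: a switch from the same domain with a stale but
    # higher revision number is connected to a working campus network.
    core = Switch("CAMPUS", password="s3cret")
    for vid, name in ((10, "users"), (20, "servers")):
        core.configure_vlan(vid, name)  # core revision becomes 2
    edge = Switch("CAMPUS", mode="client", password="s3cret")
    edge.receive(core.advertise())
    lab = Switch("CAMPUS", password="s3cret", revision=9,
                 vlans={1: "default", 99: "lab"})
    if reset_first:  # transparent -> server (or a domain change) resets to 0
        lab.mode, lab.revision = "transparent", 0
        lab.mode = "server"
    for sw in (core, edge):
        sw.receive(lab.advertise())
    return sorted(core.vlans), sorted(edge.vlans)
```

Without the reset, VLANs 10 and 20 disappear from both the server and the client; with it, the stale advertisement is ignored because its revision number is lower.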

3.5.2.1: Summary Advertisements

VTP domain servers send summary advertisements every 300 seconds and every time a VLAN topology change occurs. The summary advertisement lists information about the management domain, including VTP version, domain name, configuration revision number, timestamp, MD5 encryption hash code, and the number of subset advertisements to follow. For VLAN configuration changes, summary advertisements are followed by one or more subset advertisements, with more specific VLAN configuration data.

3.5.2.2: Subset Advertisements

VTP domain servers send subset advertisements after a VLAN configuration change occurs. These advertisements list the specific changes that have been performed, such as creation or deletion of a VLAN, suspending or activating a VLAN, changing the name of a VLAN, and changing the MTU of a VLAN. Subset advertisements can list the following VLAN parameters: status of the VLAN, VLAN type, MTU, length of the VLAN name, VLAN number, SAID value, and the VLAN name.

3.5.2.3: Client Request Advertisements

A VTP client can request any VLAN information that it lacks. After a client advertisement request, the VTP domain servers respond with summary and subset advertisements.

3.5.3: VTP Configuration

Before VLANs can be configured, VTP must be configured. By default, every switch will operate in VTP server mode for the management domain NULL, with no password or secure mode. The following sections discuss the commands and considerations that should be used to configure a switch for VTP operation.

3.5.3.1: Configuring a VTP Management Domain

Before a switch is added into a network, the VTP management domain should be identified. If this switch is the first one on the network, the management domain will need to be created. Otherwise, the switch may have to join an existing management domain with other existing switches.

The following command can be used to assign a switch to a management domain on an IOS-based switch:

Switch# vlan database

Switch(vlan)# vtp domain domain_name

To assign a switch to a management domain on a CLI-based switch, use the following command:

Switch(enable) set vtp [ domain domain_name ]

3.5.3.2: Configuring the VTP Mode

Once you have assigned the switch to a VTP management domain, you need to select the VTP mode for the new switch. There are three VTP modes that can be selected: server mode, client mode, and transparent mode. These VTP modes were discussed in Section 3.5.1.

On an IOS-based switch, the following commands can be used to configure the VTP mode:

Switch# vlan database

Switch(vlan)# vtp domain domain_name

Switch(vlan)# vtp { server | client | transparent }

Switch(vlan)# vtp password password

On a CLI-based switch, the following command can be used to configure the VTP mode:

Switch(enable) set vtp [ domain domain_name ] [ mode { server | client | transparent } ] [ passwd password ]

If the domain is operating in secure mode, a password can be included in the command line. The password can have 8 to 64 characters.

3.5.3.3: Configuring the VTP Version

Two versions of VTP, VTP version 1 and VTP version 2, are available for use in a management domain. VTP version 1 is the default protocol on a Catalyst switch. Catalyst switches are capable of running either version, but the two versions are not interoperable within a management domain, so the same VTP version must be configured on every switch in a domain. A switch capable of VTP version 2 may still coexist with version 1 switches as long as version 2 is not enabled on it. This becomes important when you want to use version 2 in a domain: only one server mode switch needs to have VTP version 2 enabled. The new version number is propagated to all other version 2-capable switches in the domain, causing them to enable version 2 for use. By default, VTP version 1 is enabled. Version 2 can be enabled or disabled using the v2 option. The two versions of VTP differ in the features they support. VTP version 2 offers the following additional features over version 1:

• In transparent mode VTP version 1 matches the VTP version and domain name before forwarding the information to other switches using VTP. On the other hand, VTP version 2 in transparent mode forwards the VTP messages without checking the version number.

• VTP version 2 performs consistency checks on the VTP and VLAN parameters entered from the CLI or by Simple Network Management Protocol (SNMP). This checking helps prevent errors in such things as VLAN names and numbers from being propagated to other switches in the domain. However, no consistency checks are performed on VTP messages that are received on trunk links or on configuration and database data that is read from NVRAM.

• VTP version 2 has Unrecognized Type-Length-Value (TLV) support, which means that VTP version 2 switches will propagate received configuration change messages out other trunk links, even if the switch supervisor is not able to parse or understand the message.

On an IOS-based switch, the VTP version number is configured using the following commands:

Switch# vlan database

Switch(vlan)# vtp v2-mode

On a CLI-based switch, the VTP version number is configured using the following command:

Switch(enable) set vtp v2 enable

3.5.4: VTP Pruning

A switch must forward broadcast frames out all available ports in the broadcast domain because broadcasts are destined everywhere there is a listener. Multicast frames, unless forwarded by more intelligent means, follow the same pattern. In addition, frames destined for an address that the switch has not yet learned or has forgotten must be forwarded out all ports in an attempt to find the destination. These frames are referred to as unknown unicast. When forwarding frames out all ports in a broadcast domain or VLAN, trunk ports are included. By default, a trunk link transports traffic from all VLANs, unless specific VLANs are removed from the trunk with the clear trunk command. In a network with several switches, trunk links are enabled between switches and VTP is used to manage the propagation of VLAN information. This causes the trunk links between switches to carry traffic from all VLANs.

VTP pruning makes more efficient use of trunk bandwidth by reducing unnecessary flooded traffic. Broadcast and unknown unicast frames on a VLAN are forwarded over a trunk link only if the switch on the receiving end of the trunk has ports in that VLAN. VTP pruning occurs as an extension to VTP version 1. When a Catalyst switch has a port associated with a VLAN, the switch sends an advertisement to its neighbor switches that it has active ports on that VLAN. The neighbors keep this information, enabling them to decide if flooded traffic from a VLAN should use a trunk port or not.

By default, VTP pruning is disabled on IOS-based and CLI-based switches. On IOS-based switches, the vtp pruning command in VLAN database configuration mode enables pruning; on CLI-based switches, the set vtp pruning enable command enables it.