VTP 101

How it works

VTP (VLAN Trunking Protocol) is used to advertise VLAN information between connected switches in a network. VTP messages are sent only on trunk ports. VTP advertises the VLAN_ID, VLAN_NAME, VLAN_TYPE and VLAN_STATE information for each VLAN. VTP doesn’t send any information regarding port assignment to VLANs.

There are 3 modes VTP can run in: server, client and transparent. Switches running in client mode can’t make changes to the VLAN information and only changes on switches in server mode are advertised to the other switches.

VTP version 1 and 2

Changes on VTP servers result in the VTP revision number being incremented and the propagation of new VLAN information in VTP messages. Upon receiving the message, a VTP server or client verifies the received revision number against it’s stored revision number and if the received one is higher, will save the new information in the vlan.dat file.

Improvements in VTP version 3

Due to numerous issues that can occur if there are multiple VTP servers that can change the configuration in a domain, VPTv3 introduces the concept of Primary VTP Server, which is the only switch that can perform changes to the VLAN information (together with the transparent switches, but they are independent). All other VTP servers actually work like clients, the difference being that they can be promoted to a Primary Serer role. To make things safer, switches will only accept VTP changes from the primary server they know and will ignore changes if another primary server comes up, even if its updates have a higher revision number.

VTP Versions

Sw(config)# vtp version {1|2|3}
!Default: 1

Version 1

• supports only Normal Range VLANs: 1-1005

• In transparent mode, it forwards only version 1 advertisements received on trunk links if VTP domain is NULL or if it matches the domain in the message

Version 2

• supports only Normal Range VLANs: 1-1005

• In transparent mode, it forwards any VTP advertisements received on trunk links if VTP domain is NULL or if it matches the domain in the message

Version 3

• Supports Normal and Extended Range VLANs (1-4094), including Private VLANs, but is only available starting with IOS 12.2.(52)SE.

• In transparent mode, it forwards VTP advertisements received on trunk links if VTP domain is NULL or if it matches the domain in the message

• Passwords are not shown in clear text anymore.

• Supports an OFF mode where VTP is disabled (per switch, or per interface) and received VTP messages are dropped:

  Copy

  Sw(config-if)# no vtp

• Server role changed to support a single primary VTP server and several secondary VTP servers. Only the primary server can change the VLAN information, and only one can exist at one time. VTP primary server role is requested through an EXEC command

• Backwards compatibile to VTPv1 and v2 by falling back to the detected version on each port

• VTPv3 is a generalized protocol to exchange database information to other switches, so it is able to distribute MST region configurations as well

VTP Mode

To set the vtp mode, use:

Sw(config)# vtp mode {client|server|transparent|off}
! Default: server
! off is only available in VTPv3

To see the mode, use:

Sw# show vtp status

Server

• It can create, modify and delete VLANs

• It sends and receives VLAN configuration in VTP advertisements, over trunk links.

• It will accept configuration changes from other VTP Servers

In version 3, to make a VTP server primary, use:

Sw# vtp primary

Client

• It cannot create, modify and delete VLANs

• It sends and receives VLAN configuration in VTP advertisements, over trunk links.

• It will accept configuration changes from other VTP Servers

Transparent

• It can create, modify and delete VLANs, but they have local significance

• Forwards VLAN configuration in VTP advertisements, over trunk links, as long as the messages are for the same domain as the switch, or if the switch hasn’t been configured with a domain name (domain=NULL).

• It will not accept configuration changes from other VTP Servers

Domain

To accept VTP advertisements, switches must be in the same VTP Domain. By default, a switch is set up as a VTP Server, but with a NULL domain name and it will act like a transparent VTP switch. If the VTP Domain is NULL, the switch will set its VTP domain to the first Domain that it sees in a VTP advertisement. You can manually set the domain with:

Sw(config)# vtp domain VTP-DOMAIN

Passwords

For each VTP domain, a VTP password can be set in order to authenticate VTP advertisements.

Sw(config)# vtp password VTP-PASS [hidden]
! hidden is only available for VTPv3

To see the password used:

Sw(config)# show vtp password
!It will show either plain text or the encrypted password, depending on how it was configured

VTP Pruning

Pruning prevents VLANs from being carried over trunks where they are not needed. Pruning can be enabled only on one VTP server

Sw(config)# vtp pruning

VTP Pruning can only prune a list of pruning-eligible VLANs that are configured per interface:

Sw(config-if)# switchport trunk pruning vlan {add VLAN-LIST|remove VLAN-LIST|except VLAN-LIST|none}