VTP: VLAN Trunking Protocol
Before taking the test, I guess a good way to review is to apply what I said in my previous post. Today I'll be writing about VTP. VTP stands for VLAN (virtual local area network) Trunking Protocol. VTP is a Cisco proprietary protocol, and it runs on most Cisco Catalyst switches. So the switches I'll be referring to are all Cisco Catalyst switches.
The purpose of VTP is to simplify management of VLAN information and trunk settings on a group of switches. You see, as the network gets bigger (the number of switches to be deployed increases), you would have to configure the VLAN information and trunk settings on every switch, and that's going to be very tedious. But thanks to VTP, we don't have to configure VLAN information and trunk settings on every switch.
VTP provides VLAN configuration consistency on all switches in the same domain when you add, delete, or rename VLANs. So we get a lot of benefits when we use VTP in our switched network:
1. we don't have to worry about adding/deleting/renaming VLANs on each switch in the domain to keep them consistent, because all switches in the same domain dynamically learn changes to a switch's VLAN configuration.
- to make it clearer, if we add/delete/rename a VLAN on one switch, all other switches in the same domain will have that VLAN added/deleted/renamed. sweet right?
2. the trunk ports are dynamically configured to allow the new VLANs to be forwarded. why is this important?
- a switch's trunk port will drop a packet from a particular VLAN if the switch doesn't have that VLAN in its VLAN database.
Ok, so what does VTP need in order to work? Better yet, what are VTP's components? Let's explore them one by one!
The first component is the VTP mode, which is the role a switch plays. There are three modes available: server, client, and transparent. By default, all Cisco Catalyst switches run in VTP server mode. In server mode, you are able to add/delete/rename VLANs for the whole domain on just one switch. The VTP server also listens to VTP advertisements from other switches in the same domain and then advertises them to the other switches in the domain as well. A switch running in VTP client mode, on the other hand, behaves pretty much the same as a VTP server, except that we can't add/delete/rename VLANs on that switch. I know you'll be asking why not just have all switches run in VTP server mode. Ok, first, VTP server switches need more memory to keep track of all the VLAN information. Secondly, not all switches in your organization will be distribution class switches (higher performance switches). A switch running in VTP transparent mode can add/delete/rename VLANs locally, and that does not affect the VLAN configuration of the domain it belongs to. A VTP transparent switch also forwards the VLAN advertisements of other switches on to other switches in the same domain, but it doesn't advertise or synchronize its own VLAN configuration with the domain. This is basically what Cisco means when it says that VTP transparent mode doesn't participate in VTP. So if you have VLAN configurations that have only local significance and you don't want to share them with the rest of the network, you can configure your switch in VTP transparent mode.
Oh, just a side note: remember that VTP only propagates VLANs in the VLAN ID range from 1 to 1005. The extended VLAN IDs are not propagated. Moreover, VLAN IDs from 1 to 1005 are stored in NVRAM in the vlan.dat file (this only applies to switches running in VTP server mode), while the extended VLAN IDs are stored in the running configuration. For switches running in VTP client mode, the VLAN IDs are all stored in the VLAN database (RAM) and not in NVRAM, since VTP clients cannot input VLAN configurations but dynamically learn the VLAN configuration from other switches (and then, based on what they have learned, propagate that information). Yeah, when you power off a switch running in VTP client mode, it loses all of its VLAN configuration, but not to worry, it can learn it again.
Sorry if I put too much emphasis on switches being in the same VTP domain. This is because the domain name plays a very big role in VTP, and it is the second component of VTP. If a switch has a different domain name and you expect that switch to learn the VLAN configuration of another domain, not in a million years will you get that to work. But if your plan is to have a VTP server in domain B connected to switches in domain A, you don't have to worry about VTP advertisements; they won't screw up either domain's VLAN configuration =) More on the design part later. A VTP domain determines the logical group of switches that participate in VTP and sets the limit of VTP propagation (it lets you separate your network into smaller management domains). Another note: yes, we can have more than one VTP domain in a network. It really depends on how you design your network for the organization's needs.
The third component of VTP is the VTP advertisements. Without them, how do you think switches learn about VLAN configurations? VTP uses different forms (or should I say a hierarchy) of advertisements to synchronize and maintain the consistency of VLAN configurations across the domain. So let's dig deeper into VTP advertisements. VTP is a Layer 2 (OSI model) protocol, thus its messages are sent as frames. A VTP frame consists of the VTP header and the VTP content/message, and both are located in the data/payload field of an Ethernet frame. The whole Ethernet frame is then not encapsulated as an 802.1Q or ISL frame. The destination address of the frame is a multicast address, so that all VTP-enabled switches receive the advertisement message.
There are three different types of VTP advertisement messages: summary, subset, and request. The VTP header contains the following: VTP domain name, domain name length, VTP version, and the configuration revision number. Other information is added based on the type of advertisement message. The VTP message, on the other hand, first contains this fixed-length global domain information: VTP domain name, identity of the switch (IP address) sending the message and the time it was sent, the MD5 digest used as the VTP checksum, the MTU size of each VLAN, and the frame format (either ISL or 802.1Q). Then, for each VLAN, the VTP message contains the VLAN ID (for 802.1Q), VLAN name, VLAN type, VLAN state, and additional VLAN configuration depending on the VLAN type. To clear things up about the three different VTP advertisement messages, I'll go ahead and discuss them too. The summary message contains the domain name, the revision number, and the rest of the VLAN configuration. Summary messages are sent every five minutes and whenever there is a VLAN configuration change. The subset message contains the VLAN information and is sent when triggered by one of the following events: VLAN addition, deletion, activation, suspension, renaming, or a change of the VLAN's MTU size. Lastly, the request message is sent to the VTP server to request the VLAN configuration information. The VTP server responds to a request with a summary and a subset message. Request messages are sent when triggered by one of the following events: the switch reloaded/power-cycled, the switch's VTP domain was changed, or the switch received a summary message with a higher revision number.
Just some final notes on VTP advertisements: one of the key factors in a VTP advertisement message is the configuration revision number. Every time there is a change in the VLAN configuration (e.g. addition/deletion of VLANs), the configuration revision number increments. This is how the other switches checking a VTP advertisement message tell whether the advertisement is newer or older than what they already have. The configuration revision number is a 32-bit number, thus it can increment up to 2^32 (go get a calculator).
The fourth component of VTP is VTP pruning. VTP pruning prevents unnecessary broadcasts on all trunk ports. I'll give an example so that you can understand it better. Let's say we have three switches, and the ports that connect them are trunk ports (802.1Q). Let's name the switches S1, S2 and S3, with S2 as the switch that connects S1 to S3. Say S1 has access ports ranging from VLAN 1 to VLAN 10, and S3 has access ports ranging from VLAN 11 to VLAN 20. Assuming that all three switches are in the same VTP domain, they should all have their VLAN configuration synchronized. Ok, here comes the VTP pruning part. Let's say that a host on S1 in VLAN 10 sends a broadcast. Without VTP pruning, the broadcast would be sent to all VLAN 10 ports, plus all trunk ports. But with VTP pruning, S2 will not forward the broadcast out the trunk port where S3 is connected, since S3 has no access port configured with VLAN 10. That's how VTP pruning saves bandwidth on your VLAN switched network! Oh yeah, to enable VTP pruning (only on one VTP server), go to the global configuration mode of the switch CLI and type in vtp pruning.
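As an added example (not from the original post), here is a small Python simulation of which trunk links carry a VLAN's broadcast with and without pruning. It generalizes the S1-S2-S3 example to any tree of trunks: a trunk carries a VLAN only if switches on both sides of it have access ports in that VLAN. The topology is constructed, and S2 is given access ports in VLANs 5 to 15 as an assumption so that its own hosts still need VLAN 10.

```python
def needed_vlans(trunks, access, start, exclude):
    # VLANs with access ports anywhere on the `start` side of the trunk
    # start-exclude: walk every switch reachable from `start` without
    # crossing back through `exclude` and collect their access VLANs.
    seen, stack, needed = {exclude, start}, [start], set(access.get(start, ()))
    while stack:
        sw = stack.pop()
        for a, b in trunks:
            nxt = b if a == sw else a if b == sw else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
                needed |= set(access.get(nxt, ()))
    return needed

def flooded_trunks(trunks, access, vlan, pruning):
    # Trunk links (as "A-B") that carry a broadcast in `vlan`. Without pruning
    # every trunk carries every VLAN; with pruning a trunk carries a VLAN only
    # if switches on both of its sides have access ports in that VLAN.
    links = []
    for a, b in trunks:
        both_sides = (vlan in needed_vlans(trunks, access, a, b)
                      and vlan in needed_vlans(trunks, access, b, a))
        if not pruning or both_sides:
            links.append(f"{a}-{b}")
    return links

def post_topology():
    # Constructed data after the post's example: S1-S2-S3 in a line, S1 with
    # access ports in VLANs 1-10 and S3 in VLANs 11-20. S2 is given access
    # ports in VLANs 5-15 (an assumption) so its own hosts still need VLAN 10.
    trunks = [("S1", "S2"), ("S2", "S3")]
    access = {"S1": range(1, 11), "S2": range(5, 16), "S3": range(11, 21)}
    return trunks, access
```

With pruning on, a VLAN 10 broadcast from S1 crosses S1-S2 but is dropped at the S2-S3 trunk, as in the post; a VLAN 3 broadcast never leaves S1 at all.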
To view VTP information/status on the switch, type in show vtp status in privileged mode of the switch CLI (command line interface). There you will see the following:
- vtp version (the version number, usually 1 or 2)
- vtp domain (the domain name)
- vtp password (the password for the domain, and yes it is shown in plain text form)
- number of existing VLANs on the switch
- current revision number (reflects the number of changes done)
- vtp pruning (if it is turned on or not)
- vtp version 2 (indicates whether the switch is using version 2 of VTP)
- maximum number of VLANs supported by the switch
- vtp trap generation (indicates whether the switch is sending VTP traps to a network management system)
- MD5 digest (this is a checksum for the VTP configuration)
- configuration last modified (the date/time the configuration was last changed)
To see if VTP advertisement took place, use show vtp counters.
To configure VTP settings, you must be in the global configuration mode of the switch.
1. configure the VTP domain name:
- vtp domain <domain-name>
2. configure the VTP password:
- vtp password <password>
3. configure the VTP mode:
- vtp mode <server | client | transparent>
4. configure VTP pruning:
- vtp pruning
5. configure the VTP version:
- vtp version <1 | 2>
How to configure VTP on your network:
1. always make sure that all switches are in their factory default settings; if you're adding a new switch to an already configured VTP domain, make sure that switch is in its default settings or at least reset its configuration revision number OR ELSE!
2. configure trunk ports for switch-to-switch connections (don't expect VTP to work on access ports! I wasted an hour of debugging because of that).
3. have at least two VTP servers for redundancy purposes; if one fails, you can still manage your VLANs.
4. configure the VTP domain on the server so it advertises its domain name to the other switches with default settings.
5. configure a password (if you want to, and I suggest you do for security purposes | I won't discuss why anymore, we'd be branching out into information security here. If you wanna know, just leave a comment asking me why and I'll answer).
6. configure the rest of the switches as VTP clients, and configure the password for the VTP domain on them.
7. check the VTP status to make sure everything is working fine on each switch; use show vtp status in privileged mode of the switch's CLI.
8. when you're done, you can start adding/deleting/renaming VLANs.
Ok, time for some real life design tips and scenarios about VTP. These are some of the things I've tried with VTP, and they might be useful information someday. First, let's say you have an existing switched network and you want to add a new switch to it. You must make sure that the switch is in its factory default settings. Why? Because if the switch has VLAN configurations that you don't consciously want and it has the same domain name as your switched network's domain, the unwanted VLAN configurations will be propagated. Just make sure that a new switch you add is in its factory default settings or has a different domain name, so that it won't propagate wrong/unwanted VLAN configurations.
Here is another scenario, given that all switches are in the same domain. Say there are two switches running in VTP server mode that are separated by a VTP transparent mode switch, and all switches have VLAN 10 in their VLAN database. Would the VTP transparent mode switch be able to forward a packet to the other switches that have VLAN 10? Yes, assuming that all trunk ports allow VLAN 10 to pass. And yes, VTP advertisements would reach the VTP client even though the VTP server and VTP client are separated by a VTP transparent switch, because VTP transparent switches still forward VTP advertisements.
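To tie together the VTP modes, the domain name, the configuration revision number, the warning in step 1 of the procedure and the new-switch scenario above, here is an added Python simulation (not the original post's code and not Cisco's implementation). It assumes simplified rules: a server or client replaces its VLAN database only when the domain name matches, the digest computed over the password matches, and the advertised revision number is strictly higher; a transparent switch never synchronizes. The digest function and the switch names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
def digest(domain, password, revision, vlans):
    # Simplified stand-in for the header's MD5 digest (assumption: not Cisco's format).
    data = f"{domain}|{password}|{revision}|{sorted(vlans.items())}".encode()
    return hashlib.md5(data).hexdigest()

@dataclass
class Switch:
    name: str
    mode: str                    # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid, vname):
        # Local change: clients are read-only, and only servers bump the revision.
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot edit VLANs")
        self.vlans[vid] = vname
        if self.mode == "server":
            self.revision += 1

    def advertisement(self):
        # Summary and subset messages collapsed into one dict for brevity.
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans),
                "digest": digest(self.domain, self.password, self.revision, self.vlans)}

    def receive(self, adv):
        # Sync only when domain and digest (password) match and the revision is strictly higher.
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False             # transparent relays but never synchronises
        if adv["digest"] != digest(self.domain, self.password, adv["revision"], adv["vlans"]):
            return False             # wrong password: advertisement ignored
        if adv["revision"] <= self.revision:
            return False             # older or equal revision: nothing new to learn
        self.revision, self.vlans = adv["revision"], dict(adv["vlans"])
        return True

def stale_switch_scenario(lab_password=""):
    # Post's design tip (constructed data): a stale switch with a higher revision wipes prod VLANs.
    prod = [Switch("S1", "server", "corp"), Switch("S2", "client", "corp")]
    prod[0].add_vlan(10, "sales"); prod[0].add_vlan(20, "eng")
    for sw in prod:                          # S1 advertises, S2 learns VLANs 10 and 20
        sw.receive(prod[0].advertisement())
    lab = Switch("LabSw", "server", "corp", lab_password, revision=50)
    overwritten = [sw.name for sw in prod if sw.receive(lab.advertisement())]
    return overwritten, {sw.name: sorted(sw.vlans) for sw in prod}
```

Run stale_switch_scenario() to watch VLANs 10 and 20 disappear from both production switches, and stale_switch_scenario("lab-pass") to see a mismatched domain password make the same advertisement harmless.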
For other VTP or VLAN configuration/troubleshooting/weird experience scenarios that I encounter, I'll make it a point to publish them.
For any CCNA or Cisco knowledgeable peeps who are reading this, please do check if what I wrote is correct (including typos or wrong grammar haha). And if you guys have any questions regarding VTP or VLANs, please do ask, I'll be glad to help and find the answers.