
VLAN Trunking Protocol

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Tech Nerd (talk | contribs) at 04:35, 6 December 2007 (updated link to avoid double redirect.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

VTP can also stand for Venturi Transport Protocol, Virtual Terminal Protocol or in some cases the Vista Transformation Pack.
[Figure: VTP.gif – Example without and with VTP]

VLAN Trunking Protocol (VTP) is a Cisco proprietary Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis, which reduces administration in a switched network. When you configure a new VLAN on one VTP server, the VLAN is distributed to all switches in the domain, so the same VLAN does not have to be configured on every switch by hand. To do this, VTP carries VLAN information to all the switches in a VTP domain. VTP advertisements can be sent over ISL, 802.1Q, IEEE 802.10 and LANE trunks. VTP traffic is sent over the management VLAN (VLAN 1), so all VLAN trunks must be configured to pass VLAN 1. VTP is available on most of the Cisco Catalyst family products.[1]

The comparable IEEE standard in use by other manufacturers is GVRP.

VTP Modes

VTP operates in one of three modes: server, client, and transparent.

  • Server – In this mode you can create, remove, and modify VLANs. You can also set other configuration options such as the VTP version, and enable or disable VTP pruning for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on messages received over trunk links. Server is the default VTP mode.
  • Client – VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on the local device.
  • Transparent – A switch set to VTP transparent mode does not participate in VTP. A transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received messages. VLANs can be created, changed or deleted locally in transparent mode. However, in VTP version 2, transparent switches do forward the VTP messages they receive out their trunk ports.

VTP sends messages between trunked switches so that the VLAN configuration on those switches stays consistent and trunking works correctly. VTP messages are exchanged between switches within a common VTP domain. If the domain name in a message differs from the switch's own, the switch simply ignores the packet. If the domain name matches, the switch compares the configuration revision number: if the revision number of an update received on a client or server switch is higher than the switch's current revision, the new configuration is applied; otherwise the update is ignored.

When new devices are added to a VTP domain, their revision numbers should be reset before insertion to prevent conflicts across the domain. Utmost caution is advised when dealing with VTP topology changes, logical or physical. Exchanges of VTP information can be protected by a password; the password must be configured on every switch in the domain for this to work.

VTP Versions

VTP version 2 supports the following features not supported in version 1:[2]

VTP Functionality | Support/Processing in Version 2
Token Ring | Token Ring Bridge Relay Function (TrBRF) and Token Ring Concentrator Relay Function (TrCRF) VLANs are supported.
Unrecognized Type-Length-Value (TLV) | In V2, a server propagates TLVs even if it does not understand them, and saves them in NVRAM when the switch is in VTP server mode. This is useful if not all devices are at the same version or release level.
Version-Dependent Transparent Mode | Version 1 supports multiple domains while Version 2 supports only one. In V1, a transparent switch forwards messages only if they match the destination domain name and version; VTPv2 does not perform this check before forwarding.
Consistency Checks | VTPv1 does more consistency checking on messages, which adds overhead. As long as the MD5 digest on a message is correct, VTPv2 forwards it. VTPv2 consistency-checks new configuration information entered through the configuration editor, Cluster Management Software or SNMP.

VTP version 3 is a protocol that is only responsible for distributing a list of opaque databases over an administrative domain. When enabled, it provides the following enhancements over previous VTP versions:

  • Support for extended VLANs.
  • Support for the creation and advertising of private VLANs.
  • Improved server authentication.
  • Protection from the "wrong" database accidentally being inserted into a VTP domain.
  • Interaction with VTP version 1 and VTP version 2.
  • Provides the ability to be configured on a per-port basis.
  • Provides the ability to propagate the VLAN database and other databases.[1]

VTP Version 1 and 2 Configuration Guidelines

This section describes the guidelines for implementing VTP in your network:

  • All switches in a VTP domain must run the same VTP version.
  • You must configure a password on each switch in the management domain when you are in secure mode.

Caution: If you configure VTP in secure mode, the management domain will not function properly if you do not assign a management domain password to each switch in the domain.

  • A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP version 1 if VTP version 2 is disabled on the VTP version 2-capable switch (VTP version 2 is disabled by default).
  • Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version 2 capable. When you enable VTP version 2 on a switch, all of the version 2-capable switches in the domain enable VTP version 2.
  • In a Token Ring environment, you must enable VTP version 2 for Token Ring VLAN switching to function properly.
  • Enabling or disabling VTP pruning on a VTP server enables or disables VTP pruning for the entire management domain.
  • Making VLANs pruning-eligible or pruning-ineligible on a switch affects pruning eligibility for those VLANs on that device only (not on all switches in the VTP domain).[2]

Configuration Commands

Step | Task | Command
Step 1 | Define the VTP domain name (case sensitive). | set vtp domain name
Step 3 | Set which VTP version to run. | vtp version #
Step 4 | (Optional) Set a password for the VTP domain. | set vtp passwd passwd
Step 5 | Verify the VTP configuration. | show vtp domain

VLAN Pruning

[Figure: Pruning.gif – VLAN pruning on trunk links]

VTP can prune unneeded VLANs from trunk links. VTP maintains a map of VLANs and switches, enabling traffic to be directed only to those switches known to have ports on the intended VLAN. This enables more efficient use of trunk bandwidth.

Each switch advertises which VLANs it has active to its neighboring switches. The neighboring switches then "prune" from that trunk the VLANs that are not active on the far side, saving bandwidth. If a VLAN is later added to one of the switches, that switch re-advertises its active VLANs so that its neighbors can update their pruning. For this to work, VLAN pruning must be enabled on both ends of the trunk. The easiest way to enable VLAN pruning for an entire VTP management domain is to enable it on one of the VTP servers for that domain. To enable VLAN pruning for a VTP domain, enter the following command on a VTP server for that domain:

VTP_Server_Sw1(config)# vtp pruning

This setting then propagates to all switches in the VTP domain.

Configure VLAN Pruning

Step | Task | Command
Step 1 | Enable VTP pruning in the management domain. | set vtp pruning enable
Step 2 | (Optional) Make specific VLANs pruning-ineligible on the device. (By default, VLANs 2-1000 are pruning-eligible.) | clear vtp pruneeligible vlan_range
Step 3 | (Optional) Make specific VLANs pruning-eligible on the device. | set vtp pruneeligible vlan_range
Step 4 | Verify the VTP pruning configuration. | show vtp domain
Step 5 | Verify that the appropriate VLANs are being pruned on trunk ports. | show trunk

VTP security

VTP may operate unauthenticated, in which case an attacker can easily inject spoofed VTP packets to add or delete VLAN information; tools such as Yersinia are freely available for this. A password can be set for the VTP domain; it is used together with the MD5 hash function to authenticate VTP packets. This optional password authentication should not conceal the fact that using VTP in sensitive environments remains very risky.

VTP Problems

When a VTP client or server with a higher configuration revision number is inserted into the domain, the other switches discard their own VLAN configuration and take the VLAN information from the inserted switch. The only way to recover the lost information is to re-add the missing VLANs and delete the unwanted ones. To avoid this, set the switch you are inserting to transparent mode first, because that resets its configuration revision number, and then switch it back to client or server mode. Another way to reset the revision number is to change the VTP domain name to something else, such as "test", and then change it back.
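The domain, digest and revision rules from the earlier sections, together with the overwrite problem just described, can be reproduced with a small Python model of a VTP switch. This is an added illustration, not Cisco's code and not part of the original article. It assumes a simplified digest (MD5 over the domain password and the advertised fields; the real VTP digest covers specific header fields, which are not reproduced here) and uses constructed switch names, VLAN lists and the password "s3cret". The three scenarios show a higher-revision switch overwriting the production VLAN list, the transparent-mode reset that prevents it, and the rejection of an advertisement built without the domain password.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    """One VTP summary advertisement, reduced to the fields the article discusses."""
    domain: str
    revision: int
    vlans: frozenset
    digest: str


def vtp_digest(password, domain, revision, vlans):
    """Simplified model of the VTP MD5 digest: MD5 over the password and the
    advertised fields. The real digest covers specific header fields."""
    h = hashlib.md5()
    for part in (password, domain, str(revision),
                 ",".join(str(v) for v in sorted(vlans))):
        h.update(part.encode())
        h.update(b"\x00")
    return h.hexdigest()


class Switch:
    def __init__(self, name, domain, mode="server", password="", vlans=(1,), revision=0):
        self.name = name
        self.domain = domain
        self.mode = mode
        self.password = password
        self.vlans = set(vlans)
        self.revision = revision

    def add_vlan(self, vlan_id):
        """Clients cannot edit VLANs; each server-side change bumps the revision."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot create VLANs")
        self.vlans.add(vlan_id)
        if self.mode == "server":
            self.revision += 1

    def set_mode(self, mode):
        if mode == "transparent":
            self.revision = 0  # the reset the article recommends before re-insertion
        self.mode = mode

    def set_domain(self, domain):
        self.domain = domain
        self.revision = 0  # changing the domain name also resets the revision

    def advertise(self):
        return Advertisement(self.domain, self.revision, frozenset(self.vlans),
                             vtp_digest(self.password, self.domain, self.revision, self.vlans))

    def receive(self, adv):
        """Apply the article's rules in order: mode, domain name, digest, revision."""
        if self.mode == "transparent":
            return "ignored: transparent mode"
        if adv.domain != self.domain:
            return "ignored: domain mismatch"
        if adv.digest != vtp_digest(self.password, adv.domain, adv.revision, adv.vlans):
            return "rejected: MD5 digest mismatch (wrong or missing password)"
        if adv.revision <= self.revision:
            return "ignored: revision not higher"
        self.vlans = set(adv.vlans)  # higher revision wins: local VLAN list is replaced
        self.revision = adv.revision
        return "applied"


def scenario_higher_revision_overwrites():
    """A lab switch with a higher revision wipes the production VLAN list."""
    prod = Switch("prod-core", "Cisco", password="s3cret", vlans=(1, 10, 20, 30), revision=10)
    lab = Switch("lab-sw", "Cisco", password="s3cret", vlans=(1, 99), revision=25)
    result = prod.receive(lab.advertise())
    return result, sorted(prod.vlans), prod.revision


def scenario_reset_before_insert():
    """Bouncing the new switch through transparent mode zeroes its revision first."""
    prod = Switch("prod-core", "Cisco", password="s3cret", vlans=(1, 10, 20, 30), revision=10)
    lab = Switch("lab-sw", "Cisco", password="s3cret", vlans=(1, 99), revision=25)
    lab.set_mode("transparent")
    lab.set_mode("client")
    result = prod.receive(lab.advertise())
    sync = lab.receive(prod.advertise())  # the client now syncs to the server instead
    return result, sorted(prod.vlans), sync, sorted(lab.vlans)


def scenario_missing_password():
    """An advertisement built without the domain password fails the digest check."""
    prod = Switch("prod-core", "Cisco", password="s3cret", vlans=(1, 10), revision=10)
    no_pw = Switch("unconfigured-sw", "Cisco", password="", vlans=(1,), revision=999)
    return prod.receive(no_pw.advertise()), sorted(prod.vlans)


if __name__ == "__main__":
    print(scenario_higher_revision_overwrites())
    print(scenario_reset_before_insert())
    print(scenario_missing_password())
```

The first scenario is the failure the article warns about: revision 25 beats revision 10, so the production server ends up with VLANs 1 and 99 only. In the second, the same lab switch advertises revision 0 after the transparent-mode bounce, the production server ignores it, and the lab switch then adopts the production VLAN list. The third shows that, with a domain password configured, an advertisement whose digest was not computed with that password is rejected regardless of its revision number.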

Another problem can happen when you are inserting a switch with a different VTP domain name.

[Figure: Vtp.JPG – switches A, B and C, with B in a different VTP domain]

As the image above shows, switch B is in a different VTP domain from A and C. If more VLANs were added on switch A, switch C would not receive the update because switch B would drop all the messages. To fix this, if you want switch B in the same domain as the others, change its domain name to Cisco; all three would then synchronize to switch A, but you would have to re-add any VLANs deleted on switch B.

References
