VTP – Understand, Configure and Verify

This article explains VTP, the different VTP modes and the key elements you should know about it. It also presents a lab on how to configure and verify VTP version 2. You can replicate this lab on your own switches to learn more about VTP.
Introduction
VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that propagates the definition of Virtual Local Area Networks (VLANs) across an Ethernet domain (LAN).
VTP advertises the VLAN ID, VLAN name, and VLAN type for each VLAN dynamically to neighboring switches. However, VTP does not advertise any information about which ports (interfaces) should be in each VLAN.
VTP modes
You can configure a Cisco switch to operate in any one of these VTP modes: Server, Client, Transparent, or Off.
The following table identifies the behavioral difference between each mode of VTP.

VTP mode off (configurable only in CatOS switches or with VTP version 3)
In this mode, switches behave the same as in VTP transparent mode with the exception that VTP advertisements are not forwarded.
How VTP works?
Cisco switches transmit VTP summary advertisements over the management VLAN (VLAN 1 by default) in a Layer 2 multicast frame every 5 minutes. VTP sends updates ONLY out of active trunk interfaces (ISL or 802.1Q), so the first step in running VTP is to ensure that the switches are trunking with each other (ISL or 802.1Q; VTP runs over both).
VTP Password
The VTP password is optional. It cannot be learned through VTP advertisements, so it must be configured manually on every device.
If you configure a VTP password, you must configure the same password on all switches in the VTP domain. The configured password is converted into a 16-byte MD5 digest that is carried in all summary-advertisement VTP packets.
NOTE: The revision number and VTP domain name can easily be seen in a sniffer trace; to prevent DoS attacks against VTP, set VTP passwords, which are carried as MD5 message digests in the VTP updates.
Configuration Revision Number
A configuration revision number is a 32-bit number that indicates the level of revision for a VTP packet. Each VTP device tracks the VTP configuration revision number that is assigned to it. Most of the VTP packets contain the VTP configuration revision number of the sender.
This information is used to determine whether the received information is more recent than the current version. Each time you make a VLAN change (create or delete) on a switch, the configuration revision is incremented by one.
In order to reset the configuration revision of a switch, change the VTP domain name, and then change the name back to the original name.
Example lab
Now that we understand VTP, let's configure and verify VTP version 2 using this lab. In this example, we have 4 Cisco switches running 15.x code, connected as shown in the diagram above. We will configure SW1 in VTP transparent mode, SW2 in VTP server mode (the default mode in VTPv2), and SW3 and SW4 in VTP client mode. We will also configure the VTP domain SysVN and the VTP password P@$$W0rD on all 4 switches. Finally, we will create some VLANs to verify whether VTP is working as expected. So let's get started.
The first step in configuring VTP is to ensure that the switches are trunking with each other (ISL or 802.1Q; VTP runs over both).

SW1 -> SW4

Enable dot1q trunking on necessary switchports.

conf t
interface range Ethernet0/0-1
switchport trunk encapsulation dot1q
switchport mode trunk
no shut
end
write mem
Verify whether the trunk has formed.

SWx# show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Et0/0       on           802.1q         trunking      1
Et0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Et0/0       1-4094
Et0/1       1-4094

Port        Vlans allowed and active in management domain
Et0/0       1
Et0/1       1

Port        Vlans in spanning tree forwarding state and not pruned
Et0/0       1
Et0/1       none
Let's verify the default VTP status.

SWx# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0200
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 5
Configuration Revision            : 0
MD5 digest                        : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
                                    0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC
As you can see, the switches run VTP version 1 in server mode by default, with no domain name.

Next, configure the VTP domain name on the VTP server; all other switches without a configured domain name will dynamically learn it. The VTP password cannot be learned through VTP, so you must configure it manually on all switches. Finally, create some VLANs on the VTP server (SW2 in this case).

SW2

Configure VTP as per the lab requirement.

vtp domain SysVN
vtp version 2
vtp password P@$$W0rD
!
vlan 100-105
Verify the VTP status.

SW2# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : SysVN
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0200
Configuration last modified by 0.0.0.0 at 10-4-16 15:02:43
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 11
Configuration Revision            : 2
MD5 digest                        : 0x11 0xB7 0x23 0x63 0x39 0x57 0x10 0x82
                                    0xFB 0x7A 0x13 0x5D 0xF1 0xAD 0x36 0xC6
Note that when a switch is in VTP client or server mode, the configured VLANs do not appear in the running configuration; they are kept in the VLAN database file.

SW2# show running-config | i vlan
vlan internal allocation policy ascending

SW1

Configure VTP as per the lab requirement.

vtp domain SysVN
vtp version 2
vtp mode transparent
vtp password P@$$W0rD
!
vlan 100-105
NOTE: Since SW1 is running in VTP transparent mode, it does not participate in VTP advertisements, so all VLANs need to be created manually.

Verify the VTP status.

SW1# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : SysVN
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0100
Configuration last modified by 0.0.0.0 at 10-4-16 15:00:30

Feature VLAN:
--------------
VTP Operating Mode                : Transparent
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 11
Configuration Revision            : 0
MD5 digest                        : 0xE6 0xEC 0x88 0x1A 0xE7 0x39 0xB6 0x4E
                                    0x3E 0xA5 0x74 0xFD 0x72 0xF3 0x80 0x50
Also note that when a switch is in VTP transparent mode, the VLAN configuration statements do appear in the running configuration.

SW1# show running-config | i vlan
vlan internal allocation policy ascending
vlan 100-105

SW3 & SW4

Configure VTP as per the lab requirement.

vtp domain SysVN
vtp version 2
vtp mode client
vtp password P@$$W0rD
NOTE: Since SW3 and SW4 are running VTP client mode, all VLANs will be created automatically using VTP advertisements from SW2.

Verify the VTP status.

SW3/4# show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : SysVN
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.0300
Configuration last modified by 0.0.0.0 at 10-4-16 15:02:43

Feature VLAN:
--------------
VTP Operating Mode                : Client
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 11
Configuration Revision            : 2
MD5 digest                        : 0x11 0xB7 0x23 0x63 0x39 0x57 0x10 0x82
                                    0xFB 0x7A 0x13 0x5D 0xF1 0xAD 0x36 0xC6
Note that when a switch is in VTP client or server mode, the configured VLANs do not appear in the running configuration; they are kept in the VLAN database file.

SW3/4# show running-config | i vlan
vlan internal allocation policy ascending

SW1 to SW4

Verify the VTP password.

SWx# show vtp password
VTP Password: P@$$W0rD
NOTE: The VTP password is never sent in VTP messages; an MD5 digest is sent instead.

Verify the VLAN status.

SWx# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/2, Et0/3, Et1/0, Et1/1
                                                Et1/2, Et1/3, Et2/0, Et2/1
                                                Et2/2, Et2/3, Et3/0, Et3/1
                                                Et3/2, Et3/3
100  VLAN0100                         active
101  VLAN0101                         active
102  VLAN0102                         active
103  VLAN0103                         active
104  VLAN0104                         active
105  VLAN0105                         active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup

Sure enough, the VTP advertisements worked as expected. For the final verification, let's confirm that a change elsewhere in the VTP domain, such as a VLAN creation or removal, does not affect the transparent switch (SW1 in this case), which only relays VTP messages.

First, enable VTP debugging on SW1 as follows.

SW1# debug sw-vlan vtp events
vtp events debugging is on
Now let's create a new VLAN on SW2 so that it generates VTP advertisements.

SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#vlan 200
SW2(config-vlan)#end
SW2#
You should see the following debug messages on the SW1 terminal. As you can see, SW1 relays (forwards) the VTP advertisement messages to the other switches.

SW1#
*Oct 4 16:26:13.531: VTP LOG RUNTIME: Relaying packet received on trunk Et0/0 - in TRANSPARENT MODE (nc = false)
*Oct 4 16:26:13.532: VTP LOG RUNTIME: Relaying packet received on trunk Et0/0 - in TRANSPARENT MODE (nc = false)
*Oct 4 16:26:13.533: VTP LOG RUNTIME: Relaying packet received on trunk Et0/1 - in TRANSPARENT MODE (nc = false)
*Oct 4 16:26:13.534: VTP LOG RUNTIME: Relaying packet received on trunk Et0/1 - in TRANSPARENT MODE (nc = false)
On SW3 and SW4, verify that VLAN 200 was created automatically from the VTP advertisements.

SW3/4# show vlan | i 200
200  VLAN0200                         active
200  enet  100200     1500  -      -      -        -    -        0      0
Gotchas
-If a switch is configured as a VTP server without a VTP domain name, you cannot configure a VLAN on the switch.
-When the VTP domain name is configured on the VTP server, all other switches without a configured domain name dynamically learn it.
-Dynamic Trunking Protocol (DTP) carries the VTP domain name in its packets. Therefore, if the two ends of a link belong to different VTP domains, the trunk does not come up when DTP is used. In this special case, configure the trunk mode as on or nonegotiate on both sides so that the trunk comes up without a DTP negotiation agreement.
-If the domain has a single VTP server and it crashes, the best and easiest way to restore the operation is to change any of the VTP clients in that domain to a VTP server. The configuration revision still remains the same in the rest of the clients, even if the server crashes. Therefore, VTP works properly in the domain.
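To make the behaviour described above concrete (server advertisements, clients learning the domain name, transparent switches relaying but never applying updates, the password digest check, and the revision-number rules, including the reset when the domain name changes), here is a small Python model that replays this lab. It is an added example, not Cisco code or anything from the original article; the digest function is a constructed stand-in for the real MD5 computation, and the switch/VLAN numbers are the lab's own.

```python
import hashlib

def vtp_digest(domain, password, revision):
    # Constructed stand-in for the 16-byte MD5 in summary advertisements; the real
    # hash input differs, but like the real one it covers the (never-sent) password.
    return hashlib.md5(f"{domain}|{password}|{revision}".encode()).digest()

class VtpSwitch:
    # Simplified model of VTP server / client / transparent behaviour (not Cisco code).
    def __init__(self, name, mode="server", domain="", password=""):
        self.name, self.mode, self.domain, self.password = name, mode, domain, password
        self.revision, self.vlans = 0, {1}

    def set_domain(self, domain):
        if domain != self.domain:          # changing the domain name resets the revision
            self.revision = 0
        self.domain = domain

    def change_vlans(self, add=(), remove=()):
        if self.mode == "client":
            raise RuntimeError(f"{self.name}: clients cannot create or delete VLANs")
        self.vlans = (self.vlans | set(add)) - set(remove)
        if self.mode != "server":
            return None                    # transparent: local change only, nothing advertised
        self.revision += 1                 # each create/delete increments the revision by one
        return {"domain": self.domain, "revision": self.revision,
                "digest": vtp_digest(self.domain, self.password, self.revision),
                "vlans": frozenset(self.vlans)}

    def receive(self, adv):
        # Returns True when the advertisement is accepted and the VLAN database replaced.
        if self.mode == "transparent":
            return False                   # relayed on other trunks, never applied locally
        if not self.domain:
            self.domain = adv["domain"]    # a switch without a domain name learns it
        if adv["domain"] != self.domain:
            return False
        if adv["digest"] != vtp_digest(adv["domain"], self.password, adv["revision"]):
            return False                   # password mismatch: update ignored
        if adv["revision"] <= self.revision:
            return False                   # only a higher revision replaces the database
        self.revision, self.vlans = adv["revision"], set(adv["vlans"])
        return True

def lab():
    # Replays the article's lab: SW2 server, SW1 transparent, SW3/SW4 clients
    # (SW4 is given a wrong password here to show the digest check rejecting the update).
    sw1 = VtpSwitch("SW1", "transparent", "SysVN", "P@$$W0rD")
    sw2 = VtpSwitch("SW2", "server", "SysVN", "P@$$W0rD")
    sw3 = VtpSwitch("SW3", "client", "", "P@$$W0rD")       # learns the domain name
    sw4 = VtpSwitch("SW4", "client", "SysVN", "WrongPassword")
    adv = sw2.change_vlans(add=range(100, 106))
    results = {sw.name: sw.receive(adv) for sw in (sw1, sw3, sw4)}
    sw1.change_vlans(add=range(100, 106))  # transparent switch must add VLANs by hand
    return results, sw3.vlans, sw1.revision
```

Calling `lab()` shows SW3 accepting the update and learning the domain, SW4 (wrong password) and SW1 (transparent) rejecting it, and SW1's revision staying at 0 just as in its `show vtp status` output above.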
I hope you enjoyed this article. Please feel free to leave any comment or feedback.