5-R&S/Virtual LAN Trunking Protocol (VTP).

In this post I will talk about how we can advertise the VLAN database information dynamically using VTP: its operation, versions, configuration and the verification commands from the CLI point of view.

Virtual LAN Trunking Protocol (VTP):

Assume we have a Layer 2 switched network consisting of 4 access switches and 2 distribution/core switches, and we need to define the VLANs on all 6 switches. We could simply log in to each switch and configure the VLANs we want, and with 6 switches that task is simple. But what happens when the Layer 2 switched network consists of about 20 access switches and 5 distribution/core switches? The number of devices to be accessed becomes large, and defining the VLANs on each switch by hand is no longer simple at all. For this situation we need a dynamic way to define the VLAN database, and VTP is the protocol for that task: we configure the VLANs on one switch, and that switch advertises the VLAN database to all the remaining switches. The VLANs are configured on only one switch within the Layer 2 switched network, and VTP propagates the VLAN database information to all the other switches in it.

VTP advertises the VLANs defined in the VLAN database together with the parameters associated with each VLAN, such as the VLAN ID, VLAN name, VLAN type and VLAN state. It does not advertise which ports are members of which VLAN, since the port-to-VLAN mapping is usually unique to each switch, so there is no need to advertise it.

For VTP to work, the inter-switch links (the links connecting the switches) must be configured as trunks. As the name of the protocol implies, the VLAN information is propagated from one switch to another over the trunk links connecting them. If an inter-switch link is configured as an access port, the switch will not send VTP messages over it, and this is logical: an access link is supposed to carry traffic for only one VLAN, so there is no point in sending the whole VLAN database to the other switch over a link that will never carry traffic for those VLANs.

VTP supports four modes of operation:

  1. VTP Off mode (applicable only with VTP version 3): when the switch is configured in Off mode, VTP is disabled on it. The switch does not understand VTP messages, so it does not forward them; they are dropped.
  2. VTP server mode: a switch configured as a VTP server is able to create, modify or delete VLANs.
    It can originate VTP advertisement messages, process the VTP advertisement messages it receives, and forward the VTP advertisement messages it receives from other switches.
  3. VTP client mode: a switch configured as a VTP client is unable to create, modify or delete VLANs.
    It can originate VTP advertisement messages, process the VTP advertisement messages it receives, and forward the VTP advertisement messages it receives from other switches.
  4. VTP transparent mode: a switch configured as VTP transparent is able to create, modify or delete VLANs, but since it does not originate VTP advertisements those VLANs stay local to it.
    It can neither originate nor process received VTP advertisement messages, but it can forward (relay) the received VTP advertisement messages to other switches connected over trunk links.

There are three versions of VTP: version 1, version 2 and version 3. Each version has its own capabilities, and each new version enhances certain capabilities of the previous one.

  1. VTP version 1:
    a-It is the default version on most IOS releases.
    b-It supports only the advertisement of Ethernet VLANs.
    c-It supports only the normal range of VLANs (i.e. VLAN IDs from 1 to 1001).
    d-It supports three modes of operation (Server, Client and Transparent).
    e-It supports the extended range of VLANs (i.e. VLAN IDs from 1006 to 4094) only when the switch is configured in VTP transparent mode.
    f-When a switch configured in VTP transparent mode receives a VTP message, it checks two things inside it, the VTP version and the VTP domain name. If the VTP version and domain name in the message match the values locally configured on the transparent switch, it forwards the VTP message to the other switches connected over trunk links; if the VTP version or the domain name differs, it does not forward the message.
  2. VTP version 2:
    a-It enhances the type of VLAN that can be advertised: it can advertise Token Ring VLAN information as well, so it supports the advertisement of both Ethernet and Token Ring VLAN information.
    b-It supports only the normal range of VLANs.
    c-It supports three modes of operation (Server, Client and Transparent).
    d-It supports the extended range of VLANs (i.e. VLAN IDs from 1006 to 4094) only when the switch is configured in VTP transparent mode.
    e-When a switch configured in VTP transparent mode receives a VTP message, it checks only the VTP domain name. If the VTP domain name in the message matches the value locally configured on the transparent switch, it forwards the VTP message to the other switches connected over trunk links; if the VTP domain name differs, it does not forward the message.
  3. VTP version 3:
    a-It enhances the VLAN range that can be advertised in the VTP message: it supports the full range of Ethernet VLANs, normal and extended (i.e. VLAN IDs from 1 to 1001 and 1006 to 4094).
    b-It supports four modes of operation (Off, Server, Client and Transparent).
    c-VTP server mode is different from the other versions. In versions 1 and 2 we can configure multiple servers in the VTP domain, and each of them can create, modify or delete VLANs in the VLAN database and hence update the VLAN database of the other switches within the VTP domain. In VTP version 3 there are two types of VTP server, the primary server and the secondary server. Only the primary server has the ability to create, modify or delete VLAN(s) and thereby update the VLAN database of the other switches within the VTP domain, and only one VTP primary server switch is allowed at a time; this reduces the probability of unwanted modifications that disrupt the VLAN database by mistake. The VTP secondary server is not a backup primary: if the primary server fails or goes down for any reason, the secondary server does not automatically become the new primary server. To make a secondary server the primary server we have to enter the VTP password in its plaintext format (so that only the admin of the VTP domain, who holds the plaintext password, can do this); after that the secondary server becomes the new primary server and can create, modify or delete VLAN(s).

VTP operation:

VTP has multiple parameters that affect its operation: the VTP domain name, version number, password, mode of operation and configuration revision number. For switches to be in the same VTP domain they must be configured with the same VTP domain name, version number and password; once these parameters match, we can discuss the VTP operation between the switches.

Assume the following figure, which shows the simple Layer 2 switched network we will talk about:

(Figure: the simple Layer 2 switched network used in this post: switch1, switch2 and switch3)

By default all switches are VTP servers, so to explain the VTP operation we assume that we configure both switch2 and switch3 as VTP clients.

1-The administrator of this Layer 2 switched network configures new VLAN(s) on switch1 (which currently acts as the VTP server switch), so switch1 needs to announce the updated VLAN database to the other switches that participate in this VTP domain. Before doing that it increments the VTP configuration revision number; the configuration revision number is used by the VTP switches to determine whether the VLAN database received from the VTP server is more recent than the local database. Switch1 then sends a summary of the VTP domain, such as the domain name, the configuration revision number and the number of VTP Subset Advertisement messages that will follow, out of its trunk links in a message called the “VTP Summary Advertisement” message. The following figure shows the VTP Summary Advertisement message as seen in Wireshark:

(Figure vtp 1: VTP Summary Advertisement message as seen in Wireshark)

It consists of the following important fields:
1-Version: this field is used to indicate the VTP version number.
2-Code: this field is used to indicate the type of VTP message.
3-Followers: this field is used to indicate the number of VTP Subset Advertisement message that will follow this summary advertisement message.
4-Management Domain Length: this field is used to indicate the length of the VTP domain name.
5-Management domain: this field is used to indicate the VTP domain name.
6-Configuration Revision number: this field is used to indicate the VTP configuration revision number.
7-Updater Identity: this field is used to indicate the identity (IP address) of the switch that updated the VLAN database.
8-Update Timestamp: this field is used to indicate the time at which this VTP message was generated.
9-MD5 Digest: this field is used to carry the MD5 digest of the information in this VTP message; the information carried in the message is passed through the MD5 hash function to generate this digest.

2-Then the VTP server switch sends the full VLAN database out of its trunk links in a message called the “VTP Subset Advertisement” message, which carries the information about all the VLANs defined in the VLAN database. The following figure shows the VTP Subset Advertisement message as seen in Wireshark:

(Figure vtp 2: VTP Subset Advertisement message as seen in Wireshark)

It consists of the following important fields (I will exclude the fields mentioned before):
1-VLAN information: this field carries the information about one VLAN; it is repeated for each VLAN in the message and contains the following sub-fields.
a-VLAN information Length: this field is used to indicate the length of the information carried in the VLAN information field.
b-Status: this field is used to indicate the status of the VLAN carried either active or suspended.
c-VLAN type: this field is used to indicate the type of this VLAN either Ethernet, Token Ring or FDDI.
d-VLAN name Length: this field is used to indicate the length of the VLAN name.
e-ISL VLAN ID: this field is used to indicate the VLAN ID.
f-MTU size: this field is used to indicate the MTU size defined for this VLAN.
g-VLAN name: this field is used to indicate the VLAN name.

3-Once switch2 and switch3 receive the two VTP messages (VTP Summary Advertisement and Subset Advertisement), they check the MD5 digest field: if the MD5 digest calculated by the local switch matches the value in the MD5 digest field of the VTP messages they continue the process, otherwise they ignore and drop those VTP messages. Once the MD5 digest values match, they check the VTP domain name seen in these messages; if it matches, they check the VTP configuration revision number to decide whether to accept the VTP message. If the configuration revision number in the message is larger than the local value, the message carries newer information about the VLAN database, so they accept it and forward/relay it out of all their trunk ports; if it is smaller than the local value, the message is ignored because they already hold the most recent VLAN database. In our case the two switches (switch2 and switch3) have no VTP configuration and no VLANs defined in the VLAN database (except the default VLANs defined by the system), so when they receive these two VTP messages (Summary Advertisement and Subset Advertisement) and find a VTP domain name inside them other than “null”, they become members of the VTP domain named “IP_FOR_EXPERTS”, accept the VTP messages and add the VLANs to their VLAN database.
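To make the two message layouts and the acceptance rule in step 3 concrete, here is an added example (not code from the post or from a Cisco device): a parser for the VTP version 1/2 Summary Advertisement and Subset Advertisement frames described above, plus a VtpSwitch class that applies the domain-name and configuration-revision checks to constructed frames. The MD5 digest check is left out because its computation is not described in the post; the domain, VLANs and frames are constructed for the example, and the function and class names are my own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
VTP_SUMMARY, VTP_SUBSET = 1, 2   # Code field: 1 summary, 2 subset, 3 advertisement request, 4 join
VLAN_SUSPENDED = 0x01            # bit in the Status byte; clear means the VLAN is active
VLAN_TYPES = {1: "Ethernet", 2: "FDDI", 3: "TrCRF", 4: "FDDI-net", 5: "TrBRF"}

@dataclass
class Summary:
    version: int; followers: int; domain: str; revision: int; updater: str; digest: bytes

@dataclass
class Vlan:
    vlan_id: int; name: str; vlan_type: str; active: bool; mtu: int

def parse_summary(pkt: bytes) -> Summary:
    """Summary Advertisement: version, code, followers, domain length, 32-byte domain,
    4-byte configuration revision, 4-byte updater identity, 12-byte timestamp, 16-byte MD5."""
    version, code, followers, dlen = struct.unpack_from("!BBBB", pkt, 0)
    if code != VTP_SUMMARY:
        raise ValueError(f"code {code} is not a summary advertisement")
    (revision,) = struct.unpack_from("!I", pkt, 36)
    updater = ".".join(str(b) for b in pkt[40:44])
    return Summary(version, followers, pkt[4:4 + dlen].decode("ascii"), revision, updater, pkt[56:72])

def parse_subset(pkt: bytes) -> Tuple[str, int, List[Vlan]]:
    """Subset Advertisement: same header (byte 2 is a sequence number) up to the revision, then one
    block per VLAN: info length, status, type, name length, ISL VLAN ID, MTU, 802.10 index, padded name."""
    _version, code, _seq, dlen = struct.unpack_from("!BBBB", pkt, 0)
    if code != VTP_SUBSET:
        raise ValueError(f"code {code} is not a subset advertisement")
    (revision,) = struct.unpack_from("!I", pkt, 36)
    vlans, off = [], 40
    while off < len(pkt):
        info_len, status, vtype, nlen, vid, mtu = struct.unpack_from("!BBBBHH", pkt, off)
        if info_len < 12 + nlen or off + info_len > len(pkt):
            raise ValueError("malformed VLAN information field")   # truncated or inconsistent length
        name = pkt[off + 12:off + 12 + nlen].decode("ascii")
        vlans.append(Vlan(vid, name, VLAN_TYPES.get(vtype, "unknown"), not status & VLAN_SUSPENDED, mtu))
        off += info_len
    return pkt[4:4 + dlen].decode("ascii"), revision, vlans

def build_summary(domain: str, revision: int, followers: int, version: int = 1) -> bytes:
    """Constructed Summary Advertisement: updater 0.0.0.0, digest zeroed (MD5 computation not covered here)."""
    d = domain.encode("ascii")
    return (struct.pack("!BBBB", version, VTP_SUMMARY, followers, len(d)) + d.ljust(32, b"\0")
            + struct.pack("!I", revision) + bytes(4) + b"170829111226" + bytes(16))

def build_subset(domain: str, revision: int, vlans: List[Tuple[int, str, bool]], version: int = 1) -> bytes:
    """Constructed Subset Advertisement; vlans is a list of (id, name, suspended) Ethernet VLANs."""
    d = domain.encode("ascii")
    out = struct.pack("!BBBB", version, VTP_SUBSET, 1, len(d)) + d.ljust(32, b"\0") + struct.pack("!I", revision)
    for vid, name, suspended in vlans:
        n = name.encode("ascii")
        padded = n.ljust((len(n) + 3) // 4 * 4, b"\0")
        out += struct.pack("!BBBBHHI", 12 + len(padded), VLAN_SUSPENDED if suspended else 0,
                           1, len(n), vid, 1500, 100000 + vid) + padded
    return out

class VtpSwitch:
    """Receiving side of step 3: the domain name must match, then the revision must be higher."""
    def __init__(self, domain: Optional[str] = None):
        self.domain, self.revision, self.vlans = domain, 0, {}
    def receive(self, summary_pkt: bytes, subset_pkts: List[bytes]) -> str:
        s = parse_summary(summary_pkt)
        if self.domain is None:          # "null" domain: join the domain named in the message
            self.domain = s.domain
        if s.domain != self.domain:
            return "dropped: domain name mismatch"
        if s.revision <= self.revision:
            return f"ignored: local revision {self.revision} is not older than {s.revision}"
        new: Dict[int, Vlan] = {}
        for p in subset_pkts:
            dom, rev, vlans = parse_subset(p)
            if dom != s.domain or rev != s.revision:
                return "dropped: subset does not belong to this summary"
            new.update({v.vlan_id: v for v in vlans})
        self.vlans, self.revision = new, s.revision
        return f"accepted: revision {s.revision}, {len(new)} VLANs"
```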

As mentioned before, VTP version 3 defines two types of server switch, the primary server and the secondary server. The primary server is the only switch within the VTP domain that can create, modify or delete VLANs, and the only switch that can advertise VTP update messages to the other switches in the VTP domain. Server and client switches share their VLAN database only if their VTP domain name and primary server ID match; the primary server ID is the MAC address of the primary server. In VTP version 3 we can define multiple VTP server switches, but only one of them is configured as the VTP primary server, while the others become secondary servers which, as mentioned before, are not allowed to create, modify or delete VLANs in the VLAN database. Making a secondary server the primary server is done by configuration; it cannot happen automatically, such as by failover. When two or more VTP version 3 switches (server or client) have different IDs for the primary server, this is called a conflict, since the switches do not agree on the primary server ID. VTP version 3 uses this conflict concept to solve the problem of “creating, modifying or deleting VLANs by mistake”: two switches with the same VTP version (v3), VTP domain name and VTP password but different primary server IDs still cannot share their VLAN database with each other.

Notes:

1-To reset the VTP configuration revision number to 0 in VTP versions 1 and 2, configure the switch in VTP transparent mode. In VTP version 3, configuring the switch in VTP transparent mode does not reset the configuration revision number to 0; instead you can reset it by changing the VTP domain name or the VTP password.

2-If the switch is reloaded for any reason, or its VTP mode is changed to client, or it receives a VTP Summary Advertisement message with a configuration revision number higher than the locally stored value, the switch requests the full VLAN database from the switch connected over that trunk link. This is done by sending a message called the “VTP Advertisement Request” message; the following figure shows the VTP Advertisement Request message as seen in Wireshark:

(Figure vtp 3: VTP Advertisement Request message as seen in Wireshark)

3-VTP has four types of messages:

  • VTP Summary Advertisement message: as mentioned before, it is generated by the VTP server and client switches periodically every 300 seconds and whenever a change happens in the VLAN database. It carries a summary of the VTP domain, such as the domain name, the configuration revision number and the number of VTP Subset Advertisement messages that will follow it, and is sent out of the trunk links. Its fields (Version, Code, Followers, Management Domain Length, Management Domain, Configuration Revision Number, Updater Identity, Update Timestamp and MD5 Digest) are described above, and figure vtp 1 above shows the message as seen in Wireshark.
  • VTP Subset Advertisement message: as mentioned before, this message is generated by the VTP server and client switches and carries the information about all the VLANs defined in the VLAN database after a change (create, modify or delete VLAN) has happened. If the VLAN database is large, the switch generates multiple Subset Advertisement messages to carry all the VLANs defined in the VLAN database. Its VLAN information field (VLAN information length, Status, VLAN type, VLAN name length, ISL VLAN ID, MTU size and VLAN name) is described above, and figure vtp 2 above shows the message as seen in Wireshark.
  • VTP Advertisement Request message: as mentioned before, this message is generated when the switch is reloaded for any reason, when its VTP mode is changed to client, or when it receives a VTP Summary Advertisement message with a configuration revision number higher than the locally stored value; the switch uses it to request the full VLAN database from the switch connected over that trunk link. Figure vtp 3 above shows the message as seen in Wireshark.
  • VTP Join message: this message is generated by the VTP server and client switches when VTP pruning is enabled; the switch uses it to tell its neighbors whether each VLAN is active or pruned. The following figure shows the VTP Join message as seen in Wireshark:

(Figure vtp 4: VTP Join message as seen in Wireshark)

    It consists of the following important fields (I will exclude the fields mentioned before):
    1-First VLAN ID: this field is used to indicate the VLAN ID of the first VLAN (system-defined VLAN ID).
    2-Last VLAN ID: this field is used to indicate the VLAN ID of the last VLAN (system-defined VLAN ID).
    3-Advertised Active (i.e. not pruned) VLANs: this field is used to indicate the VLANs that are active and not pruned on the trunk link over which this VTP message is sent.

VTP Configuration:

As mentioned before, the switch sends VTP messages only out of trunk links. Before defining the VTP configuration on the switch(es), we first need to make sure that the inter-switch links (the links connecting the switches) are configured as trunks, so that VTP messages can be exchanged between the switches over these links.

You can configure a link as a trunk using the following commands:

(Figure conf 1: trunk configuration commands)

You can define the basic VTP configuration on the VTP server switch using the following commands:

(Figure conf 2: basic VTP configuration on the VTP server switch)

The “vtp domain IP_FOR_EXPERTS” command defines the name of the VTP domain on the switch.

You can change the VTP mode of the switch (the default mode is server) using the following command:

(Figure conf 3: changing the VTP mode)

The “vtp mode client” command sets the VTP mode of this switch to client.

You can change the VTP version running on the switch (the default version is 1) using the following command:

(Figure conf 4: changing the VTP version)

You can configure the VTP password using the following command:

(Figure conf 5: configuring the VTP password)

The “vtp password IP_FOR_EXPERTS_PASSWORD” command defines the VTP password; it must match on all switches that need to be members of the same VTP domain.

You can configure the interface whose IP address is used as the updater identity in VTP messages (by default the switch chooses the lowest-numbered SVI interface) using the following command:

(Figure conf 6: configuring the VTP updater interface)

You can define the VTP primary server using the following command:

(Figure conf 7: configuring the VTP primary server)

The “vtp primary vlan” command makes this switch the VTP primary server; the switch must be configured as a VTP server, not a client.
We must enter the plaintext format of the VTP password at the “Enter VTP password:” prompt.

You can configure the VTP password on the VTP v3 clients or secondary servers using the following command:

(Figure conf 8: configuring the VTP password on a VTP v3 client or secondary server)

The “vtp password 1A81533A2BA6746CA960EBFD156FB9BD secret” command sets the encrypted form of the password instead of the plaintext format, as the plaintext password is entered only on the primary server.

You can verify the basic VTP status using the following command:

(Figure conf 9: VTP status output, VTP version 1)

From this output we can see the following:

1-VTP version capable: 1 to 3, this means that this switch is capable of running VTP versions 1, 2 and 3.
2-VTP version running: 1, this means the switch is running VTP version 1.
3-VTP domain name: IP_FOR_EXPERTS, this means that the VTP domain name is “IP_FOR_EXPERTS”.
4-VTP pruning mode: Disabled, this means that VTP pruning is disabled.
5-VTP traps Generation: Disabled, this means that the switch is not configured to generate traps.
6-Device ID: aabb.cc80.2000, this means that the ID representing this switch is “aabb.cc80.2000”, which is the MAC address of this switch.
7-Configuration last modified by 0.0.0.0 at 8-29-17 11:12:26, this means that the VLAN database was last modified on 29 August 2017 at 11:12:26.
8-Local updater ID is 0.0.0.0 (no valid interface found), this means that no IP address was chosen as the updater, as no IP address is configured on the switch.
9-VTP operating mode: server, this means that this switch is configured as a VTP server switch.
10-Maximum VLANs supported locally : 1005, this means that it supports only the normal range of VLANs.
11-Number of existing VLANs : 6, this means that there are 6 VLANs defined in the VLAN database.
12-Configuration Revision : 0, this means that the VTP configuration revision number is 0, i.e. no change has been made since VTP was configured; once a change happens in the VLAN database, this value increases by one for each change.
13-MD5 digest : 0x82 0x78 0xCA 0x03 0x9E 0xBA 0x4C 0x5E 0x67 0x70 0x01 0x42 0x68 0xC1 0xE1 0x35, this is the MD5 digest value calculated over the VLAN database contents.

You can verify the VTP version 3 status using the following command:

(Figure conf 10: VTP status output, VTP version 3)

From this output we can see the following:

1-VTP version capable: 1 to 3, this means that this switch is capable of running VTP versions 1, 2 and 3.
2-VTP version running: 3, this means the switch is running VTP version 3.
3-VTP domain name: IP_FOR_EXPERTS, this means that the VTP domain name is “IP_FOR_EXPERTS”.
4-VTP pruning mode: Disabled, this means that VTP pruning is disabled.
5-VTP traps Generation: Disabled, this means that the switch is not configured to generate traps.
6-Device ID: aabb.cc80.2000, this means that the ID representing this switch is “aabb.cc80.2000”, which is the MAC address of this switch.
7-VTP operating mode: Primary server, this means that this switch is configured as the VTP primary server switch.
8-Number of existing VLANs : 6, this means that there are 6 VLANs defined in the VLAN database.
9-Number of existing extended VLANs : 0, this means that there are 0 extended VLANs defined in the VLAN database.
10-Maximum VLANs supported locally : 4096, this means that it supports both the normal and the extended range of VLANs.
11-Configuration Revision : 2, this means that the VTP configuration revision number is 2, i.e. two changes have been made since VTP was configured; once a change happens in the VLAN database, this value increases by one for each change.
12-Primary ID: aabb.cc80.1000, this means that the ID of the primary server is aabb.cc80.1000.
13-Primary Description : switch1, this means that the name/description of the primary server is “switch1”.
14-MD5 digest : 0xC4 0x4D 0xEF 0xE0 0xC7 0xDE 0x23 0xD5 0xBF 0x54 0x20 0xDD 0xAD 0x6B 0x05 0xB9, this is the MD5 digest value calculated over the VLAN database contents.

You can list the switches that are members of the VTP version 3 domain using the following command:

(Figure conf 11: VTP version 3 domain members)

You can verify the interfaces on which VTP is enabled using the following command:

(Figure conf 12: interfaces on which VTP is enabled)

You can verify the number of VTP messages generated and received by the switch using the following command:

(Figure conf 13: VTP message counters)

You can show the VTP password using the following command:

(Figure conf 14: VTP password)
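As an added example (not from the post), the following Python parses the two status outputs explained above, reproduced here as constructed text from the values listed in the post (the command itself is only a screenshot there, and is assumed to be show vtp status), and then applies the checks an administrator would run before connecting a switch to an existing domain, derived from the acceptance rule described earlier: a server or client carrying the domain's name with a revision at least as high as the domain's would replace the whole domain's VLAN database. The function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample of the two outputs explained in the text (values copied from the post;
# the real command output is only available there as a screenshot).
SHOW_VTP_STATUS_V1 = """\
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : IP_FOR_EXPERTS
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc80.2000
Configuration last modified by 0.0.0.0 at 8-29-17 11:12:26
Local updater ID is 0.0.0.0 (no valid interface found)

VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 6
Configuration Revision            : 0
MD5 digest                        : 0x82 0x78 0xCA 0x03 0x9E 0xBA 0x4C 0x5E
                                    0x67 0x70 0x01 0x42 0x68 0xC1 0xE1 0x35
"""
SHOW_VTP_STATUS_V3 = """\
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : IP_FOR_EXPERTS
Device ID                       : aabb.cc80.2000

VTP Operating Mode                : Primary Server
Number of existing VLANs          : 6
Number of existing extended VLANs : 0
Maximum VLANs supported locally   : 4096
Configuration Revision            : 2
Primary ID                        : aabb.cc80.1000
Primary Description               : switch1
MD5 digest                        : 0xC4 0x4D 0xEF 0xE0 0xC7 0xDE 0x23 0xD5
                                    0xBF 0x54 0x20 0xDD 0xAD 0x6B 0x05 0xB9
"""

def parse_show_vtp_status(text: str) -> Dict[str, str]:
    """Turn the 'key : value' lines into a dict keyed by lower-cased field name. The second
    MD5 row is appended to the previous field; the two free-form lines are matched explicitly."""
    fields: Dict[str, str] = {}
    last = None
    for line in text.splitlines():
        kv = re.match(r"^(\S.*?)\s+:\s*(.*)$", line)
        modified = re.match(r"^Configuration last modified by (\S+) at (.+)$", line)
        updater = re.match(r"^Local updater ID is (\S+)", line)
        if kv:
            last = kv.group(1).strip().lower()
            fields[last] = kv.group(2).strip()
        elif modified:
            fields["last modified by"], fields["last modified at"] = modified.groups()
        elif updater:
            fields["local updater id"] = updater.group(1)
        elif line[:1].isspace() and last:
            fields[last] += " " + line.strip()     # continuation row (second half of the MD5 digest)
    return fields

def preconnect_findings(status: Dict[str, str], domain: str, domain_revision: int) -> List[str]:
    """Checks to run on a switch before plugging it into an existing VTP domain whose current
    configuration revision is domain_revision (the reset methods are the ones in the Notes)."""
    findings: List[str] = []
    mode = status.get("vtp operating mode", "").lower()
    version = status.get("vtp version running", "")
    revision = int(status.get("configuration revision", "0"))
    participates = "transparent" not in mode and mode != "off"
    if participates and status.get("vtp domain name", "").upper() == domain.upper() and revision >= domain_revision:
        reset = "set it to transparent mode" if version in ("1", "2") else "change its domain name or password"
        findings.append(f"revision {revision} >= domain revision {domain_revision}: {reset} before connecting")
    if "server" in mode and version in ("1", "2"):
        findings.append("v1/v2 server: every server may rewrite the domain's VLAN database; prefer client mode or v3 with one primary")
    if version == "3" and "primary" in mode:
        findings.append(f"primary server (ID {status.get('primary id', '?')}): only one primary is allowed per domain")
    if status.get("local updater id") == "0.0.0.0":
        findings.append("no updater IP: 'Configuration last modified by' shows 0.0.0.0, so changes cannot be traced to a switch")
    return findings
```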

Hope that the post is helpful.

Regards

Mostafa Hamza
