In this post I will have a look at VTP.
We will quickly go over VTP version 2 and focus more on the new features of VTP version 3.
VTP is used to automatically create, delete and manage VLANs across your L2 network.
L2 technologies – VTP configuration – Physical network diagram
L2 technologies – VTP configuration – VTP version 2 configuration:
VTP versions 1 and 2 only work with standard-range VLANs.
You must first configure a VTP domain, set one switch as the VTP server and then set the other switches as VTP clients.
So let’s use SW10 as our VTP server.
SW10(config)#vtp domain CISCO
Changing VTP domain name from NULL to CISCO
SW10(config)#vtp
*Aug 3 20:44:13.222: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to CISCO.
SW10(config)#vtp mode server
Device mode already VTP Server for VLANS.
SW10(config)#vtp version 2
Now we need to set up the other switches as clients; they need to use the same VTP domain.
SW11(config)#vtp domain CISCO
SW11(config)#vtp mode client
If we add some VLANs on SW10, they are also configured on the other switches.
SW10(config)#vlan 10
SW10(config-vlan)#vlan 11
SW10(config-vlan)#vlan 12

SW13#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/2, Et0/3, Et1/2, Et1/3
10   VLAN0010                         active
11   VLAN0011                         active
12   VLAN0012                         active
On a VTP client, you cannot create new VLANs.
SW13(config)#vlan 15
VTP VLAN configuration not allowed when device is in CLIENT mode.
If we create VLAN 1100 on the VTP server, this VLAN is not replicated to the VTP clients, because it is outside the standard range.
SW10(config)#vlan 1100

SW14#sh vlan | i 1100
SW14#
You can also configure authentication to make sure that a new switch connected to the network does not wipe out the whole VLAN configuration.
SW10(config)#vtp password CCIE
Setting device VTP password to CCIE
If a device does not have the correct password, you receive the following syslog message.
%SW_VLAN-4-VTP_USER_NOTIFICATION: VTP protocol user notification: MD5 digest checksum mismatch on receipt of equal revision summary on trunk: Et0/0
There is another mode that can be used, VTP transparent mode.
In this mode, the switch does not participate in the VTP domain and can create its own VLANs without propagating them.
With VTP version 2, a transparent switch still forwards the VTP advertisements it receives on its trunk links.
Some people prefer to use only transparent mode to avoid any problems.
On my side, I like VTP; it makes configuring new VLANs easier when you have a lot of switches.
SW12(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
SW12(config)#vlan 150

SW12#sh vlan | i 150
150  VLAN0150                         active
L2 technologies – VTP configuration – VTP version 3 configuration:
VTP version 3 adds several features that improve how VTP works.
It now works with extended-range VLANs.
You can set up a primary and a secondary VTP server, which removes the risk that a newly introduced VTP server wipes out your VLAN database.
It supports private VLANs.
It has a better authentication method.
In our case, we will make SW10 the primary VTP server and SW11 the secondary.
By default a VTP server is secondary; you have to explicitly promote a device to primary.
One thing here: I wasted a lot of time finding this f**** vtp primary command; I was thinking it was my IOS, and I read the Cisco doc three times.
The vtp primary command has to be run from privileged EXEC mode.
After some research: in VTPv3 the primary role is a runtime state, not part of the configuration.
If a switch holding the primary role is reloaded, it loses that role when it comes back up and is only a secondary server again. This explains why the promotion of a secondary server to primary can only be done in privileged EXEC mode.
SW10#vtp ?
  password  Set the password for the VTP administrative domain.
  primary   Make the system as the primary server
  pruning   Set the administrative domain to permit pruning.
  version   Set the administrative domain VTP version
So here I go.
SW10#vtp primary
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue? [confirm]
I’m configuring VTP version 3 on all the switches.
We can now create VLANs on SW10 and they are replicated to the rest of the VTP domain.
If I try to create a VLAN on SW11, which is the secondary VTP server, I get the following message.
SW11(config)#vlan 11
VTP VLAN configuration not allowed when device is not the primary server for vlan database.
I'm going to configure the new VTP authentication feature.
SW10(config)#vtp password CCIE hidden
Setting device VTP password
Now the show vtp password command returns a hash instead of the clear-text password.
SW10#sh vtp password
VTP Password: 621F5C1360325D70E1B404F1D48E270F
Extended-range VLANs can now be created and propagated to the VTP domain.
SW10(config)#vlan 1500
SW10(config-vlan)#end

SW13#sh vlan | i 1500
1500 VLAN1500                         active
L2 technologies – VTP configuration – VTP pruning:
Pruning stops traffic for a VLAN from being sent over a trunk link when the switch at the other end has no access device in that VLAN.
In our case, the trunk between SW11 and SW14 prunes VLAN 11 and the trunk between SW10 and SW13 prunes VLAN 12.
For VTPv1 and v2, pruning must be enabled on the VTP server and is then propagated to the clients.
For VTPv3 it must be enabled on every device.
SW10(config)#vtp pruning
Pruning switched on
I turned it on on all the switches because we are using v3.
Let's have a look and see whether the VLANs are properly pruned.
SW10#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Et0/2       on               802.1q         trunking      1
Et1/0       on               802.1q         trunking      1
Et1/1       desirable        n-802.1q       trunking      1

Port        Vlans allowed on trunk
Et0/2       1-4094
Et1/0       1-4094
Et1/1       1-4094

Port        Vlans allowed and active in management domain
Et0/2       1,10-12
Et1/0       1,10-12
Et1/1       1,10-12

Port        Vlans in spanning tree forwarding state and not pruned
Et0/2       1,12
Et1/0       1,11-12
Et1/1       1,10-11
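Reading this by hand gets tedious with many trunks, so here is an added Python example (not from the original post or from Cisco) that parses the show interfaces trunk output above and reports, per trunk, the VLANs that are active in the domain but not forwarded. It assumes the standard IOS column layout shown above; the sample text is a constructed copy of SW10's output.

```python
# Constructed sample, copied from the SW10 "show interfaces trunk" output in the post
SHOW_INT_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Et0/2       on               802.1q         trunking      1
Et1/0       on               802.1q         trunking      1
Et1/1       desirable        n-802.1q       trunking      1

Port        Vlans allowed and active in management domain
Et0/2       1,10-12
Et1/0       1,10-12
Et1/1       1,10-12

Port        Vlans in spanning tree forwarding state and not pruned
Et0/2       1,12
Et1/0       1,11-12
Et1/1       1,10-11
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,10-12' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk_sections(text):
    """Map each 'Port  Vlans ...' section title to {port: vlan_set}; other sections are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):
            title = line[4:].strip()
            current = sections.setdefault(title, {}) if title.startswith("Vlans") else None
        elif current is not None and line.strip():
            port, spec = line.split(None, 1)
            current[port] = expand_vlans(spec)
    return sections

def pruned_vlans(text):
    """Per trunk: VLANs active in the domain that the trunk is not forwarding.
    Caveat: a VLAN that STP has blocked on the port lands in this set too, so
    confirm with the STP state before concluding that VTP pruned it."""
    sections = parse_trunk_sections(text)
    active = sections["Vlans allowed and active in management domain"]
    forwarding = sections["Vlans in spanning tree forwarding state and not pruned"]
    return {port: sorted(active[port] - forwarding[port]) for port in active}

print(pruned_vlans(SHOW_INT_TRUNK))  # {'Et0/2': [10, 11], 'Et1/0': [10], 'Et1/1': [12]}
```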
This concludes our VTP configuration post.
Thank you for reading.
L2 technologies series previous article:
L2 technologies – VTP