

VTP

Now that we have configured our trunk links and built a system of switches to carry our VLAN traffic, we can start creating and naming VLANs and assigning port membership to them. We can do this the hard way, by going to every switch in the system and configuring exactly the same VLAN information on each of them (and doing it again when something changes), or we can do it the easy way by using the VLAN Trunking Protocol (VTP).

VTP is a Layer 2 protocol that takes care of the steps of creating and naming VLANs on all switches in the system. We still have to set port membership to VLANs at each switch, which we can do either statically or using a VMPS.

VTP works by designating a single switch as the authority for the VLAN information of a domain. In this context, a domain is simply a group of switches that all share the same VTP domain name; the name places the switches in a common administrative group.

VTP Switch Modes

In a VTP domain, there are three types of switches:

  • Server mode—This is the one switch that is in charge of the VLAN information for the VTP domain. You may add, delete, and change VLAN information on this switch, and doing so affects the entire VTP domain. This way, we only have to enter our VLAN information once, and the Server mode switch propagates it to all the other switches in the domain.
  • Client mode—Client mode switches get VLAN information from the Server. You cannot add, delete, or change VLAN information on a Client mode switch; in fact, the commands to do so are disabled.
  • Transparent mode—A Transparent mode switch is doing its own thing; it will not accept any changes to VLAN information from the Server, but it will forward those changes to other switches in the system. You can add, delete, and change VLANs—but those changes only affect the Transparent mode switch and are not sent to other switches in the domain.

VTP Communication

In order for switches to properly communicate with VTP, four elements must be configured. First, you need to have all switches connected by working trunk links. (This, of course, implies crossover cables as well.)

Second, you need a domain name. This name can be anything you like, but make sure that it is unique within a switched system, or you can cause real problems, as you will see. The domain name must be identical on all the switches in the VTP system; a mismatched domain name is a common misconfiguration error, and it is also highly tested. The domain name is case sensitive, too!

Third, you need at least one (and preferably only one) Server mode switch. Yes, you can have more than one, but you don't need or want that.

Fourth, if you want, you can configure a password so that VTP information will not be exchanged if the password does not match on the server and client switch(es). The password is optional, but it must be identical (case sensitive) on all switches in the domain. This is also highly testable!

VTP Pruning

VTP pruning is a way to conserve a little bandwidth on those trunk links. If a client switch has no ports in VLAN 10, and we enable VTP Pruning on the Server mode switch, information about VLAN 10 will not be sent down the trunk to the client mode switch. This way, switches only learn what they need to know.

VTP Configuration

Configuring VTP is done from the global config prompt. The commands are simple:

2960(config)#vtp mode [server | client | transparent]
2960(config)#vtp domain vtp_domain_name
2960(config)#vtp password vtp_password

VTP Verification and Troubleshooting

The primary command used for verification and troubleshooting VTP is show vtp status. The following sample output shows what information can be drawn from this command:

2960#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 38
VTP Operating Mode              : Server
VTP Domain Name                 : ExamCram2
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 10.0.0.1 at 8-13-66 05:30:38
Local updater ID is 10.0.0.1

If you compare the output of show vtp status from two different switches, check that the domain names match exactly (including case) and that one of the two switches is in Server mode.
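The comparison just described, as an added example that is not part of the chapter: a small Python script that parses show vtp status text collected from several switches and reports a domain-name mismatch, a Server mode switch count other than one, and differing MD5 digests or configuration revisions. The sample output is constructed in the format shown above, not captured from real devices, and the hostnames are assumed.

```python
import re

# Constructed sample 'show vtp status' output for two switches (not captured
# from real devices); SWITCH_B differs only in mode and the case of the domain name.
SWITCH_A = """\
Configuration Revision          : 0
Number of existing VLANs        : 38
VTP Operating Mode              : Server
VTP Domain Name                 : ExamCram2
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
"""
SWITCH_B = SWITCH_A.replace("Server", "Client").replace("ExamCram2", "examcram2")
SWITCH_B_FIXED = SWITCH_A.replace("Server", "Client")

def parse_vtp_status(text):
    """Map each 'Field : value' line of show vtp status to a dict entry."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def check_vtp_domain(statuses):
    """statuses maps hostname -> raw show vtp status text; returns a list of findings."""
    parsed = {host: parse_vtp_status(text) for host, text in statuses.items()}
    findings = []
    # Domain names are compared case-sensitively, exactly as VTP itself does.
    domains = sorted({p.get("VTP Domain Name", "") for p in parsed.values()})
    if len(domains) > 1:
        findings.append(f"domain name mismatch: {domains}")
    servers = sorted(h for h, p in parsed.items() if p.get("VTP Operating Mode") == "Server")
    if len(servers) != 1:
        findings.append(f"expected exactly one Server mode switch, found {servers}")
    # Differing digests mean the VLAN database or the VTP password is out of sync.
    if len({p.get("MD5 digest", "") for p in parsed.values()}) > 1:
        findings.append("MD5 digest differs between switches")
    revisions = sorted({p.get("Configuration Revision", "") for p in parsed.values()})
    if len(revisions) > 1:
        findings.append(f"configuration revision differs: {revisions}")
    return findings

if __name__ == "__main__":
    for finding in check_vtp_domain({"SwA": SWITCH_A, "SwB": SWITCH_B}):
        print(finding)
```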
