Cisco VLAN Trunking Protocol (VTP)

VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that makes administration of VLANs across a L2 network easier. Simply put, VTP propagates VLANs across trunk links to other switches, so that only one configuration line needs to be changed in one switch, and the rest of the switches configure that VLAN # in their VLAN database.

In VTP, five things must happens for VTP to proporgate VLANs:

  1. The devices must be in the same VTP domain (case sensitive)
  2. The devices must have the same VTP password (case sensitive)
  3. The device receiving a VTP message must have a lower configuration revision number than itself (output in sh vtp status)
  4. VTP messages are only sent on Trunk links, not access ports. A Switch connected to another switch via an access port will not allow VTP to propogate VLANs.
  5. The device must be in server or client mode (not transparent). Transparent participates in the vtp domain, but does not update its configuration register number. It forwards vtp messages out it’s trunk ports.

There are 3 flavors of VTP:

  • v1
  • v2:
    • Supports Token Ring VLANs
    • Supports consistency checks.
    • In transparent mode it will forward the message without checking version information, a transparent switching using vtp will check
  • v3:
    • Supports for the full range of VLANs (Normal AND extended)
    • Support for Propagation of PVLANS
    • Options for cleartext or Hidden VTP Passwords
    • Support for Propagation of 802.1s MST configuration info.
    • Can be turned off globally, or per-port

In all flavors of VTP, the vtp password is never displayed in the running-config

VTP v1 devices (that are v2 capable) will upgrade itself to v2 if:

  1. Detects if it is connected to a v2 neighbor
  2. Detects if it is connected to a v3 neighbor

VTP v2 device will remain as v2 if a v3 neighbor is detected (even if it is v3 capable). VTP v3 must be manually configured, it does not automatically upgrade to v3 from other switches.
VTP v1 and v2 automatically update the VTP domain name on incoming VTP messages if the domain name is not manually set/is NULL. However, VTP v3 does not have this functionality. in VTP v3 you must always manually configure the domain name for it to be joined.
VTP v3 is backwards compatible with v2 (on a per port basis where it is detected).


The other major difference with VTP v3 is that all switches by default are still VTP Servers, but they are considered “secondary servers”. It is very similar to VTP Client mode, because it does not allow manual addition or deletion of VLANs, or not allowed to update other VLAN databases. You then make one of your switches a “primary server”. This is manually configured. There can only be one Primary server per VTP domain. This Server is allowed to make the changes to their VLAN database, and propagate it. 

! Configure a vtp domain (Can be done from privileged EXEC or Configuration Terminal)

#vtp domain [name]

! Configure vtp password (Can be done from privileged EXEC or Configuration Terminal)

! When configured this way, it will display the password in the sh vtp password command. It will also store the password in cleartext in the vlan.dat file.

#vtp password [password]

! When configured this way, the sh vtp password command will instead show a 32-bit hash of the password (effectively hiding it). service password encryption ALSO encrypts the contents of the password. The hidden keyword in addition to scrambling the output of sh vtp password, it also scrambles the cleartext password in the vlan.dat file.

#vtp password [password] hidden

! Once you use the vtp password hidden command, you use the secret keyword to specify the 32 hex character on the OTHER switches

#vtp password [32-hex character] secret 

! Configure vtp version (Can be done from privileged EXEC or Configuration Terminal)

#vtp version [1 | 2 | 3] 

! Setting v3 device to a primary server (Can be done from privileged EXEC or Configuration Terminal)

#vtp primary 

! VTP pruning is disabled by default on cisco switches 

! VTP pruning is how switches in a VTP topology ‘prune’ trunk connections to prevent unnecessary broadcasts. The switches in a topology that do not have an access port in a said VLAN, sends a ‘vtp prune’ message to upstream trunks to prune that vlan off the trunk

!Enable VTP pruning

#vtp pruning

! Verification

#sh vtp status

By default all ports on a cisco catalyst switch start out as access ports (switchport mode dynamic auto), and send DTP messages to negotiate a trunk. The switchport nonegotiate command tells the switch to not send DTP. DTP messages contain a field for the VTP domain. DTP cannot negotiate a trunk if there is a mismatch in the VTP domain between switches

! Disable/enable DTP (on by default on a port)

#sw non

#no sw non

! Configure DTP to passively listen for DTP messages, and will negotiate a trunk if it receives a DTP message. Starts out as access port until it receives other DTP messages.

#sw mode dynamic auto

! Configure DTP to actively send DTP messages, and if it receives a reply it negotiates a trunk

#sw mode dynamic desirable 

Types of VLANs:

  1. Standard VLAN = 1-1005
  2. Extended VLAN = 1005 and above

When a standard VLAN is configured, it is copied into the running configuration and the vlan.dat file located in flash. When a extended VLAN is created it is only copied into the running configuration. You can only create extended VLANs when the switch is in vtp transparent mode. If a switch is operating in vtp server mode and VLAN configuration exists in both vlan.dat and startup config, it will ignore the startup config vlans and use the vlans in the vlan.dat  file for standard vlans.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s