VLAN & VTP Basics

Creating VLANs is an easy task, but you may run into issues with the VLANs populating between the other access switches (VTP : Client).

**Option One** (used to create the VLAN)
(config)#vlan 10
(config-vlan)#name SALES


**Option Two** 
(config)#interface vlan 10
(config-if)#description SALES
(config-if)#ip address a.b.c.d x.x.x.x

Option two allows you to set a static interface for IP routing. 

For EXTENDED VLANs (1006-4096), VTP mode must be Transparent. Server mode should throw errors, though probably not on IOL devices.

(config)#vtp mode transparent

By default all Cisco Catalysts come preconfigured in VTP server mode. You will need to change this on all access switches that are not serving VLANs. First, set the mode (one of the three):

(config)#vtp mode Server
(config)#vtp mode Transparent
(config)#vtp mode Client

then, set the domain

(config)#vtp domain CISCO

This will put the switch in client mode and in the same domain as the VTP server, allowing it to accept VLAN configs from the core or firewall. If you run into an MD5 digest checksum mismatch error, you may need to set the same password on all devices in the domain that need VTP configs, like this:

(config)#vtp password cisco

You will then want to issue the below command to show the current status: 

#show vtp status
Sw1>sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CISCO
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : aabb.cc00.1200
Configuration last modified by at 7-5-19 23:13:37
Local updater ID is (no valid interface found)

Feature VLAN:
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 9
Configuration Revision            : 0
MD5 digest                        : 0x87 0x6A 0xFA 0xCB 0xD3 0x27 0xDF 0x0C
                                    0x04 0xF4 0x94 0x8E 0x18 0xEA 0xE9 0x84

Cisco VLAN Trunking Protocol (VTP)

VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that makes administration of VLANs across a L2 network easier. Simply put, VTP propagates VLANs across trunk links to other switches, so that only one configuration line needs to be changed in one switch, and the rest of the switches configure that VLAN # in their VLAN database.

In VTP, five things must happen for VTP to propagate VLANs:

  1. The devices must be in the same VTP domain (case sensitive)
  2. The devices must have the same VTP password (case sensitive)
  3. The device receiving a VTP message must have a lower configuration revision number than the one in the message (shown in sh vtp status)
  4. VTP messages are only sent on trunk links, not access ports. A switch connected to another switch via an access port will not allow VTP to propagate VLANs.
  5. The device must be in server or client mode (not transparent). A transparent switch participates in the VTP domain but does not update its configuration revision number; it only forwards VTP messages out its trunk ports.
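As an added example (not part of the original notes), a small Python audit that parses the `show vtp status` fields shown above from several switches and checks conditions 1, 3 and 5 against a designated server; the switch names and outputs are constructed, not captured from real devices.

```python
import re

# Constructed 'show vtp status' excerpts in the format shown on this page (not real devices).
SWITCHES = {
    "Core1": """VTP Domain Name                 : CISCO
VTP Operating Mode                : Server
Configuration Revision            : 42""",
    "Access1": """VTP Domain Name                 : CISCO
VTP Operating Mode                : Client
Configuration Revision            : 42""",
    "Access2": """VTP Domain Name                 : cisco
VTP Operating Mode                : Client
Configuration Revision            : 17""",
    "Lab1": """VTP Domain Name                 : CISCO
VTP Operating Mode                : Server
Configuration Revision            : 57""",
}


def parse_vtp_status(text):
    """Pull domain, operating mode and revision out of 'show vtp status' output."""
    grab = lambda label: re.search(label + r"\s*:\s*(\S*)", text)
    return {
        "domain": grab("VTP Domain Name").group(1),      # "" when the domain is NULL
        "mode": grab("VTP Operating Mode").group(1),
        "revision": int(grab("Configuration Revision").group(1)),
    }


def audit_vtp(statuses, designated):
    """List switches that would not take the designated server's database, or could overwrite it."""
    parsed = {name: parse_vtp_status(t) for name, t in statuses.items()}
    ref = parsed[designated]
    findings = []
    for name, s in parsed.items():
        if name == designated:
            continue
        if s["domain"] != ref["domain"]:  # condition 1: domain match is case sensitive
            findings.append(f"{name}: domain {s['domain']!r} != {ref['domain']!r} (case sensitive)")
        if s["mode"] == "Transparent":    # condition 5: forwards but never applies updates
            findings.append(f"{name}: Transparent mode, forwards VTP but never updates its VLAN database")
        if s["mode"] == "Server":         # condition 3: a higher revision wins in the whole domain
            risk = ("its higher revision would overwrite every switch in the domain"
                    if s["revision"] > ref["revision"] else "set it to Client or Transparent")
            findings.append(f"{name}: Server with revision {s['revision']} vs {ref['revision']}; {risk}")
    return findings
```

Run `audit_vtp(SWITCHES, "Core1")` to see Access2 flagged for its lowercase domain and Lab1 flagged as a second server whose revision 57 would win over the core's 42.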

There are 3 flavors of VTP:

  • v1
  • v2:
    • Supports Token Ring VLANs
    • Supports consistency checks.
    • In transparent mode a v2 switch forwards VTP messages without checking the version information, whereas a v1 switch in transparent mode checks the version before forwarding
  • v3:
    • Supports the full range of VLANs (normal AND extended)
    • Supports propagation of PVLANs
    • Options for cleartext or hidden VTP passwords
    • Supports propagation of 802.1s MST configuration info.
    • Can be turned off globally, or per-port

In all flavors of VTP, the VTP password is never displayed in the running-config.

A VTP v1 device (that is v2 capable) will upgrade itself to v2 if:

  1. It detects that it is connected to a v2 neighbor
  2. It detects that it is connected to a v3 neighbor

A VTP v2 device will remain v2 if a v3 neighbor is detected (even if it is v3 capable). VTP v3 must be manually configured; it does not automatically upgrade to v3 from other switches.
VTP v1 and v2 automatically learn the VTP domain name from incoming VTP messages if the domain name is not manually set (is NULL). VTP v3 does not have this functionality: in VTP v3 you must always manually configure the domain name for the switch to join it.
VTP v3 is backwards compatible with v2 (on a per-port basis where v2 is detected).

The other major difference with VTP v3 is that all switches are still VTP servers by default, but they are considered "secondary servers". This is very similar to VTP client mode, because a secondary server does not allow manual addition or deletion of VLANs and is not allowed to update other VLAN databases. You then manually make one of your switches the "primary server". There can only be one primary server per VTP domain; this server is allowed to make changes to its VLAN database and propagate them.

! Configure a vtp domain (Can be done from privileged EXEC or Configuration Terminal)

#vtp domain [name]

! Configure vtp password (Can be done from privileged EXEC or Configuration Terminal)

! When configured this way, it will display the password in the sh vtp password command. It will also store the password in cleartext in the vlan.dat file.

#vtp password [password]

! When configured this way, the sh vtp password command will instead show a 32-bit hash of the password (effectively hiding it). service password-encryption ALSO encrypts the contents of the password. In addition to scrambling the output of sh vtp password, the hidden keyword also scrambles the cleartext password in the vlan.dat file.

#vtp password [password] hidden

! Once you use the vtp password hidden command, use the secret keyword to specify the 32-hex-character secret on the OTHER switches

#vtp password [32-hex character] secret 

! Configure vtp version (Can be done from privileged EXEC or Configuration Terminal)

#vtp version [1 | 2 | 3] 

! Setting v3 device to a primary server (Can be done from privileged EXEC or Configuration Terminal)

#vtp primary 

! VTP pruning is disabled by default on cisco switches 

! VTP pruning is how switches in a VTP topology 'prune' VLANs off trunk connections to prevent unnecessary broadcasts. A switch in the topology that has no access port in a given VLAN sends a 'vtp prune' message to its upstream trunks to prune that VLAN off the trunk

!Enable VTP pruning

#vtp pruning

! Verification

#sh vtp status

By default all ports on a Cisco Catalyst switch start out as access ports (switchport mode dynamic auto) and send DTP messages to negotiate a trunk. The switchport nonegotiate command tells the switch not to send DTP. DTP messages contain a field for the VTP domain, and DTP cannot negotiate a trunk if there is a mismatch in the VTP domain between switches.

! Disable/enable DTP (on by default on a port)

#sw non

#no sw non

! Configure DTP to passively listen for DTP messages and negotiate a trunk if it receives one. The port starts out as an access port until it receives DTP messages from the other side.

#sw mode dynamic auto

! Configure DTP to actively send DTP messages, and if it receives a reply it negotiates a trunk

#sw mode dynamic desirable 

Types of VLANs:

  1. Standard VLAN = 1-1005
  2. Extended VLAN = 1005 and above

When a standard VLAN is configured, it is copied into the running configuration and into the vlan.dat file located in flash. When an extended VLAN is created it is only copied into the running configuration. You can only create extended VLANs when the switch is in VTP transparent mode. If a switch is operating in VTP server mode and VLAN configuration exists in both vlan.dat and the startup config, it will ignore the startup config VLANs and use the VLANs in the vlan.dat file for standard VLANs.