Cisco VTP – the VLAN Trunking Protocol is a management tool for large L2 deployments.
It provides a simple way to synchronize VLAN names and numbers across Cisco switching infrastructure, also automates some traffic optimizations (the VLAN pruning).
General information on VLAN Trunking Protocol
VLAN Trunking Protocol (VTP), despite the name, has nothing to do with trunking (as in switchport mode trunk); some authors suggest that “VLAN Management Protocol” would be a more suitable name.
It was developed to ease large deployments with a lot of VLANs crossing all of the campus network, with a lot of people moving around the campus, so to require often changes to configuration.
From a design standpoint, if we consider L2 networks only, there are two common options for campus deployment: a VLAN per switch and a VLAN per department. In the second case VTP is, perhaps, the most helpful.
It is really easy to see, that if you have 100 switches all around 5 buildings of your company HQ, and you happen to need to add a VLAN on many of them with consistent ID and naming, VTP comes to the rescue. Well, yeah, this is a rather stretched example. But still, we have what we have.
Personally, I say it might be useful for initial configuration of huge batches of campus switches (although there are cooler automation tools available) before installation.
VTP limits VLAN information dissemination by using a concept of VTP domains. Only two nodes (switches) sharing a domain will exchange databases. If a node was not yet configured with a domain name, it will learn it from the first VTP advertisement it receives (with the exception of password-protected domain). Also, for some reason, VTP domain mismatch might prevent DTP from operating correctly.
Each VTP node works in one of the modes: Server (default), Client and Transparent. Servers rule the domain, although there are some caveats (a client with higher revision number will update a server, not vice-versa), thus people prefer to turn mode to transparent, effectively making VTP irrelevant to the switch.
For its messaging, VTP uses VLAN1 over trunk links. The information is stored in switch’s flash0 vlan.dat (vlan database).
VTP Version 1, 2, & 3
There are so far three versions of the protocol:
- Version 1. VLANs are created at servers. Any server can also delete a VLAN from domain’s database. Clients advertise VLANs (the source of many grief, or so I’ve heard). Transparent ones create locally significant VLANs, forward advertisements for the same domain thei belong to. Only the Standard VLAN range is supported.
- Version 2 differs only in support for Token Ring VLANs. Not the kind of VLANs you generally see these days.
- Version 3 has some major differences: the configuration revision overwrite problem is fixed, Private VLANs are supported along with the Extended range. Now only the Primary server is able to rule the domain. For another server to take over that role, the domain password is required.
There are additional features introduced in VTPv3, like dissemination of MST configuration and RSPAN membership. Also, it is possible to disable VTP completely or on a per-port basis in version 3.
Prior to configuring VTP version 3, you must ensure that the spanning-tree extend system-id command has been enabled.
Authentication is the basis of security features of VTP, common to all versions. Authentication is done with MD5 hashes, salted by the revision number.
For authentication to work, passwords and domain names must match.
VTP Prunning is an optimization feature, which prevents broadcast/multicats/unknown unicast data to be transmitted over trunk links for VLANs, which do not have associated ports on a switch.
It works by removing (pruning) a VLAN in egress (outbound) direction from a trunk. Only supported between switches in server/client modes.
VLAN membership is propagated across infrastructure, so if a switch without ports in, say VLAN42, has a downlink to another switch, and that one has at least one access port assigned to VLAN42, then VALN42 won’t be pruned from trunks in that segment.
Pruning is enabled by default in VTPv1&2, and may be enabled if needed on a per-device basis in a VTPv3 network by administrator.
VTP Prune Eligible List
Prune Eligible means – able to be pruned. In a sense, opposite to allowed VLAN list.
For VTPv1&2, only VLANs 2-1001 can be pruned. Others are never pruned.
Prune Eligible list can be edited on a per-trunk basis:
>switchport trunk pruning vlan ...
VTPv3 & Private VLANs
VTP version 3 is not supported on private VLAN (PVLAN) ports. But that’s not the point. VTPv1&2 do not support propagation of PVLAN membership information. VTPv3 does support dissemination of relationships between primary, isolated and community VLANs across switching domain.