VTP, or VLAN Trunking Protocol, is something I find to be very useful and something that works very well with very little configuration. Large networks can have hundreds of VLANs and hundreds of switches, and manually configuring every VLAN on every one of those devices would be a long and very boring task. The idea of VTP is that you configure a VTP domain (the name can be anything you like) that all the devices join, and within this domain you designate one or more VTP servers. These servers dictate which VLANs exist on the network and synchronise the VLAN information to all the other devices, which are configured as VTP clients. In VTP versions 1 and 2, VLANs can ONLY be added, edited or deleted on a VTP server; a client will not let you create, change or delete VLANs locally.

Another VTP mode is transparent. A switch in transparent mode does not participate in the VTP domain and keeps its own, locally managed VLAN database. It will, however, forward any VTP advertisements it receives out of its other trunks (in version 1 only if the domain name and version match; from version 2 it forwards them regardless). A side note: transparent switches keep their VLANs in the running config as well as in vlan.dat, so they show up in show running-config and can be backed up with it, whereas on server/client switches the VLANs live only in vlan.dat on flash. Not that important, but useful to know!

While VTP all sounds great up until now, there are a few drawbacks that can be catastrophic to a network if the protocol is not implemented and maintained correctly. Adding an already configured switch to a network can result in the VLAN database of the whole network being overwritten! The access ports in the VLANs that disappear do not fall back into VLAN 1 either; they simply go inactive and stop forwarding. How could this happen? First, let's look at how VTP advertisements are interpreted by VTP clients.

Every time a change is made to the VLAN database on a VTP server, an advertisement is sent out from that server to all members of the domain. Within this advertisement there is a configuration revision number, which goes up by 1 every time the VLAN database is modified (summary advertisements are also sent periodically, every five minutes, and when a trunk comes up, but those just carry the current revision). If a switch receives an advertisement, for its own domain, with a revision number lower than the one it already holds, it discards it as old. If it receives one with a higher revision number, it synchronises and updates its database. So let's take a hypothetical scenario: a switch has been removed from the network, used for testing (every VLAN created or deleted during the testing bumped its revision number), and is then re-introduced to the same network over a trunk link. If the re-introduced switch has a higher revision number than the one currently in use, its VLAN database will be synchronised across all clients AND servers. A VERY important point to remember is that even though VTP servers are the only ones allowed to modify the VLAN database, they also behave as clients when it comes to receiving advertisements and will synchronise to any advertisement with a higher revision number. Two practical checks before you reconnect a switch: look at its revision number with show vtp status, and reset it to 0 by changing the VTP domain name or by switching the device to transparent mode and back. Setting a VTP domain password also helps, because advertisements carrying an MD5 digest computed from a different (or no) password are ignored.
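The logic above, as an added example that is not part of the original post: a small Python parser for the VTP summary advertisement (the 72-byte payload that follows the LLC/SNAP header, laid out as Cisco documents it and Wireshark dissects it), the revision check that both servers and clients apply, and a heuristic monitor that flags what a stale or rogue switch looks like on the wire. The sample advertisements, domain name CORP and the updater addresses are constructed for the example; the MD5 digest check a real switch performs is not modelled.

```python
import ipaddress
import struct
from dataclasses import dataclass

# VTP summary advertisement (payload after the LLC/SNAP header, SNAP PID 0x2003):
# version(1) code(1) followers(1) domain_len(1) domain(32) revision(4)
# updater_identity(4, IPv4) update_timestamp(12) md5_digest(16) = 72 bytes
SUMMARY_ADVERT = 0x01
SUMMARY_FMT = ">BBBB32sII12s16s"
SUMMARY_LEN = struct.calcsize(SUMMARY_FMT)


@dataclass
class SummaryAdvert:
    version: int
    followers: int
    domain: str
    revision: int
    updater: str
    digest: bytes


def parse_summary(payload: bytes) -> SummaryAdvert:
    """Decode a VTP summary advertisement; raises on malformed input."""
    if len(payload) < SUMMARY_LEN:
        raise ValueError("truncated VTP summary advertisement")
    (ver, code, followers, dom_len, dom_raw,
     rev, updater, _ts, digest) = struct.unpack(SUMMARY_FMT, payload[:SUMMARY_LEN])
    if code != SUMMARY_ADVERT:
        raise ValueError(f"not a summary advertisement (code={code:#x})")
    if dom_len > 32:
        raise ValueError("domain length exceeds the 32-byte field")
    return SummaryAdvert(ver, followers,
                         dom_raw[:dom_len].decode("ascii", errors="replace"),
                         rev, str(ipaddress.IPv4Address(updater)), digest)


def build_summary(domain: str, revision: int, updater: str, version: int = 2) -> bytes:
    """Constructs a sample advertisement (timestamp and digest zeroed)."""
    dom = domain.encode("ascii")
    return struct.pack(SUMMARY_FMT, version, SUMMARY_ADVERT, 0, len(dom),
                       dom.ljust(32, b"\x00"), revision,
                       int(ipaddress.IPv4Address(updater)), b"\x00" * 12, b"\x00" * 16)


@dataclass
class VtpDevice:
    """VTPv1/v2 state for the revision check. Servers and clients apply
    exactly the same rule; only transparent mode opts out."""
    domain: str
    revision: int
    mode: str = "client"   # "server", "client" or "transparent"

    def receive(self, adv: SummaryAdvert) -> str:
        if self.mode == "transparent":
            return "forwarded-only"
        if adv.domain != self.domain:
            return "ignored-domain-mismatch"
        # A real switch also rejects the advert if the MD5 digest does not
        # match its own password; the digest input is not modelled here.
        if adv.revision < self.revision:
            return "discarded-older"
        if adv.revision == self.revision:
            return "no-change"
        self.revision = adv.revision   # the switch now requests the subset adverts
        return "synchronised-overwritten"


def detect_suspicious(adverts, max_step: int = 1):
    """Heuristic wire monitor: a legitimate change bumps the revision by one,
    so a larger jump, or a new updater identity, is what a stale lab switch
    (or a rogue server) looks like when it joins the domain."""
    alerts, last = [], None
    for adv in adverts:
        if last is not None:
            if adv.revision > last.revision + max_step:
                alerts.append(f"revision jumped {last.revision}->{adv.revision} "
                              f"(updater {adv.updater})")
            if adv.updater != last.updater:
                alerts.append(f"updater changed {last.updater}->{adv.updater}")
        last = adv
    return alerts


def stale_switch_scenario():
    """Constructed scenario: production domain CORP is at revision 20; a lab
    switch that left at revision 20 and saw 15 VLAN edits comes back at 35."""
    server = VtpDevice("CORP", 20, "server")
    client = VtpDevice("CORP", 20, "client")
    stale = parse_summary(build_summary("CORP", 35, "10.0.0.99"))
    results = (server.receive(stale), client.receive(stale))
    wire = [parse_summary(build_summary("CORP", r, "10.0.0.1")) for r in (18, 19, 20)]
    wire.append(stale)
    return results, server.revision, detect_suspicious(wire)


if __name__ == "__main__":
    print(stale_switch_scenario())
```

Note that the server and the client return the same result: the mode only decides who may edit the database, not who accepts a higher revision. Feeding the monitor with advertisements captured from a span port (destination MAC 01:00:0c:cc:cc:cc) is enough to spot a takeover before anyone notices ports going inactive.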

A killer feature of VTP, however, is automatic VLAN PRUNING. As previously discussed, you can manually restrict a trunk with the switchport trunk allowed vlan command, but as VTP knows which VLANs are active on which switches across the network, it will (once enabled with vtp pruning on a server) automatically prune the uplinks so that no broadcast, multicast or unknown-unicast traffic is flooded to switches where the source VLAN isn't present. If you then configure a port on one of those switches in that VLAN, the switch advertises the VLAN in a VTP join message and pruning automatically allows it back across the trunk. Great stuff. One caveat: only VLANs 2 to 1001 are pruning-eligible; VLAN 1, VLANs 1002 to 1005 and the extended range are always forwarded.
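To make the pruning behaviour concrete, here is an added example (not code from the original post) that models a tree of trunked switches in Python and computes, per trunk and direction, which VLANs get pruned. The topology, switch names and VLAN membership are constructed; the rule it implements is the one Cisco documents for VTP join messages, namely that a switch asks a neighbour to forward only the VLANs active on itself or wanted by the switches behind it. It also applies the eligibility caveat above, and shows the trunk reopening when a port is added.

```python
# Tree of trunked switches with VTP pruning. Each switch tells its neighbour,
# in a VTP join message, which VLANs it wants to receive: those active on it,
# plus whatever the switches behind it want. The neighbour stops flooding the rest.
PRUNE_ELIGIBLE = range(2, 1002)   # VLAN 1, 1002-1005 and 1006+ are never pruned


class PrunedFabric:
    def __init__(self, trunks, active):
        # trunks: list of (switch_a, switch_b); active: {switch: {vlan, ...}}
        self.adj = {}
        for a, b in trunks:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        self.active = {sw: set(active.get(sw, ())) for sw in self.adj}

    def wanted(self, sw, via):
        """VLANs `sw` asks neighbour `via` to forward (its join message).
        Assumes a loop-free (spanning-tree) topology, so the recursion ends."""
        want = set(self.active[sw])
        for nxt in self.adj[sw] - {via}:
            want |= self.wanted(nxt, sw)
        return want

    def forwarded(self, src, dst, vlan):
        """Does flooded traffic in `vlan` cross the trunk src -> dst?"""
        if vlan not in PRUNE_ELIGIBLE:
            return True
        return vlan in self.wanted(dst, src)

    def pruned_on(self, src, dst):
        """Pruning-eligible VLANs that exist somewhere but are pruned src -> dst."""
        known = set().union(*self.active.values())
        return {v for v in known if not self.forwarded(src, dst, v)}

    def add_port(self, sw, vlan):
        """An access port configured in `vlan` on `sw`: the next join message
        reopens the trunks on the path without any manual allowed-list edit."""
        self.active[sw].add(vlan)


def build_sample():
    """Constructed topology: a core with two distribution switches, each with
    access switches; VLAN 10 on acc1/acc3, 20 on acc2, 30 on the core only."""
    return PrunedFabric(
        trunks=[("core", "dist1"), ("core", "dist2"), ("dist1", "acc1"),
                ("dist1", "acc2"), ("dist2", "acc3")],
        active={"acc1": {10}, "acc2": {20}, "acc3": {10}, "core": {30}})


def before_and_after():
    """Adding a VLAN 20 port on acc3 un-prunes VLAN 20 towards dist2."""
    fabric = build_sample()
    before = fabric.forwarded("core", "dist2", 20)
    fabric.add_port("acc3", 20)
    return before, fabric.forwarded("core", "dist2", 20)


if __name__ == "__main__":
    fabric = build_sample()
    for src, dst in [("core", "dist1"), ("core", "dist2"), ("dist1", "acc1")]:
        print(f"{src} -> {dst}: pruned {sorted(fabric.pruned_on(src, dst))}")
    print("VLAN 20 towards dist2 before/after adding a port:", before_and_after())
```

Pruning is directional: VLAN 20 crosses core -> dist1 because acc2 sits behind dist1, but never reaches acc1, and VLAN 30, which only exists on the core, is pruned from every uplink until an access port somewhere asks for it.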

Now that we've discussed what VTP does, let's look at the differences between the versions. VTP started with version 1 and is now at version 3. There isn't much difference between v1 and v2: v2 adds Token Ring VLAN support, forwarding of unrecognised TLVs, transparent-mode forwarding regardless of version, and consistency checks on VLAN names and numbers entered through the CLI or SNMP (not on information received in advertisements). Version 3, however, puts some more meat on the bones. V3 introduces a PRIMARY server: only the primary server may change the VLAN database, and every other server (now called a secondary server) and client only accepts database updates from it. A switch does not become primary by itself; you promote it explicitly with the vtp primary command. This is what removes the accidental takeover described above: a stale switch plugged back in cannot overwrite the VLAN database, whatever its revision number, unless someone deliberately promotes it.

There is also a new VTP mode (or non-mode), which is 'off'. Previously, as a switch defaulted to VTP enabled in server mode, you had to configure it as transparent if you didn't want it to take part in VTP. Off mode (vtp mode off) disables VTP completely: in off mode the switch will not even forward received advertisements.

The VTP domain password can now be stored as a hash (vtp password <password> hidden) rather than in plain text as it is in v1 and v2, where show vtp password reveals it to anyone with enable access. VTPv3 also supports the extended VLAN range (1006 to 4094), private VLANs and RSPAN VLANs, can propagate MST configuration, and is backward compatible with v2 (not v1).

Heavy text, no-image post, mostly because my IOSv GNS3 setup doesn't fully support VTP. I'll update with some images when I get access to some physical switch hardware. Embrace the grind, people.

Jack x