VTP

From Wikipedia, the free encyclopedia

VTP can also stand for Venturi Transport Protocol.
Example without and with VTP

VLAN Trunking Protocol (VTP) is a Cisco Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis. VTP reduces administration in a switched network: when you configure a new VLAN on one VTP server, the VLAN is distributed to all switches in the domain, so the same VLAN does not have to be configured on every switch by hand. To do this, VTP carries VLAN information to all the switches in a VTP domain. VTP advertisements can be sent over ISL, 802.1Q, IEEE 802.10 and LANE trunks. VTP traffic is sent over the management VLAN (VLAN 1), so all trunks must be configured to pass VLAN 1. VTP is a Cisco-proprietary protocol that is available on most Cisco Catalyst family products.[1]

VTP Modes

VTP operates on Cisco switches in one of three modes:

  • Server – In this VTP mode you can create, remove, and modify VLANs. You can also set other configuration options, such as the VTP version, and turn VTP pruning on or off for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on messages received over trunk links. Server is the default VTP mode.
  • Client – VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on them.
  • Transparent – When you set the VTP mode to transparent, the switch does not participate in VTP. A VTP transparent switch will not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received messages. However, in VTP version 2, transparent switches do forward VTP messages that they receive out their trunk ports.

VTP sends messages between trunked switches to keep the VLANs on those switches consistent so that trunking works properly. VTP messages are exchanged only between switches within a common VTP domain: if the domain name in a received message is different, the switch simply ignores the packet. If the name is the same, the switch then compares the configuration revision number. If the revision number of an update received on a client or server VTP switch is higher than the switch's current revision, the new configuration is applied; otherwise, the update is ignored.

When new devices are added to a VTP domain, revision numbers should be reset on the entire domain to prevent conflicts. Utmost caution is advised when dealing with VTP topology changes, logical or physical. Exchanges of VTP information can be protected by a password, which must be configured on every switch in the domain for it to work.

VTP Versions

VTP version 2 supports the following features not supported in version 1:[2]

  • Token Ring – Token Ring Bridge Relay Function (TrBRF) and Token Ring Concentrator Relay Function (TrCRF) VLANs are supported.
  • Unrecognized Type-Length-Value (TLV) – In version 2, a server propagates TLVs even if it does not understand them, and saves them in NVRAM when the switch is in VTP server mode. This can be useful if not all devices are at the same version or release level.
  • Version-Dependent Transparent Mode – Version 1 supports multiple domains while version 2 supports only one. Normal behavior for version 1 is to forward messages only if they match the destination domain name and version; VTPv2 does not perform this check before forwarding.
  • Consistency Checks – VTPv1 does more consistency checking on messages, which can add overhead. As long as the MD5 digest on a message is correct, VTPv2 will forward it. VTPv2 consistency-checks new configuration information added through the configuration editor, Cluster Management Software or SNMP.

VTP version 3 is a protocol that is only responsible for distributing a list of opaque databases over an administrative domain. When enabled, VTP version 3 provides the following enhancements over previous VTP versions:

  • Support for extended VLANs.
  • Support for the creation and advertising of private VLANs.
  • Improved server authentication.
  • Protection from the "wrong" database accidentally being inserted into a VTP domain.
  • Interaction with VTP version 1 and VTP version 2.
  • The ability to be configured on a per-port basis.
  • The ability to propagate the VLAN database and other databases.[1]

VTP Version 1 and 2 Configuration Guidelines

This section describes the guidelines for implementing VTP in your network:

  • All switches in a VTP domain must run the same VTP version.
  • You must configure a password on each switch in the management domain when you are in secure mode.

Caution: If you configure VTP in secure mode, the management domain will not function properly unless you assign a management domain password to each switch in the domain.

  • A VTP version 2-capable switch can operate in the same VTP domain as a switch running VTP version 1 if VTP version 2 is disabled on the VTP version 2-capable switch (VTP version 2 is disabled by default).
  • Do not enable VTP version 2 on a switch unless all of the switches in the same VTP domain are version 2 capable. When you enable VTP version 2 on a switch, all of the version 2-capable switches in the domain enable VTP version 2.
  • In a Token Ring environment, you must enable VTP version 2 for Token Ring VLAN switching to function properly.
  • Enabling or disabling VTP pruning on a VTP server enables or disables VTP pruning for the entire management domain.
  • Making VLANs pruning-eligible or pruning-ineligible on a switch affects pruning eligibility for those VLANs on that device only (not on all switches in the VTP domain).[2]

Configuration Commands

  • Step 1 – Define the VTP domain name: set vtp domain name
  • Step 2 – Set the VTP mode: set vtp mode (server/client/transparent)
  • Step 3 – Set which VTP version to run: vtp version #
  • Step 4 – (Optional) Set a password for the VTP domain: set vtp passwd passwd
  • Step 5 – Verify the VTP configuration: show vtp domain


VLAN Pruning

VTP can prune unneeded VLANs from trunk links. VTP maintains a map of VLANs and switches, enabling traffic to be directed only to those switches known to have ports on the intended VLAN. This enables more efficient use of trunk bandwidth.

Configure VLAN Pruning

  • Step 1 – Enable VTP pruning in the management domain: set vtp pruning enable
  • Step 2 – (Optional) Make specific VLANs pruning-ineligible on the device (by default, VLANs 2-1000 are pruning-eligible): clear vtp pruneeligible vlan_range
  • Step 3 – (Optional) Make specific VLANs pruning-eligible on the device: set vtp pruneeligible vlan_range
  • Step 4 – Verify the VTP pruning configuration: show vtp domain
  • Step 5 – Verify that the appropriate VLANs are being pruned on trunk ports: show trunk
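To show how the pruning rule and the per-device eligibility commands above combine, here is a small Python model written for this article (it is not Cisco code and not part of the original page). It applies the two facts the text gives, namely that a pruned VLAN is one no switch on the far side of the trunk has ports in and that VLANs 2-1000 are pruning-eligible by default, to a constructed two-switch trunk; the VLAN numbers and the function names set_pruneeligible, clear_pruneeligible and trunk_vlans are the example's own.

```python
# Pruning model (added example, not Cisco code). All VLAN numbers are constructed.
DEFAULT_ELIGIBLE = set(range(2, 1001))   # per the article: VLANs 2-1000 are eligible by default


def set_pruneeligible(eligible, vlan_range):
    """Model of 'set vtp pruneeligible vlan_range' on one device."""
    return set(eligible) | set(vlan_range)


def clear_pruneeligible(eligible, vlan_range):
    """Model of 'clear vtp pruneeligible vlan_range' on one device."""
    return set(eligible) - set(vlan_range)


def trunk_vlans(pruning_enabled, allowed, eligible, neighbour_active):
    """VLANs actually carried on a trunk toward one neighbour.

    allowed: VLANs configured on the trunk; eligible: this device's
    pruning-eligible VLANs; neighbour_active: VLANs for which the neighbour
    (and the switches behind it) report active ports. A VLAN is pruned only
    when pruning is on in the domain, the VLAN is eligible, and nobody on the
    far side of the trunk needs it."""
    allowed = set(allowed)
    if not pruning_enabled:
        return allowed
    return {v for v in allowed if v not in eligible or v in neighbour_active}


def example():
    """Constructed case: trunk A-B, switch B has ports only in VLANs 10 and 1002."""
    allowed = {1, 10, 20, 30, 1002}
    b_active = {10, 1002}
    before = trunk_vlans(True, allowed, DEFAULT_ELIGIBLE, b_active)
    # Protect VLAN 30 from pruning on this device only (clear vtp pruneeligible 30).
    protected = clear_pruneeligible(DEFAULT_ELIGIBLE, [30])
    after = trunk_vlans(True, allowed, protected, b_active)
    return sorted(before), sorted(after)
```

In example(), VLANs 20 and 30 are pruned because B has no ports in them, VLAN 1 and VLAN 1002 stay because they fall outside the default eligible range, and clearing eligibility for VLAN 30 brings it back onto the trunk without touching any other switch, which is the point of the "that device only" guideline.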


VTP security

VTP may operate unauthenticated, in which case an attacker can easily inject spoofed VTP packets in order to add/delete VLAN information. Tools such as Yersinia are freely available to do that. A password can be set for the VTP domain: it is used in conjunction with the MD5 hash function to provide authentication of VTP packets. However, this optional password authentication should not conceal the fact that it is very risky to use VTP in sensitive environments.

VTP Problems

When a VTP client or server with a higher configuration revision number is inserted, the other switches delete their VLAN information and take the VLAN information from the inserted switch. The only way to get the deleted information back is to add the missing VLANs and delete the unwanted VLANs by hand. To avoid this, set the switch you are inserting into the network to transparent mode, which resets the configuration revision number, and then switch it back to client or server mode. Another way to reset the revision number is to change the domain name to something else, such as "test", and then change it back.

Another problem can happen when you are inserting a switch with a different VTP domain name.

Image: Vtp.JPG

As you can see in the image above, switch B is in a different VTP domain than A and C. If more VLANs were added on switch A, switch C would not get the update because switch B would drop all the messages. To fix this, if you want to add switch B to the same domain as the others, you would have to change its domain name to Cisco; then all three would synchronize to switch A. But you would have to re-add any VLANs deleted on switch B.
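To make the domain-name and revision-number rules from the VTP Modes section, the higher-revision problem above, and the mismatched-domain figure concrete, here is a small Python model written for this article (it is not Cisco code and not part of the original page). It carries one advertisement hop by hop along a chain of trunked switches and applies only the rules the text states: a different domain name drops the message, only a higher revision is applied, a transparent switch forwards in version 2 but not in version 1, and entering transparent mode resets the revision to 0. The switch names, the domain names "Cisco" and "Lab", the VLAN numbers and the revision values are constructed for the example; the linear chain and the forward-only-if-applied rule are simplifications for illustration, not protocol details.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Advertisement:
    """The fields of a VTP advertisement that the acceptance rules examine."""
    domain: str
    revision: int
    vlans: frozenset


@dataclass
class Switch:
    name: str
    domain: str
    mode: str = "server"          # "server", "client" or "transparent"
    revision: int = 0             # configuration revision number
    vlans: set = field(default_factory=lambda: {1})

    def __post_init__(self):
        self.vlans = set(self.vlans)   # private copy so switches never share a set

    def set_mode(self, mode):
        # Entering transparent mode resets the revision to 0, as the article describes.
        if mode == "transparent":
            self.revision = 0
        self.mode = mode

    def add_vlan(self, vid):
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot create VLANs")
        self.vlans.add(vid)
        if self.mode == "server":
            self.revision += 1    # every change on a server bumps the revision

    def advertisement(self):
        return Advertisement(self.domain, self.revision, frozenset(self.vlans))

    def receive(self, adv, version):
        """Domain check first, then revision check; returns what the switch did."""
        if self.mode == "transparent":
            return "passed through" if version == 2 else "dropped (transparent, v1)"
        if adv.domain != self.domain:
            return "dropped (domain mismatch)"
        if adv.revision <= self.revision:
            return "ignored (revision not higher)"
        self.vlans = set(adv.vlans)   # the whole database is replaced, not merged
        self.revision = adv.revision
        return "applied"


def flood(chain, origin, version=2):
    """Carry the origin's advertisement hop by hop along a linear trunk chain.
    Simplification: a hop forwards only if it applied or passed the message on."""
    adv = chain[origin].advertisement()
    results = {}
    for step in (-1, 1):
        i = origin + step
        while 0 <= i < len(chain):
            outcome = chain[i].receive(adv, version)
            results[chain[i].name] = outcome
            if outcome not in ("applied", "passed through"):
                break
            i += step
    return results


def insert_switch(reset_first):
    """The 'VTP Problems' case: stale switch X (revision 9) joins domain Cisco (revision 5)."""
    a = Switch("A", "Cisco", "server", 5, {1, 10, 20, 30})
    c = Switch("C", "Cisco", "client", 5, {1, 10, 20, 30})
    x = Switch("X", "Cisco", "server", 9, {1, 99})   # constructed: an old lab switch
    if reset_first:
        x.set_mode("transparent")   # revision -> 0
        x.set_mode("client")
    chain = [a, x, c]
    flood(chain, 1)                 # X advertises when it is connected
    flood(chain, 0)                 # A advertises in the next cycle
    return {sw.name: sorted(sw.vlans) for sw in chain}


def mismatched_domain():
    """The figure's case: B sits between A and C but is in another domain."""
    a = Switch("A", "Cisco", "server", 5, {1, 10, 20, 30})
    b = Switch("B", "Lab", "server", 1, {1, 50})
    c = Switch("C", "Cisco", "client", 5, {1, 10, 20, 30})
    a.add_vlan(40)
    return flood([a, b, c], 0)      # C never appears: B dropped the message


def transparent_in_path(version):
    """Transparent switch between server and client: forwards in v2, not in v1."""
    a = Switch("A", "Cisco", "server", 5, {1, 10})
    t = Switch("T", "Cisco", "transparent", 0, {1})
    c = Switch("C", "Cisco", "client", 5, {1, 10})
    a.add_vlan(20)
    flood([a, t, c], 0, version)
    return sorted(c.vlans)
```

insert_switch(False) reproduces the wipe the section describes: A and C adopt X's revision 9 database and lose VLANs 10, 20 and 30, while insert_switch(True) shows the transparent-mode reset letting X learn A's database instead. mismatched_domain() returns only B's "dropped (domain mismatch)" outcome because C is never reached, which is the figure's situation, and transparent_in_path shows why the version 1/version 2 difference in transparent forwarding matters for a client behind a transparent switch.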

References

  1. http://www.javvin.com/protocolVTP.html
  2. http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800e47e3.html
