Let’s say you have a network with 20 switches and 50 VLANs. Usually, you would have to configure each switch separately and create those VLANs on every switch. That’s a time-consuming task, so there is something to help us called VTP (VLAN Trunking Protocol). VTP will let you create VLANs on one switch, and all the other switches will synchronize themselves.
We have one VTP server. This is the switch where you create/modify or delete VLANs. The other switches are VTP clients. The VTP configuration has a revision number that increases every time you make a change. Every time you make a change on the VTP server, this will be synchronized to the VTP clients. Oh, and by the way, you can have multiple VTP servers since it also functions as a VTP client, so you can make changes on multiple switches in your network. To make VTP work, you need to set up a VTP domain name, which you can just make up as long as you configure it to be the same on all your switches.
This is the short version of what I just described:
- VTP adds / modifies / deletes VLANs.
- For every change, the revision number will increase.
- The latest advertisement will be sent to all VTP clients.
- VTP clients will synchronize themselves with the latest information.
Besides the VTP server and VTP client, there’s also a VTP transparent, which is a bit different. Let me show you an example:
Our VTP Transparent will forward advertisements but will not synchronize itself. You can create VLANs locally, which is impossible on the VTP client. Let’s say you create VLAN 20 on our VTP server. This is what will happen:
- You create VLAN 20 on the VTP server.
- The revision number will increase.
- The VTP server will forward the latest advertisement to the VTP transparent switch.
- The VTP transparent will not synchronize itself but will forward the advertisement to the VTP client.
- The VTP client will synchronize itself with the latest information.
Here’s an overview of the 3 VTP modes:
| | VTP Server | VTP Client | VTP Transparent |
|---|---|---|---|
| Create/Modify/Delete VLANs | Yes | No | Only local |
| Synchronizes itself | Yes | Yes | No |
| Forwards advertisements | Yes | Yes | Yes |
Should you use VTP? It might sound useful, but VTP has a considerable security risk. The problem is that a VTP server is also a VTP client: any switch in server or client mode synchronizes itself to whatever advertisement in its domain carries the highest revision number, no matter which switch sent it. The following situation can happen with VTP:
You have a network with a single VTP server and a couple of VTP client switches, and everything is working fine, but one day you want to test some stuff and decide to take one of the VTP clients out of the network and put it in a lab environment.
- You take the VTP client switch out of the network.
- You configure it, so it’s no longer a VTP Client but a VTP server.
- You play around with VTP, create some VLANs, and modify some.
- Every time you make a change, the revision number increases.
- You are done playing…you delete all VLANs.
- You configure the switch from VTP Server to VTP Client.
- You connect your switch to your production network.
What do you think the result will be? The revision number on the switch we played with is now higher than the revision number on the switches in our production network. As soon as you connect it, the VTP client advertises its (empty) database, the other switches see a higher revision number in their domain and synchronize to it, and POOF, all your VLANs are gone! A VTP client can overwrite a VTP server when its revision number is higher, because a VTP server is also a VTP client.
Yes, I know this sounds silly, but this is the way it works, and it is very dangerous since you'll lose all your VLAN information. The damage doesn't stop at the VLAN database either: access ports assigned to a VLAN that no longer exists do not fall back to VLAN 1; they go inactive and stop forwarding until that VLAN is created again. Two precautions make this hard to do by accident. First, configure a VTP password on every switch: the MD5 digest in the advertisement then has to match, so a switch with a different or missing password is simply ignored. Second, zero the revision number on any switch before it touches a production trunk, which you do by setting it to transparent mode and back again, or by changing its VTP domain name. Note that the password does not help in the scenario above if the lab switch still carries the production password; the revision reset is what saves you there.
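To make the accident above concrete, here is a small Python model of the synchronization rules from this lesson (same domain, higher revision wins, server and client both sync, transparent never does). It is an added example, not code from the lesson: the `Switch` class, the simplified `vtp_digest` (real VTP hashes the VLAN database and password in its own layout) and the domain name `NETWORKLESSONS` are all inventions for illustration. `lab_switch_scenario` replays the story and also shows the two precautions: a mismatched VTP password and a zeroed revision number.

```python
"""Toy model of the VTP synchronization rules from this lesson.
Added example, not part of the lesson; Switch, vtp_digest and the domain
name NETWORKLESSONS are inventions for illustration."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field

DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}   # the 5 VLANs a fresh switch has


def vtp_digest(domain: str, password: str, revision: int, vlans: frozenset[int]) -> bytes:
    """Stand-in for the MD5 digest in a VTP summary advertisement (assumed
    layout). The point is only that a wrong password yields a digest the
    receiver rejects."""
    material = f"{domain}|{password}|{revision}|{sorted(vlans)}".encode()
    return hashlib.md5(material).digest()


@dataclass
class Switch:
    name: str
    mode: str = "server"                       # server | client | transparent
    domain: str = ""
    password: str = ""
    revision: int = 0
    vlans: set[int] = field(default_factory=lambda: set(DEFAULT_VLANS))

    def advertisement(self) -> dict:
        """What this switch sends on its trunks (server and client alike)."""
        vlans = frozenset(self.vlans)
        return {"domain": self.domain, "revision": self.revision, "vlans": vlans,
                "digest": vtp_digest(self.domain, self.password, self.revision, vlans)}

    def change_vlans(self, add=(), delete=()) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot modify VLANs")
        self.vlans.update(add)
        self.vlans.difference_update(delete)
        if self.mode == "server":              # transparent edits are local; revision untouched
            self.revision += 1

    def receive(self, adv: dict) -> bool:
        """Return True if this switch replaced its VLAN database with adv."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False                       # transparent forwards, never syncs
        if adv["revision"] <= self.revision:
            return False                       # nothing newer than what we have
        expected = vtp_digest(self.domain, self.password, adv["revision"], adv["vlans"])
        if expected != adv["digest"]:
            return False                       # VTP password mismatch: ignored
        self.vlans, self.revision = set(adv["vlans"]), adv["revision"]
        return True

    def reset_revision(self) -> None:
        """Transparent mode and back (or a new domain name) zeroes the counter."""
        self.revision = 0


def lab_switch_scenario(password: str = "", lab_password: str | None = None,
                        reset_before_reconnect: bool = False) -> dict:
    """Replay the accident from the lesson and report what production ends up with."""
    lab_password = password if lab_password is None else lab_password
    sw1 = Switch("SW1", mode="server", domain="NETWORKLESSONS", password=password)
    sw1.change_vlans(add={10, 20, 30})                 # revision 1 on the server
    sw2 = Switch("SW2", mode="client", domain="NETWORKLESSONS", password=password)
    sw2.receive(sw1.advertisement())                   # client now at revision 1

    # In the lab: make SW2 a server, play, delete everything, make it a client again.
    sw2.mode = "server"
    for v in (100, 200, 300):
        sw2.change_vlans(add={v})                      # revisions 2, 3, 4
    sw2.change_vlans(delete={10, 20, 30, 100, 200, 300})   # revision 5, empty database
    sw2.mode, sw2.password = "client", lab_password
    if reset_before_reconnect:
        sw2.reset_revision()

    # Back on the production trunk: both sides hear each other's advertisement.
    overwritten = sw1.receive(sw2.advertisement())     # client with higher revision wins
    sw2.receive(sw1.advertisement())                   # otherwise the server resyncs the client
    return {"overwritten": overwritten, "server_revision": sw1.revision,
            "server_vlans": sorted(sw1.vlans), "client_vlans": sorted(sw2.vlans)}


if __name__ == "__main__":
    print(lab_switch_scenario())                                  # VLANs 10/20/30 wiped
    print(lab_switch_scenario(password="s3cret", lab_password="lab"))  # ignored
    print(lab_switch_scenario(reset_before_reconnect=True))       # client resyncs instead
```

The three calls at the bottom correspond to the story as told, to a lab switch whose password no longer matches production, and to a lab switch whose revision was zeroed before reconnecting. Only the first one leaves SW1 with nothing but the default VLANs.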
One more thing about VTP, let me give you another picture:
You see, we have computers in VLAN 10, 20 and 30. The links between the switches are trunks using the 802.1Q protocol and carrying all VLAN traffic. One of our computers in VLAN 10 sends a broadcast frame. Where do you think this broadcast frame will go?
Broadcast frames must be flooded by our switches, and since our trunks carry all VLANs, this broadcast will go everywhere. However, if you look at the switch in the middle, do you see any computer in VLAN 10? Nope, there’s only VLAN 20 there, which means this broadcast is wasted bandwidth. By enabling VTP pruning, we’ll ensure there is no unnecessary VLAN traffic on trunks when there’s nobody in a particular VLAN. Depending on your switch model, VTP pruning is either turned on or off by default.
Let’s take a look at the configuration of VTP. I will be using three switches for this task. I erased the VLAN database and the startup configuration on all switches.
```
SW1#show vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
```
```
SW2#show vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
```
```
SW3#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
```
All three switches start out the same way: server mode, no domain name, revision 0 and the five default VLANs (1 and 1002 to 1005). That is the state you want a switch to be in before it joins a production VTP domain.
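Since the revision number and the operating mode are exactly what decide whether a switch is safe to plug in, it is worth checking them from `show vtp status` before connecting anything. Below is an added example, not from the lesson, that parses that output and flags what must be fixed first. The two sample outputs are constructed to look like the lesson's: `FRESH_SWITCH` mirrors SW1 above, `LAB_SWITCH` is the switch from the story after its trip to the lab (its domain name, digest and addresses are made up).

```python
"""Parse `show vtp status` and flag a switch that is not safe to connect to a
production VTP domain. Added example, not from the lesson; both sample
outputs below are constructed."""
from __future__ import annotations
import re

# Constructed sample: a freshly erased switch, like SW1 in the lesson.
FRESH_SWITCH = """\
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
"""

# Constructed sample: the lab switch from the story, about to be plugged back in.
LAB_SWITCH = """\
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 5
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : NETWORKLESSONS
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x12 0x34 0x56 0x78 0x9A 0xBC 0xDE 0xF0
Configuration last modified by 192.168.1.2 at 3-1-93 00:12:07
Local updater ID is 192.168.1.2 on interface Vl1 (lowest numbered VLAN interface found)
"""

# "Key : Value" lines have whitespace before the colon; the "last modified ...
# 00:00:00" and "Local updater ID ..." lines do not and are skipped on purpose.
_FIELD = re.compile(r"^([A-Za-z][^:]*?)\s+:\s?(.*)$")


def parse_vtp_status(text: str) -> dict[str, str]:
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line.rstrip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def preflight(status: dict[str, str]) -> list[str]:
    """Warnings that must be cleared before the switch touches a production trunk."""
    mode = status.get("VTP Operating Mode", "").lower()
    revision = int(status.get("Configuration Revision", "0"))
    domain = status.get("VTP Domain Name", "")
    warnings = []
    if mode != "transparent" and revision > 0:
        warnings.append(
            f"revision {revision} > 0 in {mode} mode: if this is higher than production, "
            "every switch in the domain will sync to this database; reset it to 0 first "
            "(set the mode to transparent and back, or change the domain name)")
    if mode != "transparent" and not domain:
        warnings.append(
            "no VTP domain name: the switch will adopt the first domain it hears "
            "on a trunk and sync to that domain's database")
    return warnings


if __name__ == "__main__":
    for label, text in (("fresh", FRESH_SWITCH), ("lab", LAB_SWITCH)):
        for w in preflight(parse_vtp_status(text)) or ["ok"]:
            print(f"{label}: {w}")
```

A transparent switch gets no warnings regardless of its revision number, because it never synchronizes; that is also why flipping a switch through transparent mode is the usual way to zero the counter.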
Hi, thanks. This is a good and useful lesson.
This topic clarifies the different modes beautifully without any boredom.
Why don't we use VTP in every network?
Can we use it in a big network?
You can use it but it has a security risk, a VTP client is able to overwrite the VTP server when its revision number is higher. It’s possible to wipe the VLAN Database on all your switches this way…
That is how one can do it once you have full understanding of the content.
Great job man.
Please help me with CCNA this month.
Can you provide commands for the experiments please?