Introduction to VTP (VLAN Trunking Protocol)

Let’s say you have a network with 20 switches and 50 VLANs. Normally you would have to configure each switch separately and create those VLANs on each and every switch. That’s a time consuming task so there is something to help us called VTP (VLAN Trunking Protocol). VTP will let you create VLANs on one switch and all the other switches will synchronize themselves.


VTP Domain

We have one VTP server, which is the switch where you create, modify or delete VLANs. The other switches are VTP clients. The VTP configuration has a revision number which increases every time you make a change. Every change you make on the VTP server is synchronized to the VTP clients. Oh and by the way, you can have multiple VTP servers, since a VTP server also functions as a VTP client, so you can make changes on multiple switches in your network. In order to make VTP work you need to set up a VTP domain name, which is something you can just make up, as long as you configure it to be the same on all your switches.

This is the short version of what I just described:

  1. VTP adds / modifies / deletes VLANs.
  2. For every change the revision number will increase.
  3. The latest advertisement will be sent to all VTP clients.
  4. VTP clients will synchronize themselves with the latest information.

Besides the VTP server and VTP client there’s also a VTP transparent which is a bit different, let me show you an example:

VTP Modes

Our VTP transparent switch will forward advertisements but will not synchronize itself. You can create VLANs locally on it though, which is impossible on a VTP client. Let’s say you create VLAN 20 on our VTP server, this is what will happen:

  1. You create VLAN 20 on the VTP server.
  2. The revision number will increase.
  3. The VTP server will forward the latest advertisement which will reach the VTP transparent switch.
  4. The VTP transparent will not synchronize itself but will forward the advertisement to the VTP client.
  5. The VTP client will synchronize itself with the latest information.

Here’s an overview of the 3 VTP modes:

                               VTP Server   VTP Client   VTP Transparent
  Create/Modify/Delete VLANs   Yes          No           Only local
  Synchronizes itself          Yes          Yes          No
  Forwards advertisements      Yes          Yes          Yes

Should you use VTP? It might sound useful, but VTP has a big security risk. The problem with VTP is that a VTP server is also a VTP client, and any VTP client will synchronize itself with whichever advertisement carries the highest revision number. The following situation can happen with VTP:

You have a network with a single VTP server and a couple of VTP client switches, everything is working fine but one day you want to test some stuff and decide to take one of the VTP clients out of the network and put it in a lab environment.

  1. You take the VTP client switch out of the network.
  2. You configure it so it’s no longer a VTP Client but a VTP server.
  3. You play around with VTP, create some VLANs, modify some.
  4. Every time you make a change the revision number increases.
  5. You are done playing…you delete all VLANs.
  6. You configure the switch from VTP Server to VTP Client.
  7. You connect your switch to your production network.

What do you think the result will be? The revision number of VTP on the switch we played with is higher than the revision number on the switches in our production network. The VTP client advertises its information to the other switches, they synchronize to the latest information and POOF, all your VLANs are gone! A VTP client can overwrite a VTP server if its revision number is higher, because a VTP server is also a VTP client.

Yes I know this sounds silly, but this is the way it works…very dangerous since you’ll lose all your VLAN information. Interfaces that were assigned to the deleted VLANs won’t fall back to VLAN 1 by default; they stay assigned to a VLAN that no longer exists and float around in no man’s land…
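To make the revision-number behaviour from the mode table and the lab-switch story concrete, here is a small Python model I added; it is not part of the lesson and not Cisco code. It simplifies real VTP (no null-domain adoption, no subset advertisements) and uses a constructed domain name NWL and switch names SW1 to SW3.

```python
# Added toy model (not from the lesson): VTP1/2 revision-number synchronisation.
DEFAULT_VLANS = frozenset({1, 1002, 1003, 1004, 1005})

class Switch:
    def __init__(self, name, mode, domain="", password=""):
        self.name, self.mode = name, mode          # mode: server/client/transparent
        self.domain, self.password = domain, password
        self.revision, self.vlans = 0, set(DEFAULT_VLANS)

    def change_vlans(self, add=(), delete=()):
        """Servers bump the revision per change; transparent edits stay local."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot modify VLANs")
        self.vlans = (self.vlans | set(add)) - set(delete)
        if self.mode == "server":
            self.revision += 1
        return self.revision

    def advertisement(self):
        return dict(domain=self.domain, password=self.password,
                    revision=self.revision, vlans=set(self.vlans))

    def receive(self, adv):
        """A server is also a client: it accepts any higher revision it hears."""
        same_domain = (adv["domain"], adv["password"]) == (self.domain, self.password)
        if self.mode == "transparent" or not same_domain or adv["revision"] <= self.revision:
            return False                           # transparent forwards but never syncs
        self.revision, self.vlans = adv["revision"], set(adv["vlans"])
        return True

def propagate(source, switches):
    """Flood one advertisement over the trunks; return the names that synced."""
    adv = source.advertisement()
    return [sw.name for sw in switches if sw.receive(adv)]

def lab_switch_scenario(reset_before_connecting):
    """Replays the lesson's 7-step story; returns (switches that synced, SW1's VLANs)."""
    prod = [Switch("SW1", "server", "NWL"), Switch("SW2", "client", "NWL")]
    prod[0].change_vlans(add={10, 20, 30})         # production revision 1
    propagate(prod[0], prod[1:])
    lab = Switch("SW3", "server", "NWL")           # the ex-client, now a server in the lab
    for v in (100, 200, 300):
        lab.change_vlans(add={v})                  # revisions 1..3
    lab.change_vlans(delete={100, 200, 300})       # revision 4, empty table
    lab.mode = "client"
    if reset_before_connecting:
        lab.revision = 0  # what changing the domain name (or toggling transparent) does
    return propagate(lab, prod), sorted(prod[0].vlans)
```

Running the scenario without the reset wipes the production VLANs on both switches; with the revision reset to 0 first (on a real switch: change the VTP domain name, or switch to transparent mode and back, before reconnecting) nothing synchronizes.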

One more thing about VTP, let me give you another picture:

VTP Pruning

You see we have computers in VLAN 10, 20 and 30. The links between the switches are trunks using the 802.1Q protocol and carrying all VLAN traffic. One of our computers in VLAN 10 sends a broadcast frame, where do you think this broadcast frame will go?

Broadcast frames have to be flooded by our switches and since our trunks are carrying all VLANs, this broadcast will go everywhere. However if you look at the switch in the middle do you see any computer in VLAN 10? Nope there’s only VLAN 20 there which means this broadcast is wasted bandwidth. By enabling VTP pruning we’ll make sure there is no unnecessary VLAN traffic on trunks when there’s nobody in a particular VLAN. Depending on your switch model VTP pruning is either turned on or off by default.
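The following Python example, which I added and which is not part of the lesson, works out which VLANs pruning removes from each trunk and where a broadcast still travels. The three-switch row and the host placement (VLAN 20 hosts only on the middle switch) are constructed; real VTP pruning only applies to pruning-eligible VLANs 2-1001 and never prunes VLAN 1.

```python
# Added example (not from the lesson): which VLANs VTP pruning removes from each
# trunk, given where the hosts are. Topology and VLAN placement are constructed.
from collections import deque

# Constructed topology: SW1 - SW2 - SW3 in a row, 802.1Q trunks between them.
TRUNKS = [("SW1", "SW2"), ("SW2", "SW3")]
# Constructed host placement: only VLAN 20 hosts hang off the middle switch.
ACCESS_VLANS = {"SW1": {10, 20}, "SW2": {20}, "SW3": {20, 30}}

def neighbours(switch):
    return [b if a == switch else a for a, b in TRUNKS if switch in (a, b)]

def vlans_beyond(frm, to):
    """VLANs with hosts on 'to' or anywhere behind it, never crossing back to 'frm'."""
    seen, queue, needed = {frm, to}, deque([to]), set()
    while queue:
        sw = queue.popleft()
        needed |= ACCESS_VLANS.get(sw, set())
        for n in neighbours(sw):
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return needed

def pruned_vlans(frm, to, all_vlans):
    """VLANs pruning removes from the trunk in the direction frm -> to."""
    return set(all_vlans) - vlans_beyond(frm, to)

def flood(src, vlan, pruning):
    """Trunk links (as 'A->B') that carry a broadcast from src in the given VLAN."""
    carried, seen, queue = [], {src}, deque([src])
    while queue:
        sw = queue.popleft()
        for n in neighbours(sw):
            if n in seen:
                continue
            if pruning and vlan not in vlans_beyond(sw, n):
                continue                      # pruned: nobody behind n is in this VLAN
            carried.append(f"{sw}->{n}")
            seen.add(n)
            queue.append(n)
    return carried
```

With pruning off, a VLAN 10 broadcast from SW1 crosses both trunks; with pruning on it crosses none, because no switch beyond SW2 has a VLAN 10 host, while VLAN 20 traffic still reaches every switch.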

Let’s take a look at the configuration of VTP. I will be using three switches for this task. I erased the VLAN database and the startup-configuration on all switches.

three vtp switches

SW1#show vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

SW2#show vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

SW3#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)



Forum Replies

  1. Hello Abey

    VTP updates are sent out trunk ports regardless of which VLANs are configured on the switches themselves. It doesn’t matter what VLANs are configured on them. So if you have two switches, one VTP server and one VTP client that are not directly connected that have the same VTP domain, version and password, in order for them to sync up their VLAN information, the intermediate switch(es) must either be transparent OR have the same VTP config. VTP is not affected by the initial VLAN configuration of the switches, either intermediate or not, either tra


  2. Hi Laz,

    Thank you very much for your explanation. That is quite good.

    Regards,
    Abc

  3. Hello Michael

    The answer to your question (unfortunately) is yes. If you have a client IN THE SAME DOMAIN with the SAME PASSWORD that has a higher revision number, the servers will all revert to the highest revision number. Just like Rene said, because a VTP server is also a client, it will be updated by any device with a higher revision number.

    Having said that, if one is careful (with the appropriate domain names and passwords) VTP can be very useful. Just be careful.

    Concerning the domain names, if a client does not have a domain name set, then it will a


  4. Thanks much Rene.

    The following is good to know. Thinking back on a failure in my environment the likely cause was because of this.

    “A VTP client can overwrite a VTP server if the revision number is higher because a VTP server is also a VTP client”

    But below indicate this is now fixed in VTP version 3.

    “VTP primary server: only the primary server is able to create / modify / delete VLANs. This is a great change as you can no longer “accidently” wipe all VLANs like you could with VTP version 1 or 2.”

    Rohan
