VLAN Trunking Protocol (VTP)
- MAC dst: 0100.0ccc.cccc
- SNAP = 0xaaaa (code), 0x2003 (type)
- VTP version change – enough to perform on server only (except version 3)
- runs across trunks
- configuration revision number
  - how recent the DB is: the larger, the newer
  - starts at 0
  - transparent mode always has 0
  - equal revisions are treated as the same DB, even if the hash differs
  - reset:
    - state → transparent → server/client: version 1 and 2 only
    - domain name → other unique domain name → old domain name
    - change password: version 3 only
- data storage:
  - NVRAM: vlan.dat
  - transparent mode stores VLAN config in running-config
- does not distribute VLAN status (e.g., shutdown)
- neighborship: version, domain name and password must match
(config)# vtp version <N>
; case sensitive
(config)# vtp domain <NAME>
# show vtp counters
# show vtp interface
; v1/v2 store password in cleartext, v3 – in MD5 hash
# more flash:vlan.dat
# debug sw-vlan vtp events
Defaults
- version 1
- domain NULL
- mode server
- no password
- pruning disabled
- if configuration is default and summary update received, copy revision, domain name and VLANs from update
Modes
- server
  - default
  - can create/modify VLANs
  - synchronizes VLANs with other clients and servers
- client
  - listens to updates
  - can only accept VLANs (exception – client has higher revision number)
  - cannot create VLANs, no manual config available
  - distributes updates further
- transparent
  - does not participate in VTP
  - forwards updates
- off
  - version 3 only
  - does not participate in VTP
  - does not forward updates
; best practice – transparent
(config)# vtp mode server|client|transparent|off
# show vtp status
# show vtp devices
Advertisements
- sent only on trunk interfaces
Summary
- sent every 300s or on change by server
- sent after power on by client
- default Updater identity: lowest-numbered SVI (can be without IP address)
; Updater identity
(config)# vtp interface <INTF>
; PASS case sensitive, secret – cleartext password in running-config
(config)# vtp password <PASS> [secret]
; v1/v2 – cleartext, v3 – MD5 hash
# show vtp password
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Version    |     Type      | Subsets count | Domain length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\                                                               \
/                          Domain name                          /
\                                                               \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Configuration revision number                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|               Updater identity (originating IP)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                       Update timestamp                        |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                                                               |
|                    MD5 digest (hash code)                     |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Domain name: zero-padded to 32 bytes
Subset
- sent on change after Summary by server
- sent after power on by client
- VLAN list
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Version    |     Type      | Subsets seq n | Domain length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\                                                               \
/                          Domain name                          /
\                                                               \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Configuration revision number                 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ --+
|  Info length  |  VLAN status  |   Reserved    | VLAN name len |   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   |
|            VLAN ID            |      MTU size (VLAN max)      |   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   \
|      802.10 Security association ID (SAID) – deprecated       |   > VLAN info
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+   /
\                                                               \   |
/                           VLAN name                           /   |
\                                                               \   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ --+
Domain name: zero-padded to 32 bytes
VLAN name: zero-padded to a multiple of 4 bytes
Request
- used by client to request info:
  - after reload
  - after DB purge
  - after domain name change
  - Summary with larger revision received
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|    Version    |     Type      |   Reserved    | Domain length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\                                                               \
/                          Domain name                          /
\                                                               \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Start advertisement to request|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Domain name: zero-padded to 32 bytes
Join
- unidirectional VTP pruning
- VLAN membership advertisement (VMA)
VTPv1
- VLANs: 1-1005 (ISL restriction)
- does not support private VLANs: manual config only
- transparent:
  - documentation: distributes updates only for own domain, only version 1
  - practice: domain = NULL – forward; domain ≠ NULL – forward only own domain
- if version 3 is detected – update to version 2
- enabled per switch
VTPv2
- VLANs: 1-1005 (ISL restriction)
- does not support private VLANs: manual config only
- transparent:
  - documentation: distributes updates for all domains, any version
  - practice: domain = NULL – forward; domain ≠ NULL – forward only own domain
  - does not check VTP version when forwarding VTP messages
- verifies parameters entered via CLI and SNMP
- TokenRing support
- TLV support: TLVs are forwarded further
- VTP pruning support
- enabled per switch
VTP sync problem
- switch in client/server mode with higher revision number overwrites all VLANs in domain
- ports → unused VLAN
- common case: insert spare switch from lab into production
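An added example, not part of these notes, in Python: parsers for the Summary and Subset advertisements laid out above (using `struct`), plus a check for the sync problem that alerts when a Summary raises the domain's known revision from an updater identity outside a trusted set. The domain, addresses, VLAN names and packets are constructed, and the timestamp and MD5 fields are dummies; the field layout follows the diagrams in these notes.

```python
import struct

# Constructed example (not from the notes): VTP Summary/Subset parsers and a sync-problem check.
SUMMARY, SUBSET = 0x01, 0x02        # VTP message types
SUMMARY_FMT = "!BBBB32sI4s12s16s"   # version, type, followers, domain len, domain, revision, updater, timestamp, MD5
SUBSET_HDR = "!BBBB32sI"            # version, type, sequence, domain len, domain, revision
VLAN_INFO = "!BBBBHHI"              # info len, status, reserved, name len, VLAN ID, MTU, 802.10 SAID

def parse_summary(pkt: bytes) -> dict:
    ver, typ, followers, dlen, dom, rev, upd, ts, md5 = struct.unpack_from(SUMMARY_FMT, pkt)
    if typ != SUMMARY:
        raise ValueError("not a Summary advertisement")
    return {"version": ver, "followers": followers, "domain": dom[:dlen].decode(),
            "revision": rev, "updater": ".".join(map(str, upd)), "md5": md5.hex()}

def parse_subset(pkt: bytes) -> dict:
    ver, typ, seq, dlen, dom, rev = struct.unpack_from(SUBSET_HDR, pkt)
    if typ != SUBSET:
        raise ValueError("not a Subset advertisement")
    off, vlans = struct.calcsize(SUBSET_HDR), []
    while off < len(pkt):
        info_len, status, _rsvd, nlen, vid, mtu, said = struct.unpack_from(VLAN_INFO, pkt, off)
        name = pkt[off + 12:off + 12 + nlen].decode()     # name is zero-padded to a multiple of 4
        vlans.append({"id": vid, "name": name, "mtu": mtu, "said": said, "status": status})
        off += info_len                                    # info len covers the 12-byte header + padded name
    return {"version": ver, "seq": seq, "domain": dom[:dlen].decode(), "revision": rev, "vlans": vlans}

def build_summary(domain: str, rev: int, updater: str, followers: int = 1) -> bytes:
    # Constructed VTPv2 packet; timestamp and MD5 digest are dummies (struct zero-pads the domain to 32 bytes)
    return struct.pack(SUMMARY_FMT, 2, SUMMARY, followers, len(domain), domain.encode(), rev,
                       bytes(map(int, updater.split("."))), b"000000000000", bytes(16))

def build_subset(domain: str, rev: int, vlans: list) -> bytes:
    pkt = struct.pack(SUBSET_HDR, 2, SUBSET, 1, len(domain), domain.encode(), rev)
    for vid, name in vlans:
        padded = name.encode().ljust(-(-len(name) // 4) * 4, b"\0")   # pad to a 4-byte multiple
        # constructed values: status 1 = active, reserved 0, MTU 1500, SAID 100000 + VLAN ID
        pkt += struct.pack(VLAN_INFO, 12 + len(padded), 1, 0, len(name), vid, 1500, 100000 + vid) + padded
    return pkt

def check_sync_risk(summaries: list, trusted_updaters: set) -> list:
    """Alert on a Summary that raises a domain's known revision from an untrusted updater identity:
    that switch would overwrite the whole VLAN database (the 'spare switch from the lab' case)."""
    alerts, highest = [], {}
    for s in map(parse_summary, summaries):
        prev = highest.get(s["domain"], 0)
        if s["revision"] > prev and s["updater"] not in trusted_updaters:
            alerts.append(f"{s['domain']}: revision {prev} -> {s['revision']} from untrusted updater {s['updater']}")
        highest[s["domain"]] = max(prev, s["revision"])
    return alerts
```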
VTPv3
- VLANs: 1-4094
- supports private VLAN distribution
- authentication: hash in lieu of cleartext
- does not learn domain name automatically
- can distribute other DB (e.g., MST)
- server role:
  - secondary:
    - default
    - not allowed to configure VLANs
  - primary:
    - only one server in domain
    - when configured:
      - checks whether another primary server in the domain is active
      - notifies the network once (not repeated later)
    - allowed to configure VLANs
- client role:
  - if own revision number is larger, the network ignores this information
  - accepts VTP update from primary even with lower revision
- can be enabled per trunk
- incompatible with version 1
- only manual config, no autoconfig on detection
; MD5 hash in running-config instead of cleartext, incompatible with v2
(config)# vtp password <PASS> hidden
; disable VTPv3 on trunk
(config-if)# no vtp
Dynamic trunking protocol (DTP)
- trunk is not negotiated if VTP domain names are different
- can negotiate 802.1Q and ISL; ISL is preferred
- sent by trunk ports
- static access ports send DTP only when brought up
- timers:
  - hello: 30s
  - timeout: 300s
- does not support private VLAN, QinQ
; disable DTP
(config-if)# switchport nonegotiate
# show dtp
# show interface <INTF> trunk
VTP pruning
- VTPv2 minimum
- VLAN 2-1001 only: VLAN 1 and extended VLAN not supported
- reduces link load caused by flooding
- Join advertisement: announces VLANs that have ports assigned, i.e. VLANs the switch is interested in
- does not reduce STP load (manual pruning only)
- does not work on transparent switches
- strange behaviour because of unidirectional Joins (UDL from transparent)
- configuration:
  - v2: config on server → distributed in domain
  - v3: manual config
- best practice:
  - manual VLAN filtering: otherwise a rogue switch receives all VLANs
- if no Join received – permit all VLANs (compatibility)
  - breaks pruning
  - usually links towards router
  - manual allowed list in lieu of Join (e.g., to hypervisor)
- VLAN membership advertisement (VMA): list of VLANs that are active on the switch
  - access ports
  - SVIs
  - trunk ports that receive VMA
- VMA trigger:
  - port is assigned to VLAN
  - periodic flood: 6s
; disabled by default
(config)# vtp pruning
; default 2-1001, list of VLANs eligible for pruning
(config-if)# switchport trunk pruning vlan <LST>
# show interface <INTF> pruning