VTP

From cwhite's wiki

VTP v1/v2

  • Used to sync VLAN creation between switches.
  • VTP uses the configuration revision number to decide whether an advertisement carries new information. If an advertisement arrives with a higher revision number than the local one, the VLAN database is replaced (not merged) with the contents of the advertisement. The biggest issue with this is that if any device advertises wrong information with a higher revision number, every switch in the VTP domain overwrites its VLAN database with it. VLANs that disappear from the database take their access ports down with them, because a port assigned to a VLAN that no longer exists goes inactive.
  • Changing the VTP domain name resets the configuration revision number to 0. The new domain name is advertised, but only switches whose VTP domain is still unset (NULL) adopt the first domain name they hear; a switch already configured with a different domain name ignores the advertisement.
  • When moving a switch from client or server mode to transparent mode, the VLANs become locally significant and appear in the running configuration rather than only in the VLAN database (vlan.dat). Moving to transparent mode does not delete the VLANs already in the database, but it does reset the revision number to 0. This is why the usual precaution before connecting a switch to an existing VTP domain is to set it to transparent mode (or change its domain name) and confirm a revision number of 0 in show vtp status.
  • VTP domains must match. In VTPv1, a transparent mode switch sitting between two switches forwards VTP advertisements only if the domain name (and version) in the advertisement match its own. In VTPv2, a transparent switch forwards the advertisements it receives out its trunks without checking the domain name.
  • A VTP domain mismatch also breaks DTP. During negotiation, DTP checks that the adjacent switches have identical VTP domain names and refuses to bring up a dynamically negotiated trunk between switches with different domains, because a trunk between two different sets of VLANs can blackhole traffic. Trunks configured statically with switchport mode trunk and switchport nonegotiate are not affected by this check.
  • IMPORTANT: in VTPv1/2, a client mode switch can overwrite the VLAN database of every other VTP device in the domain (servers and clients). For this to happen, the client only needs the same domain name (and password, if one is set) and a higher revision number than the servers. Typically this happens when the switch first comes online: it sends a summary advertisement, the other switches see the higher revision number and reply with an advertisement request, and the client answers with subset advertisements carrying its VLAN database, which the others install. A decommissioned or lab switch whose revision number has climbed over months of VLAN edits is the classic source.

Modes

Server
Create VLANs and advertise VLANs on trunk links.
Client
Cannot create VLANs but listens for advertisements and sends out advertisements on trunk links.
Transparent
Creates locally significant VLANs. Does not install VLANs from advertisements it receives but will pass the advertisements along on trunk links.

Authentication

VTP v1 and v2 support authentication via a password. To enable VTP authentication, use the global command vtp password $PASS; the password must match on all switches participating in the VTP domain. The password itself is not sent on the wire: it is folded into the 16-byte MD5 digest carried in summary advertisements, and a receiver discards advertisements whose digest does not match the one it computes from its own password. After setting the password, check that the MD5 digest line in show vtp status is identical on every switch in the domain; if it is not, the password was entered differently somewhere (show vtp password displays the configured password in clear text on v1/v2, which is itself a reason to prefer the hidden passwords of v3). Note what the password does not do: it stops an unknown or unconfigured switch from injecting VLANs, but it does not protect against the higher-revision scenario above when the offending switch was legitimately configured with the domain password.
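The two points above (the revision-number rule that lets a client mode switch replace every database in the domain, and the digest check the password adds) can be walked through in code. The following is an added example, not code from the original page or from Cisco: it builds constructed VTP v1/v2 summary and subset advertisements, parses them, and applies the acceptance rule a switch uses. The header layouts follow Cisco's documented message formats (summary: version, code, followers, domain length, 32-byte domain, revision, updater identity, 12-byte timestamp, 16-byte MD5 digest; subset: version, code, sequence, domain length, domain, revision, then VLAN info fields). The digest function is an illustrative stand-in and not Cisco's real derivation, and the VLAN info encoding (length treated as a byte count, name padded to a 4-byte multiple) is simply what the builder here emits; the domain name, password, VLAN numbers and the 10.0.0.1 updater address are made up.

```python
"""VTP v1/v2 advertisements and the revision-number rule (added example).

Constructed frames only. Header layouts follow Cisco's documented formats;
stand_in_digest is NOT Cisco's real digest derivation.
"""
import hashlib
import struct

VTP_SUMMARY, VTP_SUBSET = 0x01, 0x02
SUMMARY_FMT = "!BBBB32sI4s12s16s"   # 72 bytes: ver, code, followers, dlen, domain,
                                    # revision, updater IPv4, timestamp, MD5 digest
SUBSET_HDR_FMT = "!BBBB32sI"        # 40 bytes: ver, code, seq, dlen, domain, revision
VLAN_INFO_FMT = "!BBBBHHI"          # 12 bytes: info len, status, type, name len,
                                    # VLAN id, MTU, 802.10 SAID; padded name follows


def stand_in_digest(domain: bytes, revision: int, password: str) -> bytes:
    """Stand-in only: enough to show that a receiver can reject a frame whose
    digest does not match what it derives from its own password."""
    return hashlib.md5(domain + struct.pack("!I", revision) + password.encode()).digest()


def build_summary(domain, revision, password, followers=1, updater=b"\x0a\x00\x00\x01"):
    d = domain.encode()
    return struct.pack(SUMMARY_FMT, 2, VTP_SUMMARY, followers, len(d), d.ljust(32, b"\0"),
                       revision, updater, b"\0" * 12, stand_in_digest(d, revision, password))


def build_subset(domain, revision, vlans, seq=1):
    d = domain.encode()
    frame = struct.pack(SUBSET_HDR_FMT, 2, VTP_SUBSET, seq, len(d), d.ljust(32, b"\0"), revision)
    for vlan_id, name in sorted(vlans.items()):
        n = name.encode()
        padded = n.ljust(-(-len(n) // 4) * 4, b"\0")        # name padded to 4-byte multiple
        frame += struct.pack(VLAN_INFO_FMT, 12 + len(padded), 1, 1, len(n),
                             vlan_id, 1500, 100000 + vlan_id) + padded
    return frame


def parse_summary(frame: bytes) -> dict:
    ver, code, followers, dlen, dom, rev, upd, _ts, digest = struct.unpack(SUMMARY_FMT, frame[:72])
    if code != VTP_SUMMARY:
        raise ValueError("not a summary advertisement")
    return {"version": ver, "followers": followers, "domain": dom[:dlen], "revision": rev,
            "updater": ".".join(str(b) for b in upd), "digest": digest}


def parse_subset(frame: bytes) -> dict:
    ver, code, seq, dlen, dom, rev = struct.unpack(SUBSET_HDR_FMT, frame[:40])
    if code != VTP_SUBSET:
        raise ValueError("not a subset advertisement")
    vlans, off = {}, 40
    while off + 12 <= len(frame):
        info_len, _st, _type, name_len, vlan_id, _mtu, _said = struct.unpack(
            VLAN_INFO_FMT, frame[off:off + 12])
        if info_len < 12:
            raise ValueError("bad VLAN info length")
        vlans[vlan_id] = frame[off + 12:off + 12 + name_len].decode()
        off += info_len
    return {"version": ver, "seq": seq, "domain": dom[:dlen], "revision": rev, "vlans": vlans}


class VtpSwitch:
    """Database logic shared by server and client mode in v1/v2: a same-domain,
    correctly digested summary with a higher revision triggers an advertisement
    request, and the subset that follows REPLACES the whole database."""

    def __init__(self, domain: str, password: str, revision: int, vlans: dict):
        self.domain, self.password = domain.encode(), password
        self.revision, self.vlans, self.log = revision, dict(vlans), []

    def on_summary(self, frame: bytes) -> bool:
        s = parse_summary(frame)
        if s["domain"] != self.domain:
            self.log.append("ignored: domain mismatch")
            return False
        if s["digest"] != stand_in_digest(self.domain, s["revision"], self.password):
            self.log.append("ignored: MD5 digest mismatch (password differs)")
            return False
        if s["revision"] <= self.revision:
            self.log.append(f"ignored: revision {s['revision']} <= local {self.revision}")
            return False
        self.log.append(f"revision {s['revision']} > {self.revision}: advertisement request sent")
        return True                      # the sender now answers with subset advertisements

    def on_subset(self, frame: bytes) -> bool:
        s = parse_subset(frame)
        if s["domain"] != self.domain or s["revision"] <= self.revision:
            return False
        self.vlans, self.revision = s["vlans"], s["revision"]   # replaced, not merged
        self.log.append(f"database replaced at revision {self.revision}: VLANs {sorted(self.vlans)}")
        return True


def demo() -> VtpSwitch:
    """Production server at revision 17 meets a lab switch in CLIENT mode that
    knows the domain password but carries revision 80 and only VLANs 1 and 99."""
    server = VtpSwitch("CORP", "s3cret", 17, {1: "default", 10: "users", 20: "servers", 30: "voice"})
    if server.on_summary(build_summary("CORP", 80, "s3cret")):
        server.on_subset(build_subset("CORP", 80, {1: "default", 99: "lab"}))
    return server                        # VLANs 10/20/30 are gone; their access ports go inactive


if __name__ == "__main__":
    print("\n".join(demo().log))
```

Nothing in VtpSwitch asks whether the sender is a server or a client; the same code path runs on both, which is why a client mode switch with a stale high revision is as dangerous as a rogue server. Swapping the password (wrong digest), the domain name, or a lower revision into build_summary each makes on_summary return False, which is exactly the set of checks a v1/v2 receiver has available.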

Pruning

  • When you enable VTP pruning on the VTP server, all switches in the VTP domain receive the VTP update message and turn pruning on.
  • Automatically exchanges what VLANs are configured locally so the VLANs that are not configured can be pruned off the trunk.
  • Reduces unnecessary replication of broadcasts, unknown unicasts and unknown multicasts.
  • The VLAN pruning list does not need to be symmetrical.
  • Only supported in server and client mode.
  • For VTP version 1 and version 2, you cannot prune extended VLANs. Only VLANs 2 to 1001 can be pruned; VLAN 1 and the reserved VLANs 1002-1005 are always carried. Within that range, only VLANs that are "prune eligible" are pruned; by default all of 2-1001 are eligible. To edit the prune eligible list, use the "switchport trunk pruning vlan" command on the interface.
  • To configure VTP pruning, go into global configuration mode and run "vtp pruning".
  • If a switch sends a pruning request on a trunk and receives no reply (for example a trunk to a hypervisor, which does not speak VTP), it treats that neighbor as needing all VLANs, and it then asks every neighbor on its other trunks for traffic for all VLANs as well, even on the trunks that do support pruning. When such a trunk is added, "Vlan traffic requested of neighbor" in "show interface pruning" changes from a few VLANs to all VLANs on every trunk port. To fix this, manually restrict the trunks that do not support VTP pruning with the "switchport trunk allowed vlan" interface command. Pruning then resumes on the trunks that do support it, since the switch now knows the non-VTP neighbor only needs traffic for the VLANs you specified.
  • In some cases, a switch in transparent mode still passes along VTP pruning messages, which can cause issues. For example, take SW1, SW2 and SW3 with SW2 (transparent) sitting between SW1 and SW3. SW2 participates in VLANs 10, 20 and 30, SW1 only uses VLAN 10 and SW3 only uses VLAN 30. SW1 sends a pruning message saying it needs traffic only for VLAN 10. SW2 receives the message and forwards it to SW3, and SW3 prunes every VLAN except 10 off its trunk to SW2, because that is what the pruning message it received from SW1 asked for. Now if SW2 sends traffic to a host in VLAN 30 on SW3, it is blackholed: SW3 pruned VLAN 30 off the trunk because of SW1's prune message.
  • Because of these issues between transparent mode switches and pruning, transparent mode switches should not be used in a VTP domain with VTP pruning enabled.
To verify
show interface trunk
show interface pruning
show interface switchport


When running "show interface pruning"
Vlans pruned for lack of request by neighbor - These are the VLANs that are being pruned on the trunk link since the adjacent switch did not ask to receive traffic for the VLANs.
Vlan traffic requested of neighbor - These are the VLANs that the local switch is requesting to receive traffic for.
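Putting the pruning points above together, here is an added configuration example (not from the original page) for a v1/v2 server with one trunk to a VTP-capable switch and one to a hypervisor that never answers pruning requests. The domain name, interface numbers and VLAN IDs are made up; the command names are standard IOS.

```cisco
! Added example, not from the original page. Names, interfaces and VLANs are made up.
vtp domain CORP
vtp mode server
vtp pruning
!
! Trunk to a VTP-capable switch: leave pruning to VTP. The default prune-eligible
! list is 2-1001; VLAN 1 and 1002-1005 are never pruned. Removing a VLAN from the
! eligible list keeps it flooded on this trunk regardless of join messages.
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk pruning vlan remove 100
!
! Trunk to a hypervisor that does not speak VTP: with no allowed list this port
! makes the switch request every VLAN from all its other neighbors (pruning is
! effectively lost everywhere). Allow only what the hosts behind it need.
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 20,30
!
! Verify. On Gi1/0/1, "Vlan traffic requested of neighbor" should again list
! only the VLANs in use, not every VLAN, after the allowed list is applied.
! show vtp status
! show interfaces pruning
! show interfaces trunk
```

The allowed list on the hypervisor trunk is what restores pruning on the other trunks: the switch now knows exactly which VLANs that neighbor needs, so it no longer has to request all of them upstream.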

VTP v3

VTPv3 is the version to run where VTP is used at all, as it adds several security enhancements over v1/v2.

  • With VTPv3, you must enable VTP pruning on every switch in the VTP domain. In VTPv1/2, you were able to enable VTP pruning on the VTP server and that would enable VTP pruning on all other switches in the VTP domain; this is not the case in v3.
  • VTPv3 is backwards compatible with VTPv2.
  • There are two different server roles, primary server and secondary server. Only the primary server is able to make updates to the VLAN database; secondary servers receive the updates but cannot make changes. Every v3 server starts as a secondary server, and a switch becomes primary only when an administrator runs the privileged EXEC command vtp primary on it, so a newly connected switch can no longer take over the database on its own.
  • Adds the ability to advertise extended VLANs, private VLANs and MST configurations.
  • Adds the ability to completely disable VTP (vtp mode off) or to disable it link by link. This fixes the pruning issues described above, as you can now go to the trunks attached to hypervisors and run the interface command no vtp, which disables VTP on that trunk only.
  • Adds the ability to create hidden passwords (vtp password $PASS hidden). Only the hash is stored and shown, so show vtp password no longer reveals the plaintext as it does in v1/v2.
  • VTP pruning only works with the first 1001 VLANs.
  • Primary server status is lost if the device reloads or domain parameters change, even when a password is configured on the switch. When a hidden password is configured, vtp primary prompts for the password before the switch can take over, so knowing the domain name alone is not enough.
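As an added configuration example (not from the original page), this is how the v3 controls above fit together: a primary server with a hidden password, secondary servers that cannot take over on their own, VTP switched off on a hypervisor-facing trunk, and a switch excluded from VTP entirely. Hostnames, interface numbers and the password are made up; the commands are standard IOS VTPv3 syntax.

```cisco
! Added example, not from the original page. Names, interfaces and the password are made up.
!
! --- Switch that is to own the VLAN database ---
vtp version 3
vtp domain CORP
vtp mode server
vtp password S3cretVtpPw hidden
!
! Primary status is claimed from privileged EXEC, not configuration. It is lost
! on reload or when domain parameters change, and with a hidden password the
! command prompts for the password before taking over.
! Switch# vtp primary vlan
!
! --- Every other VTP switch in the domain ---
! v3 servers stay secondary until someone runs "vtp primary" on them, so a
! switch with a high revision number can no longer push its database.
vtp version 3
vtp domain CORP
vtp mode server
vtp password S3cretVtpPw hidden
!
! Trunk to a hypervisor or other non-VTP device: stop VTP on this link only,
! instead of restricting the allowed VLAN list to get pruning back (v1/v2 fix).
interface GigabitEthernet1/0/2
 switchport mode trunk
 no vtp
!
! --- Access switch that should not take part in VTP at all (v3 only) ---
vtp version 3
vtp mode off
!
! Verify: primary ID, configuration revision and MD5 digest per feature.
! show vtp status
! show vtp devices
```

The password is entered identically on every switch, but because it is hidden, show vtp password prints only the hash; the digest line of show vtp status is still the quick way to confirm all switches agree.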