Every aspiring CCIE knows this one. VTP has 3 versions, of which one we don’t have available in the lab – version 3. Versions 1 and 2 behave differently when the switch is configured in VTP transparent mode. This blog takes a stab at that established truth.
Theory
Some books and Cisco documentation will tell us different things. For example, the latest official exam guide for the CCNP SWITCH exam (still the best study material for switching theory, regardless of a few blunders) has this to say:
In VTP version 1, a transparent mode switch does not even relay VTP information it receives to other switches unless its VTP domain names and VTP version numbers match those of the other switches. In VTP version 2, transparent switches do forward received VTP advertisements out of their trunk ports, acting as VTP relays. This occurs regardless of the VTP domain name setting.
On the other hand, Cisco documentation for Catalyst 3560 has the following to say about transparent VTP:
VTP transparent switches do not participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP Version 2, transparent switches do forward VTP advertisements that they receive from other switches through their trunk interfaces. You can create, modify, and delete VLANs on a switch in VTP transparent mode.
A little further in the same document:
Version-Dependent Transparent Mode—In VTP Version 1, a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match. Because VTP Version 2 supports only one domain, it forwards VTP messages in transparent mode without inspecting the version and domain name.
I don’t know about you, but I am a little bit confused as to how VTP transparent actually works after reading this. Luckily, I do have a few Catalyst 3560s in ProctorLabs I can test this on.
Testbed
In order to test the behavior of VTP, let’s quickly build the topology for testing. I will use the one depicted in the diagram below.

We will also configure some basic stuff on all of the involved switches. Things like hostnames, ensuring that only interfaces we need are used and that they are trunks. Since we’ll be messing with VTP in this blog, we can’t rely on DTP.
Cat2:
hostname Cat2
!
interface range FastEthernet0/1 - 24 , GigabitEthernet0/1 - 2
 shutdown
!
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
 no shutdown
!
Cat3:
hostname Cat3
!
interface range FastEthernet0/1 - 24 , GigabitEthernet0/1 - 2
 shutdown
!
interface range FastEthernet0/19 , FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!
interface Vlan1
 ip address 10.0.0.3 255.255.255.0
 no shutdown
!
Cat4:
hostname Cat4
!
interface range FastEthernet0/1 - 24 , GigabitEthernet0/1 - 2
 shutdown
!
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!
interface Vlan1
 ip address 10.0.0.4 255.255.255.0
 no shutdown
!
We are now ready to play around with VTP.
Basic VTP Configuration
Before we start testing transparent VTP, let’s apply some basic VTP configuration: all three switches in the IPexpert domain and in server mode, for example.
Cat2, Cat3 and Cat4:
vtp domain IPexpert
vtp mode server
With that done, let’s make a VLAN on Cat2 and see if it’s created on Cat4.
Cat2(config)#vlan 100
Cat2(config-vlan)#name Test-1
Cat2(config-vlan)#exit
Cat4#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/24, Gi0/1
Gi0/2
100 Test-1 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
That worked, just as we expected it would. It’s time to play with transparent mode on Cat3.
Transparent VTP, Version 1
Let’s change VTP to transparent on Cat3 and see if it will forward updates from Cat2 to Cat4.
Cat3(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Cat3(config)#exit
Cat3#show vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
VTP Operating Mode : Transparent
VTP Domain Name : IPexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xA6 0xD7 0xCE 0x39 0x15 0x45 0xF0 0x11
Configuration last modified by 10.0.0.2 at 3-1-93 15:52:42
Excellent, Cat3 is now a VTP version 1 transparent switch with revision 0. Let’s create another VLAN on Cat2 and see whether it is created on Cat4. This should work according to the quoted documentation.
Cat2(config)#vlan 101
Cat2(config-vlan)#name Test-2
Cat2(config-vlan)#exit
Cat4#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/24, Gi0/1
Gi0/2
100 Test-1 active
101 Test-2 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
Excellent. Let’s now change the domain to “ipexpert” on Cat3 and see what happens. We’ll also enable some debugging.
Cat3(config)#vtp domain ipexpert
Cat3(config)#exit
Cat3#show vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
VTP Operating Mode : Transparent
VTP Domain Name : ipexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xD1 0x64 0xC3 0xC6 0x6C 0x98 0xBD 0xB5
Configuration last modified by 10.0.0.2 at 3-1-93 15:52:42
That’s all set. So, let’s make another VLAN on Cat2 and observe what happens. Since we’re using VTP version 1, according to documentation, this should not work, due to domain mismatch.
Cat2(config)#vlan 102
Cat2(config-vlan)#name Test-3
Cat2(config-vlan)#exit
Look at Cat3.
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/19 - not in domain IPexpert
Is there VLAN 102 on Cat4?
Cat4#show vlan id 102
VLAN id 102 not found in current VLAN database
So far so good. We proved that a VTP transparent switch will only forward VTP updates that are in the same domain. How about VTP version 2?
Transparent VTP, Version 2
Let’s change the configuration on our Cat3 back to domain IPexpert, but change the version to 2.
Cat3(config)#vtp version 2
Cat3(config)#vtp domain IPexpert
Cat3(config)#exit
Cat3#show vtp status
VTP Version : running VTP2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
VTP Operating Mode : Transparent
VTP Domain Name : IPexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x04 0xAF 0x40 0x22 0x73 0x39 0x2E 0xE8
Configuration last modified by 10.0.0.3 at 3-1-93 15:52:42
VTP LOG RUNTIME: Relaying packet received on trunk Fa0/19 - in TRANSPARENT MODE (nc = false)
VTP LOG RUNTIME: Relaying packet received on trunk Fa0/23 - in TRANSPARENT MODE (nc = false)
Great stuff. Not only are we running VTP version 2 now, but it would appear that the update from Cat2 was relayed to Cat4. Let’s make sure.
Cat4#show vlan id 102
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
102 Test-3 active Fa0/23

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
102 enet 100102 1500 - - - - - 0 0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
From this, we can conclude that VTP running version 2 will indeed relay updates sent by VTP version 1, ignoring the version. Interesting. How about the claim that it will relay these updates if domains don’t match?
Cat3(config)#vtp domain ipexpert
Cat3(config)#exit
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/19 - not in domain IPexpert
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/23 - not in domain IPexpert
Come again? Didn’t the official documentation say this is OK? Let’s try to be more explicit. Time for VLAN 103 to start its mission.
Cat2(config)#vlan 103
Cat2(config-vlan)#name Test-4
Cat2(config-vlan)#exit
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/19 - not in domain IPexpert
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/19 - not in domain IPexpert
Let me quote that piece of documentation again.
Because VTP Version 2 supports only one domain, it forwards VTP messages in transparent mode without inspecting the version and domain name.
I’m sorry, but I disagree and I have the configuration to prove it!
Let’s not stop here. What if Cat2 and Cat4 were also running VTP version 2? Perhaps that will change things? Let’s try.
Cat2(config)#vtp version 2
Cat2(config)#exit
Cat2#show vtp status
VTP Version : running VTP2
Configuration Revision : 5
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
VTP Operating Mode : Server
VTP Domain Name : IPexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x9A 0x99 0xE7 0x53 0x9C 0xFE 0x00 0xF7
Configuration last modified by 10.0.0.2 at 3-1-93 16:25:13
Local updater ID is 10.0.0.2 on interface Vl1 (lowest numbered VLAN interface found)
Cat4(config)#vtp version 2
Cat4(config)#exit
Cat4#show vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : IPexpert
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xCE 0x26 0x0C 0x27 0xFD 0x98 0xF6 0x20
Configuration last modified by 10.0.0.4 at 3-1-93 16:26:00
Local updater ID is 10.0.0.4 on interface Vl1 (lowest numbered VLAN interface found)
While we were busy changing all that, Cat3 was also busy.
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/23 - not in domain IPexpert
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/19 - not in domain IPexpert
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/19 - not in domain IPexpert
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/23 - not in domain IPexpert
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/23 - not in domain IPexpert
It was very busy telling us that it will not behave in the documented way.
One more thing. What if Cat2 and Cat4 are VTP version 2 and Cat3 is VTP version 1? Let’s see.
VTP version 1, Relaying VTP Version 2
Cat3(config)#vtp version 1
Cat3(config)#vtp domain IPexpert
Cat3(config)#exit
VTP LOG RUNTIME: Relaying packet received on trunk Fa0/19 - in TRANSPARENT MODE (nc = false)
VTP LOG RUNTIME: Relaying packet received on trunk Fa0/23 - in TRANSPARENT MODE (nc = false)
Fair enough. Let’s see if Cat4 has all the VLANs we need.
Cat4#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/24, Gi0/1
Gi0/2
100 Test-1 active
101 Test-2 active
102 Test-3 active
103 Test-4 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
Let’s change the domain name on Cat3 and see if that works.
Cat3(config)#vtp domain ipexpert
Cat3(config)#exit
Time for VLAN 104.
Cat2(config)#vlan 104
Cat2(config-vlan)#name Test-5
Cat2(config-vlan)#exit
And Cat3, as expected, tells us ¡no pasarán!
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/19 - not in domain IPexpert
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/19 - not in domain IPexpert
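The checks done by hand in this lab can be scripted. The following Python is an added example, not part of the original post: it audits collected show vtp status output for transparent switches whose domain name differs from the servers' (the condition that made Cat3 drop updates above) and tallies the relay and drop debug lines per trunk. The sample inputs are constructed in the formats shown above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: "show vtp status" fields in the layout shown on this page.
STATUS = {
    "Cat2": "VTP Version : running VTP2\nConfiguration Revision : 5\n"
            "VTP Operating Mode : Server\nVTP Domain Name : IPexpert\n",
    "Cat3": "VTP Version : running VTP2\nConfiguration Revision : 0\n"
            "VTP Operating Mode : Transparent\nVTP Domain Name : ipexpert\n",
    "Cat4": "VTP Version : running VTP2\nConfiguration Revision : 4\n"
            "VTP Operating Mode : Server\nVTP Domain Name : IPexpert\n",
}
# Constructed sample: debug lines in the format Cat3 printed above.
DEBUG = """\
VTP LOG RUNTIME: Relaying packet received on trunk Fa0/19 - in TRANSPARENT MODE (nc = false)
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/19 - not in domain IPexpert
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/23 - not in domain IPexpert
VTP LOG RUNTIME: Dropping packet received on trunk Fa0/19 - not in domain IPexpert
"""

def parse_status(text):
    """Return the 'Field : value' pairs of a show vtp status dump as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit_domains(statuses):
    """Flag transparent switches whose domain differs from the servers' domain."""
    parsed = {name: parse_status(t) for name, t in statuses.items()}
    server_domains = {p["VTP Domain Name"] for p in parsed.values()
                      if p["VTP Operating Mode"] == "Server"}
    findings = []
    for name, p in parsed.items():
        dom = p["VTP Domain Name"]
        if p["VTP Operating Mode"] != "Transparent" or dom in server_domains:
            continue
        # VTP domain names are case-sensitive: "ipexpert" != "IPexpert".
        case_only = any(dom.lower() == s.lower() for s in server_domains)
        findings.append((name, dom, "case-only mismatch" if case_only else "mismatch"))
    return findings

LOG_RE = re.compile(r"VTP LOG RUNTIME: (Relaying|Dropping) packet received on trunk (\S+)")

def relay_summary(debug_text):
    """Count relayed and dropped VTP packets per trunk."""
    return Counter((m.group(2), m.group(1)) for m in LOG_RE.finditer(debug_text))

if __name__ == "__main__":
    print(audit_domains(STATUS))
    print(relay_summary(DEBUG))
```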
Conclusion
The only thing I can say after this exercise is that the Catalyst 3560, the only switch we care about in the CCIE R&S exam, behaves the same way in VTP version 1 and VTP version 2 transparent mode with regard to relaying VTP updates.
What do you think? Myth busted?
–
Marko Milivojevic – CCIE #18427
Senior Technical Instructor – IPexpert
Join our Online Study List








So, if I understand this correctly, VTP v2 transparent mode will forward VTP advertisements only if in same domain and same with v1?
I wonder if pre 12.4 or even earlier the myth was correct?
Well, switches don’t have 12.4, yet. This was tested on 12.2SE, which is one of the latest releases (there are other 12.2 trains on Catalysts).
I doubt behavior is much different, though.
–
Marko Milivojevic – CCIE #18427
Senior Technical Instructor – IPexpert
Hi,
This consistent inconsistency has been for a while. The Documentation is wrong but the behavior hasn’t been updated for older switches. Tassos posted some info on this sometime back…
http://ccie-in-3-months.blogspot.com/2008/05/passing-vtp-advertisements-through-vtp.html
http://ccie-in-3-months.blogspot.com/2008/07/cco-documentation-errors-vtp-v2.html
Myth Busted
What about V3, will it forward if domains don’t match?
VTPv3 is very different in many aspects and I cannot say without trying. At this moment I don’t have access to any equipment that supports v3. If you have access to some switches that support it, try it out and let us know!
–
Marko Milivojevic – CCIE #18427
Senior Technical Instructor – IPexpert
Nice write up, but what if you’re asked a question along those lines in the CCIE written (or SWITCH for that matter). Do you answer what you know, what you’ve tested and what you’ve proved. Or do you answer what’s documented?? Is it right or wrong??
It’s a tricky question you ask. Those are not open-ended questions. I would definitely answer what the documentation says and leave the comment for the question explaining the real life.
If you are faced with this as the OEQ, you can answer properly, giving book and real-life answers :-)
–
Marko Milivojevic – CCIE #18427
Senior Technical Instructor – IPexpert
awesome article, thanks for taking the time to write this!
You could have explained it patiently; it could be more beneficial to everybody. You have mentioned server – transp – server; you could have had more fun with server – transp – client.
In the SWITCH book they also mention in a short blurb that VTP transparent mode is recommended for all switches in a switch fabric that is sensitive/critical (i.e. a data center) as to prevent the well known problems where a new VTP client or server can come online in some situations and overwrite the existing VLAN DB on other switches by advertising summaries with higher revision numbers.
Interestingly enough, in the Arch Exam (CCDP – Design) Cisco recommends ALL switches in ANY switch fabric should run in VTP transparent mode (effectively turning VTP OFF on your network) because of several reasons:
1. The VLAN DB Overwrite issue.
2. The fact that networks tend to run on the 20/80 rule now and not the 80/20 rule. Most traffic will be routed making individual switch fabrics smaller in terms of vlans.
3. For security: To minimize the advertisement of information about the network that an attacker can gain through VTP.
4. Global VLANs are no longer recommended and trunking should not traverse the network core layer.
5. And finally, because most switch fabrics should be small and confined to a single closet where only two VLANs exist (Data and Voice) with the exception of things like DCs and the like.
So in the end I don’t care much about VTP because truly it is a protocol that has a history of problems in many facets and no longer benefits the network. It should be turned off. If most of your switches in a properly config’d network just need two VLANs then you should manually configure them. It’s not like you don’t have to manually configure other things on these switches anyway. Unfortunately, VTP is still on many networks just as are Global VLANs. I could cite the reasons for this but it would just be derogatory.
Now in ending, I’m not saying that you talking about VTP is a bad thing because VTP *is* on these exams and you have to study it. I just like to spread the news on VTP and that I think we should get rid of it. I really think it is sticking around like a bad urban legend.
Cheers,
Mark (CCNP, CCIE Student)
P.S. If anyone has any reasons why they think I’m wrong here I’d love to hear it. And sorry if I’m too off topic for the thread.
Hi to all :
For Mark Delong: “It should be turned off. If most of your switches in a properly config’d network just need two VLANs then you should manually configure them.”
I’m OK with that … Where I work we have two core switches and a medium enterprise with 84 VLANs … even if it (VTP) has many problems, how can I manage such a burden? And for many others the need for many VLANs is a necessity.
that is it I wanted to say … :)