VTP – Is it on by default? IMPORTANT default behaviors, while demonstrating a simple VTP configuration (and breaking it)!

[Figure VTP_Top_1: lab topology diagram]

After truly resetting all switches so no VLANs exist outside the defaults, no trunks are configured, etc., I will build the above Topology through this segment (though I may only work on portions and lead up to it as a whole at the end).

Now, for those who haven’t tested for CCNA recently, VTP comes in three versions (v1 / v2 / v3), and a switch can be in one of four VTP modes, which will be covered later.

I bring this up to discuss a default behavior I’ve really had to dig into to get a coherent answer that made sense – is VTP turned on by default like CDP? It’s semi-complex.

Every switch technically has it turned “On” by default, for example after my switch reset:

SW1#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 1ce6.c7c1.c800
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
————–
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 0
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC
SW1#

In my courses the instructor has been saying it’s not “On” by default, which I think he may have meant as “Enabled”, because it is definitely running on all 3 switches that were completely reset. I highlighted in red some of the default states it will be in, including:

  • Server Mode
  • Domain name NULL
  • No password

For the last two reasons it cannot talk VTP with other switches: if it does not have their domain / password configured it won’t be able to talk with them (such as when it is still in the NULL domain).

So technically it is on / enabled / running by default on a new switch, but is non-responsive / catatonic to the network by default. To enable it, you only need to add a VTP domain name, NOT a password!

That out of the way, VTP is solely a point-to-point Trunking protocol for switches, and has absolutely no interaction with any network endpoints or hosts.

Its purpose is to give switches that do not have a VLAN manually configured knowledge of its existence, so that if a switch receives a frame tagged for that VLAN it has some direction on where to send it; if it does not know the VLAN, the frame is discarded.

I did verify this time that all VLANs are reset, these switches are new as the day Cisco birthed them into this world!

So all 3 switches have no configuration outside of a hostname and ‘no exec-t’ on line con 0, so let’s take a look at why VTP is useful:

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 12
SW1(config-vlan)#
ASR#2
[Resuming connection 2 to sw2 … ]

SW2#sh vlan brief

VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active Fa1/0/1, Fa1/0/2, Fa1/0/3
Fa1/0/4, Fa1/0/5, Fa1/0/6
Fa1/0/7, Fa1/0/8, Fa1/0/9
Fa1/0/10, Fa1/0/11, Fa1/0/12
Fa1/0/13, Fa1/0/14, Fa1/0/15
Fa1/0/16, Fa1/0/17, Fa1/0/18
Fa1/0/19, Fa1/0/20, Fa1/0/21
Fa1/0/22, Fa1/0/23, Fa1/0/24
Gi1/0/1, Gi1/0/2
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
SW2#

That would be why. Once I add interface Fa 1 and 2 from switches 1 and 3 into that VLAN and they try to ping each other, all VLANs will be allowed by default across the local Trunk.

However once SW2 receives a frame tagged with VLAN 12 and has no idea who VLAN 12 is, it will discard the frame, and we CCNP’s know this issue is unacceptable at best.

I’ll spare the CLI output, but I went ahead and made Fa1/0/10 a Trunk port between SW1 and SW2, and verified SW2 still does not see VLAN 12, it has not propagated over the Trunk.

Now it CAN be manually created, and that will then allow traffic to pass as well, however the point of VTP (like routing protocols) is to share the most accurate and up to date information of the network.

As a real world note, this is actually how I generally see VLANs created and administered in small to medium businesses: by manual configuration. In my real-world experience VTP is more for the scalability of an Enterprise type network, so there is nothing wrong with manually configuring a VLAN on switches that do not have any interfaces in that VLAN (and in fact VTP may create more headaches than it solves out in the wild).

For on the job or an interview, if I were asked something where a simple manual VLAN could be configured or deploying VTP across all switches I would say manual VLAN every time (unless I am applying at Cisco).

But I digress, and I only say that because I hate when people transition topics by saying “But I digress”, so let’s discuss dynamically creating VLANs across switches.

It is done by configuring the desired switches in the network with the same VTP Domain Name, which places them in what is called the same “Management Domain”, or more commonly a “VTP domain”. All switches in this domain (SW1 / 2 / 3 in this case) will share VLAN information with each other dynamically.

The sharing of VLAN information goes both ways, so it will also let other switches in the VTP Domain know when a VLAN is deleted, and they will all synchronize their VTP databases to make sure they are all on the same page. That is the output seen near the top of this post from “sh vtp status”, though VTP is barely enabled right at the moment, so we will look much more into that information soon.

Another very important note about VTP is that it will only share information with switches in ITS domain; if other VTP domains exist on the same network, it will not share any information with those domains.

There is no configuring any kind of redistribution in VTP like there is with routing; it only exchanges info within its domain, which is very important to note!

So let’s set up a simple VTP configuration between SW1 and SW2:

SW1(config)#vtp version 2
SW1(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 1ce6.c7c1.c800
Configuration last modified by 0.0.0.0 at 3-1-93 01:02:39
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
————–
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 2
MD5 digest : 0xB0 0x8E 0xF6 0x3A 0x32 0x5D 0x47 0x02
0x80 0xAC 0xCD 0xFD 0x0C 0x66 0x45 0x06
SW1(config)#

I wanted to highlight the command “vtp version #” in global config, and that SW1 is now running version 2 but still has no name for its VTP Domain, i.e. it is in the NULL Domain.

I want to first configure version 2 on SW2 to see if just that is enough to get it dynamically sharing information:

SW2(config)#vtp ver 2
SW2(config)#do sh vlan br

VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active Fa1/0/1, Fa1/0/2, Fa1/0/3
Fa1/0/4, Fa1/0/5, Fa1/0/6
Fa1/0/7, Fa1/0/8, Fa1/0/9
Fa1/0/11, Fa1/0/12, Fa1/0/13
Fa1/0/14, Fa1/0/15, Fa1/0/16
Fa1/0/17, Fa1/0/18, Fa1/0/19
Fa1/0/20, Fa1/0/21, Fa1/0/22
Fa1/0/23, Fa1/0/24, Gi1/0/1
Gi1/0/2
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW2(config)#

Nope. How about adding a VTP Domain, but no Domain Password:

SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP
SW1(config)#
*Mar 1 01:08:56.145: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to CCNP.
SW1(config)#

So let’s first take a look at SW2 to see if anything dynamically happened at all yet:

SW2(config)#do sh vlan bri

VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active Fa1/0/1, Fa1/0/2, Fa1/0/3
Fa1/0/4, Fa1/0/5, Fa1/0/6
Fa1/0/7, Fa1/0/8, Fa1/0/9
Fa1/0/11, Fa1/0/12, Fa1/0/13
Fa1/0/14, Fa1/0/15, Fa1/0/16
Fa1/0/17, Fa1/0/18, Fa1/0/19
Fa1/0/20, Fa1/0/21, Fa1/0/22
Fa1/0/23, Fa1/0/24, Gi1/0/1
Gi1/0/2
12 VLAN0012 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW2(config)#

There is VLAN 12 on SW2! However, I wanted to check out the VTP status, as the only thing I had changed was the version # and not any Domain names or Passwords:

SW2(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Configuration last modified by 0.0.0.0 at 3-1-93 01:02:39
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
————–
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 2
MD5 digest : 0x1B 0x6A 0xCB 0xDF 0xB0 0x87 0xA7 0x9D
0xE6 0x56 0x1A 0xCD 0xB7 0x82 0x11 0x9A
SW2(config)#

This illustrates the dynamic nature of VTP: SW1, which had been in the NULL domain just like SW2, had an update to its configuration and sent out an advertisement containing that change. SW2 received it and dynamically updated its own Domain name, because it had none manually configured (a switch in the NULL domain accepts the first domain name it hears over a trunk).
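To make the defaults from the “sh vtp status” output and the domain rules above concrete, here is an added example (my code, not from the original post) that parses the fields that matter out of that output, flags the factory defaults called out earlier (Server mode, NULL domain), and models what a switch does with an advertisement: adopt the domain when it has none, ignore it from a different (case-sensitive) domain, or sync when the revision is higher. The sample outputs are constructed from the values shown in this post.

```python
import re
from dataclasses import dataclass

@dataclass
class VtpStatus:
    version: int
    domain: str      # "" is the NULL domain, shown as a blank "VTP Domain Name :"
    mode: str
    revision: int

def parse_vtp_status(text: str) -> VtpStatus:
    """Pull the fields that drive VTP behaviour out of 'show vtp status' output."""
    def field(label: str) -> str:
        m = re.search(rf"^{re.escape(label)}\s*:[ \t]*(.*)$", text, re.M)
        if m is None:
            raise ValueError(f"missing field: {label}")
        return m.group(1).strip()
    return VtpStatus(int(field("VTP version running")), field("VTP Domain Name"),
                     field("VTP Operating Mode"), int(field("Configuration Revision")))

def audit(s: VtpStatus) -> list[str]:
    """Flag the factory defaults the post calls out as risky on a production trunk."""
    findings = []
    if s.mode == "Server":
        findings.append("Server mode: accepts database updates and originates its own")
    if s.domain == "":
        findings.append("NULL domain: adopts the first domain name heard on a trunk")
    return findings

def on_advertisement(receiver: VtpStatus, adv_domain: str, adv_revision: int) -> str:
    """Model what a switch does with a summary advertisement. Domain names are
    case-sensitive, which is why 'ccnp' and 'CCNP' never synced in the post."""
    if receiver.domain == "":
        return f"adopt domain {adv_domain} and sync VLAN database"
    if receiver.domain != adv_domain:
        return "ignore: different VTP domain (own VLANs are kept but no longer shared)"
    if adv_revision > receiver.revision:
        return "sync VLAN database: higher configuration revision wins"
    return "no change: revision not higher than local"

# Constructed samples, trimmed from the values the post shows for SW1 and SW2.
FRESH = "VTP version running : 1\nVTP Domain Name :\nVTP Operating Mode : Server\nConfiguration Revision : 0\n"
SW1_CCNP = "VTP version running : 2\nVTP Domain Name : CCNP\nVTP Operating Mode : Server\nConfiguration Revision : 2\n"
SW2_ccnp = "VTP version running : 2\nVTP Domain Name : ccnp\nVTP Operating Mode : Server\nConfiguration Revision : 0\n"

if __name__ == "__main__":
    for name, text in (("fresh", FRESH), ("SW1", SW1_CCNP), ("SW2", SW2_ccnp)):
        print(name, audit(parse_vtp_status(text)))
    print(on_advertisement(parse_vtp_status(FRESH), "CCNP", 2))
    print(on_advertisement(parse_vtp_status(SW2_ccnp), "CCNP", 2))
```

Feeding it real “sh vtp status” output from several switches is a quick way to spot a switch that is still at factory defaults before it is trunked into a production VTP domain.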

I also wanted to note that both switches are running in Server Mode, as when you turn on VTP in any version the default is to come up in Server mode (more on VTP modes later).

I then found a very odd behavior when manually changing the VTP Domain Name on SW2 to look for side effects; however, there were none that could be seen even a few minutes after it was changed (please excuse the amount of output):

SW2(config)#vtp domain ccnp
Changing VTP domain name from CCNP to ccnp
SW2(config)#
*Mar 1 01:28:42.160: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to ccnp.

The change is made
SW2(config)#do sh vlan brief

VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active Fa1/0/1, Fa1/0/2, Fa1/0/3
Fa1/0/4, Fa1/0/5, Fa1/0/6
Fa1/0/7, Fa1/0/8, Fa1/0/9
Fa1/0/11, Fa1/0/12, Fa1/0/13
Fa1/0/14, Fa1/0/15, Fa1/0/16
Fa1/0/17, Fa1/0/18, Fa1/0/19
Fa1/0/20, Fa1/0/21, Fa1/0/22
Fa1/0/23, Fa1/0/24, Gi1/0/1
Gi1/0/2
12 VLAN0012 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW2(config)#

VLAN 12 still on the switch and Active

SW2(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : ccnp
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Configuration last modified by 0.0.0.0 at 3-1-93 01:02:39
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
————–
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 0
MD5 digest : 0x92 0x14 0x53 0xCE 0x00 0x11 0xC8 0x26
0x18 0x4E 0x89 0x24 0x83 0x0B 0xDD 0x93
SW2#

The switch shows that it is in fact in the “ccnp” domain now

SW1(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 1ce6.c7c1.c800
Configuration last modified by 0.0.0.0 at 3-1-93 01:02:39
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
————–
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 2
MD5 digest : 0x1B 0x6A 0xCB 0xDF 0xB0 0x87 0xA7 0x9D
0xE6 0x56 0x1A 0xCD 0xB7 0x82 0x11 0x9A

Yet SW1 shows it is still in the “CCNP” domain. I checked again and VLAN 12 was still there, so I took things one step further and deleted the vlan.dat file to see if that would remove the VLAN, which I assume it will:

SW2#sh vlan brief

VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active  (lots of ports)
12 VLAN0012 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW2#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
SW2#reload
Proceed with reload? [confirm]

*Mar 1 00:07:19.638: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.

I’d love to have slacked off, and just skipped this odd behavior that perhaps I don’t recall from my CCNA youth, but I am not sure why the new “ccnp” domain inherits VLAN 12 unless it has to do with it just being added to the VLAN DB.

AAaaaaaallmost reloaded. There we go:

SW2#sh vlan brief

VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active (lots of ports)
12 VLAN0012 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW2#

I am getting way tired, but I have to know how far we can push this behavior, so on switch 1 I’ll add our trusty old 7940 in the Voice VLAN 24 to the VLANs and see if that propagates as well:

SW1(config)#vlan 24
SW1(config-vlan)#
ASR#2
[Resuming connection 2 to sw2 … ]
SW2#sh vlan brief

VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active (lots of ports)
12 VLAN0012 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW2#

So it did not propagate VLAN 24 to SW2. Next post I’ll continue by re-adding SW2 to “CCNP” to see if that VLAN magically appears, try deleting it, and get into some other behaviors and output for VTP – Later!

Edit 9/4/17, explanation of above behaviors (some were derps from being tired):

I’d like to start fresh with the VTP modes in the next post, so I wanted to follow up here on what was happening towards the end of this post. When I turned my lab on today, the first command was “sh vlan brief” and I immediately noticed VLANs 12 and 24.

So being that it now has both VLANs dynamically learned from SW1, I looked at the “sh vtp status” and sure enough it was back in the CCNP domain, because I never did a “wr” on SW2 (or “wr er” to blow away the whole config) after changing the VTP domain name to “ccnp” so it just inherited the advertised Domain of CCNP.

Although I am not sure why it didn’t pick up VLAN 24, I might have moved between switches too fast; I thought it was instant, but I am possibly faster than instant!

So I tried to fully reset SW2:

SW2#wr er
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
SW2#
*Mar 1 00:06:28.711: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
SW2#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
SW2#reload
Proceed with reload? [confirm]

And of course, without me thinking, it did the same thing before SW2 even had a host name:

Switch#sh vlan brief

VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active (lots of ports)
12 VLAN0012 active
24 VLAN0024 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
Switch#

So the deal with dynamic VTP domain sharing is that SW1 immediately shared its VTP Domain name and VLANs with SW2 over the Trunk, so the only way for a reset to truly work is to unplug the switch completely from other switches so the info isn’t learned dynamically.

Also, VLAN 12 remained after changing the Domain name because that is how Cisco switches work: they retain VLAN info in their VLAN Database, but they stop sharing it outside of their VTP domain.

So to get some VLANs off a switch that you don’t want on there, you have some unplugging and configuration to do on the switch before it can be plugged back in, and with that I will get into some VTP modes in my next post!
