VTP_Doomsday_1

Above is the logical Topology showing how I cabled / Trunked the switches and the VTP modes they are in. I’ll walk through the changes step by step as I introduce the nuke switch.

Advertisements / “Subset Advertisements” and Configuration Revision #

Now, as previously stated, the highest “Configuration Revision #” in a VTP Domain is considered the most up-to-date view of the network that the VTP Servers are Advertising. These Configuration Revision #’s are actually carried in the Advertisements sent out, and are incremented every time there is an add / change / delete of a VLAN in the VTP Domain.

The Ads triggered by such a change are called “Subset Advertisements”. They are created locally, so the Config Revision # increments locally first, and then it is sent to Clients and other Server switches with the new Config Revision # inside the VTP Subset Advertisement.

Once a VTP Ad with a higher Config Revision # is received, the receiving switch assumes it is more up to date, replaces its own VTP Database with the Advertisement information, and then increments its Configuration Revision # after updating its Database with the config info from the Advertisement with the higher Revision #.

One gotcha that can wipe out the VLAN / VTP configuration in a VTP Domain – Putting in a switch with a much higher Revision #

One issue that could arise is introducing a switch into the network that has a much higher Revision # than the other switches in the VTP Domain: when it boots up Trunking to the other switches, it will pass along its higher Revision # and wipe out all the VLANs, whether it’s in Server mode and possibly also in Client mode (I will test both).

Important Note – Cisco’s official term for this is the “VTP Synch Issue”.

So I’ve created the above Topology, making SW4 (the 3560 running 12.2 IOS) the Server, Trunking to the two 3750’s, with the following Topology:

VTP_Doomsday_1


All three switches have the following VLAN and VTP config, except that SW2 and SW3 are in Client mode:

SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
SW3(config)#do sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    (lots of ports)
12   Engineering                      active
24   Voice                            active
34   Accounting                       active
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
SW3(config)#
SW3(config)#
SW3(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.ce00
Configuration last modified by 0.0.0.0 at 3-1-93 00:18:34

Feature VLAN:
--------------
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
Configuration Revision : 4
MD5 digest : 0xDC 0x39 0x64 0xEA 0x9F 0x72 0xA3 0x77
0x5B 0xFB 0xA2 0x3C 0x57 0xAF 0xC3 0x3B
SW3(config)#

The above is how SW3 and SW2 are configured. I will spare you the output from all 3 switches; take my word that SW4 is configured as the Server Trunking to SW2 / SW3, and everything is synced with the same configuration as above.

So with Trunks configured on SW1 / SW2 / SW3 for the connections but left unplugged, I configured SW1 and made a lot of VLAN changes that upped its Revision # quite a bit.

Note that I had to keep it unplugged: otherwise each change would have updated its VLAN DB (the vlan.dat file in flash), upped the Revision #, and then advertised it to the neighbor switches. With all Trunks unplugged it looks like this:

SW1(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 1ce6.c7c1.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:38:29
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 23
MD5 digest : 0x61 0x3A 0x6F 0xC6 0xF3 0x3F 0xF9 0x6D
0x12 0x34 0x7B 0x68 0xC8 0x56 0x86 0xF0
SW1(config)#

Also note that SW1 is in Server mode so it can be configured, because a switch in Client mode would throw an error very similar to (in fact exactly like) this one:

SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#vlan 44
VTP VLAN configuration not allowed when device is in CLIENT mode.
SW3(config)#vlan 12
VTP VLAN configuration not allowed when device is in CLIENT mode.
SW3(config)#

It spells the error out for you, but as a reminder for exam day: if a switch is configured as a VTP Client it is not allowed to make any VLAN changes; note that it will not create a new VLAN or even allow access to the existing VLAN 12 to make changes AT ALL.

So the Trunk ports are configured, and SW1 is currently powered off but configured to nuke the Topology. I will power it on with the following Topology:

VTP_Doomsday_2

So SW1 has now booted up, and I will just use SW3 for the CLI output, as all the other switches will have identical information since they have been powered on the entire time:

SW3#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    (lots of ports)
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
SW3#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.ce00
Configuration last modified by 0.0.0.0 at 3-1-93 00:38:29

Feature VLAN:
--------------
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 23
MD5 digest : 0x61 0x3A 0x6F 0xC6 0xF3 0x3F 0xF9 0x6D
0x12 0x34 0x7B 0x68 0xC8 0x56 0x86 0xF0
SW3#

The entire VTP Domain has now removed the 3 non-default VLANs it had configured, because it received a higher Revision # from a VTP Server with matching VTP Domain configuration, so the new switch wiped out the VLANs of the switched topology it was added to.

*** Quick note for TSHOOT and real life scenario***

This can happen if a company’s switched network uses the same VTP Domain name / password (a password is not required) across all sites, and a spare switch that came from one site is pulled from storage and added to another site to put some extra ports on, without a network admin checking its VTP status.

So if you see a best-practice or scenario question regarding the risks of plugging unchecked switches into a network, this is a very big issue / risk of doing so.

*** That ^ is very important to keep in mind for both SWITCH and TSHOOT ***

So I will try this one more time by unplugging those Trunks, to check whether it goes back to its original config:

SW3#
*Mar 1 01:00:35.589: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/20, changed state to down
*Mar 1 01:00:36.604: %LINK-3-UPDOWN: Interface FastEthernet1/0/20, changed state to down
SW3#sh vtp stat
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.ce00
Configuration last modified by 0.0.0.0 at 3-1-93 00:38:29

Feature VLAN:
--------------
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 23
MD5 digest : 0x61 0x3A 0x6F 0xC6 0xF3 0x3F 0xF9 0x6D
0x12 0x34 0x7B 0x68 0xC8 0x56 0x86 0xF0
SW3#

Even after unplugging this “rogue” switch the VLANs do not dynamically change back. That is because ALL switches in the Domain have updated their VTP DBs with this new configuration across the entire network, including the SW4 Server.

Now, either way, once this damage is done the proper VLANs will need to be reconfigured on the Server switch while it’s disconnected from the Client / other Server switches, and for any Client switches you can use the following methods to set their Revision # back to 0!

Cisco’s recommended / official fix for the above issue – VERY IMPORTANT TO KNOW FOR EXAM DAY, be sure you understand and remember these methods!!!

For this I reconfigured SW1 as a Server, with its Trunks unplugged, so I could up the Revision # quickly for this demonstration:

SW1(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 1ce6.c7c1.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:46:38
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 15
MD5 digest : 0x4C 0xD6 0x98 0xED 0xB6 0x7E 0x3C 0x40
0x48 0x28 0xBD 0x01 0x5F 0x9B 0x11 0xC4
SW1(config)#

Default VLANs, Config Rev 15, SW1 currently unplugged from the rest of the network.

There are two ways Cisco recommends that I will test to reset the Revision number to 0:

  • Change the VTP Domain to an unused name and then back to the correct VTP Domain name
  • Change VTP mode from Server to Transparent, then back to Server

So this should be done on a switch before plugging it into a network, but it can also be used on Client switches to quickly reset them back to Rev 0. However, the VTP Server, if impacted, will have to be completely reconfigured with the VLANs if they got wiped out!
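As an added illustration (my own code, not from the original post), the following Python models the Revision # rule described at the top of the post and the two reset methods listed above, plus a pre-staging check an admin could run on a spare switch’s VTP values before its Trunk is plugged in. The switches, Domain name and Revision #’s are the ones from this lab; the class and function names are my own.

```python
from dataclasses import dataclass
DEFAULT_VLANS = frozenset({1, 1002, 1003, 1004, 1005})  # Catalyst defaults, kept even after a reset
PRODUCTION_VLANS = DEFAULT_VLANS | {12, 24, 34}        # Engineering / Voice / Accounting

@dataclass
class VtpSwitch:
    name: str
    mode: str          # "server", "client" or "transparent"
    domain: str
    revision: int
    vlans: frozenset
    def receive_advertisement(self, src):
        """Same domain + higher revision => adopt the advertised VLAN database."""
        if self.mode == "transparent" or src.domain != self.domain:
            return False   # transparent switches and other domains ignore it
        if src.revision > self.revision:
            self.vlans, self.revision = src.vlans, src.revision
            return True
        return False

    def reset_via_domain_rename(self, scratch="RESET"):
        """Method 1: 'vtp domain RESET' then 'vtp domain CCNP' -> revision 0."""
        original = self.domain
        self.domain, self.revision = scratch, 0
        self.domain = original
        return self.revision

    def reset_via_transparent(self):
        """Method 2: 'vtp mode transparent' then 'vtp mode server' -> revision 0."""
        self.mode, self.revision = "transparent", 0
        self.mode = "server"
        return self.revision

def would_overwrite_domain(candidate, domain):
    """Pre-staging check: same domain name, not transparent, revision above the live one."""
    return (candidate.mode != "transparent" and candidate.domain == domain[0].domain
            and candidate.revision > max(sw.revision for sw in domain))

def plug_in(candidate, domain):
    """Trunk comes up: advertisements flow both ways and the highest revision wins."""
    for sw in domain:
        sw.receive_advertisement(candidate)
    for sw in domain:
        candidate.receive_advertisement(sw)
    return candidate.revision

def build_lab():  # SW4 server + SW2/SW3 clients at revision 4, plus spare SW1 at revision 23
    domain = [VtpSwitch(n, m, "CCNP", 4, PRODUCTION_VLANS)
              for n, m in (("SW4", "server"), ("SW2", "client"), ("SW3", "client"))]
    return domain, VtpSwitch("SW1", "server", "CCNP", 23, DEFAULT_VLANS)
```

Running plug_in with the un-reset SW1 leaves every lab switch at Revision 23 with only the default VLANs, while a reset SW1 (Revision 0) instead synchs down to Revision 4 and 8 VLANs, matching the CLI output in this post.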

Both Methods are demonstrated on the CLI below to confirm they are valid:

First Method:

Changing the VTP domain and back

SW1(config)#vtp domain RESET
Changing VTP domain name from CCNP to RESET
SW1(config)#
*Mar 1 00:56:59.397: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to RESET.
SW1(config)#vtp domain CCNP
Changing VTP domain name from RESET to CCNP
SW1(config)#
*Mar 1 00:57:11.880: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to CCNP.

Verification

SW1(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 1ce6.c7c1.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:46:38
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 0
MD5 digest : 0x5E 0x16 0x5E 0x7B 0x7B 0x58 0xC6 0xD5
0x39 0xDA 0xD3 0x3F 0x31 0xC1 0xFF 0x5B
SW1(config)#

Plugging the switch into the network to confirm it synches correctly

SW1(config)#
*Mar 1 01:01:02.264: %LINK-3-UPDOWN: Interface FastEthernet1/0/18, changed state to up
*Mar 1 01:01:03.388: %LINK-3-UPDOWN: Interface FastEthernet1/0/20, changed state to up
*Mar 1 01:01:04.286: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/18, changed state to up
*Mar 1 01:01:05.402: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/20, changed state to up

SW1(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 1ce6.c7c1.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:06:20
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
Configuration Revision : 4
MD5 digest : 0xED 0xA4 0x2C 0x01 0x71 0x62 0x26 0x93
0x14 0xB7 0xA9 0x29 0x3D 0xE4 0xA3 0x33
SW1(config)#

Second method:

Trunks unplugged, Revision # cranked back up a few notches

SW1(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 1ce6.c7c1.c800
Configuration last modified by 0.0.0.0 at 3-1-93 01:17:51
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 13
MD5 digest : 0x5D 0x2B 0x5D 0xFC 0xAE 0x90 0xE2 0xCC
0x84 0x2D 0x10 0xB8 0x0E 0x6D 0xD1 0x86
SW1(config)#

Changing to Transparent mode, then back to Server mode

SW1(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
SW1(config)#vtp mode server
Setting device to VTP Server mode for VLANS.
SW1(config)#

Verification:

SW1(config)#do sh vtp status | i Configuration Revision
Configuration Revision : 0
SW1(config)#

I wanted to throw the pipe modifier in there to demonstrate again how it can grab just the piece of information you are looking for, and sure enough it’s back to 0, which will allow it to synch up with the existing VTP Domain again.

It also retains the last known VTP Domain name, so once plugged in it will synch with the Domain, provided its configuration information matches the Domain configuration.

So both methods worked great, with no reloads or deleting of VLAN DBs needed; the only part of the network this does not apply to is the Server, if it’s impacted.

I am now tired, and going to go to bed.

There is a bit more depth to delve into on both the Advertisements sent and the different versions of VTP, but I’ll save that for a hopefully shorter, more concise post. I wanted to go into painful detail with this one as it may show up on both the SWITCH and TSHOOT exams.