[Image: VPT_Pruning Demo, the lab topology]

The above Topology has been configured for the labbing portion of configuring VTP Authentication. I won’t go into every detail, but I will bullet point the basics before reviewing the authentication methods to know for exam day, plus a full explanation of VTP Pruning, as it can be a tricky topic if you don’t know the mechanisms that drive it.

That being said, let’s get right into the VTP basic review info, bullet point style!

First, the improvement on V3 over its previous versions:

  • Supports propagation of the full range of normal AND extended VLANs (1-4094), where v1 and v2 only supported the Normal Range of 1-1005
  • Supports hiding the VTP Password so it is NOT shown in clear text, FINALLY!
  • Supports 802.1s MST Spanning-Tree propagation (but will be in Transparent Mode!)
  • Is backwards compatible to V2 VTP on a per-link basis
  • Can be turned off on a per-link basis rather than all or none in previous versions

Basics from previous Versions:

  • All switches must have matching Domain names, Passwords, and be connected via Trunk links to propagate VLAN information
  • V1 switches will auto-detect V2 VTP packets received and auto-update to V2; they will not do this for v3 – v3 must always be manually configured
  • All switches are default in v1 VTP (disabled), and only switches that are capable of v3 will show it in “sh vtp status”

The technical aspects WE care about for exam day of v3:

  • VTP v3 Servers are all in “Secondary Server” mode by default, which is basically like Client Mode: it cannot update other VTP switches’ VLAN databases
  • The default Secondary Server mode also will not allow deletion or creation of new VLANs
  • Primary Server is the new “VTP Server” mode for v3, and there can only be ONE per VTP Domain, unlike v1 and v2 that could have multiple VTP Servers
  • The Primary Server is the only device allowed to add / remove / update the VLAN databases of the other switches in its VTPv3 domain

Now to take a look at SW1, which will eventually be our “Primary Server”, and at how it propagates information to SW2 and SW3 to see if they update their VTP info:

SW1

SW1#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 1ce6.c7c1.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:35:41
Local updater ID is 10.2.2.1 on interface Vl20 (lowest numbered VLAN interface found)

Feature VLAN:
————–
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 1
MD5 digest : 0x05 0x05 0xF4 0x88 0xCB 0x99 0xA9 0x58
0xD8 0xF6 0xC7 0xE0 0x38 0xCB 0x72 0x72
SW1#

Highlighted some notable things there, no Domain Name, running V1 (so we can assume all 3 switches are as I’ve not configured them), 6 VLANs because I’ve added VLAN 20 and it has the 5 default 1001-1005 automatically added.

So I’ll update the version, give it a domain name, and see if the other 2 switches get on board with the new VTP Domain – Passwords must be set manually, so I’ll skip that:

SW1

SW1(config)#vtp version 2
SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP
SW1(config)#
*Mar 1 00:52:30.870: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to CCNP.
SW1(config)#

SW2

SW2(config)#vtp domain CCNP
SW2(config-if)#do sh vtp status

VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:34:45
Local updater ID is 10.2.2.1 on interface Vl20 (lowest numbered VLAN interface found)

Feature VLAN:
————–
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 1
MD5 digest : 0x05 0x05 0xF4 0x88 0xCB 0x99 0xA9 0x58
0xD8 0xF6 0xC7 0xE0 0x38 0xCB 0x72 0x72
SW2(config-if)#exit
SW2(config)#
SW2(config)#exit
SW2#debug v
*Mar 1 00:52:45.978: %SYS-5-CONFIG_I: Configured from console by console
SW2#debug vtp ?
% Unrecognized command

Nice, no VTP debug commands, and the switch is not doing an automatic update as the CCNA theory says it should; however, I wonder if it is because of the upgraded switches.

I tried setting it to Client mode and it made no difference in terms of “updating itself” to version 2. I’ve never really gotten that theory to work except on ancient switches, so I won’t bother myself with it and will move along to just configuring VTP manually.

Found an interesting behavior labbing:

SW2

SW2(config)#vtp version 2
Cannot modify version in VTP client mode unless the system is in VTP version 3
SW2(config)#

VTP is fighting me tooth and nail here, as it often does, but I am the network admin and it will do as I command… on the command line interface… yeah!

SW2(config)#vtp mode server
Setting device to VTP Server mode for VLANS.
SW2(config)#vtp ver 2
SW2(config)#
SW2(config)#do sh vtp status

VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Configuration last modified by 10.2.2.1 at 3-1-93 01:04:34
Local updater ID is 10.2.2.1 on interface Vl20 (lowest numbered VLAN interface found)

Feature VLAN:
————–
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 2
MD5 digest : 0x95 0xDC 0x62 0xA3 0x23 0x73 0xD2 0xCD
0x04 0x6E 0x22 0xC8 0x60 0x16 0x98 0x48
SW2(config)#

So it has now joined the domain, as can be told by the Revision # updating from 1 to 2.

One oddity I found is that SW3 DID self-update while I was cursing SW2’s name:

SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#vtp domain CCNP
Domain name already set to CCNP.
SW3(config)#
SW3(config)#
SW3(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.ce00
Configuration last modified by 10.2.2.1 at 3-1-93 00:52:26
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
————–
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 2
MD5 digest : 0x95 0xDC 0x62 0xA3 0x23 0x73 0xD2 0xCD
0x04 0x6E 0x22 0xC8 0x60 0x16 0x98 0x48
SW3(config)#

So I know my IOS versions are buggy on my older hardware lab, but I absolutely must troubleshoot this from SW1, please feel free to follow along:

SW1:

SW1(config)#do sh int trunk

Port Mode Encapsulation Status Native vlan
Po13 on 802.1q trunking 1

Port Vlans allowed on trunk
Po13 1-4094

Port Vlans allowed and active in management domain
Po13 1,20

Port Vlans in spanning tree forwarding state and not pruned
Po13 1,20

The very interesting thing here is that I had forgotten to Trunk / L2 EC ports 11-12 to SW3 yet; however, it updated itself to Version 2 and joined the domain, while SW2 had an L2 EC bundling its two trunk ports as seen above! This left SW3 connected by a single Access Port, with the other port (obviously) in an STP BLK state!

That is something you just won’t encounter unless you are kicking around a lab, so I wanted to share that with all you fellow Grinders for the sake of knowledge!

I’ll fix this up quick so Po12 will be 2 x Trunk ports using PAgP to SW2 from SW1, and Po13 will be SW1-SW3 with 2 x Trunks bundled via LACP (syntax drives me insane).

OK, so at this point all fixes have been made, all on the same v2 domain, and all in Server Mode, so let’s see if SW2 has received information pertaining to VLAN 30 on SW3 so it knows of its existence (even though it does not need to – Pruuuuuuuning!)

SW2:

SW2#sh vlan bri

VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active Fa1/0/2, Fa1/0/3, Fa1/0/4
Fa1/0/5, Fa1/0/6, Fa1/0/7
Fa1/0/8, Fa1/0/9, Fa1/0/10
Fa1/0/13, Fa1/0/14, Fa1/0/15
Fa1/0/16, Fa1/0/17, Fa1/0/18
Fa1/0/19, Fa1/0/20, Fa1/0/21
Fa1/0/22, Fa1/0/23, Fa1/0/24
Gi1/0/1, Gi1/0/2
20 VLAN0020 active Fa1/0/1
30 VLAN0030 active

SW2 will never need to receive a Broadcast or have Hosts in this VLAN, so we need to Prune it somewhere in the network, so that it does not advertise that VLAN.

Let’s take a look at “Pruning” and what mechanisms drive it!

When a host connects to a VLAN that is otherwise not in use, it will send out what is called a “Triggered Join” for the VLAN to its RP (if it’s not the Root), and out all DP’s on the Root Bridge, to make all switches aware of that VLAN.

Let’s take a look at Host C / VLAN 30 for instance:

[Image: VPT_Pruning Demo_2, Host C in VLAN 30]

Two important notes on Pruning and taking VLANs OUT of a Pruned state (say, if SW2 suddenly had a device join VLAN 30): the Root Bridge requires two things:

  • Received this “Triggered Join” from SW2 on a port from SW2
  • This Port sending the Triggered Join must be in a FWD state for the VLAN #

Before enabling Pruning on SW1, I want to show that “sh int trunk” shows we are all friends and sending traffic everywhere:

SW1(config)#do sh int trunk

Port Mode Encapsulation Status Native vlan
Po12 on 802.1q trunking 1
Po13 on 802.1q trunking 1

Port Vlans allowed on trunk
Po12 1-4094
Po13 1-4094

Port Vlans allowed and active in management domain
Po12 1,20,30
Po13 1,20,30

Port Vlans in spanning tree forwarding state and not pruned
Po12 1,20,30
Po13 1,20,30
SW1(config)#

Now to enable Pruning and see what happens here, will it propagate Pruning to the other two switches by default? Will it immediately Prune VLAN 30 from traversing Po12?

Let’s see:

SW1(config)#vtp pruning
Pruning switched on
SW1(config)#do sh int trunk

Port Mode Encapsulation Status Native vlan
Po12 on 802.1q trunking 1
Po13 on 802.1q trunking 1

Port Vlans allowed on trunk
Po12 1-4094
Po13 1-4094

Port Vlans allowed and active in management domain
Po12 1,20,30
Po13 1,20,30

Port Vlans in spanning tree forwarding state and not pruned
Po12 1,20
Po13 1,20,30
SW1(config)#

I’ll spare the output, but Pruning did propagate to all 3 switches once enabled on SW1.

Now for SW1 NOT to Prune traffic destined for VLAN 30 to SW2, there would need to be a device that is configured in VLAN 30 to kick off a “Triggered Join” on an active FWD port as described above to be removed from Pruning.

Po13 still has all 3 VLANs, as Host A in VLAN 1 sent a Triggered Join to both SW2 and SW3; however, only SW3 announced itself (VLAN 30) to SW1 with a Triggered Join, since Pruning is only done neighbor to neighbor over Trunk links.

Now onto the fun part of all this – VTP v3 different methods of Authentication!

SW1(config)#vtp version 3
SW1(config)#
*Mar 1 02:03:57.272: %SW_VLAN-6-OLD_CONFIG_FILE_READ: Old version 2 VLAN configuration file detected and read OK. Version 3
files will be written in the future.
SW1(config)#

I’ve switched all switches to be running version 3 to demonstrate some cool different ways to input and actually hide VTP Domain passwords, so let’s get to it:

SW1:

SW1(config)#vtp password Derp ?
hidden Set the VTP password hidden option
secret Specify the vtp password in encrypted form
<cr>

SW1(config)#vtp password Derp

This is where things get interesting, as the <cr> just means plain text as with the other 2 versions; however, “Hidden” will encrypt / hash the password into a big blob of characters, and it is unique how you can actually use this hash output to set the same secret on other VTP v3 switches in the Domain!

SW1(config)#vtp password Derp hidden
Setting device VTP password
SW1(config)#^Z
SW1#sh vtp password
VTP Password: B70BB664D982FD0C7FBF81FC29DD7598
SW1#

Alright, so let’s go over to SW2 and use the “secret” option for that password, to hide it as well from prying eyes:

SW2:

SW2(config)#vtp password Derp ?
hidden Set the VTP password hidden option
secret Specify the vtp password in encrypted form
<cr>

SW2(config)#vtp password Derp secret ?
<cr>

SW2(config)#vtp password Derp secret
VTP secret has to be 32 characters in length
SW2(config)#

You probably saw that it had to be entered in “Encrypted form” for the “Secret” command to work; however, I wanted to demonstrate that I can pull that “sh vtp password” output from SW1 (the encrypted output) and enter it with the “Secret” command, and it will unhash it using its algorithms to find the Password is “Derp”, as seen here:

SW2(config)#vtp password B70BB664D982FD0C7FBF81FC29DD7598 secret
Setting device VTP password
SW2(config)#

THAT MAY BE VERY IMPORTANT TO KNOW FOR EXAM DAY!

So what’s going on with SW3? I haven’t done anything with it besides updating it to v3. I’ll add VLAN 10 to SW1 and see if it propagates down to SW3:

SW1(config)#vlan 10
VTP VLAN configuration not allowed when device is not the primary server for vlan database.
SW1(config)#

Well well, back to the “Primary Server” stuff: we will have to make SW1 the Primary Server for this Domain to add VLAN 10, so let’s see how to do that:

SW1:

SW1(config)#vtp ?
domain Set the name of the VTP administrative domain.
file Configure IFS filesystem file where VTP configuration is stored.
interface Configure interface as the preferred source for the VTP IP updater
address.
mode Configure VTP device mode
password Set the password for the VTP administrative domain
pruning Set the administrative domain to permit pruning
version Set the administrative domain to VTP version

SW1(config)#vtp mode ?
client Set the device to client mode.
off Set the device to off mode.
server Set the device to server mode.
transparent Set the device to transparent mode.

SW1(config)#vtp mode server ?
mst Set the mode for MST VTP instance.
unknown Set the mode for unknown VTP instances.
vlan Set the mode for VLAN VTP instance.
<cr>

Nothing here about becoming a Primary, and upon research I found this is actually set in User Exec, though it is rumored to work in both User Exec and Global Config (but it only works in User Exec on my switches, probably because they are “antiquated”):

SW1#vtp primary ?
force Do not check for conflicting devices
mst MST feature
vlan Vlan feature
<cr>

SW1#vtp primary force
This system is becoming primary server for feature vlan
Enter VTP Password: (hides chars as you type)
SW1#
*Mar 1 02:21:47.080: %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 1ce6.c7c1.c800 has become the primary server for the VLAN VTP feature
SW1#

I could have also just used “vtp primary” and gotten a warning message indicating any other Primary Servers will be relinquished of their Primary Role, but I don’t care which switch thinks it’s the Primary Server, because SW1 is who I want to be in charge.

NOW, back to adding Vlan 10 (Pruning is still enabled):

SW1:

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.

SW1(config)#vlan 10
SW1(config-vlan)#exit
SW1(config)#do sh int trunk

Port Mode Encapsulation Status Native vlan
Po12 on 802.1q trunking 1
Po13 on 802.1q trunking 1

Port Vlans allowed on trunk
Po12 1-4094
Po13 1-4094

Port Vlans allowed and active in management domain
Po12 1,10,20,30
Po13 1,10,20,30

Port Vlans in spanning tree forwarding state and not pruned
Po12 1,20
Po13 1,20,30
SW1(config)#

So it is being Pruned from both Trunk Ports, because neither of them has VLAN 10 interfaces behind it and they honestly could not care less about traffic for it, but let’s look at SW2 and SW3 to see what their Trunk output reveals about Pruning:

SW2:

SW2(config)#do sh int trunk

Port Mode Encapsulation Status Native vlan
Po12 on 802.1q trunking 1

Port Vlans allowed on trunk
Po12 1-4094

Port Vlans allowed and active in management domain
Po12 1,10,20,30

Port Vlans in spanning tree forwarding state and not pruned
Po12 1,20,30

We see 10 missing because it does not meet the two Criteria: a Host connected to that VLAN sending a Triggered Join on a port in a FWD state. So it is Pruned on SW1, along with SW3:

SW3:

SW3#sh int trunk

Port Mode Encapsulation Status Native vlan
Po13 on 802.1q trunking 1

Port Vlans allowed on trunk
Po13 1-4094

Port Vlans allowed and active in management domain
Po13 1,20,30

Port Vlans in spanning tree forwarding state and not pruned
Po13 1,20
SW3#

So again, we see here that SW1 is Pruning traffic from VLAN 10, as there have not been any “Triggered Joins” sent to these switches on a port in FWD status.
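To tie the whole Pruning walkthrough together (the Triggered Join rules, VLAN 30 staying on Po13 but being pruned from Po12, and VLAN 10 being pruned everywhere), here is an added Python model of how each switch decides what to prune on each trunk; it is example code written for this write-up, not output or code from the switches or from Cisco. It assumes a loop-free set of forwarding trunks (what STP leaves you with) and, because SW1’s output shows Po13 carrying both 20 and 30, assumes SW3 has a port in VLAN 20 as well as Host C in VLAN 30.

```python
"""VTP pruning 'Triggered Join' model for the post's three-switch lab.
Added example, not the post's own code. Host placement is constructed:
the VLAN 20 port on SW3 is an assumption drawn from SW1's Po13 output."""
from typing import Dict, FrozenSet, Set, Tuple

PRUNE_ELIGIBLE = range(2, 1002)   # VLAN 1 and 1002-1005 are never pruned
DOMAIN_VLANS = {1, 10, 20, 30}    # VLAN 10 exists in the domain, no ports anywhere

# switch -> VLANs with an active local port (access port or SVI)
LAB_PORTS: Dict[str, Set[int]] = {
    "SW1": {1, 20},       # SVI Vl20, everything else in VLAN 1
    "SW2": {1, 20},       # Fa1/0/1 in VLAN 20
    "SW3": {1, 20, 30},   # Host C in VLAN 30; the VLAN 20 port is assumed
}
# trunks in STP forwarding state; pruning is negotiated hop by hop over these
LAB_TRUNKS: Dict[Tuple[str, str], str] = {("SW1", "SW2"): "Po12",
                                          ("SW1", "SW3"): "Po13"}

def neighbours(sw: str, trunks) -> Dict[str, str]:
    """Neighbour -> local port name for every forwarding trunk on `sw`."""
    return {(b if a == sw else a): port for (a, b), port in trunks.items()
            if sw in (a, b)}

def join_sent(sw: str, toward: str, ports, trunks) -> FrozenSet[int]:
    """VLANs `sw` asks `toward` NOT to prune: its own active VLANs plus every
    VLAN requested in Joins received on its *other* forwarding trunks.
    Recursion terminates because the forwarding trunks form a tree."""
    wanted = set(ports[sw])
    for nbr in neighbours(sw, trunks):
        if nbr != toward:
            wanted |= join_sent(nbr, sw, ports, trunks)
    return frozenset(wanted)

def trunk_state(sw: str, ports=LAB_PORTS, trunks=LAB_TRUNKS) -> Dict[str, Tuple[int, ...]]:
    """Per trunk port on `sw`: the VLANs 'in spanning tree forwarding state
    and not pruned', i.e. the last block of 'show interfaces trunk'."""
    state = {}
    for nbr, port in neighbours(sw, trunks).items():
        requested = join_sent(nbr, sw, ports, trunks)
        state[port] = tuple(sorted(v for v in DOMAIN_VLANS
                                   if v not in PRUNE_ELIGIBLE or v in requested))
    return state

def pruned_on(sw: str, port: str, ports=LAB_PORTS, trunks=LAB_TRUNKS) -> Tuple[int, ...]:
    """VLANs that exist in the domain but are pruned from `port` (no Join behind it)."""
    return tuple(sorted(DOMAIN_VLANS - set(trunk_state(sw, ports, trunks)[port])))

if __name__ == "__main__":
    for switch in LAB_PORTS:
        print(switch, trunk_state(switch))
```

Adding 30 to SW2’s port set in LAB_PORTS is the “device joins VLAN 30 on SW2” case from earlier: SW2’s Join toward SW1 then carries 30 and Po12 stops pruning it.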

And this is how I spend my Saturday night / Sunday mornings off work!

By studying for the CCNP exam! I thrive on learning new info, and I hope this has been a good refresher, if it has not taught you anything new about VTP!