Thursday, January 27, 2011

VTP

VTP, or the VLAN Trunking Protocol, can be a huge time saver.  It can also destroy your network if you're not careful.  The name is actually a bit of a misnomer, since the trunking itself is done by 802.1Q.  What VTP does is copy your VLAN database to all the switches in your network.

In my last post I demonstrated how to create a VLAN on two switches.  Now it's no big deal to create VLAN10 on two switches, but what about 200 switches?  It's really an issue when you have your network all set up, but later decide to add another VLAN.  Now you have to telnet or SSH to the other 199 switches in your network and add the VLAN.

The way VTP works is through revision numbers.  Every time a VLAN is added to a VTP switch, it increments the revision number.  The other switches see a revision number that is higher than theirs and say, "Hey! There's been an update, let me copy the VLAN database".  Now this is great, but it can destroy your network if you aren't careful.  There are many network administrators who have sworn off VTP after being stung by this.

Imagine you work at a company that has a production environment and a lab environment.  One of your production switches catches fire and is burned past all repair.  So you go online and buy a new switch, but in the meantime you decide to borrow one of the switches from your lab environment.  All of a sudden your whole network goes down, all your switchports start blinking orange, and the masses panic.  Can you guess the problem?  The switch from the lab environment was plugged into the network with a higher revision number than any other switch, so all the other switches overwrote their VLAN databases with the lab environment's database.  When a port's VLAN disappears from the database, the port goes inactive and can't talk to anyone, essentially shutting off.  To fix the problem you would have to go onto a VTP server switch and manually add back each proper VLAN, so be very careful when you add a VTP switch to a preexisting network.

Luckily there are some safeguards to prevent this from happening.  You can set a VTP domain name and password, so that a switch only accepts updates that carry its own domain name and were sent with a matching password.  This minimizes the risk of someone bringing in a switch from home and wiping out your network.

So how does VTP work?  VTP has three modes: Server, Client, and Transparent.  By default every switch is in VTP Server mode, which is great for setup and making changes, but also very dangerous.  Cisco recommends having very few servers and setting the rest as clients.

Server mode gives the power to make changes to the VLAN database and propagate those changes to all other switches.  If you have more than one switch set to server mode, the switch with the lower revision number will copy the VLAN database from the switch with the higher revision number, so the two end up equal.

A switch in client mode is unable to make changes to the VLAN database, but it can both receive and send VTP updates.  You can't add VLANs to these switches.  Now, you can always just convert a client to a server, make a change, and change it back, but what's the point of good network design if you do things like that?

The last mode is known as Transparent mode.  A transparent switch has the power to change its own VLAN database, but it won't send those changes to other switches.  It will, however, forward the VTP updates it hears from other switches on to its neighbors.  It seems more confusing than it is.  Basically a transparent switch is its own little VTP group.  If it receives a VTP update on a port it says, "Sorry, I'm not going to make any changes to my VLAN database, but I will send this update forward to the next guy for you."
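The following Python model of the three modes and the revision-number rule is an added illustration, not code from the original post or from Cisco IOS.  It assumes a loop-free topology like the one in this post, compares the password directly where real VTP verifies an MD5 digest, and bumps the revision once per VLAN added (IOS also bumps it on name changes, which is why the post's server reaches revision 4).

```python
from dataclasses import dataclass, field

DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}  # the five VLANs every IOS switch has

@dataclass
class Switch:
    mode: str                  # "server", "client" or "transparent"
    domain: str = ""
    password: str = ""         # real VTP folds this into the MD5 digest; compared directly here
    revision: int = 0
    vlans: set = field(default_factory=lambda: set(DEFAULT_VLANS))
    links: list = field(default_factory=list)

    def connect(self, other):
        self.links.append(other); other.links.append(self)

    def add_vlan(self, vid):
        # Clients cannot edit the database; only a server bumps the revision and advertises.
        if self.mode == "client":
            raise PermissionError("VTP VLAN configuration not allowed in CLIENT mode")
        self.vlans.add(vid)
        if self.mode == "server":
            self.revision += 1; self.advertise()

    def advertise(self):
        for peer in self.links:
            peer.receive(self, self.domain, self.password, self.revision, set(self.vlans))

    def receive(self, sender, domain, password, revision, vlans):
        if self.mode == "transparent":  # never applies an update, but relays it onward
            for peer in self.links:
                if peer is not sender:
                    peer.receive(self, domain, password, revision, vlans)
        elif (domain, password) == (self.domain, self.password) and revision > self.revision:
            self.revision, self.vlans = revision, set(vlans)  # newer revision wins: overwrite
            self.advertise()                                  # and pass it on

def replay(lab_password):
    """Builds the post's SwitchServer--SwitchTransparent--SwitchClient chain, then plugs a
    constructed lab switch (higher revision, different VLANs) into the client."""
    server = Switch("server", "EXAMPLE", "sprinkles")
    trans = Switch("transparent", "EXAMPLE", "sprinkles")
    client = Switch("client", "EXAMPLE", "sprinkles")
    server.connect(trans); trans.connect(client)
    trans.add_vlan(10)                        # stays on the transparent switch only
    server.add_vlan(20); server.add_vlan(30)  # propagates through trans to the client
    after_setup = set(client.vlans)
    lab = Switch("server", "EXAMPLE", lab_password, revision=50, vlans=DEFAULT_VLANS | {99})
    lab.connect(client); lab.advertise()
    return after_setup, set(client.vlans), set(server.vlans), set(trans.vlans)
```

Calling replay("sprinkles") shows VLANs 20 and 30 vanish from both the client and the server once the lab switch's revision 50 arrives, while replay("wrong") leaves them intact because the password check fails.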

Concepts = Completed, let's do some configuration.

In this configuration we have three switches:
SwitchServer = Server mode
SwitchTransparent = Transparent mode
SwitchClient = Client mode

The switches are set up so that the transparent mode switch is in the middle as follows.
SwitchServer------------SwitchTransparent------------SwitchClient

All of our switches are in server mode by default, so no configuration is needed on SwitchServer just yet.  Let's start on SwitchTransparent.

SwitchTransparent(config)#vtp domain EXAMPLE
Changing VTP domain name from NULL to EXAMPLE     (Output)
SwitchTransparent(config)#vtp password sprinkles
Setting device VLAN database password to sprinkles         (Output)
SwitchTransparent(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.                  (Output)

Now let's make some changes to the transparent switch to demonstrate that they are not propagated.

SwitchTransparent(config)#vlan 10
SwitchTransparen(config-vlan)#name TRANSPARENT

Okay, let's jump over to the client switch and change its VTP mode, domain, and password.

Switch(config)#vtp domain EXAMPLE
Changing VTP domain name from NULL to EXAMPLE    (Output)
SwitchClient(config)#vtp password sprinkles
Setting device VLAN database password to sprinkles        (Output)
SwitchClient(config)#vtp mode client
Setting device to VTP CLIENT mode.                               (Output)

SwitchClient(config)#vlan 20
VTP VLAN configuration not allowed when device is in CLIENT mode.

Excellent, this is where you have to exercise self control, leave the switch in client mode, and jump over on your VTP server switch to make changes.

SwitchClient#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa1/1, Fa2/1, Fa3/1
                                                Fa4/1, Fa5/1
1002 fddi-default                     active  
1004 fddinet-default                  active  
1005 trnet-default                    active  

Now you can see the VLAN database has no additional VLANs besides the defaults.

Let's get on our SwitchServer...

SwitchServer(config)#vtp domain EXAMPLE
Changing VTP domain name from NULL to EXAMPLE     (Output)
SwitchServer(config)#vtp password sprinkles
Setting device VLAN database password to sprinkles         (Output)
SwitchServer(config)#vlan 20
SwitchServer(config-vlan)#name SERVERVLAN
SwitchServer(config-vlan)#exit
SwitchServer(config)#vlan 30
SwitchServer(config-vlan)#name ICECREAM

SwitchServer#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 64
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : EXAMPLE
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x0F 0x5A 0xC0 0xA5 0x42 0xF4 0xEB 0x2B
Configuration last modified by 0.0.0.0 at 3-1-93 00:13:49
Local updater ID is 0.0.0.0 (no valid interface found)

Okay, so you can see from the show command above that there have been a few changes, bumping the revision number to 4.  7 VLANs exist: the two we created and the five that are there by default.  The configuration was last modified by this switch.

Let's look at the transparent switch...

SwitchTransparent#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 6
VTP Operating Mode              : Transparent
VTP Domain Name                 : EXAMPLE
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xC7 0x96 0x4B 0x8F 0x9A 0x02 0x26 0x38
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

You can see that the VLANs were not propagated to this switch, and the revision number has not been incremented, as expected of a switch in transparent mode.

To finish, we'll look at the client to see whether it received the changes.

SwitchClient#show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 64
Number of existing VLANs        : 7
VTP Operating Mode              : Client
VTP Domain Name                 : EXAMPLE

Great!  That's VTP in a nutshell.  Thanks for reading!