VLAN Trunking Protocol

{{short description|Networking protocol from Cisco}}
:''VTP can also stand for [[Venturi Transport Protocol]], [[OSI protocols|Virtual Terminal Protocol]] or in some cases the [[Windows Vista Transformation Pack]].''
{{redirect|VTP}}
[[Image:VTP.gif|thumb|right|300px|Example without and with VTP]]
{{Refimprove|date=October 2016}}
'''VLAN Trunking Protocol''' ('''VTP''') is a [[Cisco]] [[proprietary protocol]] that propagates the definition of Virtual Local Area Networks ([[VLAN]]s) across a whole local area network.<ref>[http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml Understanding VLAN Trunk Protocol (VTP)] at Cisco.</ref> It is a Layer 2 messaging protocol that manages the addition, deletion and renaming of VLANs on a network-wide basis: when a VLAN is created on one VTP server, VTP carries its definition to every switch in the VTP ___domain, so the same VLAN does not have to be configured on each switch by hand. VTP advertisements are sent over [[802.1Q]] and [[Cisco Inter-Switch Link|ISL]] trunks (older Catalyst platforms also carried them over [[IEEE 802.10]] and LANE trunks). They travel in the management VLAN (VLAN 1), so every [[Trunking#VLANs|VLAN trunk]] in the ___domain must be configured to pass VLAN 1. VTP is available on most of the Cisco [[Catalyst switch|Catalyst]] family products.<ref name="javvin">http://www.javvin.com/protocolVTP.html</ref> The comparable IEEE standard used by other manufacturers is [[GARP VLAN Registration Protocol|GVRP]] or, more recently, [[Multiple VLAN Registration Protocol|MVRP]].

Using VTP, each Catalyst family switch advertises the following on its [[Trunking|trunk]] ports:
* Management ___domain
* Configuration revision number
* Known VLANs and their specific parameters
 
There are three versions of VTP: version 1, version 2 and version 3.

==VTP Modes==
VTP operates in one of three modes: server, client or transparent.
* Server – In this mode you can create, remove and modify [[VLAN]]s. You can also set other configuration options, such as the VTP version, and turn VTP pruning on or off for the entire VTP ___domain. VTP servers advertise their VLAN configuration to the other switches in the same VTP ___domain and synchronize their own VLAN configuration with advertisements received over trunk links. Server is the default mode.
* Client – VTP clients behave the same way as VTP servers, except that you cannot create, change or delete VLANs on the local device.
* Transparent – A switch in transparent mode does not participate in VTP: it neither advertises its own VLAN configuration nor synchronizes it from received messages, and VLANs can be created, changed or deleted locally. In VTP version 2, however, a transparent switch does forward the VTP messages it receives out of its other trunk ports.

==Implementation details==
On '''Cisco devices''', VTP maintains VLAN configuration consistency across a single Layer 2 network. It uses Layer 2 [[Frame_(networking)|frames]] sent over trunk links to distribute the addition, deletion and renaming of VLANs from VTP servers to the other switches in the ___domain. By synchronizing VLAN information within a VTP ___domain it removes the need to configure the same VLAN information on each switch, and so reduces the configuration inconsistencies that arise when changes are made by hand.
 
===Upside===
VTP sends messages between trunked switches so that the [[VLAN]]s carried on their trunks stay consistent. VTP messages are exchanged only between switches in a common VTP ___domain: if the ___domain name in a message differs from the receiver's, the message is ignored. If the name matches, the receiver compares the configuration revision number. If the revision number of an update received by a client or server switch is higher than its own, the new configuration is applied; otherwise the update is ignored.
VTP provides the following benefits:
* VLAN configuration consistency across the layer 2 network
* Dynamic distribution of added VLANs across the network
* Plug-and-play configuration when adding new VLANs
 
===Downside===
A switch that is added to a VTP ___domain should have its configuration revision number reset before it is connected, so that it cannot overwrite the ___domain's VLAN database. Caution is advised with any VTP topology change, logical or physical. Exchange of VTP information can be protected by a password, which must be configured identically on every switch in the ___domain for it to work.
When a new switch is added to the network it is, by default, in VTP server mode with no VTP ___domain name and no password. If no VTP ___domain name has been configured, it assumes the one from the first VTP advertisement it receives. Since a new switch has a VTP configuration revision of 0, it accepts any revision number as newer and overwrites its own VLAN information, provided the VTP passwords match. The dangerous case is the reverse: a switch with the correct VTP ___domain name and password but a higher revision number than the network currently has (typically a switch that was removed for maintenance and returned with its VLAN information deleted). Because the higher revision wins regardless of its content, the entire VTP ___domain adopts the returning switch's VLAN configuration, VLANs disappear from every switch in the ___domain, and ports assigned to the deleted VLANs stop passing traffic. Since Cisco switches keep the VTP configuration (the VLAN database) separately from the running configuration, and because this particular mistake is made so often, it has become known colloquially as the "VTP bomb".
 
Before creating VLANs on the switch that will propagate via VTP, a VTP ___domain must first be set up. A VTP ___domain for a network is a set of all contiguously trunked switches with the matching VTP settings (___domain name, password and VTP version). All switches in the same VTP ___domain share their VLAN information with each other, and a switch can participate in only one VTP management ___domain. Switches in different domains do not share VTP information. Non-matching VTP settings might result in issues in negotiating VLAN trunks, port-channels or Virtual Port Channels.
==VTP Versions==
'''VTP version 2 supports the following features not supported in version 1:'''<ref name="configuration">http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800e47e3.html</ref>
 
{| class="wikitable"
|-
! VTP functionality
! Support/processing in version 2
|-
| [[Token Ring]]
| Token Ring Bridge Relay Function (TrBRF) and Token Ring Concentrator Relay Function (TrCRF) VLANs are supported.
|-
| Unrecognized Type-Length-Value (TLV)
| A version 2 server propagates TLVs even if it does not understand them, and saves them in NVRAM when it is in VTP server mode. This is useful when not all devices run the same version or release level.
|-
| Version-dependent transparent mode
| In version 1 a transparent switch inspects each VTP message and forwards it only if the ___domain name and version match its own. Because only one ___domain is supported per switch, version 2 forwards messages in transparent mode without this check.
|-
| Consistency checks
| Version 1 performs consistency checks on every received message, which adds overhead. Version 2 accepts a received message as long as its MD5 digest is correct, and performs consistency checks only on new configuration entered through the command line, Cluster Management Software or [[SNMP]].
|}
 
'''VTP version 3''' is responsible only for distributing a list of opaque databases over an administrative ___domain; the VLAN database is one such database. When enabled, VTP version 3 provides the following enhancements over the previous versions:
* Support for extended VLANs (IDs 1006 to 4094).
* Support for the creation and advertising of private VLANs.
* Improved server authentication: only a server that has been explicitly promoted to primary server can have its database overwrite the ___domain.
* Protection from the "wrong" database accidentally being inserted into a VTP ___domain.
* Interaction with VTP version 1 and VTP version 2.
* The ability to be enabled or disabled on a per-port basis.
* The ability to propagate the [[VLAN]] database and other databases.<ref name="javvin"/>
 
==VTP Version 1 and 2 Configuration Guidelines==
This section describes the guidelines for implementing VTP in your network:
* All switches in a VTP ___domain must run the same VTP version.
* You must configure a password on each switch in the management ___domain when you are in secure mode.
'''Caution''': if you configure VTP in secure mode, the management ___domain will not function properly unless you assign the management ___domain password to every switch in the ___domain.
* A VTP version 2-capable switch can operate in the same VTP ___domain as a switch running VTP version 1 as long as VTP version 2 is disabled on the version 2-capable switch (VTP version 2 is disabled by default).
* Do not enable VTP version 2 on a switch unless all of the switches in the same VTP ___domain are version 2 capable. When you enable VTP version 2 on one switch, every version 2-capable switch in the ___domain enables VTP version 2.
* In a Token Ring environment, you must enable VTP version 2 for Token Ring VLAN switching to function properly.
* Enabling or disabling VTP pruning on a VTP server enables or disables VTP pruning for the entire management ___domain.
* Making VLANs pruning-eligible or pruning-ineligible on a switch affects pruning eligibility for those VLANs on that device only, not on all switches in the VTP ___domain.<ref name="configuration"/>
 
==Configuration Commands==
The following steps use the CatOS command syntax of the Catalyst 5000/6000 series. On IOS-based Catalyst switches the equivalent global configuration commands are '''vtp ___domain''', '''vtp mode''', '''vtp version''' and '''vtp password''', and the configuration is verified with '''show vtp status'''.
{| class="wikitable"
|-
!
! Task
! Command
|-
| '''Step 1'''
| Define the VTP ___domain name (case sensitive).
| '''set vtp ___domain''' ''name''
|-
| '''Step 2'''
| Set the VTP mode (server, client or transparent).
| '''set vtp mode''' ''mode''
|-
| '''Step 3'''
| Set which VTP version to run.
| '''set vtp v2 enable''' (or '''disable''')
|-
| '''Step 4'''
| (Optional) Set a password for the VTP ___domain.
| '''set vtp passwd''' ''passwd''
|-
| '''Step 5'''
| Verify the VTP configuration.
| '''show vtp ___domain'''
|}
 
==[[VLAN]] Pruning==
[[Image:Pruning.gif|thumb|right|300px]]
VTP can prune unneeded [[VLAN]]s from trunk links. VTP maintains a map of [[VLAN]]s and switches, enabling traffic to be directed only to those switches known to have ports on the intended [[VLAN]]. This enables more efficient use of trunk bandwidth.
 
Each switch advertises to its neighbors which VLANs it has active. The neighboring switches then "prune" from the trunk the VLANs that are not active on the far side, saving bandwidth. If a VLAN is later added to one of the switches, that switch re-advertises its active VLANs so that its neighbors can update their pruning. For this to work, VLAN pruning must be enabled on both ends of the trunk. VLAN 1 is never pruned, which is also why VTP's own advertisements always get through. The easiest way is to enable pruning for an entire VTP management ___domain by enabling it on one of the VTP servers in that ___domain, with the following command on that server:

VTP_Server_Sw1(config)# vtp pruning

This then propagates to all switches in the VTP ___domain.
 
==Configure VLAN Pruning==
{| class="wikitable"
|-
!
! Task
! Command
|-
| '''Step 1'''
| Enable VTP pruning in the management ___domain.
| '''set vtp pruning enable'''
|-
| '''Step 2'''
| (Optional) Make specific VLANs pruning-ineligible on the device.
(By default, VLANs 2-1000 are pruning-eligible.)
| '''clear vtp pruneeligible''' ''vlan_range''
|-
| '''Step 3'''
| (Optional) Make specific VLANs pruning-eligible on the device.
| '''set vtp pruneeligible''' ''vlan_range''
|-
| '''Step 4'''
| Verify the VTP pruning configuration.
| '''show vtp ___domain'''
|-
| '''Step 5'''
| Verify that the appropriate VLANs are being pruned on trunk ports.
| '''show trunk'''
|-
|}
 
==VTP security==
VTP may operate unauthenticated, in which case an attacker with access to a trunk port (or to a port on which [[Dynamic Trunking Protocol|DTP]] will negotiate a trunk) can inject spoofed VTP advertisements to add or delete [[VLAN]] information across the whole ___domain. Tools such as Yersinia are freely available to do that.
A password can be set for the VTP ___domain; it is mixed into the [[MD5 hash|MD5]] digest carried in each summary advertisement, so that advertisements whose digest does not match are discarded. The password is a shared secret configured identically on every switch, and it does not change the higher-revision-wins rule: a switch that knows the password, or that was legitimately part of the ___domain, can still overwrite the VLAN database with a higher configuration revision number. (VTP version 3 adds a primary server that must be promoted explicitly before its database is accepted.)
This optional password authentication should therefore not conceal the fact that it is risky to use VTP in sensitive environments. Common mitigations are to run every switch in transparent mode or with VTP off, to disable trunk negotiation on access ports ('''switchport mode access''' and '''switchport nonegotiate'''), and to monitor trunks for advertisements from unexpected domains, updaters or revision numbers.
 
==VTP Problems==
When a VTP client or server with a higher configuration revision number is inserted, the other switches discard their own VLAN information and take the [[VLAN]] database of the inserted switch. The only way to get the deleted information back is to re-add the missing VLANs and delete the unwanted ones. To avoid this, set the switch you are inserting into the network to transparent mode, which resets its configuration revision number to 0, and then switch it back to client or server mode. Another way of resetting the configuration revision number is to change the VTP ___domain name to something else, such as "test", and then change it back. Check the result with '''show vtp status''' before connecting the trunk.

Another problem can happen when you insert a switch with a different VTP ___domain name.

[[Image:Vtp.JPG‎]]

In the image above, switch B is in a different VTP ___domain from A and C. If more [[VLAN]]s were added on switch A, switch C would not receive the update, because switch B (which is not in transparent mode) drops advertisements for a ___domain other than its own. To bring switch B into the same ___domain as the others, change its ___domain name to Cisco; all three switches then synchronize to switch A. Any VLANs that existed only on switch B must then be re-added.
 
==References==
{{reflist}}
 
==See also==
*[[Dynamic Trunking Protocol]] (DTP)
*[[GARP VLAN Registration Protocol]]
*[[Multiple Registration Protocol]]
*[[VLAN access control list]]
 
==External links==
*[http://www.cisco.com/warp/public/473/vtp_flash/ Cisco Flash animation explaining VTP operation]
*[http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_4_2/config/vlans.htm Cisco documentation: Configuring VTP and Virtual LANs on Catalyst 5000 Series]
*[http://www.yersinia.net Yersinia, a framework for Layer 2 protocols and attacks]
*[http://www.areanetworking.it/index_docs.php?title=Cisco_VLAN_Trunking_Protocol Cisco VLAN Trunking Protocol (Italian-language document)]
*[http://www.ciscopress.com/articles/article.asp?p=102157&seqNum=3&rl=1 CCNA Self-Study (ICND Exam): Extending Switched Networks with Virtual LANs > VLAN Trunking Protocol]
*[http://www.cramsession.com/articles/files/vlan-trunking-protocol-ba-9172003-0937.asp VLAN Trunking Protocol Basics - Administering VLANs using VTP]
*[http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/vlans.htm#wp1020364 How to configure VLANs on the Catalyst 6500 series switches.]
 
[[Category:Cisco protocols]]
[[Category:Ethernet]]
 
[[de:VTP]]
[[es:VTP]]
[[fr:VLAN Trunking Protocol]]
[[it:VLAN Trunking Protocol]]
[[pl:VTP]]
[[pt:VTP]]
[[ru:VTP]]