DTP & VTP

  • Cisco proprietary protocols

  • not in CCNA

  • 'show interfaces interface switchport' (administrative mode : what we configured on the interface; operational mode : whether the interface is actually operating as a trunk or an access port)

DTP

  • Dynamic Trunking Protocol

  • Allows Cisco switches to dynamically determine their interface statuses (access or trunk) without manual configuration.

  • Enabled by default.

(2 Cisco switches connected can form a trunk, otherwise the interface will automatically be an access port)

  • For security, manual configuration is recommended ('switchport mode access/trunk'). DTP should be disabled on all switchports.

  • 2 modes : Auto, Desirable

Dynamic Desirable

  • Will actively try to form a trunk with other Cisco switches.

  • It will form a trunk if connected to switchport in

    • switchport mode trunk

    • switchport mode dynamic desirable

    • switchport mode dynamic auto

  • Operational mode will be 'trunk'.

(Even if manually configured as a trunk, an interface still sends DTP frames out of it)

  • If the other switch is in 'access' mode, the trunk will not form and both will operate as 'access' ports in default VLAN (VLAN 1).

  • Operational mode will be 'static access' (an access port that belongs to a single VLAN that doesn't change, unless you configure a different VLAN).

Dynamic Auto

  • Will not actively try to form a trunk with other Cisco switches.

  • It will form a trunk if the other switch is actively trying to form a trunk.

  • It will form a trunk with a switchport in :

    • switchport mode trunk

    • switchport mode dynamic desirable

  • Will operate in 'access' mode if the other switch is in 'dynamic auto' (as it is also not trying to actively form a trunk) or 'access' mode.

DTP table

Mismatch

  • If a manually configured 'trunk' is connected to a manually configured 'access' port, they are forced to operate mismatched in trunk and access modes.

  • This configuration does not work: it should be treated as a configuration error, and traffic will not pass between the switches.
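The DTP outcome table the notes describe (dynamic desirable, dynamic auto, manual trunk/access and the mismatch case), as an added worked example that is not part of the original notes; the 'no-dtp' peer value is an assumption used here to stand for a router, PC or a port with 'switchport nonegotiate'.

```python
ADMIN_MODES = ("access", "trunk", "dynamic desirable", "dynamic auto")
NO_DTP = "no-dtp"   # assumed label: a peer that sends no DTP frames (router, PC, nonegotiate)

def operational_mode(local: str, peer: str) -> str:
    """Operational mode of the local switchport, given its administrative mode
    and what is on the other end of the cable (an admin mode or NO_DTP)."""
    if local not in ADMIN_MODES or peer not in ADMIN_MODES + (NO_DTP,):
        raise ValueError(f"unknown mode: {local!r} / {peer!r}")
    if local == "trunk":
        return "trunk"              # manual trunk: trunk whatever the peer does
    if local == "access":
        return "static access"      # manual access: never negotiates a trunk
    # local is dynamic desirable / dynamic auto, so the peer decides
    if peer in ("trunk", "dynamic desirable"):
        return "trunk"              # peer is a trunk, or actively asks for one
    if peer == "dynamic auto" and local == "dynamic desirable":
        return "trunk"              # we ask, the auto peer agrees
    return "static access"          # peer is access, auto+auto, or sends no DTP

def link_outcome(mode_a: str, mode_b: str):
    """(operational_a, operational_b, traffic_passes) for two Cisco switchports.
    The only failing combination is the trunk/access mismatch from the notes."""
    op_a = operational_mode(mode_a, mode_b)
    op_b = operational_mode(mode_b, mode_a)
    return op_a, op_b, op_a == op_b

def dtp_table():
    """The full DTP outcome table for every pair of administrative modes."""
    return {(a, b): link_outcome(a, b)[:2] for a in ADMIN_MODES for b in ADMIN_MODES}

if __name__ == "__main__":
    for (a, b), (op_a, op_b) in dtp_table().items():
        print(f"{a:18} <-> {b:18}: {op_a} / {op_b}")
```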

Extras

  • DTP will not form a trunk with a router, PC, etc. The switchport will be in access mode.

    • If you want to configure ROAS, you must manually configure the interface connected to the router as a trunk.

    • You cannot put it in 'dynamic desirable' mode and expect it to become a trunk.

  • On newer switches, 'switchport mode dynamic auto' is the default administrative mode, while interfaces on older switches default to 'switchport mode dynamic desirable'.

Disabling DTP :

  • Disable DTP negotiation on an interface with : 'switchport nonegotiate'.

  • Configuring the port as 'access' port also disables DTP negotiation on an interface and will stop sending DTP frames.

  • If you manually configure an interface in 'trunk' mode, it does not stop it from sending DTP frames, unless you give the 'switchport nonegotiate' command.

Recommended :

  • Disable DTP on all switchports and manually configure them as 'trunk' or 'access' ports.

Trunk encapsulation negotiation

  • Switches that support both '802.1Q' and 'ISL' trunk encapsulations can use DTP to negotiate the encapsulation they will use.

  • This negotiation is enabled by default, as the default trunk encapsulation mode is : 'switchport trunk encapsulation negotiate'.

(If you want to manually configure a trunk interface on a switch that supports both dot1q and ISL, you must first change the encapsulation mode to dot1q or ISL; you can't leave it in 'negotiate' mode.)

  • ISL is favored over dot1q, so if both switches support ISL, it will be selected.

  • DTP frames are sent in VLAN 1 when using ISL, or in the native VLAN when using dot1q (the default native VLAN is VLAN 1, however).

Output of 'show interfaces interface switchport' :

  • Consider both switches set to 'dynamic desirable' mode, so they'd form a trunk.

  • Notice that the default trunking encapsulation of 'negotiate' results in an operational trunking encapsulation of 'ISL'.

  • The field 'negotiation of trunking' shows whether DTP is enabled, whether the interface is sending DTP frames or not.

  • It will be 'ON' if the interface is in 'dynamic desirable', 'dynamic auto' or 'trunk' modes.

  • If you use 'access' mode or if you use 'switchport nonegotiate' command, it will be 'OFF'.
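An added audit script, not from the original notes, that reads the fields described above from 'show interfaces switchport' output and lists the ports still sending DTP frames, plus trunks whose encapsulation was negotiated (ISL winning) rather than set explicitly. The sample output is constructed in the layout of that command, not captured from a real device.

```python
# Constructed sample of 'show interfaces switchport' output (fields the notes discuss)
SAMPLE = """Name: Gi0/1
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On

Name: Gi0/2
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off

Name: Gi0/3
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
"""

def parse_switchports(text):
    """Map each 'Name:' block of the output to a dict of its 'Field: value' lines."""
    ports, current = {}, None
    for line in text.splitlines():
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            ports[current] = {}
        elif current and ":" in line:
            key, value = line.split(":", 1)
            ports[current][key.strip()] = value.strip()
    return ports

def audit_dtp(ports):
    """Ports still sending DTP frames, with the command that turns it off."""
    findings = []
    for name, f in ports.items():
        if f.get("Negotiation of Trunking", "").lower() == "on":
            # manual trunk keeps sending DTP until nonegotiate; access mode stops it
            fix = ("switchport nonegotiate" if f.get("Administrative Mode") == "trunk"
                   else "switchport mode access")
            findings.append((name, f.get("Administrative Mode"), fix))
    return findings

def negotiated_trunks(ports):
    """Trunks whose encapsulation came from DTP negotiation, not an explicit setting."""
    return [name for name, f in ports.items()
            if f.get("Operational Mode") == "trunk"
            and f.get("Administrative Trunking Encapsulation") == "negotiate"]
```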

VTP

  • VLAN Trunking Protocol

  • This allows you to configure VLANs on a central VTP server switch, and other switches (VTP clients) will synchronize their VLAN database to the server.

  • It is designed for large networks with many VLANs, so that you don't have to configure each VLAN on every switch.

  • Rarely used and recommended not to use it.

  • VTP versions : 1, 2, 3 (older versions might not support 3)

  • VTP modes : server, client, transparent

  • Cisco switches operate in VTP server mode by default.

Note

VTP only syncs the VLAN database; you still have to configure the interfaces on each switch separately (e.g. 'switchport access vlan 10'). VTP does not automatically assign interfaces to VLANs.

Modes

VTP servers

  • Can add/modify/delete VLANs.

  • As Cisco switches operate in VTP server mode by default, you can modify the VLAN database on Cisco switches by default.

  • Store the VLAN database in non-volatile RAM (NVRAM). This means the VLAN database is saved even if the switch is turned off or reloaded.

  • VTP servers will increase the revision number every time a VLAN is added, modified or deleted.

  • Revision number : It is what VTP uses to determine the newest version of the VLAN database, the version that the switches will synchronize to.

  • VTP servers will advertise the latest version of the VLAN database on trunk interfaces and the VTP clients will synchronize their VLAN database to it.

  • VTP advertisements aren't sent on access ports, only on trunk ports.

  • VTP servers also function as VTP clients: a VTP server will synchronize to another VTP server with a higher revision number (the highest revision number is treated as the newest, most accurate database).

VTP clients

  • Cannot add/modify/delete VLANs (the command will be rejected).

  • Do not store the VLAN database in NVRAM (in v3, they do).

  • Will synchronize their VLAN database to the server with the highest revision number in their VTP domain.

  • Will advertise their VLAN database, and forward VTP advertisements to other clients over their trunk ports.

Working

  • Consider 4 switches connected in series with all of their interfaces configured as 'trunk', so they will send and receive VTP advertisements between each other.

SW1# show vtp status

  • VTP version capable : 1 to 3

  • VTP version running : 1

  • By default, there is no domain name. If we want VTP to synchronize among these devices, we will need to configure them all with the same VTP domain name.

  • Default operating mode : Server

  • Max VLANs supported locally : 1005 (because VTP version 1,2 do not support the extended VLAN range of 1006-4094. Only v3 supports them).

  • Number of existing VLANs : 5 (default VLANs that exist on the switch - 1, 1002, 1003, 1004, 1005).

  • Configuration revision number : 0 (if you add, modify, delete a VLAN this will increase to 1 and SW1 will advertize this to VTP clients in the same domain. It will also update its own VLAN database if it receives a VTP advertisement with a higher revision number, because VTP servers function as VTP clients also)

Configuring

SW1(config)# vtp domain cisco
SW1(config)# vlan 10
SW1(config-vlan)# name engineering

  • Changes VTP domain name to 'cisco'.

  • VLAN10 is created and is named 'engineering'.

  • 'show vtp status' shows that the domain name has changed, the revision number has increased to 1, and the number of existing VLANs has increased by 1 to 6.

  • SW2 also has changed its domain name to 'cisco' and updated its VLAN database to match SW1 with a revision number of 1.

If a switch with no VTP domain (domain NULL) receives a VTP advertisement with a VTP domain name, it will automatically join that VTP domain.

If a switch receives a VTP advertisement in the same VTP domain with a higher revision number, it will update its VLAN database to match.

  • 'show vlan brief' on SW2 shows the VLAN10 with name 'engineering'.

  • The VTP advertisements are passed along to SW3 and SW4 and they joined the domain and updated their VLAN database as well.

Drawback

  • If you connect an old switch with a higher revision number to your network (and the VTP domain matches), all switches in the domain will sync their VLAN database to that switch.

  • This could cause all of the hosts in the network to instantly lose connectivity, because the switches could sync to a totally different VTP database, and the VLANs you were using could disappear.

VTP transparent mode

  • Does not participate in the VTP domain (does not sync its VLAN database to the VTP server).

  • Maintains its own VLAN database in NVRAM. It can add/modify/delete VLANs, but they won't be advertised to other switches.

  • Although it doesn't sync its VLAN database, it will forward VTP advertisements over its trunk ports if the advertisement is in the same domain, but it won't advertise its own VLAN database.

Example

  • Consider 4 switches connected in a series with SW1 acting as a server, SW2 as client, SW3 in transparent mode and SW4 as server.

  • SW2 is set as 'client' by 'SW2(config)# vtp mode client'. You cannot create VLANs on this switch.

  • SW3 is set to 'transparent' mode by 'SW3(config)# vtp mode transparent'. SW3's domain name is changed by 'SW3(config)# vtp domain juniper'.

  • Now, VLAN20 is created in SW1. It appears in 'show vlan brief', and 'show vtp status' shows the increase in revision number from 1 to 2 and the number of existing VLANs as 7.

  • The VTP client SW2 has added VLAN20 to its VLAN database and it has the same revision number as SW1.

  • On SW3, which is in transparent mode, the VLAN has not been added and has a revision number of 0.

Changing the VTP domain to an unused domain will reset the revision number to 0. Changing the VTP mode to transparent will also reset the revision number to 0.

So, if you're going to plug an old switch with a high revision number into a network that uses VTP, make sure to reset the revision number with one of these methods first, so it doesn't overwrite your network's VLAN configuration.

  • SW4 does not have VLAN20 and it is still on lesser revision number. SW3 is in transparent mode in different domain, so it shouldn't forward the VTP advertisements to SW4.

  • If we change the VTP domain on SW3 to 'cisco', it should start forwarding advertisements to SW4, even though SW3 itself won't sync its own VLAN database based on those advertisements.

VTP version

  • Change the VTP version using 'SW1(config)# vtp version version' command.

  • Changing the VTP version increases the revision number, and advertisements with this new revision number will be sent.

  • Other servers and clients will then sync and start operating in version 2 as well.

VTP v2 introduces support for Token Ring VLANs (old tech). If you use them, you must enable v2. Otherwise, there is no reason to use VTP v2. v3 client maintains its VLAN database in NVRAM.

Lab

Configuring the interfaces connecting switches and hosts in 'access' mode turns off DTP negotiation (by default, it will be ON and sending DTP frames, though it won't form a trunk with the hosts). Ref. step 5.

VTP password

A switch will reject any VTP advertisement if the password doesn't match.

  • On SW1, set the password with 'vtp password cisco' and create a new VLAN.

  • The revision number and existing VLANs would have increased by 1.

  • In SW3, the advertisement is not accepted. Check with 'show vtp status'.

  • If you set an incorrect password (vtp password ccna), the advertisement will still not be accepted.

  • As soon as you set the correct password (vtp password cisco), you can see that SW3 has accepted the advertisement.
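An added simulation, not part of the original notes, of the VTP behaviour described in the drawback, transparent-mode and password sections: NULL-domain switches join the advertised domain, a higher revision in the same domain overwrites the database, transparent switches forward but never sync, mismatched passwords are rejected, and a stale switch with a high revision number wipes VLAN 10 from the domain. The Switch class, its method names and the topology are assumptions for the example.

```python
from dataclasses import dataclass, field
DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}     # the 5 VLANs every switch starts with

@dataclass
class Switch:
    name: str
    mode: str = "server"       # server | client | transparent (Cisco default: server)
    domain: str = None         # None = the NULL domain, the factory default
    password: str = None
    revision: int = 0
    vlans: set = field(default_factory=lambda: set(DEFAULT_VLANS))
    links: list = field(default_factory=list)    # neighbours reached over trunk ports

    def set_domain(self, domain):  # moving to an unused domain resets the revision
        self.domain, self.revision = domain, 0
    def add_vlan(self, vlan):
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot add VLANs")
        self.vlans.add(vlan)
        if self.mode == "server":  # transparent mode keeps the change local
            self.revision += 1
            self.send(None, self.domain, self.revision, set(self.vlans), self.password)
    def send(self, skip, domain, rev, vlans, pw):
        for nb in self.links:
            if nb is not skip:
                nb.receive(self, domain, rev, vlans, pw)

    def receive(self, sender, domain, rev, vlans, pw):
        if pw != self.password:
            return                 # password mismatch: advertisement rejected
        if self.domain is None:
            self.domain = domain   # a NULL-domain switch joins the advertised domain
        if domain != self.domain:
            return                 # other domain: dropped, not forwarded
        if self.mode != "transparent" and rev > self.revision:
            self.revision, self.vlans = rev, set(vlans)   # sync to the newest database
        self.send(sender, domain, rev, vlans, pw)         # forward over the other trunks

def link(a, b):
    a.links.append(b)
    b.links.append(a)

def stale_switch_demo():  # the drawback from the notes: constructed topology SW1-SW2-OLD
    sw1, sw2 = Switch("SW1"), Switch("SW2", mode="client")
    link(sw1, sw2)
    sw1.set_domain("cisco")
    sw1.add_vlan(10)           # revision 1; SW2 joins 'cisco' and syncs
    old = Switch("OLD", domain="cisco", revision=7, vlans=DEFAULT_VLANS | {99})
    link(old, sw2)
    old.send(None, "cisco", 7, set(old.vlans), None)
    return sw1.revision, 10 in sw1.vlans      # (7, False): VLAN 10 disappeared
```

Resetting OLD with set_domain before linking it (revision back to 0) is the fix the notes give; then its advertisement is older than the domain's and is ignored.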
