Cisco CCNA ICND2 640-816

Switch VLANs: Understanding Trunks and VTP

by Jeremy Cioara

00:00:00 - We're going deeper. In the last video, we talked about VLANs
00:00:05 - and it's kind of like looking at a shiny car and going, "Wow,
00:00:08 - that's very glossy, I like it." But what we're going to do now
00:00:12 - is open up the hood of the car and take a look at what actually
00:00:16 - runs it and some of the technical details behind it. We're going
00:00:19 - to look at how trunks really work. We talked about them in the
00:00:22 - previous video as something that allows VLANs to move between
00:00:26 - switches but we're going to see how it happens, the technical
00:00:29 - details behind it, and a lot of that focuses around the 802.1Q
00:00:34 - protocol. It's known as the tagging protocol. The last one
00:00:38 - will be a fun one. I like this concept. How VTP can help; it's
00:00:41 - a great help, or it can completely annihilate your network all at one
00:00:45 - time. So that is the fun conversation because VTP is something
00:00:50 - that is Cisco proprietary. Only Cisco switches support it. It
00:00:54 - can be a great assistance but it can also be very devastating.
00:00:58 - Let's get going. As
00:01:00 - we discussed in the previous video, trunking allows the switches
00:01:04 - to pass multi-VLAN information between each other. So for example,
00:01:08 - you see the picture right here, we've got three VLANs: the red,
00:01:11 - purple and green VLANs, or officially VLAN two, three and
00:01:15 - four down below. Now when this green computer in the green VLAN
00:01:19 - sends a broadcast, it comes up to the switch. The switch looks
00:01:22 - at it and says, "Oh, well, I don't have any other ports that are
00:01:24 - a member of that green VLAN so I'll just send that across the
00:01:27 - trunk." It reaches over, reaches switch B over here; this is the trunk.
00:01:31 - And switch B sends it out all the ports that belong to the green
00:01:34 - VLAN. Same thing happens if somebody in the purple VLAN sends
00:01:38 - a broadcast: it crosses the trunk because the trunk sends all
00:01:41 - VLANs' traffic, and comes out the other side. Now you see my first
00:01:45 - note that I have here, that says trunking, also known as tagging,
00:01:51 - passes multi-VLAN information between switches. The first thing I
00:01:55 - want to mention on that is that trunking is a Cisco term. Cisco
00:02:00 - came up with that term to describe ports that pass all VLAN information.
00:02:04 - Other vendors like HP, like 3Com, like every other vendor in
00:02:08 - the world except Cisco, call trunk links "tagged links." Now why do
00:02:14 - they do that? Well, it's because of how the trunk really functions.
00:02:19 - When you send a packet, say this host in VLAN 4 sends a broadcast to
00:02:23 - the green VLAN, it crosses that trunk. The switch has to have some
00:02:27 - way of telling the other switch what VLAN it belongs to.
00:02:31 - So if we were to zoom in on that packet, you would see that before
00:02:35 - the switch actually passes it to the other side, it grabs its
00:02:39 - little marker and says, "Shoooom,
00:02:42 - you are now green, you are a green VLAN packet." So when this
00:02:46 - switch on the other side receives it, it goes, "Oh, green packet,
00:02:50 - great!" So it strips that color off, because the computers don't
00:02:53 - actually know what VLAN they're in. If they got a colored
00:02:56 - packet, they'd drop it because they think something
00:02:58 - is wrong with it. So this is just the language that happens between
00:03:02 - the switches, a tagging language so the switches know what VLAN
00:03:06 - things belong to. The red computer sends a broadcast that will
00:03:09 - cross that trunk, and as it goes across the trunk link, the switch
00:03:14 - will color it and say, "You are now..." darn
00:03:17 - it! I thought I was fast enough to switch colors. "You are
00:03:20 - now a part of the red VLAN." So when this switch over here receives
00:03:24 - it, the switch will be able to say, "Oh, you're going to go out
00:03:28 - all the red ports," so it de-colors the packet, or de-tags it,
00:03:31 - and sends it out all the red ports to the red PCs, or VLAN 2. So that
00:03:36 - puts the VLAN information into each frame. This is a layer two
00:03:41 - feature, meaning that the tag that colors the packet is put inside
00:03:46 - of the layer 2 header.
00:03:49 - Now let's get into the technical detail I promised you on how
00:03:53 - that happens. The trunking language of love is called 802.1Q.
00:04:00 - This is actually the trunking protocol. A lot of people call
00:04:04 - it the "trunking protocol" that allows your switches to communicate.
00:04:08 - Just like we have protocols like TCP/IP and so on, the switches
00:04:11 - pass information between each other using the official language
00:04:15 - of 802.1Q. Now, the good news is that that protocol is an industry
00:04:20 - standard. So this could be a Cisco switch over here and this
00:04:23 - could be a 3Com switch over here and that's no worries at all.
00:04:27 - They both understand that tagging language that they're using. Now
00:04:31 - let's say I kind of shrink our diagram here; we have the red
00:04:35 - and blue VLANs. Let's say the red VLAN sends a broadcast; the
00:04:39 - broadcast will come into the switch, the switch inspects itself
00:04:42 - and says, "Do I have any other red ports?" Nope, let me go ahead
00:04:46 - and send it across my trunk. But before it actually sends that
00:04:49 - packet across the trunk, this is a zoomed-in view of it, we have
00:04:52 - the official frame right here, here's its destination MAC address,
00:04:56 - the source MAC address, and since it's a broadcast, the destination
00:04:59 - MAC address will be all Fs; you know that's a broadcast. The
00:05:03 - source MAC address will be whatever MAC address this PC has right
00:05:07 - here. Now before it sends it across that trunk link, the switch
00:05:13 - sticks a little tag inside of that. Actually, whenever I see that,
00:05:18 - I always think of this as like a shim. Have you ever been to
00:05:21 - the hardware store? They sell those packs of shims. They're
00:05:25 - like, how do I describe them? They're like a piece of wood that
00:05:29 - looks like this. They're just called a shim and you can stick
00:05:33 - it, like, if your refrigerator right here, you've got your refrigerator
00:05:37 - and it kind of rocks because one side is, you know, taller than
00:05:41 - the other, or, you know, an uneven surface, you can just shove that
00:05:44 - shim under the fridge and it stops rocking. I have shims under
00:05:48 - everything in my house, my couches, my refrigerator; my house
00:05:51 - is like the most uneven house in the world. I kind of slide shims
00:05:54 - under everything. So the shims kind of just squeeze in there
00:05:58 - and that's kind of what I think of. Think of this as like your
00:06:00 - little shim that you stick inside of that header before it goes
00:06:04 - across the trunk, and then inside of that shim are two pieces.
00:06:08 - One is a priority field. You'd actually talk about that if you
00:06:12 - ever get in to the world of voice over IP and quality of service;
00:06:16 - we're not going to talk about that here. The other piece, the
00:06:19 - one that we're concerned with, is the VLAN number. Now I've been
00:06:23 - using colors all along that represent the VLAN but I've also
00:06:26 - alluded to the fact that VLANs are actually known by numbers, so the
00:06:30 - red VLAN might be VLAN 10 and the blue VLAN might be VLAN 20, so 10 and
00:06:35 - 20 over here.
00:06:37 - This tag will tell what VLAN number it belongs to. So since
00:06:44 - the red computer sent it, it will have the number 10 in that
00:06:47 - VLAN field. Shoos! It flies across to the other side. The other
00:06:51 - switch receives it and when it receives that packet, it's going
00:06:54 - to look at it and look at the shim and go, "Oh, you belong to
00:06:58 - VLAN 10." Immediately, as soon as it recognizes that, it strips
00:07:02 - that shim out. It takes the tag off because computers don't like
00:07:06 - tags. They'll drop the packets if it's on there, and it sends
00:07:09 - it out to all the red VLAN ports with just the destination and source
00:07:13 - MAC address. The computers or the PCs never know that they actually
00:07:18 - belong to a VLAN. VLANs are a switching technology.
00:07:23 - Now let's talk about one more advanced trunking concept and that
00:07:27 - is the idea of the native VLAN. The native VLAN is designed for
00:07:34 - packets that are received on the trunk that are not tagged. Let
00:07:38 - me explain what that means. When you have switches that are
00:07:41 - connected together, let me just draw a couple right here, typically,
00:07:45 - everything that's sent across that trunk will be considered tagged.
00:07:48 - Meaning it will be colored just like what I've been talking about
00:07:50 - all along. But what if you have this kind of environment down
00:07:54 - here, where we have a switch over here and this is a hub; that's
00:07:58 - my little icon for a hub, in the middle of them and a switch
00:08:02 - over on the other side and you want to establish the trunk between
00:08:06 - them. Now, I know that's not that common of a topology that you
00:08:11 - would have a hub sitting in between two switches but back when
00:08:14 - trunking was created it was a little more common because hubs were
00:08:17 - out there and sometimes you might have long cable distances
00:08:20 - spanning two switches, which were very expensive at that time.
00:08:24 - So you would have a hub sitting in between with a couple of devices
00:08:26 - attached. Well, the concept of a native VLAN comes in when these
00:08:31 - devices right here want to communicate with the rest of the network.
00:08:36 - A native VLAN will take their traffic that comes in un-tagged,
00:08:40 - meaning it's not colored in some way by one of the switches, and
00:08:43 - places them on that VLAN. Whatever VLAN you decide to assign as
00:08:49 - the native VLAN will be the native VLAN for that network. So
00:08:53 - for example, we have VLAN 15 people and VLAN 1 people over here,
00:08:58 - so that when somebody in VLAN 1 sends a broadcast, it goes out all
00:09:01 - the VLAN 1 ports on the switch. It should cross the trunk and,
00:09:05 - tagged, reach over here and go out all of the VLAN 1 ports on
00:09:09 - that switch. Now, I just sent it out to that VLAN 15 port, I
00:09:13 - meant this port, I'm telling you, the VLAN 1 port. Same thing
00:09:16 - happens with VLAN 15. So if these PCs send a broadcast or some
00:09:22 - kind of communication, it will be received by the switch right
00:09:25 - here and it thinks, you know, "Well, what VLAN are these people
00:09:28 - on? I mean, I see a trunk link right here, so what VLAN do I
00:09:32 - put them on?" That will be the native VLAN. Maybe you make the
00:09:36 - native VLAN 15. So they are a part of this VLAN appearing here. When
00:09:40 - they send a broadcast, these two hosts get it as well and VLAN
00:09:43 - 1 is left isolated. So, that's what the native VLAN is. Now,
00:09:48 - because this is not that common of a network diagram nowadays,
00:09:53 - you'll, most of the time, see problems with something called a native
00:09:56 - VLAN mismatch. Now, I'm getting into some of the troubleshooting
00:10:01 - topics that I actually have planned for later on in the series, but
00:10:04 - this is such a common problem. Let me tell you about it. It happens
00:10:08 - when you misconfigure one of the sides of the trunk. Let me just
00:10:15 - clear off all my notes right there. It normally would be when
00:10:19 - you have two switches directly connected together like this with
00:10:21 - the trunk and you configure a native VLAN of say 10 over here
00:10:25 - and you leave it at the default of 1 over here. What you'll get
00:10:29 - is all of these messages flooding your switch: "Native VLAN
00:10:32 - mismatch." Whew, I just threw my pen. "Native VLAN mismatch, Native
00:10:35 - VLAN mismatch," you know, the computers, or the switches,
00:10:38 - will constantly notify you of that. Now, when that happens, the
00:10:43 - reason that it is flagging you so much is you've actually bridged
00:10:47 - VLAN 1 and VLAN 10 together. Meaning the broadcast in VLAN 10
00:10:52 - will actually end up coming out VLAN 1, because you've, kind
00:10:55 - of, if you look at it logically, connected a port in VLAN
00:10:59 - 10 to a port in VLAN 1 and now those two are combined into one
00:11:02 - big VLAN. They actually call that VLAN seepage or VLAN leaking.
00:11:07 - Those are some of the terms that you'll hear thrown around with
00:11:10 - that. So the goal is to always make sure your native VLANs match.
00:11:14 - Most people, I'll tell you this, just leave them at 1 all
00:11:18 - the time. That's the default, and most don't even know
00:11:22 - what the native VLAN is. So what do they say? "Well, let's just keep
00:11:25 - it the default, which is 1," which is great. It doesn't cause
00:11:28 - any problems at all. So if one side gets changed, that ends up
00:11:31 - in a mismatch. And you'll notice down here, I have a second network
00:11:34 - diagram because I want to show you how the native VLAN is being
00:11:39 - used in modern times. We have these new devices that are coming
00:11:43 - out in our networks called IP phones. It's where people are combining
00:11:48 - the voice network meaning the phone system with the data system
00:11:52 - all on one network, all in one system, and all in one management
00:11:56 - authority. You get some really cool features on these phones
00:11:59 - like they have, you know, full internet access if you want them
00:12:02 - to. There's a lot you can do on this phone. And I don't
00:12:05 - want to get fully into it, ah, the capabilities
00:12:09 - of those, but one
00:12:11 - of the security ramifications
00:12:15 - of running your voice network along with the data devices is
00:12:20 - the computers can actually begin hacking the IP phones. Wow,
00:12:26 - I know that sounds kind of weird. But you can actually set it
00:12:29 - up. There are programs out there, one of them that's become
00:12:32 - well known is actually vomit, V-O-M-I-T; that's the name of
00:12:36 - the program. I think it stands for Voice Over Mis-configured
00:12:41 - IP Telephony or something to that effect, that's what it stands
00:12:44 - for. What it does is it actually taps the phone and can record
00:12:48 - phone calls from the phone and convert them into wave files.
00:12:53 - Yikes! Now, if this person is good enough, they can not only tap
00:12:56 - their phone but they could tap other people's phones in the network.
00:13:00 - Double yikes, because that's a huge security violation, so one
00:13:04 - of the things that we need to do is actually separate the phones
00:13:09 - from the PCs. Now Cisco has a fantastic feature: these phones
00:13:16 - actually have switch ports on the back so you can daisy chain
00:13:19 - the computer from the phone itself. But if that's possible, how
00:13:25 - on earth do you put them on different VLANs? I mean, because
00:13:28 - if you look at this picture right here, every port is assigned
00:13:30 - to a VLAN. Now here's the concept and I don't mean to blow your
00:13:34 - mind too early because I know we just finished talking about
00:13:36 - trunks and I'm about to dump something really heavy on you here.
00:13:40 - What you can do in the voice over IP world is set this up as
00:13:46 - a trunk port or a type of trunk port to where the switch actually
00:13:51 - trunks to this phone because the Cisco IP phone that you have
00:13:55 - sitting right here can tag its packets. Let me say it again,
00:13:59 - the Cisco IP phone can tag its packets, meaning the phone
00:14:05 - itself can put little colors on these packets that it sends that
00:14:08 - say it's a part of VLAN 50. So, I'm talking on the phone. I
00:14:11 - lift up the handset. I get the ex-mayor and say, "Hey Bob!
00:14:14 - You know I'm down in the office today, things are going
00:14:17 - great." Behind the scenes, I actually picked up a phone to do
00:14:20 - that. Behind the scenes the phone is taking the words that are
00:14:23 - coming out of my mouth, converting them into packets and putting
00:14:27 - a little tag on them that says this is a part of VLAN 50. That's
00:14:31 - received by the switch and since this is a trunk port, the switch
00:14:34 - goes, "Great! VLAN 50, that's fantastic. I'll assign it to that
00:14:38 - VLAN." Now, computers have no idea what VLANs are. They don't
00:14:42 - have the capability of tagging their own packets. That's a
00:14:46 - switch function. It's not a computer function. So these are sending
00:14:51 - untagged. I'll just put "unT" right there. Just like these were.
00:14:57 - When they were connected up here to the trunk, they were sending
00:14:59 - things that are untagged, and we would assign this port, just
00:15:04 - like we did up here, to a native VLAN. So maybe we wanted this
00:15:08 - computer to be on VLAN, oh I don't know, 10. I could set the
00:15:13 - native VLAN on that port to be 10 so any untagged packets that
00:15:16 - travel through that phone (the phone doesn't tag them) and travel
00:15:19 - into the switch, will end up on VLAN 10. Now, the big picture
00:15:24 - of this is I can set up the security parameters on the switch
00:15:27 - to say VLAN 50 is completely isolated
00:15:32 - from VLAN 10. Nothing is allowed to cross, so if somebody opens
00:15:37 - this utility and starts trying to sniff conversations, they will
00:15:41 - be blocked from doing that because it's isolated even though
00:15:44 - they're plugged in to the same switch port. That's a powerful
00:15:48 - concept and it's a big concept, very deep concept this early
00:15:51 - on. But that's one of the things that you are able to accomplish
00:15:54 - with the native VLAN. That's the big idea about trunking. So
00:15:59 - we've talked about what trunks are. We've talked about the protocol
00:16:03 - of trunking, 802.1Q. And we talked about the native VLAN and
00:16:07 - how that combines with trunking. Now, let's move on to the next
00:16:10 - major concept here which is the worst possible acronym ever,
00:16:16 - ever. It stands for the VLAN Trunking
00:16:22 - Protocol or VTP. Now, if you remember, think back about 10 minutes,
00:16:28 - I talked about the VLAN trunking protocol, which was the language
00:16:34 - of love between switches, what was it? 802.1Q. That is the only
00:16:39 - VLAN trunking protocol that is out there and that is used. Now,
00:16:42 - I will, you know, add a side note to that. Cisco had a proprietary
00:16:46 - one called ISL, or Inter-Switch Link, but that was discontinued.
00:16:50 - It's not used anymore. It was just something that was created
00:16:54 - to meet the need many years ago, and it is no longer used
00:16:58 - because you could only use it on Cisco switches. So there's only
00:17:01 - one VLAN trunking protocol and that's 802.1Q. So, what's the
00:17:06 - concept here? What's VTP? Well, VTP should've been called,
00:17:11 - in my opinion, VRP, the VLAN
00:17:16 - Replication Protocol, because here's what it does. When you are
00:17:21 - in a large organization, VLANs start to multiply, and so do your
00:17:25 - switches. I mean more people get hired and another switch is added.
00:17:29 - You have, you know, hundreds of switches sometimes in a
00:17:31 - large organization, and anytime you want to add a VLAN, it becomes
00:17:36 - painful, because, let's say, you know, let's say right now we've
00:17:39 - got, you know, VLAN 10 and 20 and I want to add 30 to the list
00:17:44 - so I can add some people to a new VLAN. Well, I would have to
00:17:47 - telnet in to each one of these switches here and add the VLAN
00:17:52 - one by one. Say add VLAN 30, add VLAN 30, add VLAN 30, you know, on
00:17:55 - every single switch. In an enterprise organization of hundreds
00:17:59 - of switches, that can be a huge task. So here's what
00:18:04 - VTP does. VTP says, "Let me replicate the VLANs for you." So
00:18:09 - I can go to one switch in my network and say, "I would like, say,
00:18:13 - VLAN 10."
00:18:15 - VTP does the rest. It sends a message out to its trunk links
00:18:19 - and says, "Hey, I've got an update, we've added VLAN 10. VLAN
00:18:22 - 10, VLAN 10." And it shows up in all the other switches in your
00:18:26 - organization even though you only added it to one switch. Now
00:18:30 - [inaudible 18:19] you still have to go and assign the ports that you
00:18:34 - want to that VLAN. It doesn't do that for you because it doesn't
00:18:36 - know which ports are going to be in that VLAN. But at least you
00:18:39 - don't have to create the VLAN on every single one of those hundred
00:18:44 - switches in your organization. So that's what VTP does. The VLAN
00:18:48 - Trunking Protocol is not a trunking protocol at all. It just
00:18:52 - works over trunk links to replicate VLANs. Now, you'll notice that
00:18:57 - I have the double-edged sword. Why am I saying that? Well that
00:19:01 - is because VTP as you might remember from my intro slide can
00:19:06 - either save and help your network or annihilate it all with one
00:19:11 - slight mistake. Here's the idea of how VTP works. When I add
00:19:17 - a VLAN in my organization, it has a very simple way of keeping
00:19:21 - track of who has the latest list of what VLANs are out there.
00:19:25 - So let's say I add VLAN 10. I type in VLAN 10 is created. VTP
00:19:30 - has a little database counter in the background that says, "Okay, we
00:19:33 - just moved from revision 0 of our database to revision 1." "Ting!"
00:19:36 - Revision 1. It sends out a message, "Hey, I got revision 1." The switch
00:19:40 - is like, "I've got 0. Let me upgrade." So it takes the
00:19:43 - revision 1 database and replaces its own and replicates it down
00:19:47 - the line: "I'm revision 1." It goes, "Oh, great! You know, I'm 0 and
00:19:50 - I'm 1," and everybody changes over. Poof! You know, and that, you
00:19:53 - know, takes me a little longer to explain; that all happens
00:19:55 - probably in less than a second. So I think, "Oh, that was easy.
00:19:59 - That was fun. Let me add in VLAN 20. VLAN 20, rev 2, tink! Rev
00:20:03 - 2, tink! Rev 2, tink!" And everybody gets VLAN 20. It's just that
00:20:08 - very simple revision of it. And the reason that it's beneficial
00:20:12 - is that it means I can go to any VTP switch I want in my organization
00:20:16 - and say, "Well, I'll add in VLAN 30." VLAN 30, tink! Rev 3, tink! Rev
00:20:22 - 3, tink! Rev 3. I lose it as I go. So, you know, VLAN 30, you know,
00:20:30 - passes up this way and now everybody's got VLAN 10, 20 and 30 in
00:20:33 - all of their databases. Very simple system for keeping track
00:20:37 - of who has the latest database. Now
00:20:39 - here's the problem: you're going to watch the series and you
00:20:43 - are going to think, "Oh this is great, this is fantastic!" And
00:20:46 - you're going to go on eBay and buy some lot of equipment, because
00:20:49 - you know I highly recommend if you're studying for the CCNA,
00:20:52 - just to build a small little home lab, I'll talk more about that
00:20:54 - later on, but it's very beneficial. And you're on eBay and you're
00:20:58 - looking at the switches and you see the switch and it says, you
00:21:01 - know, "Cisco 2900XL, Buy It Now price $20." You know,
00:21:07 - "$20! That's a great deal." And you click on it and you know
00:21:12 - the, well, first, we're all good eBayers here, right? So you would
00:21:16 - email the seller and say, you know, "$20! It seems like a very
00:21:19 - low price! What's the deal?" And the seller would reply, "Oh
00:21:23 - well, you know, I just, you know, got surplus from this company
00:21:25 - that went out of business, I've got many of these switches," you
00:21:28 - know, their loss, your gain, you know, all the marketing stuff
00:21:31 - they're trying to...
00:21:33 - So they say $20 and you'll go, "Great, $20. Buy it now!" You
00:21:37 - use PayPal. You buy the switch, you know, and two weeks later
00:21:39 - it's the best day: you get the box in the mail. And you open
00:21:43 - it up. And you look at it like, "Oh!" It's a switch, you know,
00:21:47 - and you plug it in and it works and you're like, "I didn't
00:21:50 - get ripped off. This is great." And you look at it and you
00:21:53 - find out it's got an existing config on it. I'm telling you, when
00:21:57 - you get into Cisco, that is like the dream days. I love when I
00:22:01 - buy stuff off eBay and it has old company configurations on
00:22:05 - it because when I do that, when I get their old configuration,
00:22:09 - I do a password recovery, which is really easy. I'll
00:22:12 - show you how to do that later too. Break into the device and
00:22:15 - I can actually see how their network was set up. I love looking
00:22:19 - at configurations because I can see what people are thinking.
00:22:22 - I'm like, "Oh, that's a good idea." You know, way to go. I kind
00:22:25 - of save their config as model configs that I can use later on.
00:22:28 - So my point is you've got the switch and it's great. So you're
00:22:33 - using it in your home network, you know, using it in the lab environment.
00:22:36 - Trying stuff out, creating VLANs, doing VLANs, and then, then
00:22:39 - you think, "Ah, I've got to go to work." But then the thought hits
00:22:41 - you. You think, "I don't really do all that much work anyway.
00:22:47 - I mean, come on, does anybody, really? You know, I could be
00:22:50 - studying for my CCNA at the office." So you bring the switch
00:22:56 - into your cubicle and, you know, during the slow times of the day, when
00:22:59 - not much is going on, you're just practicing creating stuff and
00:23:03 - I'm telling you, the bug bites you! You'll be sitting there
00:23:05 - and all of a sudden the thought will hit you like, "Ha!
00:23:08 - I've been creating these lab environments for a long time but
00:23:13 - I bet, I bet what I could do is I could make this thing real.
00:23:17 - Meaning I could, you know, in my cubicle wall, you know, I've
00:23:21 - got this little wall jack right here. I could run a crossover cable
00:23:24 - from that to my switch and plug in a couple of laptop computers or
00:23:28 - something like that, and actually have a real switched VLAN network
00:23:33 - in the world." You know, of course, we use our crossover cable to make
00:23:36 - that happen; a little concept review there. And we could have
00:23:40 - this live working environment, and I'm telling you, this sounds
00:23:43 - crazy, but it happens more than you may know. And you build this
00:23:47 - little mini network in your cubicle and then you connect that
00:23:51 - crossover cable. All of a sudden, Bob from a couple of cubicles
00:23:56 - down kind of pokes his head out, he says, "Hey! Hey Jim! Can you
00:23:59 - get on the internet?" You know, it's kind of funny that the first
00:24:03 - thing everybody notices is going down. It's not the accounting server. It's
00:24:06 - not the inventory log or anything. It's the internet you know.
00:24:10 - If you're going to blow up something in the company, just make
00:24:12 - sure you don't blow up internet access. But anyway, Jim pops up;
00:24:15 - he's like, "Yeah! No, I can't get on to the internet and I can't
00:24:18 - even check my email." And, you know, you're kind of going, "Ha! Haha,"
00:24:21 - unplug the crossover cable, you know. Shove that little switch
00:24:27 - in your network. Here's what happens: you brought that switch
00:24:30 - from home that had the company's old configuration on it, that
00:24:33 - could've been, we'll say, VTP rev 1302.
00:24:38 - And when you plug that into the network with a cross over cable,
00:24:42 - this line in your cubicle wall goes to the ceiling and backed
00:24:46 - up and eventually connects to some switch somewhere else which
00:24:49 - if they've left the switching ports by default, will negotiate
00:24:54 - a trunk port with your switch and this will say "Hey! I'm VTP
00:24:59 - rev 1302.
00:25:02 - And this will say, "What? I'm three." You know, three! "It-you're
00:25:07 - away ahead of me. Give me your database." Now here's how VTP
00:25:11 - works and this is why it's double edge sword. If or when a high
00:25:16 - revision database comes about, it's not like it just combine
00:25:20 - the existing VLANs that are there with the new database, what
00:25:23 - it will do is completely flush that whole database and all the
00:25:27 - VLANS that existed and replace it with whatever VLANs you have
00:25:31 - on your switch. So maybe you know, on your switch you were using
00:25:35 - one, two and three. Now, by the way, there are 0-4096
00:25:43 - total VLAN numbers. So there's quite a few numbers that you could
00:25:46 - choose for your VLAN. But you know, it flushes it and everybody
00:25:49 - goes to one, two and three, all the switches now have VLANs one,
00:25:52 - two and three. Now, here's the major problem.
00:25:56 - All of the ports in your network, in your whole organization
00:26:01 - are assigned to what VLANs? 10, 20 and 30 right?, 10,20 and 30
00:26:06 - just disappeared. They just vanished into thin air. And when
00:26:10 - a port is assigned to a VLAN that it doesn't exist,
00:26:14 - the port just kind of goes, "Ha?" You know. "I'm lost. Help me!
00:26:18 - Where am I? I don't know". It can't even communicate with things
00:26:22 - that are right next to it. The port essentially goes inactive.
00:26:25 - As a matter of fact, if you look at the switch physically, on
00:26:30 - the switch, all of the ports will turn yellow. The light above
00:26:32 - them will turn from green to yellow. And it's like, "Ah, I'm
00:26:35 - lost," because I've lost my VLAN and I can't get there, so the
00:26:39 - whole entire network goes down. It's flushed at that point. Now,
00:26:45 - you know, administration panics, you know, this network administrator
00:26:50 - begins sweating bullets, you know, the hair is flying out, molecules
00:26:55 - everywhere, you know, just because the whole network's down and
00:26:57 - everybody's like, "What's going on?" And you know, you don't
00:27:00 - even think to start looking at the VLAN database. He goes in
00:27:04 - there and sees all the switches are orange and goes, "What's
00:27:07 - going on?" You know, he thinks of a worm or virus, you know, something
00:27:11 - is taking out the network. What's happening? You know, by the time he
00:27:13 - figures it out and figures out that, you know, the VLANs are
00:27:17 - gone, there could be 20, 30 minutes of complete network outage that
00:27:21 - go by. Now 20, 30 minutes to you and me, you know, that's a
00:27:24 - sitcom show, but 20 or 30 minutes to a production network, that's
00:27:28 - an eternity. So what does he do? He goes, "Oh, the VLANs
00:27:32 - are gone." So he pulls one of these switches off and restores
00:27:35 - the configuration from backup, right, and pastes everything back
00:27:38 - in there. Well, as soon as he plugs that back into the network,
00:27:41 - what happens? Boosh! Toast! You know, because these are all at 1306,
00:27:47 - 1306, this one was restored from backup, it's on three, you know,
00:27:51 - this replicates down and wham! It wipes out the VLAN database
00:27:54 - again. The only way to fix this is to manually recreate the VLAN
00:28:00 - database, meaning he has to manually add in, you know, VLAN 10,
00:28:04 - and then it will increment the rev number up to 1307 and replicate
00:28:08 - everywhere, you know, all of the VLAN 10s come back on. He manually
00:28:10 - adds back in VLAN 20, VLAN 30, manually adds those in, and as
00:28:14 - he adds those back in, you'll see the ports on the front of
00:28:17 - the switch all turning green because their VLANs are back
00:28:20 - and everybody is happy again. But by the time they figure that out,
00:28:24 - and three VLANs is a very small network, you usually have many
00:28:28 - VLANs, and recreate all the VLANs and where they should go,
00:28:31 - you're looking at a network outage of
00:28:34 - hours, if not, you know, one of those, okay, company closed down
00:28:38 - for the day, you know, that kind of crisis. There are people,
00:28:42 - you will talk to people that have been burned by this before, this
00:28:46 - VTP system. And they will swear to you that they will never ever
00:28:51 - use VTP again. If you haven't been burned by this before, then
00:28:56 - you'll say, "Ah, VTP is the greatest thing since sliced bread,
00:28:58 - it does what we need it to do." Now I will mention, you know, I
00:29:03 - know some of you are thinking, "Come on! This is pathetic. Isn't
00:29:07 - there more security than this?" There is, meaning that there's
00:29:11 - this VTP domain name that has to be the same in order for these
00:29:15 - replications to happen. For example if I worked for Intel, I
00:29:19 - might name my VTP domain Intel, and all the switches have to
00:29:22 - provide that name in order to replicate. Well, if somebody brought
00:29:25 - one in from home, then chances are they're not going to be using
00:29:28 - the same VTP name of Intel when they bring them into the company.
00:29:33 - Where this normally happens, because it does happen quite
00:29:35 - frequently, is in corporate lab environments. The goal of a
00:29:41 - corporate lab is to simulate the live environment, to simulate,
00:29:47 - you know, what's going on in the real network. So a lot of times they'll
00:29:49 - use the same VTP names, and you can assign a password to the
00:29:53 - VTP updates and so on. So they'll use the same password and all
00:29:55 - that, and they'll have all these lab switches over here, which
00:29:58 - is a lab that is not connected to the corporate network, they're doing
00:30:00 - all their stuff on, and you know, it's a lab environment. They're
00:30:03 - trying all kinds of crazy stuff in there. Well, the way that
00:30:07 - usually happens is, you know, you run out of switch ports
00:30:10 - in the corporate network and there's no spare switch on hand,
00:30:14 - and somebody goes, "Ah, we need another switch, but a new
00:30:17 - one will take a week to get here. We need it now." And someone
00:30:20 - is like, "Oh yeah! We've got the lab switch." You know, and someone
00:30:22 - runs into the lab, the happy person runs into the lab, grabs the switch,
00:30:26 - and then comes and plugs it into the network and wham! Same kind
00:30:29 - of system. The whole network goes down. So I will tell you, in
00:30:33 - my personal experience, if you are careful
00:30:37 - with VTP, if you set up the network in the right way,
00:30:43 - VTP is great, because I'm going to show you, in the upcoming videos,
00:30:48 - the way to properly set up VTP. If you leave things at default,
00:30:52 - meaning you just use VTP as it is out of the box and you don't
00:30:55 - change them on your switch ports, that is where these nightmares
00:30:58 - can really begin.
00:31:00 - Let me hit this last few concepts and then we'll wrap up. VTP
00:31:03 - modes. There are three modes that you can configure a switch
00:31:07 - for when you're getting it ready for VTP. By default, when you
00:31:11 - pull the switch out of the box and don't change anything, every
00:31:14 - switch is a server. And what that means, as it relates to VTP, is
00:31:20 - that switch can create VLANs and delete VLANs and modify VLANs
00:31:24 - and do whatever you want to the VLAN database of the corporate
00:31:27 - network and replicate those changes to everybody else, just like
00:31:31 - I showed you in the previous file where it says, "Hey, I've got
00:31:33 - a red VTP number here. Let me give that to you." And we'll also
00:31:37 - receive a new VTP rev and say, "Oh, let me apply that to myself."
00:31:40 - So every switch by default is a server. Now, security-wise, that
00:31:46 - can be a little dangerous because that means anyone who has access
00:31:49 - to a switch can change your VLAN database. So the second mode
00:31:53 - that you see there is VTP client. VTP
00:31:57 - clients do not have the authority to change the database. You
00:32:01 - cannot add VLANs. You cannot delete VLANs
00:32:04 - or change them. You just receive updates from the servers and
00:32:08 - apply those updates to your configuration. So here's the idea
00:32:13 - of how you're supposed to set this up: you're supposed to have
00:32:16 - one switch that is the server, and all the other switches, maybe
00:32:20 - connected to that one, and maybe you've got a couple daisy
00:32:22 - chained like that, and you make all your changes from that server
00:32:26 - switch and it replicates out to all of these clients, which is
00:32:29 - everywhere. You are not able to add VLANs or delete VLANs from
00:32:33 - any one of those client switches. Now, the problem with that
00:32:36 - theory is just that. It's a theory. It's how you're supposed
00:32:41 - to set it up to where all of your changes are centralized. Now
00:32:44 - some people do and I applaud them, that's awesome, but unfortunately,
00:32:49 - myself included, many IT people are just lazy. Meaning you get
00:32:55 - to a point - here's the idea - you telnet to a switch, right? You
00:32:59 - need to add a VLAN real quick. You're like, "Ah, I just need that
00:33:01 - VLAN 50." So you telnet into this switch because you forget who
00:33:04 - the server in your network is. You get in there and say, okay,
00:33:08 - add VLAN 50, enter, and a message comes up and says, "Oops, sorry,
00:33:12 - you can't add a VLAN, you're on a VTP client." And you go, "Oh!
00:33:16 - Oh yeah!" Okay, stop right there. The good administrator
00:33:21 - looks at his documentation and goes, "Let me telnet into the
00:33:26 - VTP server and make my changes where I'm supposed to." Me, the
00:33:30 - lazy IT administrator, or, you know, you're just short on time,
00:33:33 - it happens to us all. You've got to make a quick change, so you do
00:33:36 - what? Well, you just change that guy over to a server because
00:33:40 - we have privileged mode access to do it. It's just one command,
00:33:43 - and make our change there, and slowly but surely all of our clients
00:33:47 - come back to server mode because we never quite remember where
00:33:51 - the servers in our network are. So we have this random spattering
00:33:54 - of clients and servers. The third mode of VTP is known as Transparent
00:34:00 - Mode. Transparent mode is for those people that say, "I never ever
00:34:05 - want to use VTP again in my life."
00:34:08 - What Transparent mode does is
00:34:12 - essentially turn a switch into kind of a Harley Davidson switch.
00:34:17 - Meaning it can add VLANs, delete VLANs, modify VLANs, but it's
00:34:22 - a rebel. It's a Harley Davidson switch. It's a rebel. It does
00:34:25 - not listen to anybody else. Meaning if this switch says, "Hey!
00:34:29 - Add VLAN 10," the transparent mode switch says, "No way, I've
00:34:33 - got my own VLAN database. I'm not going to tell you about it,"
00:34:37 - because they don't send VTP updates, "and I'm not going to listen
00:34:40 - to your updates either because I am my own switch." By changing
00:34:44 - all the switches in your network over to transparent mode,
00:34:48 - you effectively disable VTP. Now,
00:34:52 - one note is that transparent mode switches may be the Harley Davidson,
00:34:56 - they may be rebels, but they will pass through VTP updates. What
00:35:01 - that means is that - you know, let me - oh no, what have I done? I
00:35:07 - have - I'm hearing things in my ear. Hang on, let me, let me
00:35:12 - pause our recording. Things are going dark quickly.
00:35:16 - There we go. Someone must have unleashed a VTP update on my network.
00:35:20 - I don't know what that was. So, here's the idea: if we've got
00:35:23 - the server sitting in the middle and maybe we plug that into
00:35:27 - a transparent mode switch which is attached to a client switch.
00:35:31 - When it sends out a VTP update saying, "Hey! Update your database,"
00:35:34 - the Harley Davidson transparent mode switch won't listen to it,
00:35:37 - but it will pass it on so the client does still receive its update.
00:35:41 - So a transparent mode switch thankfully will not break the chain.
00:35:44 - We still want to use VTP through those
00:35:50 - switches. Now if you decide to use VTP in your network, there
00:35:53 - is one more benefit that you can benefit from. That sounds right.
00:35:57 - One more benefit that you'll get and that is VLAN pruning.
00:36:01 - This keeps unnecessary broadcast traffic from going across your
00:36:06 - trunk links. Here's the picture of three switches. I've got
00:36:10 - trunk links configured between them all. Now, this is obviously
00:36:13 - a logical diagram because you don't have one cable connecting
00:36:16 - all three. You know, you've got a crossover going here and then
00:36:18 - another crossover from another port that will come down here.
00:36:22 - But logically speaking, all of those would be trunk links configured
00:36:26 - between them. Now notice we've got the green VLAN, the red VLAN
00:36:29 - and the blue VLAN. But also notice that the switch down here
00:36:33 - does not have any green VLAN ports. Well, the concept of VLAN
00:36:38 - pruning and the benefit that you get from it is when the green
00:36:41 - PC sends a broadcast, normally that broadcast would go across
00:36:46 - every trunk link, even down to the bottom, and the switch on the
00:36:49 - bottom, which has to drop it, would be like, "Oops! I don't
00:36:52 - have any green, I don't have any green," you know. Every broadcast,
00:36:55 - "I don't have any green." You just have to drop the broadcast.
00:36:58 - Well, VLAN pruning, just like we've got our pruning shears right
00:37:01 - here, can take that broadcast and stop it at the last switch to
00:37:05 - get it. It uses VTP to do that because these switches can use
00:37:09 - VTP. You can see it only works if they're VTP servers. These
00:37:13 - switches will be able to communicate with each other and
00:37:16 - say, "Hey! I've been getting some green broadcasts
00:37:19 - down here and I don't have any ports that are members
00:37:23 - of the green VLAN, but thankfully, if I decided I would like to
00:37:27 - add a port that belongs to the green VLAN, you know, this port
00:37:30 - is no longer blue, it's green." When I did that, the switch
00:37:35 - would send a notification up here and say, "I've got a green port.
00:37:39 - Go on and send those down." So it would de-prune the link and
00:37:43 - make these links much more efficient, so you're not sending broadcast
00:37:46 - packets where they don't need to go. So VLAN pruning is something
00:37:50 - that you only get if you use VTP servers everywhere in your organization,
00:37:54 - but also remember you run the risk of changes taking over your
00:37:57 - network with VTP servers everywhere. So
00:38:01 - there it is. The deep technical detail about VTP, about trunks,
00:38:06 - about how all of these VLAN concepts work. So to hit the high
00:38:11 - points, we did talk about understanding how VTP or - sorry - how trunks
00:38:16 - really do work, looking at the tagging protocol or the language
00:38:19 - of love between them, 802.1
00:38:22 - Q. So the 802.1Q protocol adds those shims, those tags, to the
00:38:27 - packets as they cross the trunk that let the switches know what
00:38:31 - VLAN the packet belongs to. Now once the switch processes that, it
00:38:35 - strips the shim out so the computer doesn't actually receive
00:38:39 - it. The PC never knows what VLAN it belongs to. The last thing we
00:38:43 - looked at is how VTP can help or annihilate your network depending
00:38:47 - on how you have it configured. Now in this upcoming video we're
00:38:50 - going to talk about how to configure VTP the right way so you
00:38:54 - don't run, or you have, or should I say you have very little risk
00:38:58 - of what happened in some of those scenarios I was talking about,
00:39:02 - happening in your network. I hope that this has been informative
00:39:05 - for you and I'd like to thank you for viewing.
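The failure mode the trainer walks through (a switch with a higher configuration revision overwriting every server and client in the same VTP domain, a restore from backup being wiped again, clients refusing local edits, transparent switches relaying updates they ignore) is easiest to see end to end in a small simulation. The Python below is an added example for this page, not the trainer's material and not Cisco code. The switch names, the domain name "corp", the password "s3cret", the revision numbers and the port-to-VLAN assignments are all constructed, and the model deliberately ignores VTP versions, advertisement timers and pruning.

```python
# Toy model of VTP revision-number propagation, constructed for this page.
# Not Cisco code: it ignores VTP versions, timers and the extended-VLAN range.
from dataclasses import dataclass, field

@dataclass
class Switch:
    name: str
    mode: str = "server"           # factory default: every switch is a server
    domain: str = ""
    password: str = ""
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})   # VLAN 1 always exists
    ports: dict = field(default_factory=dict)         # access port -> VLAN id
    links: list = field(default_factory=list)         # trunk neighbours

def trunk(a: Switch, b: Switch) -> None:
    """Bring up a trunk between two switches (both directions)."""
    a.links.append(b)
    b.links.append(a)

def inactive_ports(sw: Switch) -> list:
    """Access ports whose VLAN is missing from the database go inactive."""
    return sorted(p for p, v in sw.ports.items() if v not in sw.vlans)

def add_vlan(sw: Switch, vlan_id: int) -> bool:
    """Create a VLAN at the CLI. Clients refuse; transparent is local only."""
    if sw.mode == "client":
        return False
    sw.vlans.add(vlan_id)
    if sw.mode == "server":
        sw.revision += 1           # servers bump the rev and advertise it
        advertise(sw)
    return True

def advertise(src: Switch) -> None:
    """Flood a summary of src's database over every trunk (loop-safe)."""
    adv = (src.domain, src.password, src.revision, frozenset(src.vlans))
    seen = {id(src)}
    for n in src.links:
        _receive(n, adv, seen)

def _receive(sw: Switch, adv: tuple, seen: set) -> None:
    if id(sw) in seen:
        return
    seen.add(id(sw))
    domain, password, rev, vlans = adv
    if (domain, password) != (sw.domain, sw.password):
        return                     # other domain or bad password: dropped
    if sw.mode == "transparent":
        pass                       # keeps its own database, relays the update
    elif rev > sw.revision:
        sw.revision, sw.vlans = rev, set(vlans)   # higher rev wins, right or wrong
    else:
        return                     # stale or equal revision: nothing to relay
    for n in sw.links:
        _receive(n, adv, seen)

def build_production() -> dict:
    """Constructed network: A (server) - B (client) - C (client), all at rev 3."""
    net = {n: Switch(n, m, "corp", "s3cret", 3, {1, 10, 20, 30}, p) for n, m, p in
           [("A", "server", {"Fa0/1": 10, "Fa0/2": 20}),
            ("B", "client", {"Fa0/1": 20, "Fa0/2": 30}),
            ("C", "client", {"Fa0/1": 10, "Fa0/2": 30})]}
    trunk(net["A"], net["B"])
    trunk(net["B"], net["C"])
    return net

def lab_switch_incident() -> dict:
    """Replay the outage from the video: a same-domain lab switch at rev 1306."""
    net = build_production()
    lab = Switch("LAB", "server", "corp", "s3cret", revision=1306)  # only VLAN 1
    trunk(lab, net["B"])
    advertise(lab)                 # trunk comes up, rev 1306 floods everywhere
    plug_in = {n: inactive_ports(s) for n, s in net.items()}
    net["B"].revision, net["B"].vlans = 3, {1, 10, 20, 30}   # restore from backup
    advertise(net["A"])            # ...and the next advert wipes it again
    restore = (net["B"].revision, sorted(net["B"].vlans))
    for v in (10, 20, 30):         # the fix: recreate the VLANs on a server
        add_vlan(net["A"], v)      # rev climbs to 1307, 1308, 1309
    fix = {n: inactive_ports(s) for n, s in net.items()}
    return {"plug_in": plug_in, "restore": restore, "fix": fix, "rev": net["A"].revision}

def domain_mismatch() -> bool:
    """Same lab switch, but in VTP domain 'lab': production is untouched."""
    net = build_production()
    lab = Switch("LAB", "server", "lab", "s3cret", revision=1306)
    trunk(lab, net["B"])
    advertise(lab)
    return all(s.revision == 3 and s.vlans == {1, 10, 20, 30} for s in net.values())

def transparent_passthrough() -> tuple:
    """Server - transparent - client: the middle keeps its VLANs, the client updates."""
    srv = Switch("S", "server", "corp", "s3cret")
    mid = Switch("T", "transparent", "corp", "s3cret", 0, {1, 99})
    cli = Switch("C", "client", "corp", "s3cret")
    trunk(srv, mid)
    trunk(mid, cli)
    add_vlan(srv, 50)
    return (sorted(mid.vlans), sorted(cli.vlans), add_vlan(cli, 60))
```

`lab_switch_incident()` returns the ports that go inactive on every production switch the moment the lab switch's trunk comes up, shows the restored switch B being overwritten again by the next advertisement, and ends with all ports active once the server's revision has climbed past 1306. The point the model makes, as on real switches, is that the revision number decides, not the content: an emptier database with a higher number is accepted without question, which is why the domain name and password check in `_receive` (see `domain_mismatch()`) and the mode choice (`transparent_passthrough()`) are the only guards in this picture.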


Jeremy Cioara

CBT Nuggets Trainer

Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.

© 2015 CBT Nuggets. All rights reserved.