Cisco CCNP SWITCH 642-813

VLANs: VLAN Trunking Protocol

by Jeremy Cioara

00:00:00 - The VLAN trunking protocol is said by some to be, quote, the
00:00:06 - best thing since sliced bread, end quote.
00:00:10 - Others claim that VTP, or the VLAN trunking protocol, is, quote,
00:00:16 - invented by terrorists to destroy networks around the world,
00:00:19 - end quote. So where are these two bipolar positions coming from
00:00:25 - on VTP? That's what we're going to talk about here. We'll look
00:00:29 - at VTP, the good, the bad and the ugly. Then we'll get in depth
00:00:34 - into what VTP is all about, the modes, what VLAN pruning is,
00:00:38 - how that comes into play, VTP consideration. We'll set up VTP
00:00:42 - between our switches. And then we'll wrap up this whole VLAN
00:00:45 - subseries by talking about common VLAN issues.
00:00:50 - Here's the scoop. The goal of the VLAN trunking protocol is very
00:00:54 - simple. It's to ease your daily administrative burdens of creating
00:01:00 - VLANs. Now, first thing I've got to say about VTP is it was misnamed.
00:01:05 - I can't stand the name VLAN trunking protocol. Because it's not
00:01:10 - a trunking protocol. What are the two protocols we have? ISL,
00:01:15 - 802.1Q. That's it. Period. And ISL is going away. So there really
00:01:20 - is only one trunking protocol we use today. VLAN trunking protocol
00:01:24 - is not a trunking protocol, but what it is is a VLAN replication
00:01:30 - protocol. That's what it should have been called, VRP. Maybe
00:01:33 - that was taken. The way it works is all of your switches, when
00:01:37 - you pull them out of the box and get them connected up, start
00:01:40 - with this very simple system of VTP revision numbers. And that
00:01:44 - is the double edged sword of VTP. Its simplicity is what can
00:01:49 - kill it. Let me give you a demonstration. When you pull your
00:01:52 - switches out of the box, they only have one VLAN, and that is
00:01:55 - VLAN 1. Everybody's at VTP REV 0. So you log into this switch
00:02:01 - up here. Let me get my pen going. You log into this switch up
00:02:05 - here and type in: I want to create VLAN 10.
00:02:10 - So you type in VLAN 10. Enter. All of a sudden your switch goes,
00:02:14 - okay, VLAN changed, clink, VTP REV 1. Let me send a VTP update.
00:02:19 - Goes down to this one. Says, oh, VTP REV 1, REV 1, REV 1. They
00:02:24 - all flip on over to VTP REV 1 and suddenly VLAN 10 magically
00:02:29 - appears on all these switches. We add VLAN 20 up here. Add VLAN
00:02:36 - 20. VTP REV 2, REV 2, REV 2. Goes down to all of these different
00:02:40 - switches and they get revision 2 and add VLAN 20 to their database.
00:02:46 - Now, that's the end result of what we see. We actually see that
00:02:51 - taking place on our switches, but what we don't see is the technical
00:02:56 - details of how that happens behind the scenes. The switches replicate
00:03:02 - their VLAN database to each other, and anytime somebody has a
00:03:05 - later revision number, they're like, oh, great, new database.
00:03:08 - Totally better than mine. I will flush my database, everything
00:03:13 - that I know about, and replace it with yours. So swoosh, those
00:03:16 - two VLANs show up. This database gets flushed and replaced with
00:03:19 - this one. So if I delete VLAN 10, deleted, VTP REV 3, REV 3,
00:03:24 - REV 3, everybody flushes their databases and replaces it with
00:03:28 - the latest and greatest one. So that's the basics of how VTP
00:03:32 - works. Now, let me show you by the way, let me stop right there
00:03:36 - and emphasize the good before I get to the bad. The good side
00:03:41 - of VTP is, think of your organization, or if you have a very
00:03:46 - small company, think of a big one. How many switches do you think
00:03:50 - exist in, say, an enterprise organization? A campus network?
00:03:54 - Maybe 20
00:03:57 - on the very low end. Maybe 50. Maybe 100 different switches in
00:04:01 - all these different locations around the campus. And that's just
00:04:04 - getting started. Now, if I were to have to add a VLAN to all
00:04:08 - 100 switches, without VTP, what that means is I'm going to every
00:04:13 - single switch, sure it's via telnet, but who wants to telnet
00:04:16 - to 100 switches and adding VLAN 100 or whatever it is to every
00:04:20 - single switch in my organization. It can be painful. So VTP eases
00:04:24 - that load for me by just creating it once and it replicates it
00:04:28 - everywhere. That's the good side. The bad side is this: Let's
00:04:34 - say you finish watching the BCMSN series here and you're thinking
00:04:40 - this is awesome; I want to I'm getting into this. I'm going to
00:04:44 - build my own home lab. So you go on eBay and you're searching
00:04:48 - around and you're thinking: You know what, I can see a switch
00:04:51 - here. It says Cisco 2900 XL switch, buy it now price for $20.
00:04:56 - You're like, wow, and you look at the description and it says
00:04:59 - reputable seller used for years in dotcom companies, their loss,
00:05:04 - your gain and you know the eBay lingo. You're like, great, buy
00:05:08 - it now and you make your PayPal payment and it doesn't take long
00:05:12 - and all of a sudden this little switch shows up in the mail.
00:05:15 - And I'm telling you, it's an exciting time. You unbox the switch
00:05:18 - and you get into the switch, and one of my favorite things to
00:05:22 - do when I get stuff off of eBay is to do password recovery, because
00:05:26 - most of the time the people that sell stuff on eBay they don't
00:05:29 - even know what it is. They just like, hey, this looks cool, let's
00:05:32 - sell it on eBay. You log into the switch. It's got a password.
00:05:36 - That immediately should tell you there's a config on this from
00:05:39 - a company. So you do a password recovery on the switch and you
00:05:42 - start looking at their old config.
00:05:45 - I've done this a few times. I'm telling you, if you haven't done
00:05:48 - it, it's great. So you're scanning the config, and you actually
00:05:51 - see how the company's set up and you're all excited. So, anyway,
00:05:55 - you've got this switch at home and you're practicing on some
00:05:59 - labs and maybe it's VTP REV 1302.
00:06:03 - That's just, it's been a dotcom company for years. That's what
00:06:07 - it's at. And before long you're sitting there at home and you're
00:06:10 - like, oh, I gotta go to work. Like, well, I don't really do much
00:06:15 - at work anyway. And you know maybe I could take some of the downtime
00:06:20 - at the office to study and go after my Cisco certification. I'm
00:06:24 - going to bring the switch to work. You're bringing it to work
00:06:26 - and playing with it and creating VLANs and messing with spanning
00:06:30 - tree and learning all kinds of stuff. This story is going somewhere,
00:06:33 - by the way. And all of a sudden you have this brilliant idea.
00:06:38 - You think, you know what, I can make a real network here in my
00:06:44 - cubicle. I can take my switch, plug in a couple of laptops here
00:06:49 - into my switch or my desktop and my laptop or whatever the case
00:06:53 - is, and I can just grab a crossover cable and plug it right there
00:06:56 - into the port in my wall and have a real working network. So
00:07:00 - you do, you plug in that crossover cable and like this is going
00:07:04 - to be great. And all of a sudden you see Bob down the hall kind
00:07:06 - of stick his head up above the cubicle and Bob is like, hey,
00:07:10 - Jim, you able to get on the Internet? And Jim's like no, no,
00:07:16 - I can't. My e-mail isn't even working. And as a side note, little
00:07:21 - side bar here, isn't it funny how in just about every business
00:07:25 - around the world, if the Internet goes down, immediately everybody
00:07:29 - knows and everybody panics. But like major servers, accounting
00:07:33 - databases, they can all go away and at least take them a little
00:07:36 - time to know. The moral of the story there, in the Cisco network
00:07:40 - you can hose up anything productive but just don't down the Internet
00:07:43 - access, and at least you've got some time before people start
00:07:46 - whining. So anyway, back to the story. Bob and Jim are above
00:07:50 - yeah, nothing's going on. Meanwhile, you're kind of unplugging
00:07:54 - your crossover cable and shoving everything in a file cabinet.
00:07:57 - Here's what happened. When you connected that crossover cable
00:08:01 - to the port in the wall, this switch, if it was able to negotiate
00:08:06 - a trunk with the other side, sent a VTP update and says, hey,
00:08:11 - everybody, I've got VTP REV 1302.
00:08:14 - And maybe on this switch you've got VLAN 100 and 200 that you've
00:08:18 - created. And this switch is sitting there and it goes: That's
00:08:22 - great. We're on VTP 3. It's like give me your database. So it
00:08:26 - takes that REV 1302, flushes its old database along with all
00:08:31 - its old VLANs. They all go away. All gone. And replace them with
00:08:37 - VLANs 100 and 200. It takes less than a second. It's very fast.
00:08:42 - And wham all the switches in the network lose their existing
00:08:46 - VLANs 10 and 20, and replace them with 100 and 200. Now, the
00:08:50 - problem is all of the ports in your company or this little scenario
00:08:54 - here were assigned to VLAN 10 and VLAN 20. And if a port is assigned
00:08:59 - to a VLAN, and that VLAN just disappears, the port is like, wow,
00:09:05 - where am I? I'm lost. I can't talk to anybody. It literally cannot
00:09:10 - talk to anything. The ports just disappear from the switch. If
00:09:15 - you do a show VLAN to see where the ports are assigned, you won't
00:09:17 - see anything. They're all just gone. All communication goes down.
00:09:21 - So less than a second, the entire network collapses. Now, the
00:09:26 - administrator over here, you know, is in a panic at this point.
00:09:30 - Cell phones ringing and nightmare's going on, and the administrator
00:09:34 - is like what's going on? And it takes a while to figure out,
00:09:37 - because nobody thinks all the VLANs disappear. Oh, by the way,
00:09:39 - as soon as that happened, all of the ports on all of the switches
00:09:43 - turn amber. That's your clue right there that this has happened.
00:09:48 - If a port isn't assigned to a VLAN and it just disappears, it
00:09:52 - goes amber. So if you're looking at a rack of switches and all
00:09:55 - of a sudden everything goes orange, panic. Because that just
00:09:59 - happened, all the VLANs disappeared. So the administrator figures
00:10:03 - out, it's like, oh, no. So he pulls the switch off and restores
00:10:07 - the config from back up and plugs the switch back in. But as
00:10:11 - soon as he does, what happens? Replication down, we are VTP REV
00:10:15 - 1302, you are VTP REV 2 or 3 and wham complete VTP flush again.
00:10:21 - The only way the administrator can fix the VTP database is manually
00:10:26 - recreate it on one of those switches and add all those VLANs
00:10:29 - back in. Now I've been referring just because I didn't have I
00:10:34 - don't want to draw up a huge pen dot scenario, I've been talking
00:10:37 - about two VLANs here. A company may have 10, 20, 30 different
00:10:41 - VLANs they have that's spread across the organization, so the
00:10:44 - administrator has to manually enter those back in and recreate
00:10:48 - them. By this point in time, in terms of downtime, you're typically
00:10:52 - talking about 30 minutes to maybe an hour of complete network
00:10:58 - outage. Now, you can see the double edged sword of VTP. Now,
00:11:04 - this scenario,
00:11:06 - if you know a little bit about VTP, is not as easy to stumble
00:11:11 - into as maybe I've shown it right here. For instance, the eBay
00:11:15 - switch isn't going to typically have the same VTP domain name
00:11:20 - as your organization. We'll see this in just a moment. All the
00:11:23 - switches in order for them to talk have to be assigned to the
00:11:26 - same VTP domain. Where this sort of scenario usually happens
00:11:31 - is a lab environment. A company has a lab environment that they
00:11:34 - have set up for testing and stuff like that. And the goal of
00:11:38 - a lab is to mirror the corporate network as close as possible
00:11:41 - to run some tests before you release things in production. And
00:11:44 - what would typically cause this is a simple problem in the network.
00:11:49 - Hey, we just got ten more employees. You got another switch.
00:11:52 - You look at the inventory, we're like we're out of switch, and
00:11:54 - somebody's like there's one in the lab, go grab the one in the
00:11:57 - lab. Oh, yeah, the one in the lab. And dadum. This scenario happens
00:12:02 - right here, because the lab switch had the existing previous
00:12:05 - configuration on there. So VTP can be your best friend if used
00:12:11 - wisely. Let's look at the details.
00:12:14 - The first thing to understand about VTP is the three different
00:12:18 - modes that it supports. Server, client and transparent.
00:12:23 - If you set up VTP servers which are the default, they have the
00:12:27 - power to change any of the VLAN information and replicate those
00:12:31 - changes to all the other switches in your domain. That's where
00:12:34 - the VTP REV number comes in handy because that helps all the
00:12:37 - switches discover who has the latest copy of the VLAN database
00:12:41 - since it is a multi server environment. The theory goes something
00:12:45 - like this. You should only have one server in your network and
00:12:50 - all the rest of the switches should be, wow, that's a non Cisco
00:12:54 - switch obviously, the rest of them should all be client mode
00:12:59 - switches. You can see that the clients cannot change VLAN information.
00:13:03 - They are locked. If you log into a client and type in I want
00:13:07 - to create VLAN 20, that means that well, I should say it's just
00:13:11 - going to reject you and say sorry this is in VTP client mode,
00:13:14 - you cannot make changes from here. Likewise, the VTP clients
00:13:19 - do not save the VLAN configuration. The servers save that config
00:13:24 - in a file in flash called VLAN.dat. Clients keep it in RAM.
00:13:28 - So every time they reboot they have no VLAN database file and
00:13:31 - they have to rely on the replication from the server to get the
00:13:36 - latest copy of the database. Now, the reason I said the theory
00:13:40 - goes something like this is because unfortunately
00:13:44 - most of the time it remains a theory. As in everybody starts
00:13:48 - off having a great config like this where you've got the one
00:13:51 - server and many clients in your network, but the problem is that
00:13:55 - IT people are lazy. I'll be the first to throw myself under the
00:13:59 - bus with that group. You telnet into a switch. Somebody just
00:14:03 - said hey I need a new VLAN, you go into the switch you type in
00:14:06 - VLAN 100. It says oh, sorry this switch is client mode. You can't
00:14:10 - make that change here. What do you do? You changed over the client
00:14:15 - to the server mode because you're lazy and you don't remember
00:14:19 - where the server is in the network and eventually go back to
00:14:22 - a multi master server model anyway. So the client mode is supposed
00:14:27 - to be good as long as it's backed up by specific company policy
00:14:31 - saying you don't make changes from clients and you don't change
00:14:35 - clients back into servers. The VTP transparent mode you see at
00:14:39 - the bottom there is if you don't want
00:14:43 - to use VTP. That's one of those ones you've been burned. You
00:14:46 - don't want to use VTP ever again. Change all your switches to
00:14:49 - transparent mode. They become essentially rebel switches at that
00:14:53 - point to where if they receive updates from VTP they will say
00:14:57 - I am not going to listen to this. Now, they'll pass it through.
00:15:01 - You can see that second bullet there. It says it passes through
00:15:04 - the VTP updates in VTP version 2 which all Cisco switches support.
00:15:08 - So if you had a situation like
00:15:11 - let's say this is a transparent mode switch and then you had
00:15:14 - another client down here, it could pass the updates through to
00:15:17 - the client, but it won't listen to the updates themselves. You
00:15:21 - can create and delete VLANs and it saves those configurations
00:15:24 - in the VLAN database file in flash, but those VLANs are never
00:15:29 - sent to anybody else. So every switch becomes its own independent
00:15:33 - authority once you move over to transparent
00:15:37 - mode. VTP also has a bonus feature called
00:15:42 - VTP pruning. What this feature does is it allows the switches
00:15:46 - to do some of the work for you in a trimming down where broadcast
00:15:50 - traffic goes. In this example you can see we have three switches
00:15:54 - connected to that middle magic port, which is able to handle
00:15:58 - two switch connections per port, and the top two switches are
00:16:02 - the only ones that have devices in the green VLAN. The bottom
00:16:06 - switch does not. Now, just with the definition of a trunk, the
00:16:10 - trunk passes all VLAN traffic. So if somebody sends a broadcast
00:16:14 - on the green VLAN, the bottom switch gets it even though it doesn't
00:16:17 - have any clients in the green VLAN. VTP pruning uses the VTP
00:16:23 - technology to allow the switches to notify each other if they
00:16:28 - do not have any ports in a specific VLAN. Now, we saw early on,
00:16:33 - I believe in the previous Nugget, when we talked about trunking
00:16:36 - one of the things I mentioned was that you can manually go in
00:16:39 - there and type in these are the allowed VLANs on the ports, whereas
00:16:43 - VTP pruning is an automatic way to do that for you. Now, you
00:16:48 - know my thoughts on things being auto. But at the same time I
00:16:52 - have never run into a problem with VTP pruning other than the
00:16:56 - fact that it has to be run on VTP capable devices. Meaning if
00:17:01 - you go VTP transparent mode you obviously can't use that. Likewise,
00:17:06 - here's another thought for you, VTP pruning only works on VTP
00:17:12 - servers. So your client switches, if you have clients daisy-chained
00:17:17 - from other clients, they will not be able to do VTP pruning,
00:17:21 - which is another, I guess, you could say incentive to keep all
00:17:25 - your switches VTP servers, which is a bad practice in the first
00:17:29 - place. So follow my logic on that. That's how VTP pruning works.
00:17:35 - I will say most people don't use
00:17:39 - it. So VTP pruning is something that's off by default. You just
00:17:43 - go in and turn it on and it does its
00:17:46 - magic. Last thing I want to mention on VTP pruning, this feature
00:17:50 - prunes the broadcast traffic from reaching the other switches.
00:17:53 - It does not prune out the actual VLANs. For example, I have the
00:17:58 - green, red and blue VLANs here. The green VLAN will still be
00:18:02 - available on the bottom switch down there. It's not like it just
00:18:05 - magically disappears from the switch and only appears when you
00:18:08 - add ports. You'll see it down there, because the replication
00:18:11 - feature is still working. Pruning just eliminates the broadcast
00:18:15 - traffic from reaching that switch since there are no assigned
00:18:17 - ports. Now let's get into the configuration of VTP. I'm going
00:18:22 - to show you a catch that happens on Cisco switches that might
00:18:26 - throw you off with some new switches you get into your organization.
00:18:30 - Step one in configuration is verifying the current VTP status
00:18:35 - on every switch. I can't emphasize how important it is to do
00:18:39 - this, even if you think the switch has no configuration, because
00:18:44 - if you forget to verify the VTP status, it may just be that eBay
00:18:48 - switch that wipes out your network. So let me bring up the console
00:18:53 - connection. Before I do you can see the live topology I have
00:18:57 - going at the bottom there. Switch A connected to B and C. So
00:19:01 - we are on switch A right now, and the key command to verify VTP
00:19:04 - is not a show run, because most VLAN information is not going
00:19:08 - to show up in the show run. It's all stored in flash in this
00:19:12 - file called VLAN.dat which is not there yet because I haven't
00:19:15 - configured this. So I'm going to type in show VTP status.
00:19:21 - That's your number one command for verifying
00:19:25 - VTP. So right up front you can see VTP version is currently 2.
00:19:29 - However, version 2 mode is disabled. It runs version 1 until
00:19:33 - you turn on VTP version 2. That's just the maximum the switch
00:19:36 - can support. This is the key line you're looking for.
00:19:41 - Configuration revision is 0. That means this switch has not received
00:19:47 - any VTP updates and has no VLANs or currently is not running
00:19:52 - a VLAN database that can replicate to other people. As you make
00:19:58 - changes, that's the revision number that keeps going up. Below
00:20:02 - that you see the operating mode right there, which is the server
00:20:06 - mode. That's the default mode every switch is in. And then you
00:20:09 - see the domain name. I want to focus on this. The domain name
00:20:14 - by default is blank. Cisco considers that null. It's at this
00:20:19 - point that the switch will be in its most susceptible state.
00:20:24 - Meaning if I plug it into a network that is running VTP and a
00:20:28 - trunk port is negotiated with me, VTP runs on top of the trunks,
00:20:33 - it will take whatever VTP domain name and password the organization
00:20:38 - has. So what this means is if I plug this switch in, I don't
00:20:43 - even need the VTP domain name or the password. I'm going to get
00:20:49 - all of the VTP updates sent down to me. Tell me that's not crazy.
00:20:53 - Because here's my fear. You forget to hard code a cubicle port
00:21:01 - as an access port. You leave it on the dynamic desirable mode.
00:21:05 - Well, when somebody plugs that in, their switch will negotiate
00:21:08 - a trunk port with your switch and if their VTP domain name is
00:21:12 - set to null or blank, as you can see on the screen right now,
00:21:15 - that means whatever VTP advertisement they receive it will automatically
00:21:20 - configure itself to. So can you imagine all that security you
00:21:24 - thought you had by assigning a VTP domain name and password that
00:21:27 - nobody knew, it's gone because it's sent in clear text over the
00:21:31 - trunk link. Moral of the story, it is so important that you hard
00:21:36 - code every port going into a cubicle as an access port. Do not
00:21:41 - let it negotiate trunks, because if it does, you're doomed. In
00:21:45 - a way. So what I'm going to do I just want to show you how this
00:21:50 - works. I'm going to telnet on over to switch B to show VTP status
00:21:55 - over there.
00:21:57 - You can see server everything is blanked out as well. I'll go
00:22:01 - to switch C and do a show VTP status.
00:22:06 - Blank. Everything is blank. So our organization currently has
00:22:09 - nothing. So step one is going to be configuring the VTP domain
00:22:13 - name. Go into global config mode and type VTP domain and follow
00:22:18 - that up with the name of the domain. We'll call it CBTNugget.
00:22:25 - Enter. You can see right away it says changing from null or blank
00:22:29 - to CBTNugget. I exit back out, do a show VTP status.
00:22:35 - And sure enough CBTNugget it is. Now I'll hop over to switch B, show
00:22:40 - VTP status over there. Look at that. See what I mean? Immediately,
00:22:45 - poof, since it was null it became the first name that came to
00:22:50 - it. I'm going to jump on over to switch C. Just do that show
00:22:54 - VTP stat. Up arrow. And sure enough it is CBTNugget as well.
00:22:59 - When it is null, it is susceptible. It will become whatever the
00:23:03 - first name is that you advertise. So with that in place, well,
00:23:09 - I guess we don't have too much excitement going on, because I
00:23:12 - have not created any VLANs on here and that is why on my server,
00:23:15 - when I do a show VTP status, my config REV is currently 0. So
00:23:20 - if I go into global config mode and type in VLAN 10, we'll say
00:23:24 - name Sales, VLAN 20, name Accounting,
00:23:33 - VLAN 30, name Isabella. That's the name of my first little daughter.
00:23:39 - And I'll exit out and do a show VTP stat.
00:23:43 - You can see the config REV has moved up to 3 to show a VLAN,
00:23:47 - and there's my three VLANs. Theoretically,
00:23:51 - well, it should be working. If I jump on over to switch B and
00:23:55 - do a show VLAN, poof, the same VLANs pop up. Do a show VTP status,
00:23:59 - you can see the config REV is 3. I know I'm zooming through this.
00:24:03 - Hopefully the video is keeping up. If not, it's the beauty of
00:24:06 - video: Rewind. So the VLANs are replicating over to switch B
00:24:12 - and switch C. You can see the config REV as 3. Show VLAN. And
00:24:21 - there's my VLANs that are showing up. So VTP is working. It is
00:24:26 - operational. Now, a few
00:24:30 - other things. I'm trying to think that's it. That's wait thank
00:24:35 - you. I put a list over here for myself. Configure the domain
00:24:38 - name and password. The password is configured just by going into
00:24:43 - global config mode and typing VTP password. You can see it right
00:24:46 - there. And voila. By the way, also while we're here that's how
00:24:50 - you turn on VTP pruning. VTP version or VTP mode will set,
00:24:58 - whoops, what mode it runs in. You can see the transparent, server
00:25:02 - and client VTP version is version one or two. The difference
00:25:05 - between version one and two that would be a good thing to know.
00:25:08 - VTP version two adds support for token ring. Whoohoo, just in
00:25:13 - time, right, but it also gives transparent switches the capability
00:25:18 - to forward VTP information through them. If you're running VTP
00:25:22 - version 1, which all switches are running by default, even though
00:25:25 - it says VTP version 2, you can see version 2 mode is disabled.
00:25:30 - If you're running version 1, the transparent mode switches will
00:25:34 - stop VTP broadcast. They absorb them rather than pass them on.
00:25:39 - So let's see. Where am
00:25:42 - I? VTP domain password. VTP mode, we've seen configuring the
00:25:47 - servers, or
00:25:50 - all of them are servers by default. So let me hop back over here.
00:25:55 - I'm going to set these guys up as VTP mode client. You can see
00:25:59 - when I do a show VTP status,
00:26:02 - it is now in client mode. And what that means is this can no
00:26:07 - longer create or delete VLANs from the domain. I'll just type
00:26:11 - in VLAN 40 to create a new one. It will tell me VLAN not allowed
00:26:16 - while the device is in client mode. This is where I was mentioning,
00:26:18 - this is where self discipline comes in, because you want to make
00:26:21 - sure you don't just change it back over to a server and make
00:26:25 - the change because that kind of defeats the purposes of clients.
00:26:29 - VTP version number, I already showed you that. So, hmm,
00:26:35 - just trying to think if there's anything else. VTP just it's
00:26:38 - all about the concepts. Like most things in Cisco, not too much
00:26:42 - to the configuration. Last thing I'll do is hop on over to the
00:26:47 - VTP switch C, change that
00:26:51 - over to VTP mode client. Now, let me show you
00:26:56 - some gotchas. I'm going to type in on switch A show flash. And
00:27:03 - you can see I showed you this right before we got started, there
00:27:06 - was no VLAN.dat file. Now there's a VLAN.dat. All of your VTP
00:27:11 - stuff and VLAN stuff, I'll do a show run include VLAN, you can
00:27:15 - see that there is nothing in the running config about VLANs.
00:27:19 - All of that stuff is stored in that VLAN database file. One of
00:27:24 - the tips that I'll give you now, this is not certification world.
00:27:28 - This is just real world stuff I've run into, one of the tips
00:27:32 - that I will give you is if you're working on a used switch, meaning
00:27:36 - one that's maybe been in production for a while, and you reconfigure
00:27:40 - it to be in a new VTP domain name or joining a new domain of
00:27:43 - switches or something to that effect, I have had it happen where
00:27:48 - I have the domain name, the password, everything exactly correct,
00:27:52 - and, by the way, I should mention as I'm talking, this domain
00:27:56 - name is case sensitive. So it's lower case, upper case does matter.
00:28:00 - I've had everything correct and mode is correct and trunk links
00:28:03 - are operational and it does not replicate. I have found that
00:28:08 - sometimes the VLAN database file cannot handle changes from one
00:28:14 - domain to another. Like if you do a write erase, and this is
00:28:18 - a good rule of thumb, I think of all these things as I go here,
00:28:21 - if you do a write erase to erase the switch, it does not erase
00:28:25 - the VLAN.dat file. So it will maintain its VLANs and it will
00:28:29 - maintain all its VTP stuff. I've found a lot of times if you
00:28:32 - do a write erase and forget to delete the VLAN database file,
00:28:36 - the next time you try to set it up for VTP, it gets corrupted.
00:28:40 - My point in saying all of this, is that if you're having trouble
00:28:45 - with VTP and you know everything is right, you know you've got
00:28:49 - everything set up correctly,
00:28:52 - try this: Delete the VLAN database file. Do a delete flash:vlan.dat.
00:28:59 - It will ask you to confirm, run through a couple times, enter,
00:29:02 - enter and confirm it. You'll have to reboot the switch to clear
00:29:06 - everything out because it's still in RAM. But a lot of times
00:29:10 - I find if you have a used switch and you're moving it between
00:29:12 - VTP domains, that VLAN database file can't handle it and it kind
00:29:16 - of gets corrupted in the sense that it won't work any more for
00:29:21 - the new VTP domain. You've just got to delete it and start over.
00:29:26 - Now that I think about it I just jumped a little ahead of myself.
00:29:29 - I was going to save that for this common VLAN problems slide.
00:29:34 - One of the problems that you might have, and that's down at the
00:29:37 - very bottom, is that VLAN database file gets corrupt. So just
00:29:40 - type in that delete flash:vlan.dat,
00:29:44 - reboot the switch and that will solve a lot of the VLAN problems.
00:29:47 - I've had that happen a dozen times or so and I've gotten used
00:29:52 - to deleting the VLAN database file on older switches. Let me
00:29:56 - hit the rest of the common VLAN problems you run into as we wrap
00:30:00 - up this VLAN subsection here. First off, number one problem I've
00:30:04 - seen is the native VLAN mismatch. You keep getting all these
00:30:07 - messages across your console: Native VLAN mismatch. We already
00:30:10 - talked about the native VLAN, but a mismatch happens when it's
00:30:13 - assigned differently on both sides of the connection. You want
00:30:16 - to hard code it, so it's the same. Otherwise you end up with
00:30:20 - VLAN information bleeding amongst each other. Meaning if one
00:30:24 - side is VLAN 1 and the other side is VLAN 10, you've essentially
00:30:28 - linked those two VLANs through the native VLAN mismatch. That's
00:30:33 - why it's not a message to ignore. I've been into many networks
00:30:37 - where I log in, you've got a native VLAN mismatch. Oh, I've seen
00:30:41 - that message forever. And I don't know how to fix it. I go you
00:30:44 - want to fix that, because you've essentially bridged VLAN 1 and
00:30:48 - VLAN 10 when you do that since the broadcast for VLAN 10 ends
00:30:52 - up going across into VLAN 1.
00:30:55 - So make sure those are matched. Second, trunk auto negotiation.
00:30:59 - My message: don't use the auto negotiation.
00:31:03 - The number one problem is auto to auto does not become a trunk.
00:31:07 - And that is by design. The auto mode does not send out VTP, sorry,
00:31:15 - DTP messages that try to negotiate a trunk with the other side.
00:31:20 - So both of them are just sitting there idle saying, okay, is
00:31:23 - somebody going to do something? But nobody does anything. So
00:31:26 - if possible avoid DTP and set all your trunks to nonegotiate.
00:31:31 - That's the best way to hard code everything. The last thing is
00:31:35 - what we just talked about, VTP updates not applying. Number one
00:31:38 - step is to go through and make sure everything matches. Check
00:31:42 - your domain. Check your password. Check your version on all your
00:31:45 - switches. Are they all running version 1 or 2? You can't have
00:31:48 - a mix. Verify your trunk links. A lot of people overlook that.
00:31:52 - VTP is called the VLAN trunking protocol. It's not a trunking
00:31:56 - protocol. I already mentioned that. But it does only work over
00:32:00 - trunk links. Make sure you have trunk links between your switches.
00:32:03 - And the last one I already talked about to delete that file and
00:32:07 - reboot as a last resort.
00:32:10 - A lot of stuff on VTP. The good, the bad and the ugly. What do
00:32:14 - you think? I'm curious. I'm really curious. I wish I could take
00:32:17 - a poll. How many of you will use VTP, or are using VTP in your
00:32:23 - organization? And after seeing the ugly, if you will, of VTP,
00:32:27 - how many of you still want to use it? I will say I still use
00:32:32 - it. Just to give you a personal experience, I have had it wipe
00:32:37 - out a network, but I'm telling you for me the advantages outweigh
00:32:42 - the disadvantages. But that's not an opinion for everybody. VTP
00:32:46 - modes, we talked about. Server, client, transparent. Transparent
00:32:49 - being disabling VTP. Pruning being the feature you can turn on
00:32:53 - from global config mode, just one command line. VTP pruning,
00:32:57 - enable, and that will turn on pruning for the switches. They
00:33:01 - have to be the server mode VTP switches to enable the pruning.
00:33:05 - We walked through the VLAN configuration step by step and finally
00:33:09 - looked at troubleshooting common VLAN issues as we wrap up this
00:33:13 - VLAN subsection of the BCMSN series. I hope this has been informative
00:33:17 - for you and I'd like to thank you for viewing.
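As an added example, not part of the video and not Cisco's own tooling, here is a small Python audit of one switch-to-switch link against the three problems the transcript lists: native VLAN mismatch, DTP auto/auto never forming a trunk, and VTP domain, password and version mismatches. The dictionary keys and mode names are a hypothetical representation of what an operator would read from `show interfaces trunk` and `show vtp status`; the sample values are constructed.

```python
"""Audit one trunk link for the common VLAN/VTP problems discussed above.
Added example: the dict keys (dtp, native_vlan, vtp_*) are hypothetical,
not IOS output; the sample switches below are constructed."""

# Sides that are hard-coded as trunks and do not depend on DTP answers.
_HARD = {"on", "nonegotiate"}


def trunk_forms(mode_a: str, mode_b: str) -> bool:
    """True if the two DTP modes yield a trunk.
    'auto' only answers DTP, it never asks, so auto/auto stays access.
    'nonegotiate' sends no DTP, so a peer in auto/desirable never hears
    the request it is waiting for and stays access too."""
    if "access" in (mode_a, mode_b):
        return False
    if mode_a in _HARD and mode_b in _HARD:
        return True
    if "nonegotiate" in (mode_a, mode_b):
        return False
    return "on" in (mode_a, mode_b) or "desirable" in (mode_a, mode_b)


def audit_link(a: dict, b: dict) -> list:
    """Return a list of human-readable findings for the link a<->b."""
    issues = []
    if not trunk_forms(a["dtp"], b["dtp"]):
        issues.append(f"no trunk: {a['dtp']}/{b['dtp']} never negotiates; "
                      "VTP only replicates over trunk links")
    if a["native_vlan"] != b["native_vlan"]:
        issues.append(f"native VLAN mismatch: untagged frames bridge VLAN "
                      f"{a['native_vlan']} and VLAN {b['native_vlan']}")
    for key in ("vtp_domain", "vtp_password", "vtp_version"):
        if a[key] != b[key]:
            issues.append(f"{key} mismatch: {a[key]!r} vs {b[key]!r}; "
                          "VTP updates will not apply")
    return issues


# Constructed sample: a hard-coded core switch facing a used edge switch
# that still carries the settings of its previous VTP domain.
CORE = {"dtp": "nonegotiate", "native_vlan": 99,
        "vtp_domain": "CORP", "vtp_password": "s3cret", "vtp_version": 2}
EDGE = {"dtp": "auto", "native_vlan": 1,
        "vtp_domain": "OLDLAB", "vtp_password": "s3cret", "vtp_version": 2}

if __name__ == "__main__":
    for finding in audit_link(CORE, EDGE):
        print("-", finding)
```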
Jeremy Cioara

CBT Nuggets Trainer

Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.

© 2015 CBT Nuggets. All rights reserved.