VLAN Trunking Protocol (VTP)
VLAN configuration and trunking on a switch or a small group of switches is fairly intuitive. Campus network environments, however, usually consist of many interconnected switches. Configuring and managing a large number of switches, VLANs, and VLAN trunks can quickly get out of control.
Cisco has developed a method to manage VLANs across the campus network. The VLAN Trunking Protocol (VTP) uses Layer 2 trunk frames to communicate VLAN information among a group of switches. VTP manages the addition, deletion, and renaming of VLANs across the network from a central point of control. Any switch participating in a VTP exchange is aware of, and can use, any VLAN that VTP manages.
VTP Domains
VTP is organized into management domains, or areas with common VLAN requirements. A switch can belong to only one VTP domain, sharing VLAN information with other switches in the domain. Switches in different VTP domains, however, do not share VTP information.
Switches in a VTP domain advertise several attributes to their domain neighbors. Each advertisement contains information about the VTP management domain, the VTP revision number, known VLANs, and specific VLAN parameters. When a VLAN is added to a switch in a management domain, other switches are notified of the new VLAN through VTP advertisements. In this way, all switches in a domain can prepare to receive traffic on their trunk ports using the new VLAN.
VTP Modes
To participate in a VTP management domain, each switch must be configured to operate in one of several modes. The VTP mode determines how the switch processes and advertises VTP information. You can use the following modes:
■ Server mode: VTP servers have full control over VLAN creation and modification for their domains. All VTP information is advertised to other switches in the domain, while all received VTP information is synchronized with the other switches. By default, a switch is in VTP server mode. Note that each VTP domain must have at least one server so that VLANs can be created, modified, or deleted, and VLAN information can be propagated.
■ Client mode: VTP clients do not allow the administrator to create, change, or delete any VLANs. Instead, they listen to VTP advertisements from other switches and modify their VLAN configurations accordingly. In effect, this is a passive listening mode. Received VTP information is forwarded out trunk links to neighboring switches in the domain, so the switch also acts as a VTP relay.
■ Transparent mode: VTP transparent switches do not participate in VTP. While in transparent mode, a switch does not advertise its own VLAN configuration, and it does not synchronize its VLAN database with received advertisements. In VTP version 1, a transparent mode switch does not even relay VTP information it receives to other switches unless its VTP domain name and VTP version number match those of the other switches. In VTP version 2, transparent switches do forward received VTP advertisements out of their trunk ports, acting as VTP relays, regardless of the VTP domain name setting.
■ Off mode: Like transparent mode, switches in VTP off mode do not participate in VTP; however, VTP advertisements are not relayed at all. You can use VTP off mode to disable all VTP activity on or through a switch.
Tip: While a switch is in VTP transparent mode, it can create and delete VLANs that are local only to itself. These VLAN changes, however, are not propagated to any other switch.
VTP Advertisements
VTP has evolved over time to include three different versions. Cisco switches can support all three versions, but the versions are not fully backward compatible with each other. If a network contains switches that are running different VTP versions, you should consider how the switches will interact with their VTP information. By default, Cisco switches use VTP Version 1.
Each Cisco switch participating in VTP advertises VLANs, revision numbers, and VLAN parameters on its trunk ports to notify other switches in the management domain. VTP Versions 1 and 2 support VLAN numbers 1 to 1005, whereas only VTP Version 3 supports the full extended VLAN range 1 to 4094.
VTP advertisements are sent as multicast frames, addressed to the destination MAC address 01-00-0C-CC-CC-CC (the same address CDP uses) with a SNAP header carrying the Cisco protocol type 0x2003. A switch intercepts frames sent to the VTP multicast address and processes them locally. The advertisements can also be relayed or forwarded out trunk links toward neighboring switches in all VTP modes except off mode (and, in version 1, only by transparent switches whose domain name and version match). Because all switches in a management domain learn of new VLAN configuration changes, a VLAN needs to be created and configured on only one VTP server switch in the domain.
By default, management domains are set to use nonsecure advertisements without a password. You can add a password to set the domain to secure mode. The password itself is not sent in the advertisements; it is one of the inputs to the MD5 digest that each summary advertisement carries, so a switch configured with a different password computes a different digest and discards the advertisement. The same password must therefore be configured on every switch in the domain. Because it is a single shared secret known to every switch, the password protects against accidental merges and misconfigured switches rather than against an attacker who has obtained it or who controls a switch that already holds it.
VTP switches use an index called the VTP configuration revision number to keep track of the most recent information. Every switch in a VTP domain stores the configuration revision number that it last heard from a VTP advertisement. The VTP advertisement process always starts with configuration revision number 0.
When subsequent changes are made on a VTP server, the revision number is incremented before the advertisements are sent. When listening switches (configured as members of the same VTP domain as the advertising switch) receive an advertisement with a greater revision number than is stored locally, they assume that the advertisement contains new and updated information. The advertisement is stored and overwrites any previously stored VLAN information.
VTP advertisements usually originate from server mode switches as VLAN configuration changes occur and are announced. Advertisements can also originate as requests from client mode switches that want to learn about the VTP database as they boot.
VTP advertisements can occur in three forms:
■ Summary advertisements: VTP domain servers send summary advertisements every 300 seconds and every time a VLAN database change occurs. The summary advertisement lists information about the management domain, including VTP version, domain name, configuration revision number, time stamp, MD5 digest, and the number of subset advertisements to follow. For VLAN configuration changes, summary advertisements are followed by one or more subset advertisements with more specific VLAN configuration data.
■ Subset advertisements: VTP domain servers send subset advertisements after a VLAN configuration change occurs. These advertisements list the specific changes that have been performed, such as creating or deleting a VLAN, suspending or activating a VLAN, changing the name of a VLAN, and changing a VLAN's maximum transmission unit (MTU). Subset advertisements can list the following VLAN parameters: status of the VLAN, VLAN type (such as Ethernet or Token Ring), MTU, length of the VLAN name, VLAN number, security association identifier (SAID) value, and VLAN name. VLANs are listed individually in sequential subset advertisements.
■ Advertisement requests from clients: A VTP client can request any VLAN information it lacks. For example, a client switch might have been reset and had its VLAN database cleared, its VTP domain membership might have been changed, or it might hear a VTP summary advertisement with a higher revision number than it currently has. After a client advertisement request, the VTP domain servers respond with summary and subset advertisements to bring it up to date.
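As an added example (not code from the original page or from Cisco), the following Python decodes the three advertisement forms from raw frames and flags a summary whose revision number would overwrite the domain's database. The frames it builds are constructed for the example, not captured; the field layout follows the summary, subset and request formats described above; the domain name, revision numbers, MAC and IP addresses are made up; and the revision-jump heuristic in check_advertisement is this example's own, not part of VTP.

```python
"""Decode VTP advertisements (summary, subset, request) from raw Ethernet
frames and flag summaries that would trigger a synchronization problem.
Added example, not Cisco code: every frame here is constructed, not captured."""
import struct

VTP_MAC = bytes.fromhex("01000ccccccc")            # VTP multicast destination (shared with CDP)
SNAP_HDR = bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + bytes.fromhex("2003")  # LLC/SNAP, Cisco OUI, VTP type
CODES = {1: "summary", 2: "subset", 3: "request"}
VLAN_TYPES = {1: "ethernet", 2: "fddi", 3: "trcrf", 4: "fddinet", 5: "trbrf"}

def _domain(name):
    """Length byte followed by the domain name zero-padded to 32 bytes."""
    raw = name.encode()
    return bytes([len(raw)]) + raw.ljust(32, b"\x00")

def _frame(body, src=bytes.fromhex("0011223344aa")):   # source MAC is an assumption
    """Wrap a VTP body in an 802.3 frame with an LLC/SNAP header."""
    llc = SNAP_HDR + body
    return VTP_MAC + src + struct.pack("!H", len(llc)) + llc

def build_summary(domain, revision, followers=1, updater="10.1.1.1",
                  timestamp="000000000000", digest=bytes(16), version=2):
    body = bytes([version, 1, followers]) + _domain(domain)
    body += struct.pack("!I", revision)
    body += bytes(int(o) for o in updater.split("."))   # updater identity (IPv4)
    body += timestamp.encode().ljust(12, b"0")[:12]       # update timestamp, 12 ASCII bytes
    return _frame(body + digest)                          # 16-byte MD5 digest (zeros here)

def build_subset(domain, revision, vlans, seq=1, version=2):
    body = bytes([version, 2, seq]) + _domain(domain) + struct.pack("!I", revision)
    for vid, name in vlans:
        raw = name.encode()
        padded = raw.ljust((len(raw) + 3) // 4 * 4, b"\x00")   # name padded to a multiple of 4
        # status 0 (operational), type 1 (Ethernet), name length, VLAN id, MTU, 802.10 SAID
        fields = struct.pack("!BBBHHI", 0, 1, len(raw), vid, 1500, 100000 + vid)
        body += bytes([1 + len(fields) + len(padded)]) + fields + padded   # entry length first
    return _frame(body)

def build_request(domain, start=0, version=2):
    return _frame(bytes([version, 3, 0]) + _domain(domain) + struct.pack("!H", start))

def parse_frame(frame):
    """Strip the Ethernet/LLC/SNAP encapsulation and decode the VTP body."""
    if frame[:6] != VTP_MAC:
        raise ValueError("not addressed to the VTP multicast MAC")
    length = struct.unpack("!H", frame[12:14])[0]
    llc = frame[14:14 + length]
    if llc[:8] != SNAP_HDR:
        raise ValueError("not a Cisco SNAP/VTP (0x2003) payload")
    return parse_vtp(llc[8:])

def parse_vtp(p):
    version, code, third, dlen = p[0], p[1], p[2], p[3]
    adv = {"version": version, "type": CODES.get(code, "unknown"), "domain": p[4:4 + dlen].decode()}
    if code == 1:                                         # summary
        adv["followers"] = third
        adv["revision"] = struct.unpack("!I", p[36:40])[0]
        adv["updater"] = ".".join(str(b) for b in p[40:44])
        adv["timestamp"] = p[44:56].decode()
        adv["digest"] = p[56:72].hex()
    elif code == 2:                                       # subset: one entry per VLAN
        adv["sequence"] = third
        adv["revision"] = struct.unpack("!I", p[36:40])[0]
        adv["vlans"], off = [], 40
        while off < len(p):
            elen, status, vtype, nlen, vid, mtu, said = struct.unpack("!BBBBHHI", p[off:off + 12])
            adv["vlans"].append({"id": vid, "name": p[off + 12:off + 12 + nlen].decode(),
                                 "type": VLAN_TYPES.get(vtype, vtype), "mtu": mtu,
                                 "said": said, "suspended": status == 1})
            off += elen
    elif code == 3:                                       # request: first VLAN wanted
        adv["start"] = struct.unpack("!H", p[36:38])[0]
    return adv

def check_advertisement(adv, expected_domain, known_revision):
    """Findings for a decoded advertisement seen on a trunk (example heuristic)."""
    findings = []
    if adv["domain"] != expected_domain:
        return [f"domain mismatch: {adv['domain']!r} (ignored by switches, but who is sending it?)"]
    if adv["type"] == "summary" and adv["revision"] > known_revision:
        findings.append(f"revision {adv['revision']} > known {known_revision}: VLAN database will be overwritten")
        if adv["revision"] > known_revision + 1:
            findings.append("revision jumped by more than one: stale or rogue database")
    return findings

if __name__ == "__main__":
    frames = [build_summary("CAMPUS", 41), build_subset("CAMPUS", 41, [(10, "USERS"), (20, "VOICE")]),
              build_summary("CAMPUS", 97, updater="10.1.1.250"), build_request("CAMPUS")]
    for f in frames:
        adv = parse_frame(f)
        print(adv["type"], adv.get("revision"), check_advertisement(adv, "CAMPUS", 41))
```

The third constructed frame is the interesting one: a summary with revision 97 arriving in a domain that is at 41 is exactly what a recycled switch announces, and it is the summary, not the subsets, that makes the receivers decide to overwrite their database.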
Catalyst switches in server mode store VTP information separately from the switch configuration held in NVRAM. VLAN and VTP data are saved in the vlan.dat file on the switch's flash memory file system. All VTP information, including the VTP configuration revision number, is retained even when the switch power is off. In this manner, a switch can recover the last known VLAN configuration from its VTP database after it reboots. The same separation means that erasing the startup configuration does not touch the VLAN database or the revision number; vlan.dat has to be dealt with on its own.
VTP Synchronization
Whenever a switch receives a VTP advertisement with a configuration revision number that is greater than the value stored locally, it considers the advertisement to contain newer information. The switch overwrites its own VLAN data with the newer version, even if that version is an empty or stale database; the revision number alone decides which database wins. Because of this, it is very important to always force any newly added network switch to have revision number 0 before it is attached to the network. Otherwise, the switch might have stored a revision number that is greater than the value currently in use in the domain.
The VTP revision number lives in vlan.dat in flash and is not altered by a power cycle of the switch, nor by erasing the startup configuration; therefore, the revision number can be initialized to 0 only by using one of the following methods:
■ Change the switch's VTP mode to transparent and then change the mode back to server (or client).
■ Change the switch's VTP domain to a bogus name (a nonexistent VTP domain), and then change the VTP domain back to the original name.
■ Delete the vlan.dat file from flash and reload the switch, which discards the whole local VLAN database.
Whichever method you use, confirm with show vtp status that the configuration revision reads 0 before the first trunk link to the production network comes up.
If the VTP revision number is not reset to 0, the switch might enter the network as a VTP server and have a preexisting revision number (from a previous life) that is higher than in previous legitimate advertisements. The new switch's VTP information would be seen as more recent, so all other switches in the VTP domain would gladly accept its database of VLANs and overwrite their good VLAN database entries with null or deleted VLAN status information. Joining as a VTP client offers no protection: clients also advertise their database, and a client's higher revision number is accepted just as readily as a server's.
In other words, a new switch might inadvertently cause every other working switch to flush all records of every VLAN in production. The VLANs would be deleted from the VTP database and from the switches, and any access port still assigned to a deleted VLAN stops forwarding (the port shows as inactive rather than being moved to VLAN 1), so every host on those ports loses connectivity. This is referred to as a VTP synchronization problem. For critical portions of your network, you should consider using VTP transparent or off mode to prevent the synchronization problem from ever becoming an issue; a domain password raises the bar against stray switches but not against one that was configured with the same password before it was recycled.
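The modes described under VTP Modes and the synchronization failure described in this section, as an added Python model (not Cisco code and not the page's own): advertisements are flooded across a constructed trunk topology, each switch applies the acceptance and relay rules for its mode, and a recycled switch with a high revision number is attached with and without resetting it. The digest() method is a stand-in for Cisco's real MD5 computation; the switch names, VLANs, revision numbers and password are assumptions made for the example.

```python
"""Toy model of VTP modes and the revision-number synchronization problem.
Added example, not Cisco code: advertisements are flooded over a made-up
trunk topology, and digest() is a stand-in for the real MD5 computation."""
import hashlib
from collections import deque

class Switch:
    def __init__(self, name, mode="server", domain="CAMPUS", password="",
                 version=2, vlans=None, revision=0):
        assert mode in ("server", "client", "transparent", "off")
        self.name, self.mode, self.domain = name, mode, domain
        self.password, self.version, self.revision = password, version, revision
        self.vlans = dict(vlans or {1: "default"})       # VLAN id -> name
        self.trunks = []                                  # directly connected switches

    def digest(self, vlans=None):
        """Stand-in for the advertisement digest: the password is hashed in, never sent."""
        data = f"{self.domain}|{self.password}|{sorted((vlans or self.vlans).items())}".encode()
        return hashlib.md5(data).hexdigest()

    def advertisement(self):
        return {"domain": self.domain, "version": self.version, "revision": self.revision,
                "vlans": dict(self.vlans), "digest": self.digest()}

    def accepts(self, adv):
        """Server/client rule: same domain and version, matching digest, higher revision."""
        return (adv["domain"] == self.domain and adv["version"] == self.version
                and adv["digest"] == self.digest(adv["vlans"])
                and adv["revision"] > self.revision)

    def receive(self, adv):
        """Apply an advertisement; return True if it is relayed out the other trunks."""
        if self.mode == "off":
            return False
        if self.mode == "transparent":        # never synchronises; v2 relays regardless of domain,
            return adv["version"] >= 2 or (   # v1 only when domain and version match
                adv["domain"] == self.domain and adv["version"] == self.version)
        if adv["domain"] != self.domain:
            return False
        if self.accepts(adv):
            self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        return True

    def add_vlan(self, vid, name):
        if self.mode == "client":
            raise PermissionError("VTP clients cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":             # transparent/off: local change, revision stays 0
            self.revision += 1

def connect(a, b):
    a.trunks.append(b)
    b.trunks.append(a)

def flood(origin):
    """Breadth-first flood of origin's advertisement over trunk links."""
    if origin.mode in ("transparent", "off"):   # these modes do not advertise
        return
    adv, seen, queue = origin.advertisement(), {origin}, deque([origin])
    while queue:
        for nb in queue.popleft().trunks:
            if nb not in seen:
                seen.add(nb)
                if nb.receive(adv):
                    queue.append(nb)

def build_campus(password=""):
    """core(server) - dist(client) - lab(transparent) - edge(client); mgmt(off) hangs off dist."""
    core = Switch("core", "server", password=password, revision=41,
                  vlans={1: "default", 10: "USERS", 20: "VOICE"})
    dist = Switch("dist", "client", password=password)
    lab = Switch("lab", "transparent", vlans={1: "default", 99: "LAB"})
    edge = Switch("edge", "client", password=password)
    mgmt = Switch("mgmt", "off", password=password, vlans={1: "default", 50: "OOB"})
    for a, b in [(core, dist), (dist, lab), (lab, edge), (dist, mgmt)]:
        connect(a, b)
    flood(core)                                   # the domain converges on revision 41
    return {s.name: s for s in (core, dist, lab, edge, mgmt)}

def attach_recycled_switch(net, mode="client", reset_revision=False, password=""):
    """A switch reused from elsewhere joins at edge with an empty VLAN database but
    (unless reset) a revision number of 97; returns {switch: sorted VLAN ids}."""
    new = Switch("new", mode, password=password, revision=0 if reset_revision else 97)
    connect(new, net["edge"])
    flood(new)                                    # announces itself when the trunk comes up
    flood(net["core"])                            # the server's next periodic summary
    net["new"] = new
    return {n: sorted(s.vlans) for n, s in net.items()}

if __name__ == "__main__":
    print("stale client joins :", attach_recycled_switch(build_campus()))
    print("revision reset to 0:", attach_recycled_switch(build_campus(), reset_revision=True))
    print("wrong VTP password :", attach_recycled_switch(build_campus("s3cret"), password="wrong"))
```

Three things to notice in the output: the recycled switch wipes core, dist and edge even though it joins as a client; the transparent lab switch keeps its local VLAN 99 and still relays the bad advertisement through to edge, while the off-mode mgmt switch is untouched; and a switch joining with the wrong password is ignored because its digest does not verify, which is the same check that lets a recycled switch carrying the right password in.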