VTP

VLAN Trunking Protocol (VTP) is a Cisco proprietary Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis. VTP reduces administration in a switched network: when you configure a new VLAN on one VTP server, the VLAN is distributed through all switches in the domain, which reduces the need to configure the same VLAN everywhere. To do this, VTP carries VLAN information to all the switches in a VTP domain. VTP advertisements can be sent over ISL, 802.1q, IEEE 802.10 and LANE trunks. VTP traffic is sent over the management VLAN (VLAN1), so all VLAN trunks must be configured to pass VLAN1. VTP is available on most of the Cisco Catalyst Family products. [http://www.javvin.com/protocolVTP.html Cisco VTP: VLAN Trunking Protocol]

The comparable IEEE standard in use by other manufacturers is GVRP.

VTP Modes

VTP operates in one of three modes: server, client, or transparent.
* Server – In this VTP mode you can create, remove, and modify VLANs. You can also set other configuration options, such as the VTP version, and turn VTP pruning on or off for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on messages received over trunk links. VTP server is the default mode. The VLAN information is stored in NVRAM and is not lost after a reboot.

* Client – VTP clients behave the same way as VTP servers, but you cannot create, change, or delete VLANs on the local device.

* Transparent – When you set the VTP mode to transparent, the switch does not participate in VTP. A VTP transparent switch will not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received messages. VLANs can be created, changed or deleted when in transparent mode. In VTP version 2, transparent switches do forward VTP messages that they receive out their trunk ports.

VTP sends messages between trunked switches to maintain VLANs on these switches so that they trunk properly. VTP messages are exchanged between switches within a common VTP domain. If the domain name is different, the switch simply ignores the packet. If the name is the same, the switch then compares revision numbers. If the revision number of an update received on a client or server VTP switch is higher than the previous revision, then the new configuration is applied. Otherwise, the configuration is ignored.

When new devices are added to a VTP domain, revision numbers should be reset on the entire domain to prevent conflicts. Utmost caution is advised when dealing with VTP topology changes, logical or physical. Exchanges of VTP information can be controlled by passwords. You need to put the same password on every switch for it to work.

VTP Versions

VTP version 2 supports the following features not supported in version 1: [http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800e47e3.html]

VTP security

VTP may operate unauthenticated, in which case an attacker can easily inject spoofed VTP packets in order to add or delete VLAN information. Tools such as Yersinia are freely available to do that. A password can be set for the VTP domain: it is used in conjunction with the MD5 hash function to provide authentication of VTP packets. However, this optional password authentication should not conceal the fact that it is very risky to use VTP in sensitive environments.

VTP Problems

When a VTP client or server with a higher configuration revision number is inserted, the other switches will delete their configuration information and take the VLAN information from the inserted switch. The only way to get the deleted information back is to add the missing VLANs and delete the unwanted VLANs. To avoid this, you should set the switch you're inserting into the network to transparent mode, because that resets the configuration revision number, and then switch it back to client or server mode. Another way of resetting the configuration revision number is to change the domain name to something else, like "test", then change it back.

Another problem can happen when you are inserting a switch with a different VTP domain name.

VTP can affect DTP (Dynamic Trunking Protocol) - switches will not form trunks unless they have matching VTP domain names.
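The receive rule described under VTP Modes and the insertion problem above, as an added example that is not part of the original article: it parses a summary advertisement, applies the domain and revision checks, and flags an update that would be applied but did not come from a known server. The 72-byte field layout is the commonly documented VTP v1/v2 summary advertisement format, which this page does not give; the domain name, addresses and the `audit` helper are hypothetical, and the MD5/password check is not modelled.

```python
import struct
from dataclasses import dataclass

# Assumed layout of a VTP v1/v2 summary advertisement (after the LLC/SNAP header):
# version, code, followers, domain length, domain (32 bytes, zero padded),
# config revision, updater IP, timestamp (12 ASCII bytes), MD5 digest.
SUMMARY = struct.Struct("!BBBB32sI4s12s16s")

@dataclass
class Summary:
    domain: str
    revision: int
    updater: str

def parse_summary(payload: bytes) -> Summary:
    if len(payload) < SUMMARY.size:
        raise ValueError("truncated summary advertisement")
    _ver, code, _fol, dlen, dom, rev, upd, _ts, _md5 = SUMMARY.unpack_from(payload)
    if code != 0x01 or dlen > 32:
        raise ValueError("not a valid summary advertisement")
    return Summary(dom[:dlen].decode("ascii", "replace"), rev,
                   ".".join(str(b) for b in upd))

def decide(mode: str, domain: str, revision: int, adv: Summary) -> str:
    """Receive rule from the text; the MD5/password check is not modelled."""
    if mode == "transparent" or adv.domain != domain:
        return "ignore"
    return "apply" if adv.revision > revision else "ignore"

def audit(mode, domain, revision, adv, trusted_updaters) -> str:
    """Flag an update the switch would apply but that no known server sent."""
    verdict = decide(mode, domain, revision, adv)
    if verdict == "apply" and adv.updater not in trusted_updaters:
        return "alert"
    return verdict

def sample(domain: str, revision: int, updater: bytes) -> bytes:
    """Constructed test payload, not a capture."""
    d = domain.encode()
    return SUMMARY.pack(2, 0x01, 0, len(d), d, revision, updater,
                        b"100101120000", bytes(16))

if __name__ == "__main__":
    trusted = {"10.0.0.1"}  # hypothetical address of the real VTP server
    lab = parse_summary(sample("CORP", 57, bytes([10, 0, 0, 99])))  # re-used switch
    for mode in ("server", "client", "transparent"):
        print(mode, audit(mode, "CORP", 12, lab, trusted))
```
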

See also

* Dynamic Trunking Protocol (DTP)
* GARP VLAN Registration Protocol

External links

* [http://www.cisco.com/warp/public/473/vtp_flash/ Cisco Flash animation explaining VTP operation]
* [http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_4_2/config/vlans.htm Cisco documentation: Configuring VTP and Virtual LANs on Catalyst 5000 Series]
* [http://www.yersinia.net Yersinia, a framework for Layer 2 protocols and attacks]
* [http://www.areanetworking.it/index_docs.php?title=Cisco_VLAN_Trunking_Protocol Cisco VLAN Trunking Protocol (document in Italian)]
* [http://www.ciscopress.com/articles/article.asp?p=102157&seqNum=3&rl=1 CCNA Self-Study (ICND Exam): Extending Switched Networks with Virtual LANs > VLAN Trunking Protocol:]
* [http://www.cramsession.com/articles/files/vlan-trunking-protocol-ba-9172003-0937.asp VLAN Trunking Protocol Basics - Adminstering VLANS using VTP]
* [http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/vlans.htm#wp1020364 How to configure VLANs on the Catalyst 6500 series switches.]
* [http://www.firewall.cx/vlans-vtp.php Introduction to VTP]
* [http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml Cisco documentation: Understanding VLAN Trunk Protocol (VTP)]


Wikimedia Foundation. 2010.
