VLAN Trunking Protocol (VTP) isn’t really a trunking protocol at all. That’s a shock, right? It’s really more of a VLAN propagation technology and thus, it may have been better named VPP.

Anyway, simply put, it is a Cisco proprietary protocol used to replicate a VLAN database from one switch to another. It aims to synchronise the VLANs across all participating switches; this set of switches is known as the VTP domain. In order for this information to be communicated between participating switches, they must have certain configurations present and must be connected to each other over a trunk link: VTP is only propagated across trunk links. In addition to the trunk requirement, they must also have matching VTP domain information. This consists of the domain name and password; each field can contain either a string or a null value (no authentication). Either way, they must match for switches to share information.

Three versions of VLAN Trunking Protocol exist and are supported by the newest Cisco IOS versions. Although the versions of VTP are often backward compatible, it is usually best to keep them the same between switches if possible. This ensures that the latest features are supported. The three versions can be thought of as having the following features:

VTP V1: This is the original version, with the most basic feature set. It is no longer in use in modern topologies.

VTP V2: Version 2 introduced support for token-ring networks and integrity checks of VTP frames. In this version, transparent switches pass on VTP frames to a peer without checking the version information. This is a change from V1, where the domain information was checked before forwarding the information.

VTP V3: This is the newest version, with added support for hidden passwords. This version adds the ability to propagate other databases besides the VLAN database (MST etc.). There is also added protection against overwriting the current VLAN database by accident or attack.

In addition to the versions, VTP switches can traditionally operate in three modes*:

Server: This is usually the default mode, which allows a switch to create, edit and propagate VLAN information with peers. In VTP V3, the concept of a primary and secondary server is introduced to control which switches can edit the current VLAN database. Only the primary can make changes; this prevents the database being overwritten by incorrect information.

Client: A client cannot manipulate VLANs in the same way a server can. Instead, the client learns the current database from a server or peer that has a newer version of the VLAN database.

Transparent: A transparent switch does not participate in the VTP process. It does, however (depending on version), propagate the VTP messages to other switches without storing the information itself. Switches in this mode keep their own local VLAN database and thus can manipulate VLANs locally in the same way a VTP server can for the entire VTP domain.

*VTP V3 adds the ability to completely disable VTP; this is sometimes counted as another mode.

A note on the configuration revision:

The VLAN database includes the name and number of the VLANs, as well as other associated information. Each time a change is made, a change control mechanism known as the configuration revision is updated. Simply put, the higher the integer value, the newer the information is thought to be. This means that in older VTP versions, a switch which received information with a higher config revision value would update its VLAN database with the information included in the VTP update. This also means removing any VLANs no longer present in what is thought to be the latest version of the information.

The problem with this is that it wasn’t unheard of for an engineer to attach a new switch to the network and VTP domain which had previously been used elsewhere and thus may have had a higher config revision than the current VLAN database version. This meant that in some situations the network admin could accidentally wipe out all of the VLANs on the production network with a few useless VLANs that were previously used on an old switch somewhere. To mitigate this risk, and the associated attack possibilities, VTP V3 introduced the concept of a primary and secondary server, so that only the one primary server could be used (if so desired by the admin) to edit the VLAN database.
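To make the revision behaviour and the V3 primary-server check concrete, here is a small added model (example code written for this post, not from Cisco IOS) of how a participant decides whether to accept an advertised VLAN database. The switch names, VLAN names and the `accept_update`/`demo` helpers are all made up for illustration; the checks follow the rules described above.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Switch:
    name: str
    domain: str
    password: Optional[str]   # None means no VTP authentication
    mode: str                 # "server", "client" or "transparent"
    version: int              # 1, 2 or 3
    revision: int             # configuration revision number
    vlans: dict = field(default_factory=dict)   # vlan id -> vlan name
    primary: bool = False     # VTP V3 primary server flag

def accept_update(rx: Switch, adv: Switch, over_trunk: bool) -> bool:
    """Return True if rx overwrote its VLAN database with adv's advertisement."""
    if not over_trunk:
        return False          # VTP is only propagated across trunk links
    if rx.mode == "transparent":
        return False          # transparent switches keep their local database
    if (rx.domain, rx.password) != (adv.domain, adv.password):
        return False          # domain name and password must both match
    if rx.version == 3 and not adv.primary:
        return False          # V3: only the primary server may change the database
    if adv.revision <= rx.revision:
        return False          # equal or older information is ignored
    rx.vlans = dict(adv.vlans)   # the whole database is replaced, removals included
    rx.revision = adv.revision
    return True

def demo(version: int) -> dict:
    """Attach a stale lab switch (higher revision) to a production server."""
    prod = Switch("prod-core", "corp", "s3cret", "server", version, 10,
                  {10: "users", 20: "voice", 30: "servers"})      # constructed data
    stale = Switch("old-lab", "corp", "s3cret", "server", version, 50,
                   {99: "lab-test"})                              # constructed data
    accept_update(prod, stale, over_trunk=True)
    return prod.vlans

if __name__ == "__main__":
    print("V2 result:", demo(2))   # production VLANs wiped by the stale switch
    print("V3 result:", demo(3))   # rejected: old-lab is not the primary server
```

Running `demo(2)` leaves only the stale VLAN 99 on the production switch, while `demo(3)` keeps the original three because the lab switch is not the primary server.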

For information on how to configure VTP on Cisco IOS, see my post here: Configuring VTP