R&S Blog



As a layer 2 network grows, managing the VLAN numbers and the allowed list on every trunk involves a large administration overhead. The VLAN Trunking Protocol (VTP) is a way to manage VLANs across multiple switches so that the VLAN database is consistent everywhere.

VTP dynamically advertises the addition and removal (deletion) of VLANs and their properties: each change increments the revision number, and the change is then replicated to the other switches in the same VTP domain. This does not affect the actual VLAN port assignments.

Trunk negotiation, the allowed list and VTP pruning are discussed later…

How it Works?

VTP Mode
– Controls who can advertise new/modified information. The modes are:
• Server
• Client
• Transparent

VTP Revision Number
– Sequence number to ensure consistent databases
– Higher revision indicates newer database

VTP Server Mode
• Default mode
• Allows addition, deletion, and modification of VLAN information
• Changes on server overwrite the rest of the domain
• Configured as vtp mode server

VTP Client Mode
• Cannot add, remove, or modify VLAN information
• Listens for advertisements originated by a server, installs them, and passes them on
• Configured as vtp mode client

VTP Transparent Mode
• Keeps a separate VTP database from the rest of the domain
• Does not originate advertisements
• “Transparently” passes received advertisements through without installing them
• Needed for some applications like Private VLANs
• Configured as vtp mode transparent

VTP Security
• VTP is susceptible to attacks or misconfiguration where VLANs are deleted
– Access ports in a VLAN that does not exist cannot forward traffic
• MD5 authentication protects against attack
– vtp password [password]
• It does not protect against misconfiguration
– VTP transparent mode is the recommendation
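The mode and revision-number rules above, and the security points they imply, can be seen in a small simulation. This is an added example written for this post, not Cisco's implementation: the switches, domain name, password and the digest construction (a plain MD5 over domain, revision, VLAN list and password) are all simplifications assumed here, and the topology is a simple chain so advertisements never loop. It shows a server change propagating through a transparent switch without being installed there, a second server with a higher revision overwriting the whole domain even though the password matches (the misconfiguration case the password cannot prevent), and an advertisement with the wrong password being rejected.

```python
"""Simplified model of VTP mode, revision number and MD5 password behaviour (added example)."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Advertisement:
    domain: str
    revision: int
    vlans: frozenset
    digest: str  # MD5 over the summary fields and the domain password (simplified)


def compute_digest(domain, revision, vlans, password):
    # Assumption: a flat MD5 over the fields; real VTP hashes a specific summary structure.
    msg = f"{domain}|{revision}|{','.join(map(str, sorted(vlans)))}|{password}"
    return hashlib.md5(msg.encode()).hexdigest()


@dataclass
class Switch:
    name: str
    mode: str          # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})   # VLAN 1 always exists
    neighbors: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def configure_vlans(self, vlans):
        """Operator edits the VLAN database: refused on a client, local-only on transparent."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: client mode cannot modify VLANs")
        self.vlans = set(vlans) | {1}
        if self.mode == "transparent":
            return                      # separate database, never advertised
        self.revision += 1              # every server change bumps the revision
        self.advertise()

    def advertise(self):
        adv = Advertisement(self.domain, self.revision, frozenset(self.vlans),
                            compute_digest(self.domain, self.revision, self.vlans, self.password))
        for n in self.neighbors:
            n.receive(adv, sender=self)

    def forward(self, adv, sender):
        for n in self.neighbors:
            if n is not sender:
                n.receive(adv, sender=self)

    def receive(self, adv, sender):
        if adv.domain != self.domain:
            self.log.append(f"{self.name}: dropped advertisement for domain {adv.domain}")
            return
        if self.mode == "transparent":
            self.forward(adv, sender)   # passed through, not installed
            return
        if compute_digest(adv.domain, adv.revision, adv.vlans, self.password) != adv.digest:
            self.log.append(f"{self.name}: MD5 mismatch, advertisement from {sender.name} rejected")
            return
        if adv.revision <= self.revision:
            return                      # older or equal database, ignore
        # Higher revision wins, on servers and clients alike, whatever it contains.
        self.revision = adv.revision
        self.vlans = set(adv.vlans)
        self.forward(adv, sender)


def link(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)


def demo():
    """Chain S1(server) - S2(client) - S3(transparent) - S4(client); domain and password are assumed."""
    s1 = Switch("S1", "server", "LAB", "secret")
    s2 = Switch("S2", "client", "LAB", "secret")
    s3 = Switch("S3", "transparent", "LAB", "secret")
    s4 = Switch("S4", "client", "LAB", "secret")
    link(s1, s2); link(s2, s3); link(s3, s4)

    s1.configure_vlans({10, 20, 30})
    initial = tuple(frozenset(s.vlans) for s in (s1, s2, s3, s4))

    # A second server joins with a higher revision and the correct password but only VLAN 10:
    # the whole domain, S1 included, installs it and VLANs 20 and 30 disappear.
    s5 = Switch("S5", "server", "LAB", "secret", revision=5, vlans={1, 10})
    link(s5, s2)
    s5.advertise()
    overwritten = tuple(frozenset(s.vlans) for s in (s1, s2, s3, s4))

    # A server with the wrong password and an even higher revision is rejected by S4.
    s6 = Switch("S6", "server", "LAB", "wrong", revision=9, vlans={1})
    link(s6, s4)
    s6.advertise()
    return {"initial": initial, "overwritten": overwritten,
            "after_bad_password": frozenset(s4.vlans), "s4_log": s4.log}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The overwrite step is the point of the page's transparent-mode recommendation: a transparent switch keeps its own database through both advertisements, while every server and client that accepts the higher revision loses VLANs 20 and 30, and any access port in those VLANs stops forwarding.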

When does VLAN pruning occur?

What triggers VLAN pruning? Specifically, will a switch only allow pruning of a VLAN from a trunk if it has no access ports configured for that VLAN? Or is it enough to have merely no active ports?

Consider a simple trunking scenario:


Switch 1 is the VTP server, and has propagated VLANs 10, 20, and 30 to switch 2. The interfaces to which hosts A and B attach are configured as access ports in VLAN 10, and an 802.1Q trunk is formed between the two switches. By examining the trunk status on either switch we can verify that VLANs 1 and 10 are being passed while the others are pruned in both directions.

S1# show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10

Switch 2:

S2# show interface trunk
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10

When host B is disconnected, its interface on switch 2 becomes inactive. As switch 2 has no remaining active ports in VLAN 10, VLAN 10 becomes eligible for pruning. After roughly 30 seconds pass, we can see that switch 1 is now pruning VLAN 10 from the trunk (VLAN 10 is absent from the last line of the output):

S1# show interface trunk
Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1

The VLAN remains unpruned on switch 2’s end of the trunk, because it knows switch 1 still has at least one active port in VLAN 10:

S2# show interface trunk
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10
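The two outputs above encode a rule that is easy to state in code: each end of the trunk keeps sending a prune-eligible VLAN only while the neighbour still has an active port in it, and a configured but down port does not count. The model below is an added example, not switch software; the two switches, the access port names Gi0/2 and Fa0/2, and the default prune-eligible range 2-1001 (VLAN 1 is never pruned, as the outputs show) are assumptions made here, and it only considers a single trunk, so VLANs needed by a further downstream trunk are not modelled.

```python
"""Model of VTP pruning eligibility on a single trunk between two switches (added example)."""
from dataclasses import dataclass, field

# Assumption: default prune-eligible range; VLAN 1 and 1002-1005 are never pruned.
PRUNE_ELIGIBLE = range(2, 1002)


@dataclass
class PruningSwitch:
    name: str
    vlans: set                                  # VLANs in the VTP database
    access_ports: dict = field(default_factory=dict)   # port name -> (vlan, link up?)

    def active_vlans(self):
        """VLANs with at least one access port that is actually up."""
        return {vlan for vlan, up in self.access_ports.values() if up}

    def join_request(self):
        """VLANs this switch asks its neighbour to keep sending over the trunk."""
        return {v for v in self.vlans if v not in PRUNE_ELIGIBLE or v in self.active_vlans()}


def not_pruned(local, remote):
    """What 'show interface trunk' on `local` lists as not pruned toward `remote`."""
    return sorted((local.vlans & remote.vlans) & remote.join_request())


def scenario():
    # S1 carries host A on Gi0/2, S2 carries host B on Fa0/2, both in VLAN 10 (port names assumed).
    s1 = PruningSwitch("S1", {1, 10, 20, 30}, {"Gi0/2": (10, True)})
    s2 = PruningSwitch("S2", {1, 10, 20, 30}, {"Fa0/2": (10, True)})
    before = (not_pruned(s1, s2), not_pruned(s2, s1))

    # Host B is unplugged: the port stays configured for VLAN 10 but is no longer active.
    s2.access_ports["Fa0/2"] = (10, False)
    after = (not_pruned(s1, s2), not_pruned(s2, s1))
    return before, after


if __name__ == "__main__":
    before, after = scenario()
    print("before: S1", before[0], "S2", before[1])   # both 1,10
    print("after:  S1", after[0], "S2", after[1])     # S1 prunes 10, S2 keeps 1,10
```

So the answer to the question at the top is the second option: no active port in the VLAN is enough, the access port on switch 2 is still configured for VLAN 10 when switch 1 prunes it. Note also the asymmetry, which matters when reading the output: the pruned list on a switch reflects what its neighbour needs, not what it needs itself.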
