Demystifying VLAN Trunk Protocol
Expert Reference Series of White Papers
Joe Rinehart, MBA, CCIE #14256, CCNP/DP/VP
www.globalknowledge.com
Copyright ©2012 Global Knowledge Training LLC. All rights reserved.

Introduction

Of the many protocols that Cisco has created over the years, one of the most feared and most often misunderstood is VTP, the Virtual Local Area Network (VLAN) Trunk Protocol. The original intention was simple: a straightforward, scalable way to administer VLANs across many switches from one place. Because of the way the protocol works, however, a single misconfigured or stale switch can unintentionally cause a widespread outage in an existing network. The purpose of this white paper is to examine the inner workings of VTP in detail and to lay out strategies for using it safely in production environments.

Figure 1: Large Switched Network

The Basics

Figure 2: VLAN Trunk Protocol Versions

As with most protocols, several versions of VTP exist, with some operational differences, particularly in the latest version. The three versions are as follows.

Version 1

VTP was originally introduced on the Crescendo Catalyst 5000 switching platform; Cisco acquired Crescendo in September 1993. Most of the core features of the protocol were introduced in this version. It is available on all Catalyst switch models and is the default version even where version 2 is available.

Version 2

VTP version 2 added VLAN support for Token Ring, a switching architecture that once competed with Ethernet but is now obsolete, and added VTP and VLAN consistency checks as a minor feature revision. Unfortunately, version 2 is incompatible with version 1, so upgrading a domain is an "all or nothing" change: every switch in the domain must run the same version. All recent Cisco switches support version 2.
Version 3

The potential perils of VTP have been well publicized, both in Cisco's extensive documentation and in volumes of certification study material for CCENT, CCNA and CCNP. Version 3 was created with these issues in mind and introduced significant improvements along with other features. These include propagation of the 802.1s Multiple Spanning Tree (MST) configuration, support for the extended VLAN range (IDs 1006 through 4094), and administrative controls that keep a newly connected switch from rewriting the existing VTP topology: only a server that has been explicitly promoted to primary can change the domain's VLAN database, the password can be stored as a hash rather than in clear text, and an off mode stops a switch from relaying VTP altogether. In addition, backward compatibility with version 2 is supported. Originally available only on the Catalyst 6500, VTP version 3 is now supported on the 2960, 3560, 3750 and 4500 platforms as well, from IOS version 12.2(50)SE3 and later.

Operational Requirements

VTP is not a "plug and play" protocol; it has several minimum requirements in order to function at all. Failing to meet these prerequisites yields disappointing results, although the requirements themselves are straightforward.

Cisco Switch Platforms

One thing to remember about VTP is that it is a Layer 2, Cisco-proprietary protocol, not unlike Cisco Discovery Protocol, though the two serve very different purposes. IEEE standards with similar functionality include GVRP, the GARP VLAN Registration Protocol defined in 802.1Q on top of the Generic Attribute Registration Protocol (GARP) of 802.1D, and its successor, the Multiple VLAN Registration Protocol (MVRP), defined in 802.1ak. Because of its proprietary nature, Cisco switches are required in order to use the protocol.

Directly Connected Trunk Links Between Member Switches

VTP messages are never sent on ports configured as access ports (switchport mode access); they are sent only on trunk links (switchport mode trunk), whether the trunk is Cisco-proprietary ISL or IEEE 802.1Q. The frames go to the Cisco multicast address 01-00-0C-CC-CC-CC, the same address CDP uses, with SNAP protocol ID 0x2003, which is what to filter on when capturing VTP with a protocol analyzer. One caveat follows from this: a port left in its default dynamic (DTP) mode can be negotiated into a trunk by whatever is plugged into it, and a trunk carries VTP. Ports meant for end hosts should be set to access mode explicitly so that they never take part in the VTP exchange.
VTP Domain Name on VTP Server(s)

In VTP networks, the domain name identifies the group of switches that exchange VLAN information. By default, this value is null, so it must be configured explicitly on member devices. To exchange messages, the domain names must match, with one exception: a switch whose domain is still null adopts the domain name carried in the first VTP advertisement it hears on a trunk and from then on participates in that domain. That is convenient for a factory-fresh switch, but it also means that an unconfigured switch (server mode, null domain) silently joins whatever domain it is cabled into, and a switch that has been used in another domain keeps that domain name and its revision number until they are changed.

Version

VTP version 1 is the default on Cisco switches, but this can be changed with the vtp version command in global configuration mode. Versions 1 and 2 are incompatible and require that all devices run the same version, while version 3 is backward compatible with version 2. As a best practice, run the same version throughout the switch domain.

VTP Password (if used)

By default, switches configured as VTP servers or clients accept updates within the same domain without any security check whatsoever. To prevent a rogue VTP switch (particularly one in server mode) from altering the topology, administrators may set a password. The password is not required, but if it is used, every member switch must carry the same value, or VTP messages will be discarded by the receiving device. The password itself is never transmitted; it is folded into the MD5 digest carried in every summary advertisement, and a receiver whose own password produces a different digest rejects the advertisement. Note that on versions 1 and 2 the password is stored and shown in clear text (show vtp password); version 3 can store only its hash (vtp password <password> hidden). The password is a guard against accidents and opportunistic misuse rather than a strong secret, since anyone who can read the configuration of one member switch has it.

VTP Modes

For network professionals already familiar with Cisco switch architecture and operation in general, VTP switch modes are a well-known topic but still worth reviewing.

Server

Cisco switches operate in VTP server mode by default, which gives them the ability to add and delete VLANs and to store the VLAN database locally. The database carries a version number called the configuration revision number, which increases by one on every change to VLAN information. If a member switch receives an advertisement with a higher revision number than its own, it replaces its entire database with the advertised one; it does not merge the two. This single rule is behind most VTP outages. A switch that served a lab domain with the same name, was powered off, and is later cabled into a production trunk still holds its old database and revision number in vlan.dat; if that number is higher than production's, its VLAN list (often just VLAN 1) overwrites every server and client in the domain, and every access port assigned to a VLAN that no longer exists goes down. Before connecting any switch to a production trunk, check show vtp status for its mode, domain and configuration revision; setting vtp mode transparent (and then the intended mode) or changing the domain name resets the revision number to zero.
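The acceptance rules just described, replayed as an added model (not Cisco code and not part of the original white paper). It encodes the documented version 1/2 behaviour for a summary advertisement (null domain adopts the sender's, domain and password must match, a higher revision replaces the whole database, transparent ignores) and runs the stale-switch case with and without the two controls that stop it. The switch names, the CORP domain, the VLAN numbers and the password are assumptions.

```python
"""Model of how a VTP v1/v2 switch handles a summary advertisement.

Added illustration, not Cisco code: it encodes the documented rules (matching
domain, matching password, higher configuration revision wins, transparent
ignores) and replays the stale-switch failure and the controls that stop it.
Switch names, the CORP domain, the VLAN numbers and the password are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Switch:
    name: str
    mode: str                   # "server", "client" or "transparent"
    domain: Optional[str]       # None models the null (unconfigured) domain
    password: Optional[str]     # None models "no password"
    revision: int               # configuration revision number
    vlans: Set[int] = field(default_factory=lambda: {1})

    def reset_revision(self, new_mode: str) -> None:
        """The pre-deployment fix: 'vtp mode transparent' zeroes the revision,
        then the switch is put back into the mode it will actually run in."""
        self.mode = "transparent"
        self.revision = 0
        self.mode = new_mode


def receive_summary(rx: Switch, tx: Switch) -> str:
    """Deliver one summary advertisement from tx to rx over a trunk and
    report what rx did with it."""
    if rx.mode == "transparent":
        return "ignored: transparent mode"          # v2 still relays it, unchanged
    if rx.domain is None:
        rx.domain = tx.domain                        # null domain adopts the first one heard
    if rx.domain != tx.domain:
        return "dropped: domain mismatch"
    if rx.password != tx.password:
        return "dropped: MD5 digest mismatch (password)"
    if tx.revision <= rx.revision:
        return "ignored: revision not higher"
    rx.vlans = set(tx.vlans)                         # whole database replaced, never merged
    rx.revision = tx.revision
    return "accepted: database replaced"


def stale_switch_scenario(password: Optional[str], reset_first: bool) -> dict:
    """Production domain CORP: a core server and an access client at revision
    12 with VLANs 1/10/20/30. A lab switch that was last a server in a domain
    also named CORP sits at revision 40 with only VLAN 1. It is cabled to the
    access switch on a trunk; the access switch then re-advertises what it
    holds to the core."""
    core = Switch("core", "server", "CORP", password, 12, {1, 10, 20, 30})
    access = Switch("access", "client", "CORP", password, 12, {1, 10, 20, 30})
    lab = Switch("lab", "server", "CORP", None, 40, {1})
    if reset_first:
        lab.reset_revision("client")
    return {
        "lab->access": receive_summary(access, lab),
        "access->core": receive_summary(core, access),
        "core_vlans": sorted(core.vlans),
        "core_revision": core.revision,
    }


def null_domain_join() -> dict:
    """A factory-fresh switch (server mode, null domain, revision 0) hears the
    core's advertisement and silently joins the domain."""
    core = Switch("core", "server", "CORP", None, 12, {1, 10, 20, 30})
    fresh = Switch("fresh", "server", None, None, 0)
    return {"result": receive_summary(fresh, core), "domain": fresh.domain,
            "vlans": sorted(fresh.vlans)}


if __name__ == "__main__":
    print("no password, no reset:", stale_switch_scenario(None, False))
    print("password set:         ", stale_switch_scenario("s3cret", False))
    print("revision reset first: ", stale_switch_scenario(None, True))
    print("fresh switch:         ", null_domain_join())
```

Without a password and without resetting the lab switch, the core ends up at revision 40 with only VLAN 1; a production password blocks the advertisement at the access switch, and resetting the revision first makes it a harmless "not higher" advertisement. Note that the model treats the password as a plain comparison; on a real switch the comparison is on the MD5 digest the password contributes to.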
In practice, at least one switch in server mode (and a second for redundancy) is necessary for the protocol to function at all. Another nuance of a switch in this mode is that it also sends update messages to member switches.

Client

VTP client mode switches rely entirely on server switches for VLAN configuration: VLANs cannot be created, deleted or modified on a client. Unlike server mode, client mode must be configured explicitly and is not enabled by default. A client is not harmless, however. It keeps its own copy of the domain's VLAN database and the configuration revision number, and on IOS-based Catalyst switches that copy survives a reload, so a client carrying a higher revision number overwrites the servers exactly as another server would. The same show vtp status check applies before connecting one.

Transparent

Another critical principle is that VTP is always running on a member switch; there is no option to turn it off in versions 1 and 2 (except in old, now end-of-life versions of Catalyst OS). The closest equivalent is VTP transparent mode. A transparent switch can create, modify and delete VLANs locally and stores its database locally. It ignores all VTP updates and never changes its local database in response to them, although in version 2 it still forwards updates out its other trunks (in version 1 it forwards them only when the domain name and version match). Running in transparent mode effectively removes VTP's effect on that switch, but not on its neighbors: a transparent switch relays a bad advertisement downstream untouched. VTP version 3 adds an off mode (vtp mode off) that both ignores and stops relaying advertisements.

Protocol Mechanics

Figure 3: VTP Frame Format (ISL Version)

VTP Message Types

VTP uses several message types to communicate between switches, each with a critical function.

Summary

Summary advertisements are sent every five minutes (300 seconds) by default and immediately after a change. They carry operational information such as the VTP domain name, the version and the configuration revision number, which is incremented by one after any change to VLAN information, along with an MD5 digest computed over the VLAN database and the password. When a switch receives a summary advertisement it first checks the domain name (and the digest, if a password is set). If the advertised revision number is less than or equal to its own, the advertisement is ignored; if it is higher, the switch asks for the full database with an advertisement request and replaces its own once the subset advertisements arrive. A server or client therefore never accepts an older revision, but it also never questions a newer one.
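The summary advertisement described above, decoded from bytes, as an added example that is not part of the white paper and is not Cisco code. It parses the three VTP message types (summary, subset and advertisement request) using the field layout Cisco publishes for versions 1 and 2, and then audits a capture for summary advertisements that a production trunk should never carry: a foreign domain, an updater that is not an approved server, or a revision number that jumps by more than one. Version 3 uses a different message layout and is not handled. All frames are constructed inline; the CORP domain, the 10.0.0.x updater addresses and the approved-server list are assumptions.

```python
"""Parser and audit for VTP version 1/2 advertisements.

Added example, not from the white paper and not Cisco code. The field layout
is the one Cisco publishes for the summary (code 1), subset (code 2) and
advertisement-request (code 3) messages; version 3 uses a different layout
and is not handled. All frames below are constructed here, and the CORP
domain, the 10.0.0.x updater addresses and the approved-server list are
assumptions.
"""
import struct
from typing import Dict, List, Optional, Set

# Payload layouts (network byte order), following the LLC/SNAP header that
# carries Cisco OUI 00-00-0C and protocol ID 0x2003 to 01-00-0C-CC-CC-CC.
SUMMARY_FMT = "!BBBB32sI4s12s16s"  # ver, code=1, followers, domain len, domain, revision, updater IP, timestamp, MD5
SUBSET_HDR_FMT = "!BBBB32sI"       # ver, code=2, sequence, domain len, domain, revision; VLAN info fields follow
VLAN_INFO_FMT = "!BBBBHHI"         # info len, status, type, name len, VLAN ID, MTU, 802.10 SAID; padded name follows
REQUEST_FMT = "!BBBB32sH"          # ver, code=3, reserved, domain len, domain, start value


def build_summary(domain: str, revision: int, updater_ip: str, followers: int = 0, version: int = 2) -> bytes:
    """Constructed summary advertisement (timestamp and digest are dummies)."""
    dom = domain.encode()
    ip = bytes(int(o) for o in updater_ip.split("."))
    return struct.pack(SUMMARY_FMT, version, 1, followers, len(dom), dom, revision, ip, b"000000000000", bytes(16))


def build_subset(domain: str, revision: int, vlans, seq: int = 1, version: int = 2) -> bytes:
    """Constructed subset advertisement: one Ethernet VLAN entry per (id, name)."""
    dom = domain.encode()
    out = struct.pack(SUBSET_HDR_FMT, version, 2, seq, len(dom), dom, revision)
    for vid, name in vlans:
        raw = name.encode()
        padded = raw + b"\0" * (-len(raw) % 4)          # name is padded to a multiple of 4 bytes
        out += struct.pack(VLAN_INFO_FMT, 12 + len(padded), 0, 1, len(raw), vid, 1500, 100000 + vid) + padded
    return out


def build_request(domain: str, start: int = 0, version: int = 2) -> bytes:
    """Constructed advertisement request for VLANs from 'start' onward."""
    dom = domain.encode()
    return struct.pack(REQUEST_FMT, version, 3, 0, len(dom), dom, start)


def parse_vtp(payload: bytes) -> Dict:
    """Decode a VTP v1/v2 payload into a dict keyed by message type."""
    version, code = payload[0], payload[1]
    if code == 1:
        _, _, followers, dlen, dom, rev, ip, ts, digest = struct.unpack(SUMMARY_FMT, payload[:72])
        return {"type": "summary", "version": version, "followers": followers,
                "domain": dom[:dlen].decode(), "revision": rev,
                "updater": ".".join(str(b) for b in ip),
                "timestamp": ts.decode("ascii", "replace"), "md5": digest.hex()}
    if code == 2:
        _, _, seq, dlen, dom, rev = struct.unpack(SUBSET_HDR_FMT, payload[:40])
        vlans, off = [], 40
        while off + 12 <= len(payload):
            ilen, status, vtype, nlen, vid, mtu, said = struct.unpack(VLAN_INFO_FMT, payload[off:off + 12])
            if ilen < 12 + nlen:
                raise ValueError("bad VLAN info length")
            vlans.append({"id": vid, "name": payload[off + 12:off + 12 + nlen].decode(),
                          "type": vtype, "status": status, "mtu": mtu, "said": said})
            off += ilen
        return {"type": "subset", "version": version, "sequence": seq,
                "domain": dom[:dlen].decode(), "revision": rev, "vlans": vlans}
    if code == 3:
        _, _, _, dlen, dom, start = struct.unpack(REQUEST_FMT, payload[:38])
        return {"type": "request", "version": version, "domain": dom[:dlen].decode(), "start": start}
    raise ValueError(f"unknown VTP code {code}")


def audit(frames: List[bytes], domain: str, approved_updaters: Set[str]) -> List[str]:
    """Flag summary advertisements a monitor session on a production trunk
    should never see: a foreign domain, an unapproved updater, or a revision
    that jumps by more than one between consecutive summaries."""
    alerts: List[str] = []
    last_rev: Optional[int] = None
    for frame in frames:
        msg = parse_vtp(frame)
        if msg["type"] != "summary":
            continue
        if msg["domain"] != domain:
            alerts.append(f"domain {msg['domain']!r} seen, expected {domain!r}")
        if msg["updater"] not in approved_updaters:
            alerts.append(f"summary from unapproved updater {msg['updater']} (revision {msg['revision']})")
        if last_rev is not None and msg["revision"] > last_rev + 1:
            alerts.append(f"revision jumped {last_rev} -> {msg['revision']}")
        last_rev = msg["revision"] if last_rev is None else max(last_rev, msg["revision"])
    return alerts


# Constructed sample: a normal refresh from the core with its VLAN list, then a
# summary from a lab switch that was last a server in a domain also named CORP.
SAMPLE_FRAMES = [
    build_summary("CORP", 12, "10.0.0.1", followers=1),
    build_subset("CORP", 12, [(1, "default"), (10, "USERS"), (20, "VOICE")]),
    build_summary("CORP", 40, "10.0.0.99"),
]


def audit_sample() -> List[str]:
    return audit(SAMPLE_FRAMES, "CORP", {"10.0.0.1"})


if __name__ == "__main__":
    for alert in audit_sample():
        print(alert)
```

Run against the sample, the audit raises two alerts for the third frame (an updater that is not the approved server, and a revision jumping from 12 to 40), which is exactly the advertisement that would wipe the domain. The updater identity is the IP address of the switch that last changed the database, so it is the quickest pointer to the culprit in a capture.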
Subset

When VLAN information is modified on a VTP server, that switch first sends a summary advertisement with an incremented configuration revision number, followed by one or more subset advertisements. Subset advertisements carry the VLAN database itself, one entry per VLAN (ID, name, type, MTU and 802.10 SAID), so that member switches can synchronize VLAN information throughout the domain. Changes that trigger this include creating, deleting and renaming VLANs.

Advertisement Requests

On the surface it might seem that VTP servers are the only devices that originate VTP messages, since transparent switches do not and client switches cannot change any VLAN data. In reality, however, a switch in client mode issues an advertisement request to the servers when it needs the database: after a reset or reboot, after the VTP domain name has been changed, or after receiving a summary advertisement with a higher configuration revision number than its own. In response, a VTP server issues a summary advertisement followed by one or more subset advertisements.

VTP Pruning

An administration protocol such as VTP can be very helpful in theory, but not all VLANs behave alike. Two general classifications of VLAN can be described as follows.

Local VLANs

When VLANs were first introduced, one of the more common designs was simply to group users who sat in close geographic proximity. In a switched campus, for example, a VLAN might be limited to a group of users on one floor of a building. Generally speaking, traffic in this setting follows the pattern of 80% staying local to the VLAN and 20% leaving it.

End-to-End VLANs

While some VLANs in modern networks still fall into the local category, a VLAN can span multiple locations and multiple switches (you may recall that this is one of the many purposes of trunk links).
In this scenario, users can be grouped by function rather than location, such as accounting personnel on different floors of a building. In this type of setting, only 20% of traffic may stay within the VLAN, and 80% may be bound elsewhere.

Of the two classifications, a local VLAN does not need to be carried on every trunk in the VTP domain. VTP still propagates the definition of that VLAN to every switch, but without pruning every trunk also carries its broadcast, multicast and unknown-unicast traffic, flooding switches that have no ports in the VLAN at all. VTP pruning removes those switches from the equation: a trunk carries a VLAN's flooded traffic only toward neighbors that have active ports in it. Pruning is not enabled by default and must be explicitly configured (vtp pruning on a server, which propagates the setting to the domain); VLANs 2 through 1001 are prune-eligible, while VLAN 1, VLANs 1002 through 1005 and the extended range are not.

Conclusion

VLAN Trunk Protocol is frequently the focus of a proverbial orchestra of exam questions for Cisco certifications and is complex enough to create some misunderstanding and confusion in that regard as well. In my own professional experience spanning nearly two decades in networking, I have only encountered one production network using the protocol, but with the version 3 improvements, the "fear factor" may potentially be removed for its use. As with so many other technologies, a thorough understanding and appropriate use are the best factors influencing the decision whether or not to use it.

Learn More

To learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge, Global Knowledge suggests the following courses:

SWITCH - Implementing Cisco IP Switched Networks v1.0
ICND1 - Interconnecting Cisco Network Devices 1
ICND2 - Interconnecting Cisco Network Devices 2

Visit www.globalknowledge.com or call 1-800-COURSES (1-800-268-7737) to speak with a Global Knowledge training advisor.

About the Author

Joe Rinehart, MBA, CCIE #14256, CCNP/DP/VP is a professional trainer specializing in technology, business, and social media.
He is also a successful speaker and published author, as well as a columnist for the Federal Way Mirror. He is active in the social media space, managing one of the largest groups on LinkedIn, as well as serving on the national steering committee of the Cisco Collaboration Users Group. Joe also serves as president of the Seattle Cisco Users Group, serving technology professionals throughout the Puget Sound region.

Joe Rinehart, MBA, CCIE #14256, CCNP/DP/VP
President and Chief Edutainment Officer
Gracestone Professionals, LLC
jrinehart@gracestonecompany.com
Twitter: jjrinehart