VLAN Trunking Protocol (VTP) in CCNP / BCMSN Exam

VTP is a messaging protocol that Cisco designed to synchronize the VLAN database (vlan.dat) between switches in a common administratively controlled group (the VTP domain). This information is propagated only as Layer 2 multicast advertisements across trunk ports. VTP is a Cisco-proprietary protocol that is available on most of the Cisco Catalyst series products running either Cisco IOS or Cisco CatOS system software.

Passing the BCMSN exam and getting one step closer to the CCNP certification means learning and noticing details that you were not presented with in your CCNA studies. One protocol you've got to learn more details about is VTP, which seemed simple enough in your CCNA studies! Part of learning the details is mastering the fundamentals, so in this tutorial we'll review the basics of VTP.

VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs 1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. The two VTP versions also differ in how they handle messages: VTPv1 does more consistency checking on messages, which can add overhead, whereas VTPv2 will forward a message as long as its MD5 digest is correct.

VLANs can span switch ports, switches within a switch block, or closets and buildings. VLANs group users and devices into common workgroups across geographical areas. VLAN mapping lets you limit which VLANs are carried across a trunk and control what is dropped, which can improve bandwidth and processor utilization.

In show vtp status output, the "VTP Operating Mode" is set to "Server" by default. The more familiar term for VTP Operating Mode is simply VTP Mode, and Server is the default. It's through the use of VTP modes that we can place limits on which switches can create and delete VLANs.

In Server mode, a VTP switch can be used to create, modify, and delete VLANs. This means that a VTP deployment has to have at least one switch in Server mode, or VLAN creation will not be possible. Again, this is the default setting for Cisco switches.

Switches running in Client mode cannot be used to create, modify, or delete VLANs. Clients do listen for VTP advertisements and act accordingly when VTP advertisements notify the Client of VLAN changes.

VTP Transparent mode actually means that the switch isn't participating in the VTP domain as Servers and Clients do. Transparent VTP switches don't synchronize their VTP databases with other VTP speakers. They don't even advertise their own VLAN information! Therefore, any VLANs created on a Transparent VTP switch will not be advertised to other VTP speakers in the domain, making them locally significant only. (I know you remember that phrase from your CCNA studies!)

Devices running VTP Transparent mode do have a little something to do with the other switches in the VTP domain, though. When a switch running in Transparent mode receives a VTP advertisement, that switch will forward that advertisement to other switches in that VTP domain.

Configuring switches as VTP Clients is a great way to “tie down” VLAN creation capabilities to switches that are under your physical control. However, this occasionally leads to a situation where only the VTP clients will have ports that belong to a given VLAN, but the VLAN still has to be created on the VTP server. Bear in mind that VLANs can be created and deleted in transparent mode, but those changes aren't advertised to other switches in the VTP domain.
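One practical way to enforce the "tie down" advice above is to audit the VTP Operating Mode of every switch in the domain and flag any that were left in the default Server mode. The following is an added example, not code from the original tutorial or from Cisco; the hostnames, domain name and show vtp status excerpts are constructed sample data, and only the field labels match real Cisco IOS output.

```python
import re
from dataclasses import dataclass

# Field labels as they appear in Cisco IOS 'show vtp status' output.
FIELD_RE = re.compile(
    r"^\s*(VTP Operating Mode|VTP Domain Name|VTP Pruning Mode)\s*:\s*(.*?)\s*$",
    re.MULTILINE,
)

def _status(mode, domain, pruning="Disabled"):
    # Builds a constructed 'show vtp status' excerpt for the sample below.
    return (f"VTP Version                     : 2\n"
            f"VTP Operating Mode              : {mode}\n"
            f"VTP Domain Name                 : {domain}\n"
            f"VTP Pruning Mode                : {pruning}\n")

# Constructed sample: hostnames and values are made up for this example.
SAMPLE_OUTPUT = {
    "core-sw1":   _status("Server", "CAMPUS", "Enabled"),  # the designated server
    "access-sw7": _status("Server", "CAMPUS"),             # left at the default
    "access-sw8": _status("Client", "CAMPUS"),
    "lab-sw1":    _status("Transparent", "LAB"),           # local VLANs only
}

@dataclass
class VtpStatus:
    switch: str
    mode: str
    domain: str
    pruning: str

def parse_vtp_status(switch: str, text: str) -> VtpStatus:
    """Pull the mode, domain and pruning fields out of one switch's output."""
    fields = dict(FIELD_RE.findall(text))
    missing = {"VTP Operating Mode", "VTP Domain Name", "VTP Pruning Mode"} - fields.keys()
    if missing:
        raise ValueError(f"{switch}: output lacks {sorted(missing)}")
    return VtpStatus(switch, fields["VTP Operating Mode"],
                     fields["VTP Domain Name"], fields["VTP Pruning Mode"])

def audit(statuses, allowed_servers, domain):
    """Return findings for switches that can change VLANs but should not."""
    findings = []
    for s in statuses:
        if s.mode == "Server" and s.switch not in allowed_servers:
            findings.append(f"{s.switch}: Server mode (the default) but not a designated VTP server")
        if s.mode in ("Server", "Client") and s.domain != domain:
            findings.append(f"{s.switch}: domain '{s.domain}' differs from expected '{domain}'")
    return findings

def run_sample():
    statuses = [parse_vtp_status(h, out) for h, out in SAMPLE_OUTPUT.items()]
    return audit(statuses, allowed_servers={"core-sw1"}, domain="CAMPUS")

if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Transparent switches are deliberately not checked against the domain name, since the text above notes their VLANs are locally significant and are never advertised.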

VLAN hopping was considered a "dead" attack that was almost a waste of effort until IP telephony converged with the IP network. Now there are several VoIP tools out there that take advantage of it, and the attack has re-emerged as a crippling one. VLAN hopping can bypass any security measures users may have in place on the device that routes between the VLANs. This is why attackers use VLAN hopping to capture sensitive information such as bank account details and passwords from targeted network subscribers.

VLANs are a very efficient way to design a network. In fact, they are quite seriously promoted in network design. VLANs are also often used to provide additional security on networks, because computers on one VLAN cannot talk to users on another VLAN without explicit access through inter-VLAN routing or a multilayer switch. However, as you shall soon see, VLANs by themselves are not enough to secure your environment.
