While VTP simplifies VLAN administration, it also introduces vulnerabilities into the infrastructure if configured incorrectly. VTP pruning is used in conjunction with VTP to ensure that traffic destined for specific VLANs is not passed to switches that do not need it. This lab will discuss and demonstrate the configuration and verification of VTP Transparent mode and VTP Pruning.
It is recommended that you complete Configuring VLAN Trunking Protocol (VTP) before proceeding with this lab so that you are familiar with VTP Server and Client modes. Unlike VTP Server/Client, Transparent mode does not participate in the VTP domain at all: it neither advertises its own VLAN database nor updates that database from received advertisements. A transparent-mode switch will, however, pass VTP frames from one switch to the next.
Transparent switches are a good fit when placing a managed Cisco switch in the transit path between two VTP-enabled switches; the VTP Server and VTP Client(s) can still communicate through the transparent switch and operate correctly.
The downside of transparent switches is that they must have the same VLANs configured if they are a transit switch in a VTP domain. A common reason to put a transparent switch in the transit path of two VTP-enabled switches is a security requirement: the transparent switch needs a specific Layer 2 or Layer 3 VLAN that must not exist anywhere else on the network, but it still needs access to all other VLANs.
Another example is a simple edge transparent switch that is strictly an access switch and neither trunks nor participates in VTP.
For example, let's say you have a three-tier network with Core/Distribution/Access layers, the VTP server configured on the distribution switches, and the VLAN information propagating down to 24 access switches. To be more specific, let's say a twelve-floor building with two access switches per floor. Let's say VLAN 112 is configured on the twelfth floor; however, because VTP propagates the VLAN information to every single access switch, even switches on the first floor will have VLAN 112. So the big question is: when a host on VLAN 112 sends broadcast traffic, does every single switch receive the broadcast? The simple answer is yes, as the distribution switch will forward the broadcast out every trunk link to every access switch except the one it was received on. If you think about it, that is a big waste of resources. However, VTP addresses this issue with a feature called VTP Pruning.
VTP Pruning will "prune" VLAN traffic on inter-switch trunk links if the neighboring switch is not requesting any traffic for that VLAN. If a switch does not have any ports in VLAN 401, why does it need the broadcast traffic from VLAN 401? The simple answer is that it doesn't, and when it receives such traffic it is just a waste of switch resources.
In this lab you will familiarize yourself with the following commands:
Command | Description |
---|---|
vtp mode transparent | This command is executed in global configuration mode on a Cisco Catalyst switch and sets the switch to transparent mode so it does not participate in VTP at all; it does, however, pass VTP traffic. |
vtp pruning | This command is executed in global configuration mode on a Catalyst switch to configure the VTP server to enable the VTP Pruning feature throughout the VTP domain; this setting is also propagated to all VTP clients in the domain. |
show interface | This command can be executed in user or privileged mode to view the current pruning list on a per-link basis. |
show vtp status | This command can be executed from user or privileged mode to view the current settings configured for VTP. |
show interface trunk | This command can be executed from user or privileged mode to view which VLANs are being forwarded down the trunk links and not pruned. |
Step 1. – Configure SW2 as a VTP Transparent switch and use VTP Version 2, verify your configuration.
To configure SW2 as a VTP transparent switch, use the vtp mode transparent command in global configuration; to verify the change, use the show vtp status command in user or privileged mode as shown below:
SW2 con0 is now available
Press RETURN to get started.
SW2>enable
SW2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#vtp mode transparent
SW2(config)#vtp version 2
Setting device to VTP TRANSPARENT mode.
SW2(config)#end
SW2#show vtp status
VTP Version : running VTP2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x06 0x97 0x82 0xDA 0x39 0x52 0x1E 0xF2
Configuration last modified by 192.168.255.252 at 0-0-00 00:00:00
SW2#
Step 2. – Configure VTP Pruning on the VTP server and verify that the configuration was propagated to the VTP Client.
To configure VTP pruning, use the vtp pruning command in global configuration on the VTP Server only; this setting gets propagated to all VTP clients in the same VTP domain as shown below:
SW1 con0 is now available
Press RETURN to get started.
SW1>enable
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vtp pruning
Pruning switched on
SW1(config)#end
SW1#show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 36
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : CISCO
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x2E 0x9F 0x5E 0x57 0xE3 0x87 0x46 0xFA
Configuration last modified by 10.1.5.1 at 3-1-02 00:10:56
Local updater ID is 10.1.5.1 on interface Vl5 (lowest numbered VLAN interface found)
SW1#
Shown below is verification that VTP Pruning is being properly propagated to SW3 from the VTP Server (SW1):
SW3#show vtp status
VTP Version : 2
Configuration Revision : 3
Maximum VLANs supported locally : 36
Number of existing VLANs : 8
VTP Operating Mode : Client
VTP Domain Name : CISCO
VTP Pruning Mode : Enabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x77 0xF2 0x86 0xA4 0x3C 0x21 0x09 0xC0
Configuration last modified by 10.1.5.1 at 3-1-02 00:17:21
SW3#
Step 3. – Verify that VTP Pruning is functioning properly by viewing the pruning list on SW1.
To view this information, use the show interface trunk command in user or privileged mode as shown below:
SW3#show interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/13 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/13 1-4094
Port Vlans allowed and active in management domain
Fa0/13 1,10,20,30
Port Vlans in spanning tree forwarding state and not pruned
Fa0/13 1,10
SW3#
As shown in the SW3 show interface trunk output above, on port Fa0/13 the VLANs that are forwarding and not pruned on that trunk link are VLANs 1 and 10; VLANs 20 and 30 are active in the management domain but have been pruned from this trunk.
When a transparent switch sits in a VTP transit path, the VLANs whose traffic crosses it must exist on it. Keep in mind that for traffic to pass through the transparent switch, the transparent switch must have the VLAN configured for that traffic. For example, for traffic from SW1 on VLAN 10 to reach SW3 on VLAN 10 through SW2, SW2 must have VLAN 10 configured on it or the traffic will be dropped.
You can verify this by pinging SW3's VLAN 10 interface from SW1 as shown below:
SW1#ping 10.10.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.13.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
SW1#
The ping is successful because VLAN 10 is already configured on SW2 as per the lab prerequisites. However, if you remove VLAN 10 from SW2 and ping SW3's VLAN 10 interface from SW1 again, it will fail as shown below:
SW2#configure terminal
SW2(config)#no vlan 10
SW2(config)#end
SW2#
SW1#ping 10.10.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.13.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW1#
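The verification in Steps 2 and 3 (pruning propagated from the server to the client, pruned VLANs on the trunk) and the transit-VLAN check above are things you will want to repeat on every switch in a domain, not just in a lab. The script below is an added example, not part of this lab and not a Cisco tool: it parses the show vtp status and show interface trunk text as printed on this page (the sample strings are constructed from the lab's own outputs, trimmed to the fields used), audits that pruning and the domain name match between server and clients, lists which active VLANs a trunk has pruned, and reports which active VLANs a transparent transit switch is missing. The switch names, the port and the transit VLAN set passed to the functions are assumptions for illustration.

```python
import re

# Constructed samples, shaped like the lab's own 'show vtp status' output
# (trimmed to the fields the audit reads).
SW1_VTP_STATUS = """\
VTP Version : 2
Configuration Revision : 2
VTP Operating Mode : Server
VTP Domain Name : CISCO
VTP Pruning Mode : Enabled
"""
SW2_VTP_STATUS = """\
VTP Version : running VTP2
Configuration Revision : 0
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
"""
SW3_VTP_STATUS = """\
VTP Version : 2
Configuration Revision : 3
VTP Operating Mode : Client
VTP Domain Name : CISCO
VTP Pruning Mode : Enabled
"""
# Constructed sample of SW3's 'show interface trunk' output from the lab.
SW3_TRUNK = """\
Port Mode Encapsulation Status Native vlan
Fa0/13 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/13 1-4094
Port Vlans allowed and active in management domain
Fa0/13 1,10,20,30
Port Vlans in spanning tree forwarding state and not pruned
Fa0/13 1,10
"""


def parse_vtp_status(text):
    """Turn the 'Key : Value' lines of 'show vtp status' into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10-12,20' into a set of VLAN IDs."""
    vlans = set()
    spec = spec.strip()
    if not spec or spec.lower() == "none":
        return vlans
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk(text):
    """Parse 'show interface trunk' into {port: {section: set_of_vlans}}.

    Each VLAN section starts with a 'Port <title>' header and is followed by
    one line per trunk port; the first (Mode/Encapsulation) section is skipped.
    """
    sections = {
        "Vlans allowed on trunk": "allowed",
        "Vlans allowed and active in management domain": "active",
        "Vlans in spanning tree forwarding state and not pruned": "not_pruned",
    }
    result, current = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):
            current = sections.get(line[len("Port"):].strip())
            continue
        if current is None or not line.strip():
            continue
        port, _, vlans = line.partition(" ")
        result.setdefault(port, {})[current] = expand_vlan_list(vlans)
    return result


def audit_pruning(server, clients):
    """Findings for clients whose domain or pruning state disagrees with the server."""
    findings = []
    if server.get("VTP Pruning Mode") != "Enabled":
        findings.append("server: VTP pruning is not enabled")
    for name, status in clients.items():
        if status.get("VTP Domain Name") != server.get("VTP Domain Name"):
            findings.append(f"{name}: VTP domain name differs from server")
        if status.get("VTP Pruning Mode") != server.get("VTP Pruning Mode"):
            findings.append(f"{name}: pruning state not propagated from server")
    return findings


def pruned_vlans(trunk, port):
    """VLANs active in the management domain but pruned from this trunk port."""
    return trunk[port]["active"] - trunk[port]["not_pruned"]


def missing_transit_vlans(transit_vlans, trunk, port):
    """Active VLANs that a transparent transit switch lacks and would therefore drop."""
    return trunk[port]["active"] - set(transit_vlans)


if __name__ == "__main__":
    sw1, sw2, sw3 = (parse_vtp_status(s) for s in (SW1_VTP_STATUS, SW2_VTP_STATUS, SW3_VTP_STATUS))
    print("SW2 transparent:", sw2["VTP Operating Mode"] == "Transparent")
    print("pruning audit:", audit_pruning(sw1, {"SW3": sw3}) or "OK")
    trunk = parse_trunk(SW3_TRUNK)
    print("pruned on Fa0/13:", sorted(pruned_vlans(trunk, "Fa0/13")))
    # Assumed VLAN database of SW2 after 'no vlan 10' from the lab.
    print("SW2 missing:", sorted(missing_transit_vlans({1, 20, 30}, trunk, "Fa0/13")))
```

Run against the page's outputs, the audit returns no findings, the pruned set for Fa0/13 is {20, 30}, and once VLAN 10 is removed from the transit switch's database the missing set is {10}, which matches the failed ping at the end of the lab. Feeding it real captures simply means replacing the constructed strings with the text returned by the switches.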