So let's continue on with our discussion of the VLAN Trunking Protocol. Now there are three key VTP settings that you have to have in order for VTP to work properly. Really only one of them is required, but you need to set all three of them if you're going to use VTP to its fullest potential. The first is the VTP Domain. The VTP Domain is the name of the VTP "area", and I've used those quotes there because those aren't actually official terms; it's just the name that you give your VTP Domain, hence the VTP Domain Name. That's really the best way I can think of to describe it; it'll make a little more sense when we actually set up VTP in the lab. Now the VTP Domain Name will default to null, but it will set itself to whatever the neighbor is sending if it's a VTP client, or in some cases even if it's a VTP server. Now obviously the VTP Domain Name has to be the same on all the switches. You'll recall when we talked about the Dynamic Trunking Protocol that if the VTP Domain Name was not the same on two switches that were trying to negotiate a trunk, the trunk just wouldn't come up and you'd get that error message that says, hey, their VTP Domain Name is different than mine. The second is the VTP Password. The VTP Password is not required, but again it is useful, because the VTP information, as far as the VTP Domain anyway, is actually sent in plain text across the network. So if someone sniffs the VTP Domain Name out of the VTP packets and then configures that on their switch without a password, then they could in theory associate with your VTP Domain and do all kinds of interesting things to VTP: configure themselves as a server and make their VTP database revision higher than the production revision, and well, we'll see what happens when that occurs later on in the slide deck here. The VTP Password can be learned in the same manner as the VTP Domain Name.

So if you have a switch that's set up as null and it's set up as a client, it will absorb both the password and the VTP Domain. Real useful there, but if you're going to set up VTP, you need to at least set up a password, at least take the (unintelligible) of security that's available to you. And lastly the VTP Version. You set the VTP Version on the server; it must match on all the switches, and when you set it on the server it's automatically pushed out to all of the clients and they just automatically update to VTP Version 2.

So how does VTP work, at least from a high-level view? Well, here's a little diagram that I used on the CCNA slide deck, and it works pretty well, so I'm going to use it here. So you've got a network that's set up like this: you've got a VTP server there up top, and all the other switches are VTP clients, configured per the actual best practices from Cisco. Let's say you update the VLAN information on the VTP server and it goes from Revision 6 to Revision 7. Well, the server sends out a notification to all of its directly connected switches saying, hey, there's a VLAN database update, go to version 7 and here are the changes. Those clients then absorb those changes and push them out to their directly connected switches: hey, there's an update, version 6 to version 7, here you go, and so on and so forth. If you've got 300 switches in your VTP Domain, well then you've got 300 iterations of this, and this all happens pretty quickly. I mean, you've seen routing updates and other STP updates on switches before, and this happens very quickly, just like those updates.

So how can VTP kill your network? Well, let's go back to our previous little network design minus a switch. You've got a VTP server up here, and it has VLAN database revision 27 with those three VLANs, VLAN 10, 20 and 30. We'll assume for this diagram that everything else is a client, and so they'll all just accept these updates; I didn't draw them out on here just to save space. Well, let's say you have a switch that's in a lab, or you have a switch that's a malicious attack or whatever; it's configured as a VTP server, and you connect it to this switch here, and it has VLAN database revision 187, which is obviously higher than 27. And it advertises that VLAN database out to its directly connected client; however, this switch is saying, I know about VLAN 42, 44 and 46. Well, since this VLAN database revision is higher, everybody else says, well, yours is higher, yours must be better, let me just overwrite my VLAN configuration and put in yours. Well, what that means is that all of these access switch ports that were in VLANs 10, 20 and 30 are now not in any VLAN at all, so they're just kind of like, well, what happened? My VLAN went away. What happens if you're in a wiring closet when this happens is that all the switch ports go amber. It's really fun to watch: plug up the switch and everything goes amber, and you just go, oh my goodness, I've just killed the network. So now you're left running around all these switches restoring the configuration; you've got a major network outage. This is the reason why most administrators just completely disable VTP, or they set it all in Transparent Mode, which is pretty much disabling it.

So the last thing we'll talk about is VTP Pruning, and this is one of the advantages of having VTP running: VTP will handle pruning out VLANs that are not necessary. For example, up here on the router garlic we have all of these different colored VLANs here. Well, obviously down in this path we don't have any switch ports that are in VLAN 5, and so on this path VLAN 5 is pruned out, and down here VLAN 2 is pruned out, because we don't have anything in 2 or 5. So we're not even going to pass those broadcasts down this path. Obviously down here we have no pruning, because we've got switches down here that have all of the ports and all of the VLANs, but on these two links to Gorgonzola and Brie we are pruning 4 and 6 and 3 and 5, because you'll see there are no ports in those VLANs on those switches. Now you can do this manually in the configuration; you can go into your VLAN trunks and say, hey, I don't want to pass VLAN 4 or VLAN 6 or whatever. VTP, if you're running it, will do this automatically for you if VTP Pruning is enabled. And we'll show you how that works in the lab, but again, in order to do this you have to be running VTP, and again most people don't, because you can just kill your entire network. And that concludes our discussion of the VLAN Trunking Protocol.
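As an added illustration, not taken from the course or its lab, here is what the three VTP settings, the transparent-mode safeguard and pruning look like in Cisco IOS configuration; the domain name CHEESE, the password and the interface number are made-up values.

```cisco
! --- Weak: what a factory-default or lab switch looks like (constructed example) ---
! Server mode, no password. If its configuration revision is higher than
! production (187 vs 27 in the lecture), its VLAN database wins once a trunk forms.
Switch(config)# vtp mode server
Switch(config)# vtp domain CHEESE
! (no "vtp password" line: any switch that learns the domain name can join)

! --- Hardened server: exactly one per domain ---
Switch(config)# vtp domain CHEESE
Switch(config)# vtp password Gr4ter-Pr0t3ct
Switch(config)# vtp version 2
Switch(config)# vtp mode server
Switch(config)# vtp pruning

! --- Every other production switch: same domain and password, client mode ---
! Advertisements carry an MD5 digest computed over the password, so a
! switch with the wrong password (or none) has its updates rejected.
Switch(config)# vtp domain CHEESE
Switch(config)# vtp password Gr4ter-Pr0t3ct
Switch(config)# vtp mode client

! --- Any lab or unknown switch before it touches a production trunk ---
! Transparent mode neither learns nor applies incoming advertisements and
! resets the configuration revision to 0, so it cannot overwrite anyone.
Switch(config)# vtp mode transparent

! --- Manual alternative to VTP pruning on a single trunk ---
Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)# switchport trunk allowed vlan remove 4,6

! --- Check before plugging a trunk in ---
! Compare VTP Operating Mode, VTP Domain Name, Configuration Revision,
! VTP Pruning Mode and MD5 digest against the production server's values.
Switch# show vtp status
Switch# show vtp password
```

The revision counter, not the age of the database, decides which copy wins, so the "show vtp status" comparison is the check worth doing every time a server-mode switch is introduced.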
| Course: | Implementing Cisco IP Switched Networks (642-813 SWITCH) |
| Author: | Greg Dickinson |
| SKU: | 34304 |
| ISBN: | 978-1-61866-041-1 |
| Release Date: | 2012-04-20 |
| Duration: | 8.5 hrs / 102 lessons |
| Captions: | No |
| Compatibility: | Vista/XP/2000, OS X, Linux, QuickTime 7, Flash 8 |