VTP Domain - Server renames other servers?

Answered Question
May 28th, 2010

I was doing some reading in my Cisco Academy Training - Chapter 4 of the Switching Fundamentals and they are going over VTP.

It showed an example where 3 VTP Servers existed. All 3 switches were connected, and all three were VTP Servers (not clients). The S1 VTP Server was able to send out the VTP Domain name (Cisco) to replace "null" entries on the other VTP Domain Servers.

I was just trying to understand how that is possible? I thought that only Clients could be sent information and instructions.

Why would there be 3 VTP Servers on one network? The example did not make sense....

Of course I am sure I might have overlooked something -- hope to hear from anyone who can help. Thank you in advance - your knowledge is appreciated.

-Joe

Correct Answer
rtjensen4 Fri, 05/28/2010 - 12:03

Hi Joe,

The VTP server is the one that makes the changes to the VTP domain. By default, all switches are VTP servers in the (null) VTP domain. Once a VTP server has been configured with a VTP domain, it starts sending out VTP advertisements with that domain name, and other switches that have a (null) domain join it.

VTP clients can't make updates to their local VLAN database. VTP Servers accept updates from other VTP servers in the same VTP domain. VTP clients accept updates from the VTP servers in the same VTP domain.

There is one gotcha with VTP that would allow a VTP Client to make changes to the VLAN database of the VTP Server and it has to do with the Revision number.

When there's a change to the VLAN information, the VTP revision number is incremented by one and an update is sent out. If a switch receives an update with a higher revision number, it processes the update. If the received update is lower than its revision number, it will simply ignore the message. The gotcha is that if a VTP domain has a revision number of X, and a switch is joined to the network that is configured with the same VTP domain name and a higher revision, even if it's a VTP client, and that VTP client starts sending VTP messages... the VTP server will see the higher revision number coming from the VTP client switch and update its VLAN database. This could result in all the "Good" VLANs being replaced with junk information. It's important to ensure there is not any lingering VTP data on a switch that you're adding to the network.

HTH

Ryan.
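
Ryan's revision-number gotcha, as a small Python model added here (it is not code from the thread or from Cisco). It applies the rule his post describes: a server or client in the same domain replaces its VLAN database when it hears a higher revision and ignores a lower or equal one, a switch still in the (null) domain adopts the first domain it hears, and transparent mode never synchronises. The switch names, domain names, VLAN contents and the reset_revision helper (modelling the usual hygiene step of changing the domain name or toggling transparent mode so the revision returns to 0 before a recycled switch is connected) are all constructed for the illustration.

```python
"""Model of how VTP switches accept or ignore advertisements (added
example, not code from the thread or from Cisco). Switch names, domain
names and VLAN contents below are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VtpSwitch:
    name: str
    mode: str                      # "server", "client" or "transparent"
    domain: Optional[str]          # None models the default (null) domain
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=dict)   # vlan id -> name

    def configure_vlan(self, vid: int, vname: str) -> None:
        """Local VLAN edit. Clients cannot edit; only servers bump the revision."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot edit the VLAN database")
        self.vlans[vid] = vname
        if self.mode == "server":
            self.revision += 1

    def reset_revision(self) -> None:
        """Assumed hygiene step: changing the domain name (or toggling
        transparent mode) zeroes the revision before the switch is connected."""
        self.revision = 0

    def advertise(self) -> Optional[dict]:
        """Servers and clients both relay summary advertisements for their domain."""
        if self.mode == "transparent" or self.domain is None:
            return None
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv: Optional[dict]) -> bool:
        """Apply the revision rule; return True if the local database was replaced."""
        if adv is None or self.mode == "transparent":
            return False
        if self.domain is None:
            self.domain = adv["domain"]      # null-domain switch joins the domain it hears
        elif adv["domain"] != self.domain:
            return False                     # other domains are ignored
        if adv["revision"] <= self.revision:
            return False                     # lower or equal revision: ignored
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return True


def converge(switches: List[VtpSwitch], max_rounds: int = 10) -> None:
    """Flood advertisements between all switches until nothing changes."""
    for _ in range(max_rounds):
        changed = False
        for src in switches:
            adv = src.advertise()
            for dst in switches:
                if dst is not src and dst.receive(adv):
                    changed = True
        if not changed:
            return
    raise RuntimeError("VTP model did not converge")


def null_domain_join_scenario() -> List[Optional[str]]:
    """Joe's textbook case: one server configured with domain 'Cisco'
    pulls in two other servers that still have the null domain."""
    s1 = VtpSwitch("S1", "server", "Cisco")
    s1.configure_vlan(10, "users")
    s2, s3 = VtpSwitch("S2", "server", None), VtpSwitch("S3", "server", None)
    converge([s1, s2, s3])
    return [s.domain for s in (s1, s2, s3)]


def _production_pair():
    core = VtpSwitch("core1", "server", "CORPNET", 5, {10: "users", 20: "servers"})
    access = VtpSwitch("access1", "client", "CORPNET", 5, dict(core.vlans))
    return core, access


def stale_client_scenario():
    """Ryan's gotcha: a recycled client with the same domain name and a
    higher revision overwrites the server's VLAN database with junk."""
    core, access = _production_pair()
    recycled = VtpSwitch("lab-recycled", "client", "CORPNET", 42, {99: "lab-junk"})
    converge([core, access, recycled])
    return core.vlans, core.revision


def mitigated_scenario():
    """Same recycled switch, but its revision is reset before it is connected."""
    core, access = _production_pair()
    recycled = VtpSwitch("lab-recycled", "client", "CORPNET", 42, {99: "lab-junk"})
    recycled.reset_revision()
    converge([core, access, recycled])
    return core.vlans, recycled.vlans


if __name__ == "__main__":
    print("null-domain join:", null_domain_join_scenario())
    print("stale client    :", stale_client_scenario())
    print("after reset     :", mitigated_scenario())
```

The stale-client run ends with the server holding revision 42 and only the junk VLAN, which is exactly the failure Ryan warns about; the mitigated run shows that once the recycled switch starts at revision 0 it is the one that gets overwritten, so the production database survives.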

Correct Answer
Jon Marshall Fri, 05/28/2010 - 12:15

Joe

Just to add to Ryan's post. In production networks you will often find that at least 2 switches are assigned to be VTP servers. This does not create a problem for the reasons Ryan has covered but it does mean if one of the switches fails you still have an active VTP server to make your vlan updates on.

Jon

joealbergo Fri, 05/28/2010 - 13:17

Jon

How do the servers know which information to propagate from? One or the other? Does one take precedence over the other? Like a DR/BDR type deal?

Joe

Correct Answer
Federico Coto F... Fri, 05/28/2010 - 13:19

Joseph,

If having multiple VTP servers, they will synchronize to the one that has the latest revision number (no DR/BDR concept).

Federico.

Correct Answer
Jon Marshall Fri, 05/28/2010 - 13:26

Joe

As Federico says it is the highest revision number. In practice this means you can update the vlan info on either VTP server because once the switches have all been updated they should have the same VTP revision number. So if both VTP servers have the same revision number it doesn't matter which one you update because it will then have the higher revision number so all the other switches will synchronise to that one including the other VTP server.

Jon

joealbergo Fri, 05/28/2010 - 14:49

Everyone,

Forgive me however, I was taught to only use one VTP Domain Server and that you could only have one. I am fully understanding the VTP and really appreciate your replies to my post. Your time is valuable and I thank you for explaining it to me.

I want to run over just quickly and ask another question....

If I have a network, where would I want to use more than just 1 VTP Domain? Thanks again...

Jon Marshall Fri, 05/28/2010 - 15:03

Joe

I think there is a misunderstanding. We are talking about 2 VTP servers for the same domain. Not 2 different domains. You are right that generally speaking you only want one VTP domain per L2 switched network.

Jon

Correct Answer
Jon Marshall Fri, 05/28/2010 - 15:29

joealbergo wrote:

Alright -

1 VTP Domain has how many servers?

Joe

As a general rule in production networks you have 2 VTP servers per VTP domain.

Jon

Correct Answer
Federico Coto F... Fri, 05/28/2010 - 15:29

Joseph,

As Jon said.... usually 1 VTP server per domain, however you can have two (or more) for redundancy.

Federico.

joealbergo Fri, 05/28/2010 - 15:32

Okay so two servers or more for redundancy - got it.

Then how about splitting up the Domain, what situation would call for more than one Domain?

Correct Answer
Jon Marshall Fri, 05/28/2010 - 15:39

Joe

You generally wouldn't split up your VTP domain. You could end up with multiple VTP domains in the same company if your company merges with another one and you have to integrate 2 VTP domains into one.

But it's important to realise that a VTP domain is only relevant at L2. So at the last place I worked we had multiple sites and all the sites were connected by L3 routed links. Each site had its own VTP domain so we had multiple VTP domains within the network but each VTP domain was independent of any of the others and separated by a L3 link.

However there may be times when you would want separate VTP domains within the same L2 network for security reasons ie. you don't want the same vlans on all switches but if you need that you may as well use VTP transparent mode and explicitly configure each switch with the vlans you want.

Jon

joealbergo Fri, 05/28/2010 - 15:59

I understand the placement of VTP Domains and when I can separate them.

Your example really made a lot of sense to me.

--If I am trying to be extra secure with my VLAN setup I can:

     1. Set up VLAN's (xx) and (xxx) on one group of switches

     2. This group of switches will be separate and have their own VTP Domain.

-and-

     3. Set up VLAN's (aa) and (aaa) on another group of switches

     4. These will have their own VTP Domain as well.

Complete separation of VLAN's - easier to manage perhaps in case of an outage.

-------------------------------------------------------------------------------------------------------

If I was working with different sites, each site will have different cable and equipment setups so I would have to maintain VTP Domains at each site.

If separated at a Level 3 Router at each site - I can still communicate through the VLAN's - just my VTP Domains will be controlled by the Server dedicated to each site.

I think I'm following...

Jon Marshall Fri, 05/28/2010 - 16:10

Joe

If I was working with different sites, each site will have different cable and equipment setups so I would have to maintain VTP Domains at each site.

Whether you need to run different VTP domains at each site depends on the connectivity between sites ie. if they are L2 connections then yes you could run a common VTP domain. If L3 you can't.

If separated at a Level 3 Router at each site - I can still communicate through the VLAN's - just my VTP Domains will be controlled by the Server dedicated to each site.

If 2 sites are separated by a L3 link you can't have the same vlan in both places. You can use the same vlan number but they won't be the same L2 vlan.

If you really want to be secure you are better looking to use VTP transparent which gives you ultimate control over which vlans are on which switch.

Jon

joealbergo Fri, 05/28/2010 - 16:16

Jon

So getting back to VLAN's -

Once I reach my first L3 Router - that is my boundary?

Basically outside of that router VLAN's are different.

S1>------S2>------S3>-------R1>----------S3>----S2>-----S1>

VLAN1-VLAN2-VLAN3-------------|---------VLAN4-VLAN5-VLAN6

These VLAN's are not going to be able to communicate outside the R1 boundary?

Correct Answer
Jon Marshall Fri, 05/28/2010 - 16:24

joealbergo wrote:

Jon

So getting back to VLAN's -

Once I reach my first L3 Router - that is my boundary?

Basically outside of that router VLAN's are different.

S1>------S2>------S3>-------R1>----------S3>----S2>-----S1>

VLAN1-VLAN2-VLAN3-------------|---------VLAN4-VLAN5-VLAN6

These VLAN's are not going to be able to communicate outside the R1 boundary?


Joe

Correct. In your example R1 & R2 form a limit to vlans. So even if it was vlan1-vlan2-vlan3 on both sides they would not be the same vlans.

Bear in mind when you say they can't communicate with each other over a L3 boundary, that is they can't communicate at L2. Obviously devices in vlan 2 for example could communicate with devices in vlan 5 from your above example by routing between the sites.

Jon

joealbergo Fri, 05/28/2010 - 19:44

The VTP Domain traffic is at layer 2 on the switches -

So VTP traffic is not sent across.

The layer 3 Router will allow data between the VLAN's because it will re-route the data back to the VLAN's going through the Router's Sub Ethernet Interfaces.

Switches - sending traffic from one VLAN to OTHER VLAN's (with different ID's) must use a Router.

A Router will receive the traffic from VLAN 30 with the destination to VLAN 20 -

The Router will re-tag the data and send it back with the destination tag of VLAN 20.

The proper switch and VLAN receives that then?

I hope I am still with you - but speak on brother, speak on wise one.

Jon Marshall Sat, 05/29/2010 - 04:23

joealbergo wrote:

The VTP Domain traffic is at layer 2 on the switches -

So VTP traffic is not sent across.

The layer 3 Router will allow data between the VLAN's because it will re-route the data back to the VLAN's going through the Router's Sub Ethernet Interfaces.

Switches - sending traffic from one VLAN to OTHER VLAN's (with different ID's) must use a Router.

A Router will receive the traffic from VLAN 30 with the destination to VLAN 20 -

The Router will re-tag the data and send it back with the destination tag of VLAN 20.

The proper switch and VLAN receives that then?

I hope I am still with you - but speak on brother, speak on wise one.

Joe

Not sure about the "wise one"

Some examples will help with this but first a few key points.

1) a vlan is a L2 concept only. To forward packets within the same vlan mac-addresses are used as the destination address.

2) 99% of the time there is a 1-1 relationship between a L2 vlan and a L3 IP subnet.

3) To send data from one vlan to another vlan you do indeed need a L3 device, either a router or a L3 switch.


vlans 5/6 -> sw1 -> L2 trunk -> R1 -> routed link -> R2 -> L2 trunk -> sw2 -> vlans 7/8

in the above R1 and R2 are using 802.1q subinterfaces on their LAN interfaces. The link between R1 & R2 is a simple routed link. sw1 & sw2 are L2 switches.

vlan 5 = 192.168.5.0/24
vlan 7 = 192.168.6.0/24

H1 = 192.168.5.10
H2 = 192.168.6.10

H1 sends a packet to H2

1) H1 knows it is on network 192.168.5.0 because it knows its address and it knows its subnet mask.
2) H1 compares H2's IP address with its own subnet mask and works out that H2 is on the 192.168.6.0 network. Because the networks do not match H1 needs to send the packet to its default-gateway which is the subinterface for vlan 5 on R1.
3) Assuming H1 has the mac-address of R1's vlan 5 subinterface it sends the frame out of its NIC.
4) sw1 receives the packet on a port allocated to vlan 5, sees the destination IP is for R1 vlan 5 subinterface, also sees that is via a trunk so adds an 802.1q tag identifying this frame to be in vlan 5 and sends it to R1.
5) R1 receives the frame, strips the tag, looks up the destination IP, and realises it has to send it to R2.
6) Assuming R1 has R2's L2 address it sends it to R2.
7) R2 does a lookup on the destination IP, sees it is on a directly connected subinterface, adds a vlan tag and sends it to sw2.
8) sw2 strips the tag and sends it to H2.

Note that vlan tags were only relevant between the L2 switch and the LAN interfaces of the routers. When the packet was routed between R1 & R2 there was no vlan tag and in fact there was no real concept of a vlan. The reason I specified R2's L2 address in point 6) above was that the routed link could be across ethernet in which case it would be a mac-address but it could also be frame-relay using DLCIs, ATM using VPI/VCIs etc..

Next example is a setup you are far more likely to see in production networks -

vlans 5/6 -> sw1 -> L2 trunk -> sw2 -> routed link -> R1 -> routed link -> R2 -> routed link -> sw3 ->  L2 trunk -> sw4 -> vlans 7/8

sw1 and sw4 are still L2 only switches.
sw2 and sw3 are L3 switches which are now responsible for routing between vlans.
R1 and R2 are not now using subinterfaces and are not running 802.1q.

If H1 sends a packet to H2 it's pretty much the same process as above except that the vlan tagging only takes place between the switches in either site. When the routers receive the frames on their LAN interfaces there is no vlan tagging at all.

In both the above examples each site would have its own VTP domain and there would be no communication between the 2 domains. You could if you wanted give them the same name and it would make no difference ie. they would still be independent VTP domains with no communication between each other. Note also that in the above examples the vlan numbers are different in each site but you could if you wanted use the same vlan numbers in each site. This does not make them the same vlan ie. a host in vlan 5 in site1 is not in the same vlan as a host in vlan 5 in site2.

What you can't do is have a vlan in site1 using the same IP subnet as a vlan in site2 and then expect them to be able to communicate with each other. Because you cannot route to the same subnet. You can switch within the same subnet but not route within the same subnet.

Jon
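
Jon's first topology (sw1 -> R1 -> routed link -> R2 -> sw2) as a hop-by-hop Python model, added here as an illustration and not code from the thread. It records on which links an 802.1Q tag is present: only on the trunk between an access switch and its router subinterface, never on the routed link between the routers. The vlan 5 / vlan 7 subnets and the H1/H2 addresses are the ones in the post; the device names, H3, H4 and site2's reuse of the 192.168.5.0/24 subnet are constructed so the model also shows the two failure cases from the last paragraph: a host in the same subnet never sends to its gateway, and a router that has that subnet directly connected will never forward it to the other site.

```python
"""Hop-by-hop model of inter-VLAN routing between two sites (added example,
not code from the thread). Device names, H3, H4 and the duplicate subnet at
site2 are constructed; the vlan 5/7 subnets and H1/H2 are from the post."""

import ipaddress
from typing import List, Optional, Tuple

# vlan id -> IP subnet per site. site2's vlan 5 reuses site1's subnet on
# purpose (constructed misconfiguration) to show why it is unreachable.
SITES = {
    "site1": {"switch": "sw1", "router": "R1",
              "vlans": {5: ipaddress.ip_network("192.168.5.0/24")}},
    "site2": {"switch": "sw2", "router": "R2",
              "vlans": {7: ipaddress.ip_network("192.168.6.0/24"),
                        5: ipaddress.ip_network("192.168.5.0/24")}},
}
OTHER = {"site1": "site2", "site2": "site1"}

# host -> (address, site, access vlan). H1/H2 from the post; H3/H4 constructed.
HOSTS = {
    "H1": ("192.168.5.10", "site1", 5),
    "H2": ("192.168.6.10", "site2", 7),
    "H3": ("192.168.5.20", "site1", 5),
    "H4": ("192.168.5.30", "site2", 5),
}

Hop = Tuple[str, str, Optional[int]]   # (from, to, 802.1Q tag on that link or None)


def route_lookup(site: str, dst_ip: str) -> Tuple[str, object]:
    """Routing decision of the site's router: a directly connected
    subinterface wins, otherwise the routed link to the other site."""
    addr = ipaddress.ip_address(dst_ip)
    for vlan, net in SITES[site]["vlans"].items():
        if addr in net:
            return "connected", vlan
    return "via", OTHER[site]


def _deliver(site: str, vlan: int, dst: str, hops: List[Hop]) -> Tuple[bool, List[Hop]]:
    """Final L2 delivery out of an access port; fails if dst is not really
    in that vlan at that site (the frame is flooded and nobody answers)."""
    _, dst_site, dst_vlan = HOSTS[dst]
    if (dst_site, dst_vlan) != (site, vlan):
        return False, hops
    hops.append((SITES[site]["switch"], dst, None))
    return True, hops


def trace_path(src: str, dst: str) -> Tuple[bool, List[Hop]]:
    """Return (delivered, hops) for an IP packet from host src to host dst."""
    _, src_site, src_vlan = HOSTS[src]
    dst_ip = HOSTS[dst][0]
    sw, rtr = SITES[src_site]["switch"], SITES[src_site]["router"]
    hops: List[Hop] = [(src, sw, None)]              # access port: untagged

    # Step 2 of the post: compare dst with the local subnet mask. Same
    # subnet means the host switches at L2 and never uses its gateway.
    if ipaddress.ip_address(dst_ip) in SITES[src_site]["vlans"][src_vlan]:
        return _deliver(src_site, src_vlan, dst, hops)

    hops.append((sw, rtr, src_vlan))                  # trunk: sw adds the tag
    kind, where = route_lookup(src_site, dst_ip)      # router strips tag, looks up dst
    if kind == "connected":                           # router-on-a-stick, same site
        hops.append((rtr, sw, where))
        return _deliver(src_site, where, dst, hops)
    rtr2, sw2 = SITES[where]["router"], SITES[where]["switch"]
    hops.append((rtr, rtr2, None))                    # routed link: no tag, no vlan
    kind2, vlan2 = route_lookup(where, dst_ip)
    if kind2 != "connected":
        return False, hops                            # no such subnet anywhere
    hops.append((rtr2, sw2, vlan2))                   # R2 adds the tag for dst's vlan
    return _deliver(where, vlan2, dst, hops)          # sw2 strips it on the access port


if __name__ == "__main__":
    for pair in (("H1", "H2"), ("H1", "H3"), ("H1", "H4"), ("H2", "H1")):
        print(pair, trace_path(*pair))
```

For H1 to H2 the tag sequence is untagged, 5, untagged, 7, untagged, matching the post's steps 4 to 8. H1 to H4 fails at the first hop because H1 believes 192.168.5.30 is local, and H2 to H1 fails because R2 also has 192.168.5.0/24 connected and so never sends the packet across the routed link: you can switch within a subnet but you cannot route to it from a second copy of the same subnet.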
