Tuesday 10 February 2015

Things You Should Know About VTP Versions

Cisco has introduced several versions of the VTP protocol over the years, each trying to overcome the issues of the earlier one. The latest version available today is version 3. As a network engineer you should know exactly the differences between each version and, most importantly, the security impact each can have on your network, so you can make an educated decision on whether to use this tool or not.

So before going too deep, what is it?

Well, in a nutshell, it is a protocol that should make your life easier by propagating VLAN information throughout your switching infrastructure.

First of all, let's take a look at each protocol and go over their features.

VTP Version and Feature differences


VTP version 1
  • Only supports the "normal" range VLANs (1 - 1005)
  • Default VTP version on Enterprise IOS based switches
  • Plain-text password or MD5 password
  • Modes of operation: Server, Client or Transparent
VTP version 2
  • Supports the normal range VLANs (1 - 1005)
  • If extended VLAN (1006 - 4094) support is needed, the switch needs to be put in Transparent mode.
  • Adds unknown TLV support
  • Supports Token Ring Concentrator Relay Function and Bridge Relay Function
  • Optimized VLAN database consistency checks
  • Plain-text password or MD5 password
  • Modes of operation: Server, Client or Transparent
VTP version 3

  • Supports extended VLANs.
  • Private VLAN support
  • VTP "off" mode support (also supported on a per-interface basis)
  • SPAN VLAN support
  • Password storage and usage has been improved
  • Option to store the password in encrypted format (so you can't read the real password from the configuration file). The encrypted string can be applied (copy-pasted) to other switches directly. The password must be entered in plain text when you promote a server to the PRIMARY server (more on primary servers below).
  • To improve security (especially to remedy some of the major issues with VTP v1/v2), the following server roles are defined:
    • Primary server
    • Secondary server
    • The primary server state is a run-time state and is kept in the running-config only. Only the primary server is allowed to modify VTP domain content. A secondary server CAN NOT change anything unless you promote it to be the primary server, in which case the existing primary server goes back to being a secondary server. The server role is changed at the privileged exec level.

VTP Transparent mode (all versions) - things you might want to know:

  • If the configured domain is NULL (which is what you get if you didn't configure anything), all VTP versions will pass VTP messages through without checking the domain name of the incoming VTP message.
  • If a domain is configured, then only VTP messages with a matching domain name will be forwarded; everything else will be dropped.

VTP version 1 & 2 message structure

   Message types:
  1. Summary Advertisement
  2. Subset Advertisement
  3. Advertisement Request
  4. Join Message

   Summary Advertisement:

  • Sent by servers and clients every 5 minutes and at each modification of the VLAN database.
  • Carries: the domain name, the configuration revision number, the identity of the switch that made the last update, the timestamp of the last update, an MD5 hash calculated over the contents of the VLAN database and the VTP password (if configured), and the number of Subset Advertisement messages that optionally follow this Summary Advertisement. Summary Advertisements DO NOT carry any VLAN database contents.

   Subset Advertisement:
  • Sent by servers and clients after a modification is made to the VLAN database.
  • Carries the full contents of the VLAN database.
  • If the VLAN DB is too big, more than one Subset Advertisement may be sent.

   Advertisement Request:

  • Originated by both VTP servers and clients when reloaded, when a switch goes into client mode, or when a Summary Advertisement is received with a higher configuration revision number.

   Join Message:
  • Sent by every server and client every 6 seconds IF VTP pruning is active. This message carries information about which VLANs are actually in use and which are not (i.e. pruned).
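As an added example (not code from the original post), here is a small Python decoder for the Summary Advertisement fields just listed, together with the kind of check a monitoring script would run on them: flag a summary in our own domain whose revision is higher than the one we hold, since that is exactly the condition under which the VLAN database gets replaced. The byte layout (version, code, followers, 32-byte zero-padded domain name, 4-byte revision, 4-byte updater identity, 12-byte timestamp, 16-byte MD5 digest) follows Cisco's documented VTP frame format and parsing starts at the VTP payload, after the 802.2/SNAP encapsulation. The sample frame, the domain name CORP, the address 10.0.0.1, the timestamp and the digest value are constructed for this example; build_summary exists only to construct that sample.

```python
import struct
from dataclasses import dataclass

# VTP v1/v2 message codes, in the order the post lists the message types.
SUMMARY_ADVERT = 0x01
SUBSET_ADVERT = 0x02
ADVERT_REQUEST = 0x03
JOIN_MESSAGE = 0x04

DOMAIN_FIELD_LEN = 32   # domain name field is zero-padded to 32 bytes
TIMESTAMP_LEN = 12      # update timestamp, 12 ASCII characters (yymmddhhmmss)
DIGEST_LEN = 16         # MD5 digest over the VLAN database and the password
SUMMARY_LEN = 4 + DOMAIN_FIELD_LEN + 4 + 4 + TIMESTAMP_LEN + DIGEST_LEN   # 72 bytes


@dataclass
class SummaryAdvertisement:
    version: int
    followers: int      # number of Subset Advertisements that follow
    domain: str
    revision: int       # configuration revision number
    updater_id: str     # IP address of the switch that made the last update
    timestamp: str      # timestamp of the last update
    md5_digest: bytes


def parse_summary(frame: bytes) -> SummaryAdvertisement:
    """Decode the VTP payload of a Summary Advertisement (after the SNAP header)."""
    if len(frame) < SUMMARY_LEN:
        raise ValueError(f"truncated summary advertisement ({len(frame)} bytes)")
    version, code, followers, dom_len = struct.unpack_from("!BBBB", frame, 0)
    if code != SUMMARY_ADVERT:
        raise ValueError(f"code {code:#04x} is not a summary advertisement")
    if version not in (1, 2):
        raise ValueError(f"unexpected VTP version {version}")
    if dom_len > DOMAIN_FIELD_LEN:
        raise ValueError(f"domain length {dom_len} exceeds the 32-byte field")
    off = 4
    domain = frame[off:off + dom_len].decode("ascii")
    off += DOMAIN_FIELD_LEN
    (revision,) = struct.unpack_from("!I", frame, off)
    off += 4
    updater_id = ".".join(str(b) for b in frame[off:off + 4])
    off += 4
    timestamp = frame[off:off + TIMESTAMP_LEN].decode("ascii", errors="replace").rstrip("\x00")
    off += TIMESTAMP_LEN
    digest = bytes(frame[off:off + DIGEST_LEN])
    return SummaryAdvertisement(version, followers, domain, revision, updater_id, timestamp, digest)


def build_summary(domain: str, revision: int, updater_ip: str, timestamp: str,
                  digest: bytes, version: int = 2, followers: int = 0) -> bytes:
    """Encode a Summary Advertisement; used here only to construct the sample input."""
    name = domain.encode("ascii")
    if len(name) > DOMAIN_FIELD_LEN:
        raise ValueError("domain name longer than 32 bytes")
    if len(digest) != DIGEST_LEN:
        raise ValueError("digest must be 16 bytes")
    frame = struct.pack("!BBBB", version, SUMMARY_ADVERT, followers, len(name))
    frame += name.ljust(DOMAIN_FIELD_LEN, b"\x00")
    frame += struct.pack("!I", revision)
    frame += bytes(int(o) for o in updater_ip.split("."))
    frame += timestamp.encode("ascii").ljust(TIMESTAMP_LEN, b"\x00")[:TIMESTAMP_LEN]
    frame += digest
    return frame


def revision_alert(adv: SummaryAdvertisement, local_domain: str, local_revision: int):
    """Monitoring check: a summary in our domain with a revision above ours is the
    precondition for a VLAN database overwrite. Returns a log line, or None."""
    if adv.domain != local_domain:
        return None
    if adv.revision > local_revision:
        return (f"VTP: summary from {adv.updater_id} in domain {adv.domain} carries revision "
                f"{adv.revision} > local {local_revision}; a VLAN database overwrite may follow")
    return None


# Constructed sample frame: domain CORP, revision 42, updater 10.0.0.1, placeholder digest.
SAMPLE_FRAME = build_summary("CORP", 42, "10.0.0.1", "150210120000", bytes(range(16)), followers=1)

if __name__ == "__main__":
    adv = parse_summary(SAMPLE_FRAME)
    print(adv)
    print(revision_alert(adv, "CORP", 41))
```

The alert deliberately ignores summaries from other domains: a transparent-mode switch with a configured domain drops those anyway, and a NULL-domain switch forwards them untouched, so they never change a local database.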


   VTP v1/v2 important notes:

  • Both clients and servers can send VTP updates. So even a client can update a server, as long as the VTP revision number is higher and the password and domain name are the same.
  • The VTP Summary Advertisement carries an MD5 hash calculated over the database contents and the password.
  • The MD5 password DOES NOT provide any protection to the data; it is only used to indicate that changes have taken place in the VLAN database or to the password itself.

VTP v3 improved security and features

  • Only the primary server's VTP updates are allowed to propagate within the network.
  • A switch will only update its database if the incoming VTP update agrees with the domain, the primary server and the VTP password.
  • You can only make VLAN changes on the primary server.
  • You can't make changes to the VLANs while the switch is in client mode or is a secondary server (i.e. not the primary server). If you try to add VLANs on a client switch or a secondary server, it will throw an error.
  • When a switch is made the primary server (using the "vtp primary" command), it will flood its VLAN database, and all clients will install it and flood it further down EVEN IF THE primary server's revision number is lower.
  • With version 3, it is no longer possible to reset the revision number by putting the switch into transparent mode and back. This can only be achieved by changing the VTP password or changing the domain name.
  • Since VTP v3 also supports distribution of other "kinds" of information, such as MST information, you can change the role of the VTP server per feature separately. For example, within the same switch, you can make the switch primary for the VLAN "feature" and secondary for the MST feature.

VLAN-DB Storage and Configuration Chart.


Normal VLAN range supported? (1 - 1005)
  • Version 1: Yes
  • Version 2: Yes
  • Version 3: Yes
Normal VLAN range configuration kept in
  • Version 1: vlan.dat in normal modes; running-config in Transparent mode
  • Version 2: vlan.dat in normal modes; running-config in Transparent mode
  • Version 3: vlan.dat in normal modes; running-config in Transparent/Off mode
Normal range can be configured in
  • Version 1: vlan-db mode or global configuration mode
  • Version 2: vlan-db mode or global configuration mode
  • Version 3: global configuration mode (there is no vlan-db mode)
Extended VLAN support? (1006 - 4094)
  • Version 1: No
  • Version 2: Only in Transparent mode
  • Version 3: Yes, in all modes
Extended range VLAN configuration kept in
  • Version 1: N/A
  • Version 2: running-config, in Transparent mode only
  • Version 3: vlan.dat in normal modes; running-config in Transparent/Off mode
Extended range can be configured in
  • Version 1: N/A
  • Version 2: vlan-db mode or global configuration mode
  • Version 3: global configuration mode (there is no vlan-db mode)


Security Analysis and Best Practice

VTP version 1 & 2

The most talked-about security issue when considering VTP is the complete deletion or rewrite of the VLAN database. This is quite possible, especially with versions 1 & 2, because the protocol allows any switch (regardless of whether it is a client or a server) to flood a seemingly "newest" copy of the VLAN database, resulting in all of the other switches rewriting their VLAN database.
Now, this is not that simple. In order for the switches to accept a new copy of the VLAN database via VTP (versions 1 & 2), it must pass the following conditions (so yes, we do have some security measures :)
  1. The domain name should be the same
  2. The VTP configuration revision number should be higher than what is currently stored in the VLAN DB
  3. The password should be the same, if one is configured
So if you think about the scenarios in which this can happen, the most likely case is you plugging your own lab switch (already configured with the password and domain name) into the network and sadly wiping out everything. Of course this is recoverable if you backed up your vlan.dat file, which is where the VTP information is stored.

Another case would be that a bad person gains access to your network, plugs in his/her switch and wipes the VLAN information within the network. In this case, if you haven't configured a password, the attacker can simply plug in a switch and even learn the domain name, simply by not configuring a domain name on his/her switch initially. So make sure you configure a password if you are running VTP version 1/2. Also, never leave your switch ports at defaults that allow them to form a trunk with the attacker's switch (VTP only passes over trunks and NOT over access ports).

Also, the fact that there can be more than one VTP server in the network can make things a little confusing when administering the network. But of course, if you (and your colleagues) are disciplined enough to always use a single server switch, this shouldn't be an issue.

Furthermore, these versions don't support extended VLANs, so you are stuck with the normal VLAN range. That may not be a big issue, but personally I like the freedom of using all available numbers in a sensible manner.

VTP version 3

Compared to its predecessors, this is the best version yet from both feature and security standpoints.
The "complete VLAN loss" problem we talked about earlier is highly unlikely here, thanks to the introduction of the primary and secondary server concept.

Well, let's talk about this briefly..

So the idea is, you can still have multiple servers, but at any given time you would only have a SINGLE primary server, and there can be any number of secondary servers, or none. But wait.. what if we configure all of them to be primary servers?
Well.. you can't. Being the "primary server" is only a run-time state and is not pre-configurable in the start-up config or anywhere else. All the switches in the domain agree on who the primary server is at a given time, and accept and flood VTP information that belongs to this primary server only. If you go to a secondary server and make it the primary server, the previous primary becomes a secondary AUTOMATICALLY. So no conflicts. Does this mean that you can simply change any secondary server to a primary? Not really: you need to enter the VTP password first (which is not readable off the config file like in v1/v2). So there is some security layer.

What would happen if you take an existing switch off the network, put it into primary server mode (if it isn't already the primary), change some VLANs and add it back to the network?
Even though this switch has a higher revision number and has been a primary server previously with the correct password, all the other member switches will NOT agree on its validity as a primary server anymore (since they already have a legitimate primary server registered at the time). So the neighbouring switches will not accept any updates from this switch.
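To make the difference concrete, here is an added Python model (not code from the post or from Cisco) of the two accept decisions: the three v1/v2 conditions listed in the security analysis above, and the v3 rule that additionally requires the update to belong to the primary server the receiving switch has registered. It then plays out the stray-switch scenario from the v1/v2 section and the "vtp primary" takeover described here. The model is deliberately simplified: passwords are compared as plain strings (the MD5 step is left out), a switch's registered primary is a name, and the switch names (core-1, core-2, access-v2, access-v3, lab-1), the domain CORP, the password and the VLAN list are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class VtpUpdate:
    """The parts of an incoming advertisement that matter for the accept decision."""
    domain: str
    revision: int
    password: Optional[str]
    vlans: Dict[int, str]
    primary_id: Optional[str] = None   # v3 only: identity of the primary the update belongs to


@dataclass
class Switch:
    name: str
    version: int                       # 1, 2 or 3
    domain: str
    password: Optional[str]
    revision: int
    vlans: Dict[int, str] = field(default_factory=dict)
    primary_id: Optional[str] = None   # v3 only: the primary this switch currently agrees on


def accept_v1v2(sw: Switch, upd: VtpUpdate) -> Tuple[bool, str]:
    """The three v1/v2 conditions; the sender may be a client or a server."""
    if upd.domain != sw.domain:
        return False, "domain name differs"
    if upd.revision <= sw.revision:
        return False, "configuration revision is not higher"
    if upd.password != sw.password:
        return False, "password differs"
    return True, "accepted"


def accept_v3(sw: Switch, upd: VtpUpdate) -> Tuple[bool, str]:
    """v3 adds the check that the update belongs to the registered primary server."""
    if upd.domain != sw.domain:
        return False, "domain name differs"
    if upd.password != sw.password:
        return False, "password differs"
    if upd.primary_id != sw.primary_id:
        return False, f"update belongs to {upd.primary_id!r}, registered primary is {sw.primary_id!r}"
    if upd.revision <= sw.revision:
        return False, "configuration revision is not higher"
    return True, "accepted"


def apply_update(sw: Switch, upd: VtpUpdate) -> Tuple[bool, str]:
    """Install the advertised database if the version-specific rule accepts it."""
    ok, reason = (accept_v3 if sw.version == 3 else accept_v1v2)(sw, upd)
    if ok:
        sw.vlans = dict(upd.vlans)
        sw.revision = upd.revision
    return ok, reason


def promote_to_primary(candidate: Switch, members: List[Switch], password: Optional[str]) -> bool:
    """Model of 'vtp primary' on a v3 switch: the password must be supplied, and every v3
    member of the domain re-registers the new primary and installs its database even when
    the new primary's revision is lower. The old primary simply stops being the registered one."""
    if candidate.version != 3 or password != candidate.password:
        return False
    candidate.primary_id = candidate.name
    for m in members:
        if m is candidate or m.version != 3:
            continue
        if m.domain == candidate.domain and m.password == candidate.password:
            m.primary_id = candidate.name
            m.vlans = dict(candidate.vlans)
            m.revision = candidate.revision
    return True


PROD_VLANS = {10: "USERS", 20: "VOICE", 30: "SERVERS"}   # constructed sample database


def stray_switch_scenario():
    """A stray switch in the same domain, with the same password and a higher revision,
    advertises its empty database to a v2 member and to a v3 member."""
    stray = VtpUpdate(domain="CORP", revision=99, password="s3cret", vlans={}, primary_id="lab-1")
    v2 = Switch("access-v2", 2, "CORP", "s3cret", revision=57, vlans=dict(PROD_VLANS))
    v3 = Switch("access-v3", 3, "CORP", "s3cret", revision=57, vlans=dict(PROD_VLANS), primary_id="core-1")
    return apply_update(v2, stray), v2.vlans, apply_update(v3, stray), v3.vlans


def takeover_scenario():
    """core-2 (lower revision) is promoted: a wrong password is refused; the right one moves
    every member to core-2 and installs core-2's database despite the lower revision."""
    core1 = Switch("core-1", 3, "CORP", "s3cret", revision=57, vlans=dict(PROD_VLANS), primary_id="core-1")
    core2 = Switch("core-2", 3, "CORP", "s3cret", revision=12, vlans={10: "USERS"}, primary_id="core-1")
    edge = Switch("access-v3", 3, "CORP", "s3cret", revision=57, vlans=dict(PROD_VLANS), primary_id="core-1")
    members = [core1, core2, edge]
    wrong = promote_to_primary(core2, members, "wrong-password")
    right = promote_to_primary(core2, members, "s3cret")
    return wrong, right, [m.primary_id for m in members], edge.revision
```

Run stray_switch_scenario() and the v2 member ends up with an empty VLAN table while the v3 member keeps its database and reports that the update belongs to lab-1, not to its registered primary core-1. takeover_scenario() shows the other side of the v3 design: the promotion itself is gated by the password, and once it succeeds the revision number no longer decides anything.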

Another thing to remember when deciding to use (or migrate to) VTP version 3 is that it does not work with VTP version 1-only switches. If the VTP v3 switch detects a switch that supports v1 and v2, it will force that switch to work on VTP version 2 (thanks to Martin @ IEOC for pointing out this missing information).

Summary

  • If you have the option, definitely go with version 3. It's much more secure and feature-rich.
  • There is no reason to use VTP version 1, since almost all switches today support version 2, so use that.
  • If you are using VTP version 2, make sure you have a password configured and port security is maintained.
  • If you are using VTP version 2, definitely keep an updated vlan.dat backup somewhere safe.
  • Be mindful when swapping out switches.

VTP is not a bad thing if you are using it right. It will make your life so much easier when dealing with a large number of switches.

Let me know what you guys think.. Have I missed any points here? Please leave a comment below.