Demystifying VLAN Trunk Protocol
Expert Reference Series of White Papers
Joe Rinehart, MBA, CCIE #14256, CCNP/DP/VP
Introduction
Of the many protocols Cisco has created over the years, one of the most feared and most often misunderstood is
VTP, the VLAN Trunk Protocol. The original intention was simple: provide a straightforward, scalable way to administer Virtual Local Area Networks (VLANs) across many switches at once. Because of the way the protocol
works, however, a single misconfigured or reintroduced switch can unintentionally overwrite the VLAN database of
every other switch in its domain and cause a widespread outage in a network that was otherwise healthy. This white
paper examines the inner workings of VTP in detail and sets out strategies for using it safely in production environments.
Figure 1: Large Switched Network
Copyright ©2012 Global Knowledge Training LLC. All rights reserved.
The Basics
Figure 2: VLAN Trunk Protocol
Versions
As with most protocols, several versions of VTP exist with some operational differences, particularly the latest
version. These three versions are as follows.
Version 1
VTP originated on the Catalyst 5000 platform developed by Crescendo Communications, which Cisco acquired in
September 1993. Most of the protocol's core features date from this version. It is available on every Catalyst model and remains the default even on switches that support version 2.
Version 2
VTP version 2 added VLAN support for Token Ring, a switching architecture that once competed with Ethernet but is now obsolete, together with VTP and VLAN consistency checks, the ability to carry unrecognised type-length-value fields unchanged, and a transparent mode that forwards advertisements regardless of their version or domain name.
Versions 1 and 2 do not interoperate within one domain, so enabling version 2 is an "all or nothing" decision: it is
set on a server and propagates to every version-2-capable switch in the domain. All recent Cisco switches support version 2.
Version 3
The potential perils of VTP have been well publicised in Cisco's own documentation and in volumes of certification
study material, including CCENT, CCNA and CCNP. Version 3 was designed with these issues in mind and introduced significant improvements: propagation of 802.1s
Multiple Spanning Tree and private VLAN information, extended-range VLANs (1006 through 4094), and administrative controls over who may change the database.
The most important of these is the primary server: in a version 3 domain only one server at a time, promoted explicitly with the vtp primary command, may originate database changes, so a secondary server or client cannot overwrite the domain simply because it arrives with a higher revision number. Version 3 also allows the password to be stored as a hidden hash rather than in clear text, and it remains backward compatible with version 2. Originally
available only on the Catalyst 6500, VTP version 3 is now supported on the 2960, 3560, 3750 and 4500 platforms as well, from IOS version 12.2(50)SE3 and later.
Operational Requirements
VTP is not a “plug and play” type of protocol; it has several minimum requirements in order to function in any
manner. Failure to adhere to these prerequisites will yield disappointing results, although the requirements are
fairly straightforward.
Cisco Switch Platforms
One thing to remember about VTP is that it is a Layer 2, Cisco-proprietary protocol, in the same family as Cisco Discovery Protocol though with a very different purpose. The IEEE equivalents are GVRP, the GARP VLAN Registration Protocol built on the Generic
Attribute Registration Protocol introduced as an extension of 802.1D, and its successor, Multiple VLAN
Registration Protocol (MVRP), defined in 802.1ak. Because VTP is proprietary, only Cisco switches participate in it;
third-party switches in the path neither honour nor originate its advertisements.
Directly Connected Trunk Links Between Member Switches
VTP messages are never sent out ports configured as access ports (switchport mode access); they are sent only over trunk links (switchport mode trunk), within VLAN 1, whether the trunk
uses Cisco-proprietary ISL or IEEE 802.1Q encapsulation. A trunk that a port negotiated dynamically through DTP counts too, so edge ports should be fixed to access mode (and, where they face untrusted devices, set to switchport nonegotiate) to keep VTP traffic off them.
VTP Domain Name on VTP Server(s)
In a VTP network the domain name identifies which switches participate together. By default it is null, so it must
be configured explicitly on at least the server(s). Switches exchange updates only when their domain names match,
with one important exception: a switch whose domain is still null adopts the first domain name it hears in a summary
advertisement on a trunk. That convenience also means a factory-default switch is pulled into whichever domain happens to be advertising on the link, legitimate or not.
Version
VTP version 1 is the default on Cisco switches; it is changed with the vtp version command in global
configuration mode. Versions 1 and 2 do not interoperate, so every device in a domain must run the same one;
version 3 is backward compatible with version 2. As a matter of good practice, run a single version throughout
the domain.
VTP Password (if used)
By default, switches configured as VTP servers or clients accept updates for their domain without any security check
whatsoever. To keep rogue switches (particularly ones in server mode) from altering the VLAN topology, administrators
may set a password. When one is configured, each summary advertisement carries an MD5 digest computed over the VLAN database together with the password; a receiving switch whose password differs arrives at a different digest and discards the update. The parameter is optional, but if it is used every member switch must have the same value. Bear in mind that the password is a shared secret rather than an authentication of the sender: any switch that knows it is trusted, and the revision-number rule still applies, so it narrows the rogue-switch problem rather than removing it. On software earlier than version 3 it is also stored in clear text and displayed by show vtp password.
VTP Modes
For network professionals already familiar with Cisco switch architecture and operation in general, VTP switch
modes are a well-known topic, but still important to review.
Server
Cisco switches operate in VTP server mode by default, which lets them add, delete and rename VLANs and store the
VLAN database locally (in the vlan.dat file in flash, separate from the startup configuration, which is why erasing the
startup configuration does not reset it). The database carries a version number known as the configuration revision number. If a switch receives an advertisement for its domain with a higher revision number, it replaces its own database with the advertised one. This applies to servers as much as to clients: one server does not outrank another, so a newly connected switch whose revision happens to be higher overwrites every other switch in the domain. Changing a switch's domain name or setting it to transparent mode resets its revision number to zero, which is the safe way to prepare a switch before connecting it. In practice, at least one switch in server mode (and a second for
redundancy) is necessary for the protocol to function. A server also originates the update messages that member
switches synchronise from.
Client
VTP client mode switches rely on server switches for VLAN configuration: they cannot create, delete or modify VLANs
locally. They do keep a copy of the database and its revision number, however, and they process and forward advertisements just as servers do, so a client that arrives with a higher revision number can overwrite the domain as surely as a rogue server. Unlike server mode, client mode is never the default and must be
configured explicitly.
Transparent
Another critical principle to understand is that VTP is always running on a Catalyst switch: on most IOS releases there
is no option to turn it off entirely, the exceptions being the now End-of-Life Catalyst OS and the "off" mode that arrived alongside version 3 support, which behaves like transparent mode but also stops forwarding advertisements. Short of that, the
closest thing to disabling VTP is transparent mode. A transparent switch can create, modify and delete VLANs and
stores its database locally, and it ignores all VTP updates, never changing its own database in response to them. It still
relays advertisements across its trunks: in version 1 only when the domain name and version match its own, in versions 2 and 3 regardless. Running in transparent mode effectively removes the switch from the domain's control while leaving the switches beyond it reachable.
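The mode, version, domain name, revision number and password described above can all be audited before a switch is ever trunked into production. The script below is an added example, not part of this paper and not a Cisco tool: it parses constructed show vtp status output from a few switches and flags the conditions that let one switch rewrite another's database. The hostnames, the output text, the intended-server list and the checks themselves are invented for illustration.

```python
"""Pre-connection audit of 'show vtp status' output from several switches.
Constructed example, not a Cisco tool: the sample output follows the layout of
the classic IOS display but is invented, and the checks (intended server list,
revision comparison, digest and version consistency) are this script's own."""
import re

# Constructed samples.  'lab3' and 'newsw' are about to be trunked into production.
SAMPLES = {
    "core1": """\
VTP Version                     : running VTP2
Configuration Revision          : 10
VTP Operating Mode              : Server
VTP Domain Name                 : CORP
MD5 digest                      : 0x4A 0x9C 0x11 0x3F 0x02 0x8B 0xE1 0x77
""",
    "access7": """\
VTP Version                     : running VTP2
Configuration Revision          : 10
VTP Operating Mode              : Client
VTP Domain Name                 : CORP
MD5 digest                      : 0x4A 0x9C 0x11 0x3F 0x02 0x8B 0xE1 0x77
""",
    "lab3": """\
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 25
VTP Operating Mode              : Server
VTP Domain Name                 : CORP
MD5 digest                      : 0xD3 0x5E 0x70 0x0C 0x91 0xAB 0x24 0x6F
""",
    "newsw": """\
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
VTP Operating Mode              : Server
VTP Domain Name                 :
MD5 digest                      : 0x17 0x88 0x2B 0xC4 0x59 0x03 0xEE 0xA1
""",
}


def parse_vtp_status(text):
    """Split the 'label : value' lines into a dict and normalise the fields we need."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return {
        "version": int(re.search(r"VTP(\d)", fields["VTP Version"]).group(1)),
        "revision": int(fields["Configuration Revision"]),
        "mode": fields["VTP Operating Mode"],
        "domain": fields["VTP Domain Name"],          # empty string == null domain
        "digest": fields["MD5 digest"],
    }


def audit(statuses, intended_servers):
    """statuses: {hostname: parsed status}.  Returns [(subject, finding)] for anything
    that could let one switch rewrite the others' VLAN database."""
    findings, domains = [], {}
    for host, s in statuses.items():
        domains.setdefault(s["domain"], []).append(host)
        if not s["domain"]:
            findings.append((host, "null domain: it will adopt the first domain name heard on a trunk"))
        if s["mode"] == "Server" and host not in intended_servers:
            findings.append((host, "server mode on a switch not meant to administer VLANs"))
    for domain, hosts in domains.items():
        if not domain:
            continue
        active = [h for h in hosts if statuses[h]["mode"] != "Transparent"]   # transparent cannot be overwritten
        servers = [h for h in active if h in intended_servers]
        prod_rev = max((statuses[h]["revision"] for h in servers), default=None)
        versions = {statuses[h]["version"] for h in active}
        if len(versions) > 1:
            findings.append((domain, f"mixed VTP versions {sorted(versions)} in one domain"))
        for h in active:
            s = statuses[h]
            if h in servers or prod_rev is None:
                continue
            if s["revision"] > prod_rev:
                findings.append((h, f"revision {s['revision']} exceeds the servers' {prod_rev}: "
                                    "connecting it would overwrite the domain"))
            elif s["revision"] == prod_rev and any(s["digest"] != statuses[x]["digest"] for x in servers):
                findings.append((h, "same revision as the servers but a different MD5 digest: "
                                    "password or database mismatch"))
    return findings


def run_audit():
    return audit({h: parse_vtp_status(t) for h, t in SAMPLES.items()}, intended_servers={"core1"})


if __name__ == "__main__":
    for subject, finding in run_audit():
        print(f"{subject}: {finding}")
```

Anything it flags is cleared with settings this paper has already covered: put the offending switch in transparent mode (vtp mode transparent) or change its domain name before connecting it, either of which resets its revision number to zero; configure a matching vtp password across the domain; and run one VTP version everywhere.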
Protocol Mechanics
Figure 3: VTP Frame Format (ISL Version)
VTP Message Types
For protocol operations, VTP uses several message types to communicate data between switches, each with a
critical function.
Summary
Summary advertisements are sent every five minutes (300 seconds) by default, and immediately after any change. They carry the VTP version, the domain name, a count of the subset advertisements that follow, the MD5 digest, and the configuration revision number, which is incremented by
one for every change to the VLAN database. A receiving switch compares the advertised revision with its own: if it is less than or equal to the local value
the advertisement is ignored; if it is higher, the switch requests the full database and synchronises to it (a transparent switch simply relays the advertisement on).
Subset
When VLAN information is modified on a VTP server, that switch first sends a summary advertisement carrying the
incremented configuration revision number, then one or more subset advertisements listing the VLANs themselves (ID, name, type and MTU for each). Other switches use these messages to bring their databases into line with the server. Any change to the database triggers the sequence, for example creating or
deleting a VLAN, renaming one, or changing its attributes.
Advertisement Requests
On the surface it might seem that only VTP servers originate VTP messages, since transparent switches do not participate and client switches cannot change any VLAN data. Any switch in client or server mode, however, may
send an advertisement request to ask a server for the complete database. This happens when a switch
is reset or rebooted, when its VTP domain name is changed, or when it receives a summary advertisement with a
higher configuration revision number than its own. In response, a server issues a summary advertisement followed by one or more subset advertisements.
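To make the exchange above concrete, here is an added example (not from this paper, and not Cisco's implementation) that models the 72-byte summary advertisement and the revision-number rule a receiving switch applies. The byte layout follows Cisco's published description of the summary header; the MD5 digest is a stand-in computed over the password, domain, revision and VLAN list, since the real digest covers the whole VLAN database in a layout this model does not reproduce, and the subset advertisements are collapsed into a plain dictionary handed over with the summary. The switch names, VLANs, the updater address 10.0.0.1 and the password are invented.

```python
"""Model of a VTP summary advertisement and the revision-number rule that decides
whether a switch overwrites its VLAN database.  Constructed example: the 72-byte
summary layout follows Cisco's published description, but the MD5 digest is a
stand-in (MD5 over password, domain, revision and VLAN list) and the subset
advertisements are collapsed into a dict handed over with the summary."""
import hashlib
import struct

VTP_DST_MAC = "01:00:0c:cc:cc:cc"          # VTP is addressed to this Cisco multicast MAC (SNAP type 0x2003)
CODE_SUMMARY, CODE_SUBSET, CODE_REQUEST = 0x01, 0x02, 0x03
SUMMARY_LEN = 72                           # 4 header + 32 domain + 4 revision + 4 updater + 12 timestamp + 16 MD5


def vtp_digest(password, domain, revision, vlans):
    """Stand-in digest: only a switch holding the same password can reproduce it."""
    body = "|".join([password or "", domain, str(revision),
                     ",".join(f"{vid}:{name}" for vid, name in sorted(vlans.items()))])
    return hashlib.md5(body.encode()).digest()


def build_summary(domain, revision, updater_ip, digest, version=2, followers=1,
                  timestamp="120101000000"):
    """Version, code, followers (subset advertisements to come), domain length,
    32-byte zero-padded domain, revision, updater IP, 12-byte timestamp, digest."""
    name = domain.encode()
    if len(name) > 32:
        raise ValueError("VTP domain names are at most 32 bytes")
    return (struct.pack("!BBBB32sI", version, CODE_SUMMARY, followers, len(name), name, revision)
            + bytes(int(o) for o in updater_ip.split("."))
            + timestamp.encode().ljust(12, b"\0")
            + digest)


def parse_summary(frame):
    if len(frame) != SUMMARY_LEN:
        raise ValueError("not a VTP summary advertisement")
    version, code, followers, dlen, name, revision = struct.unpack("!BBBB32sI", frame[:40])
    if code != CODE_SUMMARY:
        raise ValueError(f"unexpected VTP message code {code:#04x}")
    return {"version": version, "followers": followers, "domain": name[:dlen].decode(),
            "revision": revision, "updater": ".".join(str(b) for b in frame[40:44]),
            "timestamp": frame[44:56].rstrip(b"\0").decode(), "digest": frame[56:72]}


class VtpSwitch:
    def __init__(self, name, mode="server", domain=None, password=None, revision=0, vlans=None):
        self.name, self.mode, self.domain, self.password = name, mode, domain, password
        self.revision = revision
        self.vlans = dict(vlans or {1: "default"})

    def advertise(self):
        """Summary frame plus the database the subset advertisements would carry."""
        digest = vtp_digest(self.password, self.domain, self.revision, self.vlans)
        return build_summary(self.domain, self.revision, "10.0.0.1", digest), dict(self.vlans)

    def receive(self, frame, advertised_vlans):
        adv = parse_summary(frame)
        if self.mode == "transparent":
            return "ignored: transparent mode relays advertisements but never applies them"
        if self.domain is None:                    # a null-domain switch adopts the first domain it hears
            self.domain = adv["domain"]
        if adv["domain"] != self.domain:
            return f"ignored: domain {adv['domain']!r} is not {self.domain!r}"
        if adv["revision"] <= self.revision:
            return f"ignored: revision {adv['revision']} is not newer than {self.revision}"
        # Clients and servers alike accept a higher revision; the digest is the only remaining gate.
        if vtp_digest(self.password, adv["domain"], adv["revision"], advertised_vlans) != adv["digest"]:
            return "discarded: MD5 digest mismatch (password differs)"
        self.revision, self.vlans = adv["revision"], dict(advertised_vlans)
        return f"synchronised: now at revision {adv['revision']} with VLANs {sorted(self.vlans)}"


def demo():
    """Four encounters between a production core (revision 10, three VLANs) and a
    reintroduced lab switch (revision 25, VLAN 1 only).  Returns {case: (outcome, core VLAN IDs)}."""
    prod = {1: "default", 10: "users", 20: "servers"}
    lab = VtpSwitch("lab", domain="CORP", revision=25, vlans={1: "default"})
    cases = {
        "no_password": VtpSwitch("core", domain="CORP", revision=10, vlans=prod),
        "password": VtpSwitch("core", domain="CORP", password="s3cret", revision=10, vlans=prod),
        "transparent": VtpSwitch("core", mode="transparent", domain="CORP", revision=10, vlans=prod),
        "higher_local_revision": VtpSwitch("core", domain="CORP", revision=30, vlans=prod),
    }
    return {case: (core.receive(*lab.advertise()), sorted(core.vlans)) for case, core in cases.items()}


if __name__ == "__main__":
    for case, (outcome, vlans) in demo().items():
        print(f"{case:>22}: {outcome}  -> core VLANs {vlans}")
```

The first case is the classic outage: with no password and a higher revision, the core accepts the lab switch's database and is left with VLAN 1 only. The password case is dropped on the digest check, the transparent core never applies anything, and a core whose own revision is already higher ignores the frame even without a password.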
VTP Pruning
An administration protocol such as VTP is helpful in theory, but not every VLAN needs to be present on every
switch. VLANs fall into two general classes.
Local VLANs
When VLANs were first introduced, one of the more common designs was simply to group users together that
existed in close geographic proximity. For example, in a switched campus environment, a VLAN might be limited
to a group of users on a particular floor of a building. Generally speaking, VLAN traffic in this setting follows the
pattern of being 80% local and 20% outside the VLAN.
End-to-End VLANs
While some VLANs in modern networks may still fall into the category of local, the functionality involved can
actually span multiple locations and multiple switches (you may recall that is one of the many purposes of trunk
links). In this scenario, users can be grouped by function rather than location, such as accounting personnel
located on different floors of a building. In this type of setting, only 20% of traffic may stay within the VLAN,
and 80% may be bound elsewhere.
Of the two, the local VLAN has no need to exist on every switch in the VTP domain, yet by default a trunk carries the
broadcast, multicast and unknown-unicast traffic of every VLAN it allows, including VLANs for which the switch at the
far end has no ports at all. VTP pruning addresses this: each switch tells its neighbour, with a VTP join message, which VLANs it actually needs on the trunk (those with local ports, plus any requested by the switches behind it), and the neighbour stops flooding the rest. Pruning trims flooded user traffic, not VTP advertisements, which still reach every switch; VLAN 1 and the reserved VLANs 1002 to 1005 are never pruned. The feature is disabled by default and is enabled on a server with the vtp pruning command, which propagates the setting across the domain.
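The per-trunk result of pruning is easiest to see worked out on a small topology. The following is an added example, not Cisco code and not from this paper: the six switches, their trunks and VLAN memberships are invented, and the rule modelled is the one described above, that a switch asks for a VLAN on a trunk when it has active ports in it or has itself been asked for it on another trunk, after which the sender stops flooding every other prune-eligible VLAN on that trunk.

```python
"""What VTP pruning withholds on each trunk of a small switched network.
Constructed example, not Cisco code: the switches, trunks and VLAN memberships
are invented.  A switch joins a VLAN towards a neighbour when it has active
ports in that VLAN or has been asked for it over any of its other trunks; the
neighbour prunes every other prune-eligible VLAN from that trunk."""

NEVER_PRUNED = {1, 1002, 1003, 1004, 1005}   # VLAN 1 and the legacy FDDI/Token Ring VLANs are not prune-eligible

# Constructed topology: a loop-free tree, as spanning tree would leave it.
TRUNKS = [("sw1", "sw2"), ("sw1", "sw3"), ("sw2", "sw4"), ("sw2", "sw5"), ("sw3", "sw6")]
ACTIVE = {"sw1": {10, 20}, "sw2": set(), "sw3": set(), "sw4": {10}, "sw5": {20}, "sw6": {30}}
ALLOWED = {1, 10, 20, 30}                    # VLANs allowed on every trunk


def adjacency(trunks):
    """Undirected neighbour map built from the trunk list."""
    adj = {}
    for a, b in trunks:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def joined_vlans(switch, uplink, active, adj):
    """VLANs `switch` asks for on the trunk towards `uplink`: its own active VLANs
    plus everything the switches behind its other trunks asked it for."""
    needed = set(active.get(switch, ()))
    for other in adj[switch] - {uplink}:
        needed |= joined_vlans(other, switch, active, adj)
    return needed


def pruned_vlans(trunks, active, allowed):
    """For every directed trunk (sender -> receiver), the VLANs the sender stops
    flooding because the receiver side sent no join for them."""
    adj = adjacency(trunks)
    result = {}
    for sender in adj:
        for receiver in adj[sender]:
            joined = joined_vlans(receiver, sender, active, adj)
            result[(sender, receiver)] = sorted(allowed - joined - NEVER_PRUNED)
    return result


if __name__ == "__main__":
    for (sender, receiver), pruned in sorted(pruned_vlans(TRUNKS, ACTIVE, ALLOWED).items()):
        print(f"{sender} -> {receiver}: pruned {pruned or 'nothing'}")
```

Note how sw2, which has no ports in VLAN 10 or 20 itself, still asks sw1 for both because sw4 and sw5 behind it need them, while VLAN 30 is pruned from the sw1 to sw2 trunk and VLANs 10 and 20 from the sw1 to sw3 trunk. Nothing is pruned on sw2's trunk back to sw1, since sw1 and the sw3 branch between them need every VLAN.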
Conclusion
VLAN Trunk protocol is frequently the focus of a proverbial orchestra of exam questions for Cisco certifications and is complex enough to create some misunderstanding and confusion in that regard as well. In my own
professional experience spanning nearly two decades in networking, I have only encountered one production
network using the protocol, but with the version 3 improvements, the “fear factor” may be potentially removed
for its use. As with so many other technologies, a thorough understanding and appropriate use are the best factors influencing the decision whether or not to use it.
Learn More
To learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge,
Global Knowledge suggests the following courses:
SWITCH - Implementing Cisco IP Switched Networks v1.0
ICND1 - Interconnecting Cisco Network Devices 1
ICND2 - Interconnecting Cisco Network Devices 2
Visit www.globalknowledge.com or call 1-800-COURSES (1-800-268-7737) to speak with a Global
Knowledge training advisor.
About the Author
Joe Rinehart, MBA, CCIE #14256, CCNP/DP/VP is a professional trainer specializing in technology, business, and
social media. He is also a successful speaker and published author, as well as a columnist for the Federal Way
Mirror. He is active in the social media space, managing one of the largest groups on LinkedIn, as well as serving
on the national steering committee of the Cisco Collaboration Users Group. Joe also serves as president of the
Seattle Cisco Users Group, serving technology professionals throughout the Puget Sound region.
Joe Rinehart
MBA, CCIE #14256, CCNP/DP/VP
President and Chief Edutainment Officer
Gracestone Professionals, LLC
[email protected]
Twitter: jjrinehart