Friday, April 9, 2010

Why Do We Need VTP?

One of my favorite interview questions about switching for network candidates is: Why Do We Need VTP In A Switched Network?

And I always hear something very common back, like: VTP helps us manage VLANs throughout the switched network. So if we create a VLAN on the VTP server, it is reflected across all switches in the switched network very quickly, and we don't need to hop onto every switch in the network to create VLANs.

So in short: VLAN Trunk Protocol (VTP) reduces administration in a switched network.

So what I always ask them back is: That's it, or something else too?

I mean, if you have a few months of experience with Cisco switches, or if you have attempted the CCNP BCMSN exam (now known as SWITCH), you must be aware that if I go into interface configuration mode on a switch and run the command -> Switch(config-if)# switchport access vlan 2

Even if VLAN 2 didn't exist in the switch's VLAN database earlier, the switch will create VLAN 2 and move this port into VLAN 2.

Let's hop onto a real switch and test this out:

core-switch(config)#int gi0/27
core-switch(config-if)#switchport access vlan 500
% Access VLAN does not exist. Creating vlan 500
core-switch(config-if)#do sh vlan id 500

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
500  VLAN0500                         active    Gi0/27

So as you can see, in this case VLAN 500 was not in the VLAN database. But as soon as I tried to move port Gi0/27 into VLAN 500, the switch created VLAN 500 and moved port Gi0/27 into it.

On the flip side, what do you think the benefit is of creating VLANs and propagating them using VTP, when at the end of the day it's the admin who has to hop onto the different switches in the network and move ports into the VLAN before it is of any use?

So if I have to move the port into the VLAN manually anyway, why do I need VTP? I can just go to the port and move it into the VLAN, and the VLAN will be created automatically. So what's the real benefit of VTP? Let me now kill the suspense with a short scenario, presented in the diagram above (VTP disabled on all three switches).

SW1, SW2 and SW3 are connected to each other through trunks. On SW1 we have 3 different VLANs: VLAN 1, 2, 3. On SW2 we have only 2 VLANs: VLAN 1, 3. On SW3 we again have 3 VLANs: VLAN 1, 2, 3.

Now when SW1 sends traffic from a user sitting in its local VLAN 2 to another user sitting in VLAN 2 on SW3, the traffic comes to SW2 over the trunk. SW2 sees the incoming frame tagged with VLAN 2, checks its local VLAN database and finds no entry for VLAN 2. So all it does now is .....PUMMMMM. It drops the frame silently, and the frame never reaches the user inside VLAN 2 on SW3.

So to overcome this situation we need VTP, although once everything is set up we can turn VTP off later. Engineers always debate whether we should use VTP or not, but in my personal opinion many of them don't understand the function of VTP that I just explained here. Personally I like a secured VTP environment; further, you can use the VTP password option. But the funny thing about that is that it never shows up in the config, only with the "sh vtp password" command. :)
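To make the scenario concrete, here is a small model of the three-switch topology described above, written as an added example (it is not part of the original post and does not model real IOS or VTP advertisements): each switch holds a local VLAN database and trunks to its neighbours, a tagged frame is only carried across a switch that has that VLAN in its database, and a crude vtp_sync() helper stands in for VTP by copying the server's VLAN list to the other switches.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    name: str
    vlans: set                                  # local VLAN database ("show vlan")
    trunks: dict = field(default_factory=dict)  # neighbour name -> Switch

    def forward(self, vlan, dst, path):
        """Carry a frame tagged with `vlan` toward switch `dst`.
        Returns the list of switches traversed, or None if the frame is dropped."""
        path = path + [self.name]
        if vlan not in self.vlans:
            # No VLAN entry on this switch: no STP instance and no MAC learning
            # for that VLAN, so the tagged frame is silently discarded here.
            return None
        if self.name == dst:
            return path
        for nbr in self.trunks.values():
            if nbr.name not in path:            # do not loop back over a trunk
                result = nbr.forward(vlan, dst, path)
                if result:
                    return result
        return None

def build_topology(sw2_vlans):
    """SW1 -- SW2 -- SW3 in a line, as in the post; SW2's VLAN list is the variable."""
    sw1 = Switch("SW1", {1, 2, 3})
    sw2 = Switch("SW2", set(sw2_vlans))
    sw3 = Switch("SW3", {1, 2, 3})
    sw1.trunks["SW2"] = sw2
    sw2.trunks["SW1"] = sw1
    sw2.trunks["SW3"] = sw3
    sw3.trunks["SW2"] = sw2
    return sw1, sw2, sw3

def vtp_sync(server, clients):
    """Stand-in for VTP: the server's VLAN database is copied onto the clients."""
    for client in clients:
        client.vlans |= server.vlans

def deliver(vlan, sw2_vlans, use_vtp=False):
    """Send a frame in `vlan` from SW1 to SW3, optionally after a VTP sync from SW1."""
    sw1, sw2, sw3 = build_topology(sw2_vlans)
    if use_vtp:
        vtp_sync(sw1, [sw2, sw3])
    return sw1.forward(vlan, "SW3", [])

if __name__ == "__main__":
    print("VLAN 2, no VTP :", deliver(2, {1, 3}))            # None: dropped at SW2
    print("VLAN 3, no VTP :", deliver(3, {1, 3}))            # ['SW1', 'SW2', 'SW3']
    print("VLAN 2, VTP    :", deliver(2, {1, 3}, use_vtp=True))
```

Run it as-is and you see VLAN 3 (present everywhere) reach SW3 while VLAN 2 dies at SW2, until the VTP sync gives SW2 the missing entry.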

So Myth Busted....

Best Regards,
Deepak Arora


Mohan.Jeerankalagi said...

Good explanation

sanjeev singh said...

Powerful explanation and understandable & Interesting

Anonymous said...

Sounds like VTP pruning, which is disabled by default; in that case SW2 doesn't need VLAN 2 for traffic to flow between SW1 and SW3.

Also, when VTP pruning is enabled it is not SW2 that will drop the packet, it will be SW1.

And of course there is all the trouble if a transparent VTP switch is in the mix somewhere.

Bad interview question, as it is very ambiguous.

Anonymous said...

Hi Deepak, I just went through this article looking for an answer to one question that popped into my head: what is the real use of VTP? But in your explanation, why is the VLAN 2 frame dropped on SW2? As per IEEE standards, "if a switch does not have the VLAN indicated in the IEEE 802.1Q frame tag, it sends the frame to all other trunk ports with this VLAN allowed"... So the frame should be forwarded to the trunk port between SW2 and SW3 as a multicast address.

Deepak Arora said...

In the backend it has to do with spanning tree.

The switch will simply run "sh spanning-tree vlan 2" and will come to know that there is no spanning-tree instance for VLAN 2, which means it cannot learn any MAC addresses for that VLAN.

Makes sense? :)