Notes on Vlan Trunking

Posted by Bradley | switching | Wednesday 24 June 2009 15:41

VLAN Trunking Protocol (VTP) – VTP updates are sent out of all active trunking interfaces (dot1Q or ISL). Each VTP advertisement includes a revision number that is incremented by a VTP server. An advertisement will only be processed by VTP servers and VTP clients that are in the same domain, have the correct password, and currently hold a revision number lower than the one in the advertisement. Standard range VLAN information is stored in the vlan.dat file in flash.

Cisco switches are VTP servers by default but will not send out VTP advertisements until a VTP domain is configured.

There are 3 main modes a VTP switch can be in: Server, Client and Transparent.

Server – In VTP server mode you can create, edit and delete VLAN information on the switch and it will be propagated throughout the VTP domain. VTP servers also originate periodic VTP updates.

Client – VTP client mode is exactly the same as server mode except that it is not possible to create, edit or delete VLANs on the switch; they must be edited on a server in the VTP domain, which then updates the client. Clients will also originate VTP updates.

Transparent – In VTP transparent mode the switch forwards VTP advertisements but does not process any of them. VLAN information can be changed on the switch, but it is not propagated and stays local to the switch.

Standard/Extended range VLANs – VTP will only update standard range VLANs, which are any VLAN with a number between 1 and 1005. If you wish to configure extended range VLANs (VLAN numbers 1024 to 4094) then the server must be in VTP transparent mode, as VTP does not support these.

Note: VLANs 1006 to 1024 were reserved for compatibility with CatOS based switches and shouldn't be used.

Extended range VLANs can't be stored in the vlan.dat file and are stored in the running configuration instead. If the startup config and the vlan.dat file differ, only the vlan.dat information is used.
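As an added illustration (not part of the original post), this Python model applies the rules above: a transparent switch only forwards advertisements, servers and clients apply one only when the domain and password match and its revision number is higher, clients cannot create VLANs, and extended-range VLANs are refused outside transparent mode. The class and field names are my own assumptions.

```python
from dataclasses import dataclass, field

NORMAL_RANGE_MAX = 1005   # VTP only carries VLANs 1 to 1005

@dataclass
class Advertisement:
    domain: str
    password: str
    revision: int
    vlans: dict          # the full standard-range table: vlan id -> name

@dataclass
class VtpSwitch:
    mode: str            # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def create_vlan(self, vid: int, name: str) -> str:
        """Clients cannot edit VLANs; extended-range VLANs need transparent mode."""
        if self.mode == "client":
            return "refused: clients cannot create VLANs"
        if vid > NORMAL_RANGE_MAX and self.mode != "transparent":
            return f"refused: VLAN {vid} is extended range and needs transparent mode"
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1       # only a server bumps the revision number
        return f"created VLAN {vid}"

    def receive(self, adv: Advertisement) -> str:
        """Apply the acceptance rules to an advertisement arriving on a trunk."""
        if self.mode == "transparent":
            return "forwarded"       # relayed to other trunks, never applied locally
        if adv.domain != self.domain or adv.password != self.password:
            return "ignored: wrong domain or password"
        if adv.revision <= self.revision:
            return f"ignored: revision {adv.revision} is not newer than {self.revision}"
        self.vlans = dict(adv.vlans)   # the whole local VLAN table is replaced
        self.revision = adv.revision
        return f"applied revision {adv.revision}"
```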

VLAN Trunking – Interconnects between switches are trunked using either ISL or 802.1Q. ISL is Cisco proprietary and encapsulates each frame with a 26 byte header and an additional trailer, whereas dot1Q, which is an IEEE standard, adds a 4 byte tag after the source address field in the frame. dot1Q does not tag the native VLAN on a link, therefore any frame received on a VLAN trunk without a tag is presumed to belong to the native VLAN. ISL does not support native VLANs.

Dynamic Trunk Protocol (DTP) – DTP allows a switch port to automatically negotiate a trunk. This can be a security issue and personally I am not too keen on this and prefer to manually make each port either a trunk or access port. The DTP modes are:

on - Permanent trunk, even if the neighbour can't support it.

off - Permanent access port, so it won't trunk even if the neighbour can support it.

desirable - Actively sends out DTP frames to attempt to become a trunk, but will end up as either a trunk or an access port depending on the neighbour.

auto - Attempts to passively become a trunk, so it won't send out DTP frames but will respond if it receives them. Note that if both ends are set to auto then the port will not become a trunk.

nonnegotiate - The port will not send any DTP frames out. It's recommended that this is used when connecting the port to a non-Cisco switch, which could react strangely to DTP frames. Use either switchport mode trunk or switchport mode access to dictate what mode the port should be in.
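An added example, not from the post: a small Python audit that reads a constructed running-config excerpt and lists the ports whose trunking state DTP could still change, i.e. ports in a dynamic mode, ports with no explicit mode, and ports without switchport nonegotiate. The interface names and the config text are made up for illustration.

```python
import re

INTERFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
# Constructed running-config excerpt (hypothetical, not from a real switch)
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description uplink to core
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 description defaults only, no explicit mode
!
"""

def parse_interfaces(config: str) -> dict:
    """Group the indented lines of each 'interface' stanza under the interface name."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith("!"):
            current = None                     # '!' closes the stanza
        elif current is not None:
            stanzas[current].append(line.strip())
    return stanzas

def audit_dtp(config: str) -> dict:
    """Map interface name -> finding for every port whose trunking state DTP could still change."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        modes = [l.split("switchport mode ", 1)[1] for l in lines if l.startswith("switchport mode ")]
        nonegotiate = "switchport nonegotiate" in lines
        if not modes:
            findings[name] = "no explicit switchport mode; the platform default may be dynamic"
        elif modes[-1].startswith("dynamic"):
            findings[name] = f"switchport mode {modes[-1]}; trunking is negotiated by DTP"
        elif not nonegotiate:
            findings[name] = f"switchport mode {modes[-1]} without switchport nonegotiate; DTP is not disabled"
    return findings
```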

Why the STP bridge priority must be a multiple of 4096

Posted by Bradley | switching | Friday 11 July 2008 00:49

It came up very briefly at work today why the STP bridge priority must be a multiple of 4096 so I thought I would post my response on here.

There were only 2 fields in the original STP Bridge ID: a 2 byte priority, which allowed any value from 0 to 65,535 to be set, followed by 6 bytes for the MAC address for tie-breaker situations.

But when multiple spanning tree instances started to appear on networks due to technologies such as PVST+ and MST, the switch had a single BID for all the VLANs, as it could not differentiate between the VLANs. So switch vendors like Cisco used a unique MAC address for each VLAN, but this wasted MAC addresses, as each switch could have to reserve up to 4094 addresses if non-standard VLANs were used (I'm sure there must have been a limit to the amount each switch could reserve, but this was before my time so I don't have any practical information on this).

Therefore, to prevent the overuse of MAC addresses, they turned the 2 bytes used for the priority field of the Bridge ID into a 4 bit priority and used the remaining 12 bits for the VLAN. The extra information that carries the VLAN number is called the Extended System ID, and this process is sometimes called MAC address reduction, as it reduces the number of reserved MAC addresses needed. The 12 bits of VLAN information allow support for 4096 VLANs, so there is full support for extended range VLANs. Because of the use of the Extended System ID in the Bridge ID, only the first 4 bits of the original 2 byte number are available for the bridge priority, so it only allows multiples of 4096.
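As an added worked example (not from the original post), the following Python packs and unpacks the 2 byte field described above: the top 4 bits hold the priority, so only multiples of 4096 survive a round trip, and the low 12 bits carry the Extended System ID. The function names and sample values are my own.

```python
PRIORITY_STEP = 4096                 # 2**12: the low 12 bits belong to the VLAN
MAX_PRIORITY = 15 * PRIORITY_STEP    # 61440, the largest value 4 bits can express

def is_valid_priority(priority: int) -> bool:
    """A configurable priority must fit in the top 4 bits, i.e. be a multiple of 4096."""
    return 0 <= priority <= MAX_PRIORITY and priority % PRIORITY_STEP == 0

def encode_bridge_id_field(priority: int, vlan: int) -> int:
    """Pack priority (4 bits) and Extended System ID / VLAN (12 bits) into the 16-bit field."""
    if not is_valid_priority(priority):
        raise ValueError(f"priority {priority} is not a multiple of {PRIORITY_STEP} in 0..{MAX_PRIORITY}")
    if not 0 <= vlan < PRIORITY_STEP:
        raise ValueError(f"vlan {vlan} does not fit in 12 bits")
    return ((priority // PRIORITY_STEP) << 12) | vlan

def decode_bridge_id_field(field: int) -> tuple:
    """Split the 16-bit field back into (priority, vlan)."""
    if not 0 <= field <= 0xFFFF:
        raise ValueError("field must be 16 bits")
    return (field >> 12) * PRIORITY_STEP, field & 0x0FFF

def decode_bridge_id(bid: bytes) -> tuple:
    """Decode a full 8-byte Bridge ID: 2-byte priority/ext-sys-id field, then the 6-byte MAC."""
    if len(bid) != 8:
        raise ValueError("Bridge ID is 8 bytes")
    priority, vlan = decode_bridge_id_field(int.from_bytes(bid[:2], "big"))
    mac = ":".join(f"{b:02x}" for b in bid[2:])
    return priority, vlan, mac

# Constructed sample: priority 32768 on VLAN 10 with a made-up MAC address
SAMPLE_BID = bytes.fromhex("800a001122334455")
```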

802.1Q-in-Q Tunnelling

Posted by Bradley | switching | Monday 30 June 2008 01:21

This topic is more relevant to the CCIE SP track so I will just briefly go over the concept of this.

802.1Q-in-Q tunnelling, AKA Q-in-Q, is a method of passing VLAN traffic across a WAN. At a simple level an SP switch tags incoming frames with an extra 802.1Q header and the frame is passed through the WAN; at the egress port of the SP network the tag is removed. The customer frames therefore have their original 802.1Q headers preserved after travelling across the WAN.

Q-in-Q allows customer networks to carry tagged frames across a shared SP WAN. Other layer 2 protocols such as CDP and VTP are also carried, and it does not matter if the customers do not have unique VLAN numbers.
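As an added example (not the post's own code) covering both the dot1Q tagging described in the VLAN Trunking notes above and the Q-in-Q tunnelling described here: push_tag inserts a 4 byte tag after the source MAC as an SP ingress port does, pop_tag removes the outermost tag as the egress port does, and parse_frame walks the stacked tags outermost first and falls back to the native VLAN when no tag is present. The frame bytes are constructed and the function names are my own.

```python
import struct

TPIDS = {0x8100, 0x88A8}   # 802.1Q C-tag and 802.1ad S-tag identifiers

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def push_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = 0x8100) -> bytes:
    """Insert a 4-byte tag directly after the source MAC (what an SP ingress port does)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    tag = struct.pack("!HH", tpid, ((pcp & 7) << 13) | vid)
    return frame[:12] + tag + frame[12:]

def pop_tag(frame: bytes) -> bytes:
    """Strip the outermost tag (what an SP egress port does); untagged frames pass unchanged."""
    if len(frame) < 16 or struct.unpack_from("!H", frame, 12)[0] not in TPIDS:
        return frame
    return frame[:12] + frame[16:]

def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Walk stacked tags outermost first; a frame with no tag belongs to the native VLAN."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in TPIDS:
            break                                  # reached the real EtherType
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": _mac(frame[:6]), "src": _mac(frame[6:12]), "tags": tags,
            "vlan": tags[0]["vid"] if tags else native_vlan,
            "ethertype": ethertype, "payload": frame[offset + 2:]}

# Constructed sample: an untagged customer frame (broadcast, IPv4 EtherType, dummy payload)
UNTAGGED = bytes.fromhex("ffffffffffff001122334455") + b"\x08\x00" + b"\x45" * 4
CUSTOMER_FRAME = push_tag(UNTAGGED, vid=10)      # the customer's own 802.1Q tag
SP_FRAME = push_tag(CUSTOMER_FRAME, vid=100)     # SP ingress adds the outer tag

if __name__ == "__main__":
    print(parse_frame(SP_FRAME))
```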

PVLANs

Posted by Bradley | switching | Sunday 29 June 2008 22:40

Private VLANs (PVLANs) are not something I have been able to lab as I don't have a layer 3 switch (not yet anyway, but I am saving my pennies for a Cisco 3550) and I haven't used them at work.

Anyway, PVLANs are a method of isolating ports in the same VLAN to provide security. A good example of their application is a Service Provider network where many end customers are connected to ports on a switch. The provider could put all of the customer ports on isolated ports in the PVLAN (more on that in a bit), the gateway on a promiscuous port (again, more in a bit), and a customer with multiple ports in their own community.

There are 3 types of ports in a PVLAN: promiscuous, community and isolated.

Promiscuous ports: These ports can communicate with all other ports in the PVLAN including community and isolated. In the service provider example above the gateway would probably be on a promiscuous port.

Isolated ports: These ports can't communicate with any other ports except promiscuous ports. Isolated ports cannot talk to each other, and in the example above the customers would be connected to isolated ports.

Community ports: These ports can communicate with other ports in the same community and with promiscuous ports, but can't communicate with ports in other communities or with isolated ports. In the example above a customer with multiple connections could be in their own community; this allows layer 2 connectivity between their ports and they can still access the gateway, while remaining isolated from the isolated ports.
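As an added example (not the post's own code), this Python applies the three port-type rules above to the service-provider layout: it decides whether two ports can talk, lists every reachable pair, and flags any port left without a path to a promiscuous port. The port names and the layout are constructed.

```python
from itertools import combinations

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"

def pvlan_can_talk(a: tuple, b: tuple) -> bool:
    """Apply the three PVLAN rules to two (port_type, community_name) tuples."""
    type_a, community_a = a
    type_b, community_b = b
    if PROMISCUOUS in (type_a, type_b):
        return True                              # promiscuous ports reach everything
    if type_a == COMMUNITY and type_b == COMMUNITY:
        return community_a == community_b        # same community only
    return False                                 # isolated ports reach only promiscuous ones

def allowed_pairs(ports: dict) -> set:
    """Every unordered pair of ports with layer 2 reachability inside the PVLAN."""
    return {frozenset((p, q)) for p, q in combinations(ports, 2)
            if pvlan_can_talk(ports[p], ports[q])}

def stranded_ports(ports: dict) -> list:
    """Ports that cannot reach any promiscuous port, i.e. have no path to the gateway."""
    promiscuous = [p for p, (t, _) in ports.items() if t == PROMISCUOUS]
    return [p for p in ports if p not in promiscuous
            and not any(pvlan_can_talk(ports[p], ports[g]) for g in promiscuous)]

# Constructed layout of the service-provider example in the post
PORTS = {
    "gateway": (PROMISCUOUS, None),
    "custA":   (ISOLATED, None),
    "custB":   (ISOLATED, None),
    "custC-1": (COMMUNITY, "custC"),
    "custC-2": (COMMUNITY, "custC"),
    "custD":   (COMMUNITY, "custD"),
}
```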

Extended Range VLANs

Posted by Bradley | switching | Sunday 29 June 2008 22:12

VLANs numbered 1 to 1005 are considered “normal” and ones higher than this are considered extended (VLANs 1006 to 4094). These VLANs cannot be stored in the vlan.dat file in flash as standard range VLANs are; instead they are only stored in the running config. The switch must also be in VTP transparent mode as these VLANs cannot be sent in VTP updates.

VLAN Numbers Summary

VLAN 0 is reserved and not available for use

VLAN 1 is the default VLAN on all Cisco switches. The VLAN can't be deleted or changed, and it is not advertised by VTP as it does not need to be: it is a default and can't be removed or changed.

VLANs 2 to 1001 are normal range VLANs for allocation.

VLANs 1002 to 1005 are used for FDDI and TR (Token Ring) translational bridging and shouldn't be used for anything other than these purposes; they are also not advertised by VTP.

VLANs 1006 to 4094 are extended range VLANs, which can't be advertised by VTP; the switch must be configured in VTP transparent mode.

It's also an interesting point that when a switch starts up it checks the VTP mode and domain name in the startup-config and the vlan.dat file; if they differ it ignores the startup-config and only uses the vlan.dat file.