ccie blog

Does VTP transparent mode relay VTP advertisements or not (All Scenarios Tested)?


There has been a lot of controversy about the VTP transparent mode switch, on whether or not it relays VTP information. In the Cisco documentation there is a completely incorrect statement that has caused excessive confusion throughout the networking community. This statement is:

  • “In VTP version 1, a VTP transparent switch inspects VTP messages for the domain name and version and forwards a message only if the version and domain name match. Because VTP version 2 supports only one domain, it forwards VTP messages in transparent mode without inspecting the version and domain name.”

Both statements are invalid. In short, for all scenarios, regardless of VTP version, only the VTP domain names need to match. The VTP version can be different on the transparent switch, but as long as the domain name is the same, the switch will relay the VTP advertisements, as we will see in my testing below. I’m about to use the network below to start my testing. All switches will be put in VTP version 1. Sw1 & Sw3 will be configured as servers, and Sw2 will be configured in transparent mode.

 

 

Sw1#sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : test

 

Sw2#sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Transparent
VTP Domain Name                 : test

 

Sw3#sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 10
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : test

 

Let’s add VLAN 100 on Sw1 and check that Sw3 gets it. This is just a verification step to ensure my VTP domain is working before we start any testing.

Sw1(config)#vlan 100
Sw1(config-vlan)#name vlan100

Sw1#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
100  vlan100                          active

 

Sw3#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
100  vlan100                          active

Ok that’s working just fine. Let’s start doing some testing. The information from the Cisco documentation suggested that Sw2 will not relay VTP info unless it’s got the same version AND domain name. I’m gonna test it first by changing just the domain name (i.e. all VTP versions are the same).

Sw2(config)#vtp domain nottest
Changing VTP domain name from test to nottest
Sw2(config)#end
*Mar  1 01:12:45.817: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to nottest.

Let’s just add a couple of VLANs on Sw1 and see if Sw3 gets them.

Sw1(config)#vlan 200
Sw1(config-vlan)#name vlan200
Sw1(config-vlan)#vlan 300
Sw1(config-vlan)#name vlan300

 

Sw3#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
100  vlan100                          active

As the documentation anticipated, VLANs 200 and 300 haven’t propagated over to Sw3. By checking the debug messages on Sw2, we can see the VTP information is being dropped because the domain name doesn’t match.

Sw2#
*Mar  1 01:19:02.457: VTP LOG RUNTIME: Dropping packet received on trunk Fa0/13 - not in domain test

*Mar  1 01:19:02.457: VTP LOG RUNTIME: Dropping packet received on trunk Fa0/13 - not in domain test

Let’s change the domain name back on Sw2 and get this VTP information flowing over to Sw3 again.

Sw2(config)#vtp domain test
Changing VTP domain name from nottest to test

*Mar  1 01:22:37.130: VTP LOG RUNTIME: Relaying packet received on trunk Fa0/13 - in TRANSPARENT MODE (nc = false)

*Mar  1 01:22:37.147: VTP LOG RUNTIME: Relaying packet received on trunk Fa0/16 - in TRANSPARENT MODE (nc = false)

 

Sw3#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
100  vlan100                          active
200  vlan200                          active
300  vlan300                          active

Good. So VLANs 200 and 300 have now propagated over to Sw3. Let’s finish the testing by leaving the domain name the same, but changing just the VTP version on our VTP transparent mode switch, Sw2.

Sw2(config)#vtp version 2
Sw2(config)#end
Sw2#sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Transparent
VTP Domain Name                 : test
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled

So according to the documentation if I now add a new VLAN on Sw1, it should not propagate to Sw3 because the VTP versions mismatch between the transparent mode switch and the other switches. Let’s test it.

Sw1(config)#vlan 400
Sw1(config-vlan)#name vlan400
Sw1(config-vlan)#end

 

Sw2#
*Mar  1 01:32:33.191: VTP LOG RUNTIME: Relaying packet received on trunk Fa0/13 - in TRANSPARENT MODE (nc = false)

*Mar  1 01:32:33.216: VTP LOG RUNTIME: Relaying packet received on trunk Fa0/16 - in TRANSPARENT MODE (nc = false)

 

Sw3#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
100  vlan100                          active
200  vlan200                          active
300  vlan300                          active
400  vlan400                          active

 

So in my testing here, the version clearly doesn’t matter. The VTP v1 information was relayed by our VTP v2 transparent switch. For completeness of this post, I’ve also tested this in various ways. In the bullet points below, assume Sw1 is the VTP server, Sw2 is in VTP transparent mode, and Sw3 is the VTP client. In every instance, VTP information was never relayed between Sw1 and Sw3 if the VTP domain name was different on Sw2 (the transparent switch). However, if the domain name was the same, then the VTP messages were relayed by the transparent mode switch (and I’ve pretty much tested this with all VTP version combinations).

  • Sw1 (VTPv1) — Sw2(VTPv2) — Sw3(vtpv1)
  • Sw1 (VTPv2) — Sw2(VTPv1) — Sw3(vtpv2)
  • Sw1 (VTPv3) — Sw2(VTPv1) — Sw3(vtpv3)
  • Sw1 (VTPv1) — Sw2(VTPv3) — Sw3(vtpv1)
  • Sw1 (VTPv3) — Sw2(VTPv2) — Sw3(vtpv3)
  • Sw1 (VTPv2) — Sw2(VTPv3) — Sw3(vtpv2)
  • sw1 (VTPv3) — Sw2(VTPv2) — Sw3(vtpv3)

 

So to summarize, the VTP domain MUST match between all switches (for all scenarios no matter what). With regard to the VTP version, a transparent mode switch in any version will be able to relay VTP messages (regardless of the version it needs to relay)! So the server and client can use VTP v3, and the VTP transparent switch (Sw2) in the middle can run VTP v1 and still relay the messages. I did extensive testing with this to make sure 🙂
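The following is an added example, not part of the original post: a small audit script that applies the relay rule observed in the tests above to collected `sh vtp status` output, and tallies the relay/drop debug lines from the transparent switch. The function names and the sample input are constructed for illustration; the field names and debug line format are those shown in the post.

```python
import re
from collections import Counter

def parse_status(text):
    """Parse the 'Key : value' lines of 'sh vtp status' output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def running_version(fields):
    # 'running VTP1 (VTP2 capable)' -> '1'; None if the line is missing
    match = re.search(r"running VTP(\d)", fields.get("VTP Version", ""))
    return match.group(1) if match else None

def check_path(path, statuses):
    """Per the post's tests: a transparent switch blocks relay only on a domain
    mismatch; a version mismatch is noted but does not block. path[0] is the server."""
    parsed = {name: parse_status(statuses[name]) for name in path}
    server = parsed[path[0]]
    blockers, version_diffs = [], []
    for name in path[1:]:
        sw = parsed[name]
        if sw.get("VTP Operating Mode") != "Transparent":
            continue
        if sw.get("VTP Domain Name") != server.get("VTP Domain Name"):
            blockers.append(name)
        elif running_version(sw) != running_version(server):
            version_diffs.append(name)
    return blockers, version_diffs

DEBUG_RE = re.compile(r"VTP LOG RUNTIME: (Relaying|Dropping) packet received on trunk (\S+)")
def tally_debug(lines):
    """Count relay/drop decisions per trunk in the transparent switch's debug log."""
    hits = (DEBUG_RE.search(line) for line in lines)
    return Counter((m.group(1), m.group(2)) for m in hits if m)

def status(version, mode, domain):
    # Builds constructed sample output in the format shown in the post
    return (f"VTP Version                     : running {version}\n"
            f"VTP Operating Mode              : {mode}\n"
            f"VTP Domain Name                 : {domain}\n")
STATUSES = {"Sw1": status("VTP1 (VTP2 capable)", "Server", "test"),
            "Sw2": status("VTP2", "Transparent", "test"),
            "Sw3": status("VTP1 (VTP2 capable)", "Server", "test")}
DEBUG = ["*Mar  1 01:19:02.457: VTP LOG RUNTIME: Dropping packet received on trunk Fa0/13 - not in domain test",
         "*Mar  1 01:32:33.191: VTP LOG RUNTIME: Relaying packet received on trunk Fa0/13 - in TRANSPARENT MODE (nc = false)"]
```

A switch listed in the first returned list stops VLAN changes from reaching anything downstream of it; one listed only in the second still relays, so a transparent switch with a matching domain name is not a VTP boundary.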

5 Comments


Tarun Arora, February 16th, 2017 at 12:31 pm

Hi, this is Tarun.
Suppose I have removed VLAN 1 from the trunk port. Will it receive VTP packets?

StephenGarbett, April 18th, 2017 at 7:21 am

Correct! There is a minimalistic mode that VLAN1 operates in that allows the control traffic to still be sent i.e. DTP, CDP, VTP and PAgP messages.
