Wednesday, January 20, 2010

BCMSN Lab - Basic Switch Configuration III [CCNA Rev]

Step 3 - Base Configuration - VTP (VLAN Trunking Protocol)

VTP automatically propagates the VLANs you created on S1 to the other switches in the LAN over trunk links, which run either 802.1Q tagging or ISL, Cisco's proprietary trunking protocol.

Steps towards setting up VTP:

Actually, before jumping onto step 3, always verify the VTP status of your switch and its 'configuration revision' (show vtp status). In case there are pre-configured VLANs there, you need to delete them. You can do so by deleting the file 'vlan.dat' located in flash (not in running-config or NVRAM).
If you do a write erase, the switch still keeps the vlan.dat file (holding all existing VLAN info). It also corrupts the vlan.dat file if you simply do a write erase and then add in new VLAN info, so the best bet is to do a write erase AND delete the vlan.dat file, after which it works like a charm. Following is the command to reset the switch and delete all existing VLAN data (surprisingly not a very well documented command):

S1#delete flash: vlan.dat (and reboot).

(1) VTP Domain Name - Set up a VTP domain name. This is extremely crucial, as it prevents someone from bringing in their own switch which, upon being connected, could override the existing VLAN setup should the new switch carry a higher revision number.

(2) VTP Mode - Set up VTP in 'server' mode on the primary switch, the one connecting to most areas (and the one likely to connect also to the distribution layer switch, a.k.a. the Layer 3 switch or a router). All the other switches should be set to 'client' mode, following best practice. At times it can be tempting to simply change a switch's mode from 'client' to 'server' in order to, say, add another VLAN. Don't. The best way is to refer to proper documentation, log in to the primary switch and make the change from there; otherwise the end result is likely one where all switches in the area are running in VTP server mode, whereupon any network administrator with access to even one of those switches can create havoc if they don't realise what they are doing (i.e. remove VLANs etc.).

I'm against running all switches in VTP server mode. However, if one chooses to go for that option, they could use the 'vtp pruning' ability to restrict VTP broadcasts in unused VLANs should they run VTP in server mode on ALL switches in their LAN.

There is also 'transparent' mode, where the switch maintains its own VLAN table and ignores VTP information but still passes it on to other switches connected or daisy-chained to it.

(3) VTP Password - Optional and rarely used. I particularly don't use this myself and wouldn't recommend it to anyone else either, but basically a switch won't participate in the VTP process unless it has the right password along with the right VTP domain name. If the VTP domain name you use in your corporate/branch network is blatantly obvious, or such an extremely common word that the chance of a random external switch having the same VTP domain is high, or if you have ever experienced first-hand the destruction caused by VTP and are wary of using it again, go for this option.

Configuration:

Configuring S1

S1#show vtp status
S1#conf t
S1(config)#vtp mode server
S1(config)#vtp domain ccnpcert.tk (If the domain-name on S2 and S3 are null, they will adapt to whatever domain-name the connected switch running in vtp server mode holds.)
S1(config)#vtp password xxx (optional - wouldn't recommend it, as you'd have to manually enter this on S2 and S3, thus more work for the network admin and kind of defeating the purpose of having VTP)
S1(config)#vtp pruning (Note: This will only work if all switches in your LAN are running in 'vtp server mode'. I don't intend to do so for reasons above thus this cmd will be skipped. If however, you do plan to enable pruning with all switches set in server mode then I believe you only need to type this command on 1 of the switches that is running in server mode. This can always be confirmed by running the show vtp status command on the other switches.)
S1(config)#do show vtp status
S1(config)#do wr

Configuring S2

S2#show vtp status (You should be seeing VLANs 10, 20 and 30 - ENGINEERING, MARKETING and SALES)
S2#conf t
S2(config)#vtp password xxx (only if you enabled it on S1; I didn't, so all I need to type is the following command)
S2(config)#vtp mode client (This means VLANs cannot be 'created' on this switch unless the mode is changed back to server. If some fellow network admin working under you can't be trusted, you can enable the VTP password as well. In case he tries to mess up the network by creating or deleting your VLANs, he'd not only have to change the mode with that one command but would also need the right 'password', because for the switch to participate in the VTP process it'd need to be in the correct domain and have the right password if the latter is enabled. The upside is that it's much more secure; the downside is that you'd need to type this command on all switches participating in the VTP process.)
S2(config)#do wr

Configuring S3

S3#show vtp status
S3#conf t
S3(config)#vtp mode client
S3(config)#do wr
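The steps above (domain name set, exactly one server, clients elsewhere) and the S1/S2/S3 configuration are easy to get wrong on a switch you forgot about, so here is a small audit script that reads "show vtp status" output from each switch and flags the conditions this post warns about: a null domain (which will adopt whatever a server advertises), a non-primary switch left in server mode, and a configuration revision higher than the primary's (which would overwrite the domain's VLAN database). This is an added example, not code from the original post; the four captured outputs are constructed and only modelled on the field names Cisco IOS prints, S1 is assumed to be the designated server as in the post, and parse_vtp_status/audit_vtp are hypothetical names.

```python
import re

# Constructed "show vtp status" output for four switches. The field names
# follow what Cisco IOS prints; the values are made up for this example.
SAMPLE_STATUS = {
    "S1": (  # designated primary: server mode, domain set
        "VTP Version                     : 2\n"
        "Configuration Revision          : 5\n"
        "Maximum VLANs supported locally : 255\n"
        "Number of existing VLANs        : 8\n"
        "VTP Operating Mode              : Server\n"
        "VTP Domain Name                 : ccnpcert.tk\n"
        "VTP Pruning Mode                : Disabled\n"
    ),
    "S2": (  # healthy client
        "VTP Version                     : 2\n"
        "Configuration Revision          : 5\n"
        "Number of existing VLANs        : 8\n"
        "VTP Operating Mode              : Client\n"
        "VTP Domain Name                 : ccnpcert.tk\n"
        "VTP Pruning Mode                : Disabled\n"
    ),
    "S3": (  # left in server mode with a higher revision than S1
        "VTP Version                     : 2\n"
        "Configuration Revision          : 12\n"
        "Number of existing VLANs        : 5\n"
        "VTP Operating Mode              : Server\n"
        "VTP Domain Name                 : ccnpcert.tk\n"
        "VTP Pruning Mode                : Disabled\n"
    ),
    "S4": (  # fresh out of the box: null domain, factory default server mode
        "VTP Version                     : 2\n"
        "Configuration Revision          : 0\n"
        "Number of existing VLANs        : 5\n"
        "VTP Operating Mode              : Server\n"
        "VTP Domain Name                 :\n"
        "VTP Pruning Mode                : Disabled\n"
    ),
}

# Each status line is "Key : Value"; the key may contain spaces and the value may be empty.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>.*)$")


def parse_vtp_status(text):
    """Reduce one switch's show vtp status output to the fields the audit needs."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return {
        "mode": fields.get("VTP Operating Mode", "").lower(),
        "domain": fields.get("VTP Domain Name", ""),
        "revision": int(fields.get("Configuration Revision", "0")),
        "pruning": fields.get("VTP Pruning Mode", "").lower() == "enabled",
    }


def audit_vtp(statuses, primary="S1"):
    """Return a list of findings, comparing every switch against the designated server."""
    parsed = {name: parse_vtp_status(text) for name, text in statuses.items()}
    ref = parsed[primary]
    findings = []
    if ref["mode"] != "server":
        findings.append(f"{primary}: designated primary is not in server mode")
    for name, st in parsed.items():
        if not st["domain"]:
            findings.append(f"{name}: VTP domain is null; it will adopt the first domain a server advertises")
        elif st["domain"] != ref["domain"]:
            findings.append(f"{name}: domain {st['domain']!r} differs from {ref['domain']!r}")
        if name != primary and st["mode"] == "server":
            findings.append(f"{name}: running in server mode; client mode expected")
        # Only switches in the same domain exchange advertisements, so the
        # revision comparison is meaningful only when the domains match.
        if st["domain"] == ref["domain"] and st["revision"] > ref["revision"]:
            findings.append(
                f"{name}: configuration revision {st['revision']} exceeds {primary}'s "
                f"{ref['revision']}; its VLAN database would overwrite the domain's"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_vtp(SAMPLE_STATUS):
        print(finding)
```

Run it against real captures by replacing the dictionary values with the text of "show vtp status" from each switch; the script needs nothing beyond the standard library. The revision check is the one that matters most: it is the exact condition under which a stray switch, in the same domain and with a higher revision, would push its VLAN table onto everything else.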

And that's it. Well, that's all we were tested on for the CCNA. There's a bit more about VTP in the BCMSN for CCNP; I'll be covering that in the following post.
