In the last post we looked at VLANs and switch ports. One of the details we learned is that a switch port can only exist in one VLAN, so if we want to connect multiple VLANs from one or more switches to a router, we have to use trunks. A trunk can forward the traffic of all VLANs.
You can see in the image above that if the connection to the router were an access port, it could carry only one VLAN. If we make it a trunk, all three VLANs can reach the router from the switch. So a switch port is either an access port or a trunk port.
We have looked at how to configure access ports, but let's take a look at configuring trunk ports.
Note: you can’t actually turn trunk mode off as such; if you change the mode to access, the port is simply no longer trunking.
show interfaces trunk – shows the ports that are trunking and gives details about each trunk (mode, encapsulation, native VLAN, and the VLANs allowed and active on it).
To configure trunking on a per-port basis, we use switchport mode with one of:
- access – turns trunking off and puts the port into access mode
- dynamic auto – will trunk, but only if the remote port initiates it (the remote end must be trunk or dynamic desirable; two dynamic auto ports never form a trunk)
- dynamic desirable – actively tries to form a trunk, and does so if the remote port is trunk, dynamic desirable or dynamic auto
- trunk – forces the port into trunk mode (on switches that support more than one encapsulation you must set switchport trunk encapsulation dot1q first, or the command is rejected)
- switchport nonegotiate – turns off DTP (Dynamic Trunking Protocol) to reduce overhead and prevent dynamic trunk changes. It can only be applied to a port whose mode is fixed as access or trunk, and it should be applied to every such port: a port left in either dynamic mode will form a trunk with whatever device on the other end asks for one, so user-facing ports should be access plus nonegotiate.
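To see which ports on a switch are still open to DTP negotiation, here is a small audit script. It is an added example, not code from the original post: it parses a constructed running-config excerpt in the IOS syntax used above (switchport mode ... and switchport nonegotiate), classifies each port, and emits the lines that would pin its mode and silence DTP. The platform default mode for a port with no switchport mode line is an assumption (DEFAULT_MODE); newer Catalyst models default to dynamic auto and older ones to dynamic desirable, and either way DTP is running, which is what the audit flags.

```python
"""Audit switchport mode and DTP state from a Catalyst-style running-config.

Added example (not code from the original post). It assumes the IOS syntax
used in the post: 'switchport mode {access|trunk|dynamic auto|dynamic
desirable}' and 'switchport nonegotiate'. The config below is constructed.
"""
import re

# Constructed sample config. Gi0/1 and Gi0/2 are configured the way we want;
# Gi0/3 has no 'switchport mode' line at all; Gi0/4 was set to dynamic
# desirable; Gi0/5 is a trunk that still runs DTP.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to R1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description user desk 12
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description printer
 switchport access vlan 30
!
interface GigabitEthernet0/4
 description lab
 switchport mode dynamic desirable
!
interface GigabitEthernet0/5
 description uplink to SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

# Assumption: the mode a port has when the config shows no 'switchport mode'
# line. Newer Catalyst models default to 'dynamic auto', older ones to
# 'dynamic desirable'; both leave DTP running, which is what the audit flags.
DEFAULT_MODE = "dynamic auto"

MODE_RE = re.compile(r"^\s*switchport mode (access|trunk|dynamic auto|dynamic desirable)\s*$")
VLAN_RE = re.compile(r"^\s*switchport access vlan (\d+)\s*$")


def parse_interfaces(config):
    """Return {interface: {'mode', 'nonegotiate', 'access_vlan'}} per block."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"mode": DEFAULT_MODE,
                                   "nonegotiate": False,
                                   "access_vlan": None}
        elif current is None or line.startswith("!"):
            current = None                    # end of an interface block
        elif MODE_RE.match(line):
            interfaces[current]["mode"] = MODE_RE.match(line).group(1)
        elif VLAN_RE.match(line):
            interfaces[current]["access_vlan"] = int(VLAN_RE.match(line).group(1))
        elif line.strip() == "switchport nonegotiate":
            interfaces[current]["nonegotiate"] = True
    return interfaces


def classify(port):
    """'negotiable' if a device on the port can bring up a trunk via DTP,
    'dtp-on' if the mode is fixed but DTP frames are still sent, else 'ok'."""
    if port["mode"] in ("dynamic auto", "dynamic desirable"):
        return "negotiable"
    if not port["nonegotiate"]:
        return "dtp-on"
    return "ok"


def audit(config):
    """Map every interface in the config to its classification."""
    return {name: classify(port) for name, port in parse_interfaces(config).items()}


def hardening_lines(name, port):
    """IOS lines that pin the port's mode and silence DTP. A dynamic port is
    treated as a user port and forced to access; a real uplink should get
    'switchport mode trunk' instead."""
    if classify(port) == "ok":
        return []
    lines = [f"interface {name}"]
    if port["mode"] in ("dynamic auto", "dynamic desirable"):
        lines.append(" switchport mode access")
        if port["access_vlan"] is not None:
            lines.append(f" switchport access vlan {port['access_vlan']}")
    if not port["nonegotiate"]:
        lines.append(" switchport nonegotiate")
    return lines


if __name__ == "__main__":
    ports = parse_interfaces(SAMPLE_CONFIG)
    for name, status in audit(SAMPLE_CONFIG).items():
        print(f"{name:22} {ports[name]['mode']:18} {status}")
        for fix in hardening_lines(name, ports[name]):
            print("   ", fix)
```

Run against a real show running-config dump, the script reports Gi0/3 and Gi0/4 as negotiable (the printer port because it was never given a mode at all) and Gi0/5 as a trunk that still sends DTP; only the two ports that combine a fixed mode with nonegotiate come back clean.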
So now that we have trunks connecting our switches and routers, the switches need to know about each other’s VLANs. Also, some VLANs may span two or more switches, and we don’t want to configure all of that by hand on every switch. There is a mechanism for the switches to communicate all of this automatically, and it is called VTP (VLAN Trunking Protocol).
VLAN Trunking Protocol (VTP)
The first thing to note about VTP is that it is Cisco proprietary.
VTP Domains – a named group of switches. The domain is configured per switch. If VTP is running, a domain name must be set; a switch that has no domain name yet will adopt the first one it hears in an advertisement over a trunk, so set it deliberately. Domain names are case sensitive – beware.
Within a VTP domain each switch is configured in one of 3 VTP modes:
- Server – can create, modify or delete VLANs, and advertises them to the rest of the domain.
- Client – receives VLAN info but cannot create, modify or delete VLANs.
- Transparent – forwards VTP advertisements but does not process them. Its VLANs are locally significant only; its VLAN info is not passed to other servers or clients.
Note: in all three modes, ports can still be assigned to or removed from a VLAN locally; VTP distributes the VLAN list, not the port assignments.
Communication from server to client and server to server uses the Summary Advertisement, a packet sent every 5 minutes or immediately upon a change.
A VTP server stores the VLAN configuration in NVRAM, so after a reload the information is available immediately. A client does not, and must get its VLAN configuration from a summary advertisement.
VTP Revision Numbers
Every time a VTP server sends out a summary advertisement, it attaches a configuration revision number. This is to ensure that the information received by the other switches in the domain is the latest and greatest. When another server or client receives a summary, it compares the incoming revision number with its own: if the incoming one is greater, it adopts that information; if not, it ignores the advertisement. The comparison is purely numeric, so a switch that joins the domain carrying a higher revision number will have its VLAN list adopted by everyone else, even if that list is older or shorter. Before connecting a previously used switch, reset its revision number to zero (changing the VTP domain name, or switching the mode to transparent and back, does this) and check it with show vtp status.
We can authenticate our VTP information with the command vtp password. As always, the password is case sensitive. You might expect service password-encryption to hide the clear-text password, but this is the one password it does not cover: it is kept with the VLAN database rather than in the running-config, and show vtp password prints it in the clear. Yeah – maybe in the next version of VTP (VTP version 3 does add a hidden option to vtp password, which stores only a hash).
Also be aware that if we set a password, we have to configure the same password on every switch in the VTP domain; a switch with a different password cannot verify the advertisements and ignores them.
One of the problems with trunks is that they forward broadcast and multicast packets from all VLANs on that switch, regardless of whether the destination switch even has those VLANs. This of course is a big waste of bandwidth and resources, so how do we limit this? We have a whole post about that…