VTP v2 Transparent Mode: Mismatched Domain Names Cause Advertisements To Be Dropped

Cisco’s documentation on VTP version 2 transparent mode states that it will pass VTP messages without inspecting the domain name. Let’s verify this for ourselves. We are going to use the simple topology below to test this.

Let’s start with a basic configuration for all three switches that we know will work. Let’s make SW1 the VTP server. Here is what we will start with on SW1.

SW1#conf t
SW1(config)#vtp version 2
SW1(config)#vtp mode server
SW1(config)#vtp domain CISCO
SW1(config)#end
SW1#

For SW2 and SW3, we will start off configuring them as clients so we can verify that VTP is working normally. We will use the same config below for both of these switches.

SW2#conf t
SW2(config)#vtp version 2
SW2(config)#vtp mode client
SW2(config)#vtp domain CISCO
SW2(config)#end
SW2#

Here is the VTP status of the switches in our topology.


Only the default VLANs currently exist on these switches. Let’s add VLANs 10, 20, and 30 to verify that VTP is working across all three switches. I will use the following commands on SW1 only to create three VLANs.

SW1#conf t
SW1(config)#vlan 10
SW1(config-vlan)#vlan 20
SW1(config-vlan)#vlan 30
SW1(config-vlan)#end
SW1#

Those VLANs should now be created on SW1, and SW1 should have sent VTP messages, one for each VLAN change, to SW2. SW2 should, in turn, forward the VTP messages to SW3. Let’s verify.

It appears that VTP is working. The new VLANs have propagated to all switches in the topology, and the configuration revision number (3) matches on all three switches.

Now, let’s test SW2 in transparent mode. We will change SW2 to transparent mode and the VTP domain to PACKETPUSHERS. Then on SW1, we will add VLANs 40, 50, and 60. If VTP version 2 in transparent mode does not inspect the domain name, then SW3 should get the new VLANs, and its configuration revision number should match SW1. Here are the changes I will make.

SW2:

SW2#conf t
SW2(config)#vtp mode transparent
SW2(config)#vtp domain PACKETPUSHERS
SW2(config)#
SW2(config)#end
SW2#

SW1:

SW1#conf t
SW1(config)#vlan 40
SW1(config-vlan)#vlan 50
SW1(config-vlan)#vlan 60
SW1(config-vlan)#end
SW1#

With those configuration changes complete, let’s verify and see what our VLAN databases look like now.

From this output, we can see the VLANs have been created on SW1, but they do not exist on SW2 or SW3. We don’t expect to see them on SW2 because it is in transparent mode, but SW2 should pass them on to SW3. However, SW3 does not have the new VLANs, nor has its VTP revision number changed. The documentation clearly states that in VTP version 2 a switch in transparent mode will not inspect the domain name, but we can see from this test that it does appear to inspect the domain name and does not pass along messages that do not match its configured domain name.

Let’s do one more test. I will configure the same domain name on SW2, but leave it in transparent mode. Then on SW1 I will add VLAN 70. Here are the commands that I will use.

SW2:

SW2#conf t
SW2(config)#vtp domain CISCO
SW2(config)#end
SW2#

SW1:

SW1#conf t
SW1(config)#vlan 70
SW1(config-vlan)#end
SW1#

Now let’s see what our VLAN databases look like.

So, the only thing we changed was to make the VTP domain name match on SW2, which remained in VTP transparent mode.
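The relay behaviour seen in the second and third tests can be turned into a configuration audit. The following is an added example, not part of the original post: it parses three fields from `show vtp status` text and flags transparent switches that would stop advertisements from reaching switches behind them. The function names, the linear server-first chain, and the sample revision numbers are assumptions made for the illustration.

```python
import re

# Only fields that `show vtp status` prints; VTP domain names are case-sensitive.
FIELDS = {
    "mode": r"VTP Operating Mode\s*:[ \t]*(\S+)",
    "domain": r"VTP Domain Name\s*:[ \t]*(\S*)",
    "revision": r"Configuration Revision\s*:[ \t]*(\d+)",
}

def parse_vtp_status(text):
    """Extract mode, domain and configuration revision from `show vtp status` text."""
    out = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"missing field: {key}")
        out[key] = m.group(1)
    out["mode"] = out["mode"].lower()
    out["revision"] = int(out["revision"])
    return out

def audit_chain(chain):
    """chain: ordered [(name, status_text)], VTP server first (assumed linear path).
    Returns (blockers, stale)."""
    parsed = [(name, parse_vtp_status(text)) for name, text in chain]
    server = parsed[0][1]
    blockers, stale, blocked = [], [], False
    for name, st in parsed[1:]:
        if st["mode"] == "transparent":
            # Behaviour observed in the post: relay only when the domain matches.
            if st["domain"] != server["domain"]:
                blockers.append(name)
                blocked = True
        elif blocked or st["revision"] < server["revision"]:
            stale.append(name)
    return blockers, stale

def status(mode, domain, rev):
    """Build a constructed status excerpt (sample data, not output from the post's lab)."""
    return (f"VTP Domain Name : {domain}\nVTP Operating Mode : {mode}\n"
            f"Configuration Revision : {rev}\n")

# Constructed inputs mirroring the second and third tests; revision values are assumed.
MISMATCH = [("SW1", status("Server", "CISCO", 6)),
            ("SW2", status("Transparent", "PACKETPUSHERS", 0)),
            ("SW3", status("Client", "CISCO", 3))]
MATCHED = [("SW1", status("Server", "CISCO", 7)),
           ("SW2", status("Transparent", "CISCO", 0)),
           ("SW3", status("Client", "CISCO", 7))]

if __name__ == "__main__":
    print(audit_chain(MISMATCH))
    print(audit_chain(MATCHED))
```
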

While documentation is good, it is not always completely accurate. Before you start configuring something in production or on a lab exam, be sure you know how it really works.

Charles Galler

Charles is a network and UC engineer for a mainly Cisco reseller. He has worked in the networking industry for about 13 years. He started as a network administrator for a small CLEC (carrier) where he did it all in IT and worked on the carrier network. After the CLEC, Charles went to work for a large healthcare organization in the Houston area and stayed with them for about three and a half years. Now he works for a reseller in the professional services part of the organization. He is currently studying for his CCIE in Routing and Switching and plans on passing it before the end of 2014. You can find him on Twitter @twidfeki.

  • http://www.facebook.com/ygunsburg Yosef Gunsburg

    So according to this, one cannot just set an intermediate switch to transparent mode and expect other switches to receive proper updates. The intermediate switch must be configured with the same VTP domain as the other switches, even though the transparent switch is merely forwarding the updates. Interesting. Nice catch!

    • Charles Galler

      I like to put everything in transparent mode and manually create the VLANs on the switches that I know need the VLANs. Also prune the VLANs manually where I know they need to be pruned.

      • arteq

        definitely the way to go… vtp is a complete waste of effort, and utterly irrelevant… one day cisco will finally allow vtp to quietly expire like isl…. also, anyone using dtp should seek therapy…

  • http://twitter.com/danieldibswe Daniel Dib

    Another interesting thing is that DTP relies on the VTP domain name as well. So you can have trunks not forming if there is a mismatch. I always hardcode my trunks but I was very surprised by that the first time I saw it.

    • Charles Galler

      I always hardcode my trunks as well, but I have heard of this issue too.

  • http://libertysys.com.au/ Paul Gear

    This post hardens my resolve to permit only switches which support GVRP on my networks.

    • Charles Galler

      Or not use dynamic protocols to create VLANs.

  • john

    what model switch and what IOS version did you test this on? can you confirm whether this is the behaviour on different platforms and code versions? what documentation were you referencing?

    • john

      sorry, found the link to the doc. it was software config guide for 3560 IOS 12.2(52)SE

    • Charles Galler

      I have tried it on 3560s, 3750s, and 3550s. I haven’t tried it on other models. The documentation on the 3560 platform that is linked at the beginning of the post specifically says it will pass the VTP messages on that platform.

  • Kumar

    Q1) If sw2 doesn’t have vlan 70, will vlan 70 on sw1 be able to communicate with sw3?

    Q2) If sw1 is in domain CISCO server mode with vlan 10,20,30, sw2 is in domain BYPASS server mode vlan 10,20 and sw3 is in domain CISCO server mode vlan 10,20,30,
    will vlan 30 in sw1 be able to reach vlan 30 in sw3?