On trunks, 802.1Q does not tag frames sent inside the native VLAN, and assigns all received untagged frames to the native VLAN. The native VLAN feature allows a switch to attempt to use 802.1Q trunking on an interface, but if the other device does not support trunking, the traffic for that one native VLAN can still be sent over the link.It is absolutely necessary that the native VLANs on both ends of a trunk link match; otherwise a native VLAN mismatch occurs, causing the two VLANs to effectively merge.
As a best practice, on each trunk, its native VLAN should be changed from VLAN 1 to a different VLAN, and this VLAN should not be used for any other purpose except being configured as a native VLAN. This prevents users from attempting a VLAN hopping attack by sending double-tagged frames that would be detagged on trunks if the top tag matches the trunk’s native VLAN
DTP modes - Dynamic auto: The port will negotiate the mode automatically; however, it prefers to be an access port. Dynamic desirable: The port will negotiate the mode automatically; however, it prefers to be a trunk port.
While DTP and VTP are independent protocols, DTP carries the VTP domain name in its messages. Switches will successfully negotiate the link operating mode only if the VTP domain name on both switches is the same, or one switch has no VTP domain name configured yet (that is, it uses a NULL domain name).
Commands to check trunk
show interfaces trunkshow interfaces f0/1 trunk
show interfaces f0/1 switchport
show dtp
Configuring Trunk on Routers
Use subinterface numbers starting with 1; the subinterface number 0 is the physical interface itself (for example, interface Fa0/0.0 is the Fa0/0 itself).You can configure 802.1Q native VLANs under a subinterface or under the physical interface on a router. If they are configured under a subinterface, you use the encapsulation dot1q vlan-id native subcommand.If not configured on a subinterface, the router assumes that the native VLAN is associated with the physical interface. In this case, the encapsulation command is not needed nor supported under the physical interface; the associated IP address, however, would need to be configured under the physical interface.
ISL configuration with no native VLAN
#interface f0/0
#no shut
#interface f0/0.1
#encapsulation isl 21
#ip address 10.1.21.1 255.255.255.0
#interface f0/0.2
#encapsulation isl 22
#ip address 10.1.22.1 255.255.255.0
802.1Q configuration with native VLAN (vlan21) on physical interface
#interface f0/0
#ip address 10.1.2.1.1 255.255.255.0
#no shut
#interface f0/0.2
#encapsulation dot1q 22
#ip address 10.1.22.1 255.255.255.0
VLAN Trunking Protocol
VTP advertises VLAN configuration information to neighboring switches so that the VLAN configuration can be made on one switch, with all the other switches in the domain learning the VLAN information dynamically. VTP advertises the VLAN ID, VLAN name, and VLAN type and state for each VLAN.
In VTPv1 and VTPv2, a transparent switch whose VTP domain was NULL (that is, unconfigured) forwarded all VTP messages happily. A transparent switch with a configured domain forwarded VTP messages only if their domains matched.
One of the enhancements in VTPv3 is - The server role has been modified: There are two server types in VTPv3: primary and secondary. A primary server is allowed to modify VTP domain contents, and there can be at most one primary server per VTP domain at any time. A secondary server (often called just a server) is not allowed to modify VTP domain contents, but it can be promoted to the role of primary server, retaking the role from the existing primary server if it exists.
VTPv1 and VTPv2 use four types of messages
Summary Advertisement: This message is originated by VTP Server and Client switches every 5 minutes and, in addition, after each modification to the VLAN database. This message carries information about VTP domain name, revision number, identity of the last updater, time stamp of the last update, MD5 sum computed over the contents of the VLAN database and the VTP password (if configured), and the number of Subset Advertisement messages that optionally follow this Summary Advertisement. Summary Advertisement messages do not carry VLAN database contents.
Subset Advertisement: This message is originated by VTP Server and Client switches after modifying the VLAN database. Subset Advertisements carry full contents of the VLAN database.
Advertisement Request: This message is originated by VTP Server and Client switches to request their neighbors send the complete VLAN database or a part of it.
Join: This message is originated by each VTP Server and Client switch periodically every 6 seconds if VTP Pruning is active.
Cisco switches default to use VTP server mode, but they do not start sending VTP updates until the switch has been configured with a VTP domain name.
At that point, the server begins to send its VTP updates, with an updated database and revision number each time its VLAN configuration changes. However, the VTP clients actually do not have to have the VTP domain name configured. If not configured yet, the client will assume that it should use the VTP domain name in the first received VTP update.
MD5 hash is computed from vlan database and own VTP pasword. The receiving switch computes its own MD5 hash over the contents of the VLAN database reconstituted from these messages and its own VTP password, and compares it to the MD5 hash value indicated in the Summary Advertisement.
VTPv3 servers and clients will share their VLAN database only if they agree both on the
domain name and on the identity of a primary server (given by its base MAC address).
Even in VTPv3, a secondary server or a client switch with a higher revision number can overwrite a neighbor’s VLAN database, but for this to occur, these switches must first match on the domain name, primary server’s identity, and VTP password.
The state of two or more server or client switches in a VTPv3 domain having different opinions about the identity of a primary server is called a conflict . Conflicting switches do not synchronize their VLAN databases even if all other VTP parameters match.
A switch newly promoted to the role of a primary server using the vtp primary command will flood its VLAN database to its neighbors, and they will install and flood it further even if the new primary server’s revision number is lower.
VTP Configuration
VTP sends updates out all active trunk interfaces (ISL or 802.1Q) by default.
Interface option specifies the interface whose IP address is used to identify this switch as an updater in VTP updates. By default, a configured IP address from the lowest numbered VLAN SVI interface will be used.
In VTPv3, each switch must be configured individually for version 3 operation.
#vtp version 3
#vtp mode client
cannot create new Vlan on vtp client mode or on normal sever mode
server#do vtp primary
setting vtp pasword with hidden will never display clear text in config
server#vtp password cisco123 hidden
This encrypted string can be used to populate password settings on other switches
server#do show vtp password
VTP Password: 8C70EFBABDD6EC0300A57BE402409C48
After password is configured in the secret form,any attempt to promote a switch to the primary server role will require entering the password in the plain text form. So, without knowing the plaintext form of the password, it's not possible to designate a switch as a primary server.
If using VTPv1 or VTPv2, these additional VLANs cannot be configured in VLAN database mode, nor stored in the vlan.dat(in flash) file, nor advertised through VTP. To configure them, the switch must be in VTP transparent mode. VTPv3 removes these limitations: Both normal- and extended-range VLANs can be advertised by VTPv3. Also, with VTPv3, information about all VLANs is again stored in the vlan.dat file in Flash.