VTP : Moving to another VTP domain

We use VTP to propagate VLAN definitions to all of our switches. There are cons to the use of VTP, but I feel the benefit of not having to configure the VLANs on dozens of switches (or more) can sometimes outweigh the risk that comes with using a protocol that can wipe your entire VLAN database in seconds when misconfigured: a server or client that joins a domain with the matching domain name and password and a higher configuration revision number overwrites the VLAN database on every switch in that domain. I felt I needed to make that statement because there is a risk and you should know about it; make sure you know the pros and cons of this protocol before you implement it by reading the Cisco documentation.

As you may know, your switches need to be in the same VTP domain to have the VLAN definitions propagated between them. At our company we normally create a separate network for larger customers. The customer has its own dedicated switches, routers, firewalls, etc. This also means we use a unique VTP domain for the customer, and normally there is no layer 2 link between us and the customer. But sometimes there are exceptions. Maybe a customer started small in a shared rack and grew to where a dedicated platform makes sense.
We had one such case recently, and one of the challenges we faced was dedicating some switches to the customer and moving them to their own VTP domain while keeping a layer 2 link to our network. The layer 2 link is needed temporarily as an in-between solution until the last shared VLAN can be phased out.
So, we need to move some switches to their own VTP domain without losing their existing VLAN definitions and without downtime. A nice project to test in a lab.

Here is the lab we used (image: vtp_lab, not reproduced here; the cabling between sw1, sw2 and sw3 can also be read from the show cdp neighbors output further down):

sw1 is the current VTP server for the Corp domain:

sw1#sh vtp st
VTP Version                     : 2
Configuration Revision          : 12
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 10
VTP Operating Mode              : Server
VTP Domain Name                 : Corp
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x90 0x10 0xAA 0x3C 0x56 0x94 0x8F 0x34
Configuration last modified by 0.0.0.0 at 3-1-93 00:10:41
Local updater ID is 0.0.0.0 (no valid interface found)

On a VTP client we see this:

sw4#sh vtp st
VTP Version                     : 2
Configuration Revision          : 12
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 10
VTP Operating Mode              : Client
VTP Domain Name                 : Corp
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x90 0x10 0xAA 0x3C 0x56 0x94 0x8F 0x34
Configuration last modified by 0.0.0.0 at 3-1-93 00:10:41

These are the VLANs we have:

sw4#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Gig0/1, Gig0/2
10   dmz                              active
20   office                           active
30   management                       active
40   cust1                            active
50   cust2                            active

The goal of this lab is to move sw3 and sw2 to the VTP domain "Cust" while keeping the existing VLANs in the process. The documentation states that to do so we first need to put sw3 and sw2 in VTP transparent mode and then move them to another VTP domain. In transparent mode a switch keeps its VLAN database locally but neither sends nor acts on VTP advertisements, and both the switch to transparent mode and the change of domain name reset the configuration revision to 0, so the moved switch cannot turn up in either domain with a revision high enough to overwrite anything.
Let's test it.
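The revision-number rule above is worth checking mechanically before a switch is trunked into a production domain, and the same parser can confirm that the transparent-then-new-domain sequence did what the documentation promises. The following Python script is an added example and not part of the original post; it parses the 'show vtp status' text as printed by the switches in this post (the sw1 and sw3 outputs are copied from the post, the "stale client" output is constructed for the example) and applies both checks.

```python
"""Pre-flight checks around a VTP domain move.

Added example, not code from the original post. It parses 'show vtp status'
output (IOS 12.x layout, as shown in the post) and applies two rules:

  1. A server or client in the same domain, with the same MD5 digest (same
     VLAN database secret, i.e. password) and a higher configuration revision
     than the domain's server, overwrites the VLAN database of every switch in
     that domain as soon as a trunk comes up. Never attach such a switch.
  2. After the transparent -> 'vtp domain' -> server/client sequence, the
     switch must show revision 0 in the new domain with a different digest.
"""
import re

# Copied from the post: sw1 (Corp server) and sw3 after the move to Cust.
SW1_CORP = """\
VTP Version                     : 2
Configuration Revision          : 12
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 10
VTP Operating Mode              : Server
VTP Domain Name                 : Corp
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x90 0x10 0xAA 0x3C 0x56 0x94 0x8F 0x34
Configuration last modified by 0.0.0.0 at 3-1-93 00:10:41
Local updater ID is 0.0.0.0 (no valid interface found)
"""

SW3_CUST = """\
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 10
VTP Operating Mode              : Server
VTP Domain Name                 : Cust
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x03 0x21 0x36 0x8E 0xD6 0xED 0xC9 0x39
Configuration last modified by 0.0.0.0 at 3-1-93 00:10:41
"""

# Constructed for this example (not from the post): a spare switch that was a
# Corp client once and still carries a stale but higher revision.
STALE_CORP_CLIENT = """\
VTP Version                     : 2
Configuration Revision          : 37
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 6
VTP Operating Mode              : Client
VTP Domain Name                 : Corp
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x90 0x10 0xAA 0x3C 0x56 0x94 0x8F 0x34
"""

# "Key : value" lines only; the "Configuration last modified" and "Local
# updater ID" lines contain dots and no "key :" prefix, so they are skipped.
_FIELD = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<val>.*)$", re.M)


def parse_vtp_status(text):
    """Turn 'show vtp status' output into the fields the checks decide on."""
    fields = {m.group("key").strip(): m.group("val").strip()
              for m in _FIELD.finditer(text)}
    return {
        "revision": int(fields["Configuration Revision"]),
        "mode": fields["VTP Operating Mode"].lower(),
        "domain": fields["VTP Domain Name"],
        "digest": fields.get("MD5 digest", ""),
    }


def attach_verdict(domain_server, candidate):
    """Decide whether `candidate` may be trunked into `domain_server`'s domain.

    Returns (safe, reason). Only same domain + same digest + higher revision
    can overwrite the domain's VLAN database; everything else VTP ignores.
    """
    if candidate["mode"] == "transparent":
        return True, "transparent switches never advertise a VLAN database"
    if candidate["domain"] != domain_server["domain"]:
        return True, "different domain; advertisements ignored (expect DTP mismatch logs)"
    if candidate["digest"] != domain_server["digest"]:
        return True, "digest differs (other password); advertisements rejected"
    if candidate["revision"] > domain_server["revision"]:
        return False, (f"revision {candidate['revision']} > domain revision "
                       f"{domain_server['revision']}: it would overwrite the domain")
    return True, "same domain, revision not higher than the domain's"


def move_ok(before, after, new_domain):
    """Check the outcome of the transparent -> 'vtp domain' -> server/client sequence."""
    return (after["domain"] == new_domain
            and after["domain"] != before["domain"]
            and after["revision"] == 0
            and after["digest"] != before["digest"])


if __name__ == "__main__":
    corp = parse_vtp_status(SW1_CORP)
    print(attach_verdict(corp, parse_vtp_status(STALE_CORP_CLIENT)))
    print(move_ok(corp, parse_vtp_status(SW3_CUST), "Cust"))
```

The "before" state for sw3 is taken from sw1's output, since revision and digest are the same on every switch in a domain (the sw4 client output above shows this). The stale client is the case that actually hurts: same domain, same password, revision 37 against the domain's 12, and a database with fewer VLANs that would replace the real one.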

First, let's move sw3 to the new domain and make it the VTP server for it:

sw3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
sw3(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
sw3(config)#vtp domain Cust
Changing VTP domain name from Corp to Cust
sw3(config)#vtp password qwe123
Setting device VLAN database password to qwe123
sw3(config)#vtp mode server
Setting device to VTP SERVER mode.

sw3#show vtp status 
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 10
VTP Operating Mode              : Server
VTP Domain Name                 : Cust
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x03 0x21 0x36 0x8E 0xD6 0xED 0xC9 0x39 
Configuration last modified by 0.0.0.0 at 3-1-93 00:10:41
Local updater ID is 0.0.0.0 (no valid interface found)

So sw3 is indeed a VTP server for the domain "Cust", with revision 0 and a new MD5 digest. The digest is computed over the VLAN database together with the VTP password, so Corp and Cust no longer match and advertisements from the other domain are rejected even though the trunk to sw1 stays up. Use something stronger than a lab password like qwe123 in production: the domain name and this password are all that keep a stray switch's advertisements out of your domain. Immediately we get error messages like this:

00:21:41 %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/24 because of VTP domain mismatch.

This means that DTP (Dynamic Trunking Protocol) will not automatically form a trunk because of the domain name mismatch. Something to keep in mind if any link between the two domains relies on a negotiated (dynamic desirable/auto) trunk. But because we hard coded the interface to be a trunk on both sides (with the "switchport mode trunk" command) this is not a problem for us. Let's verify:

sw3#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1
Fa0/24      on           802.1q         trunking      1

So, Fa0/24 is still a trunk. Good! On to sw2:

sw2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
sw2(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
sw2(config)#vtp domain Cust
Changing VTP domain name from Corp to Cust
sw2(config)#vtp password qwe123
Setting device VLAN database password to qwe123
sw2(config)#vtp mode client
Setting device to VTP CLIENT mode.

And here we also get the error message:

00:23:35 %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/1 because of VTP domain mismatch.

We know this not to be a problem, but I'd like to suppress this error message. I will come back to that later in this post. For now, let's verify that sw2 is indeed a client and has been moved to the domain "Cust":

sw2#sh vtp st
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 10
VTP Operating Mode              : Client
VTP Domain Name                 : Cust
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x03 0x21 0x36 0x8E 0xD6 0xED 0xC9 0x39
Configuration last modified by 0.0.0.0 at 3-1-93 00:10:41

Good. sw2 has been moved to the Cust domain and is a VTP client. The revision has been reset to 0 as the documentation said it would, and the MD5 digest now matches sw3's rather than Corp's, which is what keeps Corp advertisements out. Let's check if we still have all the VLANs:

sw2#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Gig0/1, Gig0/2
10   dmz                              active
20   office                           active
30   management                       active
40   cust1                            active
50   cust2                            active

Now let's remove VLANs 10, 20, 30 and 50 from the Cust switches. This is done on sw3 only, the Cust VTP server; sw2 picks the change up through VTP. Before deleting a VLAN, check that no ports on the Cust switches are still assigned to it, because ports in a deleted VLAN go inactive:

sw3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
sw3(config)#no vlan 10
sw3(config)#no vlan 20
sw3(config)#no vlan 30
sw3(config)#no vlan 50
sw3(config)#end
sw3#
%SYS-5-CONFIG_I: Configured from console by console
wr
Building configuration...
[OK]
sw3#

Two things are left to do: check that sw2 has also learned about the removal of VLANs 10, 20, 30 and 50, and check that these VLANs still exist in the Corp VTP domain:

sw2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Gig0/1, Gig0/2
40   cust1                            active

sw4#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
Fa0/6, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Gig0/1, Gig0/2
10   dmz                              active
20   office                           active
30   management                       active
40   cust1                            active
50   cust2                            active

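Comparing the two VLAN databases by eye works for six VLANs; for a real customer migration it is easier to diff them. The following Python script is an added example and not part of the original post: it parses 'show vlan brief' from one switch in each domain (the sw2 before/after and sw4 outputs are copied from the post, with the port continuation lines trimmed), lists the VLANs both domains still share, and emits the "no vlan" commands needed on the Cust server to get down to the single VLAN that is meant to stay shared.

```python
"""Verify which VLANs two VTP domains still share.

Added example, not code from the post. It parses 'show vlan brief' from one
switch in each domain, reports the VLAN IDs present in both, and produces the
'no vlan' commands for the Cust VTP server. VLAN 1 and the reserved VLANs
1002-1005 (which exist on every Catalyst and are counted in "Number of
existing VLANs", though the post's trimmed output does not list them) are
ignored because they cannot be deleted anyway.
"""
import re

# Copied from the post, port continuation lines trimmed to one per sample.
SW2_CUST_BEFORE = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
10   dmz                              active
20   office                           active
30   management                       active
40   cust1                            active
50   cust2                            active
"""

SW2_CUST_AFTER = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
40   cust1                            active
"""

SW4_CORP = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
10   dmz                              active
20   office                           active
30   management                       active
40   cust1                            active
50   cust2                            active
"""

# A VLAN row starts with the numeric ID; header, separator and port
# continuation lines never do, so they fall through.
_ROW = re.compile(r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<status>\S+)", re.M)
RESERVED = {1, 1002, 1003, 1004, 1005}


def parse_vlan_brief(text):
    """Map VLAN ID -> VLAN name."""
    return {int(m.group("id")): m.group("name") for m in _ROW.finditer(text)}


def shared_vlans(db_a, db_b):
    """Non-reserved VLAN IDs present in both databases, sorted."""
    return sorted((set(db_a) & set(db_b)) - RESERVED)


def cleanup_commands(cust_db, corp_db, keep):
    """'no vlan N' for every shared VLAN not in `keep`.

    Run these on the Cust VTP server only (sw3 in the post); clients learn the
    removal via VTP. Ports still assigned to a deleted VLAN go inactive, so
    check 'show vlan brief' on every Cust switch before pasting them in.
    """
    return [f"no vlan {vid}" for vid in shared_vlans(cust_db, corp_db)
            if vid not in keep]


if __name__ == "__main__":
    corp = parse_vlan_brief(SW4_CORP)
    print(cleanup_commands(parse_vlan_brief(SW2_CUST_BEFORE), corp, keep={40}))
    print(shared_vlans(parse_vlan_brief(SW2_CUST_AFTER), corp))
```

Fed the "before" output of sw2, the script produces exactly the four "no vlan" lines typed on sw3 above; fed the "after" output, the only shared VLAN left is 40.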
Nice! We now have two separate VTP domains and we only share VLAN 40 until such time as we can replace the layer 2 link by a layer 3 link and put a firewall in between. No downtime was caused by the change. While that link exists it is worth restricting the trunk between the two domains to the one shared VLAN ("switchport trunk allowed vlan 40" on both ends): with pruning disabled and all VLANs allowed by default, Corp keeps flooding traffic for its other VLANs across the trunk, and sw3 only drops those tagged frames because it no longer knows the VLANs. The one remaining problem is the syslog messages that show DTP complaining about the VTP domain mismatch. The solution is to turn off DTP by hard coding the interface as a trunk and using the "switchport nonegotiate" command on the interfaces that connect to the other VTP domain. As an example we will do this on sw3; first check with CDP which local port faces which neighbour, because the command has to go on the port towards the other domain:

sw3#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID    Local Intrfce   Holdtme    Capability   Platform    Port ID
sw1          Fas 0/24         153                    3560        Fas 0/24
sw2          Fas 0/1          144                    3560        Fas 0/24
sw3#

sw3#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
sw3(config)#interface fastEthernet 0/1
sw3(config-if)#switchport nonegotiate
sw3(config-if)#end
sw3#
%SYS-5-CONFIG_I: Configured from console by console
wr
Building configuration...
[OK]
sw3#

sw3#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1
Fa0/24      on           802.1q         trunking      1

So the interface is still a trunk and the error messages have stopped. Remember to do this on both sides of the trunk. Note that the transcript above put the command on Fa0/1, which CDP shows facing sw2 (the same domain); the port facing sw1 is Fa0/24, so for the sw1-sw3 link the command belongs on sw3's Fa0/24 and on sw1's Fa0/24. Hard coding trunks and turning off DTP is good practice on every trunk, not only across a domain boundary: a port that is willing to negotiate trunking will negotiate it with whatever gets plugged into it.

I hope this post helps you when you find yourself in a similar situation. I'd like to thank Yasar Ertur for his help with this lab. Also, I must mention a blog that I found while refreshing my memory about turning off DTP: it is this CCIE Pursuit blog that helped me remember the "switchport nonegotiate" command.

This entry was posted in Cisco, Networking.