VLAN Trunking Protocol (VTP) domain mismatches are a common source of VLAN propagation failures in switched networks. For the CCNA 200-301 exam (objective 2.1), you must be able to identify, diagnose, and resolve VTP domain mismatches that cause VLAN information to be inconsistent across switches. In real networks, a misconfigured VTP domain can silently prevent VLANs from being advertised, leading to connectivity issues that are difficult to trace. Mastering VTP domain troubleshooting ensures you can quickly restore proper VLAN synchronization.
Jump to a section
Imagine an apartment complex where each building has a mailroom, and a central office distributes mail to all buildings. The complex is divided into 'zones' (VTP domains). Each building's mailroom has a sign that says 'Zone A' or 'Zone B'. The mail carrier only delivers mail to buildings whose sign matches the zone written on the mail. If a building's sign is changed to 'Zone B' but the mail is addressed to 'Zone A', that building never receives any mail. Furthermore, if the central office sends out a new directory of tenants (VLAN database), it only updates buildings in the same zone. A building in 'Zone B' will ignore the new directory even if it desperately needs it. Now, suppose a new building is added and its mailroom sign is accidentally left blank or set to 'Zone C'. That building will be completely isolated from mail delivery and directory updates. The mail carrier doesn't even try to deliver; it just passes by. In VTP terms, the switch with a different domain name silently drops VTP advertisements. The mailroom sign is the VTP domain name configured on each switch. The mail carrier is the VTP advertisement sent over trunk links. The tenant directory is the VLAN database. A blank sign is a switch with no VTP domain configured (default domain name is empty or derived from the switch hostname). A 'Zone C' sign is a switch configured with a completely different domain name. The result: no VLAN synchronization, and the switch operates in isolation, potentially causing VLAN inconsistencies that break connectivity for users connected to that switch.
What is VTP Domain Mismatch?
VTP (VLAN Trunking Protocol) is a Cisco proprietary protocol used to distribute VLAN configuration information across trunk links between switches. VTP operates within a VTP domain — a group of switches that share the same VTP domain name and exchange VLAN information. A VTP domain mismatch occurs when two or more switches connected via a trunk link have different VTP domain names. When this happens, VTP advertisements are not processed, and VLAN information is not synchronized between the switches. This can lead to VLAN inconsistencies, where VLANs created on one switch are not known to another, causing connectivity issues for devices in those VLANs.
How VTP Domain Mismatch Works at the Frame Level
VTP messages are encapsulated in Ethernet frames and sent over trunk links (usually 802.1Q or ISL). The VTP domain name is included in every VTP advertisement (Summary Advertisements, Subset Advertisements, and Advertisement Requests). When a switch receives a VTP advertisement, it first checks the VTP domain name in the message against its own configured VTP domain name. If the names match, the message is processed. If they do not match, the message is silently discarded — no error is logged, no alert is generated. This is by design to prevent accidental VLAN corruption from switches in different administrative domains.
VTP operates in three modes: Server, Client, and Transparent. Only servers and clients participate in VTP advertisement exchange. Transparent switches forward VTP advertisements but do not process them or update their VLAN database.
Key States, Timers, and Defaults
VTP Domain Name: A case-sensitive alphanumeric string (max 32 characters). Default is an empty string (null). If no domain name is configured, the switch will not participate in VTP until a domain name is set (either manually or by learning from a VTP advertisement with a domain name).
VTP Mode: Default is Server mode on most Cisco switches (some newer models default to Transparent).
VTP Version: Default is Version 1 on older switches, but Version 2 is common. Version 2 adds support for Token Ring VLANs and some enhancements. The version must match across the domain for proper operation.
VTP Advertisements: Sent every 5 minutes (default) or immediately when a change occurs. Summary Advertisements include the domain name, revision number, and other info.
VTP Revision Number: A 32-bit number that increments with each VLAN change. A higher revision number indicates more recent information. Switches only accept updates with a higher revision number than their current one.
Verifying VTP Configuration with IOS CLI
To check VTP domain configuration on a switch, use the show vtp status command. Example output:
Switch# show vtp status
VTP Version : 2
Configuration Revision : 5
Maximum VLANs supported locally : 1005
Number of existing VLANs : 10
VTP Operating Mode : Server
VTP Domain Name : COURSEIVA
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x12 0x34 0x56 0x78 ...
Configuration last modified by 192.168.1.1 at 3-1-25 10:00:00
Local updater ID is 192.168.1.1 on interface Vl1 (first interface found)Key fields: VTP Domain Name shows the configured domain. If this differs between switches, mismatch exists. Also check VTP Operating Mode and Configuration Revision.
To see VTP advertisements received and sent, use debug vtp events (enable with caution in production).
Interaction with Related Protocols
VTP operates over trunk links (802.1Q or ISL). A VTP domain mismatch does not affect the trunk itself — the trunk remains up and forwards normal traffic. Only VTP advertisements are dropped. This means that even if VTP is broken, you can still manually configure VLANs on each switch and they will work, provided the VLANs exist on both ends. However, dynamic VLAN propagation is lost.
VTP is often used alongside DTP (Dynamic Trunking Protocol) to automatically form trunks. A domain mismatch can occur if DTP forms a trunk but VTP domains differ.
Common Pitfalls
Case sensitivity: 'DomainA' and 'domaina' are different. Always use consistent case.
Default domain name: If a switch has no domain configured, it will adopt the domain name from the first VTP advertisement it receives. This can cause unexpected mismatches if multiple domains exist.
VTP version mismatch: Even if domain names match, if VTP versions differ (e.g., one switch runs V1, another V2), advertisements may be ignored or cause issues.
VTP password: If a VTP password is configured on one switch but not on another, advertisements are dropped even if domain names match. The password must match on all switches in the domain.
Identify Symptoms of Mismatch
Begin by collecting symptoms. Common signs include: VLANs created on one switch not appearing on another switch connected via trunk; end devices unable to communicate across switches even though they are in the same VLAN; `show vlan` on one switch shows VLANs that are missing on another. Also, `show vtp status` may show different domain names. If VTP is working, the Configuration Revision number should be consistent across switches in the same domain. A mismatch often results in different revision numbers or one switch having a revision of 0 (if it never received updates).
Verify Trunk Status Between Switches
Ensure the link between the switches is a trunk. Use `show interfaces trunk` on both switches. The trunk must be up/up and the allowed VLAN list must include the VLANs in question. If the trunk is down or not a trunk, VTP advertisements cannot traverse. Example: `Switch# show interfaces trunk` shows the trunking mode and allowed VLANs. If the trunk is not established, check DTP settings or manually configure trunking with `switchport mode trunk`.
Check VTP Domain Name on Each Switch
On each switch, run `show vtp status` and examine the 'VTP Domain Name' field. Compare the domain names. If they differ, that is the root cause. Also check for case sensitivity and trailing spaces. If a switch has no domain name (empty), it may have learned a domain from a VTP advertisement, so wait a few minutes. If it remains empty, it is not participating. To change the domain name, use `vtp domain <name>` in global configuration mode.
Verify VTP Mode and Version Consistency
Even with matching domain names, mode and version mismatches can cause issues. Use `show vtp status` to check 'VTP Operating Mode' and 'VTP Version'. For VTP to work, at least one switch must be Server (or Client, but Server is typical). Transparent switches do not participate. Also, VTP version should match (preferably set to Version 2 on all switches using `vtp version 2`). If a switch is in Client mode, it cannot create VLANs locally, so ensure the Server is reachable.
Examine VTP Password Configuration
If a VTP password is configured, it must match on all switches. Run `show vtp password` (if available) or `show running-config | include vtp`. If passwords differ, advertisements are dropped. To set or clear the password, use `vtp password <password>` or `no vtp password`. Note: The password is not shown in cleartext in `show running-config`; it appears as an MD5 hash. Use `show vtp status` to see the MD5 digest; compare digests across switches to detect password mismatches.
Resolve the Domain Mismatch
To fix the mismatch, configure all switches to use the same VTP domain name. On the switch that is misconfigured, enter global configuration mode and issue `vtp domain <correct-domain>`. For example: `Switch(config)# vtp domain COURSEIVA`. This changes the domain name and resets the configuration revision to 0 (in Server mode). Then, if the switch is in Server mode, it will send out advertisements with the new domain. Ensure the VTP mode and version are consistent. After correction, verify with `show vtp status` that all switches now show the same domain name and the configuration revision numbers are synchronized.
Verify VLAN Propagation After Fix
After resolving the mismatch, verify that VLANs propagate correctly. On the server switch, create a test VLAN: `vlan 999` and `name TEST`. Then check the client switches with `show vlan brief` or `show vlan id 999`. The VLAN should appear on all switches in the domain. Also confirm end-to-end connectivity by pinging between devices in the same VLAN across switches. If VLANs still do not propagate, check for VTP pruning, trunk allowed VLAN lists, or a higher revision number on a switch that may be overwriting the database.
In a typical enterprise campus network, VTP is used to simplify VLAN management across dozens of access layer switches. For example, a university may have a core switch acting as VTP Server, and each building's wiring closet switches are VTP Clients. The network team creates VLANs on the core, and they automatically propagate to all edge switches. This saves time and reduces configuration errors. However, a VTP domain mismatch can occur when a new switch is added to the network with a different domain name, perhaps because it was pre-configured for a lab or another site. The network engineer might not notice immediately because the trunk comes up and normal traffic flows, but new VLANs never appear on that switch. This can lead to users being unable to access resources in certain VLANs, causing help desk tickets. The engineer must then use show vtp status on the problematic switch and compare it to the core. A quick fix is to change the domain name with vtp domain <name>. Another common scenario is when two separate VTP domains are accidentally merged via a trunk. For instance, after a merger, two companies connect their networks. If both have VTP domains with the same name but different VLAN databases, a revision number conflict can cause one domain's VLANs to overwrite the other's. To prevent this, it's best to set the domain name to a unique value or disable VTP on the interconnecting trunk using vtp mode transparent on both sides. Performance-wise, VTP advertisements are small and infrequent, so they have negligible impact. However, in large networks with many VLAN changes, the revision number can roll over, but that is rare. Misconfiguration can lead to catastrophic VLAN deletion if a switch with a higher revision number and an empty VLAN database is introduced. This is why many production networks disable VTP or use VTP Transparent mode exclusively. The CCNA exam expects you to be aware of these risks and how to troubleshoot domain mismatches.
The CCNA 200-301 exam objective 2.1 covers 'Configure and verify VLANs and trunking', which includes VTP. However, VTP is not as heavily tested as in previous versions, but it still appears in troubleshooting scenarios. Expect questions that present a scenario where VLANs are not propagating between switches, and you must identify the cause. The most common wrong answers candidates choose are: (1) 'The trunk is down' — but the question may state that trunk is up and normal traffic works. (2) 'VTP pruning is blocking the VLAN' — but pruning only blocks VLANs that have no active ports; it does not prevent propagation. (3) 'The VTP revision number is too low' — while revision number matters, a domain mismatch causes complete silence, not just ignoring updates. (4) 'The switch is in VTP Transparent mode' — Transparent mode forwards advertisements, so VLANs would still propagate if domain matches; mismatch is different. The elimination strategy: if VLANs are not appearing on a switch, first check VTP domain name with show vtp status. If domain names match, then check VTP mode and password. If those match, check trunking. Remember: VTP domain mismatch results in no VTP updates being processed, so the switch will not learn any new VLANs via VTP. Also, be aware of the default domain name behavior: a switch with no domain name will adopt the domain from the first VTP advertisement it receives. This can cause unexpected domain changes. On the exam, you might see output from show vtp status with different domain names or a missing domain. The fix is straightforward: configure the correct domain name. Know the command: vtp domain <name>. Also, know that changing the domain name resets the revision number to 0. This is important because if you change the domain on a Server, it will start advertising with revision 0, and other switches may reject it if they have a higher revision. In that case, you may need to change the domain on all switches simultaneously or set the server to a higher revision by making a VLAN change.
VTP domain mismatch causes VTP advertisements to be silently discarded, preventing VLAN propagation.
Use `show vtp status` to check VTP domain name, mode, version, and revision number.
VTP domain name is case-sensitive and must match exactly on all switches in the domain.
Default VTP mode is Server on most switches; default domain name is empty (null).
VTP advertisements are sent every 5 minutes by default and immediately on VLAN changes.
VTP password, if configured, must match on all switches; use MD5 digest to verify.
Changing the VTP domain name resets the configuration revision to 0.
These come up on the exam all the time. Here's how to tell them apart.
VTP Domain Mismatch
Domain names differ between switches
VTP advertisements are silently dropped
No VLAN propagation occurs
Trunk link remains up
Fix: configure matching domain name
VTP Version Mismatch
VTP versions (1 vs 2) differ
VTP advertisements may be ignored or cause errors
VLAN propagation may fail or be unreliable
Trunk link remains up
Fix: set consistent VTP version with `vtp version 2`
Mistake
VTP domain mismatch causes the trunk link to go down.
Correct
VTP domain mismatch does not affect the trunk link state. The trunk remains up and forwards normal traffic; only VTP advertisements are dropped.
Candidates often assume that any mismatch in a protocol (like VTP) affects the underlying link, but VTP operates at Layer 2 above the trunk.
Mistake
A switch with no VTP domain name cannot learn VLANs via VTP.
Correct
A switch with no VTP domain name will actually adopt the domain name from the first VTP advertisement it receives (if it is in Server or Client mode). This can lead to unexpected domain membership.
This is counterintuitive; many think 'no domain' means no VTP participation, but the switch dynamically learns a domain.
Mistake
VTP Transparent mode switches forward VTP advertisements regardless of domain name.
Correct
VTP Transparent mode switches forward VTP advertisements out all trunk ports, but they do not process them. However, they still check the domain name and will not forward advertisements with a different domain name? Actually, they do forward them regardless of domain name? The correct behavior: Transparent switches forward VTP advertisements received on a trunk out other trunk ports, but they do not update their own VLAN database. They do not check the domain name for forwarding; they just forward. But they will not learn VLANs from mismatched domains. The misconception is that Transparent mode ignores domain mismatch; in reality, they forward, but the next switch may drop if domain mismatches.
The forwarding behavior of Transparent mode is often misunderstood; they are like 'bump in the wire' for VTP.
Mistake
VTP domain mismatch can be resolved by changing the VTP mode to Transparent.
Correct
Changing to Transparent mode only prevents the switch from participating in VTP; it does not resolve the domain mismatch. The switch will still not learn VLANs via VTP, and the mismatch remains for other switches. The correct fix is to change the domain name to match.
Candidates think Transparent mode 'bypasses' the mismatch, but it only stops the switch from participating, not fixing the root cause.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No. VTP domain mismatch does not affect the trunk link state. The trunk remains operational and forwards normal traffic. Only VTP advertisements are dropped because the domain name in the advertisement does not match the receiving switch's domain. This is a common misconception. Always check the trunk with `show interfaces trunk` separately from VTP issues.
Configure all switches in the VTP domain with the same domain name using the `vtp domain <name>` global configuration command. Ensure the name is case-sensitive and matches exactly. Also verify that VTP mode and version are consistent. After changing the domain, the switch's configuration revision resets to 0. You may need to make a VLAN change on the server to increment the revision so that clients accept the update.
The default VTP domain name is an empty string (null). When no domain is configured, the switch will not send VTP advertisements until it learns a domain name from a received VTP advertisement (if in Server or Client mode). Once it learns a domain, it uses that domain name. This can lead to unexpected domain membership if multiple domains exist.
Yes. If a VTP password is configured on one switch but not on another, or if the passwords differ, VTP advertisements are dropped. The symptoms are similar: VLANs do not propagate. To verify, compare the MD5 digest in `show vtp status` across switches. If they differ, passwords are likely mismatched. Use `vtp password <password>` to set the same password on all switches.
Yes, but they must be separated by switches that do not forward VTP advertisements between domains. Typically, you would use VTP Transparent mode on the boundary switches, or disable VTP on the trunk links connecting the domains. If two domains are connected via a trunk, VTP advertisements from one domain will be dropped by switches in the other domain due to domain mismatch, so they remain isolated.
VTP domain mismatch occurs when domain names differ; advertisements are dropped. VTP version mismatch occurs when switches run different VTP versions (1 vs 2). In version mismatch, advertisements may still be processed if the receiving switch supports both versions, but features like Token Ring VLANs are not supported in V1. Cisco recommends using VTP Version 2 for consistency. The fix for version mismatch is to set `vtp version 2` on all switches.
VTP pruning relies on VTP advertisements to inform switches which VLANs are active. If there is a domain mismatch, VTP advertisements are not exchanged, so pruning information is not shared. This can result in unnecessary flooding of VLAN traffic across trunks. However, the immediate symptom is lack of VLAN propagation, not pruning issues.
You've just covered Troubleshoot: VTP Domain Mismatch — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?