CCNA 200-301 | Chapter 28 of 260 | Objective 2.1

VTP Versions and Configuration

VLAN Trunking Protocol (VTP) is Cisco's proprietary protocol for managing VLAN configurations across a switched network. On the CCNA 200-301 exam (objective 2.1), you must understand VTP versions, modes, and the risks of misconfiguration. Real-world engineers often disable VTP to avoid catastrophic VLAN propagation errors, but exam questions still test your knowledge of how VTP works and when to use it safely.

Updated May 29, 2026

Library Card Catalog System

Imagine a library with multiple branches. Each branch has its own set of books (VLANs). The central librarian (VTP server) maintains a master card catalog (VLAN database). When the library acquires new books, the central librarian updates the master catalog and sends updated index cards (VTP advertisements) to all branches. Branches can be set to one of three roles: 'Server' branches can create new books and update the catalog; 'Client' branches can only read the catalog and cannot add books; 'Transparent' branches maintain their own local catalog and pass index cards along but never update their own catalog from the central one. The version of the card catalog system matters: VTP version 1 is like an old system that only understands the basic Dewey Decimal System; VTP version 2 adds support for more book types (like token ring); VTP version 3 is a modern system that allows the central librarian to designate certain book collections as 'private' (VLANs with limited distribution) and even lets branches become 'offline' servers that can be promoted later. The revision number on the index cards is critical: if a branch accidentally sends out a card with a higher revision number that says 'all books are removed', the central librarian trusts it and deletes the entire catalog. This is why real libraries disable automatic catalog updates (VTP) and manually configure each branch.

How It Actually Works

What is VTP and Why Does It Exist?

VLAN Trunking Protocol (VTP) is a Cisco proprietary Layer 2 protocol that allows a network administrator to centrally manage VLAN configurations across multiple switches. Instead of manually creating, deleting, or renaming VLANs on each switch, the administrator configures one VTP server switch, and the changes are automatically propagated to all VTP clients in the same VTP domain. VTP operates over trunk links (802.1Q or ISL) and uses multicast frames (01-00-0C-CC-CC-CC) to exchange VLAN information.

VTP Modes

VTP defines three operational modes:

Server mode (default): A VTP server can create, modify, and delete VLANs. It advertises its VLAN configuration to other switches in the same domain and synchronizes with advertisements from other servers (based on revision number). Changes are stored in NVRAM (VLAN database).

Client mode: A VTP client cannot create, modify, or delete VLANs. It learns VLAN information from VTP advertisements and synchronizes its VLAN database accordingly. Client switches do not store the VLAN database in NVRAM; they lose it on reload unless they receive an advertisement. However, in VTP version 3, clients can store the database locally.

Transparent mode: A VTP transparent switch does not participate in VTP. It maintains its own VLAN database (stored locally in NVRAM) and forwards VTP advertisements out trunk ports, but it does not update its own database based on received advertisements. It can create, modify, and delete VLANs locally, and those changes are not advertised to other switches.

VTP Versions

Cisco CCNA 200-301 covers VTP versions 1, 2, and 3.

VTP Version 1: The original version. Supports only normal-range VLANs (1-1005). Does not support Token Ring or FDDI VLANs. VTP version 1 does not propagate VLAN pruning information.

VTP Version 2: Adds support for Token Ring and FDDI VLANs. Also supports VLAN pruning (propagation of pruning information). VTP version 2 is backward compatible with version 1 (a VTP version 2 switch can operate in a domain with version 1 switches, but the domain must be configured as version 2).

VTP Version 3: Introduces significant enhancements: supports extended-range VLANs (1006-4094), private VLANs, and the ability to have multiple VTP servers in a domain with a primary/secondary model. VTP version 3 also introduces the concept of a 'VTP primary server' – only the primary server can create/modify/delete VLANs. Other servers become secondary and can only be promoted by the primary. VTP version 3 also allows clients to store the VLAN database in NVRAM, preventing loss on reload. Additionally, VTP version 3 supports VTP mode 'off' which completely disables VTP processing (different from transparent mode).

How VTP Works – Step by Step

1. VTP Domain: Switches must be configured with the same VTP domain name to exchange VTP information. Domain names are case-sensitive. A switch ignores VTP advertisements from a different domain.

2. VTP Advertisements: VTP advertisements are sent as multicast frames every 5 minutes (or when a change occurs). The advertisement contains the VTP domain name, configuration revision number, and VLAN information.

3. Configuration Revision Number: This is a 32-bit number that starts at 0. Every time a VLAN is added/deleted/modified on a VTP server, the revision number increments by 1. When a switch receives an advertisement, it compares the revision number with its own. If the received revision number is higher, the switch overwrites its VLAN database with the received information. If lower, the switch ignores the advertisement. If equal, no change.

4. Synchronization: When a VTP client or server (secondary in VTPv3) receives an advertisement with a higher revision number, it synchronizes its VLAN database to match the sender. This can cause entire VLAN databases to be deleted if a switch with a higher revision number but fewer VLANs (e.g., a switch with default configuration) is connected to the network.

5. VTP Pruning: VTP pruning reduces unnecessary broadcast/multicast traffic on trunk links. When enabled, the VTP server informs other switches which VLANs are active on which switch, allowing switches to prune VLANs from trunks that are not needed. VTP pruning is only supported in VTP version 2 and 3.
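The receive rules in steps 1 to 4, together with the mode behaviour described earlier, can be modelled in a few lines. This is an added example, not part of the original chapter and not Cisco code: the `Switch` class, the action strings and the sample fleet are constructed for illustration, and the VTPv3 primary-server role is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    mode: str            # "server", "client", "transparent" or "off"
    domain: str
    revision: int = 0
    vlans: dict = field(default_factory=dict)   # VLAN ID -> VLAN name

    def advertise(self):
        """Build the fields the chapter lists for an advertisement."""
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply one advertisement; return (action, relayed_unchanged)."""
        if self.mode == "off":
            return ("dropped", False)         # v3 off: no send, receive or forward
        if self.mode == "transparent":
            return ("kept-local", True)       # relays the frame, never syncs
        if adv["domain"] != self.domain:      # domain names are case-sensitive
            return ("ignored-domain", False)
        if adv["revision"] <= self.revision:  # lower or equal: no change
            return ("ignored-revision", False)
        lost = sorted(set(self.vlans) - set(adv["vlans"]))
        self.vlans = dict(adv["vlans"])       # the whole database is overwritten
        self.revision = adv["revision"]
        return (f"synced, lost VLANs {lost}" if lost else "synced", False)


def demo():
    """Constructed scenario: a reused lab switch joins with revision 47."""
    prod = {1: "default", 10: "USERS", 20: "VOICE", 30: "SERVERS"}
    lab = Switch("lab-sw", "server", "CCNA", 47, {1: "default"})
    fleet = [
        Switch("core", "server", "CCNA", 12, dict(prod)),
        Switch("access1", "client", "CCNA", 12, dict(prod)),
        Switch("access2", "transparent", "CCNA", 0, dict(prod)),
        Switch("access3", "client", "ccna", 12, dict(prod)),  # wrong case
        Switch("access4", "off", "CCNA", 0, dict(prod)),
    ]
    adv = lab.advertise()
    return {sw.name: (sw.receive(adv)[0], sorted(sw.vlans)) for sw in fleet}


if __name__ == "__main__":
    for name, (action, vlans) in demo().items():
        print(f"{name:8} {action:32} VLANs now {vlans}")
```

Only the server and the client in the matching domain lose VLANs 10, 20 and 30; the transparent, off and mismatched-domain switches keep their databases.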

VTP Configuration and Verification Commands

Configuration Commands:

Set VTP domain: `vtp domain DOMAIN_NAME`

Set VTP password (optional): `vtp password PASSWORD`

Set VTP mode: `vtp mode {server | client | transparent | off}` (off only in v3)

Set VTP version: `vtp version {1 | 2 | 3}`

Enable VTP pruning: `vtp pruning` (must be on server)

Verification Commands:

`show vtp status` – Displays VTP domain, version, mode, revision number, last updater, and pruning status.

`show vtp password` – Displays the VTP password (if configured).

`show interfaces trunk` – Shows trunk interfaces and their allowed VLAN lists.

Example output of `show vtp status`:

```
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : CCNA
VTP Pruning Mode                : Enabled
VTP Traps Generation            : Disabled
Device ID                       : 0a1b.2c3d.4e5f
Configuration last modified by 0.0.0.0 at 3-1-02 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 1005
Number of existing VLANs          : 10
Configuration Revision            : 3
MD5 digest                        : 0x12 0x34 0x56 ...
```

Interaction with Other Protocols

VTP relies on trunk links (802.1Q) to propagate advertisements. It does not interact directly with Spanning Tree Protocol (STP), but VTP pruning can affect STP topology by removing VLANs from trunks. VTP also interacts with DTP (Dynamic Trunking Protocol) because trunk negotiation must succeed for VTP advertisements to pass. In modern networks, VTP is often disabled (set to transparent mode) to avoid accidental VLAN deletion due to revision number mismatches.

Walk-Through

1. Configure VTP domain and mode

The first step is to set the VTP domain name on all switches that should share VLAN information. Use the command `vtp domain DOMAIN_NAME` in global configuration mode. The domain name is case-sensitive and must match exactly. Then set the VTP mode: for the central management switch, use `vtp mode server`; for switches that should learn VLANs, use `vtp mode client`; for switches that should not participate, use `vtp mode transparent`. In VTP version 3, you can also use `vtp mode off` to completely disable VTP. Example: `Switch(config)# vtp domain CCNA` and `Switch(config)# vtp mode server`.

2. Set VTP version

Choose the VTP version that matches your network requirements. Use `vtp version {1 | 2 | 3}`. For CCNA, version 2 is commonly tested. Note that all switches in the domain must support the configured version. If you have a mix of version 1 and version 2 switches, the domain must operate in version 1 (the lower common version). VTP version 3 is backward compatible but requires all switches to support v3. Example: `Switch(config)# vtp version 2`.

3. Configure VTP password (optional)

To prevent unauthorized switches from joining the VTP domain, you can set a VTP password using `vtp password PASSWORD`. The password is used to generate an MD5 digest that is included in advertisements. Switches with a mismatched password will ignore advertisements. Note that the password is case-sensitive and can be up to 64 characters. Example: `Switch(config)# vtp password Cisco123`.

4. Enable VTP pruning (optional)

VTP pruning reduces unnecessary traffic on trunk links by dynamically pruning VLANs that are not active on the remote switch. Enable pruning on the VTP server using `vtp pruning`. Pruning is only supported in VTP version 2 and 3. Once enabled, the VTP server informs other switches of active VLANs, and switches automatically remove unused VLANs from their trunk allowed list. Example: `Switch(config)# vtp pruning`.

5. Verify VTP configuration

Use `show vtp status` to verify the VTP domain, version, mode, revision number, and pruning status. Also use `show vtp password` to confirm the password (if configured). Verify that trunk links are operational with `show interfaces trunk`. Check that the revision number is consistent across switches; a higher revision number on a newly connected switch can cause VLAN database overwrite. Example: `Switch# show vtp status`.

6. Troubleshoot VTP issues

Common VTP problems include: mismatched domain names (check with `show vtp status`), mismatched VTP passwords (check MD5 digest), revision number conflicts (reset revision by changing to transparent mode and back, or by changing domain name), and trunk link issues (ensure trunking is established with `show interfaces trunk`). If a switch loses its VLAN database, it may be because a client received an advertisement with a higher revision number that deleted VLANs. To recover, set the switch to transparent mode, reconfigure VLANs manually, then change back to client mode after resetting the server's revision number.

What This Looks Like on the Job

In enterprise networks, VTP is often considered dangerous and is typically disabled. I've worked in environments where a junior engineer plugged in a switch with a higher revision number and accidentally wiped out the entire VLAN database across hundreds of switches, causing a major outage. For this reason, many organizations set all switches to VTP transparent mode. This allows local VLAN management without the risk of propagation errors.

However, VTP version 3 has mitigated some risks by introducing the primary/secondary server model and the ability to store VLAN databases on clients. In a large campus network with hundreds of switches, VTPv3 can be useful for central management, but it requires careful planning: designate a single primary server, ensure all switches support v3, and use passwords to prevent unauthorized access. VTP pruning is another feature that can be beneficial in large networks to reduce broadcast traffic on trunks, but it adds complexity and is often replaced by manual pruning or using private VLANs.

A common scenario is a data center with top-of-rack switches that need to have the same VLANs. Using VTPv3, the network engineer can configure VLANs on the primary server and have them automatically propagated to all leaf switches. However, due to the risk of misconfiguration, many engineers prefer to use configuration management tools (like Ansible) to push VLAN configurations consistently, rather than relying on VTP.

When VTP is misconfigured, the most common problem is the 'VTP VLAN deletion' scenario: a switch with a higher revision number but fewer VLANs is added to the network, causing all other switches to delete their VLANs. To prevent this, always reset the revision number on a switch before adding it to the network. This can be done by changing the VTP domain name temporarily (which resets the revision to 0) or by setting the switch to transparent mode, then back to server/client mode (which resets the revision).
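One way to enforce the "reset before connecting" rule is to check a switch's `show vtp status` output before it is cabled into production. The script below is an added example, not part of the original chapter: the function names, severity labels and sample output are constructed, and it assumes the output uses the `label : value` layout shown in the example earlier in this chapter.

```python
import re

# Constructed sample, modelled on the `show vtp status` layout in this chapter.
SAMPLE_STATUS = """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : CCNA
VTP Pruning Mode                : Disabled

Feature VLAN:
--------------
VTP Operating Mode                : Server
Number of existing VLANs          : 5
Configuration Revision            : 47
"""


def parse_vtp_status(text):
    """Extract 'label : value' pairs; headings and rulers are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def preconnect_findings(status_text, prod_domain, prod_revision):
    """Return (severity, message) tuples for a switch about to be connected."""
    f = parse_vtp_status(status_text)
    mode = f.get("VTP Operating Mode", "unknown").lower()
    domain = f.get("VTP Domain Name", "")
    revision = int(f.get("Configuration Revision", "0"))
    findings = []
    if mode in ("transparent", "off"):
        return findings                  # does not take part in synchronization
    if domain == prod_domain and revision > prod_revision:
        findings.append(("CRITICAL",
                         f"revision {revision} exceeds production revision "
                         f"{prod_revision} in domain {domain!r}; its VLAN "
                         "database would replace the production one"))
    elif revision > 0:
        findings.append(("WARNING",
                         f"revision {revision} has not been reset to 0"))
    if domain != prod_domain and domain.lower() == prod_domain.lower():
        findings.append(("INFO",
                         "domain differs from production only by case; "
                         "VTP domain names are case-sensitive"))
    return findings


if __name__ == "__main__":
    for severity, message in preconnect_findings(SAMPLE_STATUS, "CCNA", 12):
        print(f"{severity}: {message}")
```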

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam objective 2.1 (Configure and verify VLANs) includes VTP as a subtopic. You need to know VTP versions, modes, and the effects of misconfiguration. The exam will test your understanding of how VTP propagates VLAN information and the dangers of revision numbers.

Common Wrong Answers:

1. 'VTP client switches can create VLANs locally' – Wrong. Clients cannot create VLANs. They only learn from servers.
2. 'VTP transparent switches do not forward VTP advertisements' – Wrong. They do forward advertisements, but they do not synchronize their own database.
3. 'VTP version 3 is backward compatible with version 1' – Partially true, but version 3 switches can operate in a version 1 domain only if they are configured to run version 1. They cannot mix versions on the same trunk without configuration.
4. 'The VTP revision number is stored in the running-config' – Wrong. It is stored in the VLAN database (vlan.dat) and is not part of the running-config. That's why a switch with default config can have a high revision number if it was previously used.

Specific Values and Commands to Memorize:

- VTP advertisements are sent every 5 minutes or on change.
- Default VTP mode is server.
- Default VTP domain is null (no domain).
- VTP revision number is 32-bit and increments on each change.
- To reset revision number: change domain name, or change mode to transparent then back.
- `show vtp status` displays revision number.
- `show vtp password` displays the password (but it's hidden with asterisks).

Decision Rule for Scenario Questions: If a question describes a switch that loses its VLAN database after a reboot, it is likely a VTP client that hasn't received an advertisement. If a question describes VLANs disappearing after connecting a new switch, it is likely due to a higher revision number on the new switch.

Key Takeaways

VTP has three modes: server (default), client, and transparent.

VTP advertisements are sent every 5 minutes or on change using multicast 01-00-0C-CC-CC-CC.

Configuration revision number is 32-bit; higher number overwrites lower number.

VTP version 3 supports extended VLANs (1006-4094), private VLANs, and primary/secondary servers.

VTP transparent switches forward advertisements but do not synchronize their own database.

To reset revision number, change VTP domain name or change mode to transparent then back.

VTP pruning reduces unnecessary broadcast traffic on trunk links (v2 and v3 only).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

VTP Version 2

Supports normal-range VLANs (1-1005)

Does not support extended VLANs (1006-4094)

Does not support private VLANs

Any server can create/modify/delete VLANs (no primary/secondary)

Client switches do not store VLAN database in NVRAM; lose on reload

VTP Version 3

Supports normal and extended-range VLANs (1-4094)

Supports private VLANs

Introduces primary and secondary server roles; only primary can change VLANs

Client switches can store VLAN database in NVRAM (optional)

Supports VTP mode 'off' (completely disables VTP)

Watch Out for These

Mistake

VTP client switches can create VLANs locally and the changes will be propagated.

Correct

VTP client switches cannot create, modify, or delete VLANs. They only learn VLAN information from VTP servers. Any local VLAN changes on a client are rejected.

Candidates confuse client mode with transparent mode, where local VLAN changes are allowed.

Mistake

VTP transparent switches do not forward VTP advertisements.

Correct

VTP transparent switches do forward VTP advertisements out trunk ports, but they do not update their own VLAN database based on received advertisements. They act as a relay.

The word 'transparent' might imply they don't participate, but they do forward.

Mistake

The VTP revision number is stored in the running configuration and can be reset by reloading the switch.

Correct

The VTP revision number is stored in the VLAN database file (vlan.dat) in flash memory. Reloading the switch does not reset it; it persists across reloads. To reset it, you must change the VTP domain name or change the VTP mode to transparent and then back to server/client.

Candidates think that rebooting resets everything, but vlan.dat is preserved.

Mistake

VTP version 2 is not backward compatible with version 1.

Correct

VTP version 2 is backward compatible with version 1. A VTP version 2 switch can operate in a domain with version 1 switches, but the domain must be configured as version 2 (the version 1 switches will see version 2 advertisements as version 1). However, version 2 features (like Token Ring support) are not available if the domain is operating as version 1.

Candidates assume version 2 is a complete replacement, but backwards compatibility exists.


Frequently Asked Questions

What is the default VTP mode on a Cisco switch?

The default VTP mode is server. However, on some newer switches (like Catalyst 2960-X), the default mode is transparent. Always verify with `show vtp status`. For CCNA, remember that historically the default is server, but you should check the specific model. In exam scenarios, if not specified, assume server mode.

How do I reset the VTP configuration revision number?

To reset the revision number to 0, you can either change the VTP domain name to a different name (then change it back) or change the VTP mode to transparent (which resets the revision to 0) and then change back to server or client. Another method is to delete the vlan.dat file and reload the switch, but that is more drastic. The revision number is stored in vlan.dat, not in running-config.

Can VTP work across routers?

No, VTP is a Layer 2 protocol and only operates on switches. It does not cross Layer 3 boundaries. VTP advertisements are sent as multicast frames and are confined to a single broadcast domain (VLAN 1 typically). To manage VLANs across routers, you would need to use a different mechanism, such as manual configuration or a network management system.

What is the difference between VTP transparent mode and VTP off mode?

VTP transparent mode still forwards VTP advertisements and can participate in pruning (if enabled), but it does not synchronize its VLAN database. VTP off mode (available in version 3) completely disables VTP processing: the switch does not send, receive, or forward VTP advertisements. It behaves as if VTP is not running. Off mode is more secure because it does not process any VTP messages.

Why does VTP use a configuration revision number?

The revision number ensures that the most recent changes are propagated. When a switch receives an advertisement, it compares the revision number with its own. If the received number is higher, the switch updates its VLAN database to match. If lower, it ignores the advertisement. This prevents older configurations from overwriting newer ones. However, it also creates a risk: a switch with a higher revision number but an empty VLAN database can wipe out all VLANs.

Can I use VTP version 3 with switches that only support version 2?

No, VTP version 3 is not backward compatible with version 2. All switches in the domain must support version 3 to use it. If you have a mix, the domain must operate at the lowest common version (version 2). However, a version 3 switch can be configured to run version 2 to interoperate with older switches.

What is VTP pruning and how does it work?

VTP pruning reduces unnecessary broadcast and multicast traffic on trunk links. When enabled, the VTP server informs other switches which VLANs are active on which switch. Each switch then dynamically prunes (removes) VLANs from its trunk allowed list that are not needed on the remote end. For example, if Switch A has VLAN 10 and Switch B does not, VLAN 10 traffic will not be sent across the trunk between them. Pruning is only supported in VTP version 2 and 3.
