CCIE Trek

A blog of Jeff Rensink's trek to the CCIE summit (again)

Archive for September, 2008

Everything you ever wanted to know about VTP Transparent switch operation

Posted by jrensink78 on September 29, 2008

OK, so I’m not really going to go over everything you ever wanted to know.  That was just a catchy title to draw you in.  Most people at the CCNA level and above are pretty well versed in the basics of VTP already.  So I’m not going to talk about the stuff that most people read from their study material.  But there are some details about how the different modes of VTP interact with each other that you might not encounter in your reading.  So I thought that I would share the details of what I discovered about how VTP Transparent mode interacts with Client/Server mode.

For the following examples, we have 3 switches (Switches A, B, and C).  Switches A and C are each connected only to Switch B.  Switches A and C are in VTP Server mode and Switch B is in VTP Transparent mode.  So any VTP advertisement that Switch A and Switch C exchange has to pass through transparent-mode Switch B.

Passing VTP messages through a Transparent mode switch

The first thing that we’ll look at is getting Switch B to allow the other switches to exchange VTP information.  Here is a snippet of the Catalyst 3550 documentation regarding VTP.
Version-Dependent Transparent Mode—In VTP version 1, a VTP transparent switch inspects VTP
messages for the domain name and version and forwards a message only if the version and domain
name match. Because VTP version 2 supports only one domain, it forwards VTP messages in
transparent mode without inspecting the version and domain name.

Unfortunately, this is not how things actually work.  The VTP transparent mode switch only needs the domain name to match in order to forward the message; the version is not checked.  And the domain must match for the transparent mode switch to forward the messages regardless of whether it is running VTP version 1 or 2.

I ran through tests, where all switches had the same VTP domain, mixing and matching the VTP versions.  I also ran tests where Switch B had  a different domain name than Switches A and C, also mixing and matching versions.  During the tests, I enabled debugging of VTP packets and events to watch what was happening.

Test 1

On the first test, all switches started with the same VTP version and the same VTP domain name.  Here is the debug info from Switch B when it receives a VTP message from Switch C.

1d17h: VTP LOG RUNTIME: Relaying packet received on trunk Fa0/24 – in TRANSPARENT MODE (nc = false)

I got these messages on all permutations of VTP versions between the Server and Transparent mode switches.  Also, Switches A and C stayed synced up with their VLANs the whole time.  So as long as the domains are consistent, the transparent mode switch will forward VTP messages regardless of version.

Test 2

The second round of testing was with Switch B using a different VTP domain than Switches A and C.  Here is the debug info from Switch B again when it receives VTP messages from Switch C.

1d17h: VTP LOG RUNTIME: Dropping packet received on trunk Fa0/24 – not in domain ccie

I then switched between VTP version 1 and 2 on Switch B and the results were the same.  So as long as the transparent mode switch uses a different domain name, it will not forward VTP messages regardless of version.

Making it work

So now we know that VTP Transparent switches will not forward VTP messages from switches in a different VTP domain than their own.  You may have seen posters talking about this apparent bug on other blogs or forums.  But I wanted to include it here for those that hadn’t, and for completeness.

So what if the CCIE lab asks you to make it happen?  Well, there is a solution.  You can use Layer 2 protocol tunneling (L2PT) to have the transparent mode switch encapsulate and forward the VTP frames without processing them, so its own domain name never comes into play.

The config is actually quite simple.  On Switch B, we first create a new VLAN for the tunnel.  This VLAN should not be used anywhere else in the network, to avoid any possible negative side effects.  Then you set the ports that connect to Switches A and C to access mode and enable Layer 2 protocol tunneling on them as shown below.

! Switch B (VTP transparent mode)
configure terminal
! create the VLAN used only for the tunnel
vlan 999
 exit
! fa0/20 and fa0/24 connect to Switches A and C
interface range fastethernet0/20 , fastethernet0/24
 switchport access vlan 999
 switchport mode access
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 end

Also, on the ports on Switches A and C connecting them to Switch B, you need to force trunking with the “switchport mode trunk” command.  Switch B’s ports are access ports and DTP is not one of the tunneled protocols, so there is nothing on the far end to negotiate a trunk with.

You might wonder why we are pushing STP over the tunnel.  If you don’t, this is what happens.

00:16:08: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/20 VLAN999.
00:16:08: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/20 on VLAN0999. Inconsistent port type.

The reason for this is that one end of the link is an access port and the other is a trunk port.  Switch A’s trunk sends 802.1Q-tagged PVST+ BPDUs, and an access port on Switch B treats receiving them as a port type inconsistency and blocks the port.  Tunneling STP keeps the Switch B ports from processing those BPDUs at all; they are just encapsulated and forwarded through the tunnel, so Switches A and C run spanning tree with each other as if they were directly connected.  Also, we could make the Switch B ports trunks as well, but making them access ports simplifies things and helps to avoid issues resulting from loops caused by the tunnels.
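Here is the complete three-switch configuration for this setup, with the verification commands you would run afterwards.  This is an added example rather than config from the original post.  It assumes fa0/1 is the uplink on Switches A and C (the post only names fa0/20 and fa0/24 on Switch B), uses the domain name ccie that appears in the debug output above, runs VTP version 2, and adds a VTP domain password that the post does not discuss.  The password matters more once the tunnel is in place: Switch B no longer inspects the tunneled VTP frames, so its domain name no longer filters anything, and a server with a higher revision number that can reach either trunk will be accepted by Switches A and C.

```cisco
! ---------------- Switch A (VTP server) ----------------
configure terminal
 vtp mode server
 vtp domain ccie
 vtp version 2
 ! assumed hardening, not on the page; the value is a placeholder
 vtp password CHANGE-ME
 interface fastethernet0/1
  description to Switch B fa0/20 (port number assumed)
  switchport trunk encapsulation dot1q
  ! forced: DTP is not tunneled, so negotiation would never complete
  switchport mode trunk
 end

! ---------------- Switch C (VTP server) ----------------
configure terminal
 vtp mode server
 vtp domain ccie
 vtp version 2
 vtp password CHANGE-ME
 interface fastethernet0/1
  description to Switch B fa0/24 (port number assumed)
  switchport trunk encapsulation dot1q
  switchport mode trunk
 end

! ---------------- Switch B (VTP transparent, L2PT) ----------------
configure terminal
 vtp mode transparent
 ! domain no longer affects the tunneled frames; kept consistent anyway
 vtp domain ccie
 ! VLAN used only by the tunnel; do not assign it to any other port
 vlan 999
  name L2PT-TUNNEL
  exit
 interface range fastethernet0/20 , fastethernet0/24
  switchport access vlan 999
  switchport mode access
  ! encapsulate STP and VTP from A/C and forward them out the other port
  l2protocol-tunnel stp
  l2protocol-tunnel vtp
 end

! ---------------- Verification ----------------
! Switch B: tunnel state and per-protocol encapsulation counters
show l2protocol-tunnel
show l2protocol-tunnel summary
! Switch B: watch the relay decision (the debug lines quoted in the post
! came from these debugs)
debug sw-vlan vtp events
debug sw-vlan vtp packets
! Switches A and C: revision numbers and VLAN counts must agree
show vtp status
show vtp counters
show vlan brief
```

After a VLAN is added on Switch A, the configuration revision in "show vtp status" should increment on both A and C while Switch B’s stays at 0, and the encapsulation counters in "show l2protocol-tunnel" on B should climb on both ports.  If the revision only changes on A, check that both trunks are actually up (show interfaces trunk) and that the password and domain are identical on A and C.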

VTP Pruning across VTP Transparent mode switches

The last topic for this post will be how going across a Transparent mode switch affects VTP pruning between VTP Clients/Servers.  The quick explanation is that the transparent mode switch does not affect things at all.  In our example, pruning works as if Switches A and C were directly connected.  Switch B will not cause any VLANs to be pruned from the trunks of Switches A and C, even if Switch B doesn’t have those VLANs configured.

Here is an output from a “show interface trunk” from Switch A.  Please note that Switch B only has VLANs 1, 10, 20, 30, 40, and 50 configured.  VTP pruning has been enabled on Switches A and C.

Port        Mode         Encapsulation  Status        Native vlan
Fa0/20      desirable    802.1q         trunking      1

Port      Vlans allowed on trunk
Fa0/20      1-4094

Port        Vlans allowed and active in management domain
Fa0/20      1,10,15,20,25,30,35,40,45,50,55

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/20      1,10,15,20,25

So you can see that even though Switch B does not have VLANs 15 and 25 configured, those VLANs do not get pruned from the trunk.  Pruning is driven by the join messages Switches A and C send each other, and Switch B neither sends them nor inspects them.  So everything appears to be working fine, but it can cause problems for us humans.  We might look at the trunks on either Switch A or Switch C and think that the VLANs are operating normally between switches.  But since Switch B does not have VLANs 15 or 25, it will drop tagged frames for those VLANs, and devices on those VLANs will not be able to communicate across Switch B.

The lesson here is that the trunks on Switches A and C won’t remind you about this.  So you either need to make sure that all VLANs get manually configured on the Transparent mode switch (it will never learn them from VTP), or keep in mind that certain VLANs will not be traversing it.

Posted in Technology Overview

Study Plan Posted

Posted by jrensink78 on September 28, 2008

I have my study plan page up (see the links along the top).  If you have already passed your CCIE written, or if you are currently working on yours, I’d appreciate any feedback.

Today also marks the end of my first week of study.  I ended up logging 25 hours of study in this week, which is definitely a record for me in terms of certification study hours.  It has been a bit tiring, but also kind of exciting.  The journey to the CCIE starts with a single step, and I have taken mine.  I know I have a long road ahead, but I’m pretty pumped to think about how much my skills and effectiveness will improve as I go along.

Posted in Study

IP Expert Blended Learning Solution First Impressions

Posted by jrensink78 on September 27, 2008

I hadn’t planned on picking up IP Expert’s Blended Learning Solution (BLS) until I had passed my written test.  But when I found out that the price was jumping from the promotional cost of $1000 up to $2000, I had to pick it up.  Since then, it has become one of my main study sources.

I’m sure most of you are familiar with the product.  But if not, head on over to http://www.ipexpert.com/index.cfm/product/sku/Self_Study_Blended_Learning_Solution_CCIE_RS_Lab_Exam (after reading the rest of my post of course :-) ).  It contains 2 main study sources: workbooks and lectures.  The lectures can be viewed as a video or listened to as MP3s.  The MP3s are nice for getting some study time in the car or on the go.  Everything is contained on a USB hard drive that gets shipped out to you.  The workbooks and audio files are also downloadable from the IP Expert website.

The lectures are given by Scott Morris (or at least the ones that I have viewed so far).  Scott has a nice teaching style and keeps things from getting too dry.  The videos go through the normal CCIE lab topics, and Scott does a nice job of pointing out good things to keep in mind for the test.

Typically for each major topic, there is an “Exercises” video lecture on the topic that goes through actual configurations and troubleshooting of the topic.  These videos are extremely helpful.  It’s helpful to watch the configs happening.  But it’s great to watch how Scott does his troubleshooting even though it’s probably pre-planned for the most part.  That has been the most helpful method for me to get the different technologies cemented in my mind.  The exercises lectures are not available in the MP3s.  But they really wouldn’t work in an audio-only format.

I started looking at a few of the workbook labs, and they look nice.  The workbooks come with proctor guides that explain how to solve all of the labs.  The IP Expert labs do require a lot of hardware to follow along with.  I believe they use about a dozen routers and 4 switches.  You can rent online racks.  But creating your own setup will cost you.  You will need 3550s and 3560s to do the layer 2 labs.  I’m pretty sure you can get by with lower-end stuff for the routers though.

So far the BLS is a great product.  The material is high quality.  At $1000, it was a no-brainer to get.  At $2000, I would be thinking hard about it as I also am planning on picking up Internetwork Expert’s products as well.

Feel free to ask me any questions about the product.  I’ll give you my unbiased opinion.

Posted in Study Materials

Is there such a thing as an accurate practice test?

Posted by jrensink78 on September 25, 2008

As I prepare for the written part of my CCIE, I have started reading the Cisco Press Official Exam Certification Guide.  As most everyone who buys Cisco Press books knows, the Exam Cert Guides come with practice tests.  Historically, these tests have been the source of many a gripe on the NetPro forums.

I don’t know why I thought the test for the CCIE would be different.  But for some reason my brain was thinking that Cisco would hold their test supplier (Boson) to a higher standard for the CCIE.  My hopes were raised further as I first installed the practice test engine.  This time, it was different from all of the rest.  It actually used the Boson Exam Environment instead of the Cisco Press specific environment like the CCNA and CCNP tests did.  My hopes soared as I saw that the test wasn’t actually on the CD, but downloaded directly from Boson.  That must mean that this content is fresh, right?

So I fired up the exam and chose the layer-2 subjects that I have been studying this week to get a feel for how well I was absorbing the material.  Just a few questions into the test, my hopes were dashed and I came crashing down to reality.  One of the questions showed a diagram of 4 switches and was asking STP questions referencing ports P1 and P2 on SW1.  The problem being, the diagram had labeled all of the ports on SW1 and none of them were labeled P1 and P2.  That sort of makes it hard to answer the question when you don’t know what ports they are talking about.

So I pressed on from there and quickly ran into a question about negotiated trunking.  The scenario said that a switch with the stated port configs was connected to 3560s on each port and asked which ports would establish a trunk.  So I chose only the ports with Dynamic Desirable or Trunk On (with negotiation still enabled).  According to the test engine, I was wrong.  So I had it show me the answers to see what I missed.  That’s where I find out that the test thinks that the default port setting on a 3560 is Dynamic Desirable.  Shortly after this, I just quit the test because I was mad.  Partly I was mad at Cisco for allowing Boson to supply bad practice tests, and partly I was mad at myself for being silly enough to believe that this time would be different.

Well, this morning I felt like giving it another try.  I even found the update option and clicked on it.  To my surprise, it actually said that it was downloading a couple of things.  My hopes were raised again.  But, whatever the updates did, they did not fix the 2 questions that I described above.  Back to reality I guess…  I did send notice to Boson about their mistakes.  But something tells me that if the test has been around for as long as the book (1 year), then Boson really isn’t fixing exam content issues.

Posted in Study Materials

Fleshing out the site and belated birthday presents

Posted by jrensink78 on September 25, 2008

I got the blogroll populated.  These are the blogs that I check out on a daily basis.  Be sure to check out any of the ones that you don’t already read.  They all have good stuff on them.  I also listed some helpful forums for CCIE wannabes and other Cisco enthusiasts.

I’m hoping to get done with the majority of the static content of the site by the end of the weekend.  Then I can get down to some real blog writing.

I also received some belated birthday gifts at work today.  Lots of boxes with Cisco printed on the side.  So I have some fun new stuff to set up over the next few weeks.  It’s always a good day when new Cisco stuff arrives.

Posted in General

Welcome to my blog

Posted by jrensink78 on September 24, 2008

Thanks for stopping by my little sliver of the blogiverse.  Hopefully you’ll find something that makes you want to come back again and again.  Check out my About page to find out a bit about who I am and why I felt the need to create yet another CCIE study related blog.

As you check back in on my blog (like how I’m creating expectations?), you’ll find posts about my journey along with posts about CCIE topics and technologies.  I’ll probably throw in general interest posts about Cisco and other networking topics as well.

That’s it for my first post.  Hope to see you back soon!

Posted in General