Tag: Cisco

STP operates by transitioning ports through different states to avoid loops while still allowing network connectivity. Each port in STP can be in one of the following states:

---

1️⃣ Disabled State

🔴 Not part of STP operation

• The port is administratively shut down or physically disconnected.
• No BPDU (Bridge Protocol Data Unit) frames are sent or received.

🔹 Command to Disable a Port:

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# shutdown

---

2️⃣ Blocking State

🟡 Prevents network loops

• The port listens for BPDUs but does NOT forward traffic.
• The switch does not learn MAC addresses on this port.
• Used for backup links that will only be activated if needed.

🔹 When does a port stay in Blocking?

• When a redundant link exists and a better path is available.
• If the port receives a superior BPDU from another switch.

🔹 Verification Command:

Switch# show spanning-tree

---

3️⃣ Listening State (15 sec, STP only)

🟠 Preparing to forward

• The port is evaluating BPDUs to determine its role (Root, Designated, or Blocking).
• The port is NOT forwarding frames yet.

🔹 Why does it exist?

• To prevent temporary loops before full STP convergence.

---

4️⃣ Learning State (15 sec, STP only)

🔵 Learning MAC addresses

• The switch starts learning MAC addresses but does NOT forward traffic yet.
• The port continues to process BPDUs.

🔹 Why does it exist?

• Helps build the MAC address table before forwarding starts.

---

5️⃣ Forwarding State

🟢 Port is fully operational

• The port forwards traffic normally.
• It learns MAC addresses and processes BPDUs.

🔹 Conditions for Forwarding:

• The port is a Root Port (RP) or Designated Port (DP).
• No superior BPDUs are received.

🔹 Verification Command:

Switch# show spanning-tree interface GigabitEthernet0/1

---

Port State Transition Diagram (STP – 802.1D)

   Blocking → Listening → Learning → Forwarding
         |                                  ↑
         |——> (If better path found) ——→ |

🚨 Total Convergence Time in Classic STP: ~50 sec

---

STP vs RSTP Port States

RSTP (802.1w) removes Listening State and introduces new roles:

STP (802.1D)	RSTP (802.1w)	Function
Blocking	Discarding	Blocks traffic, prevents loops
Listening	(Removed)	Not needed in RSTP
Learning	Learning	Learns MAC addresses
Forwarding	Forwarding	Normal data forwarding

🚀 RSTP Converges in <6 seconds!

Spanning Tree Protocol (STP) is a Layer 2 protocol designed to prevent loops in a switched network. It ensures there is only one active path between switches, preventing broadcast storms, MAC table instability, and duplicate frames.

Why is STP Needed?

In a redundant network, loops can form because switches forward Ethernet frames without a TTL (Time-to-Live) like routers do. Without STP:
🔴 Broadcast storms overwhelm the network.
🔴 MAC table flapping occurs as switches receive the same frame from multiple paths.
🔴 Multiple frame copies reach the destination, causing confusion.

How STP Works

STP builds a loop-free logical topology by:
✅ Electing a Root Bridge (central switch for path calculations).
✅ Blocking redundant paths to prevent loops.
✅ Allowing backup paths to become active if the primary fails.

---

STP Election and Port Roles

1️⃣ Root Bridge Election

• Switch with the lowest Bridge ID (BID) becomes the Root Bridge.
• Bridge ID = Priority (default: 32768) + MAC address.
• The Root Bridge acts as the reference point in the network.

2️⃣ STP Port Roles

Once the Root Bridge is elected, STP assigns roles to switch ports:

Port Role	Description
Root Port (RP)	The best path to the Root Bridge (only one per switch).
Designated Port (DP)	Forwarding port on each segment (best path to Root).
Blocking Port (BP)	A backup path that does not forward traffic (to prevent loops).

---

STP Timers & Convergence

STP takes 50 seconds to converge (transition to a loop-free state).

• Hello Timer: 2 seconds (BPDU exchange interval).
• Listening (15s) → Learning (15s) → Forwarding.

✅ Fast Convergence? Use Rapid Spanning Tree Protocol (RSTP)!

---

Types of STP

Type	Features	Convergence Time
Classic STP (802.1D)	Standard version, slow convergence	50 sec
Rapid STP (802.1w)	Faster convergence, uses alternate ports	<6 sec
Multiple STP (802.1s)	Supports multiple VLANs in one instance	<6 sec
Per VLAN STP (PVST/PVST+)	Separate STP instance for each VLAN (Cisco)	50 sec (STP) / Fast (PVST+)

---

Basic STP Configuration (Cisco)

1️⃣ Set STP Mode

bashCopyEditSwitch(config)# spanning-tree mode rapid-pvst  # Use RSTP for fast convergence

2️⃣ Manually Set Root Bridge Priority

bashCopyEditSwitch(config)# spanning-tree vlan 10 priority 4096

📌 Lower priority wins! Default is 32768.

3️⃣ Verify STP Status

bashCopyEditSwitch# show spanning-tree

---

Troubleshooting STP Issues

Issue	Possible Cause	Solution
Switch not Root Bridge	Another switch has lower priority	Manually configure spanning-tree vlan X priority Y
Network loops	STP disabled/misconfigured	Ensure STP is enabled (show spanning-tree)
Slow convergence	Using classic STP (802.1D)	Use RSTP (802.1w) for faster recovery

---

Conclusion

STP is essential for loop prevention in Layer 2 networks. By selecting a Root Bridge, defining port roles, and blocking redundant links, it ensures a stable network. 🚀

Scenario:

A network administrator configures EtherChannel between two Cisco switches using LACP, but the link is not forming, and some VLANs are not passing traffic.

Network Setup:

• Two switches: SW1 and SW2
• Ports Gi0/1 and Gi0/2 are used for EtherChannel.
• VLANs 10, 20, and 30 should be allowed on the trunk.

---

Step 1: Verify EtherChannel Status

Check the current EtherChannel summary on SW1

SW1# show etherchannel summary

Output:

Group  Port-channel  Protocol  Ports
------  ------------  --------  ------------------------
1      Po1(SD)       LACP      Gi0/1(P) Gi0/2(D)

🚨 Problem Detected:

• “SD” (Layer 2, Down): The EtherChannel is configured but not operational.
• “D” (Down): Gi0/2 is not active in the group.

---

Step 2: Check Interface Configurations

Check Gi0/1 and Gi0/2 settings

SW1# show running-config interface Gi0/1
SW1# show running-config interface Gi0/2

Output (SW1):

interface GigabitEthernet0/1
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  channel-group 1 mode passive  # LACP mode
!
interface GigabitEthernet0/2
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  channel-group 1 mode passive  # LACP mode

Check the same on SW2

bashCopyEditSW2# show running-config interface Gi0/1
SW2# show running-config interface Gi0/2

Output (SW2):

interface GigabitEthernet0/1
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  channel-group 1 mode passive  # LACP mode
!
interface GigabitEthernet0/2
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  channel-group 1 mode passive  # LACP mode

🚨 Problem Detected:

• Both sides are set to “passive” in LACP.
• LACP requires at least one side to be “active” to initiate EtherChannel.

✅ Fix: Change SW1 to “active”

SW1(config)# interface range Gi0/1 - 2
SW1(config-if-range)# channel-group 1 mode active
SW1(config-if-range)# exit

👉 Expected Result: LACP will now negotiate the EtherChannel.

---

Step 3: Verify if the EtherChannel is Now Up

SW1# show etherchannel summary

Output (Expected):

cssCopyEditGroup  Port-channel  Protocol  Ports
------  ------------  --------  ------------------------
1      Po1(SU)       LACP      Gi0/1(P) Gi0/2(P)

✅ “SU” (Layer 2, Up) means EtherChannel is working!
✅ “P” (Port is active in EtherChannel) shows both interfaces are bundled.

---

Step 4: Verify VLANs on the Trunk

If VLAN traffic is still not passing, check allowed VLANs on the trunk:

SW1# show interfaces trunk

Output:

Port      Mode         Encapsulation  Status        Allowed VLANs
Po1       on          802.1q         trunking      1,10,20,30

🚨 Problem Detected:

• VLAN 1 is allowed by default but is not needed.

✅ Fix: Explicitly allow VLANs

SW1(config)# interface Port-channel 1
SW1(config-if)# switchport trunk allowed vlan 10,20,30
SW1(config-if)# exit

👉 Now, only the necessary VLANs are allowed.

---

Step 5: Final Verification

Check VLANs Allowed on Trunk

SW1# show interfaces trunk

✅ Expected Output:

Port      Mode         Encapsulation  Status        Allowed VLANs
Po1       on          802.1q         trunking      10,20,30

Check Spanning Tree

# show spanning-tree active

✅ Ensure Port-Channel 1 is forwarding traffic.

---

Summary of Troubleshooting Steps

Issue	Cause	Solution
EtherChannel is down (SD)	Both sides set to passive in LACP	Change one side to active.
One port is down (D)	Speed/duplex mismatch	Set speed/duplex manually.
VLAN traffic not passing	VLANs not allowed on the trunk	Use switchport trunk allowed vlan X.
STP blocking the EtherChannel	Spanning Tree treating Port-Channel as a loop	Check show spanning-tree and adjust priority.

---

Best Practices for EtherChannel Configuration

✅ Use LACP instead of PAgP (open standard, more stable).
✅ Manually set trunk mode on Port-Channel interfaces (switchport mode trunk).
✅ Ensure the same speed, duplex, and VLAN settings on both sides.
✅ Check for STP blocking with show spanning-tree.
✅ Use show etherchannel summary to monitor link status.

---

Conclusion

In this real-world case, the EtherChannel was down due to LACP passive mode on both switches. Changing one side to active resolved the issue. Additionally, VLAN traffic issues were fixed by explicitly allowing the required VLANs.

1. What is EtherChannel?

EtherChannel is a link aggregation technology used to combine multiple physical links into a single logical link. It improves bandwidth, redundancy, and load balancing between switches, routers, or servers.

✅ Increases bandwidth by combining links (e.g., 2x1Gbps = 2Gbps).
✅ Provides redundancy—if one link fails, traffic continues on the others.
✅ Prevents loops because it appears as one logical connection to Spanning Tree Protocol (STP).

EtherChannel Protocols

EtherChannel can be configured using two protocols:

Protocol	Description	Modes Available
PAgP (Port Aggregation Protocol)	Cisco proprietary. Ensures both sides agree before forming an EtherChannel.	Auto, Desirable
LACP (Link Aggregation Control Protocol – IEEE 802.3ad)	Open standard, works with non-Cisco devices.	Passive, Active

EtherChannel can also be manually configured (static mode) without PAgP or LACP.

---

2. EtherChannel Configuration

A. Verify Requirements Before Configuration

✔ All ports must have the same speed and duplex settings.
✔ All ports must be in the same VLAN (if access ports) or trunk mode (if trunk ports).
✔ STP treats the EtherChannel as one logical link, preventing loops.

---

B. Configure EtherChannel Using LACP (Recommended for Open Standard)

Scenario: Create an EtherChannel with Gi0/1 and Gi0/2 using LACP.

interface range GigabitEthernet0/1 - 2
  channel-group 1 mode active   # LACP mode (Active initiates negotiation)
  channel-protocol lacp         # (Optional) Ensures only LACP is used
  exit

interface Port-channel 1
  switchport mode trunk         # Configure as trunk if needed
  switchport trunk allowed vlan 10,20,30
  exit

📌 Active Mode ensures the switch actively tries to form an EtherChannel.

Other LACP mode options:

Mode	Description
active	Actively tries to form EtherChannel.
passive	Waits for the other side to initiate.

---

C. Configure EtherChannel Using PAgP (Cisco Proprietary)

Scenario: Create an EtherChannel with Gi0/3 and Gi0/4 using PAgP.

interface range GigabitEthernet0/3 - 4
  channel-group 2 mode desirable   # PAgP mode
  channel-protocol pagp
  exit

interface Port-channel 2
  switchport mode access           # Use access mode if needed
  switchport access vlan 20
  exit

Other PAgP mode options:

Mode	Description
desirable	Actively tries to form EtherChannel.
auto	Waits for the other side to initiate.

---

D. Configure Static EtherChannel (Manual, No Protocols)

If you don’t want LACP or PAgP, you can configure a static EtherChannel:

interface range GigabitEthernet0/5 - 6
  channel-group 3 mode on         # Forces EtherChannel (No LACP/PAgP)
  exit

interface Port-channel 3
  switchport mode trunk
  switchport trunk allowed vlan 10,30
  exit

📌 Mode “on” means no negotiation—both sides must be manually configured.

---

3. Verify and Troubleshoot EtherChannel

Check EtherChannel Status

show etherchannel summary

• Displays all EtherChannel groups and their status.
• Look for “SU” (Layer 2, working) or “SD” (Down).

Check Detailed Interface Information

show interfaces port-channel 1

• Verifies if traffic is flowing properly.

Check Which Ports Are in the EtherChannel

show etherchannel port-channel

Check for Configuration Mismatches

show spanning-tree active

• Ensures STP is treating the EtherChannel as a single logical link.

---

4. Troubleshooting EtherChannel Issues

Issue	Possible Cause	Solution
Port-channel is down (SD)	Speed, duplex, VLAN, or trunk settings don’t match.	Ensure all interfaces have the same config.
EtherChannel not forming	Mismatched modes (e.g., auto-auto in PAgP or passive-passive in LACP).	Use desirable-active (LACP) or desirable-auto (PAgP).
Traffic not passing through	VLANs missing on trunk port-channel.	Use switchport trunk allowed vlan add X.
High CPU utilization	Flapping links due to mismatches.	Check logs with show logging.

---

5. Best Practices for EtherChannel

✅ Use LACP (IEEE standard) instead of PAgP (Cisco proprietary).
✅ Always verify settings on both ends before enabling EtherChannel.
✅ Avoid using mode “on” unless you are sure both sides match.
✅ Use “active” and “passive” for LACP, or “desirable” and “auto” for PAgP.
✅ Check EtherChannel consistency (show etherchannel summary).

---

Conclusion

EtherChannel is an efficient way to improve bandwidth and redundancy in a network. Proper configuration using LACP, PAgP, or static mode ensures reliable link

VLAN and trunking issues can cause communication failures between devices in different VLANs. Below is a step-by-step guide to diagnose and resolve VLAN and trunking problems.

---

1. Check VLAN Configuration

Issue: Devices in the same VLAN cannot communicate.

Solution:

• Verify the VLAN exists on the switch:bashCopyEditshow vlan brief
• If the VLAN is missing, create it:bashCopyEditconfigure terminal vlan 10 name Sales exit
• Ensure the ports are assigned to the correct VLAN:bashCopyEditshow interfaces GigabitEthernet0/1 switchport
  • If needed, assign the correct VLAN:bashCopyEditinterface GigabitEthernet0/1 switchport mode access switchport access vlan 10
• If the device still cannot communicate, check if the VLAN is allowed on the trunk.

---

2. Verify Trunk Links

Issue: Devices in different VLANs cannot communicate across switches.

Solution:

• Check if the port is in trunk mode:bashCopyEditshow interfaces trunk
  • If the port is missing, it is not operating as a trunk.
• Enable trunk mode manually:bashCopyEditinterface GigabitEthernet0/1 switchport mode trunk
• Check if VLANs are allowed on the trunk:bashCopyEditshow interfaces trunk
  • If VLANs are missing, allow them manually:bashCopyEditinterface GigabitEthernet0/1 switchport trunk allowed vlan 10,20,30

---

3. Check Native VLAN Mismatch

Issue: Trunk is up, but VLAN traffic is not passing correctly.

Solution:

• Verify native VLANs on both ends of the trunk:bashCopyEditshow interfaces trunk
  • If one switch has VLAN 1 as native and another has VLAN 99, packets may be dropped.
• Fix the mismatch by setting the same native VLAN on both switches:bashCopyEditinterface GigabitEthernet0/1 switchport trunk native vlan 99

---

4. Check Spanning Tree (STP) Blocking

Issue: Some VLANs work, others don’t.

Solution:

• Check if STP is blocking the trunk port:bashCopyEditshow spanning-tree interface GigabitEthernet0/1
• If a port is in blocking mode, try:bashCopyEditshow spanning-tree vlan 10
  • If STP is incorrectly blocking the trunk, consider changing the STP priority:bashCopyEditspanning-tree vlan 10 priority 4096
  • If needed, manually enable the port:bashCopyEditinterface GigabitEthernet0/1 no shutdown

---

5. Check Inter-VLAN Routing Issues

Issue: Devices in different VLANs cannot communicate.

Solution:

• If VLANs need to communicate, a router or Layer 3 switch is required.
• Verify if SVIs (Switched Virtual Interfaces) are configured:bashCopyEditshow ip interface brief
• If missing, create an SVI for each VLAN:bashCopyEditinterface vlan 10 ip address 192.168.10.1 255.255.255.0 no shutdown
• Ensure the default gateway is set on end devices:
  • If VLAN 10 uses 192.168.10.1, set this as the gateway.

---

6. Check VTP Configuration

Issue: VLANs are not propagating between switches.

Solution:

• Verify VTP mode:bashCopyEditshow vtp status
  • Ensure one switch is in VTP Server mode and others are in VTP Client mode.
• If VLANs are not syncing, try resetting the VTP revision number:bashCopyEditvtp mode transparent vtp mode client

---

7. Check for DTP Issues (If Trunk is Not Forming)

Issue: Trunk mode is not working.

Solution:

• Verify the DTP mode on both ends:bashCopyEditshow interfaces switchport
• If both ports are dynamic auto, no trunk will form. Change one side to dynamic desirable:bashCopyEditinterface GigabitEthernet0/1 switchport mode dynamic desirable
• If connecting to a non-Cisco switch, disable DTP:bashCopyEditswitchport mode trunk switchport nonegotiate

---

8. Restart the Trunking Process (Last Resort)

If all configurations are correct but the VLAN is still not passing traffic, restart the trunk port:

interface GigabitEthernet0/1
  shutdown
  no shutdown

---

Summary of Key Troubleshooting Commands

Command	Purpose
show vlan brief	Checks if VLANs exist on the switch.
show interfaces trunk	Verifies which ports are in trunk mode.
show interfaces switchport	Displays VLAN and trunk settings on an interface.
show spanning-tree interface Gi0/1	Checks if STP is blocking the port.
show vtp status	Confirms VTP domain, mode, and VLAN propagation.
show ip interface brief	Verifies if SVI (inter-VLAN routing) is configured.
show cdp neighbors	Confirms if the switch is connected to the expected devices.

---

Best Practices to Avoid VLAN and Trunk Issues

✅ Manually configure trunk ports (switchport mode trunk).
✅ Disable DTP (switchport nonegotiate) unless auto-negotiation is needed.
✅ Ensure native VLANs match on both ends of a trunk.
✅ Use show interfaces trunk to verify allowed VLANs.
✅ Check STP (show spanning-tree) to prevent VLAN blocking.

If DTP is not forming trunks as expected, you need to check for common misconfigurations and conflicts. Below is a systematic troubleshooting guide.

---

1. Verify the Current Trunking Status

Issue: The trunk is not forming.

Solution:

Use the following command to check if the port is in trunk mode:

show interfaces trunk

• If the port is missing from the output, it means the trunk did not form.

Also, check the interface mode with:

show interfaces GigabitEthernet0/1 switchport

• Look for Administrative Mode and Operational Mode.
• Ensure the port is not in access mode if you expect it to be a trunk.

---

2. Check the DTP Mode on Both Ends

Issue: Two switches are not forming a trunk.

Solution:

Use:

show running-config interface GigabitEthernet0/1

Verify that both ports are using compatible DTP modes.

Local Mode	Remote Mode	Trunk Formed?
Trunk	Trunk / Dynamic Desirable / Dynamic Auto	✅ Yes
Dynamic Desirable	Trunk / Dynamic Desirable / Dynamic Auto	✅ Yes
Dynamic Auto	Dynamic Auto	❌ No (Both are passive)
Access	Any Mode	❌ No

👉 If both ports are set to dynamic auto, change one to dynamic desirable or trunk:

interface GigabitEthernet0/1
  switchport mode dynamic desirable

---

3. Check for DTP Being Disabled (nonegotiate)

Issue: Trunk is not forming even though the correct mode is set.

Solution:

Check if DTP negotiation is disabled:

show running-config interface GigabitEthernet0/1

If you see switchport nonegotiate, DTP is disabled.

👉 If needed, remove the nonegotiate command:

interface GigabitEthernet0/1
  no switchport nonegotiate

---

4. Verify VLANs Allowed on the Trunk

Issue: Trunk is formed, but some VLANs are missing.

Solution:

Check which VLANs are allowed on the trunk:

show interfaces trunk

If some VLANs are missing, allow them manually:

interface GigabitEthernet0/1
  switchport trunk allowed vlan add 10,20,30

---

5. Check Native VLAN Mismatch

Issue: Trunk forms, but communication issues occur between VLANs.

Solution:

Verify the native VLAN on both switches:

show interfaces trunk

If one switch has VLAN 1 as native and another has VLAN 99, packets might be dropped.

👉 To fix, match the native VLAN on both sides:

interface GigabitEthernet0/1
  switchport trunk native vlan 99

---

6. Check for Trunking with Non-Cisco Devices

Issue: Trunk is not forming with a non-Cisco switch.

Solution:

DTP is Cisco-proprietary and does not work with non-Cisco switches.

• Manually set the port to trunk mode and disable DTP:

interface GigabitEthernet0/1
  switchport mode trunk
  switchport nonegotiate

👉 This forces the trunk without DTP negotiation.

---

7. Restart the Trunking Process (Last Resort)

Issue: All configurations are correct, but the trunk is still not working.

Solution:

Try resetting the trunking interface:

interface GigabitEthernet0/1
  shutdown
  no shutdown

This restarts the trunk and can force re-negotiation.

---

Summary of Key Troubleshooting Commands

Command	Purpose
show interfaces trunk	Checks which ports are operating as trunks.
show interfaces switchport	Displays DTP mode, VLAN settings, and negotiation status.
show running-config interface Gi0/1	Checks if nonegotiate is enabled.
show vlan brief	Ensures VLANs are properly assigned.
show cdp neighbors	Confirms neighboring Cisco devices.

---

Best Practices to Avoid DTP Issues

✅ Manually set trunk mode (switchport mode trunk) instead of relying on DTP.
✅ Disable DTP (switchport nonegotiate) to prevent unauthorized trunking.
✅ Ensure Native VLANs match on both ends of the trunk.
✅ Use show interfaces trunk to verify allowed VLANs.

. What is DTP?

Dynamic Trunking Protocol (DTP) is a Cisco-proprietary protocol that automates trunk formation between switches. It allows switch ports to dynamically negotiate whether they should be in access mode or trunk mode, reducing the need for manual configuration.

Key Features of DTP:

✅ Automatically forms trunks between Cisco switches.
✅ Negotiates trunking mode without manual intervention.
✅ Supports 802.1Q and ISL (Cisco’s older VLAN tagging protocol).
✅ Can be disabled for security to prevent unauthorized trunking.

---

2. DTP Modes

DTP has four operating modes:

Mode	Description	Effect When Connected to Another Switch
Trunk	Forces the port into trunk mode	Always trunks, regardless of the other switch’s mode.
Access	Forces the port into access mode	Never forms a trunk.
Dynamic Auto	Passively waits for a trunk request but does not initiate one	If the other switch is dynamic auto, no trunk forms. If desirable/trunk, a trunk forms.
Dynamic Desirable	Actively tries to form a trunk	If the other switch is trunk, desirable, or auto, a trunk forms.

---

3. DTP Mode Interaction

Local Mode →	Trunk	Access	Dynamic Auto	Dynamic Desirable
Trunk	✅ Trunk	❌ Access	✅ Trunk	✅ Trunk
Access	❌ Access	❌ Access	❌ Access	❌ Access
Dynamic Auto	✅ Trunk	❌ Access	❌ Access	✅ Trunk
Dynamic Desirable	✅ Trunk	❌ Access	✅ Trunk	✅ Trunk

🚨 Important Note: If both ports are set to Dynamic Auto, no trunk will form because neither initiates the trunk negotiation.

---

4. Configuring DTP

Enable Trunking with DTP (Dynamic Desirable)

bashCopyEditinterface GigabitEthernet0/1
  switchport mode dynamic desirable
  exit

👉 This makes the port actively negotiate a trunk.

---

Enable Passive DTP (Dynamic Auto)

bashCopyEditinterface GigabitEthernet0/2
  switchport mode dynamic auto
  exit

👉 This port will form a trunk only if the other switch actively requests it.

---

Disable DTP (For Security)

DTP can be a security risk if an attacker plugs in a switch and forces a trunk. To disable it:

bashCopyEditinterface GigabitEthernet0/3
  switchport mode trunk
  switchport nonegotiate
  exit

👉 This forces the port into trunk mode but stops DTP messages from being sent.

---

5. When to Use or Disable DTP?

✅ Use DTP when:

• You have Cisco switches and want automatic trunk formation.
• You need dynamic VLAN management with VTP.

❌ Disable DTP when:

• You want better security (to prevent VLAN hopping attacks).
• Your network includes non-Cisco switches (since DTP is Cisco-proprietary).

VTP (VLAN Trunking Protocol) has evolved over time, with VTP version 3 introducing significant improvements over VTP version 2. Below is a comparison of both versions.

---

1. Key Differences Between VTP v2 and VTP v3

Feature	VTP v2	VTP v3
VLAN Range Support	Supports VLANs 1-1005	Supports VLANs 1-4094 (full range)
Private VLANs	Not supported	✅ Supports private VLANs
VTP Modes	Server, Client, Transparent	Server, Client, Transparent, Off
Server Authorization	Any VTP server can modify VLANs	✅ Only a primary server can modify VLANs
Extended VLAN Support (1006-4094)	❌ No	✅ Yes
VTP Pruning	Yes	✅ Improved pruning efficiency
Security	No authentication improvements	✅ Supports hidden passwords for security
MD5 Hashing for Authentication	Yes	✅ Yes (Improved)
Multiple Spanning Tree (MST) Support	No	✅ Yes

---

2. When to Use VTP v3?

VTP v3 is ideal when:
✅ You need extended VLANs (1006-4094) support.
✅ You want to improve security and prevent accidental VLAN changes.
✅ You are using Private VLANs in your network.
✅ You need better MST (Multiple Spanning Tree) support.
✅ You want more control over which switches can modify VLANs (Primary Server Feature).

---

3. How to Upgrade from VTP v2 to VTP v3

Before upgrading, ensure:
✅ All switches support VTP v3 (older switches may not).
✅ The switch is running VTP Server Mode.
✅ The VTP domain name is configured correctly.

Step-by-Step Upgrade to VTP v3

Enable VTP v3 on the Server Switch

configure terminal

vtp version 3

exit

Set a Primary VTP Server

vtp primary

This switch now has exclusive rights to make VLAN changes.

Verify the Upgrade

show vtp status

Ensure Clients Are Syncing

show vlan brief

---

4. Summary: Should You Upgrade to VTP v3?

✅ YES, if:

• You need VLANs 1006-4094.
• You use Private VLANs.
• You want stronger security and better control over VLAN changes.

❌ NO, if:

• Your network has older switches that do not support VTP v3.
• You prefer manual VLAN configuration using VTP Transparent Mode.

When VLANs are not propagating correctly in a VTP environment, it’s important to check for misconfigurations. Below are common issues and troubleshooting steps.

---

1. Check VTP Mode and Domain Name

Issue: VLANs are not syncing between switches.

Solution:

• Ensure all switches have the same VTP domain name and password:bashCopyEditshow vtp status
  • If the domain name is different, update it:bashCopyEditvtp domain MyNetwork
• Ensure the VTP mode is correct (at least one switch should be in server mode).bashCopyEditvtp mode server

---

2. Verify Trunk Links

Issue: VTP advertisements are not passing between switches.

Solution:

• Check if the trunk is up and operational:bashCopyEditshow interfaces trunk
• If a port is not in trunk mode, enable it:bashCopyEditinterface GigabitEthernet0/1 switchport mode trunk switchport trunk allowed vlan all exit
• Ensure Native VLAN matches on both ends of the trunk:bashCopyEditshow interfaces trunk
  • If needed, change it:bashCopyEditswitchport trunk native vlan 99

---

3. Check VTP Version

Issue: Switches running different VTP versions may not sync.

Solution:

• Check the VTP version:bashCopyEditshow vtp status
• If versions do not match, change them:bashCopyEditvtp version 2

---

4. Check VTP Revision Number

Issue: A newly added switch with a higher revision number could erase VLANs.

Solution:

• Check the VTP Revision Number on all switches:bashCopyEditshow vtp status
• If a switch has a high revision number but incorrect VLANs, reset it:bashCopyEditvtp mode transparent vtp mode server # (or client if required)
  • This resets the revision number to 0.

---

5. Verify VTP Pruning

Issue: VLANs are not being propagated to all switches.

Solution:

• Check if VTP pruning is enabled:bashCopyEditshow vtp status
• If necessary, disable VTP pruning:bashCopyEditno vtp pruning

---

6. Check VTP Password

Issue: If a password is set on one switch but not on others, VLANs won’t sync.

Solution:

• Check if a VTP password is set:bashCopyEditshow vtp password
• If needed, set the same password on all switches:bashCopyEditvtp password Cisco123

---

7. Test VLAN Synchronization

Issue: VLANs still not syncing after troubleshooting.

Solution:

• Try manually adding a VLAN on the VTP server and check if it propagates to the clients:bashCopyEditconfigure terminal vlan 50 name Test_VLAN exit
• Then verify on a client switch:bashCopyEditshow vlan brief
  • If the VLAN does not appear, go through the previous troubleshooting steps again.

---

Summary of Key Troubleshooting Commands

Command	Description
show vtp status	Displays VTP domain, mode, revision number, and version.
show vtp password	Checks if a VTP password is set.
show interfaces trunk	Verifies if trunks are correctly configured.
show vlan brief	Checks if VLANs are propagating.
vtp mode transparent → vtp mode server	Resets the VTP revision number.

---

Best Practices to Avoid VTP Issues

✅ Use VTP Transparent Mode unless central management of VLANs is necessary.
✅ Reset the revision number when adding new switches to the network.
✅ Secure VTP with passwords to prevent unauthorized VLAN changes.
✅ Monitor trunk links to ensure VTP messages are transmitted properly.