VLAN Trunking Protocol (VTP): Complete Configuration Guide with Examples

What is VLAN Trunking Protocol (VTP)?

VLAN Trunking Protocol (VTP) is a Cisco proprietary Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs across a network domain. VTP allows network administrators to make VLAN configuration changes on a central switch (VTP server) and have those changes automatically propagated to all other switches in the VTP domain, reducing administrative overhead and minimizing configuration errors.

VTP operates over trunk links and synchronizes VLAN databases across multiple switches. When you create, modify, or delete a VLAN on a VTP server, the change is advertised to all switches in the same VTP domain. Client switches receive these advertisements and update their VLAN databases accordingly, ensuring consistent VLAN configuration throughout the network without manual intervention on each switch.

Why Use VTP?

Benefits of VTP

  • Centralized VLAN Management: Configure VLANs once on the VTP server instead of on every switch
  • Consistency: Ensures identical VLAN configurations across all switches in the domain
  • Simplified Administration: Reduces time required for VLAN configuration in large networks
  • Accuracy: Minimizes configuration errors from manual VLAN creation on multiple switches
  • Dynamic VLAN Updates: Automatically propagates VLAN changes throughout the network

VTP Use Cases

  • Enterprise campus networks with multiple distribution and access switches
  • Data centers requiring consistent VLAN configurations across numerous switches
  • Networks where VLAN changes occur frequently
  • Environments where reducing administrative overhead is critical

Important: While VTP offers significant benefits, it also carries risks. Incorrect VTP configuration can propagate VLAN deletion across the entire network, causing widespread outages. Many organizations disable VTP in favor of manual VLAN configuration for better control.

VTP Modes

VTP operates in three primary modes, each with different capabilities; VTP version 3 adds a fourth mode, off:

1. VTP Server Mode

VTP servers can create, modify, and delete VLANs. They advertise VLAN configuration changes to other switches in the VTP domain and synchronize their VLAN database with other VTP servers and clients. VTP servers store VLAN information in NVRAM, preserving configurations across reboots.

Characteristics:

  • Can create, modify, and delete VLANs
  • Advertises VTP messages to other switches
  • Synchronizes VLAN database with the domain
  • Stores VLAN configuration in NVRAM
  • Default mode on Cisco switches

2. VTP Client Mode

VTP clients cannot create, modify, or delete VLANs locally. They listen for VTP advertisements from VTP servers and update their VLAN databases accordingly. VTP clients forward VTP advertisements received on trunk ports but do not store VLAN information in NVRAM—the VLAN database exists only in RAM and is lost upon reboot.

Characteristics:

  • Cannot create, modify, or delete VLANs
  • Receives and processes VTP advertisements
  • Forwards VTP advertisements to other switches
  • Does not store VLAN configuration in NVRAM
  • Synchronizes VLAN database from VTP server

3. VTP Transparent Mode

VTP transparent switches do not participate in VTP synchronization. They can create, modify, and delete VLANs locally, but these changes affect only the local switch and are not advertised to other switches. Transparent switches forward VTP advertisements received on trunk ports without processing them, allowing VTP messages to pass through to other switches in the domain.

Characteristics:

  • Can create, modify, and delete VLANs locally
  • Does not synchronize VLAN database with domain
  • Forwards VTP advertisements without processing them
  • Stores VLAN configuration in NVRAM
  • Recommended mode for most production environments

4. VTP Off Mode (VTP Version 3)

Introduced in VTP version 3, VTP off mode completely disables VTP on the switch. Unlike transparent mode, off mode does not forward VTP advertisements, effectively isolating the switch from VTP operations.

VTP Components and Terminology

VTP Domain

A VTP domain is a group of switches that share the same VTP domain name and exchange VLAN information. Switches in different VTP domains do not exchange VTP information, even if physically connected via trunk links. The domain name is case-sensitive and can be up to 32 characters long.

Configuration Revision Number

The configuration revision number is a 32-bit value that tracks VLAN database changes. Every time a VLAN is created, modified, or deleted on a VTP server, the revision number increments. Switches compare revision numbers to determine which switch has the most recent VLAN database. A switch with a higher revision number overwrites the VLAN database on switches with lower revision numbers.

Critical Warning: The revision number mechanism can cause catastrophic network failures. If a switch with a higher revision number but an outdated VLAN database joins the network, it will overwrite the current VLAN configuration across all switches, potentially deleting all VLANs.
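
The overwrite described in this warning, as a simplified Python model added here for illustration (it is not Cisco's implementation and not code from the original guide). Lab-SW is a hypothetical switch; the password check and the version 3 rule, modelled as "only the primary server's database is accepted", are simplifications of the features described later in this guide.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    name: str
    domain: str
    mode: str                 # "server", "client", "transparent" or "off"
    revision: int
    vlans: dict = field(default_factory=dict)   # VLAN id -> name
    password: str = ""
    version: int = 2
    primary: bool = False     # VTP version 3 primary server

def receive(sw, sender):
    """Apply sender's advertisement to sw; return True if sw's database is replaced."""
    passive = ("transparent", "off")
    if sw.mode in passive or sender.mode in passive:
        return False                      # no synchronization in these modes
    if sender.domain != sw.domain or sender.password != sw.password:
        return False                      # other domain or failed authentication
    if sw.version == 3 and not sender.primary:
        return False                      # v3: only the primary server may update
    if sender.revision <= sw.revision:
        return False                      # nothing newer on offer
    # Higher revision wins, whatever the database actually contains.
    sw.vlans, sw.revision = dict(sender.vlans), sender.revision
    return True

def demo():
    """A re-used lab switch (revision 47, default VLAN only) meets three switches."""
    prod = {1: "default", 10: "SALES", 20: "ENGINEERING", 30: "GUEST", 100: "SERVERS"}
    lab = Switch("Lab-SW", "COMPANY", "server", 47, {1: "default"}, "Cisco123")
    core = Switch("Core-SW1", "COMPANY", "server", 12, dict(prod), "Cisco123")
    dmz = Switch("Access-SW2", "COMPANY", "transparent", 0, {200: "DMZ-WEB"}, "Cisco123")
    core_v3 = Switch("Core-SW1", "COMPANY", "server", 12, dict(prod), "Cisco123",
                     version=3, primary=True)
    return {sw.name + ("/v3" if sw.version == 3 else ""): (receive(sw, lab), sorted(sw.vlans))
            for sw in (core, dmz, core_v3)}

if __name__ == "__main__":
    for name, (replaced, vlans) in demo().items():
        print(f"{name:12} replaced={replaced} vlans={vlans}")
```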

VTP Passwords

VTP passwords provide authentication for VTP messages. When configured, switches only process VTP advertisements that include the correct password. The password is MD5 hashed and included in VTP advertisements. Using passwords prevents unauthorized switches from injecting false VTP information.

VTP Pruning

VTP pruning optimizes bandwidth utilization by restricting flooded traffic to trunk links that actually need the traffic. When enabled, VTP pruning prevents broadcasts, multicasts, and unknown unicast frames for specific VLANs from traversing trunk links if the receiving switch has no active ports in those VLANs.

VTP Versions

VTP Version 1

  • Original VTP implementation
  • Supports normal-range VLANs (1-1005)
  • Token Ring and FDDI VLAN support
  • Basic VTP functionality

VTP Version 2

  • Improved support for Token Ring VLANs
  • Consistency checks for VLAN parameters
  • Transparent mode forwards VTP version 2 messages
  • Version-dependent transparent mode operation
  • Still limited to VLANs 1-1005

VTP Version 3

  • Extended VLAN range support (1-4094)
  • Primary server concept prevents accidental database overwrites
  • Enhanced authentication mechanisms
  • MST (Multiple Spanning Tree) configuration propagation
  • Private VLAN support
  • VTP off mode available
  • Backward compatibility with VTP version 2

Recommendation: Use VTP version 3 for new deployments due to enhanced security features and extended VLAN support. However, ensure all switches support version 3 before enabling it.

VTP Configuration

Basic VTP Server Configuration

! Configure VTP domain and mode
Switch(config)# vtp domain COMPANY
Switch(config)# vtp mode server
Switch(config)# vtp version 2
Switch(config)# vtp password Cisco123

! Verify VTP configuration
Switch# show vtp status

VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : COMPANY
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0c75.bd88.7c00
Configuration last modified by  : 192.168.1.1 at 1-25-26 10:30:15

Feature VLAN:
--------------
VTP Operating Mode              : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 10
Configuration Revision          : 5
MD5 digest                      : 0x3D 0x1A 0x2B 0x4C 0x5D
  

VTP Client Configuration

! Configure VTP client
Switch(config)# vtp domain COMPANY
Switch(config)# vtp mode client
Switch(config)# vtp version 2
Switch(config)# vtp password Cisco123

! Verify synchronization
Switch# show vtp status
Switch# show vlan brief
  

VTP Transparent Configuration

! Configure VTP transparent mode
Switch(config)# vtp mode transparent

! Verify transparent mode
Switch# show vtp status

VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : COMPANY
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0c75.bd88.7c00

Feature VLAN:
--------------
VTP Operating Mode              : Transparent
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 15
Configuration Revision          : 0
  

VTP Version 3 Configuration

! Enable VTP version 3
Switch(config)# vtp version 3

! Promote switch to primary server (VTP v3 only)
Switch# vtp primary vlan
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue? [confirm]

! Verify primary server status
Switch# show vtp status

VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : COMPANY
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0c75.bd88.7c00

Feature VLAN:
--------------
VTP Operating Mode              : Primary Server
Maximum VLANs supported locally : 4096
Number of existing VLANs        : 25
Configuration Revision          : 12
Primary ID                      : 0c75.bd88.7c00
Primary Description             : Switch
MD5 digest                      : 0x6E 0x2F 0x3A 0x5B 0x7C
  

VTP Pruning Configuration

VTP pruning must be enabled on VTP servers. Once enabled on the server, it propagates to all VTP client switches in the domain.

! Enable VTP pruning on VTP server
Switch(config)# vtp pruning

! Verify VTP pruning
Switch# show vtp status | include Pruning
VTP Pruning Mode                : Enabled

! Configure pruning-eligible VLANs (optional)
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# switchport trunk pruning vlan 10,20,30

! Verify pruning-eligible VLANs
Switch# show interface GigabitEthernet1/0/1 pruning

Port    VLANs pruned for lack of request by neighbor
Gi1/0/1 10,20,30

Port    VLANs traffic requested of neighbor
Gi1/0/1 1,100,200
  

Note: VLAN 1 and VLANs 1002-1005 (reserved VLANs) cannot be pruned. VTP pruning only affects VLANs 2-1001.

VTP Verification Commands

Essential VTP Show Commands

! Display VTP status and configuration
Switch# show vtp status

! Display VTP password (hidden by default)
Switch# show vtp password

! Display VLAN database
Switch# show vlan brief

! Display VTP counters and statistics
Switch# show vtp counters

Summary advertisements       : 25
Subset advertisements        : 10
Advertisement requests       : 5

! Display trunk interfaces (VTP advertisements are sent only over trunk links)
Switch# show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/1     on               802.1q         trunking      1
Gi1/0/2     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/1     1-4094
Gi1/0/2     1-4094

Port        Vlans allowed and active in management domain
Gi1/0/1     1,10,20,30,100,200
Gi1/0/2     1,10,20,30,100,200
  

VTP Troubleshooting

Common VTP Issues and Solutions

Issue 1: VLANs Not Synchronizing

Symptoms: VLANs created on VTP server don't appear on client switches

Causes and Solutions:

  • Domain name mismatch: Verify domain names match exactly (case-sensitive)
    Switch# show vtp status | include Domain
  • Password mismatch: Ensure all switches use the same VTP password
    Switch# show vtp password
  • No trunk configured: VTP requires trunk links between switches
    Switch# show interfaces trunk
  • VTP version mismatch: All switches must run the same VTP version
    Switch# show vtp status | include version

Issue 2: VLANs Deleted Unexpectedly

Symptoms: All VLANs disappear from switches, causing network outage

Cause: A switch with a higher revision number but an empty or outdated VLAN database was connected to the network

Prevention:

  • Always reset configuration revision before adding switches to the network
  • Use VTP transparent mode in production environments
  • Implement VTP version 3 with primary server protection
  • Use VTP passwords to prevent unauthorized switches from joining

Recovery:

! If VLANs are deleted, restore from backup
Switch# copy flash:vlan.dat.backup flash:vlan.dat
Switch# reload

! Or reconfigure VLANs manually on VTP server
Switch(config)# vlan 10
Switch(config-vlan)# name SALES
Switch(config-vlan)# exit
  

Issue 3: High Configuration Revision Number

Problem: The revision number must be reset to zero before the switch is added to the network

Solution:

! Method 1: Change to transparent mode and back
Switch(config)# vtp mode transparent
Switch(config)# vtp mode server
! Revision number resets to 0

! Method 2: Change domain name and back
Switch(config)# vtp domain TEMP
Switch(config)# vtp domain COMPANY
! Revision number resets to 0

! Method 3: Delete vlan.dat file (requires reload)
Switch# delete flash:vlan.dat
Switch# reload
  

Issue 4: VTP Transparent Mode Not Working

Symptoms: Local VLAN changes not saved in transparent mode

Solutions:

  • Verify mode is truly transparent:
    Switch# show vtp status | include Operating
  • Ensure VLANs are configured in configuration mode, not VLAN database mode
  • Check that vlan.dat file is not corrupted:
    Switch# dir flash: | include vlan.dat

VTP Best Practices

Security Best Practices

  • Use VTP Transparent Mode: Recommended for most production networks to prevent accidental VLAN deletion
  • Configure VTP Passwords: Always use MD5 authentication to prevent rogue switches from joining the domain
  • Use VTP Version 3: Provides primary server protection against accidental database overwrites
  • Document VTP Configuration: Maintain records of VTP domains, modes, and passwords
  • Limit VTP Server Count: Use only one or two VTP servers for better control

Operational Best Practices

  • Reset Revision Number: Always reset the configuration revision to zero before adding a switch to the network
  • Backup VLAN Database: Regularly back up the vlan.dat file from VTP servers
    Switch# copy flash:vlan.dat tftp://192.168.1.100/vlan.dat.backup
  • Verify Before Connecting: Check VTP status before connecting a switch to the production network
  • Use Descriptive Domain Names: Choose meaningful VTP domain names that reflect network structure
  • Monitor VTP Changes: Implement logging and monitoring for VTP configuration changes
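
One way to automate the "Reset Revision Number" and "Verify Before Connecting" checks, as an added Python example that is not part of the original guide or any Cisco tool: it parses `show vtp status` output in the format shown earlier and lists the conditions that should block connecting the switch. The sample output is constructed, and the function names, finding labels and the `password_set` flag (supplied by the operator after checking `show vtp password`) are assumptions.

```python
import re

# Constructed sample: `show vtp status` from a lab switch about to be re-used.
SAMPLE = """\
VTP Version capable             : 1 to 3
VTP version running             : 2
VTP Domain Name                 : COMPANY
VTP Pruning Mode                : Disabled

Feature VLAN:
--------------
VTP Operating Mode              : Server
Number of existing VLANs        : 5
Configuration Revision          : 47
"""

def parse_vtp_status(text):
    """Collect the 'Name : value' lines of `show vtp status` into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s+:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def audit(fields, prod_domain, prod_revision, password_set):
    """Return findings that should block connecting this switch to a trunk."""
    mode = fields.get("VTP Operating Mode", "").lower()
    revision = int(fields.get("Configuration Revision", "0"))
    version = int(fields.get("VTP version running", "1"))
    domain = fields.get("VTP Domain Name", "")
    findings = []
    if mode in ("transparent", "off"):
        return findings          # does not take part in synchronization
    if revision != 0:
        findings.append(f"REVISION_NOT_ZERO: revision is {revision}, reset to 0 first")
    if domain == prod_domain and revision > prod_revision:
        findings.append(f"WOULD_OVERWRITE: revision {revision} > domain revision {prod_revision}")
    if version < 3:
        findings.append("NO_PRIMARY_PROTECTION: running VTP version below 3")
    if not password_set:
        findings.append("NO_PASSWORD: VTP password not configured")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_vtp_status(SAMPLE), "COMPANY", 12, password_set=False):
        print(finding)
```

Run it against output captured from the switch while it is still disconnected, with the production domain name and the current revision taken from the VTP server.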

Design Recommendations

  • Single VTP Domain: Use one VTP domain per physical location or administrative boundary
  • Separate Management VLANs: Keep management VLANs in a separate domain or use transparent mode
  • Enable VTP Pruning: Optimize bandwidth in large networks with many VLANs
  • Plan Revision Number Management: Establish procedures for managing configuration revision numbers
  • Consider Alternatives: Evaluate whether manual VLAN configuration provides better control for your environment

VTP Configuration Example - Complete Scenario

Network Topology

  • Core-SW1: VTP Server (Primary)
  • Dist-SW1: VTP Client
  • Access-SW1: VTP Client
  • Access-SW2: VTP Transparent (DMZ switch)

Core-SW1 (VTP Server) Configuration

! Configure VTP server
Core-SW1(config)# vtp domain COMPANY
Core-SW1(config)# vtp mode server
Core-SW1(config)# vtp version 3
Core-SW1(config)# vtp password SecureVTP123
Core-SW1(config)# vtp pruning

! Promote to primary server (VTP v3)
Core-SW1# vtp primary vlan

! Create VLANs
Core-SW1(config)# vlan 10
Core-SW1(config-vlan)# name SALES
Core-SW1(config-vlan)# vlan 20
Core-SW1(config-vlan)# name ENGINEERING
Core-SW1(config-vlan)# vlan 30
Core-SW1(config-vlan)# name GUEST
Core-SW1(config-vlan)# vlan 100
Core-SW1(config-vlan)# name SERVERS
Core-SW1(config-vlan)# exit

! Configure trunk to distribution
Core-SW1(config)# interface GigabitEthernet1/0/1
Core-SW1(config-if)# switchport trunk encapsulation dot1q
Core-SW1(config-if)# switchport mode trunk
Core-SW1(config-if)# switchport trunk allowed vlan all
  

Dist-SW1 (VTP Client) Configuration

! Configure VTP client
Dist-SW1(config)# vtp domain COMPANY
Dist-SW1(config)# vtp mode client
Dist-SW1(config)# vtp version 3
Dist-SW1(config)# vtp password SecureVTP123

! Configure trunks
Dist-SW1(config)# interface range GigabitEthernet1/0/1-2
Dist-SW1(config-if-range)# switchport trunk encapsulation dot1q
Dist-SW1(config-if-range)# switchport mode trunk

! Verify VLAN synchronization
Dist-SW1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    
10   SALES                            active    
20   ENGINEERING                      active    
30   GUEST                            active    
100  SERVERS                          active    
  

Access-SW2 (VTP Transparent) Configuration

! Configure VTP transparent for DMZ switch
Access-SW2(config)# vtp mode transparent

! Create local VLANs (not propagated)
Access-SW2(config)# vlan 200
Access-SW2(config-vlan)# name DMZ-WEB
Access-SW2(config-vlan)# vlan 201
Access-SW2(config-vlan)# name DMZ-APP
Access-SW2(config-vlan)# exit

! Verify local configuration
Access-SW2# show vtp status

VTP Operating Mode              : Transparent
Configuration Revision          : 0
  

Conclusion

VLAN Trunking Protocol provides centralized VLAN management across Cisco switch networks, reducing administrative overhead and ensuring configuration consistency. However, VTP also introduces significant risks, particularly the potential for accidental VLAN deletion across the entire network due to configuration revision number conflicts.

For production environments, many network engineers prefer VTP transparent mode or completely disabling VTP in favor of manual VLAN configuration, trading automation for greater control and reduced risk. If implementing VTP, use version 3 with primary server protection, strong passwords, and comprehensive documentation. Regular backups of VLAN databases and careful procedures when adding switches to the network are essential for preventing VTP-related outages.

Understanding VTP modes, versions, and best practices enables informed decisions about whether VTP benefits your network or whether manual VLAN management provides better control and security for your specific environment.