VTP Explained: Central VLAN Management & Its Dangers
VTP (VLAN Trunking Protocol) lets you create a VLAN once on a server switch and have it automatically propagate to all other switches in the domain over trunk links, which saves repetitive configuration. It is powerful, but it carries a notorious danger that has taken down real networks.
The three modes
- Server — can create/modify/delete VLANs; changes propagate to the domain
- Client — receives and applies the database but can't modify it
- Transparent — ignores VTP for its own VLANs but forwards VTP messages through
The revision-number danger
VTP uses a revision number that increments with each change; switches accept any database with a higher revision. The catastrophe: connect an old switch with a higher revision number (from previous use) and it overwrites the entire domain's VLAN database — potentially deleting production VLANs and blackholing traffic instantly. This has caused real outages.
Common mistakes and the safe practice
Never connect a switch to a production VTP domain without first resetting its revision to zero: change its VTP domain name to something else and back, or set it to transparent mode. Many engineers now avoid VTP entirely (or use VTPv3, which is safer) and configure VLANs manually. The VTP lab shows propagation in action.
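A pre-connection check for the rule above, as an added example that is not part of the original article: it reads the text of `show vtp status` captured from the switch you are about to cable in and refuses anything that is not in transparent mode or at revision zero. The function names are hypothetical, the sample output is constructed, and the field labels are assumed to follow the usual `show vtp status` layout.

```python
import re

# Constructed sample in the layout of `show vtp status`, as it might look on a
# switch pulled out of storage. All values are invented for illustration.
SAMPLE_STALE = """\
VTP Version                     : 2
Configuration Revision          : 47
Maximum VLANs supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CORP
"""

# One "label : value" line; the value may be empty (e.g. an unset domain name).
FIELD = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_vtp_status(text):
    """Return {lower-cased field label: value} for each 'label : value' line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group("key").lower()] = m.group("value")
    return fields


def preflight(text):
    """Return (safe_to_connect, reason). Fails closed on unreadable output."""
    fields = parse_vtp_status(text)
    mode = fields.get("vtp operating mode", "").lower()
    revision = fields.get("configuration revision", "")
    if not mode:
        return False, "operating mode not found; do not connect"
    if mode == "transparent":
        return True, "transparent mode"
    if not revision.isdigit():
        return False, "configuration revision not found; do not connect"
    if int(revision) == 0:
        return True, "revision is 0"
    return False, f"{mode} mode at revision {revision}; reset before connecting"


if __name__ == "__main__":
    print(preflight(SAMPLE_STALE))
```

Run it against output captured over the console while the switch is still disconnected from any trunk, since the check is only useful before the first VTP advertisement is exchanged.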
Frequently asked questions
What does VTP do?
It propagates VLAN database changes (create/modify/delete) from a server switch to all switches in the domain over trunks, avoiding repetitive per-switch configuration.
What is the famous VTP danger?
A switch with a higher revision number can overwrite the whole domain's VLAN database — even deleting production VLANs. Always reset a switch's revision before connecting it.
What are the VTP modes?
Server (can modify VLANs and propagate), Client (receives only), and Transparent (ignores VTP for itself but forwards messages).
How do you safely add a switch to a VTP domain?
Reset its revision number to zero first — by changing its VTP domain name to a dummy and back, or setting it to transparent mode — before connecting.