Skip to main content
Your first session is free. Claim mine
PacketMentor logo
Open menu
Home
Training
Cisco Mentorship
CCNACCNP
Short Courses
Python for Network EngineersAI for Network OperationsDevNet Associate PrepInterview Sprint
Custom Training
Corporate Training
All training →
CCNA Library (74)
Browse all CCNA topics →
Network (13)
OSI Model & TCP/IPIPv4 AddressingTCP vs UDPSubnettingIPv6 BasicsARP — Address Resolution ProtocolICMP — Internet Control Message ProtocolTCP 3-Way HandshakeCabling & Media StandardsMTU & FragmentationWAN Connection TypesHierarchical Network DesignNetwork Virtualization & Containers
Device Operations (5)
Cisco IOS Device ManagementPower over Ethernet (PoE)Cisco IOS File SystemPassword Recovery & Configuration RegisterNetwork Troubleshooting Methodology
Network Access (12)
MAC Address TableVLANsTrunks & 802.1Q TaggingSpanning Tree Protocol (STP)EtherChannel (Link Aggregation)Switching OperationCDP & LLDP — Neighbor DiscoveryBPDU Guard & Root GuardCatalyst Boot ProcessVTP — VLAN Trunking ProtocolRapid STP & MSTPPrivate VLANs (PVLAN)
Wireless (6)
Wireless LAN BasicsWLAN Architectures — Autonomous, Centralized (WLC), Cloud, EmbeddedWi-Fi Security — WEP, WPA, WPA2, WPA3Wi-Fi 6, 6E, and 7 FeaturesWireless RF FundamentalsAccess Point Operating Modes
IP Connectivity (10)
Inter-VLAN RoutingStatic RoutingDefault RoutingRouting Decision ProcessFHRP — HSRP, VRRP & GLBPLayer-3 Switch & SVI RoutingOSPF Single-AreaRoute SummarizationIPv6 SLAAC & DHCPv6IPv6 Transition Mechanisms
IP Services (11)
HSRP vs VRRP vs GLBP — FHRP ComparedDHCP — Dynamic Host Configuration ProtocolNAT & PATDNS — Domain Name SystemNTP — Network Time ProtocolSyslogQoS BasicsSNMP — Simple Network Management ProtocolIGMP & IGMP SnoopingNTP Authentication & SecurityDHCP Relay & IP Helper
Security (10)
Access Control Lists (ACLs)Port SecurityDHCP SnoopingAAA · RADIUS & TACACS+802.1X — Port-Based Network Access ControlVPN Basics — IPsec & SSLDynamic ARP Inspection (DAI)IP Source Guard (IPSG)Encryption FundamentalsCybersecurity Threats & Mitigation
Automation (7)
REST APIs for Network EngineersAnsible for Network EngineersJSON, YAML & XML for Network EngineersNETCONF & YANGPython for Network EngineersSDN & Controller-Based NetworkingAI & ML in Network Operations
CCNP Library (15)
Browse all CCNP topics → SPAN, RSPAN & ERSPAN — Port MirroringGRE TunnelsEIGRPOSPF Multi-AreaIPv6 Routing — Static & OSPFv3BGP BasicsTCP Connection StatesCisco AnyConnect / Remote Access VPNCisco ISE BasicsNetFlow & Flow-Based MonitoringgRPC & gNMI — Streaming TelemetrySD-WAN ConceptsMPLS BasicsCisco DNA Center / Catalyst CenterVRF Basics — Virtual Routing and Forwarding
LabsPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All topics
Network Access Intermediate

VTP — VLAN Trunking Protocol

Cisco's protocol for sharing VLAN config across switches in the same VTP domain. Powerful, dangerous, and the reason every CCNA engineer learns the value of `vtp mode transparent`.

TL;DR
  • VTP shares the VLAN database from a 'server' switch to 'client' switches in the same VTP domain — auto-propagates new VLANs.
  • Higher revision number wins. A wrongly-configured switch joining the domain with high revision can wipe everyone else's VLANs.
  • Safest production approach: `vtp mode transparent` everywhere. Or VTPv3 + primary-server mode. Default v1/v2 client/server is risky.

Mental model

If you have 50 switches and need to add VLAN 100 to all of them, you have two options:

  1. SSH to each one and type vlan 100; name USERS. Tedious.
  2. Configure VLAN 100 on one switch and have it auto-propagate to the others. That’s VTP.

The convenience comes with risk: if a switch joining the network has a higher VTP revision number, its VLAN database overwrites everyone else’s. A misplaced switch from a lab → entire production VLAN database wiped → every access port reverts to VLAN 1. Big outage.

For CCNA: know VTP exists, how it works, and why most production networks run vtp mode transparent (each switch maintains its own VLAN database, no auto-sync) instead.

The roles

ModeCan create / modify VLANs?Receives updates?Forwards updates?
ServerYesYesYes
ClientNoYesYes
TransparentYes (locally)NoForwards (but doesn’t apply)
OffYes (locally)NoNo

Server is the source-of-truth. Client receives. Transparent does its own thing but passes VTP through to others. Off is total isolation.

The dangerous revision number

Every change to the VLAN database on a Server (or Transparent) switch increments its revision number. When a Client receives a VTP update, it compares the revision number with its own. Higher number wins — the Client’s database gets overwritten.

The disaster scenario:

  1. Engineer powers up a lab switch that was previously in production, with revision number 47.
  2. Connects it to a trunk in production. Production VTP is at revision 35.
  3. Production switches see the higher number, accept the lab switch’s (empty) VLAN database.
  4. Every access port in the production network suddenly thinks its VLAN doesn’t exist → no traffic forwards.

This has happened many times. The fix: always set vtp mode transparent on any switch before plugging it in. Or reset its VTP revision to 0 by changing the domain name briefly.

VTP versions

VersionNotes
v1Original. Limited features. Avoid.
v2Adds Token Ring + some bug fixes. CCNA default-tested.
v3Major improvement. Adds primary/secondary server, supports VLANs 1-4094, MST, password protection. Safer.

VTPv3 is what you’d actually deploy in 2026. It has a “primary server” concept — only one switch is authoritative, others can’t accidentally override. Still many environments run v1/v2 from inertia.

Commands

! Set the VTP domain (must match on all switches)
SW1(config)# vtp domain CORP

! Set mode
SW1(config)# vtp mode server                ! default
SW1(config)# vtp mode client
SW1(config)# vtp mode transparent
SW1(config)# vtp mode off

! Set version (v2 or v3 — affects feature support)
SW1(config)# vtp version 2

! Optional — password
SW1(config)# vtp password supersecret

! VTPv3 primary server (only this switch can change VLANs in the domain)
SW1# vtp primary

Verify

SW1# show vtp status
SW1# show vtp counters
SW1# show vtp password

Key fields in show vtp status:

  • VTP Operating Mode: Server / Client / Transparent / Off
  • VTP Domain Name: must match neighbors
  • Configuration Revision: the number that determines who wins
  • Number of existing VLANs: how many VLANs this switch knows about

Resetting the revision number

If you need to safely add a switch to an existing VTP domain, reset its revision number to 0 first. Three ways:

! Method 1 — change the domain name briefly (revision resets)
SW1(config)# vtp domain TEMPORARY
SW1(config)# vtp domain CORP-REAL

! Method 2 — change to transparent and back
SW1(config)# vtp mode transparent
SW1(config)# vtp mode client

! Method 3 — wipe vlan.dat (requires reload)
SW1# delete flash:vlan.dat
SW1# reload

Always do this before connecting the switch to a production trunk.

Why production often runs transparent

The “convenience vs blast radius” calculation. Pros of running everything in transparent mode:

  • No risk of revision-number-based wipeout
  • Each switch’s VLAN database is local — explicit and auditable
  • Forced to update VLANs via config-management automation (Ansible, etc.) — generally healthier than relying on auto-propagation

Cons:

  • Have to add VLANs on every switch separately (or via automation)

In modern networks with config management, transparent is the safer default. Auto-propagation of critical config across switches is a 2005-era convenience that doesn’t fit current best practices.

VTP Pruning

A different VTP feature: pruning removes VLAN broadcast / unknown-unicast traffic from trunks that don’t carry any access ports for that VLAN. Saves bandwidth.

SW1(config)# vtp pruning

Pruning is generally safer than VLAN propagation — manage allowed VLAN lists on trunks explicitly instead.

Common mistakes

  1. Adding a lab switch to production without resetting revision. Wipes the production VLAN database. Has burned every CCNA learner at some point.

  2. VTP domain name mismatch. Two switches with different domain names won’t exchange VTP info. Common after a config copy-paste mistake.

  3. Running VTP servers everywhere. Defeats the point — any one of them can become the canonical source by being changed. Run one or two servers max; the rest as clients (or transparent in modern setups).

  4. Forgetting password mismatch. Two switches in the same domain but with different VTP passwords → updates ignored. show vtp password to verify.

  5. Confusing VTP with DTP. VTP synchronizes VLAN databases. DTP (Dynamic Trunking Protocol) negotiates trunk vs access mode between switches. Different things — both Cisco-proprietary, both can be disabled.

  6. Trusting VTP to never break things. Mistakes happen. Always have a recent backup of running-configs and the VLAN database (show vlan brief saved somewhere).

Lab to try tonight

  1. Three switches connected via trunks. Same VTP domain CORP.
  2. Configure SW1 as server, SW2 and SW3 as clients.
  3. On SW1, create VLAN 10, 20, 30. Verify with show vlan brief.
  4. On SW2 and SW3, run show vlan brief — the same VLANs appear automatically.
  5. On SW2 (client), try vlan 99. Should fail — clients can’t create VLANs.
  6. The dangerous experiment: disconnect SW3, configure a totally different VLAN list on it locally, manually set a high revision (or change & change back the domain to bump it up), then reconnect to the trunk. Watch the production VLANs disappear. Restore from backup.
  7. Bonus: convert everything to vtp mode transparent. Note each switch now maintains its own DB. Add a VLAN on each individually.

Cheat strip

ConceptPlain English
VTPAuto-share VLAN database between switches
ServerSource of truth — can add/modify VLANs
ClientReceives. Can’t make changes.
TransparentLocal DB only. Forwards VTP for others but ignores it.
Revision numberHigher wins. Cause of catastrophic accidents.
VTPv3Adds primary-server safety net. Use over v1/v2 if you must run VTP.
PruningDifferent VTP feature — removes unnecessary VLAN traffic from trunks
Production defaultvtp mode transparent is the safest choice in 2026
← Previous topic

GRE Tunnels

How to make two distant routers feel directly connected by wrapping IP inside IP. Covers tunnel interface config, MTU caveats, why GRE itself isn't encrypted, and the standard 'GRE over IPsec' combination.
Next topic →

Layer-3 Switch & SVI Routing

How a Layer-3 switch routes between VLANs at line rate using SVIs (Switched Virtual Interfaces) — the modern replacement for router-on-a-stick in any campus network.
Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNA® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

Related topics

Network Access

Spanning Tree Protocol (STP)

Definitive CCNA-level STP guide — why loops are catastrophic, bridge ID + priority election, three port roles, five port states, BPDU anatomy, PortFast + BPDU Guard + Root Guard + Loop Guard, RSTP convergence, MSTP overview, and 8 worked scenarios.

 Network Access

Trunks & 802.1Q Tagging

How switches carry multiple VLANs over a single link using 802.1Q tags. Includes DTP behavior, native VLAN gotchas, and the allowed-VLAN list.

 Network Access

VLANs

Definitive CCNA-level VLAN guide — broadcast domains, access vs trunk ports, 802.1Q tagging, native VLAN, voice VLANs, VTP, VLAN design, the 6-step trunk debug, security pitfalls, and 7 worked exam scenarios.

One topic per email, every fortnight

VLANs, OSPF, ACLs, subnetting, automation — written like this. Unsubscribe in one click.

We respect your inbox. One email per week, max. Unsubscribe any time.

Start typing — or browse popular topics below.

↑↓ navigate open Searches topics · labs · programs · pages