In this blog, we’re going to explore two important Cisco switching protocols: DTP (Dynamic Trunking Protocol) and VTP (VLAN Trunking Protocol). I’ll explain what they do, how they work, and why it’s important to understand them especially when you’re working with VLANs across multiple switches.

We’ll go through each topic step-by-step using Cisco Packet Tracer, starting with how trunk links form automatically with DTP, and then how VLANs are shared between switches using VTP. I’ll also show you what to watch out for, like revision number issues and domain mismatches, and explain how VTP modes work: server, client, and transparent.

Whether you’re reviewing for CCNA, building your own lab, or just trying to make sense of switch behavior, this guide is written in a way that’s easy to follow and based on actual testing. Let’s get started.

DTP (Dynamic Trunking Protocol)

Before we can connect VLANs across switches, we need to understand how switches know whether to create a trunk link or not. This is where DTP, or Dynamic Trunking Protocol, comes in.

DTP is a Cisco protocol that lets switches decide automatically if they should form a trunk between them. If you've ever connected two switches and noticed that a trunk formed without doing much, DTP probably did that.

So, how does DTP actually work?
When you connect two Cisco switches, they send DTP messages to each other through their interfaces. Based on how each port is configured, they’ll either agree to form a trunk or keep the link as access. For example, if one switch port is set to dynamic desirable (which actively wants to trunk) and the other is set to dynamic auto (which waits for the other side), a trunk link will form.

But if both sides are set to dynamic auto, nothing will happen. Both are just waiting. No one takes the first step, so the link stays as access.

Now, why do we even use DTP?
It's helpful when you want to make setup quicker. Instead of going to each interface and manually forcing trunk mode, DTP can handle that automatically as long as the port modes are compatible. It’s handy in labs or small environments where you just want things to connect easily.

But in real-world networks, DTP is often disabled. Why? Because it can lead to accidental trunks or even security issues if someone connects a rogue switch. Many network engineers prefer to manually configure trunk links to avoid surprises.

If you want to control how DTP behaves, you just change the switchport mode of the interface. Here are the common ones:

switchport mode access – This disables DTP and forces the port to act as an access port.
switchport mode trunk – This forces the port to trunk, and it still sends DTP messages unless you turn that off.
switchport mode dynamic desirable – This actively tries to form a trunk with the other side.
switchport mode dynamic auto – This waits for the other side to start trunking.

If you want to manually configure a trunk and not send any DTP messages, add this command:
switchport nonegotiate
This turns off DTP on that port. Just make sure the other side is also set to trunk manually, or the link won’t work as a trunk.

In short, DTP helps automate trunking, but you have to be careful how and where you use it. For security purposes, manual configuration is recommended. DTP should be disabled on all switchports.

Network topology with two switches. SW1 is connected to PC1 (VLAN 10) and PC2 (VLAN 20). SW2 is connected to PC3 (VLAN 30) and PC4 (VLAN 20). SW1 and SW2 are connected to each other.

On Switch 1, go to the interface that's connected to Switch 2. You can do this by entering interface configuration mode.

Switch 1 CLI showing the command switchport mode dynamic ? with options: auto and desirable.

You’ll see two options: auto and desirable.

This command helps you choose how DTP will behave on that port.

auto means the port will wait for the other side to initiate trunking.
desirable means the port will actively try to form a trunk.

Now that we’ve seen the DTP modes, let’s look at how different combinations of switchport modes affect whether a trunk or access link is formed between two switches.

Cisco switches decide what kind of link to form based on how both ends of the connection are configured. If DTP is involved, the switches can negotiate a trunk. If not, the port will stay as access unless trunking is forced.

Here’s a quick summary of the four common interface modes:

access – Forces the port to be an access port. Doesn’t participate in DTP.
trunk – Forces the port to be a trunk. Still sends DTP unless turned off with nonegotiate.
dynamic auto – Listens for DTP messages. Won’t start trunking by itself.
dynamic desirable – Actively tries to form a trunk by sending DTP messages.

Now here’s a table showing what happens when two switch ports are connected using different combinations of these modes:

DTP Mode Behavior Table

Switch 1 Mode	Switch 2 Mode	Link Formed
dynamic desirable	dynamic desirable	Trunk
dynamic desirable	dynamic auto	Trunk
dynamic auto	dynamic auto	Access
access	access	Access
trunk	trunk	Trunk
trunk	access	No link (mismatch)
dynamic desirable	access	Access
dynamic auto	access	Access
trunk	dynamic auto	Trunk
trunk	dynamic desirable	Trunk

A Few Notes:

When both sides are set to dynamic auto, no one initiates the trunking process—so the link stays as access.
Trunk + access often causes a mismatch warning, and VLAN traffic won’t flow properly.
Trunk mode sends DTP unless you add switchport nonegotiate.
DTP will not form a trunk with a router, PC, etc. The switchport will be in access mode.
In real networks, many admins disable DTP completely and manually set trunks for better security and stability.

This table should help you quickly understand how DTP behaves depending on how you configure each side of the link.

Once you've set the port mode, it's a good idea to check if the interface is actually acting as a trunk or access port. You can do that using the command:

Now let’s check if our configuration is working. On SW1, I used the command:

show interfaces fa0/1 switchport

Switch 1 CLI output showing the result of the command show interfaces fa0/1 switchport.

The image shows the following lines from the output:

Name – This is just the label of the interface. If you added a description using the description command, it’ll show up here.
Switchport – This tells you if the interface is operating as a Layer 2 switchport. If it says "Enabled," that means it’s in switchport mode (Layer 2). If it’s "Disabled," it might be in Layer 3 mode.
Administrative Mode – This shows how the interface is configured. For example, it might say:
- dynamic desirable
- dynamic auto
- trunk
- access

This is what you manually set with the switchport mode command.

Operational Mode – This shows what the interface is actually doing right now. It could be:
- trunk – the port is successfully trunking.
- static access – the port is operating as an access port.
- dynamic desirable – still waiting or trying to negotiate.

Sometimes, the Administrative Mode and Operational Mode don’t match if trunking hasn’t been successfully negotiated. Always check this part to confirm if your link is working as intended.

Let me share a few important things you should know about DTP behavior, defaults, and best practices.

On older Cisco switches, the default mode for interfaces is usually switchport mode dynamic desirable, which means the port actively tries to form a trunk using DTP. But on newer switches, the default is often switchport mode dynamic auto, which means the port just listens for DTP messages but won’t initiate trunking.

If you want to stop DTP from running on an interface, you can use the command:

switchport nonegotiate

This disables DTP on that port. Keep in mind that this command only works if the port is already configured as a trunk. If the port is set to access mode using switchport mode access, DTP is automatically disabled anyway so no need to use nonegotiate.

As a best practice, it’s usually recommended to disable DTP on all ports and just manually set them as access or trunk. This gives you more control and helps avoid accidental trunking or security issues, especially in production environments.

Now about trunk encapsulation, older switches that support both ISL (Inter-Switch Link) and 802.1Q can use DTP to negotiate which encapsulation to use. By default, the encapsulation mode is set to:

switchport trunk encapsulation negotiate

This means the switch will try to agree with the other side on which protocol to use. If both ends support ISL, it will be selected by default, since ISL is preferred over 802.1Q.

One last note:

DTP frames are sent in VLAN 1 when ISL is used.
With 802.1Q, DTP frames are sent in the native VLAN.

Important:
Modern switches (like Catalyst 2960 and later) no longer support ISL. They only support 802.1Q, and the switchport trunk encapsulation command is removed entirely. So if you're using newer hardware or Packet Tracer, you’ll likely only see 802.1Q in action.

VTP (VLAN Trunking Protocol)

Now that we’ve talked about how trunk links are formed using DTP, let’s shift our focus to another Cisco protocol that works with VLANs across multiple switches: VTP, or VLAN Trunking Protocol.

While DTP is about forming trunk connections, VTP is about managing VLAN information across switches. Instead of manually creating the same VLANs on every switch, VTP can help sync that info automatically. It can save you time, but it also comes with risks if you’re not careful.

VTP stands for VLAN Trunking Protocol, and it’s a Cisco protocol used to share VLAN information between switches. The idea is simple: instead of manually adding VLANs one by one on every switch, you can configure VLANs on one switch and have that information automatically shared with the rest.

VTP only works over trunk links, so before VLANs can be shared, switches must be connected through properly configured trunk ports.

How VTP Works

VTP uses a server-client model. You set one switch as a VTP server, and it will be the one where you add or delete VLANs. The other switches can be set as VTP clients, and they will receive VLAN updates from the server.

Here’s a quick breakdown of the VTP modes:

Server – You can add, delete, and modify VLANs. VLAN changes are advertised to other switches.
Client – You can’t make VLAN changes, but the switch will receive updates from the server.
Transparent – This mode doesn’t participate in VTP advertisements. VLANs made on this switch stay local and are not shared, but it will still forward VTP messages it receives.

For VTP to work, the switches must be in the same VTP domain name and use a matching VTP version. By default, Cisco switches use VTP version 1 and are set to server mode, so they’ll start sending updates as soon as they’re connected over a trunk.

Why Use VTP?

VTP can be useful when you have a lot of switches and want to manage VLANs more easily. If you add a new VLAN on the VTP server, it will automatically appear on all client switches. That saves time and helps keep things consistent.

But there’s a catch.

If you accidentally connect a new switch with a higher VTP revision number and an empty VLAN database, it can wipe out VLANs across your whole network. That’s why many network engineers prefer not to use VTP in production and just configure VLANs manually or use VTP transparent mode for safety.

Network topology with four Cisco switches connected to each other, forming a setup for VTP demonstration.

Before we start configuring anything, it’s good to know how to check a switch’s current VTP settings. You can do that with the command:

show vtp status

This command shows you a summary of the switch’s VTP configuration even if you haven’t set anything yet. It tells you things like:

VTP Version – The VTP version the switch is using (usually version 1 or 2 by default).
VTP Domain Name – The name of the VTP domain the switch belongs to. If you haven’t configured it yet, it might be blank.
VTP Mode – Whether the switch is in server, client, or transparent mode.
Configuration Revision – A number that increases every time you make VLAN changes on a VTP server.
Number of Existing VLANs – How many VLANs are currently recognized by the switch.

This command is useful because it gives you a clear view of what the switch is doing with VTP, even before you start making changes. It also helps you catch any mismatches in domain name or version early on

You might have noticed that most switches use VTP version 1 or version 2 by default. But yes, there’s also a VTP version 3.

VTP version 3 adds several improvements over the older versions, including:

Support for extended-range VLANs (VLANs 1006–4094)
Better authentication and security features
Support for MST (Multiple Spanning Tree)
More control over who can make changes – VTPv3 uses the idea of a primary server, which is the only switch allowed to make VLAN changes in the domain. This helps prevent accidental changes.

One important thing to know:
VTP version 3 is not enabled by default and is not supported on all Cisco switches, especially older models. You have to manually upgrade the version if you want to use it:

vtp version 3

For most Packet Tracer labs, you’ll usually be working with version 1 or 2, since v3 isn’t always supported in the simulator.

Switch 1 CLI displaying the output of the show vtp status command, showing details like VTP Version, VTP Domain Name, VTP Mode, Configuration Revision, and Number of Existing VLANs.

Now that we’ve seen the current VTP settings, let’s start configuring it. The first step is to set a VTP domain name. All switches that are part of the same VTP domain will be able to share VLAN information with each other.

To do that, go into global configuration mode and use this command:

vtp domain cisco

In this case, we’re setting the domain name to cisco. Make sure all switches you want to include in the same VTP setup use the exact same domain name because VTP won’t work if there’s a mismatch.

Switch 1 CLI showing the command vtp domain cisco entered in global configuration mode.

We also added VLAN 10 to increase the revision number and VLAN count in the Switch.

Switch 1 CLI showing the creation of VLAN 10 with the name "Sales" using the vlan 10 and name Sales commands.

Switch 1 CLI showing the output of show vtp status, with an increased Configuration Revision number and a list of VLANs, including the newly added VLAN 10.

Switch 1 CLI showing the output of the show vlan brief command, with VLAN 10 named "Sales" listed among the VLANs.

After creating VLAN 10 on Switch 1, the show vtp status output now shows a higher revision number, the VTP domain name cisco, and the updated VLAN list. This confirms that VTP recognized the change and is ready to advertise it to other switches in the same domain.

On Switch 2, we can use the show vtp status command to confirm that it’s in the same cisco domain and has received the updated revision number. Then, by using show vlan brief, we can see that VLAN 10 with the name "Sales" is now present—proving that VTP successfully synced the VLAN from Switch 1.

Switch 2 CLI showing the output of the show vtp status command, displaying the same VTP domain name “cisco” and matching configuration revision number as Switch 1.

Switch 2 CLI showing the output of the show vlan brief command, with VLAN 10 named "Sales" listed among the VLANs.

There are two important things to remember about how VTP works when switches communicate:

If a switch has no VTP domain name set, and it receives a VTP advertisement from another switch with a domain name, it will automatically join that domain. So if a new switch is added with no VTP config, it will adopt the domain name from the first VTP message it receives.
If a switch receives a VTP advertisement with a higher revision number and the same domain name, it will update its entire VLAN database to match the one in the advertisement. This includes adding, deleting, or renaming VLANs—even if it erases what was already there.

That’s why it’s so important to check the domain name and revision number before connecting a switch to the network. One wrong move can wipe out your VLANs without warning.

Switch 3 CLI showing the output of the show vtp status command, with the same VTP domain name “cisco” and matching configuration revision number as Switch 1 and Switch 2.

Switch 4 CLI showing the output of the show vtp status command, displaying the same VTP domain name “cisco” and the same configuration revision number, confirming it has synced VLAN information just like Switches 1, 2, and 3.

One Thing to Watch Out For

Be careful when connecting a switch to an existing VTP domain. If you plug in an old switch that has a higher revision number, even if it has no VLANs, it can overwrite the VLAN database of all other switches in the domain.

This happens because VTP trusts the switch with the higher revision number. So, the rest of the network will treat that old switch’s VLAN info as the latest version even if it’s empty.

To avoid this, always reset the VTP revision number before connecting a switch to the network. One way to do that is by changing the VTP domain name to something else, then changing it back. This resets the revision number to 0.

This diagram illustrates a common VTP issue: connecting an old switch with a higher revision number can force other switches in the same VTP domain to sync with it—overwriting their VLANs, even if the old switch has an empty VLAN database.

Quick Recap Before We Move On

So far, we’ve worked with VTP server and VTP client modes:

VTP Server – This is where you create, delete, or rename VLANs. Any changes made here are advertised to other switches in the same domain. By default, all Cisco switches start in server mode.
VTP Client – This mode doesn’t allow VLAN changes. Instead, the switch listens for updates from a VTP server and automatically syncs its VLAN database.

These two modes are great for automatic VLAN management, but they come with risks especially if the wrong switch gets connected with outdated or incorrect VLAN info.

Switch 2 CLI showing the command vtp mode client followed by an attempt to create VLAN 20, which results in an error message.

Now Let’s Talk About VTP Transparent Mode

If you want to avoid the risks of automatic VLAN syncing but still use trunk links and custom VLANs, VTP transparent mode is a safer option.

In this mode, the switch doesn’t participate in VTP updates. It doesn’t advertise its VLAN changes, and it won’t accept changes from other switches either. Any VLANs you create stay local to that switch.

However, it still forwards VTP messages it receives, so it won’t block the flow of VTP traffic between other switches.

Transparent mode is often used in production networks where engineers want full control and don’t want VLANs to be automatically pushed or overwritten.

Switch 3 CLI showing vtp mode transparent followed by vtp domain ccna, changing the VTP domain name from "cisco" to "ccna".

In this example, Switch 3 is set to VTP transparent mode, and then we changed its domain name from cisco to ccna using the vtp domain ccna command.

Because the switch is in transparent mode, changing the domain name doesn’t affect VLAN syncing. It will not accept or send any VLAN updates, regardless of what the domain name is. The VLANs you create on this switch will stay local, and it will simply forward VTP messages between other switches without acting on them.

Changing the VTP domain name to an unused domain will reset the revision number to 0. Changing the VTP mode to transparent also reset the revision number to 0.

This is useful when you want the switch to be part of the network and pass traffic, but not be affected by any VTP changes happening elsewhere.

You might be wondering, should we change the VTP domain name of a switch in transparent mode? The short answer is: not unless you want to isolate it from the VTP domain.

Even though VTP transparent mode doesn’t send or apply VTP updates, the switch still checks the VTP domain name of any messages it receives. If the domain name in the VTP frame doesn’t match its own, the interface will show a DOMAINMISMATCH warning. This is exactly what happened when we changed the domain name of SW3 from cisco to ccna, while the rest of the switches stayed in the cisco domain.

The warning doesn’t stop the switch from forwarding VTP frames—it still passes them along—but it’s a sign that something’s off.

To avoid this, it’s best to:

Keep the same VTP domain name on all switches, even transparent ones, if they’re meant to forward VTP traffic.
Only change the domain if you want that switch to be completely separate from the VTP environment.

In most cases, keeping the domain consistent is the simpler and safer option.

So if you're following along with my example and you've changed the domain name of SW3 to ccna, you'll notice that caused DOMAINMISMATCH warnings on the links to SW2 and SW4. That's because those switches are using the domain name cisco.

To fix that and avoid the warning, just change SW3’s domain name back to match the others:

vtp domain cisco

Once all switches are in the same domain, those mismatch errors will go away, and everything will work smoothly even with SW3 in transparent mode.

Moving On to VTP Version 2

By default, most Cisco switches use VTP version 1. But you can switch to version 2 using the command:

vtp version 2

Now you might ask, what’s the difference between version 1 and version 2?

The two versions are very similar, but VTP version 2 adds a few improvements:

Token Ring support – Rarely used today, but it’s supported in version 2.
VLAN consistency checks – Version 2 can detect when there's a mismatch between VLAN names and numbers, helping prevent config errors.
Forwarding VTP messages in transparent mode – In version 1, a switch in transparent mode only forwards VTP messages if they’re version 1. In version 2, transparent switches can forward both version 1 and version 2 messages.

So if you're using transparent mode and want better compatibility or plan to mix version 1 and 2 in your network, it’s better to switch to VTP version 2.

Wrapping It Up

We’ve covered a lot in this blog. From how DTP forms trunk links automatically, to how VTP helps manage VLANs across multiple switches. You saw how VTP server, client, and transparent modes work, how revision numbers affect the network, and why it's important to keep domain names consistent. We also looked at potential risks and how to avoid them, especially when connecting old switches.

Whether you're using this setup for practice or planning for real-world networks, the key takeaway is this: understand what your switches are doing behind the scenes. A small misstep like a mismatched domain or high revision number can cause big changes to your VLAN setup.

Thanks for reading! I’m not a professional, just someone learning and sharing what I’ve tested and understood through Packet Tracer and hands-on practice. Hope this helped you get a better grasp of DTP and VTP.

Let’s keep learning one config at a time.

Understanding DTP and VTP in Cisco Networks