====== vlan.dat Internals ======
I wrote a Python module/utility to parse vlan.dat files: https://github.com/frei-style/vlandat
This page shows some information about the reverse engineering.
===== About the File =====
On Cisco IOS the VLAN and VTP information is stored in the VLAN database. This database is represented as the file vlan.dat.
Switch#dir flash:/vlan.dat
Directory of flash:/vlan.dat
2 -rwx 1164 Nov 19 2016 23:15:21 +02:00 vlan.dat
27998208 bytes total (14103040 bytes free)
Some facts about the file:
* It stores between 4 (1, 1002-1005) and 1005 VLANs. If there are more, the configuration goes to the config file.
* If VTP mode is defined as transparent in the database and the config file and if the domain name matches, the VLAN information in the vlan.dat is ignored.
* vlan.dat is the default name. It can be changed with //vtp file //.
Links:
* [[http://www.cisco.com/c/en/us/support/docs/switches/catalyst-2940-series-switches/109304-manage-vlandat.html|Managing vlan.dat in Cisco Catalyst Switches Running Cisco IOS Software]]
===== Influence of VTP Configuration =====
>In VTP Server Mode, switch "saves VLAN configuration information in a file named vlan.dat in flash memory."
>In VTP Client Mode, switch saves "VLAN information in RAM only, not stored in NVRAM or FLash memory; must be repopulated from a VTP server if switch is power-cycled."
>In VTP Transparent Mode, switch saves VLAN configuration in NVRAM.
//-- SWITCH (642-813) Student Guide Volume I//
===== Structure =====
There is no guarantee that the information in the following table is correct. It's based on some information I found on the internet and was extended by my own research and experiments.
^ Offset ^ Bytes ^ Type ^ IOS Name ^ Values ^ Notes ^
| 000 | 4 | bytes | - | BADB100D | Magic Number? |
| 004 | 4 | int | VTP Version | 2, 3 | - |
| 008 | 1 | char | VTP Operating Mode ID | 1 (client), 2 (server), 3 (transparent) | - |
| 009 | 1 | char | - | 0-32 | VTP Domain Name Length |
| 00a | 32 | string | VTP Domain Name | ascii, 0-32 chars | - |
| 02a | 2 | :?: | :?: | ? | |
| 02c | 4 | int | Configuration Revision | 0-2^31 | this may is only 4 bytes, like in the VTP network package //Max revision number is 2,147,483,648then counter will reset back to zero// -- [[https://www.coursehero.com/file/p6k41no/Max-revision-number-is-2147483648-then-counter-will-reset-back-to-zero-VLAN/|source]] |
| 030 | 4 | int | Local updater ID | | IP address |
| 034 | 4 | int | Last update on | | vlan interface with lowest number. :?: this may is only 2 bytes |
| 038 | 12 | string | Configuration last modified by | yymmddhhmmss | |
| 044 | 16 | bytes | MD5 digest | md5 hash | - |
| 054 | 1 | char | - | 0-64 | VTP Password Length |
| 055 | 64 | string | VTP Password | ascii, 0-64 chars | - |
| 095 | 1 | char | :?: | ? | ? |
| 096 | 2 | short | Number of existing VLANs | 0-4095 | this may be 2 bytes not 3. There should be enough VLANs with two bytes: 2^(8*2)-1 = 65535. I add a 0-byte at the beginning and treat it as int |
| 098 | 1 | char | Pruning Mode | 1 (enabled), 2 (disabled) | - |
| 099 | 1 | char | V2 Mode | 1 (enabled), 2 (disabled) | - |
| 09a | 6 | :?: | :?: | | - |
^ Repeats for each VLAN ((for number of iterations see //Number of existing VLANs// from above)) ^^^^^^
| 0a0 | 1 | char | - | 0-32 | Name Length |
| 0a1 | 32 | string | Name | ascii, 0-32 chars | |
| 0c1 | 2 | short | Type | 1 (enet), 2 (fddi), 3 (trcrf), 4 (fdnet), 5 (trbrf) | :?: this may is just a char, not short. would be enough, but no idea what the first byte could be |
| 0c3 | 1 | char | State | 1 (active), 2 (suspended) | |
| 0c4 | 2 | short | MTU | 576-18190 | |
| 0c6 | 2 | short | ID | 1 to 4094 | Extended-range VLANs (VLAN IDs 1006 to 4094) are only saved in the VLAN database in VTP version 3. |
| 0c8 | 4 | int | SAID | 1 to 4294967294 | |
| 0cc | 2 | short | Ring Number | 1-4095 | FDDI or Token Ring |
| 0ce | 1 | char | Bridge Number | 0-15 | FDDI Net or Token Ring Net (fd-net or trbrf) |
| 0cf | 1 | char | STP Type | 0 (none), 1 (ieee), 2 (ibm) | FDDI Net or Token Ring Net (fd-net or trbrf) |
| 0d0 | 2 | short | Parent VLAN | 0-1005 | FDDI or Token Ring |
| 0d2 | 2 | short | First Translational VLAN | 0-1005 | |
| 0d4 | 2 | short | First Translational VLAN | 0-1005 | |
| 0d6 | 1 | char | Bridge Number | 0-15 | FDDI Net or Token Ring Net (fd-net or trbrf) |
| 0d7 | 1 | char | ARE Hops | 0-13 | type must be trcrf |
| 0d8 | 1 | char | STE Hops | 0-13 | type must be trcrf |
| 0d9 | 1 | char | Backup CRF Mode | 0 (disabled), 1 (enabled) | type must be trcrf |
| 0da | 1 | char | Remote SPAN | 0 (disabled), 1 (enabled) | |
| 0db | 1 | char | :?: | :?: | :?: I have no idea. I changed the value to 1 and 2 but I didn't notice any differences on the switch with the show command. |
^ Following Stuff is yet unknown ^^^^^^
| ... | :?: | :?: | :?: | :?: | :?: Looks like garbage, will be harder to figure that out. |
//The initial data for this table is from a blog post of Chris Welsh ([[https://rednectar.net/2010/12/06/decoding-vlan-dat/|decoding vlan.dat]]).//
===== Information in IOS =====
Here will be shown, how the information in the VLAN database can be displayed with IOS commands.
==== VLAN Information ====
affe#sh vl
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4,
Gi1/0/22, Gi1/0/23, Gi1/0/25, Gi1/0/26
3 VLAN0003 active
5 VLAN0005 active
50 Affe active
52 Banane active Gi1/0/13, Gi1/0/14
915 Entensuppe active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3 enet 100003 1500 - - - - - 0 0
5 enet 100005 1500 - - - - - 0 0
50 enet 100050 1500 - - - - - 0 0
52 enet 100052 1500 - - - - - 0 0
915 enet 100915 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - srb 0 0
1004 fdnet 101004 1500 - - 1 ieee - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
==== VTP Configuration / Status ====
affe#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name : ENTENSUPPE
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : a2a3.2b63.ef21
Configuration last modified by 192.168.2.230 at 10-21-16 16:41:50
Local updater ID is 192.168.1.200 on interface Vl1 (lowest numbered VLAN interface found)
Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 255
Number of existing VLANs : 42
Configuration Revision : 321
MD5 digest : 0x00 0x11 0x22 0x33 0x44 0x55 0xE4 0x66
0x77 0x88 0x99 0xAA 0xBB 0xCC 0xDD 0xEE
----
----
----
----
==== Notes About Missing Parts ====
=== Garbage ===
There is some garbage at the end of the file. Marco Rizzi ([[http://rizzitech.blogspot.ch/2010_08_01_archive.html|Playing with vlan.dat]], the blog post was deleted unfortunately. It's available via Web Archive: [[https://web.archive.org/web/20150115040419/http://rizzitech.blogspot.com/2010/08/playing-with-vlandat.html|WebArchive]]) assumes, that it's additional information about FDDI/Token Ring vlans. I think he's right.
I deleted the vlan.dat and reloaded the switch to get this clean config:
switch>sh vl
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/1, Gi0/2, Gi0/3, Gi0/4
Gi0/5, Gi0/6, Gi0/7, Gi0/8
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0
Remote SPAN VLANs
------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
I extracted the garbage at the end of the fresh config and also after some changes. It looks like this are 24 byte blocks, so i splitted them up. I also looked at an old config which I played too much with it, which hasn't the length of a multiple of 24 bytes (this config isn't trustworthy anymore but I should keep this in mind. Maybe there are additional data or there is a variable field).
**initial config**
02 23 c4 90 00 00 03 ea 00 00 00 08 02 23 ca 04 01 01 00 00 04 01 00 00 # vl 1002
02 23 c5 18 00 00 03 eb 00 00 00 08 02 23 c4 d4 01 01 00 00 04 01 00 00 # vl 1003
02 23 c5 a0 00 00 03 ec 00 00 00 08 02 23 c5 5c 02 01 00 00 03 01 00 01 # vl 1004
00 00 00 00 00 00 03 ed 00 00 00 08 02 23 c5 e4 02 01 00 00 03 01 00 02 # vl 1005
## ##
vlan id
**1. change**
vl 777
media tokenring
02 23 eb 10 00 00 03 09 00 00 00 08 02 23 ea cc 01 01 00 00 04 01 00 00 # vl 777
02 23 fc 7c 00 00 03 ea 00 00 00 08 02 23 fc 38 01 01 00 00 04 01 00 00 # vl 1002
02 23 fd 04 00 00 03 eb 00 00 00 08 02 23 fc c0 01 01 00 00 04 01 00 00 # vl 1003
02 23 fd 8c 00 00 03 ec 00 00 00 08 02 23 fd 48 02 01 00 00 03 01 00 01 # vl 1004
00 00 00 00 00 00 03 ed 00 00 00 08 02 23 fd d0 02 01 00 00 03 01 00 02 # vl 1005
## ##
vlan id
I did a small change (just add something) and some random portions of the whole data got changed. I have no idea, yet.
**2. change**
vl 777
ring 1002
02 07 4b bc 00 00 03 09 00 00 00 08 02 07 45 74 01 01 03 ea 04 01 00 00 # vl 777
02 23 fc 38 00 00 03 ea 00 00 00 08 02 23 e8 a8 01 01 00 00 04 01 00 00 # vl 1002
02 23 fc c0 00 00 03 eb 00 00 00 08 02 23 fc 7c 01 01 00 00 04 01 00 00 # vl 1003
02 23 fd 48 00 00 03 ec 00 00 00 08 02 23 fd 04 02 01 00 00 03 01 00 01 # vl 1004
00 00 00 00 00 00 03 ed 00 00 00 08 02 23 fd 8c 02 01 00 00 03 01 00 02 # vl 1005
**3. change**
vl 777
are 1
ste 1
02 1e 61 d8 00 00 03 09 00 00 00 08 02 1e 43 64 01 01 03 ea 04 01 00 00 # vl 777
02 24 14 40 00 00 03 ea 00 00 00 08 02 23 c9 8c 01 01 00 00 04 01 00 00 # vl 1002
02 24 09 24 00 00 03 eb 00 00 00 08 02 07 41 cc 01 01 00 00 04 01 00 00 # vl 1003
01 ed b0 64 00 00 03 ec 00 00 00 08 01 b0 75 d4 02 01 00 00 03 01 00 01 # vl 1004
00 00 00 00 00 00 03 ed 00 00 00 08 01 ea a0 34 02 01 00 00 03 01 00 02 # vl 1005
=== VLAN ===
[[http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/vlan/configuration_guide/b_vlan_152ex_2960-x_cg/b_vlan_152ex_2960-x_cg_chapter_011.html]]
1)
* Remote SPAN (enabled, disabled) => char (1)
* VLAN state (active, suspend) => char (1)
* Translational bridge 1 (0 to 1005) => short (2)
* Translational bridge 2 (0 to 1005) => short (2)
or:
2)
* Parent (Parent VLAN, if one exists.)
* RingNo (Ring number for the VLAN, if applicable.)
* BridgeNo (Bridge number for the VLAN, if applicable.)
* Stp (Spanning-Tree Protocol type used on the VLAN.)
* BrdgMode (Bridging mode for this VLAN—Possible values are source-route bridging (SRB) and source-route transparent bridging (SRT); the default is SRB.)
* Trans1 (see below)
* Trans2 (see below)
trans1 & trans2:
> Types of translational bridges that the VLAN in the VLAN column is configured to translate to. Translational bridge VLANs must be a VLAN media type different from the affected VLAN; if two VLANs are specified, each one must be a different type.
> Common VLAN types include Ethernet (enet), FDDI (fdnet), and Token Ring (tnet). The numbers in the Trans1 and Trans2 columns refer to the VLAN ID numbers of the translational bridge VLANs.
> **Note** The term VLAN translation is also used in Cisco configuration guides for mapping specific VLANs in a given trunk to another VLAN that is of the same media type. In this context the term VLAN translation refers to a form of VLAN mapping that is using the term VLAN translation to describe it.
-- [[http://www.cisco.com/c/en/us/td/docs/ios/lanswitch/command/reference/lsw_book/lsw_s2.html]]
:!: it looks like this is Token Ring information... so, rather 2) than 1). [[http://www.cisco.com/c/en/us/td/docs/ios/12_2/ibm/configuration/guide/fibm_c/bcftrrsm.html]]
Script output - known fields:
1003 token-ring-default trcrf 1500 101003
1004 fddinet-default fdnet 1500 101004
1005 trnet-default trbrf 1500 101005
Script output - unknown fields:
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x07\x00\x00\x00'
b'\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
b'\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
show vlan output:
1003 tr 101003 1500 - - - - srb 0 0
1004 fdnet 101004 1500 - - 1 ieee - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
===== Cisco Docs input =====
==== show vlan fields ====
> You can set these parameters when you create a new normal-range VLAN or modify an existing VLAN in the VLAN database:
* VLAN ID
* VLAN name
* VLAN type
* Ethernet
* Fiber Distributed Data Interface [FDDI]
* FDDI network entity title [NET]
* TrBRF or TrCRF
* Token Ring
* Token Ring-Net
* VLAN state (active or suspended)
* Maximum transmission unit (MTU) for the VLAN
* Security Association Identifier (SAID)
* Bridge identification number for TrBRF VLANs
* Ring number for FDDI and TrCRF VLANs
* Parent VLAN number for TrCRF VLANs
* Spanning Tree Protocol (STP) type for TrCRF VLANs
* VLAN number to use when translating from one VLAN type to another
-- [[http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/vlan/configuration_guide/b_vlan_152ex_2960-x_cg/b_vlan_152ex_2960-x_cg_chapter_011.html#task_87763697237543969FD3A444933A282E]]
===== Abbreviations =====
^ Abbreviation ^ written-out ^
| BRF | Bridge Relay Function |
| ISL | Cisco Inter-Switch Link |
| STE | Spanning Tree Explorer |
| TrCRF | Token Ring Concentrator Relay Function |
| TrBRF | Token Ring Bridge Relay Function |
==== Links ====
* [[http://rizzitech.blogspot.ch/2010/08/playing-with-vlandat.html|Marco Rizzi Blog: Playing with vlan.dat]]
* [[https://rednectar.net/2010/12/06/decoding-vlan-dat/|RedNectar's Blog: decoding vlan.dat]]
* Description of VLAN fields[[http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/vlan/configuration_guide/b_vlan_152ex_2960-x_cg/b_vlan_152ex_2960-x_cg_chapter_011.html|Catalyst 2960-X Switch VLAN Configuration Guide, Cisco IOS Release 15.0(2)EX]]
* [[http://www.cisco.com/c/en/us/td/docs/ios/lanswitch/command/reference/lsw_book/lsw_s2.html|Cisco: Chapter: show vlan through spanning-tree vlan]]
* [[https://www.wireshark.org/docs/dfref/v/vtp.html|Wireshark VTP Info]]
* [[http://www.cisco.com/c/en/us/support/docs/lan-switching/vtp/10558-21.html|Cisco: Understanding VLAN Trunk Protocol (VTP)]]