vlan.dat Internals

I wrote a Python module/utility to parse vlan.dat files: https://github.com/frei-style/vlandat

This page shows some information about the reverse engineering.

About the File

On Cisco IOS the VLAN and VTP information is stored in the VLAN database. This database is represented as the file vlan.dat.

Switch#dir flash:/vlan.dat
Directory of flash:/vlan.dat

    2  -rwx        1164  Nov 19 2016 23:15:21 +02:00  vlan.dat

27998208 bytes total (14103040 bytes free)

Some facts about the file:

  • It stores between 4 (1, 1002-1005) and 1005 VLANs. If there are more, the configuration goes to the config file.
  • If VTP mode is defined as transparent in the database and the config file and if the domain name matches, the VLAN information in the vlan.dat is ignored.
  • vlan.dat is the default name. It can be changed with vtp file <filename>.

Influence of VTP Configuration

In VTP Server Mode, switch “saves VLAN configuration information in a file named vlan.dat in flash memory.”
In VTP Client Mode, switch saves “VLAN information in RAM only, not stored in NVRAM or Flash memory; must be repopulated from a VTP server if switch is power-cycled.”
In VTP Transparent Mode, switch saves VLAN configuration in NVRAM.

– SWITCH (642-813) Student Guide Volume I

Structure

There is no guarantee that the information in the following table is correct. It's based on some information I found on the internet and was extended by my own research and experiments.

| Offset | Bytes | Type | IOS Name | Values | Notes |
|--------|-------|------|----------|--------|-------|
| 000 | 4 | bytes | - | BADB100D | Magic Number? |
| 004 | 4 | int | VTP Version | 2, 3 | - |
| 008 | 1 | char | VTP Operating Mode ID | 1 (client), 2 (server), 3 (transparent) | - |
| 009 | 1 | char | - | 0-32 | VTP Domain Name Length |
| 00a | 32 | string | VTP Domain Name | ascii, 0-32 chars | - |
| 02a | 2 | ? | ? | ? | |
| 02c | 4 | int | Configuration Revision | 0-2^31 | This may be only 4 bytes, like in the VTP network packet. Max revision number is 2,147,483,648, then counter will reset back to zero (source) |
| 030 | 4 | int | Local updater ID | IP address | |
| 034 | 4 | int | Last update on vlan interface with lowest number. | ? | This may be only 2 bytes |
| 038 | 12 | string | Configuration last modified by | yymmddhhmmss | |
| 044 | 16 | bytes | MD5 digest | md5 hash | - |
| 054 | 1 | char | - | 0-64 | VTP Password Length |
| 055 | 64 | string | VTP Password | ascii, 0-64 chars | - |
| 095 | 1 | char | ? | ? | ? |
| 096 | 2 | short | Number of existing VLANs | 0-4095 | This may be 2 bytes, not 3. There should be enough VLANs with two bytes: 2^(8*2)-1 = 65535. I add a 0-byte at the beginning and treat it as int |
| 098 | 1 | char | Pruning Mode | 1 (enabled), 2 (disabled) | - |
| 099 | 1 | char | V2 Mode | 1 (enabled), 2 (disabled) | - |
| 09a | 6 | ? | ? | - | |

Repeats for each VLAN 1)

| Offset | Bytes | Type | IOS Name | Values | Notes |
|--------|-------|------|----------|--------|-------|
| 0a0 | 1 | char | - | 0-32 | Name Length |
| 0a1 | 32 | string | Name | ascii, 0-32 chars | |
| 0c1 | 2 | short | Type | 1 (enet), 2 (fddi), 3 (trcrf), 4 (fdnet), 5 (trbrf) | ? This may be just a char, not a short. That would be enough, but no idea what the first byte could be |
| 0c3 | 1 | char | State | 1 (active), 2 (suspended) | |
| 0c4 | 2 | short | MTU | 576-18190 | |
| 0c6 | 2 | short | ID | 1 to 4094 | Extended-range VLANs (VLAN IDs 1006 to 4094) are only saved in the VLAN database in VTP version 3. |
| 0c8 | 4 | int | SAID | 1 to 4294967294 | |
| 0cc | 2 | short | Ring Number | 1-4095 | FDDI or Token Ring |
| 0ce | 1 | char | Bridge Number | 0-15 | FDDI Net or Token Ring Net (fd-net or trbrf) |
| 0cf | 1 | char | STP Type | 0 (none), 1 (ieee), 2 (ibm) | FDDI Net or Token Ring Net (fd-net or trbrf) |
| 0d0 | 2 | short | Parent VLAN | 0-1005 | FDDI or Token Ring |
| 0d2 | 2 | short | First Translational VLAN | 0-1005 | |
| 0d4 | 2 | short | First Translational VLAN | 0-1005 | |
| 0d6 | 1 | char | Bridge Number | 0-15 | FDDI Net or Token Ring Net (fd-net or trbrf) |
| 0d7 | 1 | char | ARE Hops | 0-13 | type must be trcrf |
| 0d8 | 1 | char | STE Hops | 0-13 | type must be trcrf |
| 0d9 | 1 | char | Backup CRF Mode | 0 (disabled), 1 (enabled) | type must be trcrf |
| 0da | 1 | char | Remote SPAN | 0 (disabled), 1 (enabled) | |
| 0db | 1 | char | ? | ? | ? I have no idea. I changed the value to 1 and 2 but I didn't notice any differences on the switch with the show command. |

Following stuff is yet unknown

| Offset | Bytes | Type | IOS Name | Values | Notes |
|--------|-------|------|----------|--------|-------|
| ? | ? | ? | ? | ? | Looks like garbage, will be harder to figure that out. |

The initial data for this table is from a blog post by Chris Welsh (decoding vlan.dat).
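A parser for the known header and per-VLAN fields in the table above, as an added example (it is not the code of the vlandat module linked at the top). It assumes big-endian integers, as suggested by the trailing blocks further down where 03 ea encodes VLAN 1002, and it rejects length and count bytes that would read past their field; `build_sample` and its values are constructed test data, not a real capture.

```python
import struct

# ASSUMPTION: multi-byte integers are big-endian (03 ea = 1002 in the trailer).
MAGIC = bytes.fromhex("BADB100D")
HEADER_LEN, VLAN_LEN = 0x0A0, 0x0DC - 0x0A0   # sizes implied by the table offsets
MODES = {1: "client", 2: "server", 3: "transparent"}
TYPES = {1: "enet", 2: "fddi", 3: "trcrf", 4: "fdnet", 5: "trbrf"}
SAMPLE_VLANS = ((1, b"default", 1), (1003, b"token-ring-default", 3))

def lstr(buf, off, maxlen):
    """Read a 1-byte length at off, then that many ASCII bytes; reject bad lengths."""
    n = buf[off]
    if n > maxlen:
        raise ValueError(f"length byte {n} at offset {off:#05x} exceeds {maxlen}")
    return buf[off + 1:off + 1 + n].decode("ascii", "replace")

def parse_vlan_dat(buf):
    if len(buf) < HEADER_LEN or buf[:4] != MAGIC:
        raise ValueError("too short or wrong magic number")
    version, mode = struct.unpack_from(">IB", buf, 0x004)
    revision, updater = struct.unpack_from(">I4s", buf, 0x02C)
    (count,) = struct.unpack_from(">H", buf, 0x096)
    end = HEADER_LEN + count * VLAN_LEN
    if end > len(buf):
        raise ValueError("VLAN count does not fit in the file")
    vlans = []
    for o in range(HEADER_LEN, end, VLAN_LEN):
        vtype, state, mtu, vid, said = struct.unpack_from(">HBHHI", buf, o + 0x21)
        vlans.append({"id": vid, "name": lstr(buf, o, 32), "mtu": mtu, "said": said,
                      "type": TYPES.get(vtype, vtype), "active": state == 1})
    return {"version": version, "mode": MODES.get(mode, mode), "revision": revision,
            "domain": lstr(buf, 0x009, 32), "password": lstr(buf, 0x054, 64),
            "updater": ".".join(map(str, updater)), "vlans": vlans, "trailer": buf[end:]}

def build_sample():
    """Build a constructed vlan.dat: server mode, revision 321, two VLANs."""
    buf = bytearray(HEADER_LEN + len(SAMPLE_VLANS) * VLAN_LEN)
    struct.pack_into(">4sIB", buf, 0, MAGIC, 2, 2)
    buf[0x009:0x009 + 11] = bytes([10]) + b"ENTENSUPPE"
    struct.pack_into(">I4s", buf, 0x02C, 321, bytes([192, 168, 1, 200]))
    buf[0x054:0x054 + 7] = bytes([6]) + b"s3cret"
    struct.pack_into(">H", buf, 0x096, len(SAMPLE_VLANS))
    for i, (vid, name, vtype) in enumerate(SAMPLE_VLANS):
        o = HEADER_LEN + i * VLAN_LEN
        buf[o:o + 1 + len(name)] = bytes([len(name)]) + name
        struct.pack_into(">HBHHI", buf, o + 0x21, vtype, 1, 1500, vid, 100000 + vid)
    return bytes(buf)
```

Because the table places the VTP password in the file as ASCII, the parsed `password` field is readable by anyone who holds a copy of vlan.dat, so backups of the file need the same protection as the switch configuration itself.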

Information in IOS

This section shows how the information in the VLAN database can be displayed with IOS commands.

VLAN Information

affe#sh vl

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, 
                                                Gi1/0/22, Gi1/0/23, Gi1/0/25, Gi1/0/26
3    VLAN0003                         active
5    VLAN0005                         active
50   Affe                             active
52   Banane                           active    Gi1/0/13, Gi1/0/14
915  Entensuppe                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
3    enet  100003     1500  -      -      -        -    -        0      0
5    enet  100005     1500  -      -      -        -    -        0      0
50   enet  100050     1500  -      -      -        -    -        0      0
52   enet  100052     1500  -      -      -        -    -        0      0
915  enet  100915     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    srb      0      0
1004 fdnet 101004     1500  -      -      1        ieee -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0


Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

VTP Configuration / Status

affe#sh vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : ENTENSUPPE
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : a2a3.2b63.ef21
Configuration last modified by 192.168.2.230 at 10-21-16 16:41:50
Local updater ID is 192.168.1.200 on interface Vl1 (lowest numbered VLAN interface found)

Feature VLAN:
--------------
VTP Operating Mode                : Server
Maximum VLANs supported locally   : 255
Number of existing VLANs          : 42
Configuration Revision            : 321
MD5 digest                        : 0x00 0x11 0x22 0x33 0x44 0x55 0xE4 0x66
                                    0x77 0x88 0x99 0xAA 0xBB 0xCC 0xDD 0xEE




Notes About Missing Parts

Garbage

There is some garbage at the end of the file. Marco Rizzi (Playing with vlan.dat; the blog post was unfortunately deleted, but it is available via the Web Archive) assumes that it is additional information about FDDI/Token Ring VLANs. I think he's right.

I deleted the vlan.dat and reloaded the switch to get this clean config:

switch>sh vl

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
          

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1002 fddi  101002     1500  -      -      -        -    -        0      0   
1003 tr    101003     1500  -      -      -        -    -        0      0   
1004 fdnet 101004     1500  -      -      -        ieee -        0      0   
1005 trnet 101005     1500  -      -      -        ibm  -        0      0   

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

I extracted the garbage at the end of the fresh config and also after some changes. It looks like these are 24-byte blocks, so I split them up. I also looked at an old config which I had played with too much, and its length isn't a multiple of 24 bytes (this config isn't trustworthy anymore, but I should keep this in mind. Maybe there is additional data or there is a variable field).

initial config

02 23 c4 90 00 00 03 ea 00 00 00 08 02 23 ca 04 01 01 00 00 04 01 00 00 # vl 1002
02 23 c5 18 00 00 03 eb 00 00 00 08 02 23 c4 d4 01 01 00 00 04 01 00 00 # vl 1003
02 23 c5 a0 00 00 03 ec 00 00 00 08 02 23 c5 5c 02 01 00 00 03 01 00 01 # vl 1004
00 00 00 00 00 00 03 ed 00 00 00 08 02 23 c5 e4 02 01 00 00 03 01 00 02 # vl 1005
                  ## ##
                 vlan id

1. change

vl 777
media tokenring
02 23 eb 10 00 00 03 09 00 00 00 08 02 23 ea cc 01 01 00 00 04 01 00 00 # vl 777
02 23 fc 7c 00 00 03 ea 00 00 00 08 02 23 fc 38 01 01 00 00 04 01 00 00 # vl 1002
02 23 fd 04 00 00 03 eb 00 00 00 08 02 23 fc c0 01 01 00 00 04 01 00 00 # vl 1003
02 23 fd 8c 00 00 03 ec 00 00 00 08 02 23 fd 48 02 01 00 00 03 01 00 01 # vl 1004
00 00 00 00 00 00 03 ed 00 00 00 08 02 23 fd d0 02 01 00 00 03 01 00 02 # vl 1005
                  ## ##
                 vlan id

I made a small change (just added something) and some random portions of the whole data changed. I have no idea why, yet.

2. change

vl 777
ring 1002
02 07 4b bc 00 00 03 09 00 00 00 08 02 07 45 74 01 01 03 ea 04 01 00 00 # vl 777
02 23 fc 38 00 00 03 ea 00 00 00 08 02 23 e8 a8 01 01 00 00 04 01 00 00 # vl 1002
02 23 fc c0 00 00 03 eb 00 00 00 08 02 23 fc 7c 01 01 00 00 04 01 00 00 # vl 1003
02 23 fd 48 00 00 03 ec 00 00 00 08 02 23 fd 04 02 01 00 00 03 01 00 01 # vl 1004
00 00 00 00 00 00 03 ed 00 00 00 08 02 23 fd 8c 02 01 00 00 03 01 00 02 # vl 1005

3. change

vl 777
are 1
ste 1
02 1e 61 d8 00 00 03 09 00 00 00 08 02 1e 43 64 01 01 03 ea 04 01 00 00 # vl 777
02 24 14 40 00 00 03 ea 00 00 00 08 02 23 c9 8c 01 01 00 00 04 01 00 00 # vl 1002
02 24 09 24 00 00 03 eb 00 00 00 08 02 07 41 cc 01 01 00 00 04 01 00 00 # vl 1003
01 ed b0 64 00 00 03 ec 00 00 00 08 01 b0 75 d4 02 01 00 00 03 01 00 01 # vl 1004
00 00 00 00 00 00 03 ed 00 00 00 08 01 ea a0 34 02 01 00 00 03 01 00 02 # vl 1005
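A byte-level diff of the 24-byte blocks above, keyed by the VLAN ID at bytes 6-7, as an added example (not part of the original page or of the vlandat module). The two dumps are copied from "1. change" and "2. change"; the function names are hypothetical.

```python
BLOCK = 24  # block size the page arrives at for the trailing data

# Dumps copied from the page ("1. change" and "2. change").
CHANGE_1 = """
02 23 eb 10 00 00 03 09 00 00 00 08 02 23 ea cc 01 01 00 00 04 01 00 00
02 23 fc 7c 00 00 03 ea 00 00 00 08 02 23 fc 38 01 01 00 00 04 01 00 00
02 23 fd 04 00 00 03 eb 00 00 00 08 02 23 fc c0 01 01 00 00 04 01 00 00
02 23 fd 8c 00 00 03 ec 00 00 00 08 02 23 fd 48 02 01 00 00 03 01 00 01
00 00 00 00 00 00 03 ed 00 00 00 08 02 23 fd d0 02 01 00 00 03 01 00 02
"""
CHANGE_2 = """
02 07 4b bc 00 00 03 09 00 00 00 08 02 07 45 74 01 01 03 ea 04 01 00 00
02 23 fc 38 00 00 03 ea 00 00 00 08 02 23 e8 a8 01 01 00 00 04 01 00 00
02 23 fc c0 00 00 03 eb 00 00 00 08 02 23 fc 7c 01 01 00 00 04 01 00 00
02 23 fd 48 00 00 03 ec 00 00 00 08 02 23 fd 04 02 01 00 00 03 01 00 01
00 00 00 00 00 00 03 ed 00 00 00 08 02 23 fd 8c 02 01 00 00 03 01 00 02
"""

def split_blocks(hexdump):
    """Turn a spaced hex dump into {vlan_id: 24-byte block}."""
    raw = bytes.fromhex(hexdump)  # skips spaces and newlines
    if len(raw) % BLOCK:
        raise ValueError(f"{len(raw)} bytes is not a multiple of {BLOCK}")
    blocks = {}
    for off in range(0, len(raw), BLOCK):
        blk = raw[off:off + BLOCK]
        vid = int.from_bytes(blk[6:8], "big")  # bytes marked "vlan id" on the page
        blocks[vid] = blk
    return blocks

def changed_offsets(before, after):
    """For each VLAN present in both dumps, list the byte offsets that differ."""
    a, b = split_blocks(before), split_blocks(after)
    return {vid: [i for i in range(BLOCK) if a[vid][i] != b[vid][i]]
            for vid in sorted(a.keys() & b.keys())}

if __name__ == "__main__":
    for vid, offsets in changed_offsets(CHANGE_1, CHANGE_2).items():
        print(f"vl {vid}: {offsets}")
```

On these two dumps, VLAN 777 differs at offsets 1-3, 13-15 and 18-19, and bytes 18-19 hold 03 ea (1002) after `ring 1002` was configured. The other VLANs differ only inside the 4-byte words at offsets 0 and 12.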

VLAN

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/vlan/configuration_guide/b_vlan_152ex_2960-x_cg/b_vlan_152ex_2960-x_cg_chapter_011.html

1)

  • Remote SPAN (enabled, disabled) ⇒ char (1)
  • VLAN state (active, suspend) ⇒ char (1)
  • Translational bridge 1 (0 to 1005) ⇒ short (2)
  • Translational bridge 2 (0 to 1005) ⇒ short (2)

or: 2)

  • Parent (Parent VLAN, if one exists.)
  • RingNo (Ring number for the VLAN, if applicable.)
  • BridgeNo (Bridge number for the VLAN, if applicable.)
  • Stp (Spanning-Tree Protocol type used on the VLAN.)
  • BrdgMode (Bridging mode for this VLAN—Possible values are source-route bridging (SRB) and source-route transparent bridging (SRT); the default is SRB.)
  • Trans1 (see below)
  • Trans2 (see below)

trans1 & trans2:

Types of translational bridges that the VLAN in the VLAN column is configured to translate to. Translational bridge VLANs must be a VLAN media type different from the affected VLAN; if two VLANs are specified, each one must be a different type.
Common VLAN types include Ethernet (enet), FDDI (fdnet), and Token Ring (tnet). The numbers in the Trans1 and Trans2 columns refer to the VLAN ID numbers of the translational bridge VLANs.
Note The term VLAN translation is also used in Cisco configuration guides for mapping specific VLANs in a given trunk to another VLAN that is of the same media type. In this context the term VLAN translation refers to a form of VLAN mapping that is using the term VLAN translation to describe it.

http://www.cisco.com/c/en/us/td/docs/ios/lanswitch/command/reference/lsw_book/lsw_s2.html

Note: it looks like this is Token Ring information… so, rather 2) than 1). http://www.cisco.com/c/en/us/td/docs/ios/12_2/ibm/configuration/guide/fibm_c/bcftrrsm.html

Script output - known fields:

1003 token-ring-default               trcrf 1500 101003
1004 fddinet-default                  fdnet 1500 101004
1005 trnet-default                    trbrf 1500 101005

Script output - unknown fields:

b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\x07\x00\x00\x00'
b'\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
b'\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

show vlan output:

1003 tr    101003     1500  -      -      -        -    srb      0      0
1004 fdnet 101004     1500  -      -      1        ieee -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0

Cisco Docs input

show vlan fields

You can set these parameters when you create a new normal-range VLAN or modify an existing VLAN in the VLAN database:
  • VLAN ID
  • VLAN name
  • VLAN type
    • Ethernet
    • Fiber Distributed Data Interface [FDDI]
    • FDDI network entity title [NET]
    • TrBRF or TrCRF
    • Token Ring
    • Token Ring-Net
  • VLAN state (active or suspended)
  • Maximum transmission unit (MTU) for the VLAN
  • Security Association Identifier (SAID)
  • Bridge identification number for TrBRF VLANs
  • Ring number for FDDI and TrCRF VLANs
  • Parent VLAN number for TrCRF VLANs
  • Spanning Tree Protocol (STP) type for TrCRF VLANs
  • VLAN number to use when translating from one VLAN type to another

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/vlan/configuration_guide/b_vlan_152ex_2960-x_cg/b_vlan_152ex_2960-x_cg_chapter_011.html#task_87763697237543969FD3A444933A282E

Abbreviations

| Abbreviation | Written out |
|--------------|-------------|
| BRF | Bridge Relay Function |
| ISL | Cisco Inter-Switch Link |
| STE | Spanning Tree Explorer |
| TrCRF | Token Ring Concentrator Relay Function |
| TrBRF | Token Ring Bridge Relay Function |

1) For the number of iterations, see Number of existing VLANs from above.
os/ios/vlan.dat.txt · Last modified: 2023-01-04 17:45 by Manuel Frei