VTP Version 3

In an earlier lesson I explained the basics of VTP (version 1 and 2). The main goal of VTP version 3 is still to synchronize VLANs, but it adds a number of extras. It’s been around for a while, but until recent IOS versions it wasn’t supported on Cisco Catalyst switches.

Here are some of the new additions to VTP version 3:

  • VTP primary server: only the primary server is able to create / modify / delete VLANs. This is a great change, as you can no longer “accidentally” wipe all VLANs like you could with VTP version 1 or 2.
  • Extended VLANs: you can now synchronize VLANs in the extended VLAN range (1006 – 4094).
  • Private VLANs: if you have VLANs that are configured as private VLANs, you can synchronize them with VTPv3.
  • RSPAN VLANs: remote SPAN VLANs can now be synchronized.
  • MST support: one of the problems of MST is that you had to configure each switch manually. With VTPv3, MST configurations are synchronized.
  • Authentication improvements: VTPv3 has more secure methods for authentication.
  • VTP mode off: with version 1 or 2, if you didn’t want to use VTP you had to use transparent mode. VTPv3 can be disabled globally or per interface.
  • Compatibility: VTP version 3 is compatible with version 2, not with version 1.

I’ll walk you through each of those and show you how to configure VTP version 3. I’ll use the following topology:

Cisco VTP Version 3 topology

All interfaces between the switches are configured as trunks.

Configuration

Basic Configuration

First we will try to enable VTP version 3 on one of our switches:

SW1(config)#vtp version 3
Cannot set the version to 3 because domain name is not configured

The domain name is now a requirement; it can’t be NULL. Let’s set one and try again:

SW1(config)#vtp domain NWL
Changing VTP domain name from NULL to NWL

%SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to NWL.

SW1(config)#vtp version 3

Let’s do the same on SW2 and SW3:

SW2 & SW3#
(config)#vtp domain NWL
(config)#vtp version 3

All switches will be running in VTP server mode by default:

SW1#show vtp status | include Operating Mode
VTP Operating Mode                : Server
SW2#show vtp status | include Operating Mode
VTP Operating Mode                : Server
SW3#show vtp status | include Operating Mode
VTP Operating Mode                : Server

Being a VTP server, however, is not enough to make changes to the VLAN database. Take a look below:

SW1(config)#vlan 100
VTP VLAN configuration not allowed when device is not the primary server for vlan database.

This is new: one of the switches has to be the primary server in order to create, modify or delete VLANs. Let’s make SW1 our primary server:

SW1#vtp primary
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue? [confirm]

%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0019.569d.5700 has become the primary server for the VLAN VTP feature

As soon as I make SW1 the primary server, you’ll also see this message on the other switches:

SW2 & SW3#
%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0019.569d.5700 has become the primary server for the VLAN VTP feature

SW1 is now the primary server. We can verify this from SW1 or any other switch in our VTP domain:

SW1#show vtp status | include Primary
VTP Operating Mode                : Primary Server
Primary ID                        : 0019.569d.5700
SW2#show vtp status | include Primary
Primary ID                        : 0019.569d.5700
Primary Description               : SW1
SW3#show vtp status | include Primary
Primary ID                        : 0019.569d.5700
Primary Description               : SW1

SW2 and SW3 confirm that SW1 is the primary server. VTP version 3 also has a new command that shows all switches in the same VTP domain:

SW1#show vtp devices
Retrieving information from the VTP domain. Waiting for 5 seconds.

VTP Feature  Conf Revision Primary Server Device ID      Device Description
------------ ---- -------- -------------- -------------- ----------------------
VLAN         No   6        0019.569d.5700 0011.214e.d180 SW3
VLAN         No   6        0019.569d.5700 0011.bb0b.3600 SW2

You can run this command on any of your switches; it shows all VTP members, not just the directly connected neighbors like CDP does.

Let’s see if we are able to synchronize some VLANs. We’ll start with something simple:

SW1(config)#vlan 100
SW1(config-vlan)#exit

VLAN 100 has been created on SW1, so it should show up on SW2 and SW3:

SW2 & SW3#show vlan | include VLAN0100
100  VLAN0100                         active

There it is! We can also synchronize VLANs in the extended range (1006 – 4094). Let’s give it a try:

SW1(config)#vlan 1234
SW1(config-vlan)#exit

Let’s verify if it has been synchronized:

SW1, SW2 & SW3#show vlan | include VLAN1234
1234 VLAN1234                         active

No problem at all! Let’s look at some more advanced stuff.

Private VLANs

VTP version 3 is able to synchronize private VLAN information. It only synchronizes the information from the VLAN database, not port information. Let’s create a private VLAN:

SW1(config)#vlan 501
SW1(config-vlan)#private-vlan community

SW1(config)#vlan 502
SW1(config-vlan)#private-vlan isolated

SW1(config)#vlan 500
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association add 501
SW1(config-vlan)#private-vlan association add 502

VLAN 500 is the primary VLAN with two secondary VLANs: VLAN 501 is a community VLAN and VLAN 502 is an isolated VLAN. Let’s see if it shows up on SW1:

SW1#show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
500     502       isolated
        501       community

There we go, now let’s check if it has been synchronized to SW2 and SW3:

SW2 & SW3#show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
500     502       isolated
        501       community

We see the exact same thing on SW2 and SW3. This is a nice addition to VTPv3.

Remote SPAN (RSPAN)

RSPAN VLANs are also a special “type” of VLAN. They can now be synchronized with VTP. Here’s an example:

SW1(config)#vlan 600
SW1(config-vlan)#remote-span
SW1(config-vlan)#exit

Let’s check if it’s available on our switches:

SW1#show vlan remote-span

Remote SPAN VLANs
------------------------------------------------------------------------------
600
SW2#show vlan remote-span

Remote SPAN VLANs
------------------------------------------------------------------------------
600
SW3#show vlan remote-span

Remote SPAN VLANs
------------------------------------------------------------------------------
600

No problem, it has been synchronized to all switches.

MST (Multiple Spanning-Tree)

Synchronizing MST is pretty useful. In the past you had to configure each switch separately. VTP version 3 uses a separate “feature” for MST. Take a look below:

SW1#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NWL
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0019.569d.5700

Feature VLAN:
--------------
VTP Operating Mode                : Primary Server
Number of existing VLANs          : 12
Number of existing extended VLANs : 1
Configuration Revision            : 7
Primary ID                        : 0019.569d.5700
Primary Description               : SW1
MD5 digest                        : 0xC9 0x25 0xB3 0x86 0xE7 0xA1 0xE3 0xAE
                                    0xF8 0x2F 0xB9 0x7F 0x64 0xB3 0x43 0x5F


Feature MST:
--------------
VTP Operating Mode                : Transparent


Feature UNKNOWN:
--------------
VTP Operating Mode                : Transparent

The default “VLAN” feature covers everything we did before: VLANs, extended range VLANs, private VLANs and RSPAN VLANs. To synchronize MST information we have to use the “MST” feature. As you can see, the VTP mode for this feature is currently transparent.
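Because each feature has its own primary server, revision number and mode, a useful operational check is to collect `show vtp status` from every switch and verify that all of them agree on the domain, the version and the primary ID per feature, and to alert on any `%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG` message that names a device other than the one you designated. The Python below is an added example (not code from this lesson or from Cisco): it parses the `show vtp status` layout and the syslog format shown above. The SW1 and SW2 device IDs are the ones used in the lesson; the SW3 sample output and the log lines are constructed, with SW3 deliberately made inconsistent so the audit has something to report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output modelled on the "show vtp status" layout in the lesson.
# SW3's values are deliberately inconsistent (its own ID as VLAN primary, revision 8).
SAMPLE_STATUS: Dict[str, str] = {
    "SW1": """\
VTP version running             : 3
VTP Domain Name                 : NWL
Device ID                       : 0019.569d.5700

Feature VLAN:
--------------
VTP Operating Mode                : Primary Server
Configuration Revision            : 7
Primary ID                        : 0019.569d.5700
MD5 digest                        : 0xC9 0x25 0xB3 0x86 0xE7 0xA1 0xE3 0xAE
                                    0xF8 0x2F 0xB9 0x7F 0x64 0xB3 0x43 0x5F

Feature MST:
--------------
VTP Operating Mode                : Client
Configuration Revision            : 1
Primary ID                        : 0011.bb0b.3600
""",
    "SW3": """\
VTP version running             : 3
VTP Domain Name                 : NWL
Device ID                       : 0011.214e.d180

Feature VLAN:
--------------
VTP Operating Mode                : Primary Server
Configuration Revision            : 8
Primary ID                        : 0011.214e.d180

Feature MST:
--------------
VTP Operating Mode                : Transparent
""",
}

# Baseline (assumed for this example): the device allowed to be primary per VTP feature.
EXPECTED_PRIMARY = {"VLAN": "0019.569d.5700", "MST": "0011.bb0b.3600"}

FEATURE_RE = re.compile(r"^Feature (?P<name>\S+):$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(?P<val>.*)$")
PRIMARY_CHG_RE = re.compile(
    r"%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: (?P<id>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"has become the primary server for the (?P<feature>\w+) VTP feature"
)


def parse_vtp_status(text: str) -> dict:
    """Split 'show vtp status' into global fields plus one dict per 'Feature X:' block."""
    result = {"global": {}, "features": {}}
    section = result["global"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                         # blank line or dashed separator
        feat = FEATURE_RE.match(line)
        if feat:
            section = result["features"].setdefault(feat.group("name"), {})
            continue
        field = FIELD_RE.match(line)         # continuation rows (2nd MD5 line) have no ':' and are skipped
        if field:
            section[field.group("key").strip()] = field.group("val").strip()
    return result


def participating(feature: dict) -> bool:
    """Transparent/off features hold no synchronized database, so there is nothing to compare."""
    return feature.get("VTP Operating Mode") not in (None, "Transparent", "Off")


def audit_vtp(status_by_switch: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Report domain/version mismatches, unexpected primaries and revision splits per feature."""
    parsed = {sw: parse_vtp_status(t) for sw, t in status_by_switch.items()}
    findings: List[str] = []
    domains = {p["global"].get("VTP Domain Name") for p in parsed.values()}
    if len(domains) != 1:
        findings.append(f"domain mismatch: {sorted(d or 'NULL' for d in domains)}")
    for sw, p in parsed.items():
        if p["global"].get("VTP version running") != "3":
            findings.append(f"{sw}: not running VTP version 3")
        for name, want in expected.items():
            feat = p["features"].get(name, {})
            if participating(feat) and feat.get("Primary ID") != want:
                findings.append(f"{sw}: {name} primary is {feat.get('Primary ID')}, expected {want}")
    for name in expected:
        revs = {sw: p["features"][name].get("Configuration Revision")
                for sw, p in parsed.items() if participating(p["features"].get(name, {}))}
        if len(set(revs.values())) > 1:
            findings.append(f"{name} revision disagreement: {revs}")
    return findings


def unexpected_primary_changes(log_lines: List[str], expected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (feature, device_id) for PRIMARY_SERVER_CHG messages naming a non-baseline device."""
    hits = []
    for line in log_lines:
        m = PRIMARY_CHG_RE.search(line)
        if m and expected.get(m.group("feature")) != m.group("id"):
            hits.append((m.group("feature"), m.group("id")))
    return hits


# Constructed syslog lines in the format shown in the lesson.
SAMPLE_LOGS = [
    "%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0019.569d.5700 has become the primary server for the VLAN VTP feature",
    "%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0011.214e.d180 has become the primary server for the VLAN VTP feature",
]

if __name__ == "__main__":
    for f in audit_vtp(SAMPLE_STATUS, EXPECTED_PRIMARY):
        print("FINDING:", f)
    for feature, dev in unexpected_primary_changes(SAMPLE_LOGS, EXPECTED_PRIMARY):
        print(f"ALERT: {dev} became {feature} primary but is not the baseline primary")
```

Run against the constructed data it reports that SW3 claims to be the VLAN primary and that the VLAN revision differs between SW1 and SW3, while SW3's transparent MST feature is correctly left out of the comparison. In practice you would feed it the real `show vtp status` text collected from each switch and the syslog stream, and review any finding before touching the VLAN database.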

Just like the VLAN feature, we need a primary server that will create the MST configuration. You can use the same switch for this role or you can pick another one. To demonstrate this, I’ll make SW2 my primary server for MST:

SW2(config)#vtp mode server mst
Setting device to VTP Server mode for MST.

First I change SW2 from transparent to server mode for the MST feature. Now we can make it the primary server:

SW2#vtp primary mst
This system is becoming primary server for feature  mst
No conflicting VTP3 devices found.
Do you want to continue? [confirm]

%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0011.bb0b.3600 has become the primary server for the MST VTP feature

This message will also show up on SW1 and SW3:

SW1 & SW3#
%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0011.bb0b.3600 has become the primary server for the MST VTP feature

OK great, take a look now at the VTP status output:

SW2#show vtp status | begin Feature MST
Feature MST:
--------------
VTP Operating Mode                : Primary Server
Configuration Revision            : 1
Primary ID                        : 0011.bb0b.3600
Primary Description               : SW2
MD5 digest                        : 0xE1 0xFE 0x40 0x19 0x4C 0x47 0x4D 0xA5
                                    0x9C 0x45 0x67 0xE3 0x9C 0xA3 0x92 0xEB

You can see that this switch is now the primary server for the MST feature. Let’s make SW1 and SW3 our clients:

SW1 & SW3
(config)#vtp mode client mst
Setting device to VTP Client mode for MST.

Everything is now in place so let’s create a configuration for MST. I’ll keep it simple:


Forum Replies

  1. Actually, you helped me figure it out, thank you. You are correct in your reply; I guess I just had a brain fart :slight_smile:

    From the Cisco documentation - Thanks Andrew!!
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvtp.html

    Switch(config)# vtp password mypassword hidden
    Generating the secret associated to the password.
    Switch(config)# end

    Switch# show vtp password
    VTP password: 89914640C8D90868B6A0D8103847A733

    Switch# vtp primary vlan
    Enter VTP password: mypassword
    This switch is becoming Pri
    ... Continue reading in our forum

  2. Thanks Luis, we will correct it.

  3. Hello Jama

    Yes this is normal. If a switch is configured as a CLIENT with a specific VTP domain, then it will only forward VTP updates that are in its own domain. If you change the password, it cannot register to the VTP server and thus will not accept VTP updates from the specific domain (or from any domain), because it doesn’t properly belong to it. The only way to have a switch forward VTP updates is in transparent mode.

    I hope this has been helpful!

    Laz

  4. Hello Roshan

    The purpose of the two types of servers (secondary and primary) is to improve redundancy. Specifically, a secondary server stores the received configuration in a local permanent storage space (for example, NVRAM) and updates other devices in the same domain and for the same instance. In the event that the primary server fails, a secondary server can be promoted to be a primary server. More information about this procedure and its benefits over VTPv1 and v2 can be found in the following Cisco documentation:

    https://www.cisco.com/c/en/us/products

    ... Continue reading in our forum
