VTP Version 3

In an earlier lesson I explained the basics of VTP (version 1 and 2). The main goal of VTP version 3 is still to synchronize VLANs, but it adds a number of extras. It has been around for a while, but until recent IOS versions it wasn't supported on Cisco Catalyst switches.

Here are some of the new additions to VTP version 3:

  • VTP primary server: only the primary server is able to create / modify / delete VLANs. This is a great change. With VTP version 1 or 2, any switch in the domain (server or client) with a higher configuration revision number could overwrite the VLAN database of every other switch, so you could “accidentally” wipe all VLANs just by connecting an old switch. In VTPv3 that is no longer possible.
  • Extended VLANs: you can now synchronize VLANs in the extended VLAN range (1006 – 4094).
  • Private VLANs: if you have VLANs that are configured as private VLANs then you can synchronize them with VTPv3.
  • RSPAN VLANs: remote SPAN VLANs can now be synchronized.
  • MST Support: one of the problems of MST is that you had to configure each switch manually. With VTPv3, MST configurations are synchronized.
  • Authentication improvements: VTPv3 can store the VTP password as a hash instead of in clear text (the hidden keyword of the vtp password command). When a hidden password is configured, you also have to enter it before a switch is allowed to take over the primary server role.
  • VTP mode off: If you didn’t want to use VTP for version 1 or 2 then you had to use the transparent mode. VTPv3 can be disabled globally or per interface.
  • Compatibility: VTP version 3 is compatible with version 2, not with version 1.

I’ll walk you through each of those and show you how to configure VTP version 3. I’ll use the following topology:

Cisco VTP Version 3 topology

All interfaces between the switches are configured as trunks.

Configuration

Basic Configuration

First we will try to enable VTP version 3 on one of our switches:

SW1(config)#vtp version 3
Cannot set the version to 3 because domain name is not configured

The domain name is now a requirement; it can no longer be NULL. Let's set one and try again:

SW1(config)#vtp domain NWL
Changing VTP domain name from NULL to NWL

%SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to NWL.

SW1(config)#vtp version 3

Let’s do the same on SW2 and SW3:

SW2 & SW3#
(config)#vtp domain NWL
(config)#vtp version 3

All switches will be running in VTP server mode by default:

SW1#show vtp status | include Operating Mode
VTP Operating Mode                : Server
SW2#show vtp status | include Operating Mode
VTP Operating Mode                : Server
SW3#show vtp status | include Operating Mode
VTP Operating Mode                : Server

Being a VTP server, however, is not enough to make changes to the VLAN database. Take a look below:

SW1(config)#vlan 100
VTP VLAN configuration not allowed when device is not the primary server for vlan database.

This is new: one of the switches has to be the primary server in order to create, modify or delete VLANs. Note that vtp primary is a privileged EXEC command, not a configuration command. Let's make SW1 our primary server:

SW1#vtp primary
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue? [confirm]

%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0019.569d.5700 has become the primary server for the VLAN VTP feature

As soon as I make SW1 the primary server, you'll also see this message on the other switches:

SW2 & SW3#
%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0019.569d.5700 has become the primary server for the VLAN VTP feature

SW1 is now the primary server. We can verify this from SW1 or any other switch in our VTP domain:

SW1#show vtp status | include Primary
VTP Operating Mode                : Primary Server
Primary ID                        : 0019.569d.5700
SW2#show vtp status | include Primary
Primary ID                        : 0019.569d.5700
Primary Description               : SW1
SW3#show vtp status | include Primary
Primary ID                        : 0019.569d.5700
Primary Description               : SW1

SW2 and SW3 are able to confirm that SW1 is the primary server. VTP version 3 also has a new command that allows us to see all switches in the same VTP domain:

SW1#show vtp devices
Retrieving information from the VTP domain. Waiting for 5 seconds.

VTP Feature  Conf Revision Primary Server Device ID      Device Description
------------ ---- -------- -------------- -------------- ----------------------
VLAN         No   6        0019.569d.5700 0011.214e.d180 SW3
VLAN         No   6        0019.569d.5700 0011.bb0b.3600 SW2

You can run this command on any of your switches; it will show all VTP members (not just the directly connected ones like CDP does). The Conf column tells you whether a device is in conflict with the primary server, and the Revision and Primary Server columns let you check that every member follows the same primary with the same configuration revision.
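Because the primary server is the only device allowed to rewrite the VLAN database, the output of show vtp devices is also a handy audit source: every member should report the primary you expect, none should be in conflict, and all should carry the same revision. The following Python script is an added example, not code from the lesson or from Cisco. It parses the table in the format shown above and returns findings. The sample output is constructed: it contains the two members from the lesson plus a made-up third device (0011.aaaa.bbbb, described as SW4) that follows a different primary, so the checks have something to find.

```python
"""Audit `show vtp devices` output for a VTPv3 domain (added example)."""
import re
from dataclasses import dataclass

# Constructed sample output in the format `show vtp devices` prints.
# SW2 and SW3 are taken from the lesson; SW4 (0011.aaaa.bbbb) is made up
# and deliberately reports another primary server, a higher revision and
# a conflict, so the audit below has something to report.
SAMPLE_SHOW_VTP_DEVICES = """\
Retrieving information from the VTP domain. Waiting for 5 seconds.

VTP Feature  Conf Revision Primary Server Device ID      Device Description
------------ ---- -------- -------------- -------------- ----------------------
VLAN         No   6        0019.569d.5700 0011.214e.d180 SW3
VLAN         No   6        0019.569d.5700 0011.bb0b.3600 SW2
VLAN         Yes  9        0011.aaaa.bbbb 0011.aaaa.bbbb SW4
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# One table row: feature, Conf (Yes/No), revision, primary MAC, device MAC, description.
ROW = re.compile(
    rf"^(?P<feature>\S+)\s+(?P<conf>Yes|No)\s+(?P<rev>\d+)\s+"
    rf"(?P<primary>{MAC})\s+(?P<device>{MAC})\s+(?P<desc>.+?)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class VtpDevice:
    feature: str
    conflict: bool
    revision: int
    primary: str
    device_id: str
    description: str


def parse_vtp_devices(text):
    """Return one VtpDevice per table row; header and banner lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            devices.append(VtpDevice(
                feature=m["feature"].upper(),
                conflict=m["conf"].lower() == "yes",
                revision=int(m["rev"]),
                primary=m["primary"].lower(),
                device_id=m["device"].lower(),
                description=m["desc"],
            ))
    return devices


def audit_vtp_domain(devices, expected_primary, feature="VLAN"):
    """Return human-readable findings; an empty list means the domain is consistent.

    Checks, per feature: every member follows the expected primary server,
    no member is flagged as conflicting, and all members share one revision.
    """
    findings = []
    expected_primary = expected_primary.lower()
    members = [d for d in devices if d.feature == feature.upper()]
    for d in members:
        if d.primary != expected_primary:
            findings.append(
                f"{d.description} ({d.device_id}) follows primary {d.primary}, "
                f"expected {expected_primary}"
            )
        if d.conflict:
            findings.append(f"{d.description} ({d.device_id}) is flagged as conflicting")
    revisions = {d.revision for d in members}
    if len(revisions) > 1:
        findings.append(f"revision mismatch across {feature} members: {sorted(revisions)}")
    return findings


if __name__ == "__main__":
    devices = parse_vtp_devices(SAMPLE_SHOW_VTP_DEVICES)
    for finding in audit_vtp_domain(devices, "0019.569d.5700"):
        print("FINDING:", finding)
```

In practice you would feed the script the output collected from one switch (every member answers the query, so one collection point is enough) and compare against the Primary ID you recorded when you ran vtp primary.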

Let's see if we are able to synchronize some VLANs. We'll start with something simple and create VLAN 100 on the primary server:

SW1(config)#vlan 100
SW1(config-vlan)#exit

It should show up on SW2 and SW3:

SW2 & SW3#show vlan | include VLAN0100
100  VLAN0100                         active

There it is! We can also synchronize VLANs in the extended range (1006 – 4094). Let’s give it a try:

SW1(config)#vlan 1234
SW1(config-vlan)#exit

Let’s verify if it has been synchronized:

SW1, SW2 & SW3#show vlan | include VLAN1234
1234 VLAN1234                         active

No problem at all! Let’s look at some more advanced stuff.

Private VLANs

VTP version 3 is able to synchronize private VLAN information. It only synchronizes the information from the VLAN database, not port information. Let’s create a private VLAN:

SW1(config)#vlan 501
SW1(config-vlan)#private-vlan community

SW1(config)#vlan 502
SW1(config-vlan)#private-vlan isolated

SW1(config)#vlan 500
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association add 501
SW1(config-vlan)#private-vlan association add 502

VLAN 500 is the primary VLAN and has two secondary VLANs associated with it: VLAN 501 is a community VLAN and VLAN 502 is an isolated VLAN. Let's see if it shows up on SW1:

SW1#show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
500     502       isolated
        501       community

There we go, now let’s check if it has been synchronized to SW2 and SW3:

SW2 & SW3#show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
500     502       isolated
        501       community

We see the exact same thing on SW2 and SW3. This is a nice addition to VTPv3.

Remote SPAN (RSPAN)

RSPAN VLANs are also a special “type” of VLAN. With VTPv3 they can be synchronized as well. Here's an example:

SW1(config)#vlan 600
SW1(config-vlan)#remote-span
SW1(config-vlan)#exit

Let’s check if it’s available on our switches:

SW1#show vlan remote-span

Remote SPAN VLANs
------------------------------------------------------------------------------
600
SW2#show vlan remote-span

Remote SPAN VLANs
------------------------------------------------------------------------------
600
SW3#show vlan remote-span

Remote SPAN VLANs
------------------------------------------------------------------------------
600

No problem, it has been synchronized to all switches.

MST (Multiple Spanning-Tree)

Synchronizing MST is pretty useful. In the past you had to configure each switch separately. VTP version 3 uses a separate “feature” for MST. Take a look below:

SW1#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : NWL
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0019.569d.5700

Feature VLAN:
--------------
VTP Operating Mode                : Primary Server
Number of existing VLANs          : 12
Number of existing extended VLANs : 1
Configuration Revision            : 7
Primary ID                        : 0019.569d.5700
Primary Description               : SW1
MD5 digest                        : 0xC9 0x25 0xB3 0x86 0xE7 0xA1 0xE3 0xAE
                                    0xF8 0x2F 0xB9 0x7F 0x64 0xB3 0x43 0x5F


Feature MST:
--------------
VTP Operating Mode                : Transparent


Feature UNKNOWN:
--------------
VTP Operating Mode                : Transparent

The default “VLAN” feature is used for everything we did before: VLANs, extended range VLANs, private VLANs and RSPAN. To synchronize MST information we have to use the “MST” feature. As you can see, the VTP mode for this feature is currently transparent.

Just like the VLAN feature, we require a primary server that will create the MST configuration. You can use the same switch for this role or you can pick another one. To demonstrate this, I’ll make SW2 my primary server:

SW2(config)#vtp mode server mst
Setting device to VTP Server mode for MST.

First I change SW2 from transparent to server mode. Now we can set it to primary:

SW2#vtp primary mst
This system is becoming primary server for feature  mst
No conflicting VTP3 devices found.
Do you want to continue? [confirm]

%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0011.bb0b.3600 has become the primary server for the MST VTP feature

This message will also show up on SW1 and SW3:

SW1 & SW3#
%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0011.bb0b.3600 has become the primary server for the MST VTP feature

OK great, take a look now at the VTP status output:

SW2#show vtp status | begin Feature MST
Feature MST:
--------------
VTP Operating Mode                : Primary Server
Configuration Revision            : 1
Primary ID                        : 0011.bb0b.3600
Primary Description               : SW2
MD5 digest                        : 0xE1 0xFE 0x40 0x19 0x4C 0x47 0x4D 0xA5
                                    0x9C 0x45 0x67 0xE3 0x9C 0xA3 0x92 0xEB

You can see that this switch is now the primary server for the MST feature. Let’s make SW1 and SW3 our clients:

SW1 & SW3
(config)#vtp mode client mst
Setting device to VTP Client mode for MST.
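Every time a switch takes over a primary role, for the VLAN feature (the message shown earlier for SW1) or for the MST feature (the message shown above for SW2), all members of the domain log a %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG message. Since the primary server is the one device that may rewrite the domain-wide database, that message is the event worth alerting on. The following Python snippet is an added example, not code from the lesson or from Cisco: it parses those messages and raises an alert when the new primary for a feature is not on an allowlist. The log lines and the allowlist are constructed for the example; the allowlist assumes SW1 (0019.569d.5700) is the only permitted VLAN primary and SW2 (0011.bb0b.3600) the only permitted MST primary, and the third message comes from a made-up device.

```python
"""Detect unexpected VTPv3 primary-server changes in syslog (added example)."""
import re

# Constructed sample syslog: the two messages from the lesson, one message from a
# made-up device (0011.aaaa.bbbb) taking over the VLAN feature, and an unrelated line.
SAMPLE_SYSLOG = [
    "Mar  1 10:15:02.101: %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0019.569d.5700 "
    "has become the primary server for the VLAN VTP feature",
    "Mar  1 10:31:44.512: %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0011.bb0b.3600 "
    "has become the primary server for the MST VTP feature",
    "Mar  1 11:02:09.007: %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0011.aaaa.bbbb "
    "has become the primary server for the VLAN VTP feature",
    "Mar  1 11:02:10.000: %SYS-5-CONFIG_I: Configured from console by console",
]

# Assumption for the example: which device ID may be primary for each feature.
ALLOWED_PRIMARY = {
    "VLAN": {"0019.569d.5700"},   # SW1 in the lesson
    "MST": {"0011.bb0b.3600"},    # SW2 in the lesson
}

PRIMARY_CHG = re.compile(
    r"%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: "
    r"(?P<device>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"has become the primary server for the (?P<feature>\w+) VTP feature",
    re.IGNORECASE,
)


def parse_primary_changes(lines):
    """Yield (feature, device_id) for every primary-server change message."""
    for line in lines:
        m = PRIMARY_CHG.search(line)
        if m:
            yield m["feature"].upper(), m["device"].lower()


def detect_unexpected_primaries(lines, allowed=ALLOWED_PRIMARY):
    """Return one alert string per primary-server change not covered by the allowlist.

    A feature with no allowlist entry is treated as "nobody may be primary",
    so a takeover of a feature you never planned to use is reported as well.
    """
    alerts = []
    for feature, device in parse_primary_changes(lines):
        if device not in allowed.get(feature, set()):
            alerts.append(f"unexpected primary server {device} for feature {feature}")
    return alerts


if __name__ == "__main__":
    for alert in detect_unexpected_primaries(SAMPLE_SYSLOG):
        print("ALERT:", alert)
```

The check is deliberately per feature: SW2 being primary for MST is expected in this topology, while the same device becoming primary for VLAN would be reported.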

Everything is now in place so let’s create a configuration for MST. I’ll keep it simple:



Forum Replies

  1. Hello Abey

    VTP updates are sent out trunk ports regardless of which VLANs are configured on the switches themselves. It doesn’t matter what VLANs are configured on them. So if you have two switches, one VTP server and one VTP client that are not directly connected that have the same VTP domain, version and password, in order for them to sync up their VLAN information, the intermediate switch(es) must either be transparent OR have the same VTP config. VTP is not affected by the initial VLAN configuration of the switches, either intermediate or not, either tra

    ... Continue reading in our forum

  2. Hi Laz,

    Thank you very much for your explanation. That is quite good.

    Regards,
    Abc

  3. Hello Michael

    The answer to your question (unfortunately) is yes. If you have a client IN THE SAME DOMAIN with the SAME PASSWORD that has a higher revision number, the servers will all revert to the highest revision number. Just like Rene said, because a VTP server is also a client, it will be updated by any device with a higher revision number.

    Having said that, if one is careful (with the appropriate domain names and passwords) VTP can be very useful. Just be careful.

    Concerning the domain names, if a client does not have a domain name set, then it will a

    ... Continue reading in our forum

  4. Thanks much Rene.

    The following is good to know. Thinking back on a failure in my environment the likely cause was because of this.

    “A VTP client can overwrite a VTP server if the revision number is higher because a VTP server is also a VTP client”

    But below indicate this is now fixed in VTP version 3.

    “VTP primary server: only the primary server is able to create / modify / delete VLANs. This is a great change as you can no longer “accidently” wipe all VLANs like you could with VTP version 1 or 2.”

    Rohan
