CCIE 400-101: Layer 2 Technologies - VTPv3


VTPv3 extends and enhances the functionality of VTP from previous versions. The operation of VTP is improved in three major areas:
  • more secure administrative control: only a predefined device is allowed to update the VLAN topology
  • extended functionality: VTPv3 supports the advertisement of extended range and private VLAN information
  • support for MST

VTPv3 still retains the same core operation as previous versions.  A VTP update message can be sent over a trunk but not over access ports or Layer 3 interfaces. Only devices in the same VTP domain are able to exchange and process VTP information.

In previous versions a new switch with the default domain name of NULL used the domain name of the first VTP message that it received. This behavior has changed with VTP version 3, which now requires manual configuration prior to enabling VTPv3.

Catalyst6500-1(config)# vtp version 3
Cannot set the version to 3 because domain name is not configured.

Catalyst6500-1(config)# vtp domain CCIE
Changing VTP domain name from NULL to CCIE

*Jul 8 11:18:33.215: %SW_VLAN-SP-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to CCIE.

If not done already, enable the use of spanning-tree extended system-id.

Catalyst6500-1(config)# vtp version 3
Cannot set the version to 3 because spanning-tree extend system-id is disabled.

Catalyst6500-1(config)# spanning-tree extend system-id
*Jul 8 11:24:23.719: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan. The Bridge IDs of all active STP instances have been updated, which might change the spanning tree topology.

VTP messages that include a mismatching domain name are ignored and dropped.

Since the functional base in VTP version 3 is left unchanged from VTP version 2, so backward compatibility is built in. It is possible, on a per link basis, to automatically discover and support VTP version 2 devices.

VTPv3 is modular, which means it supports the advertisement of several databases or instances: VLAN database, MST configuration, and Unknown, reserved for future use.

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : CCIE
VTP Pruning Mode                : Enabled
VTP Traps Generation            : Disabled
Device ID                       : 001c.576d.4a00

Feature VLAN:
VTP Operating Mode                : Server
Number of existing VLANs          : 18
Number of existing extended VLANs : 0
Maximum VLANs supported locally   : 1005
Configuration Revision            : 0
Primary ID                        : 0000.0000.0000
Primary Description               : 
MD5 digest                        : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 
                                    0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 

Feature MST:
VTP Operating Mode                : Transparent

Feature UNKNOWN:
VTP Operating Mode                : Transparent

VTPv3 Enhancements

VTP version 3 added a number of enhancements to VTP version 1 and 2, including the following:
  • support for extended range and private VLANs
  • feature enhancement beyond support for a single database or VTP instance (MST support)
  • protection from unintended database overrides
  • option for clear-text or hidden password protection
  • configuration option on a per-port basis instead of only on a global scheme
  • optimized resource handling and more efficient transfer of information

While VTP version 1 and 2 interacted with the VLAN process directly, VTP version 3 introduces the concept of transferring opaque databases. This approach provides expanded usability,  allowing independent databases (or tables) aka VTP instances that go beyond just serving the VLAN environment. VTP version 3 supports a VLAN instance and a separate MST instance.

In VTP version 3, the configuration revision number works the same as in previous versions, but only a specific devices in the domain, a primary server, is allowed to update other devices.

VTPv3 Operation

In addition to the three well-known roles (server, client, and transparent), a fourth role (off) is now available.

Transparent: Holds a locally created configuration on permanent storage (NVRAM). Does not originate or evaluate received VTP advertisements. Relays received VTP messages on trunks if the STP state for VLAN 1 is forwarding. A domain check, as in VTP version 1, is not implemented.

Client: Holds received VTP information in temporary storage space. Local configuration is not possible. The default MST configuration will be used at boot time until a VTP version 3 message arrives.

Off: Contrary to the transparent mode, the switch will not relay received VTP messages. Off mode can be configured globally or on a per port basis. Formerly available only in CAT OS.

Server: VTPv3 expands and enhances the server role. By default, the secondary server subtype is applied. Only one server per domain can be prompted to be a primary server. Manual configuration on a secondary server locally is not possible. Only the primary server is allowed to update the VLAN database. The role of a primary server for the VLAN database and  MST database can be divided among two different physical devices if desired. When a device is designated as the primary server, a sanity check is performed in the domain. A warning message is generated if a conflicting device is discovered. The sanity check can be skipped be issuing the force keyword. If a secondary server is promoted to become a primary server without specifying VLAN or MST, the VLAN isntance is assumed.

SW1(config)#vtp mode server
Setting device to VTP Server mode for VLANS.

SW1(config)#vlan 100
VTP VLAN configuration not allowed when device is not the primary server for vlan database.

Catalyst6500-1# vtp primary vlan
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue? [confirm]

*Jul 8 12:34:20.047: %SW_VLAN-SP-4-VTP_PRIMARY_SERVER_CHG: 00d0.bcd2.0c00 has become the primary server for the VLAN VTP feature.

The above log message is displayed on all members of the VTP domain, as soon as the primary server is promoted.

The MAC address of the primary server and the host name can be seen in the show vtp status output.

SW1#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : CCIE
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0019.569d.5700

Feature VLAN:
VTP Operating Mode                : Primary Server
Number of existing VLANs          : 12
Number of existing extended VLANs : 1
Configuration Revision            : 7
Primary ID                        : 0019.569d.5700
Primary Description               : SW1
MD5 digest                        : 0xC9 0x25 0xB3 0x86 0xE7 0xA1 0xE3 0xAE
                                    0xF8 0x2F 0xB9 0x7F 0x64 0xB3 0x43 0x5F

Feature MST:
VTP Operating Mode                : Transparent

Feature UNKNOWN:
VTP Operating Mode                : Transparent

Note the command vtp primary vlan is in privilege exec mode and is not saved to the config. If you reboot the device, you lose this privilege. This completely eliminates the possibility accidentally overwriting the VLAN database.

You can now get a complete map of all devices in the VTP domain.

SW1#show vtp devices
Retrieving information from the VTP domain. Waiting for 5 seconds.

VTP Feature  Conf Revision Primary Server Device ID      Device Description    
------------ ---- -------- -------------- -------------- ----------------------
VLAN         No   2        000a.b832.3a80 000a.b832.3a80 SW2                   
VLAN         No   2        000a.b832.3a80 001a.a174.2500 SW4                   
VLAN         No   2        000a.b832.3a80 0022.5627.1f80 SW3

Message Protection and Security

With VTPv3, two password configuration options are available: hidden and secret. When the hidden option is used, the password is not stored in a readable format. The password can no longer be viewed by a show command or inspected in the vlan.dat file. If the hidden option is applied, the administrator will be prompted to enter the password, when promoting a secondary server to a primary server. A former primary server that is reconnected to a domain after a reload will automatically revert to secondary server mode.


Catalyst6500-1(config)# vtp password Andreas
Setting device VTP password to Andreas

Catalyst6500-1# show vtp password
VTP Password: Andreas

The content of the file vlan.dat reveals the password in clear text:

00000030: 00000000 00000001 30383037 30383133 .... .... 0807 0813
00000040: 32343439 6280F325 0C2EB606 53154B3D 2449 b.s% ..6. S.K=
00000050: BFE30CA5 07416E64 72656173 00C795CE ?c.% . And reas .G.N
00000060: B21E305F 10000000 00000000 00000000 2.0_ .... .... ....
00000070: 00000000 00000000 00000000 00000000 .... .... .... ....

The password encryption service can be added:

Catalyst6500-1(config)# service password-encryption

After this, the show command stops displaying the clear text password, but the vlan.dat file still contains the password in a readable format.

Catalyst6500-1# show vtp password
VTP Encrypted Password: 02270A5F19030E32

To protect the password, the new hidden option should be used:

Catalyst6500-1(config)# vtp password Cisco hidden
Setting device VTP password

Catalyst6500-1# show vtp password
VTP Password: CF94C2FF1CDCEB8DC795CEB21E305F10

The password is no longer readable in the vlan.dat file

00000030: 00000000 00000001 30383037 30383133 .... .... 0807 0813
00000040: 34323334 6280F325 0C2EB606 53154B3D 4234 b.s% ..6. S.K=
00000050: BFE30CA5 00CF94C2 FF1CDCEB 8DC795CE ?c.% .O.B ..\k .G.N
00000060: B21E305F 10000000 00000000 00000000 2.0_ .... .... ....

VTP Interoperability

VTPv3 operates with VTPv2 but not with VTPv1.  Devices running VTPv1, and capable of running VTPv2, will be triggered to run VTPv2 by a VTPv3 device. There is no interaction available for VTPv1-only devices. Therefore, before implementing VTPv3, it is recommended to verify that all switches in the existing or prospective VTP domain will be capable of running VTPv2 at a minimum.  After receiving VTPv2 advertisements, a VTPv3 sends both VTPv3 and VTPv2-compatible messages.

Risks and Dependencies

The risks of using VTPv3 are minimal, practically none worth mentioning. The only major consideration involves the interoperability issues related to using different versions of VTP and the general design of the VTP domain.  Further, a software upgrade might be required because VTPv3 is available starting from the 12.2(33)SXI code version.


VTP Version 3
Jeff Kronlage's CCIE Study Blog: VTP v3
Network Lessons: VTP Version 3