VTP Version 3

Laz

Thank you very much for your response. I have a CCIE in my office who likes to test my knowledge with very vague questions for my CCIE Lab test. My assumption after reading some more was regarding VTP3 in the scope of Switch administration in the study matrix, but Python also makes sense, though I haven’t gotten to that section in my studies. Thank you for your feedback.

1 Like

Hi Rene / Laz,
I understand that VTP version 3 does prevent “wrong” VTP updates coming from other switches that aren’t the Server one.
Does the Primary server totally skip VTP packets coming from a client or a server that has a revision number higher than its own?

Thanks a lot for a reply
Best Regards

Aronne

Hello Aronne

A VTP v3 implementation as you suggest has a single primary VTP server that plays the role of the source of all VTP information. Only a primary server can alter the VLAN database of any server or client in the domain, and there can only be one primary server. It is the only device that can send VTP updates, and all other devices, whether servers or clients, will receive them and process them. In such a topology, there will never be another device that sends an update with a higher revision number within that domain.

Even if you are interfacing with VTP v2 clients/servers, at the boundary of the two protocols, a VTP version 3 switch will send out both version 3 and version 2-compatible messages. However, version 2 messages received by a version 3 switch are discarded.

I hope this has been helpful!

Laz

Hi Laz,
Thanks a lot for your explanation.
It’s really helpful.

Aronne

1 Like

Rene,
Please, I would like you to explain more about the following configuration:
What are Instances, and how do I identify them, please? I am sorry for my ignorance …

SW1#show running-config | begin mst
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
 name MST
 revision 1
 instance 1 vlan 10, 20, 30
 instance 2 vlan 40, 50, 60

Hello Simão

This configuration includes what is known as Multiple Spanning Tree or MST. This is a version of STP that allows VLANs to be grouped into instances. These groups can then have an STP topology applied to them as a group. This is much more efficient than using simply per VLAN STP (PVST+) especially when you have dozens or even hundreds of VLANs in a topology. More information about MST can be found at the following lesson:

I hope this has been helpful!

Laz

Thanks Laz, the explanation was very clear.

1 Like

Lazaros and Rene,
This is regarding the Private VLANs section (1.2) in VTPv3. As you can see from the output of show vlan private-vlan, the secondary VLAN 501 (community) is not associated with any primary VLAN, while the secondary VLAN 502 (isolated) is associated with the primary VLAN 500, and this is because of the wrong usage of the private-vlan association add command:

SW1(config)#vlan 500
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association add 501
SW1(config-vlan)#private-vlan association add 502

The correct usage of the command should be

SW1(config)#vlan 500
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association add 501-502

or

SW1(config)#vlan 500
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association 501
SW1(config-vlan)#private-vlan association add 502

Hello Bassam

You are indeed correct. These commands result in the creation of a community VLAN 501 which is not associated with a primary VLAN. Actually, in my emulator, I get the following output for the show vlan private-vlan command:

SW1#show vlan private-vlan 

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
500     502       isolated          
none    501       community

This explicitly shows that 501 is not assigned to any primary VLAN. Thanks for pointing this out, I will let Rene know to consider making changes to the content to clarify.

The primary point of this lesson is to show how VTPv3 is able to share information about private VLANs, and this is done successfully. However, if you want to find out more about private VLANs and how to configure them, you can take a look at the following lesson which shows more detail:

I hope this has been helpful!

Laz

Hello Dear Network Lessons Team,
How can we secure our VTP Server? For example, if my VTP server revision number is 10 and someone plugs their switch into my network with a higher revision number than 10, what will happen? All my switches will receive the update from that switch, so how do I secure it?

Thanks,

Ajmal

Hello Ajmal

VTP can be secured by using the domain and password parameters of the protocol. By making sure that all of your switches are using the same domain and password, any new switch that anyone connects to the network will not change any VTP configuration, even if its revision number is higher. Now VTP version 3 also encrypts the password used, so that it cannot be intercepted and read by anyone else, making it even more secure.

In such cases, there is more danger from the administrator accidentally connecting a new switch with domain and password set, with a higher revision number, causing the VTP configuration to reset. For this reason, it is always best practice to configure a new switch as transparent before connecting it, and then to very carefully configure the various VTP parameters to be sure that revision numbers will not cause havoc with your network.

I hope this has been helpful!

Laz

1 Like

Hello Rene/Laz,

  1. Can I configure more than one VTP Server switch as Primary Server in VTP version 3? If not, can I configure more than one VTP Server switches where only one switch will have the Primary privilege?
  2. How many VTP Servers can be configured in VTP version 2? If more than one server can be configured, can all the servers be used to modify VLANs?

Thanks in advance.

Hello Azm

  1. In VTP version 3, you can configure more than one switch as a VTP Server, but only one switch can be the Primary Server at a time. The Primary Server is the only one that can create, modify, or delete VLANs. The other servers in VTP version 3 are in Secondary mode by default and only store the VLAN database but can’t modify it. If the Primary Server fails, you need to manually promote one of the Secondary Servers to Primary. Take a look at this NetworkLessons note about the primary VTP server and how it works for more info.

  2. In VTP version 2, you can also configure more than one switch as a VTP Server. All these servers can create, modify, or delete VLANs. However, it’s important to note that the last VLAN change made on any of the VTP Servers will be propagated to all other switches in the VTP domain.

I hope this has been helpful!

Laz
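The two pieces of advice above, preparing a new switch in transparent mode with the domain and password set before it is cabled in, and manually promoting a secondary server when the primary fails, as one added Cisco IOS example. This is not configuration from the thread or from NetworkLessons; the domain name, password and hostnames are constructed placeholders, and the command syntax is that of IOS Catalyst switches running VTP version 3.

```cisco
! Added example (not from the thread or NetworkLessons): VTP v3 hardening on a
! Cisco IOS Catalyst switch. LAB-DOMAIN, S3cretVtpPass, Switch and SW2 are
! constructed placeholders; substitute your own values.

! --- Step 1: prepare a new switch BEFORE it is cabled to the production network.
! Transparent mode keeps the switch from acting on VTP advertisements and, in
! VTP v1/v2, also resets its configuration revision to 0. A domain name must be
! set before "vtp version 3" is accepted.
Switch(config)# vtp domain LAB-DOMAIN
Switch(config)# vtp version 3
Switch(config)# vtp mode transparent
! The "hidden" keyword (VTP v3 only) stores the secret as a hash rather than in
! clear text, so "show running-config" does not reveal the password.
Switch(config)# vtp password S3cretVtpPass hidden
Switch(config)# end
! Check the mode, version and revision number before going any further.
Switch# show vtp status
Switch# show vtp password

! --- Step 2: only now connect the switch and move it to its final role.
! A v3 client or secondary server receives the VLAN database but cannot change
! it; only the primary server can. A switch with a mismatched domain or
! password is ignored regardless of its revision number.
Switch(config)# vtp mode client
Switch(config)# end
Switch# show vtp status

! --- Step 3 (existing primary failed): promote a secondary server by hand.
! "vtp primary" is a privileged EXEC command, not a config command. It asks for
! confirmation, and when a hidden password is configured it must be re-entered,
! which is what stops a stray switch from seizing the primary role.
SW2(config)# vtp mode server
SW2(config)# end
SW2# vtp primary vlan
SW2# show vtp status
```

After step 1, confirm in show vtp status that the switch reports "VTP version running: 3", transparent mode and the expected domain before plugging it in; after step 3, the Primary ID shown on every switch in the domain should be SW2's MAC address, and any device still advertising the old primary is worth investigating.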

Hello Laz,
What is the difference between VTP Version 1 and Version 2?

Thanks a lot in advance.

Hello Azm

Take a look at this NetworkLessons note on the various VTP versions and their differences. If you have further questions, let us know!

I hope this has been helpful!

Laz