VTP Version 3

Laz

Thank you very much by your response. I have a CCIE in my office that likes to test my knowledge on very vague questions for my CCIE Lab test. My assumption after reading some more was regarding VTP3 in the scope of Switch administration in the study matrix, but python also make sense. Though I haven’t gotten to that section in my studies. thank you for your feedback

Hi Rene / Laz,
I understand that the vtp version 3 does prevents “wrong” vtp updates coming from other switches that aren’t the Server one.
Does the Primary server totally skips vtp packets coming from a client or a server that has a revision number higher than its one ?

Thanks a lot for a reply
Best Regards

Aronne

Hello Aronne

A VTP v3 implementation as you suggest has a single primary VTP server that plays the role of the source of all VTP information. Only a primary server can alter the VLAN database of any server or client in the domain, and there can only be one primary server. It is the only device that can send VTP updates, and all other devices, whether servers or clients will receive them and process them. In such a topology, there will never be another device that sends an update with a higher revision number within that domain.

Even if you are interfacing with VTP v2 clients/servers, at the boundary of the two protocols, a VTP version 3 switch will send out both version 3 and version 2-compatible messages. However, version 2 messages received by a version 3 switch are discarded.

I hope this has been helpful!

Laz

Hi Laz,
thanks a lot for your explanation.
It’s really helpful

Aronne

Rene,
Please i would like that you should explaim more about the following configuration:
What are Instances, and how to identify them, please. Iam sorry for my ignorance …

SW1#show running-config | begin mst
spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
 name MST
 revision 1
 instance 1 vlan 10, 20, 30
 instance 2 vlan 40, 50, 60

Hello Simão

This configuration includes what is known as Multiple Spanning Tree or MST. This is a version of STP that allows VLANs to be grouped into instances. These groups can then have an STP topology applied to them as a group. This is much more efficient than using simply per VLAN STP (PVST+) especially when you have dozens or even hundreds of VLANs in a topology. More information about MST can be found at the following lesson:

I hope this has been helpful!

Laz

Thanks Laz, the explanation was very clear.

Lazaros and Rene,
This is regarding the Private Vlans section (1.2) in VTPv3. As you can see from the output of show vlan private-vlan that the secondary vlan 501 (community) is not associated with any primary vlan, while the secondary vlan 502 (isolated) is associated with the primary vlan 500, and this is because the wrong usage of the private-vlan association add

SW1(config)#vlan 500
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association add 501
SW1(config-vlan)#private-vlan association add 502

The correct usage of the command should be

SW1(config)#vlan 500
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association add 501-502

or

SW1(config)#vlan 500
SW1(config-vlan)#private-vlan primary
SW1(config-vlan)#private-vlan association 501
SW1(config-vlan)#private-vlan association add 502

Hello Bassam

You are indeed correct. These commands result in the creation of a community VLAN 501 which is not associated with a primary VLAN. Actually, in my emulator, I get the following putout for the show vlan private-vlan command:

SW1#show vlan private-vlan 

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
500     502       isolated          
none    501       community

This explicitly shows that 501 is not assigned to any primary VLAN. Thanks for pointing this out, I will let Rene know to consider making changes to the content to clarify.

The primary point of this lesson is to show how VTPv3 is able to share information about private VLANs, and this is done successfully. However, if you want to find out more about private VLANs and how to configure them, you can take a look at the following lesson which shows more detail:

I hope this has been helpful!

Laz

Hello Dear Netowrk Lessons Team,
How we can secure our VTP Server for example if my VTP server revision number is 10 and if somone plug its switch to my network with Higher revison number than 10 what wil happened, my all switches will receive update from that so how to secure it?

Thanks,

Ajmal

Hello Ajmal

VTP can be secured by using the domain and password parameters of the protocol. By making sure that all of your switches are using the same domain and password, any new switch that anyone connects to the network will not change any VTP configuration, even if its revision number is higher. Now VTP version 3 also encrypts the password used, so that it cannot be intercepted and read by anyone else, making it even more secure.

In such cases, there is more danger from the administrator accidentally connecting a new switch with domain and password set, with a higher revision number, causing the VTP configuration to reset. For this reason, it is always best practice to configure a new switch as transparent before connecting it. And then very carefully configuring the various VTP parameters to be sure that revision numbers will not cause havoc with your network.

I hope this has been helpful!

Laz

Hello Rene/Laz,

1. Can I configure more than one VTP Server switch as Primary Server in VTP version 3? If not, can I configure more than one VTP Server switches where only one switch will have the Primary privilege?
2. How many VTP Servers can be configured in VTP version 2? If more than one server can be configured, can all the servers be used to modify VLANs?

Thanks in advance.

Hello Azm

1. In VTP version 3, you can configure more than one switch as a VTP Server, but only one switch can be the Primary Server at a time. The Primary Server is the only one that can create, modify, or delete VLANs. The other servers in VTP version 3 are in Secondary mode by default and only store the VLAN database but can’t modify it. If the Primary Server fails, you need to manually promote one of the Secondary Servers to Primary. Take a look at this NetworkLessons note about the primary VTP server and how it works for more info.

2. In VTP version 2, you can also configure more than one switch as a VTP Server. All these servers can create, modify, or delete VLANs. However, it’s important to note that the last VLAN change made on any of the VTP Servers will be propagated to all other switches in the VTP domain.

I hope this has been helpful!

Laz

Hello Laz,
What is the difference between VTP Version 1 and Version 2?

Thanks a lot in advance.

Hello Azm

Take a look at this NetworkLessons note on the various VTP versions and their differences. If you have further questions, let us know!

I hope this has been helpful!

Laz

Hello,

First, thanks for this good lesson!

I saw with the command show vtp interface that VTP is enabled on all interfaces.

I found that it is possible to disable VTP on an interface with the command no vtp.

Is it best practice to disable VTP on all interfaces where VTP is not needed?

Thanks in advance.

Hello CTE

Indeed it is possible to enable or disable VTP on a per-interface basis. This is only supported by VTPv3. Note that when you disable VTP on an interface, both incoming and outgoing VTP messages are blocked. By default, VTP is enabled on all trunk ports.

Now having said that, VTP can’t be disabled globally as a feature, but if you want to disable it (which is best practice if you’re not using it), the best way to do so is to configure the switch in VTP transparent mode.

Now could you achieve something similar by disabling VTP on all interfaces? Yes, you could, but that is a little bit more difficult to administrate and manage. Remember, the no vtp command can only be applied on trunk ports. If you make a change to a switch and configure a new trunk port, you may forget to issue the no vtp command, thus possibly causing problems. With the global transparent mode configuration, it’s a safer bet because it’s a global command that won’t be affected by changes to the modes of specific ports. Does that make sense?

I hope this has been helpful!

Laz

Hi Laz,

Thank you for your answer!

I have one more question regarding your answer.

You said

Remember, the no vtp command can only be applied on trunk ports.

I tried it by myself, and I can also disable it on access ports. As I understood, even though the result of the command show vtp interface shows that VTP is enabled on all ports (access and trunk), VTP messages are not sent and considered on access ports but only on trunk ports, right?

So is it necessary/best practice to also disable VTP on the access ports? What I am trying to archive is to disable VTP on all ports where it isn’t needed for performance and security reasons.

Thanks in advance.

Hello CTE

I stand corrected on my previous statement. It is possible to apply the no vtp command to access ports. However, the command has no effect on access ports since by definition VTP messages are not sent from access ports, and any VTP messages received on access ports will be dropped.

So you are indeed correct. So whether you apply it or not will not make any difference to the behavior of VTP.

As a result, it is unnecessary to disable VTP on access ports. The only scenario in which it may be useful is if you have a switch that you often change the topology for. For example, if you often change access ports to trunk ports because of frequent topology changes, you may want to have VTP disabled on all ports so that, in the future, if you ever convert an access port to a trunk port, you will be sure that VTP is already disabled.

I hope this has been helpful!

Laz

Hi Laz,

Thanks for your answer. It was really helpful!