VTP v3

Submitted by rayc on Mon, 10/25/2021 - 09:52

The main functions of VTP V3 are exactly the same as with VTPv1 and V2, however VTPv3 has some additional features and configuration requirements. 

  • VTPv3 is backward compatible with switches running V1 and V2. 
  • Allows on the VTP Primary Server to make VLAN changes.
  • Supports all 4094 VLANs. 
  • Supports propagating MST configuration changes
  • Provides feature specific primary server configuration.
  • Allows the use of PVLANs (Private VLANs)
  • Per Port VTP configuration is supported


Private VLANs are a topic for another day, but as you can see VTPv3 has made some improvements over v1 and v2 including supporting all 4094 VLANs, and being able to update MST configurations as well. Like with VTPv1 and 2, VTP v3 allows multiple VTP servers inside the VTP domain however there should always be at least one VTP Primary Server. The Primary server is the only server in the VTP domain that can make changes to the VLAN database. When configuring a VTP v3 switch as a VTP server, there are 3 additional options available on top of the normal vtp mode server configuration command:

  • mst: This tells the switch to be the VTP server for updating MST configuration options. 
  • unknown: This tells the switch to be the VTP server for unknown VTP instances
  • vlan: This tells the switch to be the VTP server for VLAN configurations

       N.B. If you do not specify an option, the default configuration uses vlan only. 

Configuring VTP v3 for VLANs

Let's talk about configuring VTP v3 on our 3 Switch topology. In this example, SW1 will be the VTP v3 Primary Server, SW2 will be the secondary Server, and SW3 will be the client. 

VTP v3 example topology

When configuring VTP v3, you should put all of the switches in the network in Transparent mode before configuring the VTP Primary Server to avoid any issues with clients not syncing correctly. Given that information, let's configure SW1 to use VTP v3.

vtp version 3 error

Straight off the bat you can see that VTP v3 requires a VTP domain to be configured. Unlike with VTP v1 and v2 which support no domain. So the first thing you need to do with VTP v3, is set the domain, then you can change the version and the mode to Server.

Configuring SW1 as VTP v3 server

Notice the message from the switch saying that the mode is already server for VLANS. This is because, as i've mentioned earlier, you can configure VTP v3 to be a server for 3 separate features.

vtp v3 server features

Now that we have it configured as a server, let's try creating a VLAN.

Configure VLAN without primary vtp server enabled

In order to create a VLAN as showing in by the error message, the switch needs to be the Primary VTP Server. To configure a switch as a Primary VTP Server, you need to be in exec mode and use the command vtp primary <vlan|mst|force>. The reason that this is configured in exec mode is that the Primary configuration is only valid until the switch reboots. Once the switch reboot's it will need to be configured as a Primary Server again or promote a secondary server to the Primary. Note that the output of the show VTP status command shows that SW1 is now the Primary Server.

Configuring SW1 as VTP primary server

In the above output, you can see that when enabling a switch as the VTP v3 Primary server, it does a check to see if there are any other Primary servers. To put this to the test, i've enabled vtp v3 on SW2 and tried to promote it to the Primary. Interestingly it allowed it so i'm not entirely sure if it doesn't work, or that's not exactly what it's meant to check for. I would guess that it's meant to check for rogue VTP v3 server devices and still allow multiple V3 Primary servers.

Testing VTP v3 primary server conflict

Anyway, back to the example. We should now be able to make changes to the VLANs on SW1.

Creating VLANs on VTP v3 Primary

Now let's configure a VTP password on SW1. VTP V3 allows for some additional security features over V1 and V2 when it comes to configuring a password. While you can still use the command vtp password <password>, this password is not hidden and is easily found using either the show command show vtp password, or viewing the vlan.dat file. VTP v3 provides an additional option to encrypt the VTP v3 key using the command vtp password <password> {hidden|secret}. If you use the secret keyword you must enter the already encrypted password. 

creating a hidden vtp v3 password

One thing I was not aware of until configuring a VTP password, was that if you configure the password after you have promoted the server to the Primary, it removes the primary status and you need to re-enable it by entering the password after the command vtp primary.

setting password after enabling as primary server

Now we have our primary server again, let;s configure SW2 as a secondary VTP v3 Server, and SW3 as a VTP v3 Client. 

Configuring SW2 and SW3 for VTP v3

Once again, let's configure a VLAN on SW1 and verify that the VLAN information is propagated to SW2 and SW3 using the show command show vtp status.

Configuring VLANs and verifying on SW2 and SW3

VTP v3 Pruning

Just like with VTP v1/v2, VTP v3 is capable of pruning VLANs so there's not really much to add here except that there is a difference in configuring VLAN Pruning in VTP v3. When you enable VTP pruning in v1 or v2 on the VTP Server, it is automatically enabled for all VTP clients inside the VTP domain. This is not the case for VTP v3. When enabling VLAN Pruning in VTP v3, you need to manually configure it on each device. That is unless you are migrating from v1 or v2 and already have VTP pruning enabled. To enable VTP Pruning, use the global configuration command vtp pruning.

Enabling VTP pruning


VTP v3 MST Operations

Another new feature of VTP v3, is the support for automatically configuring MST region settings. VTP v3 is designed to update multiple data formats including carrying MST information. Your VTP MST server switch does not need to be the same as your VLAN switch. In the examples above, I've made SW1 the primary, however for MST features, i'm going to make SW2 the primary. All switches are already running MST with VLANs 10, 20, and 30 bound to instance 1 and all other VLANs bound to the IST0. 

First, let's make SW2 the VTP Server for MST. Like with making switch a VLAN server, you need to go back to privileged exec mode and use the comand vtp primary mst to make the switch the VTP Primary server for MST.  (I'll post packet captures of this later)

Configuring SW2 as VTP v3 MST Primary Server

Now we need to configure SW1 and SW3 as VTP v3 MST Clients or Servers as you can have multiple servers and updates are still processed. Like with VLANs however, you need a primary server to be able to make changes to your MST configuration.

Configuring SW1 and SW3 as VPT v3 MST Clients

Let's take a look at the MST configuration as it stands, then make a change on SW2 to create a new MST Instance 2 and assign VLANs 31-4094 to MSTI2.

show span mst config after making changes on VTP v3 MST primary server

Now that is cool. And those who run MST will understand how useful this feature is and how easy it makes changing your MST configuration across the board. 

VTP Unkown

I don't actually have a way of showing you how VTP mode unknown works but I will try to explain what it's supposed to do. As i mentioned earlier, VTP v3 is designed to carry multiple database types and exchange this information. So what happens when you have some old switches in your network that don't support these new features? The VTP advertisements come through as unknown formats. That's what VTP unknown is for. Telling the switch what to do with these unknown formats. When you configure VTP unknown, you can only configure it as either off or transparent which has the same effect as setting the VTP mode to off or transparent in that it tells the switch if it should forward the frames, or drop them.

Configuring VTP unknown