Cisco Systems 3560-X, 3750-X VTP Version 3

16-5

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-21521-01

Chapter 16 Configuring VTP Understanding VTP

• Consistency Checks—In VTP version 2, VLAN consistency checks (such as VLAN names and

values) are performed only when you enter new information through the CLI or SNMP. Consistency

checks are not performed when new information is obtained from a VTP message or when

information is read from NVRAM. If the MD5 digest on a received VTP message is correct, its

information is accepted.

VTP Version 3

VTP version 3 supports these features that are not supported in version 1 or version 2:

• Enhanced authentication—You can configure the authentication as hidden or secret. When hidden,

the secret key from the password string is saved in the VLAN database file, but it does not appear

in plain text in the configuration. Instead, the key associated with the password is saved in

hexadecimal format in the running configuration. You must reenter the password if you enter a

takeover command in the domain. When you enter the secret keyword, you can directly configure

the password secret key.

• Support for extended range VLAN (VLANs 1006 to 4094) database propagation. VTP versions 1

and 2 propagate only VLANs 1 to 1005. If extended VLANs are configured, you cannot convert

from VTP version 3 to version 1 or 2.

Note VTP pruning still applies only to VLANs 1 to 1005, and VLANs 1002 to 1005 are still

reserved and cannot be modified.

• Private VLAN support (if the switch is running the IP base or IP services feature set).

• Support for any database in a domain. In addition to propagating VTP information, version 3 can

propagate Multiple Spanning Tree (MST) protocol database information. A separate instance of the

VTP protocol runs for each application that uses VTP.

• VTP primary server and VTP secondary servers. A VTP primary server updates the database

information and sends updates that are honored by all devices in the system. A VTP secondary server

can only back up the updated VTP configurations received from the primary server to its NVRAM.

By default, all devices come up as secondary servers. You can enter the vtp primary privileged

EXEC command to specify a primary server. Primary server status is only needed for database

updates when the administrator issues a takeover message in the domain. You can have a working

VTP domain without any primary servers. Primary server status is lost if the device reloads or

domain parameters change, even when a password is configured on the switch.

• The option to turn VTP on or off on a per-trunk (per-port) basis. You can enable or disable VTP per

port by entering the [no] vtp interface configuration command. When you disable VTP on trunking

ports, all VTP instances for that port are disabled. You cannot set VTP to off for the MST database

and on for the VLAN database on the same port.

When you globally set VTP mode to off, it applies to all the trunking ports in the system. However,

you can specify on or off on a per-VTP instance basis. For example, you can configure the switch

as a VTP server for the VLAN database but with VTP off for the MST database.