CCIE Routing & Switching v5 Workbook -
CCIE R&S v5 Advanced Technology Labs -
LAN Switching
VTP Version 3
You must load the initial configuration files for the section, LAN Switching Initial VTP, which can be found in . Reference the Virtual Routers & Physical Switches Diagram to complete this task.
Task
All switches are pre-configured in VTP domain CCIE.
Configure VTP Version 3 on all switches.
Set the VTP password to CISCO and ensure that it cannot be retrieved through
show commands or by looking at the vlan.dat file.
Ensure that SW2 can modify the VLAN database.
Configuration
SW1:
vtp version 3
vtp password CISCO hidden
SW2:
vtp version 3
vtp password CISCO hidden
end
!
vtp primary vlan
SW3:
vtp version 3
vtp password CISCO hidden
SW4:
vtp version 3
vtp password CISCO hidden
Verification
VTP Version 3 comes with multiple VLAN database security improvements, the
most significant being that only the VTP switch designated as primary can update
the VLAN database within one VTP domain, regardless of the configuration revision
number value. The switch designated as primary must run in server mode. By
default, all switches running in server mode are designated as secondary servers.
Note that the command vtp primary is configured from privileged EXEC (#) mode. VTP Version 3 is
modular, in that it supports advertisement propagation for several databases or
instances:
VLAN database configuration
MST configuration
Unknown, reserved for future use
For each of the above modules, a switch can run in the following modes:
Server
Client
Transparent
Off
Version 3 also brings support for advertising Private-VLAN configuration and
extended-range VLANs. It also has the ability to hide the password so that it cannot
be retrieved by means of show commands. If a hidden password was configured,
the administrator would need to provide the password before promoting a secondary
server to primary. A VTP client cannot be promoted to primary server, but it can still
participate by listening and processing VTP updates from the primary server. The
output of SW1 will be similar to SW3 and SW4.
SW1#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : CCIE
VTP Pruning Mode                : Enabled
VTP Traps Generation            : Disabled
Device ID                       : 000a.b832.3580

Feature VLAN:
--------------
VTP Operating Mode                : Client
Number of existing VLANs          : 18
Number of existing extended VLANs : 0
Maximum VLANs supported locally   : 1005
Configuration Revision            : 0
Primary ID                        : 0000.0000.0000
Primary Description               :
MD5 digest                        : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                                    0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Feature MST:
--------------
VTP Operating Mode                : Transparent

Feature UNKNOWN:
--------------
VTP Operating Mode                : Transparent
!
!
SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : CCIE
VTP Pruning Mode                : Enabled
VTP Traps Generation            : Disabled
Device ID                       : 001c.576d.4a00

Feature VLAN:
--------------
VTP Operating Mode                : Server
Number of existing VLANs          : 18
Number of existing extended VLANs : 0
Maximum VLANs supported locally   : 1005
Configuration Revision            : 0
Primary ID                        : 0000.0000.0000
Primary Description               :
MD5 digest                        : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
                                    0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00

Feature MST:
--------------
VTP Operating Mode                : Transparent

Feature UNKNOWN:
--------------
VTP Operating Mode                : Transparent
With the other versions of VTP, the password could easily be viewed in clear text by using the show vtp password command. Compare this with the output under VTP Version 3 and the new hidden password feature, which shows only the password's digest.
SW1#show vtp password
VTP Password: 14F81D29C1B9FBF90576F97120429250
Now we will promote SW2 to the primary server role and add VLAN 2055. Note that this VLAN could not have been propagated with Version 1 or 2 because its ID is higher than 1001.
SW2#vtp primary vlan force
This system is becoming primary server for feature vlan
Enter VTP Password: CISCO
%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 001c.576d.4a00 has become the primary server for the VLAN VTP feature
!
SW2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#vlan 2055
SW2(config-vlan)#name TEST_VLAN
Note in the output of show vtp status that the Primary ID value has changed from 0000.0000.0000 to the MAC-derived device ID of SW2, and that the Primary Description value is now the hostname of the primary VTP server.
SW1#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : CCIE
VTP Pruning Mode                : Enabled
VTP Traps Generation            : Disabled
Device ID                       : 0013.605f.f000

Feature VLAN:
--------------
VTP Operating Mode                : Client
Number of existing VLANs          : 16
Number of existing extended VLANs : 1
Maximum VLANs supported locally   : 1005
Configuration Revision            : 2
Primary ID                        : 000a.b832.3a80
Primary Description               : SW2
MD5 digest                        : 0x41 0x9B 0x84 0xFA 0x2E 0x10 0x9B 0x37
                                    0x72 0x1D 0x28 0x58 0xA4 0x2F 0xE6 0xC0
<output omitted>
!
!
SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 3
VTP Domain Name                 : CCIE
VTP Pruning Mode                : Enabled
VTP Traps Generation            : Disabled
Device ID                       : 000a.b832.3a80

Feature VLAN:
--------------
VTP Operating Mode                : Primary Server
Number of existing VLANs          : 16
Number of existing extended VLANs : 1
Maximum VLANs supported locally   : 1005
Configuration Revision            : 1
Primary ID                        : 000a.b832.3a80
Primary Description               : SW2
MD5 digest                        : 0x57 0xA9 0x31 0x33 0x2A 0xC6 0x64 0x1C
                                    0x9B 0x83 0x55 0x15 0x86 0xA7 0x0C 0x0A
<output omitted>
Note that as soon as there is a promotion to primary server, all members of the VTP
domain output a syslog message.
%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 000a.b832.3a80 has become the primary server for the VLAN VTP feature
Now check that the extended range VLAN has been propagated within the VTP
domain.
SW1#show vlan id 2055

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
2055 TEST_VLAN                        active    Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
2055 enet  102055     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
When all switches have selected their primary VTP server from which to accept
updates, this is reported in VTP messages so that you get a complete map of all
devices in the VTP domain.
SW1#show vtp devices
Retrieving information from the VTP domain. Waiting for 5 seconds.
VTP Feature  Conf Revision Primary Server Device ID      Device Description
------------ ---- -------- -------------- -------------- ----------------------
VLAN         No   2        000a.b832.3a80=000a.b832.3a80 SW2
VLAN         No   2        000a.b832.3a80 001a.a174.2500 SW4
VLAN         No   2        000a.b832.3a80 0022.5627.1f80 SW3
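Because only the primary server can change the VLAN database, an unexpected promotion is the event worth watching for. The following Python script is an added verification example, not part of the workbook: it parses the %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG syslog line and the show vtp devices output above and flags any promotion or follower that does not point at the authorized primary, as well as revision disagreements or conflict flags. It assumes SW2's device ID is the only authorized primary, and the second syslog line is a constructed, unauthorized promotion used to exercise the check.

```python
import re

# Authorized primary server for feature VLAN: SW2's device ID as shown in the lab output.
# Any promotion by, or follower of, a different device ID is treated as a finding.
AUTHORIZED_PRIMARY = "000a.b832.3a80"

# Constructed sample syslog: the first line is the promotion from the lab, the second
# is an invented, unauthorized promotion by SW3 used to exercise the check.
SYSLOG = """\
%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 000a.b832.3a80 has become the primary server for the VLAN VTP feature
%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0022.5627.1f80 has become the primary server for the VLAN VTP feature
"""

# Constructed sample of 'show vtp devices' as seen from SW1 ('=' marks the primary itself).
VTP_DEVICES = """\
VTP Feature  Conf Revision Primary Server Device ID      Device Description
------------ ---- -------- -------------- -------------- ----------------------
VLAN         No   2        000a.b832.3a80=000a.b832.3a80 SW2
VLAN         No   2        000a.b832.3a80 001a.a174.2500 SW4
VLAN         No   2        000a.b832.3a80 0022.5627.1f80 SW3
"""

PRIMARY_CHG = re.compile(
    r"%SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: ([0-9a-f.]+) has become the primary server "
    r"for the (\w+) VTP feature")
DEVICE_ROW = re.compile(
    r"^(?P<feature>\w+)\s+(?P<conf>\w+)\s+(?P<rev>\d+)\s+"
    r"(?P<primary>[0-9a-f.]+)(?:=|\s+)(?P<dev>[0-9a-f.]+)\s+(?P<name>\S+)$")


def unexpected_promotions(syslog):
    """Return (device_id, feature) for each primary-server change not made by the authorized switch."""
    return [(m.group(1), m.group(2)) for m in PRIMARY_CHG.finditer(syslog)
            if m.group(1) != AUTHORIZED_PRIMARY]


def check_vtp_devices(output):
    """Parse 'show vtp devices'; return (rows, findings) where findings lists any conflict
    flag, revision disagreement, or device following a primary other than the authorized one."""
    rows = [m.groupdict() for m in map(DEVICE_ROW.match, output.splitlines()) if m]
    findings = []
    revisions = sorted({r["rev"] for r in rows})
    if len(revisions) > 1:
        findings.append("revision mismatch across domain: " + ", ".join(revisions))
    for r in rows:
        if r["conf"] != "No":
            findings.append(f"{r['name']} reports a VTP conflict")
        if r["primary"] != AUTHORIZED_PRIMARY:
            findings.append(f"{r['name']} ({r['dev']}) follows unauthorized primary {r['primary']}")
    return rows, findings


if __name__ == "__main__":
    print(unexpected_promotions(SYSLOG))
    print(check_vtp_devices(VTP_DEVICES)[1])
```

In production the same parsers would be fed from a syslog collector and from periodic show vtp devices captures, rather than from the embedded samples.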