I will only be using the 3560 stand-alone for IOS difference comparisons, and will only be using the 3750s in a two-layer Core / Access switch model to demonstrate the differences between the three VTP versions.
This will be a long, lab heavy post to demonstrate behaviors, so prepare yourself for a DEEP DIVE through the eyes of the CLI on the home SWITCH lab!
The switches had all been reset except for the trunks, and the following was configured on SW1 and then verified to have propagated to SW2:
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vtp ver 2
SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP
SW1(config)#
*Mar 1 00:25:10.008: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to CCNP.
SW1(config)#vlan 10
SW1(config-vlan)#exit
SW1(config)#^Z
SW1#wr
*Mar 1 00:25:25.929: %SYS-5-CONFIG_I: Configured from console by console
Building configuration…
[OK]
SW1#
ASR#2
[Resuming connection 2 to sw2 … ]
SW2#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:25:20
Local updater ID is 0.0.0.0 (no valid interface found)
Feature VLAN:
————–
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 2
MD5 digest : 0xBC 0x00 0x22 0x15 0x4B 0xE6 0xB1 0x07
0x0F 0x2F 0x75 0xB5 0xB9 0x16 0xAD 0x1F
SW2#
So the VTP version, domain name and configuration revision have all propagated to two completely unconfigured switches that are still in Server mode. That is expected behavior, and worth remembering: a switch whose domain name is still NULL adopts the first domain it hears a Summary advertisement for, and Server is the default mode, so a factory-fresh switch on a trunk joins the domain with no configuration at all. So I throw them both in Client mode:
SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
SW2(config)#
ASR#3
[Resuming connection 3 to sw3 … ]
SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
SW3(config)#
Now, passwords haven't really been covered or touched on as a refresher, so I wanted to lab a quick demonstration of what happens on 15.x IOS switches when a password is applied to the Server but not to the Clients.
Will it propagate? Will the Clients still receive VLAN updates if one is created? Let's see:
SW1(config)#vtp password SWITCH
Setting device VTP password to SWITCH
SW1(config)#vlan 20
SW1(config-vlan)#exit
SW1(config)#
ASR#2
[Resuming connection 2 to sw2 … ]
[OK]
SW2#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:25:20
Feature VLAN:
————–
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 2
MD5 digest : 0xBC 0x00 0x22 0x15 0x4B 0xE6 0xB1 0x07
0x0F 0x2F 0x75 0xB5 0xB9 0x16 0xAD 0x1F
SW2#
So SW2 does not receive the update, because it has no password configured for the VTP domain: the password is folded into the MD5 digest that every Summary advertisement carries, so a switch whose password does not match computes a different digest and discards the advertisement. As weak as the v2 password security is (discussed shortly), it does at least stop a switch from accepting, or injecting, VLAN updates with only a matching domain name. It does not hide anything, though: the advertisements themselves still go out on every trunk in clear text, so a rogue device can still read the domain name, revision and VLAN list straight off the wire.
One odd behavior I found, as demonstrated below, is that even after setting the password on the Client SW2, it does not trigger a Request advertisement to the Server:
SW2(config)#vtp password SWITCH
Setting device VTP password to SWITCH
SW2(config)#^Z
SW2#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:25:20
Feature VLAN:
————–
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 6
Configuration Revision : 2
MD5 digest : 0xBE 0xA4 0x9E 0xB1 0x66 0xC0 0x4C 0x2B
0xD4 0x33 0x8C 0x72 0x4B 0xBF 0x1A 0xF5
SW2#sh vlan bri
VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active Fa1/0/3, Fa1/0/4, Fa1/0/5
Fa1/0/6, Fa1/0/7, Fa1/0/8
Fa1/0/9, Fa1/0/10, Fa1/0/11
Fa1/0/12, Fa1/0/13, Fa1/0/14
Fa1/0/15, Fa1/0/16, Fa1/0/17
Fa1/0/18, Fa1/0/19, Fa1/0/20
Fa1/0/21, Fa1/0/22, Fa1/0/23
Fa1/0/24, Gi1/0/1, Gi1/0/2
10 VLAN0010 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW2#
No VLAN 20. Since a Client can only take its VLAN information from a Server, I checked whether the password really is set and matching on both switches:
SW1#sh vtp password
VTP Password: SWITCH
SW1#
ASR#2
[Resuming connection 2 to sw2 … ]
SW2#sh vtp password
VTP Password: SWITCH
SW2#
In case your CCNA is a distant memory: that is as secure as the v2 password gets. "sh vtp password" prints it in clear text, and it is also stored in clear text in the switch's VLAN database (vlan.dat), which can be read with the following command:
SW2#more vlan.dat
00000000: BADB100D 00000002 01044343 4E500000 :[.. …. ..CC NP..
00000010: 00000000 00000000 00000000 00000000 …. …. …. ….
00000020: 00000000 00000000 00000000 00000003 …. …. …. ….
00000030: 00000000 00000001 39333033 30313030 …. …. 9303 0100
00000040: 33333136 21540AAB 68646E7E B0C7C59C 3316 !T.+ hdn~ 0GE.
00000050: 352FC465 06535749 54434800 00000000 5/De .SWI TCH. ….
00000060: 00000000 00000000 00000000 00000000 …. …. …. ….
00000070: 00000000 00000000 00000000 00000000 …. …. …. ….
00000080: 00000000 00000000 00000000 00000000 …. …. …. ….
00000090: 00000000 00000007 02010131 00A2AA68 …. …. …1 .”*h
000000A0: 07646566 61756C74 00000000 00000000 .def ault …. ….
000000B0: 00000000 00000000 00000000 00000000 …. …. …. ….
000000C0: 00000101 05DC0001 000186A1 00000000 …. .\.. …! ….
000000D0: 00000000 00000000 00000000 08564C41 …. …. …. .VLA
000000E0: 4E303031 30000000 00000000 00000000 N001 0… …. ….
000000F0: 00000000 00000000 00000000 00000101 …. …. …. ….
00000100: 05DC000A 000186AA 00000000 00000000 .\.. …* …. ….
00000110: 00000000 00000000 08564C41 4E303032 …. …. .VLA N002
00000120: 30000000 00000000 00000000 00000000 0… …. …. ….
Several things can be read in plain text in the v2 VLAN database: the domain name CCNP, the password SWITCH, VLAN0010 and, surprisingly, VLAN0020, so I verified that the VTP status had updated:
SW2#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:33:16
Feature VLAN:
————–
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
Configuration Revision : 3
MD5 digest : 0x21 0x54 0x0A 0xAB 0x68 0x64 0x6E 0x7E
0xB0 0xC7 0xC5 0x9C 0x35 0x2F 0xC4 0x65
SW2#
*** So the above shows not only a serious security hole in VTP v2 (the domain password sits in clear text in a file that ends up in every flash backup), but also that a Client does not send a Request advertisement just because its own configuration changed. A Client requests only when it reloads, when its domain name changes, or when it receives a Summary advertisement carrying a higher revision than its own. ***
The reason this switch did eventually get the updated information is that the Server sends a Summary advertisement every 5 minutes (and after every change). Once SW2 had the matching password its digest check passed, the advertised revision (3) was higher than its own (2), so it requested and accepted the update from SW1. SW3 still has no password, so I'll use it to start the discussion of versions after a brief summary of all three.
Very IMPORTANT differences in VTP Versions and improvements on Versions!
VTP v1 – Does not support Token Ring VLANs or networks. A v1 switch in Transparent mode forwards advertisements only if they carry its own VTP domain name AND version number, so if the trunked VTP switches are not running v1 they receive nothing through the Transparent switch!
Also, if a switch running v1 receives advertisements from a switch running v3, it will attempt to upgrade itself to v2 (provided it is v2 capable), because a v3 switch only exchanges VTP with v3 and v2 neighbors (towards a v2 device it sends a scaled-down, v2-format copy of its database).
VTP v2 – Adds Token Ring support, performs consistency checks on VLAN names and values when changes are entered through the CLI or SNMP (not on information learned from advertisements), and a v2 Transparent switch forwards advertisements over its trunks without inspecting the domain name or version they carry.
As seen above, VTP v2's domain password has inherent security flaws, on top of the VTP sync issue covered in a previous post, in which any switch that joins the domain with a higher configuration revision overwrites the VLAN database of every other switch. All of this is addressed with the introduction of the third version of VTP.
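The Summary advertisement and the "highest revision wins" rule described above, as an added example that is not part of the original post: a small Python decoder for VTP v1/v2 Summary advertisements (an 802.3 frame to 01:00:0c:cc:cc:cc with LLC/SNAP PID 0x2003, then version, code, followers, domain, revision, updater, timestamp and MD5 digest, following Cisco's published format) and a watcher that applies the revision rule to flag a take-over. The frames, the rogue MAC address and the trusted-server list are constructed for the example (only SW1's device ID is taken from the output above); the digest is carried opaque, the example does not compute it.

```python
"""Decode VTP v1/v2 Summary advertisements and flag 'highest revision wins' take-overs.

Added example, not code from the original post. The layout follows the published
VTP v1/v2 Summary advertisement format; frames below are constructed, not captured,
and the 16-byte MD5 digest is treated as opaque (this example does not compute it).
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

VTP_MCAST = bytes.fromhex("01000ccccccc")               # destination MAC of every VTP frame
SNAP_VTP = bytes.fromhex("aaaa03" + "00000c" + "2003")  # LLC + SNAP: Cisco OUI, PID 0x2003 = VTP
CODE_SUMMARY = 1                                        # 2 = subset, 3 = request


@dataclass
class Summary:
    src_mac: str
    version: int
    followers: int
    domain: str
    revision: int
    updater: str
    timestamp: str
    md5: bytes


def build_summary(src_mac: bytes, version: int, domain: str, revision: int,
                  updater: str = "0.0.0.0", timestamp: str = "930301003316",
                  md5: bytes = bytes(16), followers: int = 0) -> bytes:
    """Build an 802.3/LLC/SNAP frame carrying a VTP Summary advertisement."""
    name = domain.encode("ascii")
    vtp = struct.pack("!BBBB", version, CODE_SUMMARY, followers, len(name))
    vtp += name.ljust(32, b"\x00")                       # domain name, zero-padded to 32 bytes
    vtp += struct.pack("!I", revision)                   # configuration revision number
    vtp += bytes(int(o) for o in updater.split("."))     # updater identity (IPv4)
    vtp += timestamp.encode("ascii").ljust(12, b"\x00")  # update timestamp, YYMMDDhhmmss
    vtp += md5                                           # MD5 digest over the configuration
    llc = SNAP_VTP + vtp
    return VTP_MCAST + src_mac + struct.pack("!H", len(llc)) + llc


def parse_summary(frame: bytes) -> Optional[Summary]:
    """Return the decoded Summary advertisement, or None for anything else."""
    if len(frame) < 22 + 72 or frame[:6] != VTP_MCAST or frame[14:22] != SNAP_VTP:
        return None
    p = frame[22:]
    version, code, followers, dlen = struct.unpack("!BBBB", p[:4])
    if code != CODE_SUMMARY or dlen > 32:
        return None
    return Summary(
        src_mac=frame[6:12].hex(":"),
        version=version,
        followers=followers,
        domain=p[4:4 + dlen].decode("ascii", "replace"),
        revision=struct.unpack("!I", p[36:40])[0],
        updater=".".join(str(b) for b in p[40:44]),
        timestamp=p[44:56].rstrip(b"\x00").decode("ascii", "replace"),
        md5=p[56:72],
    )


class VtpWatch:
    """Track the highest revision per domain and who set it; alert on take-overs."""

    def __init__(self, trusted_servers: Set[str]) -> None:
        self.trusted = {m.lower() for m in trusted_servers}
        self.state: Dict[str, Tuple[int, str]] = {}      # domain -> (revision, source MAC)

    def observe(self, frame: bytes) -> List[str]:
        s = parse_summary(frame)
        if s is None:
            return []
        alerts = []
        if s.src_mac not in self.trusted:
            alerts.append(f"untrusted source {s.src_mac} advertising domain {s.domain} rev {s.revision}")
        prev = self.state.get(s.domain)
        if prev is None or s.revision > prev[0]:
            if prev is not None and s.src_mac != prev[1]:
                alerts.append(f"domain {s.domain}: revision {prev[0]} -> {s.revision} from new source "
                              f"{s.src_mac} (was {prev[1]}); every client and server will overwrite its VLANs")
            self.state[s.domain] = (s.revision, s.src_mac)
        elif s.revision < prev[0] and s.src_mac in self.trusted and prev[1] not in self.trusted:
            alerts.append(f"domain {s.domain}: trusted {s.src_mac} at rev {s.revision} trails "
                          f"rev {prev[0]} set by untrusted {prev[1]}")
        return alerts


if __name__ == "__main__":
    sw1 = bytes.fromhex("1ce6c7c1c800")    # SW1's device ID from the output above
    rogue = bytes.fromhex("001122334455")  # constructed rogue switch
    watch = VtpWatch({"1c:e6:c7:c1:c8:00"})
    for f in (build_summary(sw1, 2, "CCNP", 3), build_summary(rogue, 2, "CCNP", 42),
              build_summary(sw1, 2, "CCNP", 3)):
        print(parse_summary(f).revision, watch.observe(f))
```

The watcher keys on the source MAC because the VTP payload carries no authenticated identity (the updater field is just an IP the sender chooses, and was 0.0.0.0 throughout the lab); in a real deployment you would feed it frames from a SPAN port and seed the trusted set with your servers' base MACs.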
VLAN Ranges for VTP Version / Extended VLAN explanation
Both v1 and v2 support only the normal range, VLANs 1-1005 (1002-1005 being the reserved FDDI / Token Ring defaults seen in every "sh vlan brief"), while v3 additionally supports "Extended VLANs", 1006-4094 (some documentation describes the reserved range as running to 1024, so I'm not 100% clear on the exact boundary).
Extended VLANs on VTP v3 are demonstrated at the bottom of the post, but here are the details on Extended VLANs:
- Extended VLANs can only be created on Transparent switches in v1/v2, or on a VTP v3 Primary Server!
- In v1/v2 Transparent mode, Extended VLANs are NOT saved to vlan.dat / the VLAN DB, only to the running config (and to startup config once "wr mem" or "copy run start" is issued); a v3 Primary Server keeps them in the VLAN database and advertises them (demonstrated at the bottom of the post)
- Extended VLANs do not increase the "Number of existing VLANs" counter in "sh vtp status"; v3 output has a separate "Number of existing extended VLANs" counter for them (demonstrated at the bottom of the post)
VTP v3 – I will start the configuration of this on SW1 and go into the differences demonstrated on live equipment in the home lab.
The first essential difference is that it adds VTP mode "off" to the list, whereas a switch whose IOS is not v3 capable (the 3560 here, on its older 12.2 image) will not show it, as demonstrated here:
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vtp mode ?
client Set the device to client mode.
off Set the device to off mode.
server Set the device to server mode.
transparent Set the device to transparent mode.
SW1(config)#vtp mode
ASR#4
[Resuming connection 4 to sw4 … ]
SW4(config)#vtp mode ?
client Set the device to client mode.
server Set the device to server mode.
transparent Set the device to transparent mode.
SW4(config)#vtp mode
This new mode “Off” is essentially Transparent mode, only instead of relaying Advertisements, it discards them (hence the name Off).
I won’t be using SW4 more than for that demonstration, so if you are shown output for “vtp mode ?” and there is no “off” mode, you can immediately tell it is not v3 capable.
Another major difference is that VTP can be enabled or disabled per interface, so it does not need to run on every trunk; Cisco refers to this as the interface being in VTP "off" mode:
SW1(config)#vtp version 3
SW1(config)#
*Mar 1 01:19:36.095: %SW_VLAN-6-OLD_CONFIG_FILE_READ: Old version 2 VLAN configuration file detected and read OK. Version 3 files will be written in the future.
SW1(config)#int fa1/0/2
SW1(config-if)#?
Interface configuration commands:
(A lot of sub-commands)
vtp Enable VTP on this interface
SW1(config-if)#
So it will be running VTP version 3 once configured globally; per interface it is turned off with "no vtp" and back on with "vtp":
SW1(config-if)#no vtp
SW1(config-if)#
SW1(config-if)#exit
SW1(config)#vlan 30
VTP VLAN configuration not allowed when device is not the primary server for vlan database.
SW1(config-vlan)#
So I disabled VTP on the interface to see how that affected SW2's ability to receive the new configuration revision, and instead ran straight into the next improvement, the one that eliminates the VTP sync issue once and for all: the VTP Primary Server.
As the name suggests, in a v3 domain exactly one Server per feature (VLAN, and separately MST) is the Primary Server, and it is the only switch whose VLAN database changes are accepted; every other Server is a Secondary that only relays and synchronizes, and Clients likewise only sync. The Primary's identity (its base MAC, shown as "Primary ID" in "sh vtp status") travels in the advertisements, so a switch can no longer hijack the domain just by showing up with a higher configuration revision: someone has to run "vtp primary" at a console to move that role (and, as the edit below notes, supply the domain password if one is set).
So I re-enabled VTP with a plain "vtp" on the trunk interface to SW2, and will now make SW1 the Primary Server and see if SW2 receives the VLAN 30 update from SW1:
SW1(config)#vtp ?
domain Set the name of the VTP administrative domain.
file Configure IFS filesystem file where VTP configuration is stored.
interface Configure interface as the preferred source for the VTP IP updater
address.
mode Configure VTP device mode
password Set the password for the VTP administrative domain
pruning Set the administrative domain to permit pruning
version Set the administrative domain to VTP version
SW1(config)#vtp
It is not seen here as an option, because it is configured in Privileged Exec mode!
There is a lot going on in this configuration as far as sub-commands, I’ll only configure it pretty plain, but want to demonstrate the options along the way:
SW1#vtp ?
primary Make the system as the primary server
SW1#vtp primary ?
force Do not check for conflicting devices
mst MST feature
vlan Vlan feature
<cr>
SW1#vtp primary vlan ?
force Do not check for conflicting devices
<cr>
SW1#vtp primary vlan
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue? [confirm]
SW1#
*Mar 1 01:35:21.483: %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 1ce6.c7c1.c800 has become the primary server for the VLAN VTP feature
SW1#
————————-
Edit – Courtesy of Mr Henry Woo in the comments, a behavior not shown above because no password was set when SW1 was promoted:
When promoting a Secondary Server to a Primary Server in VTPv3, if a password is set for the Domain, it will require the “hidden” or cleartext password be entered to promote the server before it will take the Primary role.
Info sourced from Cisco VTPv3 white papers here.
END EDIT!
———————–
So the "force" option is not something I would ever use: it skips the conflict check shown in the output ("No conflicting VTP3 devices found") against the other switches in the domain, which exists precisely so that two switches cannot both claim the Primary role. The switch also prompts once more for confirmation before taking the role.
MST here is Multiple Spanning Tree: VTPv3 can distribute the MST region configuration as a separate feature with its own Primary Server, which is why "vtp primary" takes "vlan" or "mst" as an argument and why "sh vtp status" lists "Feature MST" separately. That will be discussed further in Advanced Topics.
So now that SW1 is a v3 Primary Server, first I want to see if SW2 is still receiving VTP updates from SW1, as they still show they share matching Domain names and password:
SW1(config)#vlan 30
SW1(config-vlan)#exit
SW1(config)#
ASR#2
[Resuming connection 2 to sw2 … ]
SW2#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:33:16
Feature VLAN:
————–
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
Configuration Revision : 3
MD5 digest : 0x21 0x54 0x0A 0xAB 0x68 0x64 0x6E 0x7E
0xB0 0xC7 0xC5 0x9C 0x35 0x2F 0xC4 0x65
SW2#sh vtp status
So even after giving it some time for a “Summary Ad” to be sent by the Server, it is not updating, so I tried to force an update with a Name change and got an interesting error message on SW2:
SW1(config)#vlan 30
SW1(config-vlan)#name Update
SW1(config-vlan)#exit
SW1(config)#
ASR#2
[Resuming connection 2 to sw2 … ]
*Mar 1 01:51:26.945: %SW_VLAN-4-VTP_USER_NOTIFICATION: VTP protocol user notification: MD5 digest checksum mismatch on receipt of equal revision summary on trunk: Fa1/0/2
SW2#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:33:16
Feature VLAN:
————–
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
Configuration Revision : 3
MD5 digest : 0x21 0x54 0x0A 0xAB 0x68 0x64 0x6E 0x7E
0xB0 0xC7 0xC5 0x9C 0x35 0x2F 0xC4 0x65
*** MD5 digest checksum mismatch on trunk: Fa1/0/2 ***
SW2#
From searching for the cause of this error, it appears to be a bug in some IOS releases on my specific switch model, and I found that simply putting SW2 into Transparent mode and back to Client clears the MD5 mismatch:
SW2(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
SW2(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
SW2(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Configuration last modified by 0.0.0.0 at 3-1-93 01:51:34
Feature VLAN:
————–
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
Configuration Revision : 3
MD5 digest : 0xA8 0x9C 0x0F 0xDE 0x23 0x85 0x4F 0x02
0x08 0x59 0x02 0x76 0x7C 0xB3 0xBF 0x42
SW2(config)#
Success! So, buggy moments aside, a v3 Primary Server does work with VTP version 2 neighbors. Next I reset SW3 completely and unplugged its network cables to test the behavior of dynamically upgrading to v2, so to begin with I will plug in only the link to SW1.
SW3 is completely reset, so this will show whether it dynamically upgrades to v2 right out of the box, or whether something needs to be tweaked to trigger the effect:
SW1(config)#vlan 40
SW1(config-vlan)#exit
SW1(config)#
ASR#3
[Resuming connection 3 to sw3 … ]
SW3#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.ce00
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)
Feature VLAN:
————–
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 0
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
0x56 0x9D 0x4A 0x3E 0xA5 0x69 0x35 0xBC
SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP
SW3(config)#
*Mar 1 01:28:47.235: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to CCNP.
SW3(config)#do sh vtp stat
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.ce00
Configuration last modified by 0.0.0.0 at 3-1-93 02:51:31
Local updater ID is 0.0.0.0 (no valid interface found)
Feature VLAN:
————–
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
Configuration Revision : 2
MD5 digest : 0x15 0x56 0x59 0x13 0xA6 0x0E 0xE0 0xBE
0xEC 0x39 0xFF 0x6A 0xE7 0x12 0x81 0x92
SW3(config)#
So that takes care of that question: SW3 only needed the domain name configured, and it was dynamically upgraded to v2 and its VLAN DB updated immediately. Had a password been configured on the domain, it would also have needed to be set on SW3 before it could upgrade and sync. From a security standpoint that is the same lesson as before: in v1/v2, the domain name plus an optional password is the entire admission control.
SPEAKING OF PASSWORDS, THIS WILL BE THE LAST TOPIC TO TOUCH ON FOR V3 TONIGHT, AS I AM ABOUT READY TO FALL OVER! 🙂
VTP v3 brings password security to VTP, as previous versions are in plain text as demonstrated at the top, both with “sh vtp pass” and in the VLAN Database with “more vlan.dat” command.
So lets take a look at setting the VTP password in v3, and our options:
SW1(config)#vtp password ?
WORD The ascii password for the VTP administrative domain.
SW1(config)#vtp password SWITCH ?
hidden Set the VTP password hidden option
secret Specify the vtp password in encrypted form
<cr>
SW1(config)#vtp password SWITCH
A quick explanation of the three options:
- hidden = the password you type is turned into a 16-byte secret key, and only that key (as 32 hex characters) is shown by "sh vtp password" or stored in vlan.dat; the clear-text password appears neither in the running config nor in the file
- secret = you enter that 32-hex-character key directly instead of a password, which is how you copy a hidden password from one switch ("sh vtp password") to another without ever typing the clear text (see Henry Woo's comment below)
- <cr> = plain text, exactly as in v1/v2
- NOTE : "service password-encryption" DOES NOT ENCRYPT THE VTP PASSWORD:
SW1(config)#service password-encryption
SW1(config)#vtp password SWITCH
Setting device VTP password to SWITCH
SW1(config)#do sh vtp password
VTP Password: SWITCH
SW1(config)#
So the password-encryption service will not encrypt this password from being seen in plain text.
One thing I did find, that I am not sure if it is a bug for this IOS and I’m too tired to dig into it at this time, is that when I removed the password to demonstrate the other two options, it reset its status as Primary Server:
SW1(config)#no vtp password SWITCH
Clearing device VTP password.
SW1(config)#
SW1(config)#do sh vtp status
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 1ce6.c7c1.c800
Feature VLAN:
————–
VTP Operating Mode : Server
Number of existing VLANs : 9
Number of existing extended VLANs : 0
Maximum VLANs supported locally : 1005
Configuration Revision : 0
Primary ID : 0000.0000.0000
Primary Description :
MD5 digest : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
Feature MST:
————–
VTP Operating Mode : Transparent
Feature UNKNOWN:
————–
VTP Operating Mode : Transparent
SW1(config)#
Extended VLANs and MST will be for another day, but notice that the "Primary ID" and "Primary Description" fields are both blank, whereas on a Primary Server they should be SW1's base MAC address and its hostname (SW1), as the output further down shows.
So I am not sure if that is a bug, but I reconfigured the Primary Server, and will show the output of trying the other two options, starting with “secret” to encrypt the password:
SW1(config)#vtp password SWITCH secret ?
<cr>
SW1(config)#vtp password SWITCH secret
VTP secret has to be 32 characters in length
SW1(config)#
"secret" does not take a password at all: it expects the 32 hex characters of an already-derived key (what "hidden" produces), which is why "SWITCH" is rejected. That option is for copying a hidden password between switches, so I will try hidden instead:
SW1(config)#vtp password SWITCH hidden ?
<cr>
SW1(config)#vtp password SWITCH hidden
Setting device VTP password
SW1(config)#do sh vtp password
VTP Password: B1C6265827064A45E5A4CAB488A786F8
SW1(config)#do more vlan.dat
00000000: BADB100D 00000003 02044343 4E500000 :[.. …. ..CC NP..
00000010: 00000000 00000000 00000000 00000000 …. …. …. ….
00000020: 00000000 00000000 00000000 00000003 …. …. …. ….
00000030: 00000000 00000001 39333033 30313033 …. …. 9303 0103
00000040: 31383233 21540AAB 68646E7E B0C7C59C 1823 !T.+ hdn~ 0GE.
00000050: 352FC465 00B1C626 5827064A 45E5A4CA 5/De .1F& X’.J Ee$J
00000060: B488A786 F8000000 00000000 00000000 4.’. x… …. ….
00000070: 00000000 00000000 00000000 00000000 …. …. …. ….
00000080: 00000000 00000000 00000000 00000000 …. …. …. ….
00000090: 00000000 00000009 02010131 01030303 …. …. …1 ….
000000A0: 00000000 00000000 00000000 00000000 …. …. …. ….
000000B0: 00000000 00000000 00000000 00000000 …. …. …. ….
So the domain name is still readable in the VLAN database file, but in place of the password there is now the 16-byte key derived from it (the same 32 hex characters "sh vtp password" prints, here starting at offset 0x55), and I am not aware of any length limit on the password itself. Be clear about what that buys you: the clear-text password no longer appears in the running config or in vlan.dat, but the key is what VTP actually uses to build its MD5 digests, and anyone who can read vlan.dat (from a flash backup, a TFTP copy, or this very command) can load the key on another switch with "vtp password <hex> secret" and take part in the domain as a Client or Secondary Server. What the key alone does not allow is promoting that switch to Primary Server, which (per the edit above) requires the clear-text password. Treat vlan.dat as credential material either way.
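The two vlan.dat dumps on this page (the v2 one with the clear-text password earlier, and the v3 hidden one just above) as the input to an added example that is not part of the original post: a Python audit script that rebuilds the raw file from "more vlan.dat" output and reports what credential material it holds. The field offsets are this example's inference from exactly those two dumps (domain name at 0x0A, timestamp at 0x38, MD5 digest at 0x44, password field at 0x54, VLAN count at 0x94) and the field names are assumptions, not Cisco's; the layout may differ on other platforms or IOS releases, and the name scan is a heuristic.

```python
"""Audit a Catalyst vlan.dat for VTP credential material stored in the file.

Added example, not code from the original post. Offsets were inferred from the
two 'more vlan.dat' dumps shown in the post (a v2 file with a plain password and
a v3 file with a hidden password); field names are this example's assumptions,
not Cisco's, and the layout may differ on other platforms or IOS releases.
"""
import re
from typing import Dict, List

MAGIC = bytes.fromhex("BADB100D")

# Constructed test input: the hex columns of the two dumps shown in the post (ASCII column omitted).
V2_DUMP = """
00000000: BADB100D 00000002 01044343 4E500000
00000010: 00000000 00000000 00000000 00000000
00000020: 00000000 00000000 00000000 00000003
00000030: 00000000 00000001 39333033 30313030
00000040: 33333136 21540AAB 68646E7E B0C7C59C
00000050: 352FC465 06535749 54434800 00000000
00000060: 00000000 00000000 00000000 00000000
00000070: 00000000 00000000 00000000 00000000
00000080: 00000000 00000000 00000000 00000000
00000090: 00000000 00000007 02010131 00A2AA68
000000A0: 07646566 61756C74 00000000 00000000
000000B0: 00000000 00000000 00000000 00000000
000000C0: 00000101 05DC0001 000186A1 00000000
000000D0: 00000000 00000000 00000000 08564C41
000000E0: 4E303031 30000000 00000000 00000000
000000F0: 00000000 00000000 00000000 00000101
00000100: 05DC000A 000186AA 00000000 00000000
00000110: 00000000 00000000 08564C41 4E303032
00000120: 30000000 00000000 00000000 00000000
"""
V3_DUMP = """
00000000: BADB100D 00000003 02044343 4E500000
00000010: 00000000 00000000 00000000 00000000
00000020: 00000000 00000000 00000000 00000003
00000030: 00000000 00000001 39333033 30313033
00000040: 31383233 21540AAB 68646E7E B0C7C59C
00000050: 352FC465 00B1C626 5827064A 45E5A4CA
00000060: B488A786 F8000000 00000000 00000000
00000070: 00000000 00000000 00000000 00000000
00000080: 00000000 00000000 00000000 00000000
00000090: 00000000 00000009 02010131 01030303
"""


def bytes_from_more_dump(dump: str) -> bytes:
    """Rebuild the raw file from 'more' output (offset, up to 4 hex words; ASCII column ignored)."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*([0-9A-Fa-f]{8}):((?:\s+[0-9A-Fa-f]{8}){1,4})", line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError("dump not contiguous at offset " + m.group(1))
        out += bytes.fromhex("".join(m.group(2).split()))
    return bytes(out)


def audit_vlan_dat(raw: bytes) -> Dict[str, object]:
    """Header fields plus whatever password material the file holds."""
    if raw[:4] != MAGIC:
        raise ValueError("not a vlan.dat: bad magic")
    dlen = raw[0x09]
    plen = raw[0x54]            # non-zero: a clear-text password of that length follows
    secret = raw[0x55:0x65]     # v3 'hidden': 16 raw key bytes follow a zero length byte
    info: Dict[str, object] = {
        "format": int.from_bytes(raw[4:8], "big"),               # 2 or 3 in the dumps; assumed = VTP version
        "domain": raw[0x0A:0x0A + dlen].decode("ascii", "replace"),
        "timestamp": raw[0x38:0x44].decode("ascii", "replace"),  # YYMMDDhhmmss, as 'show vtp status' prints it
        "md5": raw[0x44:0x54].hex().upper(),                     # the digest 'show vtp status' prints
        "vlan_count": int.from_bytes(raw[0x94:0x98], "big"),
        "password": None,
        "secret": None,
    }
    if plen:
        info["password"] = raw[0x55:0x55 + plen].decode("ascii", "replace")
    elif any(secret):
        info["secret"] = secret.hex().upper()   # loads on another switch via 'vtp password <hex> secret'
    return info


def vlan_names(raw: bytes) -> List[str]:
    """Length-prefixed, NUL-terminated names inside the VLAN records (heuristic scan)."""
    names = []
    for m in re.finditer(rb"([\x02-\x20])([\x20-\x7e]{2,32})\x00", raw[0x98:]):
        if len(m.group(2)) == m.group(1)[0]:
            names.append(m.group(2).decode("ascii"))
    return names


if __name__ == "__main__":
    for label, dump in (("SW2, VTP v2", V2_DUMP), ("SW1, VTP v3 hidden", V3_DUMP)):
        raw = bytes_from_more_dump(dump)
        print(label, audit_vlan_dat(raw), vlan_names(raw))
```

Run against a fleet of backed-up vlan.dat files, a non-empty "password" field is a finding in its own right, and a non-empty "secret" tells you the file must be handled like a key, since the value it reports is exactly what "vtp password <hex> secret" accepts. The digest and timestamp the script extracts from the v2 file are the same values "sh vtp status" printed on SW2 above, which is a handy consistency check that the offsets are right for your platform.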
There may be some future editing as there were numerous behaviors I setup and worked through, but the troubleshooting was so extensive I felt it not necessary to add to this post, so there may be mentions of a bug or something that I later deleted.
The very last thing I wanted to touch on before I finish this post so I have it noted somewhere – Extended VLANs configuration and behaviors:
Extended VLANs have been supported since some 12.2 release of IOS; in VTP v1/v2 they are saved only to the running configuration, NOT to the VLAN DB / vlan.dat file, and can only be configured in Transparent mode (a switch with existing Extended VLANs cannot be moved out of Transparent mode).
Shown here on the 3560 first running IOS 12.2:
SW4(config)#vlan 3000
SW4(config-vlan)#exit
% Failed to create VLANs 3000
Failed due to unknown reason.
%Failed to commit extended VLAN(s) changes.
SW4(config)#
03:29:28: %SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 3000: extended VLAN(s) not allowed in current VTP mode
SW4(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
SW4(config)#vlan 3000
SW4(config-vlan)#exit
SW4(config)#vtp mode server
Device mode cannot be VTP SERVER because extended VLAN(s) exist
SW4(config)#
So as can be seen, in VTP v1/v2 the switch must be put into Transparent mode, and left there, to create and retain Extended VLANs.
On the flip side of the coin, on a VTP v3 Primary Server Extended VLANs can not only be created, but also propagate to VTP v3 Client switches (but not to v2 switches, as seen here):
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 3000
SW1(config-vlan)#exit
SW1(config)#do sh vlan bri
VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active (lots of ports)
10 VLAN0010 active
20 VLAN0020 active
30 Update active
40 VLAN0040 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
3000 VLAN3000 active
SW1(config)#
ASR#2
[Resuming connection 2 to sw2 … ]
SW2#sh vlan brief
VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active (lots of ports)
10 VLAN0010 active
20 VLAN0020 active
30 Update active
40 VLAN0040 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
3000 VLAN3000 active
SW2#
ASR#3
[Resuming connection 3 to sw3 … ]
SW3(config)#exit
SW3#
*Mar 1 02:21:14.649: %SYS-5-CONFIG_I: Configured from console by console
SW3#sh vlan bri
VLAN Name Status Ports
—- ——————————– ——— ——————————-
1 default active (lots of ports)
10 VLAN0010 active
20 VLAN0020 active
30 Update active
40 VLAN0040 active
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
SW3#
So SW3 which is still running v2 does not receive the VLAN 3000 update, but its configuration revision matches both the Server and Client for Configuration Revision # and # of VLAN in “sh vtp stat” :
SW3#sh vtp stat
VTP Version capable : 1 to 3
VTP version running : 2
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.ce00
Configuration last modified by 0.0.0.0 at 3-1-93 02:51:31
Local updater ID is 0.0.0.0 (no valid interface found)
Feature VLAN:
————–
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
Configuration Revision : 2
MD5 digest : 0x15 0x56 0x59 0x13 0xA6 0x0E 0xE0 0xBE
0xEC 0x39 0xFF 0x6A 0xE7 0x12 0x81 0x92
SW3#
ASR#1
[Resuming connection 1 to sw1 … ]
SW1(config)#do sh vtp stat
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 1ce6.c7c1.c800
Feature VLAN:
————–
VTP Operating Mode : Primary Server
Number of existing VLANs : 9
Number of existing extended VLANs : 1
Maximum VLANs supported locally : 1005
Configuration Revision : 2
Primary ID : 1ce6.c7c1.c800
Primary Description : SW1
MD5 digest : 0x94 0x68 0x7A 0x2A 0x83 0xDB 0xEC 0x34
0x36 0x0A 0xCF 0xED 0xE6 0x21 0xB4 0xD2
Feature MST:
————–
VTP Operating Mode : Transparent
SW1(config)#
ASR#2
[Resuming connection 2 to sw2 … ]
SW2#sh vtp stat
VTP Version capable : 1 to 3
VTP version running : 3
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5897.1eab.c800
Feature VLAN:
————–
VTP Operating Mode : Client
Number of existing VLANs : 9
Number of existing extended VLANs : 1
Maximum VLANs supported locally : 1005
Configuration Revision : 2
Primary ID : 1ce6.c7c1.c800
Primary Description : SW1
MD5 digest : 0x94 0x68 0x7A 0x2A 0x83 0xDB 0xEC 0x34
0x36 0x0A 0xCF 0xED 0xE6 0x21 0xB4 0xD2
Feature MST:
————–
VTP Operating Mode : Transparent
SW2#
So it can be seen that even Client switches carry the Primary Server's ID and hostname ("Primary ID" / "Primary Description") in their VTP status, and interestingly Extended VLANs are not counted in "Number of existing VLANs", only in the separate "Number of existing extended VLANs" counter (so I will add that to the bullet points for Extended VLANs now).
I assume it was designed that way for backwards compatibility with VTP v2.
So now that I am beyond mentally exhausted, I will call it a good productive labbing session, and round off VTP with one last post on VTP Pruning before moving on to Spanning Tree Protocol Fundamentals into Advanced topics! 😀
Hello Loopy~
Thank you for this post on VTP behaviours. One thing to note with VTPv3 password hidden versus secret is:
hidden: An unencrypted password is input (only hashed password appears in running config)
secret: The encrypted version of the password is input (mainly for adding clients)
When promoting a server to a Primary Server, the unencrypted version of the password is required.
Thank you for the note Henry, I will verify that info quick and make note.
Please let me know(comment) any other additions or updates I can make as I’m sure there is some outdated / incorrect info in articles, I appreciate the help keeping everything accurate!
Ahh, found it, thank you 🙂