VTP Version 3
VTP version 3 is the third version of the VLAN Trunking Protocol and enhances its initial functions well beyond the handling of VLAN matters. VTP version 3 introduces the primary and secondary server concept. Enter the vtp version 3 command to tell the switches to use VTP version 3. The vtp mode server command only makes a switch a secondary server, and no VTP version 3 switch accepts a VLAN update unless the update is generated by a primary server. The only way to change the VLAN database is first to promote a secondary server to a primary server with the vtp primary vlan command, modify the VLAN database, and finally demote it back to a secondary server for safety. By changing to transparent mode and then back to server mode, the primary server will act as a secondary server again.
Let’s dig into that.
First we will see the difference between VTP versions 1, 2 and 3.



Some more elaborated points for VTP version 3
VTP version 3 supports the following features that are not supported in version 1 or 2:
Private VLAN support.
Multiple Spanning Tree (MST) Support – VTP version 3 can propagate Multiple Spanning Tree (MST) protocol database information.
VTP primary server and VTP secondary servers.
Support to turn VTP on or off on a per-trunk (per-port) basis.
Support for extended-range VLANs (VLANs 1006 to 4094); up to version 2 of VTP the range ended at 1005.
Enhanced authentication, where authentication can be configured as hidden or secret.
RSPAN VLANs: remote SPAN VLANs can now be synchronized.
VTP can be disabled globally.
Protection from unintended database overrides during insertion of new switches – VTP mode clients, and secondary servers cannot write the VLAN database. There can only be one primary server. The primary server is the only server allowed to write the VLAN database.
In VTP version 3, VLAN configurations are saved in NVRAM in client mode. Earlier versions did not save VLAN configurations in NVRAM.
New additions to VTP version 3:
VTP primary server: only the primary server is able to create / modify / delete VLANs. This is a great change as you can no longer “accidentally” wipe all VLANs like you could with VTP version 1 or 2.
Extended VLANs: you can now synchronize VLANs in the extended VLAN range (1006 – 4094).
Private VLANs: if you have VLANs that are configured as private VLANs then you can synchronize them with VTPv3.
RSPAN VLANs: remote SPAN VLANs can now be synchronized.
MST Support: one of the problems of MST is that you had to configure each switch manually. With VTPv3, MST configurations are synchronized.
Authentication improvements: VTPv3 has more secure methods for authentication.
VTP mode off: If you didn’t want to use VTP for version 1 or 2 then you had to use the transparent mode. VTPv3 can be disabled globally or per interface.
Compatibility: VTP version 3 is compatible with version 2, not version 1.


Same on SW2, adding some VLANs.

All switches will be running in VTP server mode by default.


This is a huge problem with previous versions of VTP, so much so that, prior to version 3, customers use VTP mode transparent. The problem is that VTP devices, VTP clients included, can have their VLANs removed or changed while not connected to the mothership, and inadvertently end up with a higher configuration revision. When that switch is introduced, or reintroduced, to the greater network, the higher configuration revision "wins", and the rest of the network replicates that VLAN database, erasing their own VLANs. This can be so dramatic that the entire network can end up with just VLAN 1, and the entire layer 2 domain goes down. This is a very easy problem to create, and it causes a dramatic outage.
VTPv3 can no longer create this issue. VTP mode clients and secondary servers cannot write the VLAN database.
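The difference between the two acceptance rules described above can be seen in a small model. This is an added example, not output or code from the original page: it is a simplified Python model of the "higher revision wins" rule against the VTPv3 "primary server only" rule, and the domain name LAB, the revision numbers and the VLAN IDs are constructed values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Advert:
    """Constructed stand-in for a VTP advertisement (not the wire format)."""
    domain: str
    revision: int
    vlans: frozenset
    updater_id: str                    # switch that generated this database

@dataclass
class Switch:
    name: str
    domain: str
    version: int                       # 2 or 3
    revision: int = 0
    vlans: frozenset = frozenset({1})
    primary_id: Optional[str] = None   # VTPv3: primary server this switch follows

    def advertise(self) -> Advert:
        updater = self.primary_id if self.version == 3 else None
        return Advert(self.domain, self.revision, self.vlans, updater or self.name)

    def receive(self, adv: Advert) -> bool:
        """Return True if the advertised database replaces the local one."""
        if adv.domain != self.domain or adv.revision <= self.revision:
            return False
        # VTPv3: accept only a database generated by the known primary server.
        if self.version == 3 and adv.updater_id != self.primary_id:
            return False
        self.revision, self.vlans = adv.revision, adv.vlans
        return True

def reintroduce_stale_switch(version: int) -> frozenset:
    """A switch holding only VLAN 1 but a higher revision rejoins the domain."""
    prod_vlans = frozenset({1, 10, 20, 30})
    sw1 = Switch("SW1", "LAB", version, revision=5, vlans=prod_vlans)
    sw2 = Switch("SW2", "LAB", version, revision=5, vlans=prod_vlans)
    if version == 3:
        sw1.primary_id = sw2.primary_id = "SW1"   # SW1 promoted with vtp primary vlan
    stale = Switch("SW3", "LAB", version, revision=42)  # VLANs removed while offline
    for sw in (sw1, sw2):
        sw.receive(stale.advertise())
    return sw2.vlans                   # what the rest of the network is left with

if __name__ == "__main__":
    for v in (2, 3):
        print(f"VTPv{v}: SW2 VLANs after SW3 rejoins:", sorted(reintroduce_stale_switch(v)))
```

In the version 2 run SW2 is left with only VLAN 1, while in the version 3 run the database is unchanged because SW3 is not the primary server that SW2 follows.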
This is new, one of the switches has to be the primary server in order to create / modify or delete VLANs. Let’s make SW1 our primary server:

SW2 and SW3 are able to confirm that SW1 is the primary server. VTP version 3 also has a new command that allows us to see all switches in the same VTP domain.

Coresw1 is now the only device that can make changes to the contiguous v3 PVST VLAN database. Note that the vtp primary vlan command is run in privileged EXEC mode and is not saved to the config; if you reboot, you lose this privilege. This completely eliminates the possibility of having a plug-and-play way of accidentally overwriting another network's VTP database.
