Rapid PVST+ – Enterprise LAN Design and Technologies

Rapid PVST+ is based on the Rapid Spanning Tree Protocol (RSTP) IEEE 802.1W standard. RSTP (IEEE 802.1w) natively includes most of the Cisco-proprietary enhancements to 802.1D Spanning Tree Protocol, such as BackboneFast and UplinkFast. Rapid PVST+ has these unique features:

  • Uses version 2 bridge protocol data units (BPDUs), which are backward compatible with the 802.1D Spanning Tree Protocol, which in turn uses version 0 BPDUs.
  • All switches generate BPDUs and send them out on all ports every 2 seconds, whereas with 802.1D Spanning Tree Protocol, only the root bridge sends configuration BPDUs.

Rapid PVST+ has the following roles, states, and types:

  • Port roles: Root port, designated port, alternate port, and backup port
  • Port states: Discarding, Learning, and Forwarding
  • Port types: Edge Port (PortFast), Point-to-Point, and Shared port

Rapid PVST+ uses RSTP to provide faster convergence. When any RSTP port receives a legacy 802.1D BPDU, it falls back to legacy Spanning Tree Protocol, and the inherent fast convergence benefits of 802.1W are lost when it interacts with legacy bridges. Cisco recommends that Rapid PVST+ be configured for best convergence.

Alignment of Spanning Tree Protocol with FHRP

Remember to manually assign the root bridge of a Spanning Tree Protocol network. Usually, one of the distribution switches is selected as the root bridge to match the Layer 3 First-Hop Redundancy Protocol (FHRP) active gateway. The root bridge is assigned by manually lowering its bridge priority from the default.

MST

Multiple Spanning Tree (MST), which is defined by IEEE 802.1S, is based on the Cisco Multiple Instance Spanning Tree Protocol (MISTP). MST (802.1S) is an IEEE standard that allows several VLANs to be mapped to the same spanning-tree instance. MST is used to reduce the total number of spanning-tree instances to the few that match the physical topology of the network. This reduces the CPU load on a switch and is possible because most networks do not need more than a few logical topologies. Each instance handles multiple VLANs that have the same Layer 2 topology. For MST, do not manually prune VLANs from trunks and do not run MST on access ports between switches.

Cisco Spanning Tree Protocol Toolkit

Spanning Tree Protocol has been the friend and enemy of network designers and network troubleshooters throughout the years. Spanning Tree Protocol is required for a Layer 2 Ethernet network to function properly for path redundancy and prevention of Layer 2 loops. Cisco recommends that you design for the use of the Cisco STP Toolkit to enhance the performance of IEEE 802.1D Spanning Tree Protocol on your network. Figure 6-10 shows where each mechanism is applied in a network.

Figure 6-10 Cisco STP Toolkit Mechanisms

PortFast

PortFast causes a Layer 2 LAN access port to enter the forwarding state immediately, bypassing the listening and learning states. When configured for PortFast, a port is still running Spanning Tree Protocol and can immediately transition to the blocking state, if necessary. PortFast should be used only when connecting a single end station to the port. It can be enabled on trunk ports.

UplinkFast

UplinkFast provides fast convergence after a direct link failure. UplinkFast cannot be configured on individual VLANs; it is configured on all VLANs of a LAN switch. It is most useful when configured on the uplink ports of closet switches connecting to distribution switches. This mechanism is enabled when RSTP is enabled on a switch.

BackboneFast

BackboneFast provides fast failover when an indirect link failure occurs. It is initiated when a root port or blocked port on a network device receives inferior BPDUs from its designated bridge. It is configured on distribution and core switches. As with UplinkFast, this mechanism does not need to be enabled when RSTP is configured.

Loop Guard

Loop Guard helps prevent bridging loops that could occur because of a unidirectional link failure on a point-to-point link. It detects root ports and blocked ports and ensures that they keep receiving BPDUs from the designated port on the segment. When Loop Guard is enabled, if a root or blocked port stops receiving BPDUs from its designated port, it transitions to the loop-inconsistent blocking state.

Loop Guard can be enabled on a per-port basis. It must be configured on point-to-point links only. When Loop Guard is enabled, it is automatically applied to all active instances or VLANs to which that port belongs. When enabled on an EtherChannel (link bundle) and the first link becomes unidirectional, it blocks the entire channel until the affected port is removed from the channel. Loop Guard cannot be enabled on PortFast ports, dynamic VLAN ports, or Root Guard–enabled switches. It does not affect UplinkFast or BackboneFast operation.

Root Guard

Root Guard prevents a port from becoming a root port or blocked port. When a Root Guard port receives a superior BPDU, the port immediately goes to the root-inconsistent (blocked) state. Root Guard is configured on access switches so that they do not become a root of the spanning tree.

BPDU Guard

BPDU Guard shuts down a port that receives a BPDU, regardless of PortFast configuration. In a valid configuration, PortFast-enabled ports do not receive BPDUs. Reception of a BPDU by a PortFast-enabled port signals an invalid configuration.

BPDU Filter

BPDU Filter prevents a port from sending or receiving BPDUs. It can be configured on a per-port basis. When configured globally, it applies to all operational PortFast ports. Explicitly configuring PortFast BPDU filtering on a port that is not connected to a host can result in bridging loops. If a port configuration is not set to the default configuration, the PortFast setting will not affect PortFast BPDU filtering. When a PortFast port receives a BPDU, it immediately loses its operational PortFast status, BPDU filtering is automatically disabled on the port, and Spanning Tree Protocol resumes sending BPDUs on the port.

To summarize, the following are the recommended practices for Spanning Tree Protocol stability mechanisms:

  • PortFast: Apply PortFast to all end-user ports. To secure PortFast-enabled ports, always combine PortFast with BPDU Guard.
  • Root Guard: Apply Root Guard to all ports where a root is never expected.
  • Loop Guard: Apply Loop Guard to all ports that are or can become nondesignated ports.
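As an added example (not from the book), the following Python model shows how the three stability mechanisms above react to BPDUs, using the 802.1t bridge-ID comparison (priority plus extended system ID, then MAC) to decide whether a BPDU is superior, which is also why lowering a distribution switch's priority makes it root. Bridge IDs, MAC addresses, port names and state names are constructed for illustration.

```python
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768  # 802.1D/802.1t default bridge priority


@dataclass(frozen=True)
class BridgeId:
    """802.1t bridge ID: 4-bit priority + 12-bit extended system ID (the VLAN
    in PVST+), followed by the 48-bit bridge MAC. Lower value = better root."""
    priority: int
    vlan: int
    mac: str

    def __post_init__(self):
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        if not 1 <= self.vlan <= 4094:
            raise ValueError("vlan must be 1..4094")

    def as_int(self) -> int:
        mac_int = int(self.mac.replace(":", "").replace(".", ""), 16)
        return ((self.priority + self.vlan) << 48) | mac_int


def elect_root(bridges):
    """Root election: the lowest bridge ID wins, so lowering a distribution
    switch's priority below the default makes it root regardless of its MAC."""
    return min(bridges, key=BridgeId.as_int)


def is_superior(advertised_root: BridgeId, current_root: BridgeId) -> bool:
    """A BPDU is superior when it advertises a lower root bridge ID than we know."""
    return advertised_root.as_int() < current_root.as_int()


@dataclass
class Port:
    name: str
    role: str = "designated"   # root | alternate | designated
    state: str = "forwarding"  # forwarding | blocking | err-disabled | *-inconsistent
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    loop_guard: bool = False


def receive_bpdu(port: Port, current_root: BridgeId, advertised_root: BridgeId) -> str:
    """Apply the toolkit protections to a BPDU arriving on `port`; return the new state."""
    if port.bpdu_guard:
        # Interface-level BPDU Guard: any BPDU puts the port into err-disabled.
        port.state = "err-disabled"
    elif port.root_guard and is_superior(advertised_root, current_root):
        # Root Guard: a superior BPDU must not turn this port into a root port.
        port.state = "root-inconsistent"
    elif is_superior(advertised_root, current_root):
        # Unprotected port: plain STP accepts the new root and reconverges,
        # and a PortFast port loses its PortFast status.
        port.portfast = False
        port.role, port.state = "root", "forwarding"
    return port.state


def max_age_expired(port: Port) -> str:
    """BPDUs stopped arriving on a root/alternate port (e.g. a unidirectional link)."""
    if port.role in ("root", "alternate"):
        if port.loop_guard:
            port.state = "loop-inconsistent"   # Loop Guard keeps the port blocked
        else:
            port.state = "forwarding"          # legacy behaviour: a bridging loop can form
    return port.state
```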

Table 6-10 summarizes the mechanisms available in Cisco STP Toolkit.

Table 6-10 Mechanisms in Cisco STP Toolkit

Mechanism | Improves Spanning Tree Protocol Performance or Stability? | Description
--- | --- | ---
PortFast | Performance | Bypasses the listening and learning phases to transition directly to the forwarding state. Apply to all end-user ports.
UplinkFast | Performance | Enables fast uplink failover on an access switch.
BackboneFast | Performance | Enables fast convergence in distribution and core layers when Spanning Tree Protocol changes occur.
Loop Guard | Stability | Prevents an alternate or root port from becoming the designated port in the absence of bridge protocol data units (BPDUs).
Root Guard | Stability | Prevents external switches from becoming the root of the Spanning Tree Protocol tree. Apply to all ports where a root is not expected.
BPDU Guard | Stability | Disables a PortFast-enabled port if a BPDU is received.
BPDU Filter | Stability | Suppresses BPDUs on ports.

Unidirectional Link Detection (UDLD) Protocol

Spanning Tree Protocol’s operation relies on the reception and transmission of the bridge protocol data units (BPDUs). If the Spanning Tree Protocol process that runs on a switch with a blocking port stops receiving BPDUs from its upstream (designated) switch on the port, Spanning Tree Protocol eventually ages out the Spanning Tree Protocol information for the port and moves it to the forwarding state. This creates a forwarding loop or Spanning Tree Protocol loop. Packets start to cycle indefinitely along the looped path, and they consume more and more bandwidth. This can possibly lead to a network outage.

A Spanning Tree Protocol loop can occur on fiber networks if an SFP module fails. Unidirectional Link Detection (UDLD) can be configured on a per-port basis on all redundant links. Because Loop Guard does not work on shared links, UDLD should also be configured to prevent loops. UDLD detects unidirectional links on optical fiber links before a forwarding loop is created. Loop Guard and UDLD functionality overlap, partly in the sense that both protect against Spanning Tree Protocol failures caused by unidirectional links.

For UDLD, Cisco recommends enabling UDLD aggressive mode on every fiber-optic interconnection for the best protection, and enabling it in global configuration mode so that it does not have to be configured on each fiber-optic interface individually.

Table 6-11 compares Loop Guard and UDLD functionality.

Table 6-11 Loop Guard and UDLD Comparison

Functionality | Loop Guard | UDLD
--- | --- | ---
Configuration | Per port | Per port
Action granularity | Per VLAN | Per port
Protection against Spanning Tree Protocol failures caused by unidirectional links | Yes, when enabled on all root and alternate ports in a redundant topology | Yes, when enabled on all links in a redundant topology
Protection against Spanning Tree Protocol failures caused by problems in the software (designated switch does not send BPDUs) | Yes | No
Protection against miswiring | No | Yes

Layer 2 Security

Cisco provides several Layer 2 security technologies to secure the network infrastructure against various types of attacks. These include Spanning Tree Protocol (STP) security, port security, and VLAN Access Control List (VACL) security.

  • STP Security: STP is a Layer 2 protocol that is used to prevent loops in the network topology by blocking redundant paths. However, attackers can exploit this protocol by introducing fake bridge protocol data units to manipulate the STP topology and create a denial-of-service (DoS) attack. To prevent this, Cisco provides STP security mechanisms such as BPDU Guard, Root Guard, and Loop Guard. Although they were covered in a previous section, they are included here for completeness:
    • BPDU Guard: This feature disables the port if any BPDU from an unauthorized switch is received, preventing the attacker from manipulating the STP topology. If a BPDU is received on a PortFast-enabled port, the port is disabled.
    • Root Guard: This feature prevents unauthorized switches from becoming the root bridge by configuring a trusted root bridge for the network.
    • Loop Guard: This feature detects and prevents loops in the network by monitoring the arrival of BPDUs.
  • Port Security: Port security is a feature that restricts the access of devices to the network by binding the MAC addresses of authorized devices to the switch ports. This helps prevent unauthorized devices from accessing the network and protects against MAC spoofing attacks. Cisco provides various port security mechanisms, such as the following:
    • Static MAC address: This feature allows the switch to learn the MAC address of a device connected to a port and restricts other devices from accessing that port.
    • Sticky MAC address: This feature allows the switch to dynamically learn the MAC address of a device connected to a switchport and save it in the configuration. When a device is connected and the MAC address is dynamically learned for the switchport, it is permanently assigned to that port. When a new device is then attached to this switchport, it is denied by the switch.
    • MAC address limit: This feature limits the number of MAC addresses that can be learned on a port. By default, at least one MAC address per port can be secured. In addition to this default, a global resource of up to 1024 MAC addresses is available to be shared by the ports.
    • Port security age time: This feature specifies how long all addresses on that port will be secured. After the age time expires for a MAC address, the entry for that MAC address on the port is removed from the secure address list.
  • VACL Security: VACLs are similar to access control lists (ACLs) but are applied to VLANs instead of interfaces. VACLs are used to filter traffic based on Layer 2, 3, or 4 criteria and can be used to protect against various types of attacks, such as MAC flooding, VLAN hopping, and DHCP spoofing. Cisco provides the following VACL security mechanism:
    • VLAN access lists and maps: This feature allows the switch to filter traffic based on VLANs and provides granular control over the traffic. VACLs can provide access control for all packets that are bridged within a VLAN or that are routed into or out of a VLAN or a WAN interface for VACL capture. Unlike Cisco IOS ACLs, which are applied to routed packets only, VACLs apply to all packets and can be applied to any VLAN or WAN interface. VLAN maps allow the switch to map specific VLANs to different actions, such as permit or deny, based on the MAC or IP addresses. Each VLAN access map can consist of one or more map sequences; each sequence has a match clause and an action clause. The match clause specifies IP or MAC ACLs for traffic filtering, and the action clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry, the associated action is taken, and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it is checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.

In summary, Cisco provides several Layer 2 security technologies, such as STP security, port security, and VACL security, which can be used to protect the network infrastructure against various types of attacks. These features can be configured on Cisco switches to enhance the security posture of the network.
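The VLAN access-map evaluation rules described above (permit match takes the sequence's action and stops; deny match or no match moves on; no permit anywhere is a drop when an ACL of that packet type exists), as an added Python model that is not from the book. The ACL and map names and addresses are constructed, and forwarding a flow whose packet type has no ACL configured is an assumption the page only states by implication.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    kind: str          # "ip" or "mac": the packet type an ACL applies to
    src: str
    dst: str


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    src: str = "any"   # "any", an IP prefix, or a MAC address
    dst: str = "any"


def _field_matches(pattern: str, value: str, kind: str) -> bool:
    if pattern == "any":
        return True
    if kind == "ip":
        return ip_address(value) in ip_network(pattern, strict=False)
    return pattern.lower() == value.lower()


@dataclass(frozen=True)
class Acl:
    name: str
    kind: str          # "ip" or "mac"
    entries: tuple     # AclEntry objects, evaluated in order

    def lookup(self, flow: Flow) -> Optional[bool]:
        """First matching entry decides: True (permit), False (deny), None (no match)."""
        for e in self.entries:
            if (_field_matches(e.src, flow.src, self.kind)
                    and _field_matches(e.dst, flow.dst, self.kind)):
                return e.permit
        return None


@dataclass(frozen=True)
class MapSequence:
    seq: int
    action: str        # "forward" or "drop"
    match: tuple       # ACLs named in the match clause


def evaluate_vlan_map(access_map: List[MapSequence], flow: Flow) -> str:
    """A permit match takes the sequence's action and stops; a deny match or no
    match continues with the next ACL or sequence; if no permit matched anywhere
    and any ACL of this packet type is configured, the flow is dropped."""
    configured = any(acl.kind == flow.kind for s in access_map for acl in s.match)
    for seq in sorted(access_map, key=lambda s: s.seq):
        for acl in seq.match:
            if acl.kind == flow.kind and acl.lookup(flow) is True:
                return seq.action
    return "drop" if configured else "forward"   # forward-if-unconfigured is assumed


# Constructed map for VLAN 10: drop the guest subnet except one exempt host.
GUEST_SUBNET = Acl("GUEST-SUBNET", "ip", (
    AclEntry(permit=False, src="10.1.10.200/32"),   # deny entry: exempt from this sequence
    AclEntry(permit=True, src="10.1.10.0/24"),
))
ANY_IP = Acl("ANY-IP", "ip", (AclEntry(permit=True),))
VLAN10_MAP = [
    MapSequence(10, "drop", (GUEST_SUBNET,)),
    MapSequence(20, "forward", (ANY_IP,)),
]
```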

Campus LAN Design and Best Practices – Advanced Enterprise Campus Design

LANs can be classified as large-building LANs, campus LANs, or small and remote LANs. A large-building LAN typically contains a major data center with high-speed access and floor communications closets; it is usually the headquarters in a larger company. Campus LANs provide connectivity between buildings on a campus. Redundancy is usually a requirement in large-building and campus LAN deployments. Small and remote LANs provide connectivity to remote offices with a relatively small number of nodes.

Campus design factors include the following categories:

  • Network application characteristics: Different application types
  • Infrastructure device characteristics: Layer 2 and Layer 3 switching and hierarchy
  • Environmental characteristics: Geography, wiring, distance, space, power, and number of nodes

Network Requirements for Applications

A business dictates which applications need to be used, and the network must be able to support them. Applications may require high bandwidth or may be time sensitive. Infrastructure devices influence the design. Decisions on switched or routed architectures and port limitations influence the design. The actual physical distances affect the design. The selection of copper or fiber media may be influenced by the environmental or distance requirements. Table 7-2 describes different application types.

Table 7-2 Application Types

Application Type | Description
--- | ---
Peer-to-peer | Peer-to-peer applications include instant messaging, file sharing, IP phone to IP phone, and video conferencing.
Client/local servers | Servers are located in the same segment as the clients or close by, normally on the same LAN. According to the legacy 80/20 workgroup rule, 80% of traffic is local, and 20% is not local. This rule is not followed today.
Client/data center | Mail servers, file servers, database servers, and business applications are located in the data center. The network needs to be reliable and provide adequate bandwidth to the data center.
Client/enterprise edge | External servers such as mail, web, business-to-business (B2B), and public servers are located in the enterprise edge, where off-net connectivity is located.

There is a wide range of network requirements for applications, depending on the application type. Networks today are switched and not shared. Data centers require high-capacity links to the servers and redundant connections on the network to provide high availability. With servers now located in data centers, the 20/80 rule is applied. With 20/80, 20% of traffic is local traffic, and 80% of the traffic communicates with servers in the data center.

Costs are lower for peer-to-peer applications and become higher for applications that traverse the network with high redundancy. Table 7-3 summarizes network requirements for applications.

Table 7-3 Network Requirements for Application Types

Requirement | Peer-to-Peer | Client/Local Servers | Client/Data Center | Client/Enterprise Edge
--- | --- | --- | --- | ---
Connectivity type | Switched | Switched | Switched | Switched
Throughput required | Medium to high | Medium | High | Medium
Availability | Low to high | Medium | High | High
Network costs | Low to medium | Medium | High | Medium

Best Practices for Hierarchical Layers

Each layer of the hierarchical architecture requires special considerations. The following sections describe best practices for each of the three layers of the hierarchical architecture: access, distribution, and core.

Access Layer Best Practices

When designing the building access layer, you must consider the number of users or ports required to size the LAN switch. Connectivity speed for each host should also be considered. Hosts might be connected using various technologies, such as Fast Ethernet, Gigabit Ethernet, and port channels. The planned VLANs enter into the design as well.

Performance in the access layer is also important. Redundancy and QoS features should be considered.

There are several options for the access layer architectures:

  • Traditional Layer 2 access layer design
  • Updated Layer 2 access layer design
  • Layer 3 access layer design
  • Hybrid access layer design

Traditional Layer 2 Access Layer

Figure 7-1 shows the traditional Layer 2 access layer. This is the de facto model that has been used for years, where VLANs are defined in the distribution switches, HSRP gateways are configured for the VLANs with active and standby, and the Spanning Tree Protocol root bridge is configured. The access switch is configured as a Layer 2 switch that forwards traffic via trunk ports to the distribution switches. There is no load balancing because Spanning Tree Protocol blocks one of the uplink trunks, so only one uplink is active for each VLAN.

Figure 7-1 Traditional Layer 2 Access Layer Design

Distribution layer switches act as default gateways. Layer 3 links are used between the core and distribution switches with a routing protocol.

Updated Layer 2 Access Layer (Using VSS)

Figure 7-2 shows the updated Layer 2 access layer. In this model, the distribution switches are still the demarcation between the Layer 2 and Layer 3 boundaries. The difference now is that Virtual Switching System (VSS) is configured in the distribution layer. With VSS, the physical distribution switch pair is merged into a virtual switch. VSS is supported on Cisco 4500, 6500, and 6800 Series switches. With VSS, both access switch uplinks are used, doubling the bandwidth from access switches to the distribution pair. The bundled pair is called a Multichassis EtherChannel (MEC), and it creates a loop-free topology. With Gigabit Ethernet uplinks, you have 2 Gbps of uplink bandwidth, and with 10 Gigabit Ethernet uplinks, you have 20 Gbps of uplink bandwidth.

Figure 7-2 Updated Layer 2 Access Layer Design

When VSS is used, there is no need for a first-hop redundancy protocol (FHRP) such as HSRP. This solution provides faster convergence and higher uplink bandwidth than the traditional Layer 2 access design.

Layer 3 Access Layer

Figure 7-3 shows the Layer 3 access layer. With this design model, the Layer 3 demarcation is pushed to the access layer. The access layer switches have VLANs defined and act as the default gateways. Notice that VLANs are not able to span access switches.

Figure 7-3 Layer 3 Access Layer Design

Layer 3 links are now used from the access layer to the distribution switches and on to the core. In this solution, the access layer switches act as default gateways and participate in routing, so there is no need for an FHRP such as HSRP.

Hybrid Access Layer

The hybrid access layer combines Layer 2 switching with Layer 3 routing at the access layer. In this design, some VLANs are defined in the access layer and others in the distribution layer. There are Layer 3 and Layer 2 links between the distribution switches and the access switches. With the Layer 2 links, Spanning Tree Protocol is still in the network. This design is not the preferred design because it has the added complexity of mixed Layer 2 and Layer 3 access layers per VLAN, but it is often implemented anyway for various reasons. One reason might be sensor or security devices that require a shared VLAN. The disadvantage is that Spanning Tree Protocol is enabled on these VLANs.

Access Layer Designs

Table 7-4 summarizes the access layer designs.

Table 7-4 Access Layer Designs

Access Layer Design Model | Description
--- | ---
Traditional Layer 2 access layer | Layer 2 switch forwards traffic via trunk ports to distribution switches. Spanning Tree Protocol blocks one of the uplink trunks.
Updated Layer 2 access layer | Uses VSS and MEC to provide additional uplink bandwidth.
Layer 3 access layer | Layer 3 SVIs are defined in the access layer, and there is no need for an FHRP.
Hybrid access layer | Layer 3 routing in the access layer and in the distribution layer.

The following are the recommended best practices for the building access layer:

  • Limit VLANs to a single closet when possible to provide the most deterministic and highly available topology.
  • Use Rapid Per-VLAN Spanning Tree Plus (RPVST+) if Spanning Tree Protocol is required. It provides faster convergence than traditional 802.1D default timers.
  • Set trunks to ON and ON with no-negotiate.
  • Prune unused VLANs to avoid broadcast propagation; this is commonly done on the distribution switch. VLAN Trunking Protocol (VTP) version 2 and version 3 automatically prune unused VLANs.
  • Use VTP Transparent mode because there is little need for a common VLAN database in hierarchical networks.
  • Disable trunking on host ports because it is not necessary. Doing so provides more security and speeds up PortFast.
  • Consider implementing routing in the access layer to provide fast convergence and Layer 3 load balancing.
  • Use the switchport host command on server and end-user ports to enable PortFast and disable channeling on these ports. Alternatively, you can use the spanning-tree portfast default global command.
  • Use the Cisco STP Toolkit, which provides the following tools:
    • PortFast: Bypasses the listening/learning phase for access ports.
    • Loop Guard: Prevents an alternate or root port from becoming designated in the absence of bridge protocol data units (BPDUs).
    • Root Guard: Prevents external switches from becoming root.
    • Design Strategy: Used to design a Spanning Tree Protocol priority strategy with the highest priorities hardcoded at the top layers of the Spanning Tree Protocol tree.
    • BPDU Guard: Disables a PortFast-enabled port if a BPDU is received.

Stacking Access Switches

Stacking is a method of joining multiple physical access switches into a single logical switch. Switches are interconnected by StackWise interconnect cables, and a master switch is selected. The switch stack is managed as a single object and uses a single IP management address and a single configuration file. This reduces management overhead. Furthermore, the switch stack can create an EtherChannel connection, and uplinks can form MECs with an upstream VSS distribution pair.

Distribution Layer Best Practices

As shown in Figure 7-4, the distribution layer aggregates all closet switches and connects to the core layer. Design considerations for the distribution layer include providing wire-speed performance on all ports, link redundancy, and infrastructure services.

Figure 7-4 Distribution Layer

The distribution layer should not be limited in terms of performance. Links to the core must be able to support the bandwidth used by the aggregate access layer switches. Redundant links from the access switches to the distribution layer and from the distribution layer to the core layer allow for high availability in the event of a link failure. Infrastructure services include quality-of-service (QoS) configuration, security, and policy enforcement. Access lists are configured in the distribution layer.

The following are recommended best practices at the distribution layer:

  • Use first-hop redundancy protocols (FHRPs). Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), or Gateway Load Balancing Protocol (GLBP) should be used if you implement Layer 2 links between the Layer 2 access switches and the distribution layer.
  • Use Layer 3 routing protocols between the distribution and core switches to allow for fast convergence and load balancing.
  • Only peer on links that you intend to use as transit.
  • Build Layer 3 triangles, not squares, as shown in Figure 7-5.


Figure 7-5 Layer 3 Triangles

  • Use the distribution switches to connect Layer 2 VLANs that span multiple access layer switches.
  • Summarize routes from the distribution to the core of the network to reduce routing overhead.
  • Use Virtual Switching System (VSS) to eliminate the use of Spanning Tree Protocol and the need for an FHRP.

Core Layer Best Practices

Depending on the network’s size, a core layer might or might not be needed. For larger networks, building distribution switches are aggregated to the core. This is called a collapsed core. This core layer provides high-speed connectivity to the server farm or data center and to the enterprise edge (to the WAN and the Internet).

Figure 7-6 shows the criticality of the core switches. The core must provide high-speed switching with redundant paths for high availability to all the distribution points. The core must support gigabit speeds and data and voice integration.

Figure 7-6 Core Switches

The following are best practices for the campus core:

  • Reduce switch peering by using redundant triangle connections between switches.
  • Use routing that provides a loop-free topology.
  • Use Layer 3 switches on the core that provide intelligent services that Layer 2 switches do not support.
  • Use two equal-cost paths to every destination network.

Campus Layer Best Practices

Table 7-5 summarizes campus layer best practices.

Table 7-5 Campus Layer Design Best Practices

Layer | Best Practices
--- | ---
Access layer | Limit VLANs to a single closet, when possible, to provide the most deterministic and highly available topology.
 | Use RPVST+ if Spanning Tree Protocol is required. It provides the best convergence.
 | Set trunks to ON and ON with no-negotiate.
 | Manually prune unused VLANs to avoid broadcast propagation.
 | Use VTP Transparent mode because there is little need for a common VLAN database in hierarchical networks.
 | Disable trunking on host ports because it is not necessary. Doing so provides more security and speeds up PortFast.
 | Consider implementing routing in the access layer to provide fast convergence and Layer 3 load balancing. Or use the Updated Layer 2 access layer design with VSS.
 | Use Cisco STP Toolkit, which provides PortFast, Loop Guard, Root Guard, and BPDU Guard.
Distribution layer | Use first-hop redundancy protocols. HSRP, VRRP, or GLBP should be used if you implement Layer 2 links between the access and distribution.
 | Use Layer 3 links between the distribution and core switches to allow for fast convergence and load balancing.
 | Build Layer 3 triangles, not squares.
 | Use the distribution switches to connect Layer 2 VLANs that span multiple access layer switches.
 | Summarize routes from the distribution layer to the core layer of the network to reduce routing overhead.
 | Use VSS or StackWise Virtual between distribution devices as an option to eliminate the use of Spanning Tree Protocol.
Core layer | Reduce switch peering by using redundant triangle connections between switches.
 | Use routing that provides a topology with no spanning-tree loops.
 | Use Layer 3 switches that provide intelligent services that Layer 2 switches do not support.
 | Use two equal-cost paths to every destination network.

VTP Considerations

VLAN Trunking Protocol (VTP) is a Cisco-proprietary protocol that enables central management of the VLAN database. Implementations of VTPv1 and VTPv2 were unstable, causing the whole LAN network to go down in the event that a higher revision switch was inserted into the network. The best practice is to configure all switches in a VTPv2 domain in Transparent mode. In this mode, all VLAN changes are local.

VTP version 3 eliminated the instabilities of the previous versions. However, VTPv3 is compatible with VTPv2 only if you do not use it to propagate private or extended VLANs. VTPv3 is not enabled by default; if desired, it must be explicitly configured on switches running VTPv2.