07-13-2004 07:31 AM - edited 03-02-2019 05:02 PM
We have a network with two 6509s and about 50 switches. Each switch is on a different VLAN. The two 6509s are VTP servers and all other switches are clients. We have a VTP domain.
We have a network upgrade coming up with the same types and amount of switches. I want to secure my DMZ more tightly by implementing PVLAN so the hosts on that segment can't talk to each other. But PVLAN requires VTP to be in Transparent mode. I would be running VTP version 2.
My question is: Should I set the first core to be server, and all other switches including the second core to be transparent?
What ramification would that have on Trunking, and each switch being on a different VLAN?
Thanks
07-13-2004 11:36 PM
Hi,
Leaving all other switches as clients and the 6500 switch as a server is not an issue. Only take the switch which has to get configured with PVLANs to transparent mode.
If the 6500 switch has to be configured with PVLAN, then it has to act in transparent mode and hence the client switches cannot be terminated on the 6500 switch where the PVLAN has been configured.
Once the switch is brought to transparent mode it stops propagating BPDUs to the clients. The transparent switch just listens and updates info about the network but does not send.
Regards
07-14-2004 12:49 AM
Hi,
you are not correct with "Once the switch is brought to transparent mode it stops propagating BPDUs to the clients."
You probably meant VTP updates (BPDUs are an STP term). But in VTP version 2, transparent switches do forward VTP advertisements that they receive out their trunk interfaces.
See
http://www.cisco.com/warp/public/473/185.pdf
for details and much other useful information.
Generally, moving a switch to the transparent mode might cause a trunk problem.
If trunk negotiation is used, the VTP domain must match on both trunk sides. See the DTP part of the document mentioned above.
I'm not sure what happens when you change the VTP mode to transparent when the trunk had already been negotiated. But I'd change all trunks on the switch (and opposite sides) to nonegotiate before moving the switch to transparent mode for sure (they will go down/up when being changed to nonegotiate, probably).
Regards,
Milan
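Milan's advice above, written out as an added configuration example that is not from the thread: on a native-IOS Catalyst, pin the trunks to nonegotiate on both ends, move only the DMZ switch to VTP transparent, then build the isolated private VLAN. The VTP domain name, VLAN IDs 200/201 and the interface names are assumptions.

```cisco
! Step 1 (apply on BOTH ends of every trunk on the DMZ switch): pin the trunk
! so DTP is no longer consulted and a VTP-domain mismatch cannot drop it.
interface GigabitEthernet1/1
 description Trunk to core 6509
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
! Step 2: take only the DMZ switch out of client mode. Keep the existing
! domain name (EXAMPLE-DOMAIN is a placeholder). In VTP v2 a transparent
! switch still relays advertisements received on its trunks, so clients
! behind it keep receiving the servers' VLAN database.
vtp domain EXAMPLE-DOMAIN
vtp version 2
vtp mode transparent
!
! Step 3: the private VLAN. Hosts in isolated VLAN 201 can reach only the
! promiscuous port, never each other.
vlan 200
 private-vlan primary
 private-vlan association 201
!
vlan 201
 private-vlan isolated
!
! DMZ host ports: isolated members of primary 200 / secondary 201.
interface range GigabitEthernet2/1 - 20
 description DMZ hosts
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Port toward the router/firewall: promiscuous, so it can reach every host.
interface GigabitEthernet2/24
 description Uplink to DMZ router
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Verification after the change:
!   show vtp status          -> VTP Operating Mode : Transparent
!   show interfaces trunk    -> trunks still up, Mode "on"
!   show vlan private-vlan   -> 200 primary / 201 isolated with ports listed
```

Because the private VLAN lives only in the transparent switch's local database, the same `vlan 200`/`vlan 201` definitions must be repeated on every switch that carries those VLANs.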
07-15-2004 07:51 AM
I have a follow up question.
It looks like PVLAN, since it's really per switch, is not really conducive to a distributed environment such as ours.
But, how about VACL? If I set up a VACL on a vlan, can I prevent the hosts within that VLAN from talking to each other, and only talk to the router for outbound traffic?
Thanks,