PVLAN and VTP

ty.masse
Level 1

We have a network with two 6509s and about 50 switches. Each switch is on a different VLAN. The two 6509s are VTP servers and all other switches are clients. We have a VTP domain.

We have a network upgrade coming up with the same types and amount of switches. I want to secure my DMZ more tightly by implementing PVLAN so the hosts on that segment can't talk to each other. But PVLAN requires VTP to be in Transparent mode. I would be running VTP version 2.

My question is: Should I set the first core to be server, and all other switches including the second core to be transparent?

What ramification would that have on Trunking, and each switch being on a different VLAN?

Thanks

3 Replies

raj_kn7
Level 1

Hi,

Leaving all other switches as clients and the 6500 switch as a server is not an issue. Only take the switch which has to get configured with PVLANs to transparent mode.

If the 6500 switch has to be configured with PVLAN, then it has to act in a transparent mode and hence the client switches cannot get terminated to the 6500 switch where the PVLAN has been configured.

Once the switch is brought to transparent mode it stops propagating BPDUs to the clients. The transparent switch just listens and updates info about the network but does not send.

Regards

Hi,

you are not correct with "Once the switch is brought to transparent mode it stops propagating BPDUs to the clients."

You probably meant VTP updates (BPDUs are an STP term). But in VTP version 2, transparent switches do forward VTP advertisements that they receive out their trunk interfaces.

See

http://www.cisco.com/warp/public/473/185.pdf

for details and much other useful information.

Generally, moving a switch to the transparent mode might cause a trunk problem.

If trunk negotiation is used, the VTP domain must match on both trunk sides. See the DTP part of the document mentioned above.

I'm not sure what happens when you change the VTP mode to transparent when the trunk had been negotiated already. But I'd change all trunks on the switch (and opposite sides) to nonegotiate before moving the switch to transparent mode for sure (they will go down/up when being changed to nonegotiate, probably).

Regards,

Milan
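As an added illustration (not configuration from anyone in this thread) of the order of operations Milan describes on one IOS-based DMZ switch: trunks are pinned to nonegotiate on both ends first so they no longer depend on DTP and the VTP domain name, only then is the switch moved to transparent mode, and the isolated private VLAN is defined locally with the router uplink as the promiscuous port. Interface names and VLAN numbers 200/201 are assumed.

```cisco
! Step 1: on the DMZ switch AND on the peer at the far end of each trunk,
! hard-code the trunk so DTP (which compares VTP domain names) is not used.
interface GigabitEthernet1/1
 description uplink to core (assumed interface name)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
! Step 2: only after every trunk is nonegotiate, leave client mode.
vtp mode transparent
!
! Step 3: define the private VLAN pair locally (assumed VLAN numbers);
! a transparent switch does not learn these from the VTP servers.
vlan 200
 name DMZ-primary
 private-vlan primary
 private-vlan association 201
!
vlan 201
 name DMZ-isolated
 private-vlan isolated
!
! Step 4: DMZ hosts sit in the isolated VLAN, so they can reach only
! the promiscuous port and never each other at layer 2.
interface range GigabitEthernet2/1 - 24
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Step 5: the port toward the DMZ router or firewall is promiscuous and
! is mapped to the isolated VLAN so it can talk to all hosts.
interface GigabitEthernet2/48
 switchport
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
```

Because the switch is transparent, VLANs 200 and 201 are not advertised by VTP; any other switch that must carry the primary VLAN across a trunk has to have them created by hand.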

I have a follow up question.

It looks like PVLAN, since it's really per switch, is not really conducive to a distributed environment such as ours.

But, how about VACL? If I set up a VACL on a vlan, can I prevent the hosts within that VLAN from talking to each other, and only talk to the router for outbound traffic?

Thanks,
