I would like to split out my vlan so that there are 2 groups of hosts that can communicate within the group and with hosts outside the vlan, but not with each other. I think that I need to keep the existing vlan as the primary and create 2 new vlans as secondary community. I need to create the appropriate vlan associations and vlan interface mappings, and then assign each switchport to the desired secondary vlan (with host-association command etc). I don't need to re-address any hosts, as they can all stay in the same subnet.
There are 4 switches, running vtp (one server, 3 clients), and one switch connects to a pix firewall.
-Do I require a promiscuous port? Would it be necessary on the pix interface?
-As PVLANS aren't carried in VTP, how can I configure them on VTP clients? Do I have to switch them to transparent?
-Is it correct that hosts from one secondary VLAN could not communicate with hosts from the other secondary VLAN at all? Or will the presence of a layer 3 device mean that traffic is routed? Would I need a VACL to control traffic?
Is there anything else that I need to consider?
Many thanks, J
1) You would still need a promiscuous port if you needed hosts within your private vlan to communicate with hosts outside of your private vlan.
If you only had one vlan and just wanted to segregate hosts within that vlan then you could just create your community vlans without a promiscuous port.
If you are using a multilayer switch instead of a pix firewall for the intervlan communication you would generally make the routed SVI the promiscuous port.
2) Not sure I understand what you need here. If you are trying to control how hosts talk to each other within the same vlan then that is what you are doing by using private vlans.
Could you elaborate?
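For readers following the thread, here is an added example (not the poster's or the answerer's configuration) of the private VLAN layout discussed above on a Catalyst running Cisco IOS: the existing VLAN as primary, two community secondaries, host ports in each community, and a promiscuous port toward the firewall. VLAN IDs 100/101/102 and all interface names are constructed.

```cisco
! Added example, not from the thread. VLAN IDs and interface names are constructed.
! Repeat this on EVERY switch: with VTP version 1 or 2, private VLANs are not
! propagated, and the switch must be in transparent mode to accept the commands.
vtp mode transparent
!
! The existing VLAN becomes the primary; the two communities are its secondaries.
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan community
vlan 102
 private-vlan community
!
! Host ports: choose the community each host belongs to. Hosts keep their IP
! addresses; the separation is enforced at layer 2 inside the one subnet, so
! frames between community A and community B are dropped by the switch and,
! being same-subnet traffic, are never sent to the firewall to be routed.
interface GigabitEthernet0/1
 description host in community A
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet0/2
 description host in community B
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port toward the PIX: both communities may reach it, so traffic
! to hosts outside the VLAN still works without re-addressing anything.
interface GigabitEthernet0/24
 description uplink to PIX
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Trunks between the four switches must carry the primary and both secondaries.
interface GigabitEthernet0/23
 description trunk to next switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100-102
!
! If a multilayer switch routed this subnet instead of the PIX, the SVI would
! take the promiscuous role as the answer above describes:
!  interface Vlan100
!   private-vlan mapping 101,102
```

Verify with `show vlan private-vlan` on each switch that every primary/secondary pair and port type appears as intended before cutting hosts over.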