Frank Henderson Mon, 02/18/2008 - 09:57
VLANs can't communicate with other VLANs unless they are routed through a router.

Mr. Swami,

You can take help of VACLs or VLAN access maps in order to prevent one VLAN's communication with another VLAN. You have to decide very carefully to what extent you need isolation between/among VLANs. You have to design the access-lists as per your requirements. Apply all VACL/access-map related commands on your layer 3 device, which is actually responsible for inter-VLAN routing. Have a look at it:


arumugasamy Tue, 02/19/2008 - 11:09
Dear Gaurav,

I received the audit report about my branch network from our HO. They said that the spanning tree is not configured correctly.

Could you tell me the best practice to optimize the STP for the banking environment?

2 core switches, 4507R, with 3750s as edge switches. Internet access through a PIX and a 3800 series router is provided. Total 6 floors, with each floor in a separate VLAN.



Hello Swami,

Kindly let me know the topology of your switches and how they are connected. Moreover, make sure of the following configs in your LAN:

1. Make one of the core switches the ROOT bridge and the other one the secondary root bridge for a particular VLAN (for all VLANs separately).

2. Configure the root guard option on all access/edge switches (3750 here).

3. All PC/laptop/server connected ports can be configured with portfast and bpduguard.

4. On all distribution layer switches, configure uplinkfast.

5. Configure backbonefast on all core and distribution switches.

Kindly share your topology with us so that we may understand your needs.

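The five steps above written out as an IOS configuration, as an added example and not the poster's actual config: hostnames, the VLAN numbers 10-60 (one per floor) and the interface numbers are assumed. It also adds the verification commands and the one-line RSTP alternative Bill mentions below.

```cisco
! --- CORE-1 (4507R, assumed hostname): step 1, primary root for all floor VLANs ---
spanning-tree mode pvst
spanning-tree vlan 10-60 root primary
! step 5: backbonefast on the cores
spanning-tree backbonefast
!
! --- CORE-2 (4507R): step 1, secondary root, takes over if CORE-1 fails ---
spanning-tree mode pvst
spanning-tree vlan 10-60 root secondary
spanning-tree backbonefast
!
! --- EDGE-3 (3750, assumed hostname): access switch for floor 3, VLAN 30 ---
spanning-tree mode pvst
! steps 4/5: uplinkfast only helps a non-root switch with redundant uplinks,
! so in a two-core/edge topology with no distribution layer it goes here
spanning-tree uplinkfast
spanning-tree backbonefast
!
! step 3: host ports; a port that ever receives a BPDU is err-disabled
! rather than being allowed to join the topology
interface range GigabitEthernet1/0/1 - 44
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! step 2: root guard on ports facing downstream switches (assumed cabinet
! switches on Gi1/0/45-46); a superior BPDU from below can never move the
! root away from the core. Never put it on the uplinks toward the root.
interface range GigabitEthernet1/0/45 - 46
 switchport mode access
 switchport access vlan 30
 spanning-tree guard root
!
! uplinks to CORE-1 / CORE-2: plain dot1q trunks, no guard, no portfast
interface range GigabitEthernet1/0/47 - 48
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! verification on any switch: the root ID for every VLAN should carry
! CORE-1's bridge address, and "Root Guard"/"BPDU Guard" should be listed
show spanning-tree vlan 30
show spanning-tree summary
!
! alternative (Bill's suggestion): replace "spanning-tree mode pvst" with
! "spanning-tree mode rapid-pvst" on every switch; uplinkfast and
! backbonefast are then unnecessary, since RSTP converges quickly by itself
```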

williamwalla Tue, 02/19/2008 - 17:51
I agree with Gaurav. But it might be simpler, instead of uplinkfast, etc., to implement Rapid Spanning-Tree on all the switches.

arumugasamy Tue, 02/19/2008 - 21:53
The topology of the network is not publishable since this belongs to an international bank.

Let me explain the topology as below.

2 core 4507Rs with dual fiber to each cabinet IDF. A separate VLAN on the core switch is connected to the PIX firewall, and the firewall is connected to the edge Internet router for the leased line and branch office connectivity.

We need to optimize the internal LAN only.

I accept Gaurav's suggestions to implement the STP. Also I would like to implement MST as per the RFP of the bank.

Please give me your last advice on this issue before giving the customer the proposal.



Dear Swami,

STP (MST/RSTP/PVST/PVST+ etc.) is more concerned with the LAN, so kindly let us know how the core switches and the other LAN switches (edge/access switches) are connected. My impression is that you have 2 core switches and some 3750 switches all connected in a mesh scenario.

Yes, as Bill said, RSTP would give exactly the same services with less headache.

MST is nothing but mapping of more than one PVST/PVST+ instance to one MST instance.

Have a look at it:


arumugasamy Thu, 02/21/2008 - 10:35
You are correct. We have 2 core switches and all the edge switches are connected to both the core switches with dot1q trunks. HSRP is not yet configured. I need to configure the STP optimization as you advise, and MHSRP etc.

Please advise me on the procedures to follow.



