Jun 27th, 2010

hi! I have a setup similar to the diagram in the attached file.

My core switch has its own VTP domain, and VLAN 210 (the transit VLAN) is part of VTP domain abc on the core switch. I have another switch on the production network which is configured with VLAN 45 (not part of the abc VTP domain). I'm not too sure what the setup of the firewall is. Currently I can ping hosts on the production network. I have a static route from my core switch to the production network.

My questions are:

1) Why do I need a "transit VLAN" here?

2) Can I create VLAN 45 in VTP domain abc and use that VLAN/network segment on the core switch?

3) Through the firewall, can I use VLAN 45 in my corporate network, which is on the core switch?

One question which might not be related to the questions above: within a switch itself, can I create a VTP domain and then create another VLAN on that switch without joining that particular VLAN to the VTP domain? Or can I have multiple VTP domains within a single switch?


Giuseppe Larosa Sun, 06/27/2010 - 12:28

Hello Dave,

If the firewall works at layer 3 (its interfaces have IP addresses in different IP subnets, and this is quite common), then you cannot extend VLAN 45 from VTP domain abc to the production network, or the firewall can be bypassed!!!

I think that the current setup is correct from the point of view of security, and I would not attempt to change it for the reasons explained above.

Hope to help

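The design Giuseppe describes, as an added configuration example that is not from the original thread or from Cisco's documentation: the core switch owns the transit VLAN 210 and reaches the production network only through a static route whose next hop is the firewall's transit-side address, while VLAN 45 exists only on the production switch behind the firewall. All IP addresses, interface names and the production prefix are constructed assumptions (RFC 5737 documentation ranges); VLAN 210, VLAN 45 and VTP domain abc come from the thread.

```cisco
! ===== Core switch (VTP domain abc) =====
! Constructed example; addresses and interface names are assumptions.
vtp domain abc
vtp mode server
!
vlan 210
 name TRANSIT-TO-FIREWALL
!
! The transit VLAN exists only to carry a point-to-point routed hop
! between the core and the firewall's inside interface.
interface Vlan210
 description Transit VLAN toward firewall inside interface
 ip address 192.0.2.1 255.255.255.248
 no shutdown
!
interface GigabitEthernet1/0/1
 description Link to firewall inside interface (assumed port)
 switchport mode access
 switchport access vlan 210
!
ip routing
!
! Production network (assumed 198.51.100.0/24, VLAN 45 behind the firewall)
! is reachable ONLY via the firewall's transit-side address 192.0.2.2,
! so every packet between corporate and production is inspected.
ip route 198.51.100.0 255.255.255.0 192.0.2.2
!
! ===== Production switch (outside VTP domain abc) =====
! Transparent mode keeps VLAN 45 local to this switch and stops it from
! being advertised into (or overwritten by) domain abc.
vtp mode transparent
!
vlan 45
 name PRODUCTION
!
interface GigabitEthernet1/0/1
 description Link to firewall outside/production interface (assumed port)
 switchport mode access
 switchport access vlan 45
```

Why VLAN 45 must not also be created on the core and trunked across: if the same layer 2 broadcast domain existed on both switches, a corporate host could be placed directly in VLAN 45 and reach production hosts without the traffic ever crossing the firewall's routed hop, which is the bypass Giuseppe warns about. Two checks confirm the intended separation: `show ip route 198.51.100.0` on the core should list 192.0.2.2 as the only next hop, and `show vlan brief` on the production switch should show VLAN 45 but no VLAN 210 (and on the core, VLAN 210 but no VLAN 45).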

dlee_gmail Tue, 06/29/2010 - 08:55

hi! Does that mean that (a VLAN behind the firewall being part of the core's VTP domain) can be done? If I were to "bypass" the router, will I still be able to apply rules as per usual? Does that mean that if bypass mode (same IP range on the inside and outside) can be done, the VLAN behind the firewall can be part of the core switch's VTP domain?

Another question I would like to find out about the firewall: if I were to use a flat network (e.g. 10.34.10.0/24) within my internal LAN, can I have 2 WAN links out with firewalls (Checkpoint firewalls) configured on each of these WAN links (ADSL to corporate and optical to the internet)?

Will it make any difference if I have only one VLAN within my internal network compared to no VLAN configured, since I only have one network segment? Are any changes to the routes required?
