Consider the following scenario
h1------sw1---trunk-----sw2--------rest of network
vtp is on, sw1 is vtp server, sw2 is vtp client.
We want to stop traffic from h1 to h2 using private vlans. We want to configure vlan 2 as the primary vlan as shown below:
One of the videos I was watching says the above command will be rejected, because we must configure sw1 in vtp transparent mode first.
1) Is that correct?
Can we bypass this limitation as described below?
Let's say we configure vlan 2 on sw1 and let vtp advertise it to sw3. Now both switches have vlan 2.
Next we configure sw1 in vtp transparent mode and configure the following commands:
Next we configure sw2 as transparent and configure the same command as above.
2) Now we have vlan 2 on both switches sw1 and sw2, configured as primary vlan. Can we do that?
Is it possible to stop traffic between two hosts located on different switches using private vlans?
h1------ f1/1-sw1----trunk------sw2------rest of network
Let's say we have vlan 2 configured on sw1 and sw2. We will use vlan 2 as the primary vlan.
If we configure sw1 f1/1 as an isolated port and sw2 f1/2 as an isolated port, while using vlan 2 as the primary vlan, can we stop the traffic between h1 and h2, considering they are located on different switches?
Thanks and have a great weekend.
The pleasure of meeting you here again is all mine. Yes, I have been kind of busy in the last months. Now I have a couple of weeks free and I am trying to catch up here on CSC again.
Regarding your question:
Since we are using vtp v2, we must configure private vlans manually on each switch in the path from h1 to h2.
Let's assume we have already configured vlan 100 as primary and vlan 101 as isolated on sw1 and sw3 but not on sw3.
There seems to be a typo - I assume you wanted to say: "... on sw1 and sw2 but not on sw3".
My question is, when we configure primary vlan 100 and isolated vlan 101 on sw3, do we need to associate isolated vlan 101 with primary vlan 100, i.e.:
Yes, you need to do that. Traffic received on promisc host ports is tagged with the primary PVLAN ID on trunks. If a switch receives a frame tagged with the primary PVLAN, it immediately knows that this frame can be forwarded to any port in any associated secondary PVLAN if the destination MAC address points to such an interface. It also goes the other way around: a frame tagged with any secondary PVLAN can be sent out any promisc interface that is associated with the corresponding primary PVLAN and the particular secondary PVLAN (as this mapping can be made more restrictive directly on the promisc port).
If your isolated PVLAN 101 was not associated with the primary PVLAN 100 then traffic received on promisc ports would not be allowed to be forwarded out through any port in the PVLAN 101. Hence, stations in secondary isolated PVLAN 101 would not be capable of communicating with devices placed on promisc ports.
Hello Sarah and Reza,
Just to add to Reza's answer, if running VTPv3 in the entire switched network, you may safely leave switches in VTP Server or Client mode. The reason VTPv1/VTPv2 had to be effectively deactivated by putting switches into Transparent mode was that these older VTP versions were unable to carry information about Private VLANs, in particular about the PVLAN types (primary, secondary community, secondary isolated) and their mutual association (which secondary PVLANs are associated with particular primary PVLAN). However, with VTPv3, this functionality has been added, and thus you can use VTPv3 and PVLANs together safely.
When configuring private vlans, the mode has to be transparent.
This section provides some rules and limitations for which you must watch when you implement PVLANs. For a more complete list, refer to the Private VLAN Configuration Guidelines section of the document Configuring VLANs.
PVLANs cannot include VLANs 1 or 1002–1005.
You must set VLAN Trunk Protocol (VTP) mode to transparent.
Regarding the limitation, here is what happens if you put the switch in transparent mode, configure a private vlan and then try to put the switch in server mode:
This switch is configured with private vlans and it is currently in transparent mode:
Switch(config)#vtp mode server
VTP mode cannot be set to server because there are private vlans configured on this device.
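The following is an added configuration example, not posted by any participant in the thread, that ties the answers above together for the h1---sw1---trunk---sw2 topology: VTP transparent mode first (VTPv1/v2), primary VLAN 100 associated with isolated VLAN 101 on every switch in the path, an isolated host port for h1 on sw1 (h2 on sw2 is configured the same way), and a promiscuous port towards the rest of the network. The VLAN numbers come from the thread; the interface names (f1/1 for h1, f1/23 for the trunk, f1/24 for the promiscuous uplink) are assumptions.

```cisco
! Added example (not from the thread). Apply the vlan section identically on
! sw1 and sw2; interface numbers are assumed.
!
! VTPv1/v2 cannot carry PVLAN types or associations, so the switch is made
! transparent BEFORE any private-vlan command is entered. The reverse order
! is refused ("VTP mode cannot be set to server because there are private
! vlans configured on this device").
vtp mode transparent
!
! Primary VLAN 100 with isolated secondary VLAN 101. The association is what
! allows frames tagged 100 (from promiscuous ports) to reach ports in 101,
! and frames tagged 101 to reach promiscuous ports mapped to 100/101.
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! Isolated host port for h1 on sw1 (sw2 f1/2 for h2 is configured the same).
interface FastEthernet1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Promiscuous port towards the rest of the network (default gateway etc.),
! assumed to be on sw2. The mapping may list only the secondaries that
! actually need to reach this port.
interface FastEthernet1/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! sw1<->sw2 link: a regular 802.1Q trunk carrying both the primary and the
! secondary VLAN (some platforms also need
! "switchport trunk encapsulation dot1q" before "switchport mode trunk").
interface FastEthernet1/23
 switchport mode trunk
 switchport trunk allowed vlan 100,101
!
! Verification on each switch: the association and port membership must show
! up on BOTH sw1 and sw2, otherwise frames tagged 101 arriving over the trunk
! are simply dropped.
! show vlan private-vlan
! show interfaces FastEthernet1/1 switchport
```

With this in place, a frame from h1 leaves sw1 over the trunk tagged with the isolated VLAN 101; sw2 receives it as secondary-isolated traffic and will not deliver it to its own isolated host port f1/2, so h1 and h2 cannot reach each other even though they sit on different switches, while both can still reach the promiscuous port. `show vlan private-vlan` on each switch is the quick check that the 100/101 association is present everywhere along the path, which is the condition Reza's answer above depends on.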