2.3. VLAN Filtering


Would shutting the vlan on SW3 fulfill the requirement?

vlan 17





  • I was using a different solution.

    What I did was, on SW3, change it to VTP transparent mode (because the question never said that was forbidden). Once I had done that, I just deleted VLAN 17 on the switch, so that SW3 drops all traffic from/to VLAN 17.

    Does anyone have any thoughts on this solution?


    RSRack1SW3(config)#do sh vtp status
    VTP Version capable             : 1 to 3
    VTP version running             : 1
    VTP Domain Name                 : IE
    VTP Pruning Mode                : Disabled
    VTP Traps Generation            : Disabled
    Device ID                       : 0015.c633.1c80
    Configuration last modified by at 3-1-93 00:22:34

    Feature VLAN:
    VTP Operating Mode                : Transparent
    Maximum VLANs supported locally   : 1005
    Number of existing VLANs          : 12
    Configuration Revision            : 0
    MD5 digest                        : 0x68 0x47 0x56 0x15 0x3F 0x66 0x8F 0x1F
                                        0x43 0x89 0x24 0x8D 0x36 0xEF 0x44 0xA9
    RSRack1SW3(config)#do sh vlan brief

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa1/0/1, Fa1/0/2, Fa1/0/4
                                                    Fa1/0/6, Fa1/0/7, Fa1/0/8
                                                    Fa1/0/9, Fa1/0/10, Fa1/0/11
                                                    Fa1/0/12, Fa1/0/16, Fa1/0/17
                                                    Fa1/0/18, Fa1/0/22, Fa1/0/23
                                                    Fa1/0/25, Fa1/0/26, Fa1/0/27
                                                    Fa1/0/28, Fa1/0/29, Fa1/0/30
                                                    Fa1/0/31, Fa1/0/32, Fa1/0/33
                                                    Fa1/0/34, Fa1/0/35, Fa1/0/36
                                                    Fa1/0/37, Fa1/0/38, Fa1/0/39
                                                    Fa1/0/40, Fa1/0/41, Fa1/0/42
                                                    Fa1/0/43, Fa1/0/44, Fa1/0/45
                                                    Fa1/0/46, Fa1/0/47, Fa1/0/48
                                                    Gi1/0/1, Gi1/0/2, Gi1/0/3
    27   VLAN0027                         active   
    33   VLAN0033                         active    Fa1/0/3, Fa1/0/24
    34   VLAN0034                         active   
    46   VLAN0046                         active   
    55   VLAN0055                         active    Fa1/0/5
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    82   VLAN0082                         active   
    510  VLAN0510                         active   
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup
    RSRack1SW3(config)#do sh int trunk

    Port        Mode             Encapsulation  Status        Native vlan
    Fa1/0/13    on               802.1q         trunking      1
    Fa1/0/14    on               802.1q         trunking      1
    Fa1/0/15    on               802.1q         trunking      1
    Fa1/0/19    on               802.1q         trunking      1
    Fa1/0/20    on               802.1q         trunking      1
    Fa1/0/21    on               802.1q         trunking      1

    Port        Vlans allowed on trunk
    Fa1/0/13    1-4094
    Fa1/0/14    1-4094
    Fa1/0/15    1-4094
    Fa1/0/19    1-4094
    Fa1/0/20    1-4094
    Fa1/0/21    1-4094

    Port        Vlans allowed and active in management domain
    Fa1/0/13    1,27,33-34,46,55,82,510
    Fa1/0/14    1,27,33-34,46,55,82,510
    Fa1/0/15    1,27,33-34,46,55,82,510
    Fa1/0/19    1,27,33-34,46,55,82,510
    Fa1/0/20    1,27,33-34,46,55,82,510
    Fa1/0/21    1,27,33-34,46,55,82,510

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa1/0/13    27,33-34,46,55,82,510
    Fa1/0/14    27,33-34,46,55,82,510
    Fa1/0/15    27,33-34,46,55,82,510
    Fa1/0/19    1,27,33-34,46,55,82,510
    Fa1/0/20    none
    Fa1/0/21    none

    I can see no problem with this solution! You could also manually prune the VLAN on SW3.

    However, all things considered, enabling VTP pruning is the easiest way (least admin effort) to meet the requirement.

  • In my topology SW4 was the root switch for all the VLANs, including VLAN 17. Just raising the cost of the link between SW3 and SW2, and between SW1 and SW4, meets the requirement of this task and task 2.1.

  • Dcanerian,

     I see what you're saying, although spanning-tree would still participate for VLAN 17 on that switch, so I'm not 100% sure it meets the requirements.

    I think VTP transparent and then no VLAN 17 would be the best solution. VTP pruning might be considered, but an STP instance would still exist, so I'm not 100% sure on that one either.
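The `show interfaces trunk` output in the first post and the STP concern in the reply above both come down to the same check: for a given VLAN, is it merely blocked on a trunk by STP or VTP pruning (a state that a topology change can undo), or is it actually removed from the allowed list or undefined on the switch? The script below, an added example that is not from this thread or from any Cisco tool, parses that command's output and classifies each trunk. The sample output is constructed (modelled on the posted output, with VLAN 17 added to some ports so that every outcome appears); the port names and the four verdict labels are the example's own.

```python
"""Parse Cisco IOS `show interfaces trunk` output and classify, per trunk,
how a given VLAN is kept off the wire.  Added example, not from the original
thread; the sample output below is constructed, not a real capture."""
from typing import Dict, Set

# Constructed sample (not a real capture): VLAN 17 is treated differently on
# each trunk so that every verdict below shows up once.
SHOW_INT_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa1/0/13    on               802.1q         trunking      1
Fa1/0/19    on               802.1q         trunking      1
Fa1/0/20    on               802.1q         trunking      1
Fa1/0/21    on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/0/13    1-4094
Fa1/0/19    1-16,18-4094
Fa1/0/20    1-4094
Fa1/0/21    1-4094

Port        Vlans allowed and active in management domain
Fa1/0/13    1,17,27,33-34
Fa1/0/19    1,27,33-34
Fa1/0/20    1,27,33-34
Fa1/0/21    1,17,27,33-34

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/13    17,27,33-34
Fa1/0/19    1,27,33-34
Fa1/0/20    none
Fa1/0/21    none
"""

# Text found in each section header of the command output -> key we store under.
SECTIONS = {
    "Native vlan": "header",
    "Vlans allowed on trunk": "allowed",
    "allowed and active": "active",
    "forwarding state": "forwarding",
}


def expand_vlan_list(spec: str) -> Set[int]:
    """'1,27,33-34' -> {1, 27, 33, 34}; 'none' -> empty set."""
    vlans: Set[int] = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_int_trunk(text: str) -> Dict[str, dict]:
    """Return {port: {mode, encap, status, native, allowed, active, forwarding}}."""
    trunks: Dict[str, dict] = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port "):           # section header line
            section = next(v for k, v in SECTIONS.items() if k in line)
            continue
        fields = line.split()
        entry = trunks.setdefault(fields[0], {})
        if section == "header":
            entry.update(mode=fields[1], encap=fields[2],
                         status=fields[3], native=int(fields[4]))
        else:
            entry[section] = expand_vlan_list(fields[1])
    return trunks


def vlan_trunk_status(trunks: Dict[str, dict], vlan: int) -> Dict[str, str]:
    """Classify how each trunk treats `vlan` (labels are this example's own):
    pruned   : not in the allowed list (manual prune on the trunk)
    inactive : allowed, but the VLAN does not exist on this switch
               (e.g. VTP transparent and the VLAN deleted)
    blocked  : allowed and active, only kept off by STP blocking or VTP
               pruning; an STP instance still exists and state can change
    carried  : allowed, active and forwarding
    """
    verdict: Dict[str, str] = {}
    for port, t in trunks.items():
        if vlan not in t["allowed"]:
            verdict[port] = "pruned"
        elif vlan not in t["active"]:
            verdict[port] = "inactive"
        elif vlan not in t["forwarding"]:
            verdict[port] = "blocked"
        else:
            verdict[port] = "carried"
    return verdict


def ports_still_at_risk(trunks: Dict[str, dict], vlan: int) -> list:
    """Trunks on which the VLAN is allowed and active: these satisfy a
    'no VLAN traffic on this trunk' task only while STP/pruning state holds."""
    return sorted(p for p, v in vlan_trunk_status(trunks, vlan).items()
                  if v in ("blocked", "carried"))


if __name__ == "__main__":
    parsed = parse_show_int_trunk(SHOW_INT_TRUNK)
    for port, verdict in vlan_trunk_status(parsed, 17).items():
        print(f"{port:10} VLAN 17: {verdict}")
    print("still at risk:", ports_still_at_risk(parsed, 17))
```

Run it against a pasted `show interfaces trunk` from the switch in question; anything reported as `blocked` or `carried` is a trunk where the VLAN is still allowed and active, which is the situation the reply above is uneasy about.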

  • The task requires that no traffic for VLAN 17 is received on the trunk link SW4 to SW2.

    As the only devices attached to VLAN 17 are on SW1, I used VLAN filtering on SW3 in order to drop all traffic from VLAN 17 on SW3. So no traffic is able to get to SW2 from SW1 or R1.



    ! A VACL action is applied to frames the referenced ACL permits; a deny
    ! entry means "no match, try the next map sequence". The original
    ! "deny any any" therefore matched nothing and the frames were dropped
    ! only by the implicit deny at the end of the map. "permit any any"
    ! makes the drop explicit with the same result.
    mac access-list extended VLAN17
     permit any any
    !
    vlan access-map VLAN17 10
     action drop
     match mac address VLAN17
    !
    vlan filter VLAN17 vlan-list 17


    For testing, I created an SVI for VLAN 17 on SW2 and tried to ping R1 or SW1, which didn't work. Therefore the VLAN filter is working.

    Is this solution also correct?

