Configure Private VLAN on 3750 & 2960

Hi All,
( R ) ------ [ 3750 ] ------- [ 2960 A ]
                        |------------ [ 2960 B ]
I had these VLANs on the 3750 & 2960:
- Vlan 8 (mgmt Vlan), Vlan 17, Vlan 34, Vlan 35
Basically I had already configured switchport protected on all the ports on the 2960 except the uplink to the 3750.
2960 Configure
On uplink to 3750
 switchport mode trunk
On end device port 
 switchport trunk native vlan 35
 switchport trunk allowed vlan 34,35
 switchport mode trunk
 switchport protected
 spanning-tree portfast
How do I go about configuring private VLAN on the 3750?
3750 Configure
On downlink to 2960
 switchport mode trunk
Interface vlan8
 ip address 10.8.0.1 255.255.255.0
Interface vlan17
 ip address 10.17.0.1 255.255.255.0
Interface vlan34
 ip address 10.34.0.1 255.255.255.0
Interface vlan35
 ip address 10.35.0.1 255.255.255.0
What I want to achieve is to send all the VLANs 8, 17, 34, 35 from the 2960 to the 3750 and from the 3750 to the 2960, but at the same time prevent a 2960 A client from talking to a 2960 B client on VLAN 35.

I believe that if both devices you do not want to speak with each other are on the 2960, "switchport protected" should work.
But you can configure it with private VLANs.
Let's say client A is on port f0/1 and client B on port f0/2.
Parent (main) VLAN is 100 and child is 999.
You would configure the VLANs on ALL switches.
 vlan 999
  private-vlan isolated
 vlan 100
  private-vlan primary
  private-vlan association 999
Now you would need to configure the ports.
 int range f0/1 - 2
  switchport mode private-vlan host
  switchport private-vlan host-association 100 999
If the interfaces will talk to other VLANs, you need to configure the SVI to understand it will serve the private VLANs.
 interface vlan 100
  private-vlan mapping 999
That's it, but notice that now interface f0/1 will not talk to f0/2 or to any other interface inside vlan 100. If you want a port to communicate with f0/1 or f0/2, this new port would need to be configured as a promiscuous one (in case it needs to talk to both of them), or you can create a community private-vlan and configure the desired ports in it. (F0/1 and F0/2 can't be in the same community VLAN or they'll be able to talk to each other.)
If the intention is to prevent one specific port from talking to all the others, you can put only this interface in the private VLAN instead of both.
Wrote too much; if this answers your question let me know, or we can create a practical scenario for it.
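
The isolation rules described in the answer above, as an added example that is not part of the original thread: a small Python parser for the private-VLAN commands shown there, which works out which ports can exchange layer-2 frames and flags host ports whose primary/secondary pair is not associated. Community VLAN 998, ports f0/3-4 and the promiscuous uplink f0/24 are hypothetical additions to the answer's VLAN 100/999 configuration.

```python
import re
from collections import defaultdict

# Constructed sample: the answer's VLAN 100/999 and f0/1-2, plus a hypothetical
# community VLAN 998 (f0/3-4) and a hypothetical promiscuous uplink f0/24.
SAMPLE_CONFIG = """\
vlan 999
 private-vlan isolated
vlan 998
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 998-999
interface FastEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 999
interface FastEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 999
interface FastEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 998
interface FastEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 998
interface FastEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 998-999
"""

def expand(vlan_list):
    """Expand an IOS VLAN list such as '100-101,210' into a set of ints."""
    out = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):
    # Returns (vlan id -> type, primary -> associated secondaries, port settings).
    vlans, assoc, ports, ctx = {}, defaultdict(set), {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            ctx = ("vlan", int(m[1]))
        elif m := re.fullmatch(r"interface (.+)", line):
            ctx = ("port", m[1])
            ports[m[1]] = {"mode": None, "primary": None, "secondary": set()}
        elif ctx and ctx[0] == "vlan":
            if m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
                vlans[ctx[1]] = m[1]
            elif m := re.fullmatch(r"private-vlan association ([\d,-]+)", line):
                assoc[ctx[1]] |= expand(m[1])
        elif ctx and ctx[0] == "port":
            port = ports[ctx[1]]
            if m := re.fullmatch(r"switchport mode private-vlan (host|promiscuous)", line):
                port["mode"] = m[1]
            elif m := re.fullmatch(
                    r"switchport private-vlan (?:host-association|mapping) (\d+) ([\d,-]+)", line):
                port["primary"], port["secondary"] = int(m[1]), expand(m[2])
    return vlans, assoc, ports

def can_talk(a, b, vlans, assoc, ports):
    """True if PVLAN forwarding rules let ports a and b exchange L2 frames."""
    pa, pb = ports[a], ports[b]
    if pa["primary"] is None or pa["primary"] != pb["primary"]:
        return False
    if pa["mode"] == pb["mode"] == "promiscuous":
        return True
    if "promiscuous" in (pa["mode"], pb["mode"]):
        prom, host = (pa, pb) if pa["mode"] == "promiscuous" else (pb, pa)
        # A host reaches the promiscuous port only via a mapped, associated secondary.
        return host["secondary"] <= (prom["secondary"] & assoc[prom["primary"]])
    # Two host ports: only members of the same community VLAN reach each other.
    sec = pa["secondary"]
    return sec == pb["secondary"] and all(vlans.get(v) == "community" for v in sec)

def audit(config):
    """List host ports whose primary/secondary pair is not associated on this switch."""
    vlans, assoc, ports = parse(config)
    return [name for name, p in ports.items()
            if p["mode"] == "host" and not p["secondary"] <= assoc.get(p["primary"], set())]

if __name__ == "__main__":
    v, a, p = parse(SAMPLE_CONFIG)
    print(can_talk("FastEthernet0/1", "FastEthernet0/2", v, a, p), audit(SAMPLE_CONFIG))
```

Running `audit` against each switch's configuration shows where a secondary VLAN was defined but never associated with the primary, which is the usual result of not configuring the VLANs on all switches.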

Similar Messages

  • Private-VLan Cisco 2975

    Hi guys,
    I got an issue configuring Private-VLANs on a Cisco 2975. I know that it's not supported, but is there a way that I can configure a switchport on a Cisco 2975 switch and be able to communicate with a Private-VLAN on a 3750 switch?

    Hi Eduardo,
    To prune a set of VLANs from a trunk manually, you should use the command
    switchport trunk allowed vlan remove vlan-list
    If, for example, 100 was the primary VLAN and 101, 102, 103 and 199 were the secondary VLANs associated with this primary VLAN, the command would be:
    switchport trunk allowed vlan remove 100-103,199
    Be careful when you do this in your production network. This command will cause these VLANs to be immediately disallowed on this trunk. If there are any clients in the removed VLANs on the 2975 switch, they will lose connectivity with the remainder of the network until you configure a separate connection between the 3750 and the 2975 placed into the particular secondary community VLAN.
    Best regards,
    Peter

  • Private Vlan support on CAT3850

    Hello, I need to configure private VLANs on a Catalyst 3850.
    On this page it is said that the 3850 does support this technology
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps12686/qa_c67-722110.html
    But I can't configure it because there are no such commands in the CLI
    3850(config-vlan)#pri?
    % Unrecognized command
    Does it support it or will it support private vlans in future?

    Dmitry
    There does seem to be conflicting information. The link you provide does say they are supported but looking at the config guide it says -
    Restrictions for VLANs
    The following are restrictions for VLANs:
    The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
    The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
    Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
    Private VLANs are not supported on the switch.
    You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.
    full link -
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg_chapter_0100.html
    So it looks like with this release at least, they are not available. I don't know whether they are scheduled to be included in a later release of the software.
    Perhaps someone from Cisco can comment. The product page certainly needs updating as it seems the configuration guide is the correct one.
    Edit - i have posted a link to this thread in the Technical Documentation forum to ask for clarification although a Cisco person is still not guaranteed to answer.
    Jon

  • Private-VLAN trunk on 3560X

    Hi,
    I need to create Private-VLANs on 3650X, but is it possible to configure this technology with a 3560X switch and IOS 12.2(55)SE5? I attach the topology.
    I want to configure the private VLANs on VLAN 30; the isolated VLAN is number 100 and the community VLAN is 200. I guess that the trunk interfaces have to be set to promiscuous mode, is that correct?
    If the trunk is configured in promiscuous mode, what happens with the other VLANs (10, 20 and 40), and what is the correct configuration for the trunk interfaces?

    Hi,
    Follow the config guide on how to configure private vlans:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_53_se/configuration/guide/3750xscg/swpvlan.html
    HTH

  • Private vlan over dot1q trunks with etherchannels

    Dear Friends,
    I need to know whether I can use trunks in EtherChannel for Private VLANs.
    regards
    Manish Shamjee

    Hello manish,
    You would need to elaborate more on that.
    Are you trying to 'trunk' primary private vlan's or secondary private vlans? Or are you trying to configure private vlans on ports that are etherchannels?
    Read this "Do not configure private VLAN ports as EtherChannels. While a port is part of the private VLAN configuration, any EtherChannel configuration for it is inactive"
    The above is from the pvlan guidelines and restrictions found here:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979

  • SUP WS-X45-SUP6-E & private-vlan community

    All,
    I tried to upgrade Cisco 6500 from Sup-2 to Sup-6 running IOS cat4500e-entservicesk9-mz.122-40.SG.bin.
    After upgrade everything came back up normal, no problem with hardware.
    Except with private VLAN community.
    After this upgrade I cannot configure "Private VLAN community" on this switch.
    AUNN00RS_XXXXX(config-vlan)#private-vlan community
    % Invalid input detected at '^' marker.
    AUNN00RS_MGMT1(config-vlan)#private-vlan     ?    
      association  Configure association between private VLANs
      isolated     Configure the VLAN as an isolated private VLAN
      primary      Configure the VLAN as a primary private VLAN
    It works absolutely fine with Sup-2 running same IOS.
    AUAN00RS_XXX(config-vlan)#private-vlan ?
      association  Configure association between private VLANs
      community    Configure the VLAN as a community private VLAN
      isolated     Configure the VLAN as an isolated private VLAN
      primary      Configure the VLAN as a primary private VLAN
    Regards
    Sachin

    I just checked the command reference:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/40sg/command/reference/cmdref.html
    And it should be there....I couldn't find any related bugs.
    Do you have the option of upgrading the IOS? The latest is 12.2(53) SG3
    Regards,
    Ian

  • 3750-2960 Vlans Issue via Port Channel

    I'm trying to get all my vlans to pass thru to my 2960 user level switches, from my 3750 stack.
    Each one of my 2960 stacks is connected to my 3750 via port channel. Here is my port setup.
    I have Vlans 1,210,214,216,220,306,406 on my 3750 stack. I cannot see those vlans on my 2960 stack. Why is that? What am I missing from the config?
    Thanks...
    3750 ports:
    interface GigabitEthernet1/0/41
    description Uplink to ETHSW03
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,210,214,216,220,306,406
    switchport mode trunk
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    spanning-tree guard loop
    channel-protocol lacp
    channel-group 7 mode active
    interface GigabitEthernet1/0/42
    description Uplink to ETHSW03
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,210,214,216,220,306,406
    switchport mode trunk
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    spanning-tree guard loop
    channel-protocol lacp
    channel-group 7 mode active
    interface Port-channel7
    description Uplink to ETHSW03
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,210,214,216,220,306,406
    switchport mode trunk
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    spanning-tree guard loop
    Here are my 2960 ports setup:
    interface GigabitEthernet1/0/47
    description Uplink to CORE01
    switchport trunk allowed vlan 1,210,214,216,220,306,406
    switchport mode trunk
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    spanning-tree guard loop
    channel-protocol lacp
    channel-group 1 mode active
    interface GigabitEthernet1/0/48
    description Uplink to CORE01
    switchport trunk allowed vlan 1,210,214,216,220,306,406
    switchport mode trunk
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    spanning-tree guard loop
    channel-protocol lacp
    channel-group 1 mode active
    interface Port-channel1
    description Uplink to CORE01
    switchport trunk allowed vlan 1,210,214,216,220,306,406
    switchport mode trunk
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    spanning-tree guard loop

    I have 1 stack of 3750, connected with flex technology.
    I have 3 stacks of 4-2960s, connected with flex technology.
    Then, each 2960 stack is connected to my 3750 stack via port channels (gig ports x2).
    Now, this is a second office site. We are connected to our datacenter via private ethernet line, and that's where most of our vlans and servers reside.
    Output from 3750
    P-DB-CORE01#sh vtp status
    VTP Version capable             : 1 to 3
    VTP version running             : 1
    VTP Domain Name                 : NULL
    VTP Pruning Mode                : Disabled
    VTP Traps Generation            : Disabled
    Device ID                       : 6c41.6a9c.a280
    Configuration last modified by 10.2.20.1 at 3-3-93 23:43:55
    Feature VLAN:
    VTP Operating Mode                : Transparent
    Maximum VLANs supported locally   : 1005
    Number of existing VLANs          : 19
    Configuration Revision            : 0
    MD5 digest                        : 0x3D 0x05 0x4D 0x8C 0x31 0x07 0x34 0xDA
                                        0x2F 0x60 0xE8 0x24 0xA6 0x27 0x59 0x24
    Output from 2960
    P-ETHSW03-20.4#sh vtp status
    VTP Version capable             : 1 to 3
    VTP version running             : 1
    VTP Domain Name                 : NULL
    VTP Pruning Mode                : Disabled
    VTP Traps Generation            : Disabled
    Device ID                       : c07b.bcb2.9a80
    Configuration last modified by 10.2.20.2 at 1-3-14 13:02:15
    Local updater ID is 10.2.20.4 on interface Vl1 (lowest numbered VLAN interface found)
    Feature VLAN:
    VTP Operating Mode                : Server
    Maximum VLANs supported locally   : 255
    Number of existing VLANs          : 7
    Configuration Revision            : 5
    MD5 digest                        : 0x89 0x91 0xBA 0xE3 0x12 0x1B 0xDB 0x1D
                                        0x75 0x43 0x7F 0x8D 0x62 0x5A 0x09 0x70

  • Private vlans and 2960 and 3560 switch

    Hi, I have a 3560 switch that supports private vlans. There are few computers connected to it and private vlans work fine. Now I need to connect a 2960 switch to 3560 switch. 2960 seems to have no private vlan configuration options but it can be private vlan edge? What is private vlan edge? If I put the computers on 2960 to a vlan that is isolated vlan in 3560 will the computers be able to communicate with themselves in layer2 on 2960 switch?

    Example: I have network 10.0.0.0/24. Networks primary vlan is 2001, isolated is 2002 and community is 2003. These settings are on 3560. So if I put computers on 2960 switch to vlan 2002 and make the ports protected ports they will act as isolated ports and they can't communicate with ports that are on isolated vlan 2002 on 3560???
    Can I also use the community vlan on 2960? is this possible because vlans 2002 and 2003 would be on the same network???

  • Private VLANs - is this configuration right?

    Hi
    I have a 4500 that has a vlan (10) on it where none of the clients should talk to each other. I am going to configure this as an isolated vlan. This VLAN is propagated to a 6500 that has the IP address of this VLAN; from what I have read I need to create a primary vlan (99) and then create the client vlan (10) as an isolated vlan within this (99).
    Is this correct?
    If anyone has a good doc on PVLANs please let me know! The docs on Cisco seem to be lacking.
    Cheers

    Here is an example.. Vlan 83 is the promiscuous VLAN, I left in a port on vlan 230 that has a host on it.
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    spanning-tree vlan 83,100-101,210,230,248-250 priority 24576
    vlan internal allocation policy ascending
    vlan 83
    name DMZ_VLAN
    private-vlan primary
    private-vlan association 100-101,210,230,248
    vlan 100
    name hinfwe-vlan
    private-vlan community
    vlan 101
    name hinneo-vlan
    private-vlan community
    vlan 210
    name IPASS
    private-vlan community
    vlan 230
    name DNS-GSS
    private-vlan community
    vlan 248
    name ADP-Internal
    private-vlan community
    interface GigabitEthernet1/0/1
    description GSS-01 83.200
    switchport private-vlan host-association 83 230
    switchport mode private-vlan host
    no logging event link-status
    speed 100
    duplex full
    no snmp trap link-status
    spanning-tree portfast
    spanning-tree guard root
    interface GigabitEthernet1/0/24
    description Firewall_Uplink
    switchport access vlan 83
    switchport private-vlan mapping 83 100-101,210,230,248-250
    switchport mode private-vlan promiscuous
    speed 1000
    duplex full
    spanning-tree portfast
    spanning-tree guard root
    HTH
    CHris

  • Private VLAN and ASA subinterfaces

    Gents,
    I have a DMZ 3750 switch and I want to introduce private VLANs on this switch. This switch is connected to a Cisco ASA with a trunk (subinterface for each primary VLAN) because we have multiple DMZs. What will the configuration on both sides be?
    If private VLANs can't be used with ASA subinterfaces, what solution can be done in this scenario?
    Thanks,

    I would think the ASA doesn't care. The Pvlans are configured on the switch. The port that the ASA is connected to will be promiscuous.
    To see how to configure it, check out this guide (a long in depth read but worth it):
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/pvlans.html
    Regards,
    Ian
    If I helped please rate me.

  • Private vlan and HSRP

    Hi, guys. I have a question about implementing Private VLAN and HSRP. In my network topology, there are 2 6509 switches as core switches and Internet outlet. There is a 3750 as a distribution switch, and a 3550 as an access switch. The topology is as below:
    | |
    7609----7609
    | |
    3750
    |
    3550
    |
    servers
    Now there are some servers that will connect to the 3550, and the 3750 and 3550 will be treated as Layer 2 switches; that is, these servers' default gateway will be on a VLAN interface on the 7609, and I have configured HSRP between the VLANs on the 2 6509s. My question is how to implement private VLAN on the 3550 with HSRP on the 7609, so that these servers can have a redundant gateway and be kept isolated from other servers.

    It looks like the 3550 does not support private VLAN.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_tech_note09186a0080094830.shtml
    More info. on private VLAN :
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00802c30c4.html#wp1138148
    Did you configure the VLAN trunking between 7609, 3750 and 3550 ? Once we enable the VLAN trunking then the server can plug to the assigned VLAN and communicate to the 7609 via the trunk w/o interference w/ other VLAN. However, you have to enable the VLAN routing at 7609 to make it able to connect to other VLAN user if you want.
    Hope this helps.

  • Problems setting up public/private vlans on sg300-52 switches

    A real beginner here with a problem on how to setup 3 SG300-52 (in L2 mode) as per this diagram:
    Port 1 on all switches should be able to talk to each other and access the blob at the right.
    The ports 25 on the other hand should only be able to talk among themselves in their own
    private vlan. They are to carry sensitive traffic.
    So I created 3 vlans, vlan 78 for ports gi1, gi51 and vlan 10 for port25,49,50 and a dummy vlan: 666
    with the intent of segregating vlan 10 from vlan 78.
    My attempts so far have failed.
    ports gi49-50 are configured as trunk ports and gi1,gi51 as access ports as the following
    cli output (excerpts of the startup config):
    vlan database
    vlan 10,78,666
    exit
    interface vlan 1
    ip address 172.16.10.11 255.255.255.0
    no ip address dhcp
    interface gigabitethernet1
    switchport mode access
    switchport access vlan 78
    interface gigabitethernet25
    switchport mode access
    switchport access vlan 10
    interface gigabitethernet49
    switchport trunk allowed vlan add 10,78
    switchport trunk native vlan 666
    switchport default-vlan tagged
    interface gigabitethernet50
    switchport trunk allowed vlan add 10,78
    switchport trunk native vlan 666
    switchport default-vlan tagged
    interface gigabitethernet51
    switchport mode access
    switchport access vlan 78
    Ports gi1 can talk to each other and access the blob but ports 25 refuse to talk to each other. But as soon as I remove
    the access links to the blob they can! Obviously, at that point port gi1 lose access.
    Is such a topology feasible or even advisable?
    Thanks,
    jf

    Hi Jean,
    Here's a pretty picture
    Now I will explain.
    The layer 3 switch is going to service as your core switch.
    Vlan 78 looks like your BLOB connection.
    Vlan 10 and 666 look like they don't belong on the BLOB.
    So how to configure this-
    You will want to configure the switch that connects directly to the BLOB as the layer 3 switch depicted in my diagram.
    Layer 3 switch, follow this document
    https://supportforums.cisco.com/docs/DOC-27038
    Bear with me, I am making up random numbers since I don't know what you want or will use.
    So VLAN 78 looks like the BLOB and 10 and 666 are staying out of the BLOB.
    config t
    vlan database
    vlan 10, 78, 666
    int vlan 1
    ip address 192.168.1.254 /24
    int vlan 10
    ip address 192.168.2.254 /24
    int vlan 78
    ip address 192.168.3.254 /24
    int vlan 666
    ip address 192.168.4.254 /24
    Configure the port you want to go to the BLOB, I am assuming vlan 78.
    config t
    int gi01
    switchport mode access
    switchport access vlan 78 (that 3750, what is the native vlan of the port it is connecting to??)
    Next, configure the downlink port to connect the layer 2 switch
    config t
    int gi0/2
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666  (this will make the port native vlan 1 untagged, rest ports tagged)
    On the downstream switch you need to configure an uplink and downlink with the respective vlans. It will remain layer 2 mode.
    config t
    vlan database
    vlan 10, 78, 666
    int gi0/1
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666
    int gi0/2
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666
    Same thing for the last switch, it will remain layer 2 mode
    config t
    vlan database
    vlan 10, 78, 666
    int gi0/1
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666
    int gi0/2
    switchport mode trunk
    switchport trunk allowed vlan add 10, 78, 666
    Let me know if this works out or if it is not logical for you.
    -Tom
    Please mark answered for helpful posts

  • Private-VLAN and EtherChannel

    Hi,
    On a Catalyst 3750, I have created a Primary and Secondary Community VLANs and have associated them.
    The Primary VLAN (100) is attached to a promiscuous port, the Secondary VLANs (101-103) aren't attached to any port.
    I would like to let the Secondary VLANs traffic pass over an EtherChannel link that is a dot1q trunk.
    The trunk is made with a virtual switch (VMware ESX) and transports non-Private VLANs (101-103). The trunk itself works.
    How can I configure the EtherChannel as a private-VLAN port, considering that the EtherChannel isn't using PAgP/LACP modes? ("group-channel 1 mode on").
    Is there a way to solve this without replacing the Private-VLANs with VLANs?
    Thanks in advance for your help!

    From "EtherChannel Configuration Guidelines"
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sed/scg/swethchl.htm#wp1021856
    Do not configure a private-VLAN port as part of an EtherChannel.

  • Hi all, need advice on OSPF and private vlans

    Hi all.
    I have a project to complete and need some help on the possible solution I can use.
    Basically we have ospf area 0 and the users in question are in ospf area 7 and is a stub.
    I need to route the traffic from these users out through area 0 through 3 core devices, onto an external firewall interface to be placed onto the vpn that sits on it. The firewall is not included in the ospf domain.
    My thinking was that the firewall has a default route back into the ospf domain so I don't need to worry about traffic coming in; however, my job is to segregate these users and take them out of our core network and place them onto an external network via this vpn.
    Not sure how to achieve this apart from static routing redistributed, but surely this does not separate their traffic, only points the route to ospf?!
    I was thinking I might have to use private vlans or policy routing but when I try policy routing the policy gets ignored due to normal forwarding.
    Any help and advice would be greatly appreciated.
    Cheers
    Steve

    Steve
    Thanks, that helps.
    GRE is definitely out because apart from the 6500 GRE tunneling is not supported on the Cisco switches.
    It's good that area 7 is only for these users and not mixed up with other users.
    So if I understand correctly the 4500 interface connecting to the 6500 is in area 0 and the interface connecting to the 3550 is in area.
    Or is the 3550 connected to both areas and the 4500 totally in area 0 ?
    Can you confirm the above ?
    In terms of keeping them separate there are 2 possible choices. You can either -
    1) use VRF-Lite, although I'm not sure whether the HP switch would support this. With VRF-Lite you are in effect creating virtual devices on the same physical device. This means each virtual device has its own routing and forwarding table so it is quite secure because you would only populate the routing table with the routes needed so there would be no way for users to jump to the rest of your networks.
    The downside is that it can become quite complex to configure. If the 4500 is only used to connect area 7 to area 0 then that would not be a problem but the connection from the 6500 to the HP could and I don't even know whether the HP supports VRF-Lite functionality let alone how to configure it on that switch.
    But it would, at least from the 4500 to 6500 to HP provide complete separation in terms of routing and forwarding. Once it got to the HP it wouldn't but that might not be an issue.
    2) Use PBR (possibly together with acls). This is easier to configure ie. you configure PBR on the 4500 and the 6500 to get the traffic to the HP switch. But you do not get the actual separation you get with VRF-Lite ie. the traffic simply overrides the existing routing tables.
    The other thing to bear in mind with PBR is that you also have to configure the return traffic as well so each device would need multiple PBR configs.
    Again i don't know whether the HP supports PBR but it may not be an issue depending on what the routing is on the HP.
    You could also use a combination of the above ie VRF-Lite between the Cisco switches and then PBR for the last hop to the HP device.
    I should say i don't have a huge amount of experience with VRF-Lite but that should not necessarily stop you using it if it is what you need. There are lots of other people on here so i'm sure there will be other people who can help if i can't.
    It still depends on how much separation is required. VRF-Lite is definitely seen as a way to separate traffic running across a shared infrastructure, PBR is not really seen in the same way.  So it may well be worth going back to find out exactly what "segregating" user traffic means.
    I don't want to confuse the issue but it's still not entirely clear what the actual requirement is.
    Jon

  • Migration of users in different vlans of 3750 Switches

    I have 30 access switches (3750). I need to migrate 1200 users connected to these switches from vlan 1 (172.23.8.0 /22) to vlan 2 (172.23.52.0 /22). They changed the range on the DHCP server from 172.23.8.0 /22 to 172.23.52.0 /22. In this case, is the only solution to change the switch ports from vlan 1 to vlan 2? Can I configure 2 vlans on the ports of the 3750 switches? What do you recommend to make this migration in an efficient way?

    Well, you could use the command interface range fastethernet 0/1 - 48 (change the command according to your ports) and then execute the switchport access vlan 2 command.
    Like this all the ports will be changed in one shot. When to do it... well, during a weekend.
    The biggest problem I see is that the workstations have to get a new IP address from DHCP after the migration, so I suggest that you set the lease expiration to one day. Like this all the workstations will ask for a new IP address every day, and after the change to vlan 2 they will ask for an IP and everybody will have connectivity, and it should then be transparent for the user.
    FYI: a switch port can only ever belong to a single vlan, or it has to be a trunk port to support multiple vlans, which is not recommended in your situation.
    Yves
    rate this post if it helped
