can "trunk allow" command limit native vlan

Unanswered Question
Feb 26th, 2008

Hi, all

When I set up a switch topology as below:


\ /

\ /


I configured the 3 interconnect links as trunks, and the native VLAN on all of them is VLAN 99. I found that on SwA, B and C, STP can't block native VLAN 99; that is, on SwA, B and C, VLAN 99's STP status is forwarding on every port. So I decided to block this with the command "switchport trunk allowed vlan ***". My question is: is this method effective?

When I design a big campus LAN, how should I design the native VLAN deployment, for example in the following topology?

SwA---SwB    Core Layer
 |     |
 |     |
SwC---SwD    Dist Layer
 | \ / |
 | / \ |
SwE   SwF    Access Layer

All interconnect links are trunks; how should I design the native VLAN?


Jon Marshall Tue, 02/26/2008 - 00:19

Are you sure that STP is not blocking on any of your switches? Could you post

"sh spanning-tree vlan 99" (IOS)

"sh spantree 99" (CatOS)

from all 3 switches.

Edit - In answer to your question: if you do not allow a VLAN across a trunk link, then it will stop STP from running across that trunk link for that VLAN. But STP should be blocking on one of its ports for VLAN 99.
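Jon's point is that in a three-switch triangle STP must be blocking one port per VLAN, and the way to confirm it is the "sh spanning-tree vlan 99" output from every switch. The script below is an added example, not code from this thread or from Cisco: it parses IOS-style "show spanning-tree vlan" output from several switches (constructed sample text with made-up addresses and interface names) and checks that exactly one bridge claims root, that every non-root bridge has a Root port (i.e. it is actually receiving BPDUs for that VLAN), and that enough ports are blocking to break every physical loop. It assumes every interface listed in the port table is one end of an inter-switch trunk, so the number of links is half the number of ports.

```python
import re

# Constructed sample "show spanning-tree vlan 99" output (IOS format, as posted in
# this thread) from three switches wired in a triangle: SwA-SwB, SwB-SwC, SwC-SwA.
# Every interface listed is one end of an inter-switch trunk; MAC addresses,
# interface names and priorities are made up.
SAMPLE_OUTPUT = {
    "SwA": """
  Spanning tree enabled protocol ieee
  Root ID    Priority    32867
             Address     0000.0000.0a0a
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32867  (priority 32768 sys-id-ext 99)
             Address     0000.0000.0a0a

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p
""",
    "SwB": """
  Spanning tree enabled protocol ieee
  Root ID    Priority    32867
             Address     0000.0000.0a0a
             Cost        4
             Port        1 (GigabitEthernet0/1)

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.2    P2p
""",
    "SwC": """
  Spanning tree enabled protocol ieee
  Root ID    Priority    32867
             Address     0000.0000.0a0a
             Cost        4
             Port        1 (GigabitEthernet0/1)

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Root FWD 4         128.1    P2p
Gi0/2               Altn BLK 4         128.2    P2p
""",
}

# The same triangle with no port blocking anywhere: the situation the question describes.
ALL_FORWARDING = dict(SAMPLE_OUTPUT)
ALL_FORWARDING["SwC"] = SAMPLE_OUTPUT["SwC"].replace("Altn BLK", "Desg FWD")

# One row of the port table: name, role, state, cost, prio.nbr, type.
PORT_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<role>Root|Desg|Altn|Back)\s+(?P<state>FWD|BLK|LRN|LIS|LBK)\s+\d+\s+\S+\s+\S+",
    re.MULTILINE,
)


def parse_stp(text):
    """Extract root status and per-port (name, role, state) from one switch's output."""
    return {
        "is_root": "This bridge is the root" in text,
        "ports": [m.groupdict() for m in PORT_RE.finditer(text)],
    }


def audit_vlan(outputs):
    """outputs maps switch name -> 'show spanning-tree vlan N' text. Returns a list of
    findings; an empty list means the VLAN has one root, every non-root switch has a
    Root port, and enough ports block to break every physical loop."""
    parsed = {sw: parse_stp(text) for sw, text in outputs.items()}
    findings = []
    roots = [sw for sw, p in parsed.items() if p["is_root"]]
    if len(roots) != 1:
        findings.append(f"expected exactly one root bridge, found {roots or 'none'}")
    for sw, p in parsed.items():
        if not p["is_root"] and not any(pt["role"] == "Root" for pt in p["ports"]):
            findings.append(f"{sw}: non-root bridge has no Root port, so it is not receiving BPDUs for this VLAN")
    # Each inter-switch link shows up once at each end, so links = ports / 2 (assumption:
    # only trunk ports are in the table).
    port_total = sum(len(p["ports"]) for p in parsed.values())
    if port_total % 2:
        findings.append("odd number of trunk ports listed: one end of some link is missing from the inputs")
    links = port_total // 2
    needed = max(links - (len(parsed) - 1), 0)   # a tree over N switches uses N-1 links
    blocked = sum(1 for p in parsed.values() for pt in p["ports"] if pt["state"] == "BLK")
    if blocked < needed:
        findings.append(f"{blocked} blocking port(s) for {links} links across {len(parsed)} switches; "
                        f"a loop-free tree needs at least {needed}")
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy triangle", SAMPLE_OUTPUT), ("all forwarding", ALL_FORWARDING)):
        print(label, audit_vlan(sample) or "OK")
```

Run against real output, paste each switch's "sh spanning-tree vlan 99" into the dictionary; the link count check is only meaningful if the port table contains trunk ports, so strip access ports first. A bridge that is root for the VLAN legitimately shows every port as Desg FWD, which is why the check is made across all switches rather than on one.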


Kevin Dorrell Tue, 02/26/2008 - 00:36

Just to add to what Jon said, you can disallow the native VLAN. But beware a nasty bug in all CatOS and early versions of IOS. In those versions, if you disallow the native VLAN on the trunk, then it also blocks Spanning-Tree BPDUs on VLAN 1. That can cause a network meltdown on VLAN 1, depending on your topology. Believe me ... it happens!

But I agree with Jon: it is very strange if all your switches are forwarding VLAN 99 on all trunks. That itself would normally lead to a meltdown. Just to confirm, are you using PVST+?

Please also check you do not have bpdufilter on your trunks. bpdufilter is one of the most dangerous and most abused commands I know. It should be used only when absolutely necessary.

Kevin Dorrell


hetao1601 Tue, 02/26/2008 - 01:41

Thanks Jon and Kevin.

I didn't limit the native VLAN specifically. The configuration is as below:

One side is an IOS switch:

interface GigabitEthernet0/52
 description ---To JC-6506-5/2---
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 900
 switchport trunk allowed vlan 12,22,28
 switchport mode trunk
 switchport nonegotiate

KS-3560-P# sh spanning-tree vl 900

  Spanning tree enabled protocol ieee
  Root ID    Priority    33668
             Address     001b.5440.3480
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33668  (priority 32768 sys-id-ext 900)
             Address     001b.5440.3480
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi0/47           Desg FWD 4         128.47   P2p
Gi0/48           Desg FWD 4         128.48   P2p
Gi0/49           Desg FWD 4         128.49   P2p
Gi0/50           Desg FWD 4         128.50   P2p
Gi0/51           Desg FWD 4         128.51   P2p


The other side is a CatOS switch:


Cat6509> (enable) sh trunk 5/2
* - indicates vtp domain mismatch
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 5/2      on           dot1q          trunking      900

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 5/2      12,22,28

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 5/2      12,22,28

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 5/2      12,22,28

Cat6509> (enable) sh spantree 5/2
Port                     Vlan  Port-State    Cost       Prio Portfast Channel_id
------------------------ ----  ------------- ---------  ---- -------- ----------
 5/2                     12    forwarding    4          32   disabled 0
 5/2                     22    forwarding    4          32   disabled 0
 5/2                     28    forwarding    4          32   disabled 0


Does it mean the IOS switch can't block native VLAN forwarding, but the CatOS switch does block native VLAN forwarding?

Since the native VLAN is not used in the real world, maybe it didn't produce a bad effect.
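The trunk posted above already has the properties the earlier replies care about: an explicit allowed list that leaves out the native VLAN, a native VLAN other than 1, no bpdufilter, and DTP disabled. The script below is an added example, not code from this thread or from Cisco: it audits IOS running-config interface blocks for exactly those points. GigabitEthernet0/52 is copied from the post; GigabitEthernet0/53 and GigabitEthernet0/1 are constructed so that the checks have something to report. It handles the plain, "add", "remove", "except", "all" and "none" forms of "switchport trunk allowed vlan" and treats a missing native-vlan statement as VLAN 1, the IOS default.

```python
import re

# Constructed sample running-config fragment. GigabitEthernet0/52 is the trunk
# posted in this thread; the other two interfaces are made up to show the checks firing.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/52
 description ---To JC-6506-5/2---
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 900
 switchport trunk allowed vlan 12,22,28
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/53
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-10,99
 switchport trunk allowed vlan add 200
 switchport mode trunk
 spanning-tree bpdufilter enable
!
interface GigabitEthernet0/1
 switchport access vlan 12
 switchport mode access
!
"""

ALL_VLANS = set(range(1, 4095))


def expand_vlans(spec):
    """'1-10,99' -> {1, 2, ..., 10, 99}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for every interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or any other top-level line ends the block
    return blocks


ALLOWED_RE = re.compile(r"^switchport trunk allowed vlan (?:(add|remove|except) )?(\S+)$")


def allowed_vlans(lines):
    """Apply the allowed-vlan statements in order. None means 'all VLANs' (the default)."""
    allowed = None
    for line in lines:
        m = ALLOWED_RE.match(line)
        if not m:
            continue
        verb, spec = m.groups()
        current = ALL_VLANS if allowed is None else allowed
        if verb is None:
            allowed = None if spec == "all" else set() if spec == "none" else expand_vlans(spec)
        elif verb == "except":
            allowed = ALL_VLANS - expand_vlans(spec)
        elif verb == "add":
            allowed = current | expand_vlans(spec)
        elif verb == "remove":
            allowed = current - expand_vlans(spec)
    return allowed


def audit_trunks(config):
    """Return {trunk interface: [issues]}; non-trunk ports are skipped."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        issues = []
        native = 1                   # IOS default native VLAN when none is configured
        for line in lines:
            m = re.match(r"^switchport trunk native vlan (\d+)$", line)
            if m:
                native = int(m.group(1))
        allowed = allowed_vlans(lines)
        if "spanning-tree bpdufilter enable" in lines:
            issues.append("bpdufilter enabled: BPDUs are dropped, so STP cannot detect a loop through this trunk")
        if native == 1:
            issues.append("native VLAN left at the default (1)")
        if allowed is None:
            issues.append("no allowed-VLAN list: every VLAN, including the native VLAN, crosses this trunk")
        elif native in allowed:
            issues.append(f"native VLAN {native} is in the allowed list and is carried untagged on this trunk")
        if "switchport nonegotiate" not in lines:
            issues.append("DTP not disabled (switchport nonegotiate missing)")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_trunks(SAMPLE_CONFIG).items():
        print(name, issues or "OK")
```

Kevin's caveat about older CatOS and IOS releases dropping VLAN 1 BPDUs when the native VLAN is disallowed is a software-version problem that a configuration audit cannot see; the script only tells you which trunks carry the native VLAN and which have BPDU processing switched off.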

