We have a core switch that has 77 VLANs in the VTP domain. We are working to get this number down, but right now I have a few older switches that can only deal with 64 vlans. Also I am looking to put some Express 500 switches in our confernece rooms for a NAC deployment. I am sure that the 500s will only see 64 (or less) vlans. I want these switches to take part in the VTP domain as clients.
Since I have a limit of only 64 VLANs on the older and I assume Express 500 series, can I pick and choose which VLANs they will talk on? In other words, since they cant talk on and see all 77 VLANs, can I tell the switches "theses all the vlans you need to deal with"?.
And how does that command look on the trunk?
Thanks a million,
Solved! Go to Solution.
You would use the "switchport trunk allowed vlan..." command to limit which vlans could go over the trunk -
So this is the easiest way to get around the VLAN limitation right? Or do I need to buy enterprise ready switches for my conference rooms??
"Or do I need to buy enterprise ready switches for my conference rooms??"
Well how many vlans would you actually need on the switch in the conference rooms. It's unlikely i would have thought to be more than 64.
Remember that just because you only allow say 10 vlans on a trunk link to a switch clients within one of those vlans can still communicate with all the other vlans by routing. It's just that you can't have a client in one of those other vlans on the local switch.
I'm assuming in the above that you do indeed have a device(s) in your network that routes for all vlans.
You assumed correctly. We have a core switch that routes for all VLANs.
The conference room switches will be controlled by a Clean Access Server so ideally ports will be initially in an authentication VLAN and then changed to an access VLAN. And depending on the user role there might be three or four access vlans. So as long as my trunk talks all all the vlans involved I am good to go I assume.
I tried the "switchport trunk allowed vlan..." to allow only the first ten vlans but when i do a show vlan on the downstream switch, I still see the first 64 vlans instead of the first ten.
What am i doing wrong?
Your'e not doing anything wrong. The switchport allowed vlan command does not clear vlans from the switch vlan database, it simply determines which vlans are allowed on the trunk.
If the 10 vlans are included within the 64 then you are fine, you don't have to do anything.
If the 10 vlans are not included in the 64 then you will need to delete some of the existing vlans and add your 10 vlans. To do this you will need to make the switch VTP transparent.
If the switch is a VTP server you definitely don't want to be deleting vlans and if the switch is a VTP client you won't be able to delete vlans.
Thanks so far.
I now have a new problem:
I allowed vlans 1-10 but now I cannot do inter-vlan routing.
Note that VLAN 1 is the default/trunking/management vlan
Do you have L3 vlan interfaces for these vlans ?
Do these vlans exist on all the switches back to the 6500 that routes the vlans ?
Check the far end to see how they have trunking setup , it has to match on each end . Make sure the native vlan matches on each end if something or than vlan 1 is the native , should look something like this
switchport mode trunk (or dynamic desirable if dtp) is used)
switchport trunk allowed vlan 1-10
switchport trunk native vlan X (must match on each end)
Also when you have a smaller swith like a 2950 that supports 64 vlans , it is really telling you the switch supports 64 vlans with 64 individual spanning tree instances (PVST) , if you try to add more than that then switch will automatically change to transparent mode . Restricting vlans across the trunk will fix this if less than 64 vlans are allowed across the trunk . Each end should be configured the same on the trunk . If its not routing now then the trunk itself is broken .
Before I applied the command, inter-vlan routing was working - was able to get to Pcs on other VLANs.
After I applied the command, I cound not get onto any PCs on other VLANs - only to those PCs on the same VLANs connected to the switch.
Thanks for your help so far :-)