Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
397
Views
0
Helpful
5
Replies

Nexus 5548 pruning equalivance

Jeff Horton
Level 1
Level 1

‎03-19-2014 12:58 PM - edited ‎03-07-2019 06:47 PM

I have inherited the management of two Nexus 5548's. I am required to prune the management vlan from any vlan trunk links belonging to the managed network's infrastructure. I know these do not support VTP Pruning. Any suggestions would be appreciated.

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎03-19-2014 01:05 PM

Jeff

What vlan is the management vlan in your environment ?

Do you mean you simply want to stop that vlan going across the trunk link ?

Jon

0 Helpful

Jeff Horton
Level 1
Level 1
In response to Jon Marshall

‎03-19-2014 01:16 PM

My management vlan is 8. In gov STIGs it requires this pruning. The audit was run against on IOS STIG since there are currently no NX-OS STIGs that I am aware of. This is what it says:

 

By default all the VLANs that exist on a switch are active on a trunk link. Since the switch is being managed via OOBM connection, management traffic should not traverse any trunk links.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Jeff Horton

‎03-19-2014 01:19 PM

Jeff

Okay, i just think of pruning as an automatic thing ie. if a switch on the other end of the link doesn't have any ports in that vlan then it is pruned off the trunk link.

But you just want to remove a vlan off the trunk links by the sounds of it so you can use the "switchport trunk allowed .." command on the trunk interface.

See this configuration guide for details -

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/b_Cisco_Nexus_5000_Series_NX-OS_/Cisco_Nexus_5000_Series_NX-OS__chapter6.html#task_1207161

Jon

0 Helpful

Jeff Horton
Level 1
Level 1
In response to Jon Marshall

‎03-19-2014 01:31 PM

I do see that the VLAN is being allowed on those ports. I can remove the Managment VLAN and see how that effects the configuration. Hopefully this will get approved as a way of "Pruning". I appreciate you inputs.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to Jeff Horton

‎03-19-2014 01:45 PM

Jeff

It should be approved because it is more secure than simply pruning ie. if you only pruned and then a port was allocated into the vlan on another switch the vlan would be allowed across the trunk link.

If you don't allow the vlan on the trunk link it doesn't matter if a port is accidentally allocated into that vlan, traffic still won't go across the trunk link.

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card