Cisco Support Community
New Member

Nexus 5548 pruning equivalence

I have inherited the management of two Nexus 5548s. I am required to prune the management VLAN from any VLAN trunk links belonging to the managed network's infrastructure. I know these do not support VTP pruning. Any suggestions would be appreciated.

5 REPLIES
Hall of Fame Super Blue

Jeff

What VLAN is the management VLAN in your environment?

Do you mean you simply want to stop that VLAN going across the trunk link?

Jon

New Member

My management VLAN is 8. The government STIGs require this pruning. The audit was run against an IOS STIG since there are currently no NX-OS STIGs that I am aware of. This is what it says:


By default all the VLANs that exist on a switch are active on a trunk link. Since the switch is being managed via an OOBM connection, management traffic should not traverse any trunk links.

Hall of Fame Super Blue

Jeff

Okay, I just think of pruning as an automatic thing, i.e. if a switch on the other end of the link doesn't have any ports in that VLAN then it is pruned off the trunk link.

But by the sounds of it you just want to remove a VLAN from the trunk links, so you can use the "switchport trunk allowed .." command on the trunk interface.

See this configuration guide for details -

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/b_Cisco_Nexus_5000_Series_NX-OS_/Cisco_Nexus_5000_Series_NX-OS__chapter6.html#task_1207161

Jon

New Member

I do see that the VLAN is being allowed on those ports. I can remove the management VLAN and see how that affects the configuration. Hopefully this will get approved as a way of "pruning". I appreciate your inputs.

Hall of Fame Super Blue

Jeff

It should be approved because it is more secure than simply pruning, i.e. if you only pruned and then a port was allocated into the VLAN on another switch, the VLAN would be allowed across the trunk link.

If you don't allow the VLAN on the trunk link, it doesn't matter if a port is accidentally allocated into that VLAN; traffic still won't go across the trunk link.

Jon
