Thanks, I believe you. My boss may not be satisfied. Can you

cite a cisco document that clarifies what "allowed vlans" does?

We had a serious network interruption last Friday. I added a Vlan to a 6509 VTP server. A number of IBM blade centers went down because the CIGESM switches were exceeding their limit of 64 spanning-tree instances. We had previously configured "allowed vlans" on the trunks between the 6509's and the CIGESM switches. That didn't help. CIGESM log messages indicated they were receiving vlan-tagged packets from the blades outside those in the allowed list.

So, we added "allowed vlans" to each blade trunk interface. That fixed it. However we were puzzled since we assumed "allowed vlans" only limited transmitted vlans. Blocking only vlans transmitted to the blades would not have stopped the spurious vlan traffic from the blades.

Thanks for your answer.

We had a serious network interruption last Friday. I added a Vlan to a 6509 VTP server. A number of IBM blade centers went down because the CIGESM switches were exceeding their limit of 64 spanning-tree instances. We had previously configured "allowed vlans" on the trunks between the 6509's and the CIGESM switches. That didn't help. CIGESM log messages indicated they were receiving vlan-tagged packets from the blades outside those in the allowed list.

Haven't worked on those blades so how do the CIGESM switches relate to the blades ?? Not sure what you mean when you say CIGESM log messages indicated they were receiving vlan-tagged packets from the blades outside those in the allowed list.?

Jon

There are a pair of CIGESM running IOS 12.1 in each blade chassis. Each switch connects to each blade over a trunk and has four interfaces to the network. Here are some log messages showing the CIGESM complaining about Vlans received on the blade interfaces numbered G0/1 -G0/14:

grnelson wrote:
There are a pair of CIGESM running IOS 12.1 in each blade chassis. Each switch connects to each blade over a trunk and has four interfaces to the network. Here are some log messages showing the CIGESM complaining about Vlans received on the blade interfaces numbered G0/1 -G0/14:
y4w: %LINEPROTO-5-UPDOWN: Line protocol on  Interface GigabitEthernet0/14, changed state to up
1y4w: %LINEPROTO-5-UPDOWN:  Line protocol on Interface GigabitEthernet0/14, changed state to down
1y4w:  %SPANTREE_VLAN_SW-2-MAX_INSTANCE: Platform limit of 64 STP instances exceeded.  No instance created for VLAN5 (port Gi0/14).
1y4w: %LINEPROTO-5-UPDOWN: Line  protocol on Interface GigabitEthernet0/14, changed state to up
1y4w:  %SPANTREE_VLAN_SW-2-MAX_INSTANCE: Platform limit of 64 STP instances exceeded.  No instance created for VLAN202 (port Gi0/1).
1y4w:  %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on  GigabitEthernet0/17.
1y4w: %PM-4-ERR_DISABLE: loopback error detected on  Gi0/17, putting Gi0/17 in err-disable state
1y4w: %LINEPROTO-5-UPDOWN: Line  protocol on Interface GigabitEthernet0/17, changed state to down
1y4w:  %LINK-3-UPDOWN: Interface GigabitEthernet0/17, changed state to down
1y4w:  %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on  GigabitEthernet0/18.
1y4w: %PM-4-ERR_DISABLE: loopback error detected on  Gi0/18, putting Gi0/18 in err-disable state
1y4w: %LINEPROTO-5-UPDOWN: Line  protocol on Interface GigabitEthernet0/18, changed state to down
1y4w:  %LINK-3-UPDOWN: Interface GigabitEthernet0/18, changed state to  down

So the CIGESM switches connect back to the 6500 switches ??  And the blade interfaces have to go via the CIGESM to get to the 6500 ?

Is that correct ??

If so on which interfaces did you have allowed vlan configured on ?

Jon

Yes, that is correct. We had a similar problem where the blade switches (CIGESM) were exceeding their limit of 64 spanning tree instances about a year ago. At that time we added "allowed vlans" statements to both ends of the trunks between the 6509's and the CIGESM's. That solved the problem until last Friday. Adding another vlan to our vlan list caused havoc and the CIGESM's were once again exceeding their spanning-tree limit.

This time we copied the allowed vlan list to each blade trunk interface which corrected the problem once again.

No one can explain why the blades were emitting vlan packets for vlans not in the "allowed" list.

grnelson wrote:
Yes, that is correct. We had a similar problem where the blade switches (CIGESM) were exceeding their limit of 64 spanning tree instances about a year ago. At that time we added "allowed vlans" statements to both ends of the trunks between the 6509's and the CIGESM's. That solved the problem until last Friday. Adding another vlan to our vlan list caused havoc and the CIGESM's were once again exceeding their spanning-tree limit.
This time we copied the allowed vlan list to each blade trunk interface which corrected the problem once again.
No one can explain why the blades were emitting vlan packets for vlans not in the "allowed" list.

Unfortunately i had a quick look and couldn't find anything to corroborate what i said originally but i have seen the behaviour before so i'm sure that's the way it works.

You say you are using VTP server/client setup. How many vlans are there actually on the CIGESM switch ??

Jon

Here is what is on our 6509 VTP server:

gcw-r65-5dgrn#sho vlan summ
Number of existing VLANs           : 102
Number of existing VTP VLANs      : 102
Number of existing extended VLANs : 0

This is from a CIGESM:

ibm-blade5-s2#sho vlan summ
Number of existing VLANs           : 102
Number of existing VTP VLANs      : 102
Number of existing extended VLANs : 0

The CIGESM's are VTP clients.

grnelson wrote:
Here is what is on our 6509 VTP server:

gcw-r65-5dgrn#sho vlan summ
Number of existing VLANs           : 102
Number of existing VTP VLANs      : 102
Number of existing extended VLANs : 0
This is from a CIGESM:

ibm-blade5-s2#sho vlan summ
Number of existing VLANs           : 102
Number of existing VTP VLANs      : 102
Number of existing extended VLANs : 0
The CIGESM's are VTP clients.

Okay, so 64 of those 102 vlans on the CIGESM either have a trunk with the vlan allowed on or an active port in that vlan. I say this because for an STP instance to be started on a switch the vlan must either be part of a trunk ot have an active port for that vlan.

The new vlan you added, is there any chance one of the blades was in this vlan or there was any active port in this vlan on the CIGESM ?

Jon

BTW, this is the manual for the CIGESM switches.

   Is it possible that you   didn't use the add parameter which I think will allow everything across ?    It should have been  "switchport trunk allowed vlan add XX "  .   If you didn't  use the "add" parameter by  mistake (switchport trunk allowed vlan XX)  I think it will allow everything which would then overrun  the STP instances.  Myself i would make the blades transparent and just create and allow what you need on the blades directly.  This would avoid the issue you ran into .  If you are going to manually prune the links with the switchport trunk allowed parameter , use it on both ends of the link, on the 6509 and  the bladeserver switches... The switches will allocate a spanning tree instance for everything that is allowed across those links even if those vlans are not used on the blades.. Those blade server switches is basically a 2950 on a card .

We enter the entire vlan list each time we configure the "allowed vlans".

I have another related question.

We had previously limited vlans on both ends of the trunks between the CIGESM switches and the 6509 switches using the "allowed vlans" statement.

The longest list had fewer than 20 vlans yet the CIGESM switch's log files were reporting they had already reached their limit of 64 spanning-tree instances. Log messages indicated blades were issuing packets for Vlans not in the "allowed" list.

What causes a switch to create a spanning-tree instance? Receiving a BDPU, a Vlan-tagged packet, or both?