7111 Views, 0 Helpful, 18 Replies

"allowed vlans" on trunk limits transmit, receive, or both?

grnelson
Level 1

Does adding an "allowed vlans" statement to a trunk limit the vlans transmitted on the trunk, received from the trunk, or both?

18 Replies

I would always use the "add" parameter when adding new vlans to the list. Below is the answer I think you might be looking for.

STP Configuration Guidelines

If more VLANs are defined in the VTP than there are spanning-tree instances, you can enable STP on only 64 VLANs. The remaining VLANs operate with spanning tree disabled. If the number of VLANs exceeds 128, we recommend that you enable the MSTP to map multiple VLANs to a single spanning-tree instance. For more information, see the "Configuring RSTP and MSTP."

If 64 instances of spanning tree are already in use, you can disable STP on one of the VLANs and then enable it on the VLAN where you want it to run. Use the no spanning-tree vlan vlan-id global configuration command to disable STP on a specific VLAN, and use the spanning-tree vlan vlan-id global configuration command to enable STP on the desired VLAN.


Caution: Switches that are not running spanning tree still forward BPDUs that they receive so that the other switches on the VLAN that have a running spanning-tree instance can break loops. Therefore, spanning tree must be running on enough switches to break all the loops in the network; for example, at least one switch on each loop in the VLAN must be running spanning tree. It is not absolutely necessary to run spanning tree on all switches in the VLAN; however, if you are running spanning tree only on a minimal set of switches, an incautious change to the network that introduces another loop into the VLAN can result in a broadcast storm.


Note: If you have already used all available spanning-tree instances on your switch, adding another VLAN anywhere in the VTP domain creates a VLAN that is not running spanning tree on that switch. If you have the default allowed list on the trunk ports of that switch, the new VLAN is carried on all trunk ports. Depending on the topology of the network, this could create a loop in the new VLAN that will not be broken, particularly if there are several adjacent switches that have all run out of spanning-tree instances. You can prevent this possibility by setting up allowed lists on the trunk ports of switches that have used up their allocation of spanning-tree instances. Setting up allowed lists is not necessary in many cases and can make it more labor-intensive to add another VLAN to the network.


Spanning-tree commands determine the configuration of VLAN spanning-tree instances. You create a spanning-tree instance when you assign an interface to a VLAN. The spanning-tree instance is removed when the last interface is moved to another VLAN. You can configure switch and port parameters before a spanning-tree instance is created; these parameters are applied when the spanning-tree instance is created.

That's interesting and informative.

However, it seems our CIGESM switches are not exceeding their spanning-tree limit of 64 VLANs even though there are more than 64 VLANs in the VTP database:

ibm-blade5-s2#sho vlan summ
Number of existing VLANs           : 102
Number of existing VTP VLANs      : 102
Number of existing extended VLANs : 0

ibm-blade5-s2#sho spanning-tree summ
Switch is in rapid-pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0         16         16
VLAN0007                     0         0        0         15         15
VLAN0014                     0         0        0         15         15
VLAN0103                     0         0        0         15         15
VLAN0105                     0         0        0         15         15
VLAN0110                     0         0        0         15         15
VLAN0121                     0         0        0         15         15
VLAN0129                     0         0        0         15         15
VLAN0144                     0         0        0         15         15
---------------------- -------- --------- -------- ---------- ----------
9 vlans                      0         0        0        136        136

We are limiting the Vlans on all CIGESM interfaces to only those the blade servers require....

Example:

========================================================

!        
interface GigabitEthernet0/1
description blade1
switchport trunk native vlan 99
switchport trunk allowed vlan 1,7,14,103,105,110,121,129,144
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpdufilter enable
!        
interface GigabitEthernet0/2
description blade2
switchport trunk native vlan 99
switchport trunk allowed vlan 1,7,14,103,105,110,121,129,144
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpdufilter enable

!

-----------------  etc  -----------------------------

----------------- lines removed-----------------

!
interface GigabitEthernet0/17
description extern1
switchport trunk allowed vlan 1,7,14,103,105,110,121,129,144
switchport mode trunk
channel-group 4 mode desirable
!
interface GigabitEthernet0/18
description extern2
switchport trunk allowed vlan 1,7,14,103,105,110,121,129,144
switchport mode trunk
channel-group 4 mode desirable

==============================================================================

Does the documentation you cited imply the CIGESM is forwarding other Vlans but not running spanning-tree for them?

Or does that only occur if it reaches 64 spanning-tree instances?

No, you are not above 64. What you are looking at is just the VTP advertisement telling you there are 102 vlans in the domain, and as you see with your "manual pruning" on the links only 9 are allowed across from the VTP server, so that switch only has to allocate 9 STP instances in your case. So the switch could allocate 55 more spanning tree instances if it had to. For every new vlan that is allowed across the link your spanning tree instance on the switch decreases by 1. This is only valid for manual pruning like you have done on the links. No, it is not forwarding any other vlans other than what is allowed across the links...

What causes a switch to create a spanning-tree instance? Receiving a BPDU, a VLAN-tagged packet, or both?

A switch will create an instance of STP for a vlan when -

1) the vlan exists on the switch. As you are running VTP server/client, all vlans you create on the 6500 switch will be propagated to the CIGESM switches. As Glen says, VTP transparent can be used to avoid this

AND

2) there is an active port on the switch for that vlan. This can either be an access port that has a device configured which is in the up/up state

or

it can be a trunk link that allows that vlan. This is why using "switchport trunk allowed vlan.." limits the creation of STP instances on the switch assuming you do not have a port that is in the vlan connected to an end device.

Jon
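The two mechanisms discussed in this thread, the "add" keyword on `switchport trunk allowed vlan` from the first reply and Jon's two-condition rule for when a VLAN gets a spanning-tree instance (VLAN in the database AND an active port carrying it), modelled as a small config audit in Python. This is an added example, not code from the thread or from Cisco: the sample configuration, VLAN database and set of up/up ports are constructed to mirror the blade-chassis config posted above, the 64-instance limit is the figure quoted from the Cisco guide earlier in the thread, and the function names (`parse_vlan_list`, `apply_allowed_vlan`, `parse_config`, `stp_instances`, `audit`) are this example's own.

```python
import re

MAX_PVST_INSTANCES = 64                # per-switch limit quoted in the Cisco guide excerpt above
ALL_VLANS = frozenset(range(1, 4095))  # every usable 802.1Q VLAN ID (the default allowed list)
ALLOWED_PREFIX = "switchport trunk allowed vlan "


def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '1,7,14,103-105' into a set of ints."""
    out = set()
    for part in filter(None, text.replace(" ", "").split(",")):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def apply_allowed_vlan(current, args):
    """Apply one 'switchport trunk allowed vlan <args>' to the current allowed set.
    A bare list REPLACES the list; add/remove/except/all/none edit it as IOS does."""
    kw, _, rest = args.strip().partition(" ")
    kw = kw.lower()
    if kw == "all":
        return set(ALL_VLANS)
    if kw == "none":
        return set()
    if kw == "add":
        return current | parse_vlan_list(rest)
    if kw == "remove":
        return current - parse_vlan_list(rest)
    if kw == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(args)  # no keyword: the whole list is replaced (the classic outage)


def parse_config(config):
    """Walk interface stanzas, treating the lines as the commands as typed."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = ifaces[m.group(1)] = {"mode": None, "access_vlan": 1, "shutdown": False,
                                       "allowed": set(ALL_VLANS), "explicit": False}
        elif cur is None or line == "!":
            cur = None
        elif line.startswith("switchport mode "):
            cur["mode"] = line.split()[2]
        elif line.startswith("switchport access vlan "):
            cur["access_vlan"] = int(line.split()[3])
        elif line.startswith(ALLOWED_PREFIX):
            cur["allowed"] = apply_allowed_vlan(cur["allowed"], line[len(ALLOWED_PREFIX):])
            cur["explicit"] = True
        elif line == "shutdown":
            cur["shutdown"] = True
    return ifaces


def stp_instances(config, vlan_db, up_ports):
    """VLANs that get a PVST instance under Jon's rule: present in the VLAN database
    AND carried by an active port (an up access port, or an up trunk that allows it)."""
    carried = set()
    for name, i in parse_config(config).items():
        if i["shutdown"] or name not in up_ports:
            continue
        if i["mode"] == "trunk":
            carried |= i["allowed"]
        elif i["mode"] == "access":
            carried.add(i["access_vlan"])
    return carried & set(vlan_db)


def audit(config, vlan_db, up_ports):
    """Return (instances, findings): trunks still on the default allowed list, which the
    Cisco note above warns about, plus the instance count against the 64 limit."""
    findings = []
    for name, i in parse_config(config).items():
        if i["mode"] == "trunk" and not i["explicit"]:
            findings.append(f"{name}: trunk uses the default allowed list, so any new VLAN "
                            "in the VTP domain is carried here and needs an STP instance")
    instances = stp_instances(config, vlan_db, up_ports)
    if len(instances) > MAX_PVST_INSTANCES:
        findings.append(f"{len(instances)} STP instances needed, above {MAX_PVST_INSTANCES}")
    return instances, findings


# Constructed sample input modelled on the blade-chassis config in the thread (not the real config).
SAMPLE_CONFIG = """
!
interface GigabitEthernet0/1
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,7,14,103,105,110,121,129,144
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 1,7,14
 switchport trunk allowed vlan add 103-105
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport access vlan 200
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 300
 switchport mode access
 shutdown
!
interface GigabitEthernet0/17
 switchport mode trunk
!
"""
SAMPLE_VLAN_DB = {1, 7, 14, 103, 105, 110, 121, 129, 144, 200, 201, 300}  # constructed VTP database
SAMPLE_UP = {"GigabitEthernet0/1", "GigabitEthernet0/2", "GigabitEthernet0/3"}  # assumed up/up

if __name__ == "__main__":
    inst, findings = audit(SAMPLE_CONFIG, SAMPLE_VLAN_DB, SAMPLE_UP)
    print(f"{len(inst)} STP instances:", sorted(inst))
    for f in findings:
        print("WARNING:", f)
    # Bring the default-list trunk up and every VLAN in the database needs an instance.
    print(len(stp_instances(SAMPLE_CONFIG, SAMPLE_VLAN_DB, SAMPLE_UP | {"GigabitEthernet0/17"})))
```

With Gi0/17 down the model needs ten instances (VLAN 104 is allowed on Gi0/2 but absent from the database, and VLAN 300 sits behind a shut port); once the default-list trunk comes up, every VLAN in the database gets one, which is the situation the Cisco note describes. A bare `switchport trunk allowed vlan 50` returns `{50}`, replacing the list, which is why the first reply recommends `add`. Note that the native VLAN is carried only when it is also in the allowed list, so native VLAN 99 on the blade ports, absent from the list, is not counted here. The parser treats lines as typed commands; a saved running-config already shows the merged allowed list.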
