Trunk Allowed VLAN question

GFernandez07
Level 1

Hello,

I have two switches connected: a core and an access switch. The trunk ports between the switches are configured to only allow certain VLANs, because I don't want the access switch to see all the VLANs. However, the access switch still sees all the VLANs.

When I type the command "show interface trunk" on both switches I see that the configuration looks OK. The only difference I see is that on the core switch the "Vlans in spanning tree forwarding state and not pruned" entry has only 2 of the VLANs, and the access switch has 4.

Core Switch

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan XX
 switchport trunk allowed vlan 405,410,430,496
 switchport mode trunk
end

sho int trunk:

Port                Mode         Encapsulation  Status        Native vlan
Gi1/1               on           802.1q         trunking      XX

Port                Vlans allowed on trunk
Gi1/1               405,410,430,496

Port                Vlans allowed and active in management domain
Gi1/1               405,410,430,496

Port                Vlans in spanning tree forwarding state and not pruned
Gi1/1               410,496

Access Switch:

interface GigabitEthernet0/52
 switchport trunk encapsulation dot1q
 switchport trunk native vlan XX
 switchport trunk allowed vlan 405,410,430,496
 switchport mode trunk
end

sho int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/52      on               802.1q         trunking      XX

Port        Vlans allowed on trunk
Gi0/52      405,410,430,496

Port        Vlans allowed and active in management domain
Gi0/52      405,410,430,496

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/52      405,410,430,496

Any ideas on what could be wrong, and why the access switch can see all the VLANs?

Accepted Solution

Kevin Dorrell
Level 10

If you are using VTP, your access switch will know of the existence of all the VLANs, even if it does not participate in them.  In fact, for any VLAN for which there are no ports on the access switch (including the uplink), a "show spanning-tree vlan nnn" will tell you there is no Spanning-Tree instance for that VLAN.  I guess that is how you would want it.

Now, in your case, your trunk is carrying VLANs 405, 410, 430, and 496, so there should be Spanning-Tree instances for at least those four.  There will not be any other Spanning-Tree instances unless you have configured some access port with some other VLAN, in which case you will have an STP instance but it will be disconnected from the rest of your network.

Also, in your case, it looks like the core switch has pruned 405 and 430 from the trunk.  This is because your access switch has told it (via VTP) that it does not have any clients in those VLANs for the moment.  The Spanning Tree is still there, but the trunk is not passing any traffic on those VLANs because the access switch does not need them at the moment.

Hope this helps.

Kevin Dorrell

Luxembourg

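As an added example (not from this thread or from Cisco), a small Python audit that parses the three VLAN-list sections of "show interfaces trunk" from both ends of a trunk, flags any disagreement between the two allowed lists, and reports VLANs that are allowed and active but currently VTP-pruned (exactly the 405/430 case above). The sample output is reconstructed from the posts; the parser also expands ranges such as 410-412 and the "none" value that real output can contain.

```python
# Constructed samples: the three VLAN-list sections of 'show interfaces trunk'
# as posted for the core switch (Gi1/1) and the access switch (Gi0/52).
CORE = """\
Port                Vlans allowed on trunk
Gi1/1               405,410,430,496
Port                Vlans allowed and active in management domain
Gi1/1               405,410,430,496
Port                Vlans in spanning tree forwarding state and not pruned
Gi1/1               410,496
"""
ACCESS = """\
Port        Vlans allowed on trunk
Gi0/52      405,410,430,496
Port        Vlans allowed and active in management domain
Gi0/52      405,410,430,496
Port        Vlans in spanning tree forwarding state and not pruned
Gi0/52      405,410,430,496
"""
SECTIONS = {  # section headings we parse, mapped to short keys
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}

def expand_vlans(spec):
    """Expand a VLAN list such as '405,410-412,496' ('none' -> empty) into ints."""
    vlans = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",") if p and p != "none"):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(text):
    """Return {port: {"allowed"/"active"/"forwarding": set of VLAN ids}}."""
    ports, key = {}, None
    for line in text.splitlines():
        parts = line.split(None, 1)                 # [port-or-"Port", rest]
        if len(parts) == 2 and parts[0] == "Port":  # section heading line
            key = SECTIONS.get(parts[1].strip())
        elif len(parts) == 2 and key:               # "<port>  <vlan-list>" row
            ports.setdefault(parts[0], {})[key] = expand_vlans(parts[1].strip())
    return ports

def audit_trunk(local, local_port, remote, remote_port):
    """Allowed-list mismatch between the ends, plus VLANs VTP-pruned at each end."""
    l, r = local[local_port], remote[remote_port]
    return {
        "allowed_mismatch": l["allowed"] ^ r["allowed"],
        "pruned_on_local": l["active"] - l["forwarding"],
        "pruned_on_remote": r["active"] - r["forwarding"],
    }
```

A non-empty "allowed_mismatch" is the finding to act on: the allowed list is what bounds which VLANs the trunk carries regardless of what VTP advertises, so both ends should agree, while "pruned_on_*" entries are dynamic and will change as clients join or leave those VLANs.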

8 Replies

Fabio N.
Level 1

Is the access switch learning the VLANs using VTP, or do you create them manually?

Are VLANs 405 and 430 the VLANs that you don't want the access switch to see?

Which command did you use to only permit some VLANs to the access switch?

Fabio,

I'm using VTP for VLAN learning.

VLANs 405,410,430,496 are the only ones I want to allow to the access switch, and nothing else. However, the access switch still sees all the other VLANs (including the ones mentioned).

The command I used was "switchport trunk allowed vlan 405,410,430,496" on both sides (core and access switches).

Can you try to bounce the port once?

Check the following on the core switch:

Port                Vlans allowed and active in management domain
Gi1/1               405,410,430,496

Port                Vlans in spanning tree forwarding state and not pruned
Gi1/1               410,496

1) show vlan id 405 & 430 ----> Make sure you see these VLANs in the VLAN database with port G1/1 associated.

2) sh spanning-tree vlan 405 & 430 ---> G1/1 status (root or designated)

3) show int G1/1 switchport -- the port should show as trunk and the parameters should look okay.

4) show spanning-tree g1/1

5) If this switch is not in production, try to reload it.

HTH

Regards

Inayath

Thanks for all the responses.

Maybe I'm a bit confused and everything is working the way it should.

Although I can see all the VLANs on the access switch, when I do a "show spanning-tree vlan XX" (a VLAN that is not allowed in the trunk config) I get nothing, which makes me think that the setup may be working correctly.

What is throwing me off is that the switch sees all the VLANs, which I thought it should not if you only allow certain VLANs on the trunk.

Hi,

Your configuration looks correct...

What do you mean when you say that the access switch sees all VLANs?

How do you check this? Not accidentally with the command "show vlan"? "Seeing VLANs" and "seeing the traffic of these VLANs" are not the same thing...

Your access switch sees all VLANs because they are propagated to the switch by VTP, but the access switch doesn't "see the traffic" of the VLANs not allowed on the trunk...

You can see this for yourself via the command "show mac address-table vlan <not-allowed VLAN ID>".

Thanks for your explanation. It clarified my doubts.

Kevin you are correct!

VTP is configured, so that's the reason I see all the VLANs on that switch. And spanning-tree does not see any of the not-allowed VLANs.

Thanks for the explanation. Everything is working OK.
