Cisco Support Community
New Member

Trunk Allowed VLAN question

Hello,

I have two switches connected: a core and an access switch. The trunk ports between the switches are configured to allow only certain VLANs, because I don't want the access switch to see all the VLANs. However, the access switch still sees all the VLANs.

When I type the command "show interface trunk" on both switches, I see that the configuration looks OK. The only difference I see is that on the core switch the "Vlans in spanning tree forwarding state and not pruned" entry has only 2 of the VLANs, while the access switch has 4.

Core Switch

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan XX
 switchport trunk allowed vlan 405,410,430,496
 switchport mode trunk
end

sho int trunk:

Port                Mode         Encapsulation  Status        Native vlan
Gi1/1               on           802.1q         trunking      XX

Port                Vlans allowed on trunk
Gi1/1               405,410,430,496

Port                Vlans allowed and active in management domain
Gi1/1               405,410,430,496

Port                Vlans in spanning tree forwarding state and not pruned
Gi1/1               410,496

 

Access Switch:

interface GigabitEthernet0/52
 switchport trunk encapsulation dot1q
 switchport trunk native vlan XX
 switchport trunk allowed vlan 405,410,430,496
 switchport mode trunk
end

sho int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/52      on               802.1q         trunking      XX

Port        Vlans allowed on trunk
Gi0/52      405,410,430,496

Port        Vlans allowed and active in management domain
Gi0/52      405,410,430,496

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/52      405,410,430,496

 

Any ideas on what could be wrong, and why the access switch can see all the VLANs?

1 ACCEPTED SOLUTION


If you are using VTP, your access switch will know of the existence of all the VLANs, even if it does not participate in them.  In fact, for any VLAN for which there are no ports on the access switch (including the uplink), a "show spanning-tree vlan nnn" will tell you there is no Spanning-Tree instance for that VLAN.  I guess that is how you would want it.

Now, in your case, your trunk is carrying VLANs 405, 410, 430, and 496, so there should be Spanning-Tree instances for at least those four.  There will not be any other Spanning-Tree instances unless you have configured some access port with some other VLAN, in which case you will have an STP instance but it will be disconnected from the rest of your network.

Also, in your case, it looks like the core switch has pruned 405 and 430 from the trunk.  This is because your access switch has told it (via VTP) that it does not have any clients in those VLANs for the moment.  The Spanning Tree is still there, but the trunk is not passing any traffic on those VLANs because the access switch does not need them at the moment.

 

Hope this helps.

Kevin Dorrell

Luxembourg

8 REPLIES
New Member

Is the access switch learning the VLANs using VTP, or do you create them manually?

Are VLANs 405 and 430 the VLANs that you don't want the access switch to see?

Which command did you use to permit only some VLANs to the access switch?

New Member

Fabio,

I'm using VTP for VLAN learning.

VLANs 405, 410, 430 and 496 are the only ones I want to allow to the access switch, and nothing else. However, the access switch still sees all the other VLANs (including the ones mentioned).

The command I used was "switchport trunk allowed vlan 405,410,430,496" on both sides (core and access switches).

 

Cisco Employee

Can you try to bounce the port once?

Check the following on the core switch:

Port                Vlans allowed and active in management domain
Gi1/1               405,410,430,496

Port                Vlans in spanning tree forwarding state and not pruned
Gi1/1               410,496

 

1) show vlan id 405 & 430 ---> Make sure you see these VLANs in the VLAN database with port G1/1 associated.

2) sh spanning-tree vlan 405 & 430 ---> G1/1 status (root or designated)

3) show int G1/1 switchport ---> port should show as trunk and parameters should look okay.

4) show spanning-tree g1/1

5) If this switch is not in production, try to reload it.

 

HTH

Regards

Inayath

 

 

 

New Member

Thanks for all the responses.

Maybe I'm a bit confused and everything is working the way it should.

Although I can see all the VLANs on the access switch, when I do a "show spanning-tree vlan XX" (a VLAN that is not allowed in the trunk config) I get nothing, which makes me think that the setup may be working correctly.

What is throwing me off is that the switch sees all the VLANs, which I thought should not happen if you only allow certain VLANs on the trunk.

Bronze

Hi,

your configuration looks correct...

What do you mean when you say that the access switch sees all VLANs?

How do you check this? Not, by any chance, with the command "show vlan"? "Seeing the VLANs" and "seeing the traffic of these VLANs" are not the same thing...

Your access switch sees all VLANs because they are propagated to the switch by VTP, but the access switch doesn't "see the traffic" of the VLANs that are not allowed on the trunk...

You can check this for yourself with the command "show mac address-table vlan <ID of a VLAN not allowed on the trunk>".
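A small audit script, added here as an example and not taken from any post in this thread or from Cisco: it parses the two "show interfaces trunk" captures quoted above (the native VLAN was redacted as XX in the posts and is kept as text) together with a constructed "show vlan brief" sample, and separates the three sets the thread keeps running together: the VLANs a switch knows about (the VTP-learned list that "show vlan" displays), the VLANs allowed on the trunk, and the VLANs actually forwarding (allowed, active and not pruned). The difference active minus forwarding reproduces the pruned 405 and 430 from the accepted answer, and the known-but-not-allowed set is exactly what is meant above by "seeing the VLAN" without "seeing its traffic". The "show vlan brief" text, its VLAN names and the Gi0/xx access ports in it are constructed for the example.

```python
import re

# 'show interfaces trunk' captures copied from the two posts (native VLAN redacted as XX there).
CORE_SHOW_INT_TRUNK = """\
Port                Mode         Encapsulation  Status        Native vlan
Gi1/1               on           802.1q         trunking      XX
Port                Vlans allowed on trunk
Gi1/1               405,410,430,496
Port                Vlans allowed and active in management domain
Gi1/1               405,410,430,496
Port                Vlans in spanning tree forwarding state and not pruned
Gi1/1               410,496
"""
ACCESS_SHOW_INT_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/52      on               802.1q         trunking      XX
Port        Vlans allowed on trunk
Gi0/52      405,410,430,496
Port        Vlans allowed and active in management domain
Gi0/52      405,410,430,496
Port        Vlans in spanning tree forwarding state and not pruned
Gi0/52      405,410,430,496
"""
# Constructed 'show vlan brief' (not from the thread): a VTP client lists every
# VLAN in the domain even though its only trunk carries four of them.
ACCESS_SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
1    default                          active    Gi0/1, Gi0/2
100  servers                          active
405  users-a                          active    Gi0/10, Gi0/11
410  users-b                          active    Gi0/20
430  printers                         active
496  mgmt                             active
1002 fddi-default                     act/unsup
"""
SECTIONS = {"Vlans allowed on trunk": "allowed",
            "Vlans allowed and active in management domain": "active",
            "Vlans in spanning tree forwarding state and not pruned": "forwarding"}

def expand_vlan_list(text):
    """'1,3-5,400' -> {1, 3, 4, 5, 400}; 'none' -> empty set."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_int_trunk(output):
    """{port: {'native': str, 'allowed': set, 'active': set, 'forwarding': set}}"""
    trunks, section, last_port = {}, None, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            header = line[4:].strip()
            section = "status" if header.startswith("Mode") else SECTIONS.get(header)
            continue
        if line[0].isspace():
            # IOS wraps long VLAN lists onto indented continuation lines.
            if last_port and section in SECTIONS.values():
                trunks[last_port][section] |= expand_vlan_list(line)
            continue
        port, _, rest = line.partition(" ")
        last_port = port
        entry = trunks.setdefault(port, {})
        if section == "status":
            entry["native"] = rest.split()[-1]
        elif section in SECTIONS.values():
            entry[section] = expand_vlan_list(rest)
    return trunks

def parse_show_vlan_brief(output):
    """{vlan_id: (name, status)} for every VLAN row of 'show vlan brief'."""
    rows = re.finditer(r"^(\d+)\s+(\S+)\s+(\S+)", output, re.MULTILINE)
    return {int(m.group(1)): (m.group(2), m.group(3)) for m in rows}

def audit(core_trunk, access_trunk, access_vlan_db):
    """Compare both ends of one trunk with the access switch's VLAN database."""
    return {
        # Allowed on one end but not the other: that VLAN is dropped at the mismatch.
        "allowed_mismatch": core_trunk["allowed"] ^ access_trunk["allowed"],
        # Active but not forwarding: VTP pruned it because the far end has no ports in it.
        "core_pruned": core_trunk["active"] - core_trunk["forwarding"],
        "access_pruned": access_trunk["active"] - access_trunk["forwarding"],
        # Listed by 'show vlan' (learned via VTP) but never carried: "seen", no traffic.
        "known_not_carried": set(access_vlan_db) - access_trunk["allowed"],
    }

def run():
    core = parse_show_int_trunk(CORE_SHOW_INT_TRUNK)["Gi1/1"]
    access = parse_show_int_trunk(ACCESS_SHOW_INT_TRUNK)["Gi0/52"]
    return audit(core, access, parse_show_vlan_brief(ACCESS_SHOW_VLAN_BRIEF))

if __name__ == "__main__":
    for check, vlans in run().items():
        print(f"{check:18} {sorted(vlans) or 'none'}")
```

Run it as-is to see the four sets for the captures above; to audit a real trunk, paste the output of "show interfaces trunk" from both ends and "show vlan brief" from the access switch into the three constants. An empty "allowed_mismatch" and a "core_pruned" that is not empty is the normal picture for a VTP-pruned trunk; the only unexpected finding in this thread would have been a non-empty "allowed_mismatch".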

 

New Member

Thanks for your explanation. It clarified my doubts.


New Member

Kevin you are correct!

VTP is configured, so that's the reason I see all the VLANs on that switch. And spanning-tree does not see any of the not-allowed VLANs.

Thanks for the explanation. Everything is working OK.

 

 
