Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7609
Views
0
Helpful
7
Replies

Best practices for trunking two switches?

Go to solution
clybumat1
Level 1
Level 1

‎03-14-2017 06:43 AM - edited ‎03-08-2019 09:44 AM

We are deploying a temporary solution and trunking one switch to another via x-over cable. 

What are the best practices to follow in this situation to allow for the ideal setup?

Right now I just have the ports on the two switches with the "switchport mode trunk" command.  But should we only allow the VLANs that need to be sent over the links, ie "switchport trunk allowed vlan 5,6,7"? 

Are there other commands to apply on the two ports to follow best practice?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Julio E. Moisa
VIP
VIP

‎03-14-2017 07:20 AM

Hi

There are many commands to be used under the trunk interfaces, but basically you need to take in consideration:

- A different native vlan than the vlan 1, for security purposes the vlan 1 should be shutdown. Example:

switchport trunk native vlan 100 

- Disable DTP or negotiation on your interface trunk
        switchport nonegotiate 

- You could just allow specific vlans through your interface trunk.
        switchport trunk allowed vlan A,B,C

- Configure storm-control to generate traps in order to see if there is a lot of multicast or broadcast traffic. Example:
       storm-control multicast level 40 20
       storm-control broadcast level 40 20
       storm-control action trap

Do Not configure bpduguard or spanning-tree portfast on your trunk interfaces. 

Hope it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

0 Helpful

Go to solution
Julio E. Moisa
VIP
VIP
In response to clybumat1

‎03-14-2017 07:33 AM

Hi,

That is correct, on both switches, In order to disable the vlan 1 you can use:

interface vlan 1
shutdown

The new native vlan must be used for that role only not be used for end users.

I remember not all the switches support switchport nonegotiate but with switchport mode trunk should be enough. 

You can also include the following command to generate logs and keep it under monitoring:

logging link-status

Most of the switches support this command, other has it already applied.

switchport trunk encapsulation dot1q




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Julio E. Moisa
VIP
VIP

‎03-14-2017 07:20 AM

Hi

There are many commands to be used under the trunk interfaces, but basically you need to take in consideration:

- A different native vlan than the vlan 1, for security purposes the vlan 1 should be shutdown. Example:

switchport trunk native vlan 100 

- Disable DTP or negotiation on your interface trunk
        switchport nonegotiate 

- You could just allow specific vlans through your interface trunk.
        switchport trunk allowed vlan A,B,C

- Configure storm-control to generate traps in order to see if there is a lot of multicast or broadcast traffic. Example:
       storm-control multicast level 40 20
       storm-control broadcast level 40 20
       storm-control action trap

Do Not configure bpduguard or spanning-tree portfast on your trunk interfaces. 

Hope it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Go to solution
clybumat1
Level 1
Level 1
In response to Julio E. Moisa

‎03-14-2017 07:20 AM

Hi Julio, thanks for the reply. 

So for disabling DTP, more specifically would we apply the "switchport nonegotiate" command on both ends of the trunk?

Native vlan 1 is shutdown by the way on both switches.

0 Helpful

Go to solution
Julio E. Moisa
VIP
VIP
In response to clybumat1

‎03-14-2017 07:33 AM

Hi,

That is correct, on both switches, In order to disable the vlan 1 you can use:

interface vlan 1
shutdown

The new native vlan must be used for that role only not be used for end users.

I remember not all the switches support switchport nonegotiate but with switchport mode trunk should be enough. 

You can also include the following command to generate logs and keep it under monitoring:

logging link-status

Most of the switches support this command, other has it already applied.

switchport trunk encapsulation dot1q




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Go to solution
clybumat1
Level 1
Level 1
In response to Julio E. Moisa

‎03-14-2017 07:33 AM

Ok great info.  Thanks again!

0 Helpful

Go to solution
Julio E. Moisa
VIP
VIP
In response to clybumat1

‎03-14-2017 07:35 AM

It was a pleasure my friend.

Have a good day!

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

Go to solution
Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Julio E. Moisa

‎03-14-2017 08:01 AM

Just want to add, be careful when using storm-control options.  The problem is knowing what's normal vs. what's not volume.

0 Helpful

Go to solution
clybumat1
Level 1
Level 1
In response to Joseph W. Doherty

‎03-14-2017 08:11 AM

Indeed.  We have storm control configured on our other switch uplinks ,set to 50.00.  So I plan to set this on the trunk links. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card