Andrew Sinclair

Cleaning up layer two.

I'm going through the fun task of migrating twenty-odd access switches to a new distribution layer.

The downside seems to be that it looks as if there has been no deprovisioning process on these switches, and they have unused vlans still active in the switches' management domain and being trunked with the heinous 'switchport trunk allowed vlans all'.

Before the migration takes place I would like to clean this all up by removing the vlans from the switches that are not in use and restricting the allowed vlan list on the uplinks to only the layer two traffic that needs to span via the distribution layer. I would like to tell you how I plan on doing this and see if you can point out any gotchas that I have overlooked:

1. For each vlan in the switches' management domain: 'show vlan brief'

     Run 'show mac address-table vlan X | ex CPU'

If the results show:

SWITCH#show mac address-table vlan 123 | ex CPU
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
Total Mac Addresses for this criterion: 20

        This shows that no mac addresses are present within this vlan and the vlan is not in use at all.

        This vlan can then be removed with the 'no vlan X' command.

2. To restrict the traffic spanning to the distribution layer I would complete the same command:

     'show mac address-table vlan X | ex CPU'

     If only mac addresses for this vlan are seen on the interswitch trunk and no mac addresses are seen from any of the other local switch interfaces, then this would show that no devices attached to the switch are using this vlan; only the system or dynamic macs of other devices on the fabric are being learnt from the interswitch trunk.

   These vlans can again be removed on the switch with the 'no vlan X' command. Once the vlans have been removed from the switch, the device will remove them from the uplink's allowed list: 'show int trunk | i X' ('X' again means the vlan number).

This all hangs on the fact that even if one of these vlans is in use and assigned to a trunk, if it's in use it must generate mac addresses to function on ethernet, so if there are no mac addresses showing then, as far as I see it, the vlan is inactive and can be removed.

Can anyone point out anything that I am missing, or see any problems with this logic?

Your thoughts are appreciated. Thanks.
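As an added example (not code from the post or its replies), here is a Python script that applies the two checks above, plus the port-assignment check, to captured CLI output: it parses a constructed 'show vlan brief' sample and per-vlan 'show mac address-table vlan X | ex CPU' bodies, classifies each vlan, and emits the 'no vlan' lines together with an explicit allowed list for the uplink. The interface names (Gi1/0/49 as the uplink), vlan numbers and MAC addresses are all assumptions.

```python
import re
# Constructed 'show vlan brief' sample (not from the post): VLAN 20 is assigned a
# port but has no MAC learnt, 30 is seen only via the uplink, 40 is idle.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------
10   users                            active    Gi1/0/3, Gi1/0/4
20   printers                         active    Gi1/0/5
30   legacy                           active
40   old-lab                          active
"""
# Constructed 'show mac address-table vlan X | ex CPU' bodies, keyed by VLAN id.
MAC_TABLES = {
    10: "  10    0011.2233.4466    DYNAMIC     Gi1/0/3\n  10    0011.2233.4477    DYNAMIC     Gi1/0/49\n",
    20: "",
    30: "  30    0011.2233.4488    DYNAMIC     Gi1/0/49\n",
    40: "",
}
UPLINK = "Gi1/0/49"  # assumed name of the trunk towards the distribution layer

def parse_vlan_brief(text):
    """Map VLAN id -> set of assigned ports (assumes one line per VLAN, no spaces in names)."""
    vlans = {}
    for m in re.finditer(r"^(\d+)[ \t]+\S+[ \t]+\S+[ \t]*(.*)$", text, re.M):
        vlans[int(m.group(1))] = {p.strip() for p in m.group(2).split(",") if p.strip()}
    return vlans

def classify(vlan_brief, mac_tables, uplink):
    """The post's MAC-table checks plus the reply's port check. Caveat: the MAC table
    only holds hosts that sent frames within the aging time, so sample more than once."""
    verdict = {}
    for vid, ports in parse_vlan_brief(vlan_brief).items():
        learnt = set(re.findall(r"(?:DYNAMIC|STATIC)\s+(\S+)", mac_tables.get(vid, "")))
        if learnt - {uplink}:
            verdict[vid] = "in-use"           # MACs on local interfaces: keep
        elif ports:
            verdict[vid] = "assigned-silent"  # port assigned, no MAC yet: review first
        elif learnt:
            verdict[vid] = "trunk-only"       # learnt only via the uplink: no local user
        else:
            verdict[vid] = "unused"
    return verdict

def cleanup_commands(verdict, uplink):
    """'no vlan' for removable VLANs, then an explicit allowed list on the uplink."""
    remove = sorted(v for v, s in verdict.items() if s in ("trunk-only", "unused"))
    keep = sorted(v for v in verdict if v not in remove)
    return [f"no vlan {v}" for v in remove] + [f"interface {uplink}",
            "switchport trunk allowed vlan " + ",".join(map(str, keep))]
```

Run the classification on several snapshots taken across the MAC aging period and only act on vlans that stay "trunk-only" or "unused" in all of them.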

Reza Sharifi
Hall of Fame Expert

The other thing you can do to make sure you are not deleting any vlan that has a port in it is to issue "sh vlan id x", and if no active port is in that vlan then it can be deleted.