4788 Views, 0 Helpful, 11 Replies

How to Determine Unused VLANs per Switch??

mctiesman (Level 1)

So we ran into an issue today where we were hitting the limit of the number of allowed vlans on a switch (128). We are trying to find out an efficient way to determine what vlans are not needed on a switch so that we can clean them up to get us below the 128 threshold. Being that our environment is so large, doing this process by manual commands is not ideal. I am putting this to the community in the hopes of finding someone that may have a script or other efficient process for accomplishing this. Look forward to the responses.

Regards,
Mark       

11 Replies

Reza Sharifi (Hall of Fame)

Not sure about doing this with a script, but you can certainly do it manually. Do a sh vlan on each switch; the vlans that don't have any active ports assigned to them can be removed.  Just be careful not to remove your management vlan.

HTH

Leo Laohoo (Hall of Fame)

So we ran into an issue today where we were hitting the limit of the number of allowed vlans on a switch (128).

Describe your network.  It's rare to find 128 VLANs being used.

I work for the University of Wisconsin. We have thousands of switches on campus with hundreds of vlans in use. It is not uncommon for us to have more than 128 vlans on a switch, which obviously causes an issue. Of course we are not using 128 vlans per switch, which is why we are trying to find an efficient process to remove the vlans not in use so we are no longer hitting the max 128 vlan limit per switch. Here is an example of a switch and the number of vlans on it currently:

Number of existing VLANs               : 131
Number of existing VTP VLANs           : 67
Number of existing extended VLANs      : 64

Regards, Mark

Number of existing VLANs               : 131

I'm not sure what switch you are using; Catalyst switches should support up to 1005 VLANs.

What you are doing is going to be a temporary solution.  Particularly with buildings as part of the large campus, you may want to think about segmenting each building into a unique Layer 3 network.  I am talking about long term.

The problem with "removing VLANs" not used in BLAH weeks is that it isn't going to work well, because some ports can be dormant only while some teaching staff don't find a use for them.  This is particularly true when you have staff on leave or long leave (like maternity leave).

The fastest way to determine this is to do a "sh interface vlan <id>".

Switch#sh int vlan 15
Vlan15 is up, line protocol is up
  Hardware is EtherSVI, address is 7c95.f37e.2040 (bia 7c95.f37e.2040)
  Description: SNET-NWLP-Netman
  Internet address is 10.175.78.1/25
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:58, output 00:00:58, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     236501 packets input, 21191444 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     1179289 packets output, 76813090 bytes, 0 underruns
     0 output errors, 2 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

Look at the highlighted items above.  Now compare with the one below:

Switch#sh int vlan 17
Vlan17 is up, line protocol is up
  Hardware is EtherSVI, address is 7c95.f37e.2040 (bia 7c95.f37e.2040)
  Description: SNET-NWLP-DMZ
  Internet address is 203.62.103.1/25
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 21w5d, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     3 packets output, 180 bytes, 0 underruns
     0 output errors, 2 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

This is an indication that this VLAN, 17, hasn't been used for a long time.
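To apply Leo's "sh interface vlan" test across many switches rather than by eye, here is an added Python example (not code from the thread or from Cisco). It parses the "Last input/output" ages and the packet counters out of saved show-interface text and flags SVIs that have been silent longer than a threshold. The two sample texts are constructed, trimmed copies of the outputs quoted above; the 30-day idle threshold and the idea that the outputs were already collected to files are assumptions.

```python
import re

# Constructed samples: the two "show interface vlan" outputs quoted above,
# trimmed to the lines the classifier reads (Vlan15 busy, Vlan17 idle).
SVI_VLAN15 = """Vlan15 is up, line protocol is up
  Description: SNET-NWLP-Netman
  Internet address is 10.175.78.1/25
  Last input 00:00:58, output 00:00:58, output hang never
     236501 packets input, 21191444 bytes, 0 no buffer
     1179289 packets output, 76813090 bytes, 0 underruns
"""

SVI_VLAN17 = """Vlan17 is up, line protocol is up
  Description: SNET-NWLP-DMZ
  Internet address is 203.62.103.1/25
  Last input never, output 21w5d, output hang never
     0 packets input, 0 bytes, 0 no buffer
     3 packets output, 180 bytes, 0 underruns
"""

_UNIT_SECONDS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600}


def ios_age_seconds(token):
    """Convert an IOS 'Last input/output' age to seconds.
    'never' -> None; 'HH:MM:SS'; compound forms such as '21w5d', '3d04h', '1y2w'."""
    if token == "never":
        return None
    m = re.fullmatch(r"(\d+):(\d+):(\d+)", token)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        return h * 3600 + mi * 60 + s
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([ywdh])", token):
        if m.start() != pos:
            break
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(token):
        raise ValueError("unrecognised IOS age: %r" % token)
    return total


def parse_svi(text):
    """Pull the fields needed for a dormancy decision out of 'show interface vlan N'."""
    name = re.match(r"(\S+) is (\S+), line protocol is (\S+)", text)
    last = re.search(r"Last input (\S+), output (\S+),", text)
    pin = re.search(r"(\d+) packets input", text)
    pout = re.search(r"(\d+) packets output", text)
    if not (name and last and pin and pout):
        raise ValueError("not a complete 'show interface vlan' output")
    return {
        "name": name.group(1),
        "state": name.group(2),
        "last_input": ios_age_seconds(last.group(1)),
        "last_output": ios_age_seconds(last.group(2)),
        "pkts_in": int(pin.group(1)),
        "pkts_out": int(pout.group(1)),
    }


def classify(svi, idle_after=30 * 86400):
    """'idle' when the SVI has neither received nor sent anything within idle_after
    seconds ('never' counts as infinitely old); otherwise 'active'.
    The 30-day default is an assumption; pick what fits your semester calendar."""
    def stale(age):
        return age is None or age > idle_after
    return "idle" if stale(svi["last_input"]) and stale(svi["last_output"]) else "active"


def idle_svis(outputs, idle_after=30 * 86400):
    """Names of the SVIs in `outputs` (a list of show-interface texts) that look dormant."""
    return [p["name"] for p in map(parse_svi, outputs) if classify(p, idle_after) == "idle"]


if __name__ == "__main__":
    for text in (SVI_VLAN15, SVI_VLAN17):
        p = parse_svi(text)
        print(p["name"], p["last_input"], p["last_output"], p["pkts_in"], p["pkts_out"], classify(p))
```

Two caveats when reading the result: an idle SVI only tells you that nothing was routed in or out of that VLAN on this box, not that no frames are being bridged through it on trunks, and the counters are cumulative since the last "clear counters", so check the "Last clearing" line before trusting a zero.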

Mark

So you are basically hitting the STP instances limit supported on some of your switches ?

If so a longer term solution may be MST which can dramatically reduce the number of STP instances per switch.

In the short term do you actually have a physical topology diagram of the network showing all switch connections ?

In terms of the "sh vlan" suggested by Reza, I'm not sure "sh vlan" on its own will help, because let's say you have three switches and vlan 10 is on all switches. The left and right switches have access ports in vlan 10 but the middle switch doesn't. If you do a "sh vlan" it does not show trunk ports, so the middle switch looks like it has no ports in vlan 10.

But if you remove vlan 10 then you have effectively stopped communication between the left and right switch. So you would need to know that vlan 10 is actually needed. If you are allowing all vlans on the trunk then a "sh int trunk" could be used to see which vlans have been pruned but you could still not be sure because perhaps the access ports in vlan 10 on the right hand switch are not active when you look.

Reza please correct if i got that wrong.

Assuming the above is correct you would need to -

1) have a topology layout

2) for each switch record any vlan that has access ports in it

3) any switches not using this vlan can have it deleted if downstream switches from it do not have access ports in that vlan

You can script the "sh vlan" collection but I'm not sure how you would do the rest. I have written scripts a long time ago that would log in to a switch, do a CDP neighbor and then move to other switches to trace a particular MAC address, but it would be a lot harder to accurately draw a topology diagram using a script (at least for me).

I'm not aware of any software that can do this, but then I have never needed to do this sort of thing, so it doesn't mean it doesn't exist.

Sorry I can't be more help.

Jon
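Jon's three steps (topology, per-switch access-port inventory, delete only where no downstream switch needs the VLAN) can be automated once the "sh vlan brief" text and a CDP-derived link list are in hand. The following is an added Python example, not code from the thread or from Cisco. It parses the Ports column of "show vlan brief" for each switch, treats switches with access ports in a VLAN as anchors, and reports a VLAN as deletable on a switch only if removing it there leaves every anchor pair still connected through switches that still carry the VLAN. The four switch outputs and the link list are constructed; the example assumes trunks allow all VLANs (no allowed-lists or pruning), so a VLAN is considered carried between two neighbours whenever both have it defined.

```python
import re
from collections import defaultdict, deque

# IOS will not let you delete these; skip them outright.
DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}

# Constructed "show vlan brief" captures for Jon's left/middle/right chain plus
# one extra leaf switch ("branch") hanging off the middle.  Only access ports
# show up in the Ports column; trunks never do.
SHOW_VLAN = {
    "left": """VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
10   users                            active    Gi1/0/4,
                                                Gi1/0/5
20   stale                            active    
30   printers                         active    Gi1/0/6
1002 fddi-default                     act/unsup
""",
    "middle": """VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1
10   users                            active    
20   stale                            active    
30   printers                         active    
""",
    "right": """VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1
10   users                            active    Gi1/0/7
20   stale                            active    
""",
    "branch": """VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1
10   users                            active    
30   printers                         active    
""",
}
# Constructed trunk adjacency, e.g. from "show cdp neighbors" on each switch.
LINKS = [("left", "middle"), ("middle", "right"), ("middle", "branch")]


def _ports(chunk):
    return [p for p in re.split(r",\s*", chunk.strip()) if p]


def parse_show_vlan_brief(text):
    """Return {vlan_id: [access ports]} from 'show vlan brief' text,
    joining port lists that IOS wraps onto indented continuation lines."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+\S+\s*(.*)$", line)
        if m:
            current = int(m.group(1))
            vlans[current] = _ports(m.group(2))
        elif current is not None and line.startswith(" ") and line.strip():
            vlans[current].extend(_ports(line))
    return vlans


def _anchor_components(nodes, adj, anchors):
    """Number of connected components within `nodes` that contain an anchor."""
    seen, count = set(), 0
    for a in anchors:
        if a in seen or a not in nodes:
            continue
        count += 1
        q, seen = deque([a]), seen | {a}
        while q:
            n = q.popleft()
            for nb in adj[n]:
                if nb in nodes and nb not in seen:
                    seen.add(nb)
                    q.append(nb)
    return count


def deletable_vlans(switch_outputs, links, protected=frozenset()):
    """{switch: [vlan ids]} that can be removed without splitting any two
    switches that have access ports in that VLAN.  `protected` is for the
    management VLAN and anything else you never want touched."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    parsed = {sw: parse_show_vlan_brief(t) for sw, t in switch_outputs.items()}
    all_vlans = set().union(*(p.keys() for p in parsed.values()))
    result = defaultdict(list)
    for v in sorted(all_vlans - DEFAULT_VLANS - set(protected)):
        carriers = {sw for sw, p in parsed.items() if v in p}
        anchors = {sw for sw in carriers if parsed[sw][v]}
        if not anchors:                       # nobody has ports in it anywhere
            for sw in carriers:
                result[sw].append(v)
            continue
        alive = set(carriers)
        baseline = _anchor_components(alive, adj, anchors)
        for sw in sorted(carriers - anchors):  # greedy: drop one transit switch at a time
            if _anchor_components(alive - {sw}, adj, anchors) <= baseline:
                alive.discard(sw)
                result[sw].append(v)
    return dict(result)


if __name__ == "__main__":
    for sw, vlans in sorted(deletable_vlans(SHOW_VLAN, LINKS).items()):
        print(sw, "can drop", vlans)
```

In the sample, vlan 10 survives on "middle" because "left" and "right" both have ports in it, even though "middle" itself has none, which is exactly the trap Jon describes; vlan 20 has no access ports anywhere and is reported everywhere; vlan 30 is kept only on "left". Pass `protected={<mgmt vlan>}` per Reza's warning. The greedy pass removes redundant transit paths as well, so on a ring or dual-uplink design review the output against your physical diagram before deleting; and since a port in a VLAN stays listed while it is shut or unplugged, this inventory does not have Leo's staff-on-leave problem, only the dormant-port one he describes.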

Reza Sharifi (Hall of Fame)

Can you provide the model number for the switches you are using?

128 vlans should be more than enough for one switch.  Let's say you have 48 port switches.  If you put each port in a different vlan, that is 48 vlans.

Hi Reza

I suspect each switch doesn't need anywhere near that number, but with that many switches I suspect they are using VTP, and if the trunks are allowing all vlans, every time a vlan is created it is sent to all switches.

Even if the trunks had allowed vlans and if intermediate switches didn't have access ports in that vlan switches further downstream might have ports in that vlan so the vlan needs to exist on all intermediate switches.

So I think it's a question of how to rationalise it based on where they are now rather than needing lots of vlans on each switch.

Jon

Reza,

Jon is correct. In many cases the vlan is not in use on the switch, but is needed since it is part of the "path" for a switch further up/down stream that has ports defined on that vlan. Delete the vlan from the switch under the assumption that it is not in use because it is not defined on any access ports and the pathing would be broken.

Regards,
Mark


Mark

I have not implemented it, but it may be worth looking at MST as I mentioned previously.

A lot depends on whether you have accurate physical layout diagrams.

Either way, with that many switches you may end up logging onto all of them anyway to get the vlan information, although as I say the actual capturing of the "sh vlan" could be automated with a script; it would still then need someone to match up the outputs to the switches to see what vlans you do and don't need per switch.

Jon

Rather than upgrading to a more streamlined version of stp, you need to be looking at Leo's suggestion. With 1000s of switches, you need to start segmenting at layer 3 somewhere.



Reza Sharifi wrote:

Can you provide the model number for the switches you are using?

128 vlans should be more than enough for one switch.  Let's say you have 48 port switches.  If you put each port in a different vlan, that is 48 vlans.

The majority of our access switches are the various 3750 model switches.

Regards,
Mark
