MSTP & Allowed VLAN's

Hi Guys,

Quick question. First off, a quick overview of my environment: I have two distribution switches and an access switch (well, multiple access switches, but for the purpose of this question, one access switch). The distribution switches are linked via trunked EtherChannels and are not blocking any VLANs.

I have 1 region and 3 MSTP instances running: 0 (VLAN 1 in here only), 1, and 2, which are each assigned the correct priority to ensure that under normal circumstances instances 0 and 2 have Distribution SW1 as their root switch and instance 1 has Distribution Switch 2 as its root switch.

Now my distribution switches have 60+ VLANs and this is reflected in the instances configured on all switches. What I wish to do is limit broadcast traffic on my access switches. I plan to do this by using the "trunk allow" command to limit the VLANs sent via the trunk that connects the access switch. I understand this may cause limitations in regards to topology changes should both my designated root switches fail and one of my access switches be designated the new root switch; however, if this happens I imagine I will have bigger issues to worry about.

My question being: do I need to ensure all trunk links (to my access switches) always allow VLAN 1 as well as the active VLANs at the other end to ensure MSTP works correctly? If I block VLAN 1 on an access switch (because theoretically it is not in use at the other end), will this cause operational issues?

Also, is there anything else I should be aware of in regards to VLAN blocking?

Thanks in advance all,

Jamie

MSTP & Allowed VLAN's

Hi,

"Now my distribution switches have 60+ VLANs and this is reflected in the instances configured on all switches. What I wish to do is limit broadcast traffic on my access switches. I plan to do this by using the "trunk allow" command to limit the VLANs sent via the trunk that connects the access switch. I understand this may cause limitations in regards to topology changes should both my designated root switches fail and one of my access switches be designated the new root switch; however, if this happens I imagine I will have bigger issues to worry about."

It is actually a good security practice to only allow the VLANs that need to be on that particular trunk and not use "switchport mode trunk" alone, which allows ALL VLANs.

"My question being: do I need to ensure all trunk links (to my access switches) always allow VLAN 1 as well as the active VLANs at the other end to ensure MSTP works correctly? If I block VLAN 1 on an access switch (because theoretically it is not in use at the other end), will this cause operational issues?"

Not at all. It is actually another good security practice not to use VLAN 1 at all and to shut down the SVI.

HTH
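As an added example (not from the original thread or from either poster), the script below audits a Cisco IOS running-config for the two points made in the reply: trunk ports with no allowed-VLAN list, trunks that still carry VLAN 1 or use it as the native VLAN, and a VLAN 1 SVI that has not been shut down. The config text, interface names and VLAN numbers are constructed for the example; the parser handles the plain `switchport trunk allowed vlan <list>` form only, not the `add`/`remove`/`except` variants.

```python
# Constructed sample running-config (not from the original post).
# Gi1/0/1 is the pruned uplink; Gi1/0/2 is the weak, default trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Uplink to DistributionSW1 (pruned)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30-35
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description Uplink to DistributionSW2 (unpruned)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20,30-35' into a set of ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def _blocks(config):
    """Yield each '!'-delimited interface stanza as a list of stripped lines."""
    for block in config.split("!"):
        lines = [l.strip() for l in block.strip().splitlines()]
        if lines and lines[0].startswith("interface "):
            yield lines[0].split(None, 1)[1], lines

def audit_trunks(config):
    """Return {interface: [findings]} for every port in trunk mode."""
    findings = {}
    for name, lines in _blocks(config):
        if "switchport mode trunk" not in lines:
            continue
        issues = []
        allowed = next((l for l in lines if l.startswith("switchport trunk allowed vlan ")), None)
        if allowed is None:
            issues.append("no allowed-VLAN list: trunk carries all VLANs")
        elif 1 in expand_vlans(allowed.rsplit(None, 1)[1]):
            issues.append("VLAN 1 is in the allowed list")
        native = next((l for l in lines if l.startswith("switchport trunk native vlan ")), None)
        if native is None or native.rsplit(None, 1)[1] == "1":
            issues.append("native VLAN is 1 (default)")
        findings[name] = issues
    return findings

def vlan1_svi_is_shut(config):
    """True only when 'interface Vlan1' exists and is administratively shut down."""
    return any(name == "Vlan1" and "shutdown" in lines for name, lines in _blocks(config))
```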
