10-15-2014 02:28 PM - edited 03-07-2019 09:08 PM
Hello,
I have two switches connected: a core and an access switch. The trunk ports between the switches are configured to only allow certain VLANs, because I don't want the access switch to see all the VLANs. However, the access switch still sees all the VLANs.
When I type the command "show interface trunk" on both switches, I see that the configuration looks OK. The only difference I see is that in the core switch the "Vlans in spanning tree forwarding state and not pruned" entry has only 2 of the VLANs, and the access switch has 4.
Core Switch
interface GigabitEthernet1/1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan XX
switchport trunk allowed vlan 405,410,430,496
switchport mode trunk
end
sho int trunk:
Port Mode Encapsulation Status Native vlan
Gi1/1 on 802.1q trunking XX
Port Vlans allowed on trunk
Gi1/1 405,410,430,496
Port Vlans allowed and active in management domain
Gi1/1 405,410,430,496
Port Vlans in spanning tree forwarding state and not pruned
Gi1/1 410,496
Access Switch:
interface GigabitEthernet0/52
switchport trunk encapsulation dot1q
switchport trunk native vlan XX
switchport trunk allowed vlan 405,410,430,496
switchport mode trunk
end
sho int trunk
Port Mode Encapsulation Status Native vlan
Gi0/52 on 802.1q trunking XX
Port Vlans allowed on trunk
Gi0/52 405,410,430,496
Port Vlans allowed and active in management domain
Gi0/52 405,410,430,496
Port Vlans in spanning tree forwarding state and not pruned
Gi0/52 405,410,430,496
Any ideas on what could be wrong, and why the access switch can see all the VLANs ?
10-17-2014 08:04 AM
If you are using VTP, your access switch will know of the existence of all the VLANs, even if it does not participate in them. In fact, for any VLAN for which there are no ports on the access switch (including the uplink), a "show spanning-tree vlan nnn" will tell you there is no Spanning-Tree instance for that VLAN. I guess that is how you would want it.
Now, in your case, your trunk is carrying VLANs 405, 410, 430, and 496, so there should be Spanning-Tree instances for at least those four. There will not be any other Spanning-Tree instances unless you have configured some access port with some other VLAN, in which case you will have an STP instance but it will be disconnected from the rest of your network.
Also, in your case, it looks like the core switch has pruned 405 and 430 from the trunk. This is because your access switch has told it (via VTP) that it does not have any clients in those VLANs for the moment. The Spanning Tree is still there, but the trunk is not passing any traffic on those VLANs because the access switch does not need them at the moment.
Hope this helps.
Kevin Dorrell
Luxembourg
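The distinction Kevin draws, between VLANs the access switch merely knows about (learned through VTP) and VLANs whose frames actually cross the trunk, can be checked mechanically from the "show interfaces trunk" output posted above. The following parser is an added example, not code from the thread or from Cisco; it reads the three VLAN sections of that output, expands ranges such as "430-432", and reports, per port, which allowed VLANs are not in the forwarding-and-not-pruned list (VTP-pruned, or STP-blocked). A second helper takes a constructed list of VLANs the switch knows via VTP and shows which of them are known but never carried on the trunk. The sample output is the core switch's own, with the native VLAN left as "XX" exactly as posted.

```python
"""Compare allowed vs. actually forwarding VLANs in Cisco 'show interfaces trunk' output.

Added example (not from the thread). Assumes the IOS output format shown in the
original post; section headers are matched by their text.
"""
import re

# Core switch output, copied from the original post (native VLAN masked as XX there).
CORE_SHOW_TRUNK = """\
Port Mode Encapsulation Status Native vlan
Gi1/1 on 802.1q trunking XX
Port Vlans allowed on trunk
Gi1/1 405,410,430,496
Port Vlans allowed and active in management domain
Gi1/1 405,410,430,496
Port Vlans in spanning tree forwarding state and not pruned
Gi1/1 410,496
"""

# Constructed (hypothetical) VLAN database as a VTP client would learn it:
# not from the post, which does not list the domain's VLANs.
VTP_KNOWN_VLANS = {1, 100, 200, 300, 405, 410, 430, 496}

SECTION_HEADERS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}


def expand_vlan_list(text):
    """Expand an IOS VLAN list like '405,410,430-432,496' into a set of ints."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError("unexpected VLAN token: %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_show_trunk(output):
    """Return {port: {'allowed': set, 'active': set, 'forwarding': set}}."""
    result = {}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Port"):
            # Header line: switch to the matching VLAN section, or to None for
            # the Mode/Encapsulation/Status header, whose rows we do not need.
            section = next((key for hdr, key in SECTION_HEADERS.items()
                            if hdr in line), None)
            continue
        if section is None:
            continue
        port, _, vlan_text = line.partition(" ")
        result.setdefault(port, {})[section] = expand_vlan_list(vlan_text)
    return result


def pruned_vlans(trunk):
    """Per port: VLANs allowed on the trunk but not forwarding.

    On a VTP-pruned trunk these are VLANs the far switch reported no ports in;
    frames for them are not sent across the link even though they are allowed.
    """
    return {port: sorted(d.get("allowed", set()) - d.get("forwarding", set()))
            for port, d in trunk.items()}


def known_but_not_carried(known_vlans, trunk, port):
    """VLANs the switch knows (e.g. via VTP) that the trunk never carries.

    'show vlan' lists these, but no traffic for them crosses the trunk; this is
    the 'sees the VLAN' vs. 'sees the VLAN's traffic' distinction in the thread.
    """
    return sorted(set(known_vlans) - trunk[port].get("allowed", set()))


if __name__ == "__main__":
    trunk = parse_show_trunk(CORE_SHOW_TRUNK)
    print("pruned per port:", pruned_vlans(trunk))
    print("known via VTP but not on trunk Gi1/1:",
          known_but_not_carried(VTP_KNOWN_VLANS, trunk, "Gi1/1"))
```

Run against the posted output, the script reports 405 and 430 as allowed-but-pruned on Gi1/1, matching what Kevin reads from the same lines; the constructed VTP list shows how VLANs 1, 100, 200 and 300 would be visible in "show vlan" on the access switch without ever being carried over the trunk.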
10-15-2014 04:35 PM
Is the access switch learning the VLANs using VTP, or do you create them manually?
Are VLANs 405 and 430 the VLANs that you don't want the access switch to see?
Which command did you use to only permit some VLANs to the access switch?
10-15-2014 06:46 PM
Fabio,
I'm using VTP for VLAN learning.
VLANs 405,410,430,496 are the only ones I want to allow to the access switch, and nothing else. However, the access switch still sees all the other VLANs (including the ones mentioned).
The command I used was "switchport trunk allowed vlan 405,410,430,496" on both sides (core and access switches).
10-15-2014 07:45 PM
Can you try to bounce the port once?
Check the following on the core switch:
Port Vlans allowed and active in management domain
Gi1/1 405,410,430,496
Port Vlans in spanning tree forwarding state and not pruned
Gi1/1 410,496
1) show vlan id 405 & 430 ----> Make sure you see these VLANs in the VLAN database with port G1/1 associated.
2) sh spanning-tree vlan 405 & 430 ---> G1/1 status (root or designated)
3) show int G1/1 switchport --> port should show as trunk and parameters should look okay.
4) show spanning-tree g1/1
5) If in case this switch is not in production try to reload it.
HTH
Regards
Inayath
10-17-2014 06:10 AM
Thanks for all the responses.
Maybe I'm a bit confused and everything is working the way it should.
Although I can see all the VLANs in the access switch, when I do a "show spanning-tree vlan XX" (a VLAN that is not allowed in the trunk config) I get nothing, which makes me think that the setup may be working correctly.
What is throwing me off is that the switch sees all the VLANs, which I thought it should not if you only allow certain VLANs on the trunk.
10-17-2014 07:45 AM
Hi,
Your configuration looks correct...
What do you mean when you say that the access switch sees all VLANs?
How do you check this? Not, by accident, with the command "show vlan"? "Seeing the VLANs" and "seeing the traffic of these VLANs" are not the same thing...
Your access switch sees all VLANs because they are propagated to the switch by VTP, but the access switch doesn't "see the traffic" of VLANs not allowed on the trunk...
You can see this for yourself with the command "show mac address-table vlan <not allowed VLAN ID>".
10-17-2014 09:22 AM
Thanks for your explanation. It clarified my doubts.
10-17-2014 09:19 AM
Kevin you are correct!
VTP is configured, so that's the reason I see all the VLANs on that switch. And spanning-tree does not see any of the not-allowed VLANs.
Thanks for the explanation. Everything is working OK.