06-01-2014 01:34 PM - edited 03-07-2019 07:36 PM
Hi,
Can someone please explain to me why a trunk link between two Cisco switches does not allow VLAN x traffic if VLAN x is not locally configured?
In my lab I have three switches (2950, but it is the same with 2960, 3750, etc.).
Switch 1 is connected by trunk to switch 2, and switch 2 is connected by trunk to switch 3.
Switch 1 and switch 3 have VLAN 10 and interface VLAN 10 configured, whereas switch 2 does not have VLAN 10 configured.
VTP is disabled (transparent mode) on all switches.
Switch 2 does not permit switch 1 to ping switch 3 until I configure VLAN 10.
2950#sh int fa 0/9 status
Port Name Status Vlan Duplex Speed Type
Fa0/9 connected trunk a-full a-100 10/100BaseTX
2950#sh int fa 0/9 trun
Port Mode Encapsulation Status Native vlan
Fa0/9 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/9 1-4094
Port Vlans allowed and active in management domain
Fa0/9 1-2,11,101
Port Vlans in spanning tree forwarding state and not pruned
Fa0/9 1-2,11,101
2950#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 128
Number of existing VLANs : 8
VTP Operating Mode : Transparent
VTP Domain Name : daniele
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x63 0x6C 0xF9 0xF6 0xB9 0xDC 0xBE 0xF3
Configuration last modified by 192.168.0.103 at 0-0-00 00:00:00
2950#
It seems that VLAN 10 is pruned, but I don't understand why (VTP is disabled).
Thanks a lot for your help.
Daniele
06-01-2014 11:12 PM
Hi lnrdnl78d,
Because all switches are in VTP transparent mode. None of them is generating VLAN info and sending it to the others about a new VLAN.
06-02-2014 10:02 PM
Hi inrdni78d,
With VTP in transparent mode, VLAN 10 will not be dynamically created on any switch.
You will need to manually create VLAN 10 on switch 2 to successfully pass traffic over the trunk from switch 1 to 3.
Without VLAN 10 on switch 2 the traffic will be dropped, as VLAN 10 does not exist.
This can be seen from the trunk output, which I assume is from switch 2:
Port Vlans allowed and active in management domain
Fa0/9 1-2,11,101
But if I have misunderstood, let me know and I am happy to try again :)
06-02-2014 02:36 AM
Hi Salman
Thanks a lot for your time.
In my understanding, switch 1 (which has VLAN 10 and interface VLAN 10 configured), to ping switch 3 (which has VLAN 10 and interface VLAN 10), sends ARP request frames untagged on all its own access ports in VLAN 10 and tagged frames to all trunk links.
When the tagged frames (VLAN ID 10) arrive at switch 2 (which does not have VLAN 10), it should forward the tagged frames to all trunk ports except the incoming port, and so these tagged frames should arrive at switch 3.
This does not happen if switch 2 does not have VLAN 10 in its VLAN database.
Is there something wrong in my understanding?
Thank you in advance.
06-04-2014 01:26 AM
Hi lnrdnl78d ,
Let me explain my understanding. You are right: if the switch doesn't know where to send a frame, it sends an ARP request to learn the destination MAC address. And after learning the destination address, the switch adds that MAC to its MAC address table. But in this situation there is no MAC address table for VLAN 10. In case the switch learns a MAC address, it would not be able to add that address anywhere. So the switch drops this frame.
06-04-2014 02:54 AM
Hi lnrdnl78d,
So I will give this a go, not quite sure how an uploaded image looks.
I have mocked up what I have understood from your explanation, so feel free to correct me if I have got this wrong :)
However, assuming in this situation that VTP is enabled (which I know you have disabled in yours, but hoping this helps):
In this situation client 1 sends a broadcast to client 2.
With VTP pruning enabled, switch 2 will learn that switch 4 has no ports connected to VLAN 2,
so the trunk link to switch 4 will have VLAN 2 pruned from the trunk link,
but switches 2 and 3 will receive the broadcast, and switch 3 will be the only one to forward it out the connected port.
From my understanding this is what you have configured in your lab, apart from switch 4, which I added to fit the example.
Does this help demonstrate it at all, or am I way off?
06-03-2014 12:36 AM
whiteside is right;
if the VLAN doesn't exist on the switch, the switch will not forward the Ethernet frame, because the appropriate MAC table doesn't exist and the switch doesn't know where to forward the packet.
06-03-2014 09:53 AM
Hi,
The point is that when a switch does not have the appropriate MAC address in its CAM, it forwards the frames to the entire broadcast domain (the VLAN x layer 2 domain) and to all trunk ports.
This is the mechanism to fill the MAC address table.
My question is why a switch needs to have in its VLAN database a VLAN that it only has to forward to trunk links.
I've not found any Cisco documentation that says it, but in practice it is so.
Do you know if other vendors' switches work the same way?
Thanks a lot
Daniele
06-04-2014 10:22 PM
Hi guys
I've read other Cisco documents and I believe that it is a reasonable Cisco system behavior.
In fact, for Cisco, VLAN x can pass the trunk only if it is:
1) Allowed
2) Active
3) Forwarding in STP and not pruned.
About point 2: Cisco permits denying a VLAN's traffic over a trunk using the (config-vlan)#shutdown command, and so if a VLAN doesn't exist in the local database the system doesn't know whether to permit or deny that VLAN.
About point 3: the point is that every time a VLAN is created the system runs a new spanning-tree session (to avoid loops). If the VLAN doesn't exist, no spanning-tree session is active for that VLAN.
So if the system permitted an unknown VLAN to pass the trunk, loops could happen without a way to detect or debug the cause. Furthermore, this could be a door for a denial of service attack.
So in the end I've understood why it is correct that the system blocks VLANs not present in the local database.
Thank you to all for your support, I've very much appreciated your answers.
Daniele
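As an added example (not part of the thread, and not Cisco's code), here is a small Python script that parses the "show interfaces trunk" output Daniele posted and reports which of the three conditions listed above (allowed, active, STP forwarding and not pruned) a given VLAN fails on the trunk port. The port name and VLAN lists come from the posted output; the section headings are the ones IOS prints.

```python
# Constructed sample, copied from the "show interfaces trunk" output in the thread.
SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/9       on           802.1q         trunking      1
Port        Vlans allowed on trunk
Fa0/9       1-4094
Port        Vlans allowed and active in management domain
Fa0/9       1-2,11,101
Port        Vlans in spanning tree forwarding state and not pruned
Fa0/9       1-2,11,101
"""

# IOS column headings mapped to the condition each section reports.
SECTIONS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-2,11,101' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(text):
    """Return {port: {"allowed": set, "active": set, "forwarding": set}}."""
    ports, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "Port":
            section = SECTIONS.get(" ".join(fields[1:]))  # None for the Mode table
        elif fields and section is not None:
            ports.setdefault(fields[0], {})[section] = expand_vlan_list(fields[1])
    return ports

def why_blocked(ports, port, vlan):
    """First condition VLAN `vlan` fails on `port`; an empty list means it passes."""
    p = ports[port]
    if vlan not in p["allowed"]:
        return ["not in the allowed list"]
    if vlan not in p["active"]:
        return ["not active: missing from the local VLAN database or shut down"]
    if vlan not in p["forwarding"]:
        return ["pruned or not in STP forwarding state"]
    return []
```

Running why_blocked(parse_show_trunk(SHOW_TRUNK), "Fa0/9", 10) reports the "not active" condition, which is exactly the case of VLAN 10 missing from switch 2's VLAN database.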
06-05-2014 03:32 AM
lnrdnl78d you are welcome.