Friday, November 27, 2009

Trunking Dot1q - Applying allowed vlan in port - STP recalculation?

Some Cisco switch ports have only the following configuration:

interface G2/1
switchport
switchport trunk encapsulation dot1q
switchport mode trunk

This configuration is simple: you only have to create the VLAN on the switch and it is automatically carried across the trunk. Good for implementation, bad for security, performance and growth:
- From a security perspective, you have an uncontrolled trunk that carries every VLAN on the switch, especially dangerous if you are connecting to another switch that is not managed by you or your team.
- From a performance perspective, every VLAN on the switch gets a spanning-tree instance on this port, so STP calculations are permanently running, and a failure on this port can cause downtime in other areas of the network.
- From a growth perspective, trunks without an allowed-VLAN list do not scale in growing environments such as datacenters.

In a situation where you have uncontrolled trunk switchports (without switchport trunk allowed vlan XXXX,...) and you want to limit the VLANs carried on the trunk, there is always the question:
- Will this cause any downtime or STP recalculation?
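As an added example (not part of the original post), the following Python script audits a Cisco IOS running-config for trunks that carry every VLAN and prints the `switchport trunk allowed vlan` lines that would pin each one to the VLANs it actually needs. The config text is constructed for the example and the `wanted` VLAN set is an assumption; the `switchport trunk allowed vlan` syntax, and the fact that the IOS default of allowing all VLANs is not shown in the running-config, are real IOS behaviour.

```python
"""Audit a Cisco IOS running-config for dot1q trunks with no allowed-VLAN list.

A trunk whose config has no 'switchport trunk allowed vlan' line carries every
VLAN (the IOS default 'allowed vlan all' is not shown in 'show run'), and so
does an explicit 'allowed vlan 1-4094'. Both cases are reported.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))

# Constructed sample running-config for a hypothetical device (not captured output).
SAMPLE_CONFIG = """\
!
vlan 10,20,30,100
!
interface GigabitEthernet2/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
interface GigabitEthernet2/3
 switchport
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet2/4
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-4094
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [config lines]} from a running-config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def expand_vlan_list(spec):
    """Expand IOS VLAN syntax such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, hi = (int(x) for x in part.split("-", 1)) if "-" in part else (int(part),) * 2
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"VLAN range out of bounds: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def compress_vlan_list(vlans):
    """Render a set of VLAN IDs in the compact range syntax IOS accepts."""
    ranges, start, prev = [], None, None
    for v in sorted(vlans):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            ranges.append((start, prev))
            start = prev = v
    if start is not None:
        ranges.append((start, prev))
    return ",".join(f"{a}" if a == b else f"{a}-{b}" for a, b in ranges)


def allowed_vlans(lines):
    """Allowed VLAN set for one interface; a missing line means 'all'."""
    for line in lines:
        m = re.match(r"^switchport trunk allowed vlan (.+)$", line)
        if m:
            spec = m.group(1).strip()
            if spec == "all":
                return set(ALL_VLANS)
            if spec == "none":
                return set()
            return expand_vlan_list(spec)
    return set(ALL_VLANS)


def find_unrestricted_trunks(config):
    """Names of 'switchport mode trunk' interfaces that carry every VLAN."""
    return [name for name, lines in parse_interfaces(config).items()
            if "switchport mode trunk" in lines and allowed_vlans(lines) == ALL_VLANS]


def remediation(name, vlans):
    """IOS commands pinning the trunk to exactly the given VLANs.

    The bare 'allowed vlan <list>' form replaces the whole list; later changes
    should use 'allowed vlan add/remove' so VLANs are not pruned by accident.
    """
    return [f"interface {name}", f" switchport trunk allowed vlan {compress_vlan_list(vlans)}"]


if __name__ == "__main__":
    wanted = {10, 20, 30}  # assumed: the VLANs these trunks really need
    for trunk in find_unrestricted_trunks(SAMPLE_CONFIG):
        print(f"{trunk}: no allowed-VLAN list, carries all {len(ALL_VLANS)} VLANs")
        print("\n".join(remediation(trunk, wanted)))
```

Feed it the output of `show running-config` from a real switch to list the trunks that still carry everything; verify the result afterwards with `show interfaces trunk`, which lists the allowed VLANs per trunk.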

Actually, I had to convert some of these links to allowed-VLAN mode, with hundreds of VLANs passing through a switchport on a 6500, and when applying the allowed list there was no STP recalculation or any cut in the traffic.

My 2 cents for the skeptics ...