[ietf86-tech] Vlans allowed on switch<>switch links

Bill Fenner fenner at fenron.com
Mon Mar 11 05:57:05 PDT 2013


On Mon, Mar 11, 2013 at 8:49 AM, Colin Doyle <cdoyle at verilan.com> wrote:

>  Depends on the pruning policy. I can understand why we would restrict
> certain trunks for security reasons, but it begs the question of "what
> problem are we trying to solve".
>

We tend to try to solve the problem of "on Thursday we will have an
emergency in which we need vlan 736 to be over there ASAP".  Pruning VLANs
manually hurts that case.  We usually just filter towards the APs.

> I added vlan 6 to that switchport to allow media vlan access for a
> streambox.
>

Sorry, I knew that.  That shouldn't have been necessary since we should
just have all VLANs on all switch links.

It's possible that this is my fault: if there were previously APs plugged
into these ports, the templatizer would have added the appropriate AP
access list, and then it doesn't know to remove them if the purpose of the
port has changed.  It's probably worth changing the templatizer to
explicitly apply the "allow all" policy on switch<>switch links.

  Bill


>
> On 3/11/13 8:48 AM, Bill Fenner wrote:
>
> Usually we just allow all vlans on switch<>switch links, right?  I saw a
> couple of edits go by in the rancid history, like
>
>    interface GigabitEthernet0/4
>    description SW-Boca1
>    switchport trunk encapsulation dot1q
> -  switchport trunk allowed vlan 1,8,16,32,80,96,112
>  +  switchport trunk allowed vlan 1,6,8,16,32,80,96,112
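
Review bot: On the `+` line, VLAN 6 is appended by hand to an enumerated allowed list on GigabitEthernet0/4, whose description (SW-Boca1) suggests a switch-to-switch link, so every further VLAN that has to cross this trunk will need another manual edit of the same kind. If the restriction on this trunk is deliberate, record the reason alongside the list so the next editor knows whether extending it is acceptable; if it is not deliberate, replace the list with "switchport trunk allowed vlan all" instead of growing it one VLAN at a time.
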
>
>  but I think it's better to just change switch<>switch links to
> "switchport trunk allowed vlan all".
>
>    Bill
>
>
>
> _______________________________________________
> ietf86-tech mailing list
> ietf86-tech at daedelus.com
> http://www.daedelus.com/mailman/listinfo/ietf86-tech
>
>
> --
>
>
>
> Colin Doyle
> Senior Network Engineer
> CCNA, F5 ASP/ATSP, Juniper JES
>
> Verilan Event Services, Inc.
> 7327 SW Barnes Rd. #215
> Portland, OR 97225
>
>
> Cell: 503 810-2129
> cdoyle at verilan.com
> www.verilan.com
>
>