Thoughts on Vlan trunking

Sage2k
Let's say we have a Nexus 7k acting as a layer 3 switch with about 15 VLANs. We have ten 2k FEXs connected to it, with various VLANs trunked to various FEXs. Some FEXs might be trunked with 3 VLANs, some might have 10, and some might use all 15.

Is there any reason we shouldn't just trunk all VLANs to all FEXs via "switchport trunk allowed vlan 2-1000"?

I think it might make troubleshooting a tad easier for some of our tier-1 folks, and allow them to connect new clients to the FEXs without having to worry about whether trunks are set up correctly everywhere.

Ideas? Thoughts? Concerns?
 
Security vs. convenience. Not trunking unneeded VLANs is a small layer of protection in case something fails elsewhere.
 
Could create volume/latency problems for traffic going to the FEXs too. You're sending unnecessary traffic on the link. Most of the time it won't matter, but when you have a short-burst traffic surge it might. Of course, if the links to the FEXs are large enough it might not matter.
 
We are using dual 10 Gig links with a future upgrade to quad 10 Gig links to the FEXs.
The only unnecessary traffic that should flood the other FEXs would be broadcast traffic, correct?

TCM,

Could you elaborate on potential security concerns?

Thanks guys!
 
Well, suppose your "support" switch is misconfigured and actually puts some hosts in the "accounting" VLAN, then the central switch would still prevent this from working if it doesn't even trunk the accounting VLAN to the support branch in the first place.

It's basically a fail-safe mechanism. That's the security part.

However, if the management of switches is spread out over separate departments and you need a defined communication between them to have config changes made, you increase the work.

By trunking all VLANs to all branches, you increase convenience since each branch can config as they wish.

It all depends on how your organisation is laid out and your security policy.
 
If you tag all VLANs to all switches, the receiving switch has to drop the frames of VLANs it doesn't recognize. It does unnecessarily increase the load on the CPU and also the network link, because it still has to process all frames and then drop/allow.
 
Trunk only what's necessary, as you are adding to latency and congestion of the already limited bandwidth of a gigabit port. I would also consider it a security issue, a minimal one, but still one worth consideration.

The problem shouldn't be that it is harder for less trained folks; after all, how hard is it to do a "sh vlan" or "sh vlan-switch" command, or the equivalent on your specific hardware, to see what is going on.
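An added example, not posted by anyone in this thread, of the check the advice above comes down to: audit each trunk's allowed-VLAN list against the VLANs that port actually needs and report the excess. It also goes one step beyond the thread by flagging trunks with no "allowed vlan" line at all, since NX-OS then allows every VLAN by default. The sample config, interface names, VLAN numbers and the REQUIRED policy are constructed assumptions.

```python
import re

# Constructed NX-OS running-config excerpt (assumed, not from the thread).
SAMPLE_CONFIG = """\
interface Ethernet101/1/1
  switchport mode trunk
  switchport trunk allowed vlan 2-1000
!
interface Ethernet102/1/1
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30-32
!
interface Ethernet103/1/1
  switchport mode trunk
!
interface Ethernet104/1/1
  switchport mode access
  switchport access vlan 40
"""

# VLANs each FEX host port really needs (assumed policy for this example).
REQUIRED = {
    "Ethernet101/1/1": {10, 20, 30},
    "Ethernet102/1/1": {10, 20, 30, 31, 32},
    "Ethernet103/1/1": {40},
}

def expand_vlan_list(spec):
    """Expand a VLAN list such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(config):
    """Map each trunk interface to its allowed-VLAN set (default: all VLANs).
    Only the plain 'allowed vlan <list>' form is parsed; the add/remove/
    except/none variants are not handled here."""
    trunks, iface = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
        elif iface and line.strip() == "switchport mode trunk":
            trunks[iface] = set(range(1, 4095))  # NX-OS default: all allowed
        elif iface in trunks:
            m = re.match(r"\s*switchport trunk allowed vlan ([\d,-]+)$", line)
            if m:
                trunks[iface] = expand_vlan_list(m.group(1))
    return trunks

def audit(config, required):
    """Return {interface: sorted VLANs allowed on the trunk but not needed}."""
    result = {}
    for iface, allowed in parse_trunks(config).items():
        extra = allowed - required.get(iface, set())
        if extra:
            result[iface] = sorted(extra)
    return result
```

Feed it the output of "show running-config interface" and the dictionary of VLANs each port should carry; an empty result means every trunk is pruned to exactly what it needs.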
 