CCNP Enterprise Certification Study Guide: Implementing and Operating Cisco Enterprise Network Core Technologies. Ben Piper
Read the book online: page 24.
All switches in the topology must have the VLAN configured. It sounds obvious, but a Spanning Tree instance can't participate on a VLAN that doesn't exist. The VLAN must be configured locally on the switch before Spanning Tree can become active for that VLAN.
All switches must have trunks between them. A trunk is always between only two switches. For both switches to establish a trunk, two things must occur:
Both switches must be configured to form a trunk.
Both must agree on the trunk encapsulation type to use: 802.1Q or Cisco Inter-Switch Link (ISL).
The VLANs must be allowed on the trunk. Simply establishing a trunk isn't sufficient to carry traffic for a VLAN. Both switches must have the VLAN allowed on the trunk. By default, all VLANs are allowed on a trunk, but it's possible to remove or prune a VLAN from a trunk. We'll look at an example of this in a moment.
Dynamic Trunking
Connected switches can form a trunk between themselves automatically using the Dynamic Trunking Protocol (DTP). DTP can operate in one of two modes:
Desirable—DTP actively attempts to negotiate a trunk with the switch on the other end. An easy way to remember this is that the switch desires to form a trunk.
Auto—DTP will not attempt to form a trunk but will respond to the other switch's request to form a trunk. This is the default mode.
You can configure the DTP mode using the switchport mode dynamic interface command:
SW4(config-if)#switchport mode dynamic ?
  auto       Set trunking mode dynamic negotiation parameter to AUTO
  desirable  Set trunking mode dynamic negotiation parameter to DESIRABLE
If the dynamic option is set to auto on both ends, the switches won't form a trunk. Instead, each switch's interface will fall back to static access mode for VLAN 1, unless you explicitly configure a different VLAN using the switchport access vlan interface command.
Cisco switches support two encapsulation protocols: 802.1Q and the Cisco-proprietary ISL. You should be using 802.1Q whenever possible, since it's standard and interoperates with pretty much every other piece of networking equipment out there. But be aware that Cisco switches still support ISL (for compatibility reasons, of course), so you may still encounter it.
You can explicitly set the encapsulation type or have the switches negotiate it. If both sides have the negotiate option set, they'll negotiate ISL. To ensure that they settle on 802.1Q, be sure to specify the dot1q option:
SW4(config-if)#switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on Interface
Let's look at a quick example of an interface that's configured as dynamic desirable and has the encapsulation type set to 802.1Q:
SW4#show interfaces gi0/0 switchport
Name: Gi0/0
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
! Output truncated
Administrative Mode and Administrative Trunking Encapsulation refer to the interface configuration. Operational Mode and Operational Trunking Encapsulation refer to what the switch has negotiated with its peer. In this case, both switches have negotiated an 802.1Q trunk. The operational parameters of the trunk can also be viewed using the following command:
SW4#show interfaces gigabitEthernet 0/0 trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       desirable        802.1q         trunking      1
Unconditional Trunking
If you don't want to depend on DTP to negotiate a trunk on a specific interface, you can create a manual or unconditional 802.1Q trunk. To do this, you must first explicitly set the encapsulation type:
! Set the encapsulation type to 802.1Q
SW4(config-if)#switchport trunk encapsulation dot1q
Thereafter, you can create the unconditional trunk:
SW4(config-if)#switchport mode trunk
If one interface is configured as dynamic auto or dynamic desirable and the other end is configured as an unconditional trunk, both switches will form a trunk. In order for the trunk to be truly unconditional, both switches must have this configuration. To verify, use the show interfaces command:
SW4#show interfaces gi0/0 switchport
Name: Gi0/0
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Administrative Mode is now trunk. What may surprise you is that Negotiation of Trunking is set to On. Creating an unconditional trunk doesn't disable DTP. If the switch on the other end of the link attempts to negotiate a trunk—that is, if its interface is in dynamic desirable mode—both switches will still negotiate a trunk. If you're concerned about trunks forming unexpectedly, you can disable DTP as follows:
SW4(config-if)#switchport nonegotiate
SW4(config-if)#do show interface gi0/0 switchport | i Negotiation
Negotiation of Trunking: Off
It's perfectly safe to disable DTP on all interfaces and explicitly create your unconditional trunks instead. Also, it's a wise idea to disable DTP on interfaces that will connect to end-user devices. If a malicious attacker is able to connect a device and form a trunk, they can potentially sniff traffic traversing all VLANs active on that trunk.
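The check described above (which ports can still negotiate a trunk) is easy to automate across a whole switch. The following Python script is an added example, not code from the book or from Cisco: it parses the text of show interfaces switchport, as captured from a terminal, and flags every interface whose Administrative Mode is dynamic auto or dynamic desirable, or where Negotiation of Trunking is still On. The sample output embedded below is constructed for the example; the field names follow the output shown in the text.

```python
# Constructed sample of "show interfaces switchport" output (not captured from a real
# device). Gi0/0 is an unconditional trunk that still speaks DTP, Gi0/1 is at the
# factory default (dynamic auto), Gi0/2 is a hardened access port.
SAMPLE_SWITCHPORT = """\
Name: Gi0/0
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On

Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

Name: Gi0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
"""

# Administrative modes in which DTP may form a trunk when the peer asks for one.
DYNAMIC_MODES = {"dynamic auto", "dynamic desirable"}


def parse_switchport(text):
    """Split the output into one dict of 'Field: value' pairs per interface, keyed by Name."""
    ports = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field == "Name":
            current = value
            ports[current] = {}
        elif current is not None:
            ports[current][field] = value
    return ports


def audit_dtp(ports):
    """Return (port, finding, suggested fix) tuples for ports where DTP could still form a trunk."""
    findings = []
    for name, p in ports.items():
        admin = p.get("Administrative Mode", "").lower()
        negotiating = p.get("Negotiation of Trunking", "").lower() == "on"
        if admin in DYNAMIC_MODES:
            findings.append((name, f"admin mode '{admin}' lets a peer negotiate a trunk",
                             "switchport mode access (or trunk) + switchport nonegotiate"))
        elif negotiating:
            # Static access or unconditional trunk, but DTP frames are still exchanged.
            findings.append((name, f"admin mode '{admin}' but DTP is still enabled",
                             "switchport nonegotiate"))
    return findings


if __name__ == "__main__":
    for port, finding, fix in audit_dtp(parse_switchport(SAMPLE_SWITCHPORT)):
        print(f"{port}: {finding} -> {fix}")
```

Run against a real capture, Gi0/2 is the only port that produces no finding: the access port with DTP turned off, which is the state the text recommends for user-facing interfaces.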
Active and Allowed VLANs
In order for two switches to participate in a Spanning Tree instance for a VLAN, they must each have the VLAN configured and the VLAN must be allowed on the trunk. For example, to have a Spanning Tree instance for VLAN 100 between SW1 and SW2, both need VLAN 100 configured:
SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#vlan 100
SW1(config-vlan)#no shut
%VLAN 100 is not shutdown.
SW1(config-vlan)#end
SW1#show vlan id 100

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
100  VLAN0100                         active    Gi0/0, Gi0/1, Gi1/0, Gi1/1
                                                Gi2/0, Gi2/1
VLAN 100 is active on the switch, meaning it's not shut down. Notice that it's active on six ports, all of which are terminating 802.1Q trunks. Using Gi0/0 as an example, we can see that VLAN 100 is allowed and active on the trunk:
SW1#show interfaces gi0/0 trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/0       1-4094

Port        Vlans allowed and active in management domain
Gi0/0       1-10,100

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/0       1-10,100
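The three VLAN lists in that output answer three different questions (is the VLAN allowed, is it active, is Spanning Tree forwarding it), and a VLAN can pass the first test but not the second. The Python below is an added example, not code from the book or from Cisco: it expands the range notation, parses the three sections of show interfaces trunk, and classifies a given VLAN on a given port in that order. The sample output is constructed for the example; it mirrors the SW1 output above and adds a second port, Gi0/1, whose allowed list has been trimmed to 1-10.

```python
import re

# Constructed "show interfaces trunk" output, modelled on the SW1 output in the text
# with an extra port (Gi0/1) whose allowed VLAN list was pruned; not a real capture.
SAMPLE_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/0       on               802.1q         trunking      1
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/0       1-4094
Gi0/1       1-10

Port        Vlans allowed and active in management domain
Gi0/0       1-10,100
Gi0/1       1-10

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/0       1-10,100
Gi0/1       1-10
"""

# Section titles as printed by IOS, mapped to the key used in the parsed result.
SECTIONS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}


def expand_vlan_list(spec):
    """Expand IOS range notation: '1-10,100' -> {1, ..., 10, 100}; 'none' -> empty set."""
    vlans = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo
        vlans.update(range(int(lo), int(hi) + 1))
    return vlans


def parse_trunk_vlans(text):
    """Return {port: {'allowed': set, 'active': set, 'forwarding': set}}."""
    ports = {}
    section = None
    for line in text.splitlines():
        if line.startswith("Port"):
            # A header line: pick the section it opens (None for the Mode/Status table).
            section = next((key for title, key in SECTIONS.items() if title in line), None)
            continue
        m = re.match(r"^(\S+)\s+([\d,\-]+|none)\s*$", line)
        if section and m:
            ports.setdefault(m.group(1), {})[section] = expand_vlan_list(m.group(2))
    return ports


def vlan_status(ports, port, vlan):
    """Classify a VLAN on a trunk in the order the text describes: allowed -> active -> forwarding."""
    p = ports[port]
    if vlan not in p["allowed"]:
        return "not allowed (removed from the trunk)"
    if vlan not in p["active"]:
        return "allowed but not active (VLAN not configured or shut down on this switch)"
    if vlan not in p["forwarding"]:
        return "active but blocked or pruned by Spanning Tree"
    return "forwarding"


if __name__ == "__main__":
    trunks = parse_trunk_vlans(SAMPLE_TRUNK)
    for port, vlan in (("Gi0/0", 100), ("Gi0/0", 200), ("Gi0/1", 100)):
        print(f"{port} VLAN {vlan}: {vlan_status(trunks, port, vlan)}")
```

On the sample, VLAN 100 is forwarding on Gi0/0, VLAN 200 is allowed on Gi0/0 but not active because no such VLAN exists on the switch, and VLAN 100 is not allowed at all on Gi0/1. One caveat for real captures: IOS wraps very long VLAN lists onto continuation lines that start with whitespace, which this parser does not join; add that handling before relying on it against a switch with hundreds of allowed VLANs.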
A VLAN must be configured on the switch before it can be allowed or active on a trunk. All VLANs are allowed on an 802.1Q