I'm not 100% sure of the vocabulary, so please bear with me.
Suppose I've set up some new VLANs to better divide my network logically. I have a 4507 as a core network switch with VLANs 1 and 10-19. The switches themselves have IP addresses on VLAN 1. Each of the three child switches I have each have three additional VLANs with said VLANs corresponding to individual departments. Several departments may be on one switch, but departments would be confined to one switch only. Some of the host interfaces on the child switches are configured as trunking interfaces to accommodate phones and PCs on the same int. The uplinks to the 4507 are configured as trunking intrtfaces as well.
Switch
- 3524 should have 10, 11, and 12
- 3550 should have 13, 14, and 15
- 3560 should have 16, 17, and 18
- 4507 should have VLAN 19 as well
Is it possible to configure each child switch so that they drop (?, *) or don't see VLAN traffic not intended for any VLANs present on any host interfaces? I.e., Switch
- 3524 should drop* or not see traffic for VLANs 13-15, 16-18, and 19
- 3550 should drop* or not see traffic for VLANs 10-12, 16-18, and 19
- 3560 should drop* or not see traffic for VLANs 10-12, 13-15, and 19
- 4507 should be the only switch to see VLAN 19 traffic
I'm trying to minimize the scope of a broadcast storm should another one occur (fun day).
I'm curious to see which switches would be affected and how far a broadcast storm would propagate if, for example, a broadcast storm started in VLAN 10 on 3524. Would it only affect 3524 and 4507? Or would the storm affect all switches because their uplinks and some of their host ints are configured as trunking interfaces? Assume bpduguard isn't available on 3524.
.* "Drop" versus "don't see" would be, I imagine, from the perspective of the switch. "Drop" means the child switches (3524/50/60) would decide to drop certain broadcast traffic because certain VLANs aren't present for any host ints. "Don't see" would be the 4507 not forwarding certain broadcast traffic because certain VLANs aren't advertised(?) by child switches.
Best Answer
You can control which VLANs are allowed on a trunk. For example:
On the 4507 trunk interface to the 3524:
On the 4507 trunk interface to the 3550:
On the 4507 trunk interface to the 3560:
None of the traffic for any VLANs not allowed on a trunk will be sent to the access switches.
Cisco recommendations are actually pretty close to what you have, although you do have VLAN 1 going to all the switches. The current best practices allow multiple VLANs on an access switch, but no VLAN on an access switch should be trunked to another access switch. Also access switches should not be connected to each other, and no access interfaces should be allowed on the distribution switch. This will almost completely eliminate any spanning tree problems.
In fact, the best practices are moving toward running layer-3 connections, instead of trunks, to the access switches, and that will completely eliminate any spanning tree problems.
In either case, you leave spanning tree enabled as a failsafe.