06-18-2009 03:58 PM - edited 03-01-2019 03:44 PM
How to define the VLANs allowed on a trunk link.
When a trunk link is established, all of the configured VLANs are allowed to send and receive traffic across the link. VLANs 1 through 1005 are allowed on each trunk by default. However, VLANs can be removed from the allowed list, which keeps traffic from those VLANs from passing over the trunk link.
Note: The allowed VLAN list on both the ends of the trunk link should be the same.
To restrict the VLANs that a trunk carries on a Catalyst switch that runs Cisco IOS Software (the Catalyst 3550 in this example), perform these steps:
1. Issue the switchport trunk allowed vlan remove vlan-list interface command. This removes specific VLANs from the allowed list.
Note: VLANs 1 and 1002 through 1005 are reserved VLANs and cannot be removed from any trunk link.
The vlan-list parameter is either a single VLAN ID or a range of VLAN IDs. A range is written as two VLAN numbers separated by a hyphen. Do not enter any spaces between comma-separated VLAN IDs or in hyphen-specified ranges.
For example, to remove VLANs 5 through 10 and 12 from the trunk, issue the switchport trunk allowed vlan remove 5-10,12 command.
2. To add a VLAN back to the trunk, issue the switchport trunk allowed vlan add vlan-list command.
3. Add VLAN 7 back and verify the allowed VLANs on the trunk link with the show interfaces trunk command:
c3550#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
c3550(config)#int fa0/2
c3550(config-if)#switchport trunk encapsulation dot1q
c3550(config-if)#switchport mode trunk
c3550(config-if)#switchport trunk allowed vlan remove 5-10,12
c3550(config-if)#switchport trunk allowed vlan add 7
c3550(config-if)#end
c3550#show interfaces fastEthernet 0/2 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1-4,7,11,13-4094

Port        Vlans allowed and active in management domain
Fa0/2       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1
c3550#
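As an added example (not from the Cisco document or this thread), the following Python models the remove/add semantics described above and the compressed "a-b,c" list format that show interfaces trunk and show trunk print, so an expected allowed list can be computed offline and compared with the output on both ends of a trunk, as the Note above requires. It also reproduces the CatOS result shown further down; the 4094 upper bound and the reserved-VLAN set are taken from the page's output and note, and all function names are this example's own.

```python
# Added example, not from the Cisco document or the thread: models the IOS
# "switchport trunk allowed vlan remove/add" semantics described above so
# an allowed list can be computed offline and checked against the
# "Vlans allowed on trunk" line of show output (e.g. to confirm both ends match).
RESERVED = {1, 1002, 1003, 1004, 1005}  # cannot be removed from any trunk
DEFAULT_ALLOWED = set(range(1, 4095))   # the 3550 output above shows 1-4094

def parse_vlan_list(spec):
    """Parse a vlan-list such as '5-10,12' into a set of VLAN IDs."""
    if " " in spec:  # the document warns: no spaces in a vlan-list
        raise ValueError("no spaces allowed in a vlan-list: %r" % spec)
    vlans = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError("bad VLAN range: %r" % item)
        vlans.update(range(lo, hi + 1))
    return vlans

def apply_remove(allowed, spec):
    """'switchport trunk allowed vlan remove <spec>'; reserved VLANs stay."""
    return set(allowed) - (parse_vlan_list(spec) - RESERVED)

def apply_add(allowed, spec):
    """'switchport trunk allowed vlan add <spec>'."""
    return set(allowed) | parse_vlan_list(spec)

def format_vlan_list(vlans):
    """Compress a set of IDs into the 'a-b,c' form the show commands print."""
    ids, out, i = sorted(vlans), [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        out.append(str(ids[i]) if i == j else "%d-%d" % (ids[i], ids[j]))
        i = j + 1
    return ",".join(out)

def trunk_ends_match(spec_a, spec_b):
    """True when two 'Vlans allowed on trunk' strings describe the same set."""
    return parse_vlan_list(spec_a) == parse_vlan_list(spec_b)

if __name__ == "__main__":
    allowed = apply_add(apply_remove(DEFAULT_ALLOWED, "5-10,12"), "7")
    print(format_vlan_list(allowed))  # 1-4,7,11,13-4094, as shown for Fa0/2
```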
To restrict the VLANs that a trunk carries on a Catalyst switch that runs Catalyst OS (CatOS), perform these steps:
1. Issue the clear trunk mod/port vlan-list command. This removes specific VLANs from the allowed list.
Note: Even when the VLAN is removed from the port, the trunk remains in On state.
Even if you specify a VLAN range, it is ignored.
2. Issue the set trunk mod/port vlan-list command to add VLANs back to the allowed list, and verify the result with the show trunk command.
This example shows how to remove VLANs 101 through 499 from the allowed list on port 1/1 and then add VLAN 250 back:
Console> (enable) clear trunk 1/1 101-499
Removing Vlan(s) 101-499 from allowed list.
Port 1/1 allowed vlans modified to 1-100,500-1005.
Console> (enable) set trunk 1/1 250
Adding vlans 250 to allowed list.
Port(s) 1/1 allowed vlans modified to 1-100,250,500-1005.
Console> (enable) show trunk 1/1
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 1/1      desirable    isl            trunking      1

Port      Vlans allowed on trunk
--------  ---------------------------------------------------------------------
 1/1      1-100,250,500-1005

Port      Vlans allowed and active in management domain
--------  ---------------------------------------------------------------------
 1/1      1,521-524

Port      Vlans in spanning tree forwarding state and not pruned
--------  ---------------------------------------------------------------------
 1/1      1,521-524
Console> (enable)
For more information on configuring VLANs on Catalyst switches, refer to Creating Ethernet VLANs on Catalyst Switches.
Switchport trunk allowed vlan all
What is the advantage of allowing certain VLANs vs. allowing all? Currently we have all VLANs allowed in the network and want to allow only certain VLANs instead; how can we determine which VLANs should be allowed?
I would appreciate a response in this regard. Thanks.
If the network administrator can't tell the purpose of the various VLANs, you have a serious problem! VLANs are used to have just one backbone while providing "shielded" separate networks within that infrastructure, like having the Internet in one VLAN and the internal stuff in another.
As an example of allowing only specific VLANs, imagine a company that has an ICT department that provides the network backbone, and the programmer department has some ESX servers running. The network card going to the ESX server should only allow the VLANs used by the programmers, to inhibit them from creating a VM that has a NIC in the wrong VLAN. They think they know what they are doing, but (unintentionally) enter the wrong VLAN ID, putting a VM in your production server VLAN and disrupting your whole server park.
If you want to see the VLANs on a switch and which access port is a member of which VLAN, issue the command "show vlans" to get a nice list. For the ports in trunk mode this will not help, so you have to check the device attached to the port for its configuration. All in all, coming back to the question: why did you allow all VLANs on all trunk ports, ultimately resulting in not being able to answer the question of which device is a member of which VLAN? So always have perfect documentation and/or use the "switchport trunk allowed vlan" command to limit the trunk to the necessary VLANs.
Mistake in the printed command; it must be:
"1. To restrict the traffic that a trunk carries, issue the switchport trunk allowed vlan vlan-list interface command"
I would say it depends on the situation. For instance, I am the Network Administrator for a High School; each classroom has a Wireless Access Point and a VoIP phone. It's a very old infrastructure (only one copper drop per classroom).
I'm not 100% sure why, but our VoIP phones need to grab two IP addresses from two different VLANs for them to work.
Our Access Points are on a specified VLAN per building.
The copper directly connects to the Access Point, and the AP has an additional 100 Mb port that we connect the phone to.
Clearly this would need to be a trunked port for all the devices to work, but why bombard the port and devices with traffic from every single VLAN in the infrastructure (ours has about 30), when all we need is traffic from the 3 VLANs?
So the advantage for us is clearly less overhead on the port and the devices connected to it.
I've also heard of administrators doing this in the backbone of the network for load balancing.
It depends on what the requirement in the network is. If I am using an OOB VLAN on a switch that is directly connected to the core, and I am sure that no single user from the OOB team will connect on the cascaded switch, then I will definitely not pass that VLAN on the downlink to the access switch.
Much better to prune VLANs on trunks and port-channels from the start.
Without fail, allowing all will one day need to be pruned.
"switchport trunk allowed vlan add/remove ###" is easier to manage from the start and a good spiritual practice.
I would define in the distribution layer, on the layer 3 switch or router, on the port channel, which VLANs to allow on that interface:
interface Port-channel10
 switchport trunk allowed vlan 10,20,30,40
 switchport mode trunk
 switchport nonegotiate
This was a great help with a rapid-pvst troubleshooting lab I'm working on. The interfaces I was looking for (g1/0-2) were not in the output of the show spanning-tree vlan 1 command even though the interfaces were up, up. I executed the following commands:
(config)#int range g1/0-2
(config-if)#switchport trunk allowed vlan add 1
Then I re-ran show spanning-tree vlan 1 and the interfaces were listed. I appreciate you sharing!