11-30-2010 04:36 AM - edited 03-04-2019 10:37 AM
Hi,
I have attached my scenario below and I would like the PC in VLAN 1 to send to and receive from VLANs 2 and 3, but I don't want VLAN 2 to communicate with VLAN 3. I used switchport trunk allowed vlan all on the switchport that is used to connect to the PC of VLAN 1 but I don't have the expected result. Any help will be welcome.
11-30-2010 06:33 AM
Hi,
You should post a diagram as jpg because not everybody has packet tracer to open your file.
And also post the config from your devices.
But if you want to do inter-VLAN routing you need a L3 device with an SVI for each VLAN (interface vlan), or a router-on-a-stick design with a router trunking with the switch and as many subinterfaces as VLANs.
A trunk port is a port which can transport multiple VLANs, and normally PCs are in one VLAN (one subnet) and so are attached to an access port in this VLAN.
regards.
11-30-2010 11:47 PM
12-01-2010 03:00 AM
Hi,
As VLANs are different IP subnets you must route between them and a L2 device can't do this.
You only have 2 options:
-router on a stick
-L3 switch with SVIs
Regards.
12-01-2010 06:03 AM
Thanks a lot cadetalain!
But I still have a question that is making my head spin. What is the command
switchport trunk allowed vlan all made for?
12-01-2010 08:38 AM
Hi,
By default all vlans are permitted on a trunk and so this command is used to revert to default if before we had just some vlans allowed but not all of them.
Regards.
05-15-2013 12:04 PM
What is the advantage of allowing certain VLANs vs. allowing all? Currently we have all VLANs allowed in the network and want to allow only certain VLANs instead; how can we determine which VLANs should be allowed?
I appreciate a response in this regard. Thanks
05-15-2013 01:25 PM
It's normally a best security practice to only allow VLANs that need to communicate down the trunk link. Without setting the command switchport trunk allowed vlan X,Y,Z, it allows ALL VLANs to traverse that pipe. By restricting the number of VLANs you are cutting down on security risks and the amount of traffic that can cross those paths. I mean, if it's not needed, why include it?
One thing I wanted to note: if doing this in a live production environment, PLEASE be careful.
If you want to add existing VLANs to a trunk you should do this:
switchport trunk allowed vlan add xx
If you want to remove existing VLANs from a trunk you should do this:
switchport trunk allowed vlan remove xx
The reason I raise this is that if we were to do this:
switchport trunk allowed vlan xx
it would momentarily remove all VLANs from the trunk and ALL VLANs would be disrupted. Although it's minimal disruption, I have seen it cause havoc.
Let's just say that using the add and remove keywords is much more friendly!
In regard to the original post, Alain correctly stated that some sort of layer 3 device (router) will be required to route between the different subnets and VLANs. The requirement to get PCs to talk is for them either to be on the same segment, i.e. in one VLAN, or to be on different segments with a router that can route from one subnet to another.
So I have taken the opportunity to quickly change things in the PKT file, and hopefully there is some benefit there for anyone.
I've decided to take on Alain's suggestion of router on a stick, which is fairly simple, and personally I like this kind of simplistic setup. Also, the concept is pretty easy to grasp.
There are 4 VLANs: 1, 2, 3 and 4. The switch has the usual access ports for the PCs and, in addition, as part of the router-on-a-stick setup, I have created a trunk interface towards the router. The router has sub-interfaces, which are capable of 802.1Q tagging once you enable 'encapsulation dot1q x' (x being the VLAN ID). Then we can assign an IP address to this particular interface. Another phrase for this type of setup is 'inter-VLAN routing'.
You will note that in the configuration below I have specified the native VLAN, which does not get encapsulated or tagged, and by default it's VLAN 1.
Router#
Router#show run
Building configuration...
Current configuration : 835 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0.4
encapsulation dot1Q 4
ip address 192.168.4.1 255.255.255.0
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
line con 0
line vty 0 4
login
!
end
Router#
Here is the switch configuration:
Switch#show run
Building configuration...
Current configuration : 1238 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 3
spanning-tree portfast
!
interface FastEthernet0/4
switchport access vlan 4
spanning-tree portfast
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
switchport trunk allowed vlan 1-4
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
end
More details of router on a stick here:
http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml
Hope this helps
Please rate useful posts & remember to mark any solved questions as answered. Thank you.
05-15-2013 01:36 PM
Hi,
I don't think the above completes the scenario. The 'switchport trunk allowed vlan' command only applies to trunks, so it is somewhat useless on int fa0/4. Hence the trunk keyword in the statement. Instead, as you are using a L2 device (presumably a 2950 or similar), you want to trunk it all up to the router as Bilal correctly suggests.
-> However, remove the unused vlan allowed statement on int fa0/4.
-> Configure an ACL on your router to prevent 2 and 3 talking to each other.
e.g.:
! outbound on fa0/0.2 filters traffic heading into VLAN 2, so the source here is the VLAN 3 subnet
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip any any
int fa0/0.2
ip access-group 101 out
-> Repeat the above for vlan 3 but with the correct subnets.
When you move up to CCNP you might start thinking about isolated and community VLANs to solve your problem, given the number of devices.
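The ACL reply above, as an added example that is not from this thread and not Cisco code: a small evaluator for extended numbered ACL entries of the form "access-list N {permit|deny} ip SRC WILDCARD DST WILDCARD", run against a few constructed packets. It shows two things a practitioner would check before trusting such a filter: an entry whose source and destination are both the VLAN 2 subnet can only ever match VLAN 2 to VLAN 2 traffic, which never crosses the router, so it blocks nothing; and "permit any any" without the protocol keyword is not a valid extended ACE at all. The addresses and the outbound placement on fa0/0.2 are assumptions taken from the posts above.

```python
"""Added example, not from this thread and not Cisco code: evaluate IOS-style
extended ACL entries of the form
    access-list N {permit|deny} ip SRC WILDCARD DST WILDCARD
against constructed packets, to confirm what a VLAN 2 / VLAN 3 filter does."""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, int, int, int, int]  # (action, src, src_wild, dst, dst_wild)
MASK32 = 0xFFFFFFFF


def _addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i]; return (net, wild, next i)."""
    if tok[i] == "any":
        return 0, MASK32, i + 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1])), i + 2)


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse entries in order. Like IOS, reject an entry with no protocol keyword
    ('permit any any' is '% Invalid input'; it must be 'permit ip any any')."""
    entries: List[Entry] = []
    for line in lines:
        tok = line.split()
        if (len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip"
                or tok[2] not in ("permit", "deny")):
            raise ValueError(f"unsupported ACE: {line!r}")
        src, sw, i = _addr(tok, 4)
        dst, dw, _ = _addr(tok, i)
        entries.append((tok[2], src, sw, dst, dw))
    return entries


def acl_parses(lines: List[str]) -> bool:
    """True if every line is an ACE this evaluator (and IOS) would accept."""
    try:
        parse_acl(lines)
        return True
    except (ValueError, IndexError, ipaddress.AddressValueError):
        return False


def _matches(addr: int, net: int, wild: int) -> bool:
    # Wildcard bits set to 1 are "don't care": 0.0.0.255 matches a whole /24.
    care = ~wild & MASK32
    return (addr & care) == (net & care)


def acl_verdict(entries: List[Entry], src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny ip any any."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, net_s, ws, net_d, wd in entries:
        if _matches(s, net_s, ws) and _matches(d, net_d, wd):
            return action
    return "deny"


# The entry as first posted: source and destination are BOTH the VLAN 2 subnet,
# so it can only match VLAN 2 -> VLAN 2 traffic, which never crosses the router.
POSTED_DENY = "access-list 101 deny ip 192.168.2.1 0.0.0.255 192.168.2.1 0.0.0.255"
POSTED_PERMIT = "access-list 101 permit any any"  # no protocol keyword: IOS rejects it

# Corrected list for 'ip access-group 101 out' on fa0/0.2 (traffic towards VLAN 2);
# the mirror image goes outbound on fa0/0.3. Addresses assumed from the thread.
CORRECTED_ACL = [
    "access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 101 permit ip any any",
]

if __name__ == "__main__":
    acl = parse_acl(CORRECTED_ACL)
    for src, dst in [("192.168.3.5", "192.168.2.5"), ("192.168.1.5", "192.168.2.5")]:
        print(f"{src} -> {dst}: {acl_verdict(acl, src, dst)}")
```

Running it prints deny for the VLAN 3 to VLAN 2 packet and permit for the VLAN 1 to VLAN 2 packet; the evaluator only handles the protocol "ip" form, which is all the filter needs, and anything with ports or other protocols is rejected rather than silently mis-parsed.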
05-15-2013 01:36 PM
Just realised an error in my ACL, but you should get the picture.
05-15-2013 01:39 PM
Agreed - thanks for pointing out the ACL. I think I got so carried away with the inter-VLAN routing that I totally forgot about the ACLs to stop one subnet from talking to another! :-)
05-15-2013 03:07 PM
How can I determine the VLANs to be allowed, now that the network has all VLANs allowed?
How can I go about determining the VLANs that need to be added?
I want to change switchport trunk allowed vlan all to switchport trunk allowed vlan; but I want to determine the VLANs to be allowed...
Please give me your feedback
Sent from Cisco Technical Support iPhone App
05-15-2013 03:23 PM
Are you talking about an existing network in a live environment or just a lab? The approach to this can be very different.
Say I have VLANs 1-5 on switch A.
By default my config would be
interface gi0/0
 switchport mode trunk
and would trunk all VLANs. Right?
Let's say I wanted to remove VLAN 5 afterwards from the trunk because it's not needed on there anymore. I'd do this:
interface gi0/0
 switchport trunk allowed vlan remove 5
The running config at this stage will look like this:
interface gi0/0
 switchport mode trunk
 switchport trunk allowed vlan 1-4
If I wanted to add a VLAN I'd do this:
interface gi0/0
 switchport trunk allowed vlan add 5
The running config would then look like this:
interface gi0/0
 switchport mode trunk
 switchport trunk allowed vlan 1-5
It does this because we have explicitly configured the trunk to carry these VLANs for us.
If I had a brand new setup that wasn't being used in a live environment yet and was configuring a trunk:
interface gi0/0
 switchport trunk allowed vlan 1,2,3,4
So I'm just allowing VLANs 1, 2, 3 and 4.
This is explicitly configuring the allowed VLANs on the trunk.
However, if a VLAN is inactive then it gets pruned, depending on your switches and layer 2 configuration.
IMHO it's better from a security and control point of view to manually configure a trunk using this method.
Hope this helps
05-15-2013 06:31 PM
Thank you for the reply. It's a live network and I understand the procedure to add the VLANs. But currently all VLANs are being allowed; I am new to the network and I will have to determine which VLANs to allow. How can I approach determining which VLANs to allow?
05-15-2013 11:51 PM
Good question. People might have differences of opinion on how to approach something like this.
I would start off at your access layer switches; from here we can pretty much tell what VLANs are required just by the access ports.
I would sketch out a rough diagram of the layer 2 network just so we can jot down beside a switch which VLANs are being used. This would definitely be a good exercise to go through, since you'd get to know the network more!
Once we have this information we can go to the core/distribution layer; we may have access ports there, but most should be trunks. Here we can pretty much say which VLANs are needed on which trunks towards the access layer.
However, things become a bit more tricky when your organisation is using a virtual environment, ESX/blade chassis. These may require VLANs to be trunked to them. I guess it would require some cooperation between network and platform teams to discuss which VLANs need to stay on the trunk and which ones don't need to be there.
Then hopefully we can be in a position to determine which VLANs are required and which aren't on the trunk ports.
Hope this helps
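The two replies above (the add/remove vs. bare-list behaviour of switchport trunk allowed vlan, and the procedure of reading required VLANs off the access ports) as one added example. This is not from any post in the thread and not Cisco code: it models the argument forms of the command on a VLAN set, starting from the explicit 1-5 list the reply uses, and then audits a constructed show-run style config for VLANs that a trunk allows but that no local access port or SVI uses. The sample config, the interface names and the assumption that every sub-command is indented by one space and each stanza ends in "!" are mine; VLANs needed only by downstream switches or ESX/blade hosts behind the trunk cannot be seen this way, exactly as the reply warns.

```python
"""Added example, not from this thread and not Cisco code: model the argument
forms of 'switchport trunk allowed vlan' and audit a config for VLANs that a
trunk allows but no local access port or SVI uses."""
import re
from typing import Dict, List, Set

ALL_VLANS: Set[int] = set(range(1, 4095))  # 1-4094, what IOS means by 'all'

def parse_vlan_list(text: str) -> Set[int]:
    """'1-4,10,20-22' -> {1, 2, 3, 4, 10, 20, 21, 22}."""
    vlans: Set[int] = set()
    for part in text.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def format_vlan_list(vlans: Set[int]) -> str:
    """Collapse {1, 2, 3, 4, 10} back to the '1-4,10' form show run prints."""
    nums, out, i = sorted(vlans), [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        out.append(str(nums[i]) if i == j else f"{nums[i]}-{nums[j]}")
        i = j + 1
    return ",".join(out) if out else "none"

def apply_allowed_vlan(current: Set[int], args: str) -> Set[int]:
    """Apply 'switchport trunk allowed vlan <args>' to a trunk's allowed set.
    add/remove edit the set; a bare list REPLACES it, which is why typing
    'allowed vlan 5' on a live trunk momentarily drops every other VLAN."""
    words = args.split(None, 1)
    keyword, rest = words[0].lower(), (words[1] if len(words) > 1 else "")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    return parse_vlan_list(args)

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """{interface name: [sub-commands]}. Assumes IOS layout: sub-commands are
    indented by one space and each stanza ends with a '!' line."""
    blocks: Dict[str, List[str]] = {}
    name = None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            blocks[name] = []
        elif line.strip() == "!":
            name = None
        elif name is not None and line.startswith(" "):
            blocks[name].append(line.strip())
    return blocks

def audit_trunks(config: str) -> Dict[str, Set[int]]:
    """For each port with 'switchport mode trunk', the VLANs it allows that no
    access port (VLAN 1 when unset) or SVI on this switch uses. Caveat: VLANs
    needed only by devices behind the trunk are invisible here."""
    used: Set[int] = set()
    trunks: Dict[str, Set[int]] = {}
    for name, cmds in parse_interfaces(config).items():
        svi = re.fullmatch(r"Vlan(\d+)", name)
        if svi:
            used.add(int(svi.group(1)))
            continue
        allowed, access_vlan = set(ALL_VLANS), 1
        for cmd in cmds:
            if cmd.startswith("switchport access vlan "):
                access_vlan = int(cmd.split()[-1])
            elif cmd.startswith("switchport trunk allowed vlan "):
                allowed = apply_allowed_vlan(allowed, cmd.split(None, 4)[4])
        if "switchport mode trunk" in cmds:
            trunks[name] = allowed
        else:
            used.add(access_vlan)
    return {port: allowed - used for port, allowed in trunks.items()}

# Constructed sample in the style of the switch config posted above (not a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 2
!
interface FastEthernet0/24
 switchport trunk allowed vlan 1-10
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface Vlan1
 no ip address
!
"""
```

Calling audit_trunks(SAMPLE_CONFIG) reports VLANs 3-10 as allowed but locally unused on FastEthernet0/24, and everything except VLANs 1 and 2 on the GigabitEthernet0/1 trunk that still allows all; format_vlan_list turns either set back into the range notation you would paste after "switchport trunk allowed vlan remove". The report is a list of candidates to confirm with the platform teams, not a change to apply blindly.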