Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3945
Views
0
Helpful
10
Replies

Trunking VLANs

Go to solution
MrPrince1979
Level 1
Level 1

‎01-12-2011 10:54 AM - edited ‎03-04-2019 11:03 AM

Hi,

I’m configuring an 881 router to trunk 3 vlans (50,60 & 70) to a Cisco 1142 AP, vlan 50 being native. When I punch in the switchport trunk allowed vlan command and specify the vlans I want included I get:

‘Command rejected: Bad VLAN allowed list. You have to include all default vlans…etc’

Is understand that I have to allow all vlans across the trunk, but isn’t that a security risk? I have other vlans on that router that I don’t want trunked anywhere. Am I being overly worried? Is there a way around this, perhaps layering extra security on top etc.

Thanks for your help.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jgraafmans
Level 1
Level 1
In response to MrPrince1979

‎01-12-2011 03:23 PM

small business routers don't force trunks to carry all vlans they just force trunks to carry all the default VLAN's which are 1 and 1002-1005. For security reasons you should not use VLAN1 for host connectivity in the first place and you can't use VLAN 1002-1005 for host connectivity.

So with the command I provided you only allow VLAN's 1,50,60,70,1002-1005 and this command works just fine on a Cisco 881 router

View solution in original post

0 Helpful
10 Replies 10

Go to solution
mwhitlow
Level 1
Level 1

‎01-12-2011 12:58 PM

Oliver,

You have the right idea by not wanting to send anymore vlans than necessary.

Is your 1142 running in autonomous or LWAPP mode?

Mike

0 Helpful

Go to solution
MrPrince1979
Level 1
Level 1
In response to mwhitlow

‎01-12-2011 01:39 PM

Hi Mike,

Thanks for posting. The 1142 is running in autonomous mode. The router in question is a perimiter router with my "inside" network being a VLAN in itself. I don't really want that network being trunked anywhere it doesn't need to go.

Thanks.

0 Helpful

Go to solution
mwhitlow
Level 1
Level 1
In response to MrPrince1979

‎01-12-2011 01:55 PM

I don't have an 881 on my network but I do have Cisco access points running in autononomous mode on trunked ports. Here is a sample of one of them.

interface FastEthernet0/1

description AUTONONOMOUS AIR

switchport trunk encapsulation dot1q

switchport trunk native vlan 11

switchport trunk allowed vlan 1,11,14,16,30-32

switchport mode trunk

end

Does this help?

0 Helpful

Go to solution
MrPrince1979
Level 1
Level 1
In response to mwhitlow

‎01-12-2011 02:10 PM

Yep, that's what I'd like to do but when I enter the command to limit the allowed VLANs the switch tells me I have to allow them all.

In your example it looks like vlan 11 is your management network and the rest of your allowed vlans are wireless networks?

0 Helpful

Go to solution
mwhitlow
Level 1
Level 1
In response to MrPrince1979

‎01-12-2011 02:16 PM

That is correct. VLAN 11 would be the native and the network that the wireless AP itself is on. The other vlans are the VLANs for the various SSIDs. VLAN 1 is legacy and could probably be removed.

Sometimes the IOS can be pickey about the order the trunk commands are put in.  Try playing with that and see if it makes a difference.

0 Helpful

Go to solution
jgraafmans
Level 1
Level 1

‎01-12-2011 02:22 PM

You need to include all default vlan's which are 1,1002-1005

So your command should be: switchport trunk allowed vlan 1,50,60,70,1002-1005

0 Helpful

Go to solution
MrPrince1979
Level 1
Level 1
In response to jgraafmans

‎01-12-2011 02:50 PM

Thanks jgraafmans, I understand what the command would be but my question relates more to the security ramifications of trunking vlans where they don't need to go etc. I know its best practice to limit the vlans on any trunk to those that need to be trunked, what kind of exposure am I facing when trunking every vlan?

Shame that the small business routers force trunks to carry all vlans.

Thanks.

0 Helpful

Go to solution
jgraafmans
Level 1
Level 1
In response to MrPrince1979

‎01-12-2011 03:23 PM

small business routers don't force trunks to carry all vlans they just force trunks to carry all the default VLAN's which are 1 and 1002-1005. For security reasons you should not use VLAN1 for host connectivity in the first place and you can't use VLAN 1002-1005 for host connectivity.

So with the command I provided you only allow VLAN's 1,50,60,70,1002-1005 and this command works just fine on a Cisco 881 router

0 Helpful

Go to solution
MrPrince1979
Level 1
Level 1
In response to jgraafmans

‎01-12-2011 04:40 PM

I’m sorry I missed that important detail in your post!

So I’ve shutdown vlan 1 on the router and baring certain management traffic that still flows over vlan 1, with the command you provided:

switchport trunk allowed vlan 1,50,60,70,1002-1005

Really I’m only actually trunking the vlans I want. I didn’t realize that you can't use VLAN 1002-1005 for host connectivity.

This is great news, it alleviates my worries trunking vlans I don’t want being trunked. I’ll try the command tonight and post back the ‘Corrected Answer’

Thanks.

0 Helpful

Go to solution
MrPrince1979
Level 1
Level 1
In response to jgraafmans

‎01-12-2011 07:05 PM

Yup, works great, thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card