Cisco Nexus 5K - Port operating in access mode but with Trunking VLANs Allowed.

lds_sm
Level 1

Hello,

Recently, while troubleshooting an issue on a Nexus 5K switch, I noticed that the ports operating in access mode did not contain the "switchport mode access" command, and the output of "show interface <int> switchport" displays the following: "Trunking VLANs Allowed: 1-4094".


I added the command "switchport mode access", but unlike on Catalyst switches, where DTP would be disabled, nothing happened on the Nexus switch port. Currently the port is part of a single VLAN.

Is there a security concern in having all those VLANs allowed, and could a trunk automatically be formed if a dot1q-capable device is connected to the port? If yes, how could all VLANs other than the needed one be blocked on the port?

Thank you very much for your help!

4 Replies

balaji.bandi
Hall of Fame

The network will have STP loop issues if another device has a loop, or other issues if the new device is elected as STP root bridge on your network. If the port is not intended to be a trunk, I suggest making it an access port.

 

For security reasons, any device accidentally plugged in could cause network issues, so in a DC/enterprise environment always put unused ports in shutdown mode.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the response, Balaji. The port is already operating in access mode; I even tried to manually enter "switchport mode access", but the command does not appear in the interface configuration. Also, there are no VLANs being explicitly allowed on the interface; the only command present is "switchport access vlan x".

Can you post the configuration of that port?

show run interface ether X/X

BB


David Castro F.
Spotlight

Hello,

 

I hope you are doing great,

 

This could happen if the port was a trunk in the past. You can run, for example, "default interface ethernet 1/1" and then "switchport mode access"; this command won't be shown in the running config, it will remain hidden for some reason, so it is a default behavior. Now if you do "show vlan id XX" or "show vlan", it will show the VLANs allowed on that interface only.

 

Now, DTP is not supported on any Nexus platform, so there is no dynamic negotiation and a trunk won't be formed. Anyway, you can run BPDU Guard to prevent BPDUs on that particular interface.

 

Keep us posted,

 

Please rate all helpful posts and mark as correct if this answered your question.

 

David Castro,
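The two replies above together describe what a hardened NX-OS edge port looks like (explicit access mode even though the running-config hides it, BPDU Guard, unused ports shut down, and an explicit allowed-VLAN list where a port really is a trunk). The script below is an added example, not code from the thread or from Cisco: it parses a constructed `show running-config interface` sample and reports ports that fall short of that baseline. The interface names and VLAN numbers are hypothetical. It assumes two things the thread states or implies: a switchport with no `switchport mode` line is in the NX-OS default, access mode (the "implicit" finding is informational and matches David's point that the command stays hidden; `show running-config interface <x> all` displays defaults), and a port configured as `spanning-tree port type edge` inherits BPDU Guard from the global `spanning-tree port type edge bpduguard default`.

```python
"""Audit NX-OS 'show running-config interface' text for weak Layer 2 port settings.

Added example, not from the thread. SAMPLE_CONFIG is constructed for illustration.
Assumptions: a switchport without a 'switchport mode' line is an access port
(the NX-OS default, which the running-config does not display), and an edge port
gets BPDU guard when 'spanning-tree port type edge bpduguard default' is set globally.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: one implicit-mode access port, one explicitly hardened port,
# one trunk with the default allowed list, one shut-down spare, one untouched spare.
SAMPLE_CONFIG = """\
spanning-tree port type edge bpduguard default
interface Ethernet1/1
  description server-a
  switchport access vlan 10
  spanning-tree port type edge
interface Ethernet1/2
  description server-b
  switchport mode access
  switchport access vlan 10
  spanning-tree port type edge
  spanning-tree bpduguard enable
interface Ethernet1/3
  switchport mode trunk
interface Ethernet1/4
  shutdown
interface Ethernet1/5
"""


def parse_interfaces(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split running-config text into global lines and per-interface sub-command lines."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"interface (\S+)$", line)
        if header and not raw.startswith(" "):
            current = header.group(1)
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line)  # indented line belongs to the current interface
        else:
            current = None                    # back at global configuration level
            global_lines.append(line)
    return global_lines, interfaces


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface: [findings]} for every interface that is not administratively down."""
    global_lines, interfaces = parse_interfaces(config)
    edge_guard_default = "spanning-tree port type edge bpduguard default" in global_lines
    report: Dict[str, List[str]] = {}
    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue                          # admin-down is the safe state for a spare port
        findings: List[str] = []
        if not lines:
            findings.append("unused port left up: no configuration and no 'shutdown'")
            report[name] = findings
            continue
        if "switchport mode trunk" in lines:
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append("trunk carries all VLANs 1-4094: add 'switchport trunk allowed vlan ...'")
        else:
            # Assumption: no 'switchport mode' line means the NX-OS default, access mode,
            # which the running-config hides ('show running-config interface <x> all' shows it).
            if "switchport mode access" not in lines:
                findings.append("access mode is implicit (NX-OS default, not shown in running-config)")
            guarded = "spanning-tree bpduguard enable" in lines or (
                edge_guard_default and "spanning-tree port type edge" in lines)
            if not guarded:
                findings.append("no BPDU guard: add 'spanning-tree bpduguard enable' "
                                "or make it an edge port with the global bpduguard default")
        report[name] = findings
    return report


if __name__ == "__main__":
    for intf, issues in audit(SAMPLE_CONFIG).items():
        print(intf, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

On the sample, Ethernet1/2 is the target shape and produces no findings; Ethernet1/1 only gets the informational note about implicit access mode; Ethernet1/3 is flagged because a trunk with no allowed-VLAN list carries every VLAN; Ethernet1/5 is the "unused port left up" case Balaji warns about. Feed the script the output of `show running-config interface` from a real switch and the trunk check is the one that answers the original question: the 1-4094 list only matters once a port actually is a trunk, which on Nexus has to be configured explicitly.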