cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
948
Views
7
Helpful
9
Replies

how to manage the allowed vlans on trunks

sumerfat
Level 1
Level 1

Screenshot_20231123_130009.jpg

ā€ƒfor this network, the instructor allows vlans 10,30 on g0/1 SW1 , and also vlans 10,30 on g0/1 , without allowing vl 20 , on g0/2 allows 10,20,30 , in his explanation why vl 20 isn't allowed on trunk between sw1 , 2 he said because vl 20 don't have to use this trunk , if pc5 wants to send to pc2 , it's should be sent to R1 the it will send it to Sw2 .. the question is if vl 20 anyway isn't allowed, how could it get into the trunk Sw 1 ,2  ? 

1 Accepted Solution

Accepted Solutions

Broadcast of vlan 20

Let see 

Sw1 to sw2 have both host in vlan20

If host in sw1 send broadcast are broadcast pass through trunk? 

We limit broadcast by subnet but I talk about broadcast of same vlan.

For secuirty' yes cisco recommend to not allow all vlan in trunk as l2 secuirty protect of SW.

MHM

View solution in original post

9 Replies 9

Vlan 20 not allow in trunk because sw1 dont have any access port on vlan20 so allow it no need.

MHM

Pc5 will send tag with vlan 20 to router (gw) for inter-vlan then router will send traffic to pc2 tag with vlan10.

The vlan tag change done in router.

MHM

do you mean the  tag 20 which is L2 will be removed on R1 which works on L3 ? if not removed , still the tag 20 from source, when it arrives on G0/1 Sw2 , the vl 20 isn't allowed on that port, so i understand it should be dropped, or else why the allowed vl command if any unallowed vl still can send and receive? 

Router remove tag vlan 20 and tag traffic with new tag vlan 10

MHM

ok, but what the benefit of allowing certain vlans on a trunk int , if like here vl20 which is not allowed, still can get access 

You meaning why we not allow all vlan in trunk?

If that is your q then answer is reduce broadcast and and l2 protocol.

Sw1 dont any any host in vlan 20 so why it must recieve broadcast of vlan 20 from other SW' that put more work in cpu.

That why we allow only vlan in trunk that Sw have host in it.

the reducing of broadcast isn't fulfilled basically by just subnetting and vlans ? so basically if we just assigned vl 10,30 without the use of ( allowed vlans 10,30 ) command, still they need to send , even broadcast to the  router anyway. but the ( allowed vlans 10,30 ) doesn't have security reasons? so the not allowed vlans should not be allowed to communicate 

Broadcast of vlan 20

Let see 

Sw1 to sw2 have both host in vlan20

If host in sw1 send broadcast are broadcast pass through trunk? 

We limit broadcast by subnet but I talk about broadcast of same vlan.

For secuirty' yes cisco recommend to not allow all vlan in trunk as l2 secuirty protect of SW.

MHM

Joseph W. Doherty
Hall of Fame
Hall of Fame

Any traffic between VLANs will need to use R1.

Assuming R1 is the gateway router for VLANs 10, 20 and 30, the R1 G0/0 interface should be defined having 3 sub-interfaces and the SW2 G0/2 interface defined as a trunk allowing VLANs 10, 20 and 30.

Since SW1 has only VLANs 10 and 30 connected to it, it (SW1) and SW2 need to share those VLANs using a trunk, on the SW1 and SW2 G0/1 interfaces.  VLAN 20 is not needed across this trunk because it only connects to SW2 (which has its G0/2 defined as a trunk allowing all 3 VLANs).

For PC5 to send a packet to PC2, as those PCs are on different VLANs, it sends the packet to R1, which routes the packet to VLAN 10.  It's the converse for PC2 to PC5 traffic.

 

Review Cisco Networking for a $25 gift card