how to manage the allowed vlans on trunks

sumerfat
Level 1

[Screenshot_20231123_130009.jpg]

For this network, the instructor allows VLANs 10,30 on G0/1 of SW1, and also VLANs 10,30 on G0/1, without allowing VLAN 20; on G0/2 he allows 10,20,30. In his explanation of why VLAN 20 isn't allowed on the trunk between SW1 and SW2, he said it is because VLAN 20 doesn't have to use this trunk: if PC5 wants to send to PC2, it should be sent to R1, which will then send it to SW2. The question is, if VLAN 20 isn't allowed anyway, how could it get into the trunk between SW1 and SW2?


9 Replies

VLAN 20 is not allowed on the trunk because SW1 doesn't have any access port in VLAN 20, so there is no need to allow it.

MHM

PC5 will send traffic tagged with VLAN 20 to the router (GW) for inter-VLAN routing; then the router will send the traffic to PC2 tagged with VLAN 10.

The VLAN tag change is done in the router.

MHM

Do you mean the tag 20, which is L2, will be removed on R1, which works on L3? If it is not removed, the traffic still carries tag 20 from the source; when it arrives on G0/1 of SW2, VLAN 20 isn't allowed on that port, so I understand it should be dropped. Or else, why have the allowed VLAN command if any unallowed VLAN can still send and receive?

The router removes VLAN tag 20 and tags the traffic with the new VLAN tag 10.

MHM

OK, but what is the benefit of allowing certain VLANs on a trunk interface if, like here, VLAN 20, which is not allowed, can still get access?

You mean, why do we not allow all VLANs on the trunk?

If that is your question, then the answer is to reduce broadcasts and L2 protocols.

SW1 doesn't have any host in VLAN 20, so why must it receive broadcasts of VLAN 20 from the other switch? That puts more work on the CPU.

That is why we allow on the trunk only the VLANs that the switch has hosts in.

Isn't the reduction of broadcasts basically achieved just by subnetting and VLANs? So basically, if we just assigned VLANs 10,30 without using the (allowed vlans 10,30) command, they would still need to send, even broadcasts, to the router anyway. But doesn't the (allowed vlans 10,30) command have security reasons? So the not-allowed VLANs should not be allowed to communicate.

Broadcast of VLAN 20.

Let's see:

SW1 and SW2 both have hosts in VLAN 20.

If a host on SW1 sends a broadcast, does the broadcast pass through the trunk?

We limit broadcasts by subnet, but I am talking about broadcasts within the same VLAN.

For security: yes, Cisco recommends not allowing all VLANs on a trunk, as L2 security protection of the switch.

MHM (accepted solution)

Joseph W. Doherty
Hall of Fame

Any traffic between VLANs will need to use R1.

Assuming R1 is the gateway router for VLANs 10, 20 and 30, the R1 G0/0 interface should be defined as having 3 sub-interfaces, and the SW2 G0/2 interface defined as a trunk allowing VLANs 10, 20 and 30.

Since SW1 has only VLANs 10 and 30 connected to it, it (SW1) and SW2 need to share those VLANs using a trunk, on the SW1 and SW2 G0/1 interfaces.  VLAN 20 is not needed across this trunk because it only connects to SW2 (which has its G0/2 defined as a trunk allowing all 3 VLANs).

For PC5 to send a packet to PC2, as those PCs are on different VLANs, it sends the packet to R1, which routes the packet to VLAN 10.  It's the converse for PC2 to PC5 traffic.
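The reasoning in the thread (MHM's point that VLAN 20 broadcasts never need to reach SW1, and Joseph's description of PC5 to PC2 traffic going up to R1 and coming back re-tagged) can be checked with a small model. The following Python is an added example, not code from the original posts or from Cisco. Because the screenshot is not on the page, host placement is an assumption: PC1 (VLAN 10) and PC3 (VLAN 30) on SW1 are invented hosts, PC2 (VLAN 10) and PC5 (VLAN 20) are placed on SW2 as the replies imply, and the trunks carry the allowed-VLAN lists quoted in the question. The model traces a unicast hop by hop with its 802.1Q tag, shows a VLAN 20 frame being refused by the SW1-SW2 trunk, and compares the broadcast scope of the pruned trunk with an allow-all trunk.

```python
from collections import deque

# Constructed topology (assumption: the thread's screenshot is not on the page).
# SW1 holds only VLAN 10/30 hosts; SW2 holds the VLAN 20 host PC5 and PC2.
ACCESS_PORTS = {
    "SW1": {"PC1": 10, "PC3": 30},   # host -> access VLAN (PC1/PC3 invented)
    "SW2": {"PC2": 10, "PC5": 20},
}

# Trunks as the instructor configured them ("switchport trunk allowed vlan ...").
TRUNKS = {
    frozenset({"SW1", "SW2"}): {10, 30},      # SW1 G0/1 <-> SW2 G0/1
    frozenset({"SW2", "R1"}): {10, 20, 30},   # SW2 G0/2 <-> R1 G0/0 (router on a stick)
}
# The alternative the question asks about: every VLAN allowed on every trunk.
TRUNKS_ALLOW_ALL = {link: {10, 20, 30} for link in TRUNKS}


def host_switch(host):
    """Return (switch, vlan) for a host, taken from its access port."""
    for sw, ports in ACCESS_PORTS.items():
        if host in ports:
            return sw, ports[host]
    raise KeyError(f"unknown host {host}")


def neighbours(node, vlan, trunks):
    """Devices one trunk hop away whose trunk allows `vlan` (both directions filter)."""
    for link, allowed in trunks.items():
        if node in link and vlan in allowed:
            yield next(iter(link - {node}))


def l2_path(vlan, src, dst, trunks=TRUNKS):
    """BFS a tagged frame in `vlan` from src to dst over trunks; None if pruning blocks it.
    R1 is a Layer 3 device: it may be an endpoint but never bridges between trunks."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        if node == "R1" and node != src:
            continue
        for nxt in neighbours(node, vlan, trunks):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def flood(vlan, start, trunks=TRUNKS):
    """Set of devices that receive a broadcast sent in `vlan` at `start`."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == "R1":
            continue  # the router terminates the broadcast domain
        for nxt in neighbours(node, vlan, trunks):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def send(src, dst, trunks=TRUNKS):
    """Trace a host-to-host unicast as [(device, vlan_tag), ...], or None if undeliverable.
    Hosts in different VLANs go to R1 first; R1 strips the source tag and applies the
    destination VLAN's tag before sending the packet back down the trunk."""
    src_sw, src_vlan = host_switch(src)
    dst_sw, dst_vlan = host_switch(dst)
    if src_vlan == dst_vlan:
        path = l2_path(src_vlan, src_sw, dst_sw, trunks)
        return [(n, src_vlan) for n in path] if path else None
    up = l2_path(src_vlan, src_sw, "R1", trunks)
    down = l2_path(dst_vlan, "R1", dst_sw, trunks)
    if up is None or down is None:
        return None
    return [(n, src_vlan) for n in up] + [(n, dst_vlan) for n in down[1:]]


if __name__ == "__main__":
    print("PC5 -> PC1:", send("PC5", "PC1"))          # crosses SW1-SW2 tagged 10, never 20
    print("VLAN 20 frame SW2 -> SW1:", l2_path(20, "SW2", "SW1"))   # None: pruned
    print("VLAN 20 broadcast reaches:", sorted(flood(20, "SW2")),
          "vs allow-all:", sorted(flood(20, "SW2", TRUNKS_ALLOW_ALL)))
```

Run it directly to print the three traces. On real IOS gear the corresponding check is `show interfaces trunk`, which lists each trunk's allowed VLANs and the VLANs actually active on it; a frame tagged with a VLAN missing from a trunk's allowed list is discarded at that port in either direction, which is exactly why VLAN 20 never appears on the SW1-SW2 link in the model.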
