06-21-2018 01:18 PM - edited 03-08-2019 03:26 PM
Consider this configuration on a Cisco 3560x switch running 15.0(2)SE11
interface GigabitEthernet0/1
 description IDS connection to LAN
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,12,66,68
 switchport mode trunk
 spanning-tree portfast
interface GigabitEthernet0/15
 description Primary LB eth5 Mgmt vlan11 ATT LTE vlan9
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 9,11
 switchport mode trunk
interface GigabitEthernet0/18
 description Switch OOB Management
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,9
 switchport mode trunk
end
Then this command sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/15, Gi0/16, Gi0/17
                                                Gi0/20, Gi0/21, Gi0/22, Gi0/23
                                                Gi0/24, Gi1/1, Gi1/2, Gi1/3
                                                Gi1/4
9    VLAN0009                         active    Gi0/3
10   VLAN0010                         active    Gi0/2, Gi0/9, Gi0/10
11   VLAN0011                         active    Gi0/4
12   VLAN0012                         active    Gi0/6
66   VLAN0066                         active    Gi0/7, Gi0/8
67   VLAN0067                         active    Gi0/11, Gi0/12, Gi0/19
68   VLAN0068                         active    Gi0/5, Gi0/13, Gi0/14
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
(No mention of Gi0/18 btw)
Showing some ports in vlan 9 and 11 are just access ports.
interface GigabitEthernet0/3
 description ATT LTE Connection
 switchport access vlan 9
 spanning-tree portfast
interface GigabitEthernet0/4
 description 192.168.50 Network to ourguestinet
 switchport access vlan 11
 spanning-tree portfast
end
Why does sh vlan indicate ports Gi0/1 and Gi0/15 are in VLAN 1 and not vlan (11,12,66,68) or (9,11)? Currently they are not connected, so maybe they need to be connected to correctly reflect the config. Though Gi0/18 is connected and not reflecting its vlan membership in sh vlan at all.
06-21-2018 02:34 PM
Hello,
Regarding functional trunk ports - VLAN 1 is by default active on all trunk ports as the untagged "native" VLAN. This is why you should never use this VLAN for any production traffic. Show vlan is a look into real status. This is why you don't see results for a port whose status is down. I believe that this behavior is consistent on all Catalyst switches and software releases. By the way, during my practice, I use this command only to check if VLANs exist. When I want to review access port VLAN membership, I use show interface status. When I want to check trunks, I use show inter trunk. Hope this helps :-)
Stepan
06-21-2018 03:03 PM
Thanks for that explanation.
However, if you have two Cisco switches at the ends of a trunk, and let's say on both switches you see this command:
switchport trunk allowed vlan 11,12,66,68
Only vlan 11,12,66,68 tagged traffic egresses the port, right? Let's say I put a port in vlan 1 on both switches, and give them arbitrary IP addresses, for example 10.1.1.1 and 10.1.1.2. Could they ping each other even though switchport trunk allowed vlan did not specify vlan 1 on either switch?
06-21-2018 03:26 PM
Hello,
If you use allowed vlan <list> and native vlan is not in that list, native vlan traffic will not flow across that interface. You can check this - actual VLAN topology - by show spanning tree.
Regards :-)
Stepan
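Added example, not part of the original thread: a small Python audit that reads interface stanzas like the ones in the first post and reports, per trunk, whether the native VLAN is inside the allowed list discussed above. It assumes the native VLAN is 1 unless a "switchport trunk native vlan" line is present, handles only plain and "add" allowed-list lines, and uses hypothetical function names.

```python
import re

# Constructed sample: the trunk stanzas from the first post plus one access port.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,12,66,68
 switchport mode trunk
interface GigabitEthernet0/3
 switchport access vlan 9
interface GigabitEthernet0/15
 switchport trunk allowed vlan 9,11
 switchport mode trunk
interface GigabitEthernet0/18
 switchport trunk allowed vlan 1,9
 switchport mode trunk
"""

ALLOWED = re.compile(r"switchport trunk allowed vlan (add )?([\d,-]+)")
NATIVE = re.compile(r"switchport trunk native vlan (\d+)")

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '9,11,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(config):
    """Map each trunk interface to (native_vlan, native_in_allowed_list)."""
    stanzas, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            stanzas[name] = []
        elif name and line.startswith("switchport"):
            stanzas[name].append(line)
    report = {}
    for name, lines in stanzas.items():
        if "switchport mode trunk" not in lines:
            continue  # access ports have no allowed list to audit
        native, allowed = 1, set(range(1, 4095))  # assumed IOS defaults
        for l in lines:
            if m := NATIVE.fullmatch(l):
                native = int(m.group(1))
            elif m := ALLOWED.fullmatch(l):
                vl = expand_vlans(m.group(2))
                allowed = allowed | vl if m.group(1) else vl
        report[name] = (native, native in allowed)
    return report
```

On the sample, Gi0/1 and Gi0/15 come back with the native VLAN outside the allowed list and Gi0/18 with it inside, which is the configured state to compare against show interface trunk once the links are up.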
06-21-2018 04:06 PM
Hi Mate,
VLAN 1 is the default VLAN in the switch, which is generally used for multiple other things when you interconnect two switches. Whether VLAN 1 is allowed through a trunk or not, it carries certain traffic (e.g. VTP, STP, etc.) across the switch. However, if you prune the VLAN off the trunk by removing it from the allowed list, it will not carry user traffic.
Cheers
Prabath
06-22-2018 08:50 AM
Thanks.
This switch is a spare that sits in our internet rack between load balancer and our outside IDS/IPS.
Currently that is handled with a Meraki switch, to the IDS/IPS to a dual core Extreme Networks X690. Because these are different models on each endpoint and we've been aggressively pen-tested before, nobody has been able to hop that external switch to vlan either via our public wifi, which terminates outside the network on that switch, or our external WAN IPs.
We believe a port is starting to go bad on the Meraki so I've racked this spare 3560x in its place with the same trunks and access vlan configuration in anticipation of it being a working cold spare.
06-23-2018 11:19 PM
VLAN 1 is present as the native VLAN, as others wrote (since the native VLAN is not changed). Active trunk ports are not even supposed to be on the list when show vlan is issued, and typically non-active trunk ports are listed as ports in VLAN 1. Are those ports active?
To check which VLANs are permitted on trunks (when the trunk is active) issue
show interface trunk
Active VLANs that are allowed on the trunk are listed under:
vlans in spanning tree forwarding state and not pruned
Only traffic for VLANs listed as "vlans in ... and not pruned" will be forwarded.
And "No", if VLAN 1 is not on the list of "vlans in ... and not pruned", user traffic will not be forwarded via that interface (traffic will be dropped).
06-25-2018 09:18 AM
Ah, sh interface trunk is a more appropriate command.
No, most of those ports are not connected at this time.
Thanks for your help everyone!