switchport trunk allowed still shows vlan 1 on port even though its not allowed

keithsauer507
Level 5

Consider this configuration on a Cisco 3560x switch running 15.0(2)SE11

interface GigabitEthernet0/1
 description IDS connection to LAN
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,12,66,68
 switchport mode trunk
 spanning-tree portfast

interface GigabitEthernet0/15
 description Primary LB eth5 Mgmt vlan11 ATT LTE vlan9
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 9,11
 switchport mode trunk

interface GigabitEthernet0/18
 description Switch OOB Management
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,9
 switchport mode trunk
end

Then this command: sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/15, Gi0/16, Gi0/17
                                                Gi0/20, Gi0/21, Gi0/22, Gi0/23
                                                Gi0/24, Gi1/1, Gi1/2, Gi1/3
                                                Gi1/4
9    VLAN0009                         active    Gi0/3
10   VLAN0010                         active    Gi0/2, Gi0/9, Gi0/10
11   VLAN0011                         active    Gi0/4
12   VLAN0012                         active    Gi0/6
66   VLAN0066                         active    Gi0/7, Gi0/8
67   VLAN0067                         active    Gi0/11, Gi0/12, Gi0/19
68   VLAN0068                         active    Gi0/5, Gi0/13, Gi0/14
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

(No mention of Gi0/18 btw)

Showing that some ports in vlan 9 and 11 are just access ports.

interface GigabitEthernet0/3
 description ATT LTE Connection
 switchport access vlan 9
 spanning-tree portfast

interface GigabitEthernet0/4
 description 192.168.50 Network to ourguestinet
 switchport access vlan 11
 spanning-tree portfast
end

Why does sh vlan indicate that ports Gi0/1 and Gi0/15 are in VLAN 1 and not in VLANs (11,12,66,68) or (9,11)? Currently they are not connected, so maybe they need to be connected to correctly reflect the config. Though Gi0/18 is connected and is not reflecting its VLAN membership in sh vlan at all.

Accepted Solution

VLAN 1 is present as the native VLAN, as others wrote (since the native VLAN has not been changed). Active trunk ports are not even supposed to be on the list when show vlan is issued, and typically non-active trunk ports are listed as ports in VLAN 1. Are those ports active?

To check which VLANs are permitted on trunks (when the trunk is active), issue

show interface trunk

Active VLANs that are allowed on the trunk are listed under:

Vlans in spanning tree forwarding state and not pruned

Only traffic for VLANs listed under "Vlans in ... and not pruned" will be forwarded.

And "No": if VLAN 1 is not on the list of "Vlans in ... and not pruned", user traffic will not be forwarded via that interface (the traffic will be dropped).
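The check described in this answer, scripted as an added example (not code from the thread): parse a constructed show interfaces trunk sample, built from the OP's Gi0/1, Gi0/15 and Gi0/18 configuration with the native VLAN left at the default of 1, and list the trunks on which the untagged native VLAN is still in the forwarding list. The sample omits the "Vlans allowed and active in management domain" section that the real command also prints.

```python
# Constructed "show interfaces trunk" sample modelled on the OP's Gi0/1,
# Gi0/15 and Gi0/18 trunks; the native VLAN was left at its default of 1.
SHOW_INT_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/15      on               802.1q         trunking      1
Gi0/18      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       11,12,66,68
Gi0/15      9,11
Gi0/18      1,9

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       11,12,66,68
Gi0/15      9,11
Gi0/18      1,9
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1-5,9,11' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(text):
    """Return {port: {'native': int, 'allowed': set, 'forwarding': set}}."""
    trunks, section = {}, ""
    for line in text.splitlines():
        if line.startswith("Port"):
            section = line  # the header row names the column below it
            continue
        fields = line.split()
        if not fields:
            continue
        if "Native vlan" in section:
            trunks[fields[0]] = {"native": int(fields[-1])}
        elif "allowed on trunk" in section:
            trunks[fields[0]]["allowed"] = expand_vlans(fields[1])
        elif "forwarding state" in section:
            trunks[fields[0]]["forwarding"] = expand_vlans(fields[1])
    return trunks

def native_vlan_forwarding(trunks):
    """Ports whose untagged native VLAN is still forwarded, i.e. where the
    allowed-vlan list did not actually keep VLAN 1 off the trunk."""
    return sorted(p for p, t in trunks.items() if t["native"] in t["forwarding"])
```

On the sample only Gi0/18 is reported, which matches its "allowed vlan 1,9" line; Gi0/1 and Gi0/15 pass because VLAN 1 is absent from their forwarding list.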


7 Replies

STEPAN JANKOVIC
Level 1

Hello,

Regarding functional trunk ports: VLAN 1 is by default active on all trunk ports as the untagged "native" VLAN. This is why you should never use this VLAN for any production traffic. Show vlan is a look into the real status. This is why you don't see results for a port whose status is down. I believe that this behavior is consistent on all Catalyst switches and software releases. By the way, during my practice, I use this command only to check if VLANs exist. When I want to review access port VLAN membership, I use show interface status. When I want to check trunks, I use show inter trunk. Hope this helps :-)

Stepan

Thanks for that explanation.

However, if you have two Cisco switches at the ends of a trunk, and let's say on both switches you see this command:

switchport trunk allowed vlan 11,12,66,68

Only vlan 11,12,66,68 tagged traffic egresses the port, right? Let's say I put a port in vlan 1 on both switches and give them arbitrary IP addresses, for example 10.1.1.1 and 10.1.1.2. Could they ping each other even though switchport trunk allowed vlan did not specify vlan 1 on either switch?

Hello,

If you use allowed vlan <list> and the native vlan is not in that list, native vlan traffic will not flow across that interface. You can check this (the actual VLAN topology) with show spanning-tree.

Regards :-)

Stepan

Hi Mate,

VLAN 1 is the default VLAN in the switch, which is generally used for multiple other things when you interconnect two switches. Whether VLAN 1 is allowed through a trunk or not, it carries certain traffic (e.g. VTP, STP, etc.) across the switch. However, if you prune the VLAN off the trunk by removing it from the allowed list, it will not carry user traffic.

Cheers

Prabath

***Please rate all the useful posts***
-Prabath

Thanks.

This switch is a spare that sits in our internet rack between the load balancer and our outside IDS/IPS.

Currently that is handled with a Meraki switch, to the IDS/IPS, to a dual core Extreme Networks X690. Because these are different models at each endpoint and we've been aggressively pen-tested before, nobody has been able to hop that external switch to a VLAN, either via our public wifi, which terminates outside the network on that switch, or via our external WAN IPs.

We believe a port is starting to go bad on the Meraki, so I've racked this spare 3560x in its place with the same trunk and access VLAN configuration in anticipation of it being a working cold spare.

Ah, sh interface trunk is a more appropriate command.

No, most of those ports are not connected at this time.

Thanks for your help everyone!
