11-29-2018 04:01 AM - edited 03-10-2019 01:16 PM
Dear,
At this moment I am looking at a situation which boggles my mind. I just can't believe what is happening. Maybe this community will clear things up for me.
In our network we have a ring of 10 switches. One of these is in the server room, SWI01 (2960X). Now we added another switch inside the server room, SWI02 (3850), inside the ring. Each switch has a server system connected. The 2960X is the only non-REP-capable device in the entire ring. Therefore both switches connected to the 2960X have rep edge no-neighbor on them.
We do not want backup traffic from server system 1 to server system 2 to go over the ring, so we excluded the backup VLAN on the connection between both switches. Dedicated fiber will be provided in the future to allow only the backup VLAN. This exclusion is only made on 1 of the 2 switches, not on both. The backup VLAN 350 is not configured on any of the other switches in the ring.
SWI01
interface gi1/0/25
 switchport mode trunk
interface gi2/0/25
 switchport mode trunk
SWI02
interface gi1/1/1
 ! this port connects to SWI01 gi2/0/25
 switchport trunk allowed vlan 1,105,201,303-305,401
 switchport mode trunk
 rep segment 1 edge no-neighbor
interface gi2/1/1
 switchport trunk allowed vlan 1,105,201,303-305,401
 switchport mode trunk
 rep segment 1
I can see it right in front of me: I ping a device in VLAN 350 that is plugged into SWI01 using a laptop that is plugged into SWI02, both connected to VLAN 350 access ports. No other ports are trunks, and no other ports are access ports in VLAN 350.
How can this be? I know that it is best to configure the allowed VLANs on both ends, but I do not want to take any production risk at this moment. I would expect this to work when configured on 1 side only, since otherwise it would be an enormous security flaw?
The only thing I can imagine is that the order of commands is wrong, so maybe it needs to be
- switchport mode trunk
- switchport trunk allowed vlan ...
instead of
- switchport trunk allowed vlan ...
- switchport mode trunk
But when opening the web interface it displays it the same way; it says allowed VLANs, with this list of VLANs.
What am I doing wrong here? Or did I just find a bounty?
Can't imagine that. Thank you for your response.
11-29-2018 07:08 AM - edited 11-29-2018 07:08 AM
Since we had a link-flap error on the link, I was able to adjust the configuration without additional risk.
Once the setup was the same on both sides (allowed vlan …), only THEN did the VLAN get blocked.
It was not blocked if the allowed VLAN statement was only on 1 side of the trunk link.
Which sounds very strange and insecure to me, because if some 3rd party wants to create a trunk link to my system and I only "allow" specific VLANs on that trunk on my side, he can still get in as long as he is allowing everything.
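Added example for this thread (not code from the original posts and not Cisco code): a small Python audit that takes the interface stanza from each end of a trunk, works out which VLANs each side will carry, and reports the VLANs that only one side permits, which is exactly the asymmetry between SWI01 gi2/0/25 and SWI02 gi1/1/1 described above. The two sample stanzas are constructed from the configs quoted in the first post. It assumes the IOS defaults: a trunk with no `switchport trunk allowed vlan` statement carries every VLAN 1-4094, and the `add`, `remove`, `except`, `all` and `none` keyword forms of the command behave as documented for IOS.

```python
"""Audit both ends of a trunk for asymmetric allowed-VLAN lists.

Added example for the thread above; not from the original posts or from Cisco.
Input is the interface stanza text as copied from
`show running-config interface <port>` on each switch.
"""
import re

# IOS default: with no "switchport trunk allowed vlan" statement a trunk carries 1-4094.
ALL_VLANS = frozenset(range(1, 4095))

_ALLOWED_RE = re.compile(r"^\s*switchport trunk allowed vlan\s+(.*?)\s*$", re.IGNORECASE)

# Constructed sample stanzas, taken from the configs quoted in the first post.
SAMPLE_SWI01_GI2_0_25 = """interface gi2/0/25
 switchport mode trunk
"""
SAMPLE_SWI02_GI1_1_1 = """interface gi1/1/1
 switchport trunk allowed vlan 1,105,201,303-305,401
 switchport mode trunk
 rep segment 1 edge no-neighbor
"""


def parse_vlan_list(spec: str) -> frozenset:
    """Expand an IOS VLAN list such as '1,105,201,303-305,401' into a set of ints."""
    vlans = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(item))
    return frozenset(vlans)


def allowed_vlans(interface_config: str) -> frozenset:
    """Return the VLANs a trunk port will carry, given its interface stanza.

    Statements are applied in order, as IOS does:
      allowed vlan <list>          replaces the list
      allowed vlan add <list>      adds to it
      allowed vlan remove <list>   removes from it
      allowed vlan except <list>   everything but <list>
      allowed vlan all / none
    With no statement at all, every VLAN (1-4094) is allowed.
    """
    allowed = set(ALL_VLANS)
    for line in interface_config.splitlines():
        m = _ALLOWED_RE.match(line)
        if not m:
            continue
        rest = m.group(1)
        keyword, _, spec = rest.partition(" ")
        keyword = keyword.lower()
        if keyword == "all":
            allowed = set(ALL_VLANS)
        elif keyword == "none":
            allowed = set()
        elif keyword == "add":
            allowed |= parse_vlan_list(spec)
        elif keyword == "remove":
            allowed -= parse_vlan_list(spec)
        elif keyword == "except":
            allowed = set(ALL_VLANS) - parse_vlan_list(spec)
        else:
            allowed = set(parse_vlan_list(rest))  # plain list: replaces the current one
    return frozenset(allowed)


def vlan_list_to_spec(vlans) -> str:
    """Compress a set of VLAN IDs back into IOS list syntax, e.g. {303,304,305} -> '303-305'."""
    ids = sorted(set(vlans))
    parts, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


def audit_trunk(side_a: str, side_b: str) -> dict:
    """Compare both ends of one trunk.

    'effective' is the intersection, i.e. what should pass end to end when both
    sides filter.  'a_only' / 'b_only' are VLANs permitted by exactly one side,
    the asymmetry this thread is about.  'fix_for_a' / 'fix_for_b' are the
    allowed-vlan statements that would make the two ends match.
    """
    a, b = allowed_vlans(side_a), allowed_vlans(side_b)
    effective = a & b
    return {
        "a_only": sorted(a - b),
        "b_only": sorted(b - a),
        "effective": sorted(effective),
        "symmetric": a == b,
        "fix_for_a": f"switchport trunk allowed vlan {vlan_list_to_spec(effective)}",
        "fix_for_b": f"switchport trunk allowed vlan {vlan_list_to_spec(effective)}",
    }


if __name__ == "__main__":
    report = audit_trunk(SAMPLE_SWI01_GI2_0_25, SAMPLE_SWI02_GI1_1_1)
    print("symmetric:", report["symmetric"])
    print("effective VLANs:", vlan_list_to_spec(report["effective"]))
    print("only SWI01 permits:", len(report["a_only"]), "VLANs (350 included:", 350 in report["a_only"], ")")
    print("apply on SWI01 gi2/0/25:", report["fix_for_a"])
```

Run it against the stanzas from both switches; for the thread's configs it reports the trunk as asymmetric, lists VLAN 350 among the 4087 VLANs that only the SWI01 end permits, and prints the `switchport trunk allowed vlan 1,105,201,303-305,401` line for the unfiltered end. To confirm what the switch itself thinks, compare the "Vlans allowed on trunk" column of `show interfaces trunk` on both switches with the script's output rather than trusting the running-config alone.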