switchport trunk allowed vlan does not block the VLAN?

Joris Syen
Level 1

Dear,

At this moment I am looking at a situation which boggles my mind. I just can't believe what is happening. Maybe this community will clear things up for me.

In our network we have a ring of 10 switches. One of these is in the server room, SWI01 (2960X). Now we added another switch inside the server room, SWI02 (3850), inside the ring. Each switch has a server system connected. The 2960X is the only non-REP capable device in the entire ring. Therefore both switches connected to the 2960X have rep edge no-neighbor on them.

We do not want backup traffic from server system 1 to server system 2 to go over the ring, so we excluded the backup VLAN on the connection between both switches. Dedicated fiber will be foreseen in the future to only allow the backup VLAN. This exclusion is only made on 1 of the 2 switches, not both. The backup VLAN 350 is not configured on any of the other switches in the ring.

SWI01

interface gi1/0/25
 switchport mode trunk
interface gi2/0/25
 switchport mode trunk

SWI02

interface gi1/1/1
 ! this port is connecting to SWI01 gi2/0/25
 switchport trunk allowed vlan 1,105,201,303-305,401
 switchport mode trunk
 rep segment 1 edge no-neighbor
interface gi2/1/1
 switchport trunk allowed vlan 1,105,201,303-305,401
 switchport mode trunk
 rep segment 1

I can see it right in front of me: I ping a device in VLAN350 that is plugged into SWI01 using a laptop that is plugged into SWI02. Both connected in VLAN350 access ports. No other ports are trunk, no other ports are access in VLAN350.

How can this be? I know that it is best to configure the allowed VLANs on both ends, but I do not want to have any production risk at this moment. I would expect this also to work like this, configured on 1 side, since else it would be an enormous security flaw?

The only thing I can imagine is that the order of commands is wrong, so maybe it needs to be

- switchport mode trunk
- switchport trunk allowed vlan ...

instead of

- switchport trunk allowed vlan ...
- switchport mode trunk

But when opening the web interface it displays it the same way: it says allowed VLANs, with this list of VLANs.

What am I doing wrong here? Or did I just find a bounty?

Can't imagine that. Thank you for your response.

1 Reply

Joris Syen
Level 1

Since we had a link-flap error on the link, I was able to adjust the configuration without additional risk.

Once the setup was the same on both sides (allowed vlan …), only THEN the VLAN got blocked.

It was not blocked if the allowed VLAN statement was only on 1 side of the trunk link.

Which sounds very strange and insecure to me, because if some 3rd party wants to create a trunk link to my system and I only "allow" specific VLANs on that trunk on my side, he can still get in as long as he is allowing everything.
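As an added example (not from the post or from Cisco), a small Python audit that reads both ends of a trunk link the way the SWI01/SWI02 snippets above are written and flags an end with no allowed-VLAN list (IOS then permits every VLAN on that trunk) or two lists that do not match, which is the one-sided state this thread describes. The configs below are constructed, with the short interface names expanded to the long IOS form.

```python
import re

# Constructed sample configs modelled on the SWI01 / SWI02 snippets in the post (not real devices).
SWI01_CONFIG = """
interface GigabitEthernet1/0/25
 switchport mode trunk
interface GigabitEthernet2/0/25
 switchport mode trunk
"""
SWI02_CONFIG = """
interface GigabitEthernet1/1/1
 switchport trunk allowed vlan 1,105,201,303-305,401
 switchport mode trunk
 rep segment 1 edge no-neighbor
interface GigabitEthernet2/1/1
 switchport trunk allowed vlan 1,105,201,303-305,401
 switchport mode trunk
"""
ALL_VLANS = frozenset(range(1, 4095))  # IOS default: a trunk without an allowed list carries every VLAN

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,105,303-305' into a frozenset of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(vlans)

def parse_trunks(config):
    """Map each trunk interface to its allowed set (plain 'allowed vlan <list>' form only)."""
    trunks = {}
    for block in re.split(r"(?m)^interface ", config)[1:]:
        name, _, body = block.partition("\n")
        if "switchport mode trunk" not in body:
            continue  # access ports carry no trunk VLAN list
        m = re.search(r"switchport trunk allowed vlan (\S+)", body)
        trunks[name.strip()] = parse_vlan_list(m.group(1)) if m else ALL_VLANS
    return trunks

def audit_link(a_host, a_trunks, a_if, b_host, b_trunks, b_if):
    """Findings for one trunk link: an end with no allowed list, or lists that differ."""
    a, b = a_trunks[a_if], b_trunks[b_if]
    findings = []
    for host, iface, allowed in ((a_host, a_if, a), (b_host, b_if, b)):
        if allowed == ALL_VLANS:
            findings.append(f"{host} {iface}: no allowed-vlan list, all VLANs permitted")
    one_sided = a ^ b  # VLANs that only one end restricts
    if one_sided:
        findings.append(f"allowed lists differ on {len(one_sided)} VLANs (e.g. "
                        f"{sorted(one_sided)[:3]}); restrict both ends identically")
    return findings
```

Running `audit_link("SWI01", parse_trunks(SWI01_CONFIG), "GigabitEthernet2/0/25", "SWI02", parse_trunks(SWI02_CONFIG), "GigabitEthernet1/1/1")` reports the SWI01 end as unrestricted and the two lists as differing; once both ends carry the same list the call returns an empty list.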
