12-02-2010 10:40 AM - edited 03-06-2019 02:19 PM
Trying to understand the effectiveness of the following command:
switchport trunk allowed vlan 1,100
The command is on the trunks between my access and distro switches. VLAN 100 is my native/management VLAN and I'm running dot1q. I know the command is supposed to restrict the VLANs that can travel over a trunk on the switch, but there are several VLANs (voice and data) not listed as being allowed. It doesn't appear to affect day-to-day operations. From my understanding, any data that comes in or out without a VLAN identifier will be tagged with the native VLAN. Does it make a difference since the access switches are VTP transparent and the distros are servers?
12-02-2010 11:02 AM
Hi,
The native VLAN has to be specified on the trunk with the command (switchport trunk native vlan 100), or the switch will allow ONLY VLAN 1 as the default native VLAN.
However, when it comes to restriction, you have to allow the voice VLAN as well.
And your understanding is incorrect. The native VLAN has a special objective; the native VLAN carries the following:
1- VTP
2- CDP
3- STP
This is how and why it is designed this way. So, in order to keep your data and voice, you will have to add them all to the allowed VLAN list on the trunk.
HTH
Mohamed
12-02-2010 02:04 PM
I'll be the first to admit that switching isn't my strong point, but the voice and data services appear to be working fine even though they are not part of the allowed VLANs. I wasn't part of the decision team on the design of the network. I'm just trying to understand the reasoning behind some of the configs. Forgot to mention that my access switches (4510's) have uplinks to two different distro switches (6509's). Not sure if that makes the current configs any more logical.
12-02-2010 02:16 PM
In this case the voice vlan could be allowed on the other trunk link indeed.
12-03-2010 04:10 AM
In addition to Jame's request simply do a "sh int trunk" on both uplinks to see which vlans are actually forwarding on your trunk links.
Jon
12-03-2010 03:56 AM
Hi,
Are you sure that your data and voice frames are definitely being VLAN tagged and not falling into the native VLAN, and that this is how they are communicating between switches? As stated, if you have only allowed VLANs 1 and 100 over the trunk port, these are the only frames that will be allowed to travel over the trunk. Are you able to paste your switch config into your next reply?
Cheers,
Jimmy
12-03-2010 05:50 AM
1N-ASW1#sho int trunk
Port Mode Encapsulation Status Native vlan
Te5/1 on 802.1q trunking 100
Te6/1 on 802.1q trunking 101
Port Vlans allowed on trunk
Te5/1 1,100
Te6/1 1,101
Port Vlans allowed and active in management domain
Te5/1 1,100
Te6/1 1,101
Port Vlans in spanning tree forwarding state and not pruned
Te5/1 1,100
Te6/1 101
1N-ASW1#
NVANPJUF-1N-ASW1#sho vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
34 1N-CLIENTS active Gi1/1, Gi1/2, Gi1/3, Gi1/4
Gi1/5, Gi1/6, Gi1/7, Gi1/8
Gi2/21, Gi2/22, Gi2/23, Gi2/24
Gi2/25, Gi2/26, Gi2/27, Gi2/28
Gi2/29, Gi2/30, Gi2/31, Gi2/32
Gi4/13, Gi4/14, Gi4/15, Gi4/16
Gi4/17, Gi4/18, Gi4/19, Gi4/20
Gi4/21, Gi4/22, Gi4/23, Gi4/24
Gi4/41, Gi4/42, Gi4/43, Gi4/44
Gi4/45, Gi4/46, Gi4/47
100 DSW1 active
101 DSW2 active
600 1N-VOIP active Gi1/1, Gi1/2, Gi1/3, Gi1/4
Gi1/5, Gi1/6, Gi1/7, Gi1/8
Gi1/9, Gi1/10, Gi1/11, Gi1/12
Gi1/45, Gi1/46, Gi1/47, Gi1/48
Gi2/1, Gi2/2, Gi2/3, Gi2/4
Gi4/29, Gi4/30, Gi4/31, Gi4/32
Gi4/33, Gi4/34, Gi4/35, Gi4/36
Gi4/37, Gi4/38, Gi4/39, Gi4/40
Gi4/41, Gi4/42, Gi4/43, Gi4/44
Gi4/45, Gi4/46, Gi4/47, Gi4/48
1002 fddi-default act/unsup
1003 trcrf-default act/unsup
1004 fddinet-default act/unsup
1005 trbrf-default act/unsup
1N-ASW1#
DSW1#sho int trunk
Port Mode Encapsulation Status Native vlan
Te1/1 desirable 802.1q trunking 100
Te1/3 desirable 802.1q trunking 110
Te2/1 desirable 802.1q trunking 200
Te2/3 desirable 802.1q trunking 220
Te3/1 desirable 802.1q trunking 300
Te3/3 desirable 802.1q trunking 330
Te3/5 desirable 802.1q trunking 500
Te3/6 desirable 802.1q trunking 550
Te4/1 desirable 802.1q trunking 400
Te4/3 desirable 802.1q trunking 440
Po10 desirable 802.1q trunking 999
Port Vlans allowed on trunk
Te1/1 1,100
Te1/3 1,110
Te2/1 1,200
Te2/3 1,220
Te3/1 1,300
Te3/3 1,330
Te3/5 1,500
Te3/6 1,550
Te4/1 1,400
Te4/3 1,440
Po10 1-4094
Port Vlans allowed and active in management domain
Te1/1 1,100
Te1/3 1,110
Te2/1 1,200
Te2/3 1,220
Te3/1 1,300
Te3/3 1,330
Te3/5 1,500
Te3/6 1,550
Te4/1 1,400
Te4/3 1,440
Po10 1,100-101,110-111,200,202,220,222,300,303,330,333,400,404,440,444,500-501,550,555,700,702,999
Port Vlans in spanning tree forwarding state and not pruned
Te1/1 1,100
Te1/3 1,110
Te2/1 1,200
Te2/3 1,220
Te3/1 1,300
Te3/3 1,330
Te3/5 1,500
Te3/6 1,550
Te4/1 1,400
Te4/3 1,440
Po10 1,101,111,202,222,303,333,404,444,501,555,999
12-03-2010 05:56 AM
Jonathan
Port Vlans allowed on trunk
Te5/1 1,100
Te6/1 1,101
Port Vlans allowed and active in management domain
Te5/1 1,100
Te6/1 1,101
Port Vlans in spanning tree forwarding state and not pruned
Te5/1 1,100
Te6/1 101
If these are the only two connections from the access switch, then VLANs 34 and 600 are not being forwarded on the links. So either there is another path from this switch to the distribution switch, or these VLANs are actually being routed off the access switch.
What is the model of the access switch, and if you do a "sh ip route" what do you get?
Also, what does "sh cdp neighbors" show on the access switch?
As a side note, the native VLAN configuration is very strange. Generally you use the same native VLAN on all trunks, and this VLAN should:
1) have no ports assigned into it
2) not be vlan 1
3) not have a L3 routed interface
Jon
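Jon's reasoning above (which access VLANs actually ride a trunk, and the native-VLAN rules) can be turned into a repeatable check. The following is an added example, not code from the thread: it parses the access switch's "sho int trunk" output posted above, uses a constructed, abridged VLAN-to-ports map standing in for "sho vlan brief", and reports what a reviewer of this config would flag.

```python
# Constructed sample: the access switch's "sho int trunk" output quoted in the thread.
TRUNK_OUTPUT = """\
Port Mode Encapsulation Status Native vlan
Te5/1 on 802.1q trunking 100
Te6/1 on 802.1q trunking 101
Port Vlans allowed on trunk
Te5/1 1,100
Te6/1 1,101
Port Vlans in spanning tree forwarding state and not pruned
Te5/1 1,100
Te6/1 101
"""
# Constructed, abridged from "sho vlan brief": VLAN id -> access ports assigned to it.
VLAN_PORTS = {1: [], 34: ["Gi1/1", "Gi1/2"], 100: [], 101: [], 600: ["Gi1/1", "Gi4/48"]}

def expand(vlan_list):
    """Expand a Cisco VLAN list such as '1,100-101,999' into a set of ints."""
    vlans = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(text):
    """Return {port: {'native': int, 'allowed': set, 'forwarding': set, ...}} from show output."""
    trunks, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "Port":  # a column-header line opens a new section
            section = next((k for k in ("native", "forwarding", "active") if k in line.lower()), "allowed")
        elif fields and section:  # skip blank lines and the prompt before the first header
            value = int(fields[-1]) if section == "native" else expand(fields[-1])
            trunks.setdefault(fields[0], {})[section] = value
    return trunks

def audit(trunks, vlan_ports):
    """Checks drawn from the thread: access VLANs that ride no trunk, and native-VLAN hygiene."""
    findings, forwarded = [], set().union(*(t["forwarding"] for t in trunks.values()))
    for vlan, ports in sorted(vlan_ports.items()):
        if ports and vlan not in forwarded:
            findings.append(f"vlan {vlan}: has access ports but forwards on no trunk (routed locally or stranded)")
    natives = {t["native"] for t in trunks.values()}
    if len(natives) > 1:
        findings.append(f"native vlan differs across trunks: {sorted(natives)}")
    for port, t in sorted(trunks.items()):
        if t["native"] == 1:
            findings.append(f"{port}: native vlan is 1")
        if vlan_ports.get(t["native"]):
            findings.append(f"{port}: native vlan {t['native']} has access ports assigned")
        if blocked := sorted(t["allowed"] - t["forwarding"]):
            findings.append(f"{port}: allowed but not forwarding (STP blocked or pruned): {blocked}")
    return findings
```

Run against the sample it reports VLANs 34 and 600 as forwarded on neither uplink, the differing native VLANs 100/101, and VLAN 1 allowed but blocked on Te6/1; the same parser handles the ranged lists in the DSW1 output (for example Po10's 1-4094).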
12-03-2010 06:44 AM
Access layer switch is 4510R-E with WS-X45-SUP6-E. "sho ip route" and "sho cdp nei" are good. All neighbors and routes are populated. Vlan 100 and 101 are layer three trunks to the DSW's. Int te5/1 and te6/1 are layer two trunks to the DSW's. Using OSPF point-to-point.
12-03-2010 06:58 AM
Jonathancert wrote:
Access layer switch is 4510R-E with WS-X45-SUP6-E. "sho ip route" and "sho cdp nei" are good. All neighbors and routes are populated. Vlan 100 and 101 are layer three trunks to the DSW's. Int te5/1 and te6/1 are layer two trunks to the DSW's. Using OSPF point-to-point.
So are VLANs 34 and 600 being routed off the 4500 then? If so, this would explain why these do not need to be allowed on the trunk link, because they are routed onto another VLAN and then sent across the link.
A couple of things to think about, but only suggestions.
1) If you are routing the data and voice VLANs off the access switch, then instead of a trunk link why not use a L3 routed connection? This means you apply the IP address to the actual port itself rather than using a VLAN interface.
2) Following on from 1), for management of the access switch you could actually use a loopback interface rather than a L3 VLAN interface.
Jon
12-03-2010 07:18 AM
Thanks for everyone's help in understanding this setup. The voice and data are being routed at L3, so they don't have to be part of the layer 2 trunks. I believe whoever designed this setup is holding on to the theory that switching is faster than routing, which is the reason why there is no L3 on the physical connections between the ASW's and DSW's.