2475 Views, 0 Helpful, 10 Replies

Switchport trunk allowed

Jonathancert_2 (Level 1)

Trying to understand the effectiveness of the following command:

switchport trunk allowed vlan 1,100

The command is on the trunks between my access and distro switches.  VLAN 100 is my native/management VLAN and I'm running dot1q.  I know the command is supposed to restrict the VLANs that can travel between a trunk on the switch, but there are several VLANs (voice and data) not listed as being allowed.  It doesn't appear to affect day to day operations.  From my understanding, any data that comes in or out not identified will be tagged with the native VLAN.  Does it make a difference since the access switches are VTP transparent and the distros are servers?



Mohamed Sobair (Level 7)

Hi,

The native VLAN has to be specified on the trunk with the command (switchport trunk native vlan 100), or the switch will allow ONLY VLAN 1 as the default native VLAN.

However, when it comes to restriction, you have to allow the voice VLAN as well.

And your understanding is incorrect. The native VLAN has a special objective; the native VLAN carries the following:

1- VTP

2- CDP

3- STP

This is how and why it is designed this way. So, in order to keep your data and voice, you will have to add them all to the allowed VLAN list on the trunk.

HTH

Mohamed

I'll be the first to admit that switching isn't my strong point, but the voice and data services appear to be working fine even though they are not part of the allowed VLANs.  I wasn't part of the decision team on the design of the network.  I'm just trying to understand the reasoning behind some of the configs.  Forgot to mention that my access switches (4510's) have uplinks to two different distro switches (6509's).  Not sure if that makes the current configs any more logical.

In this case the voice VLAN could indeed be allowed on the other trunk link.

Don't forget to rate helpful posts.

In addition to James's request, simply do a "sh int trunk" on both uplinks to see which VLANs are actually forwarding on your trunk links.

Jon

James Hardman (Level 1)

Hi,

Are you sure that your data and voice frames are definitely being VLAN tagged and not falling into the native VLAN, and that is how they are communicating between switches?  As stated, if you have only allowed VLAN 1 and 100 over the trunk port, these are the only frames that will be allowed to travel over the trunk.  Are you able to paste your switch config into your next reply?

Cheers,

Jimmy

1N-ASW1#sho int trunk

Port        Mode             Encapsulation  Status        Native vlan
Te5/1       on               802.1q         trunking           100
Te6/1       on               802.1q         trunking           101

Port        Vlans allowed on trunk
Te5/1       1,100
Te6/1       1,101

Port        Vlans allowed and active in management domain
Te5/1       1,100
Te6/1       1,101

Port        Vlans in spanning tree forwarding state and not pruned
Te5/1       1,100
Te6/1       101
1N-ASW1#

NVANPJUF-1N-ASW1#sho vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
34   1N-CLIENTS                       active    Gi1/1, Gi1/2, Gi1/3, Gi1/4
                                                Gi1/5, Gi1/6, Gi1/7, Gi1/8
                                                Gi2/21, Gi2/22, Gi2/23, Gi2/24
                                                Gi2/25, Gi2/26, Gi2/27, Gi2/28
                                                Gi2/29, Gi2/30, Gi2/31, Gi2/32
                                                Gi4/13, Gi4/14, Gi4/15, Gi4/16
                                                Gi4/17, Gi4/18, Gi4/19, Gi4/20
                                                Gi4/21, Gi4/22, Gi4/23, Gi4/24
                                                Gi4/41, Gi4/42, Gi4/43, Gi4/44
                                                Gi4/45, Gi4/46, Gi4/47
100  DSW1                             active
101  DSW2                             active
600  1N-VOIP                          active    Gi1/1, Gi1/2, Gi1/3, Gi1/4
                                                Gi1/5, Gi1/6, Gi1/7, Gi1/8
                                                Gi1/9, Gi1/10, Gi1/11, Gi1/12
                                                Gi1/45, Gi1/46, Gi1/47, Gi1/48
                                                Gi2/1, Gi2/2, Gi2/3, Gi2/4
                                                Gi4/29, Gi4/30, Gi4/31, Gi4/32
                                                Gi4/33, Gi4/34, Gi4/35, Gi4/36
                                                Gi4/37, Gi4/38, Gi4/39, Gi4/40
                                                Gi4/41, Gi4/42, Gi4/43, Gi4/44
                                                Gi4/45, Gi4/46, Gi4/47, Gi4/48
1002 fddi-default                     act/unsup
1003 trcrf-default                    act/unsup
1004 fddinet-default                  act/unsup
1005 trbrf-default                    act/unsup
1N-ASW1#

DSW1#sho int trunk

Port                Mode         Encapsulation  Status        Native vlan
Te1/1               desirable    802.1q         trunking      100
Te1/3               desirable    802.1q         trunking      110
Te2/1               desirable    802.1q         trunking      200
Te2/3               desirable    802.1q         trunking      220
Te3/1               desirable    802.1q         trunking      300
Te3/3               desirable    802.1q         trunking      330
Te3/5               desirable    802.1q         trunking      500
Te3/6               desirable    802.1q         trunking      550
Te4/1               desirable    802.1q         trunking      400
Te4/3               desirable    802.1q         trunking      440
Po10                desirable    802.1q         trunking      999

Port                Vlans allowed on trunk
Te1/1               1,100
Te1/3               1,110
Te2/1               1,200
Te2/3               1,220
Te3/1               1,300
Te3/3               1,330
Te3/5               1,500
Te3/6               1,550
Te4/1               1,400
Te4/3               1,440
Po10                1-4094

Port                Vlans allowed and active in management domain
Te1/1               1,100
Te1/3               1,110
Te2/1               1,200
Te2/3               1,220
Te3/1               1,300
Te3/3               1,330
Te3/5               1,500
Te3/6               1,550
Te4/1               1,400
Te4/3               1,440
Po10                1,100-101,110-111,200,202,220,222,300,303,330,333,400,404,440,444,500-501,550,555,700,702,999

Port                Vlans in spanning tree forwarding state and not pruned
Te1/1               1,100
Te1/3               1,110
Te2/1               1,200
Te2/3               1,220
Te3/1               1,300
Te3/3               1,330
Te3/5               1,500
Te3/6               1,550
Te4/1               1,400
Te4/3               1,440
Po10                1,101,111,202,222,303,333,404,444,501,555,999

Jonathan

Port        Vlans allowed on trunk
Te5/1       1,100
Te6/1       1,101

Port        Vlans allowed and active in management domain
Te5/1       1,100
Te6/1       1,101

Port        Vlans in spanning tree forwarding state and not pruned
Te5/1       1,100
Te6/1       101

If these are the only 2 connections from the access switch, then VLANs 34 and 600 are not being forwarded on the links. So either there is another path via this switch to the distribution switch, or these VLANs are actually being routed off the access switch.

What is the model of the access switch and if you do a "sh ip route" what do you get ?

Also what does "sh cdp neighbors" show on the access switch.

As a side note the native vlan configuration is very strange. Generally you use the same native vlan on all trunks and this vlan should -

1) have no ports assigned into it

2) not be vlan 1

3) not have a L3 routed interface

Jon
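Jon's advice (read "sh int trunk" for what is actually forwarding, then apply his native-VLAN rules) and Mohamed's point about the native VLAN carrying untagged control traffic both come down to reading trunk state carefully. The script below is an added example for this thread, not code from any poster or from Cisco. It parses constructed sample output shaped like the 1N-ASW1 output pasted above, expands IOS VLAN ranges such as "1,100-101", and reports VLANs with access ports that are not forwarding on any trunk, VLANs allowed but pruned or STP-blocked, and native-VLAN problems (native is VLAN 1, native has access ports, native differs across trunks). It assumes the standard IOS output layout and VLAN names without spaces; Jon's third rule (no L3 SVI on the native VLAN) is not visible in these two outputs and is left as a comment.

```python
"""Trunk audit for Cisco IOS 'show interfaces trunk' / 'show vlan brief' output.
Added example for this thread (not any poster's or Cisco's code). Assumes the
standard IOS output layout and VLAN names without spaces."""
import re

# Constructed sample, shaped like the 1N-ASW1 output quoted in the thread.
SHOW_INT_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Te5/1       on               802.1q         trunking      100
Te6/1       on               802.1q         trunking      101

Port        Vlans allowed on trunk
Te5/1       1,100
Te6/1       1,101

Port        Vlans allowed and active in management domain
Te5/1       1,100
Te6/1       1,101

Port        Vlans in spanning tree forwarding state and not pruned
Te5/1       1,100
Te6/1       101
"""

# Constructed sample with a continuation line, as IOS wraps long port lists.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
34   1N-CLIENTS                       active    Gi1/1, Gi1/2, Gi1/3, Gi1/4
                                                Gi1/5, Gi1/6
100  DSW1                             active
101  DSW2                             active
600  1N-VOIP                          active    Gi1/1, Gi1/2, Gi1/3, Gi1/4
1002 fddi-default                     act/unsup
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,100-101,600' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans


def parse_show_int_trunk(text):
    """Return {port: {'native': int, 'allowed': set, 'active': set, 'forwarding': set}}.
    The four tables appear in a fixed order, each introduced by a 'Port' header."""
    tables = [None, "allowed", "active", "forwarding"]
    ports, table = {}, -1
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            table += 1
            continue
        fields = line.split()
        if tables[table] is None:            # Mode/Encapsulation/Status/Native table
            ports[fields[0]] = {"native": int(fields[-1])}
        else:
            ports[fields[0]][tables[table]] = expand_vlans(fields[1])
    return ports


def parse_show_vlan_brief(text):
    """Return {vlan_id: set(ports)}; wrapped port lists are joined to their VLAN."""
    vlans, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+\S+\s*(.*)$", line)
        if m:
            current = int(m.group(1))
            vlans[current] = set()
            port_text = m.group(2)
        elif current is not None and line.startswith(" "):
            port_text = line                  # continuation of the previous VLAN's ports
        else:
            continue
        vlans[current].update(p.strip() for p in port_text.split(",") if p.strip())
    return vlans


def audit(trunks, vlans):
    """Apply the thread's checks; returns a list of finding strings."""
    findings = []
    forwarding_anywhere = set().union(*(t["forwarding"] for t in trunks.values()))
    # VLANs with access ports here, ignoring VLAN 1 and the reserved 1002-1005
    for v in sorted(v for v, p in vlans.items() if p and v != 1 and v < 1002):
        if v not in forwarding_anywhere:
            findings.append(f"vlan {v} has access ports but is not forwarding on any trunk "
                            "(fine if it is routed off this switch, a problem otherwise)")
    for port, t in sorted(trunks.items()):
        blocked = t["allowed"] - t["forwarding"]   # allowed but pruned or STP-blocked
        if blocked:
            findings.append(f"{port}: vlan(s) {sorted(blocked)} allowed but not forwarding")
        if t["native"] == 1:
            findings.append(f"{port}: native vlan is 1")
        if vlans.get(t["native"]):
            findings.append(f"{port}: native vlan {t['native']} has access ports")
    natives = {t["native"] for t in trunks.values()}
    if len(natives) > 1:
        findings.append(f"native vlan differs across trunks: {sorted(natives)}")
    return findings   # the 'no L3 SVI on the native VLAN' rule needs 'show ip int brief'


if __name__ == "__main__":
    for f in audit(parse_show_int_trunk(SHOW_INT_TRUNK), parse_show_vlan_brief(SHOW_VLAN_BRIEF)):
        print(f)
```

On the sample it reports VLANs 34 and 600 as not forwarding on any trunk (which, as the thread concludes, is expected because they are routed off the 4500), VLAN 1 as allowed but not forwarding on Te6/1, and the differing native VLANs 100 and 101 that Jon flags. Paste real output from both uplinks in place of the constructed samples.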

Access layer switch is 4510R-E with WS-X45-SUP6-E.  "sho ip route" and "sho cdp nei" are good.  All neighbors and routes are populated.  Vlan 100 and 101 are layer three trunks to the DSW's.  Int te5/1 and te6/1 are layer two trunks to the DSW's. Using OSPF point-to-point.

Jonathancert wrote:

Access layer switch is 4510R-E with WS-X45-SUP6-E.  "sho ip route" and "sho cdp nei" are good.  All neighbors and routes are populated.  Vlan 100 and 101 are layer three trunks to the DSW's.  Int te5/1 and te6/1 are layer two trunks to the DSW's. Using OSPF point-to-point.

So are vlans 34 and 600 being routed off the 4500 then ? If so this would explain why these do not need to be allowed on the trunk link because they are routed onto another vlan then sent across the link.

Couple of things to think about but only suggestions.

1) If you are routing the data and voice vlans off the access switch then instead of a trunk link why not use a L3 routed connection. This means you apply the IP address to the actual port itself rather than use a vlan interface.

2) following on from 1) for management of the access switch you could actually use a loopback interface rather than a L3 vlan interface.

Jon

Thanks for everyone's help in understanding this setup.  The voice and data are being routed on L3, so they don't have to be part of the layer 2 trunks.  I believe whoever designed this setup is holding on to the theory that switching is faster than routing, so that is the reason why there is no L3 on the physical connections between the ASW's and DSW's.
