Trunk port security: Allow tagged frames only + VLAN ingress filter + STP BPDU blocking (Catalyst 2960x + Catalyst 3750x)

janrovner1
Level 1

Hello,

I am quite new to Cisco. I have two aggregation-like switches, and all ports on them are 1Q trunks. Could you please give me a note about:

a) how to configure a trunk port to receive/send tagged traffic only (acceptable frame type: tagged; do not accept anything untagged, including STP BPDUs; do not emit anything untagged)?

b) how to ensure that a trunk port accepts only the VLANs/tags it is configured for (switchport trunk allowed vlan add x,y,z - accept only x,y,z tagged frames), i.e. ingress filtering?

c) if STP BPDUs are handled separately from user untagged traffic, how to block STP BPDU messages on a trunk port (on ingress ideally, or on egress at least; the port must not emit/forward any STP BPDU)?

Thank you,

Jan

3 Replies

malshara
Cisco Employee

Hello,

a - You can configure the native VLAN to be an unused VLAN.

b - It seems the same as "a".

c - You can use BPDU filter.

Please let me know if you have more questions.

Thank you,

What about using vlan dot1q tag native?

Hi,

"vlan dot1q tag native performs tagging on the outgoing frames (i.e. the native VLAN setting is ignored and all frames are tagged with the corresponding tag value). Untagged frames arriving at a trunk port will be dropped without being forwarded further."

So this is another solution :)
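As an added check that is not part of this thread: the script below audits a Catalyst-style running-config for the three points raised above (native VLAN parked on an unused VLAN or the global `vlan dot1q tag native`, a restricted allowed-VLAN list, and BPDU filter on the trunk). The configuration text, interface names and VLAN numbers are constructed for illustration.

```python
# Added example (not from the thread): audit an IOS running-config for the
# trunk-hardening settings discussed above. Gi1/0/1 follows the advice given
# in the replies, Gi1/0/2 is a plain trunk. Both stanzas are constructed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every interface stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def audit_trunks(config, unused_native_vlans=("999",)):
    """Return {trunk: [findings]}; an empty list means the trunk passes."""
    tag_native = "vlan dot1q tag native" in config.splitlines()  # global
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" not in cmds:
            continue  # only 802.1Q trunks are in scope
        native = next((c.split()[-1] for c in cmds
                       if c.startswith("switchport trunk native vlan")), "1")
        issues = []
        if native not in unused_native_vlans and not tag_native:
            issues.append(f"untagged frames land in VLAN {native}")
        if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
            issues.append("allowed VLAN list is unrestricted")
        # bpdufilter stops the port sending and processing BPDUs, so STP no
        # longer detects loops through it; the audit only checks it is set.
        if "spanning-tree bpdufilter enable" not in cmds:
            issues.append("BPDU filter not enabled")
        report[name] = issues
    return report
```

Running `audit_trunks(SAMPLE_CONFIG)` returns an empty finding list for Gi1/0/1 and three findings for Gi1/0/2; prepending the global `vlan dot1q tag native` line clears the untagged-frame finding while the other two remain.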