Vlan traffic in uplink port

13jobsp90
Level 1

For example, if I have 3 data VLANs: VLAN 10, 20, 30.

All are data VLANs. Inter-VLAN routing is enabled for all the VLANs on the core switch.

If I have an access switch with the end devices connected to it, and all the end devices (PCs) are in VLAN 20, which of the below should the uplink port configuration of this access switch be?

switchport trunk allowed vlan 20
switchport mode trunk

or

switchport mode trunk

I would like to know: if I put the 2nd command on the uplink port, will all the VLAN traffic (all VLANs - 10, 20, 30) enter the switch, or will only VLAN 20 traffic pass, since only the interfaces on the access switch where the PCs are connected are configured with access VLAN 20?

6 Replies

Joseph W. Doherty
Hall of Fame

From what you've described, the uplink could be, on both ends, configured as a V20 access port.

On a trunk, many would configure "allowed VLAN 20" on both ends. For what you've described, that's needless on the access switch side, but good practice.

Not doing any of the above would allow the core switch to send traffic other than VLAN 20 to the access switch, but often a small subset of those other VLANs' traffic.

My doubt is: will all the VLAN traffic (all VLANs - 10, 20, 30) enter the switch, or will only VLAN 20 traffic pass, since only the interfaces on the access switch where the PCs are connected are configured with access VLAN 20?

If the access switch has only V20, by default the switch can receive frames from the core for other VLANs, but as the access switch only has access VLAN 20 ports, the access switch will drop the other VLANs' frames.

If you allow only V20 on the access switch's uplink, the port will immediately drop any non-V20 frames in either direction. More or less the same net result.

However, if you only allow V20 on the core downlink, it will not send any other VLAN traffic to the access switch. Same logical result, but, physically, much more efficient.

So which is better for network stability and performance?

Pruning.

As you kept asking about applying the restriction on an uplink, remember it's mostly beneficial on a downlink. The latter, to ensure needless traffic isn't sent down the wire, wasting bandwidth.

Sort of the same principle as ACLs that drop traffic: they should be applied ASAP, like on ingress rather than egress.

Also remember, if the edge switch is hosting only a single VLAN (or 2 VLANs), an access port might be used.

Royalty
Level 1

Hi @13jobsp90,

@13jobsp90 wrote:

My doubt is: will all the VLAN traffic (all VLANs - 10, 20, 30) enter the switch, or will only VLAN 20 traffic pass, since only the interfaces on the access switch where the PCs are connected are configured with access VLAN 20?

To simply answer your question, configuring only the "2nd command" on the uplink port, 'switchport mode trunk', will mean that all VLANs (VLAN 1-4094) are allowed to traverse the trunk uplink to the core, yes. If there are devices in other VLANs (not in VLAN 20), yes, they'll be able to send traffic over the trunk. If you only have devices attached to the access switch in VLAN 20, then traffic could still be sent over other VLANs that are active and created in the VLAN database. For example, in Cisco's PVST and RPVST implementations (Spanning-Tree Protocol), BPDUs are encapsulated and tagged with the 802.1Q VLAN ID that corresponds to the VLAN for which the STP instance is running; control traffic (BPDUs) for calculating loop-free topologies in VLAN 30 is sent with a tag of 30. If this VLAN is unused, then this traffic is wasting bandwidth, etc. Finally, the core switch would send some traffic from other VLANs it is active for to the access switch (e.g. broadcast).

In contrast, the "1st" set of commands, 'switchport mode trunk' + 'switchport trunk allowed vlan 20', will have an effect that results in only VLAN 20 traffic being allowed across the trunk. Any other VLANs, including VLAN 1 (in recent IOS(-XE)), are generally also pruned (not allowed over the trunk). This also happens for the native VLAN, if the native VLAN is set to a different VLAN other than what is currently being allowed over the trunk, except for control traffic for protocols in use and generated by the switch itself.

@Joseph W. Doherty is correct and makes a great point that you could alternatively configure the uplink as 'switchport mode access' and 'switchport access vlan 20', which would yield similar results. Again, you would make sure that only VLAN 20 is live and in use.

Edit: Just to clarify, as I'm not sure where your confusion is. All VLANs that are created and exist in the VLAN database can enter the access switch. The trunk link and the allowed list define what is allowed to traverse across the uplink towards the core. The trunk allowed list does not affect anything to do with the switch locally. Any VLAN can send any traffic as long as there are active ports, etc.

Please let us know if you need any further clarity on anything!
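As an added illustration of the points made in both replies above (this is not part of the original thread and not Cisco code): a small Python model of 802.1Q trunk allowed-VLAN filtering. It parses the VLAN-list syntax of `switchport trunk allowed vlan` (single IDs, comma lists, ranges, `all`, and the `add` / `remove` / `except` keywords), then sends constructed broadcast frames for VLANs 10, 20 and 30 from a core switch towards an access switch that only has VLAN 20 access ports, and counts where frames are dropped under the three configurations discussed: trunk only, allowed VLAN 20 on the access uplink, and allowed VLAN 20 on the core downlink. The `SwitchPort` model, the function names and the traffic mix are hypothetical; frames are identified by VLAN ID only, so native-VLAN untagged handling and STP/control traffic are deliberately not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass, field

ALL_VLANS = frozenset(range(1, 4095))  # 802.1Q IDs a trunk allows by default


def parse_vlan_list(spec: str) -> set[int]:
    """Parse an IOS-style VLAN list such as '20', '10,20,30', '10-30' or 'all'."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    vlans: set[int] = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        low, high = int(lo), int(hi or lo)
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(low, high + 1))
    return vlans


@dataclass
class SwitchPort:
    """Hypothetical port model: frames are identified by VLAN ID only (no native-VLAN
    untagged handling, no STP/control traffic)."""
    mode: str = "access"
    access_vlan: int = 1
    allowed: set[int] = field(default_factory=lambda: set(ALL_VLANS))

    def apply(self, command: str) -> None:
        """Apply one 'switchport ...' configuration line to this port."""
        t = command.split()
        if t[:3] == ["switchport", "mode", "trunk"]:
            self.mode = "trunk"
        elif t[:3] == ["switchport", "mode", "access"]:
            self.mode = "access"
        elif t[:3] == ["switchport", "access", "vlan"]:
            self.access_vlan = int(t[3])
        elif t[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            keyword, rest = t[4], ",".join(t[5:])
            if keyword == "add":
                self.allowed |= parse_vlan_list(rest)
            elif keyword == "remove":
                self.allowed -= parse_vlan_list(rest)
            elif keyword == "except":
                self.allowed = set(ALL_VLANS) - parse_vlan_list(rest)
            else:  # a plain list replaces the whole allowed set
                self.allowed = parse_vlan_list(",".join(t[4:]))
        else:
            raise ValueError(f"unsupported command: {command!r}")

    def permits(self, vlan: int) -> bool:
        """May a frame of this VLAN pass through the port (either direction)?"""
        return vlan == self.access_vlan if self.mode == "access" else vlan in self.allowed


def simulate(core_downlink: SwitchPort, access_uplink: SwitchPort,
             local_access_vlans: set[int], frames: list[int]) -> dict[str, int]:
    """Send frames (one per VLAN ID listed) from core to access switch and record
    where each is dropped, or that it reached a local access port in its VLAN."""
    keys = ["dropped_at_core", "on_wire", "dropped_at_access_uplink",
            "dropped_no_local_ports", "delivered"]
    stats = dict.fromkeys(keys, 0)
    for vlan in frames:
        if not core_downlink.permits(vlan):    # pruned before it uses any bandwidth
            stats["dropped_at_core"] += 1
            continue
        stats["on_wire"] += 1
        if not access_uplink.permits(vlan):    # crossed the wire, dropped on arrival
            stats["dropped_at_access_uplink"] += 1
        elif vlan not in local_access_vlans:   # no port in that VLAN: nowhere to flood
            stats["dropped_no_local_ports"] += 1
        else:
            stats["delivered"] += 1
    return stats


def compare_scenarios() -> dict[str, dict[str, int]]:
    """The three configurations discussed in the thread, fed constructed traffic:
    10 broadcast frames in each of VLANs 10, 20 and 30, sent by the core."""
    frames = [10, 20, 30] * 10
    local = {20}  # the access switch only has 'switchport access vlan 20' ports
    trunk = ["switchport mode trunk"]
    prune20 = ["switchport mode trunk", "switchport trunk allowed vlan 20"]
    configs = {  # name: (core downlink commands, access uplink commands)
        "trunk only": (trunk, trunk),
        "allowed 20 on access uplink": (trunk, prune20),
        "allowed 20 on core downlink": (prune20, trunk),
    }
    results = {}
    for name, (core_cmds, access_cmds) in configs.items():
        core, access = SwitchPort(), SwitchPort()
        for c in core_cmds:
            core.apply(c)
        for c in access_cmds:
            access.apply(c)
        results[name] = simulate(core, access, local, frames)
    return results
```

Calling `compare_scenarios()` reproduces the thread's conclusion: with the bare trunk all 30 frames cross the wire and 20 are discarded only once the access switch finds no local port in VLAN 10 or 30; pruning on the access uplink still puts all 30 frames on the wire and drops 20 on arrival; pruning on the core downlink keeps the 20 unwanted frames off the link entirely, while all three deliver the same 10 VLAN 20 frames.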