Why does traffic of vlan not allowed in 'switchport trunk allowed vlan' command pass through?

vikram4
Level 1

I have a vlan 5 connected directly to the core switch. I have another vlan 10 connected to the firewall. The core switch is connected to the firewall through the inside interface. On the trunk link between core and firewall, I have allowed only vlan 10 (I understand vlan 10 needs to be allowed on the trunk, if not all VLANs are allowed, in order to reach its default gateway on the firewall and then get routed to other subnets). EIGRP is running between core and firewall.

When traffic has to go to the internet from vlan 5, how is its traffic allowed through the trunk link to the firewall when I have allowed only vlan 10 through the trunk? I just want to understand how this works.

6 Replies

Hello,

 

post the configs of your devices as well as a schematic drawing showing how your devices are connected...

Martin L
VIP

 

We need some more info, but my guess is that vlan 5 traffic is being routed by EIGRP to the firewall; is there an SVI interface vlan 5 on the core switch? Is it being advertised by EIGRP (network statement)? Does the vlan 5 network/prefix exist in the routing table? Look for the prefix/network which belongs to vlan 5 in the routing table on the firewall.

 

Regards, ML

Yes, there is an SVI interface vlan 5 on the core switch and this subnet is advertised by EIGRP.

 

Why do you say that vlan 5 traffic is being routed by EIGRP to the firewall? As per my understanding, EIGRP in my case will advertise the routes/subnets on the firewall and core to each other. The routes learned through EIGRP will be placed in the RIB/routing table and passed down to the FIB. The core will refer to the FIB to send packets. When EIGRP's job appears to be only to let all devices know about routes to reach different subnets on various devices, and it is the device itself that does the actual routing, why do you say that the vlan traffic itself is routed by EIGRP?

 

It's not being routed by EIGRP, traffic from vlan 5 is routed on the core switch because it has directly connected interfaces in both vlan 5 and vlan 10. 

 

EIGRP is needed to advertise the vlan 5 subnet (and any others) to the firewall so it knows how to route back to them.

 

Jon

Hello

All of the below, though, is an assumption based on


@vikram4 wrote:

how is it's traffic allowed through trunk link to firewall when i have allowed only vlan 10 through the trunk? I just want to understand how this works.


It sounds like you have routed SVI interfaces for vlan 1-5, 10 on the core switch with a possible advertised EIGRP default route pointing to the FW on the vlan 10 subnet.
The FW's inside interface resides in the vlan 10 address range, which is the default next-hop for the core switch. This is also the EIGRP peering interface between the two devices.
If this is the case then I don't see any need for the core switch's FW interconnect to be a trunk, as it is just allowing vlan 10. This can just be an access port in vlan 10.



Kind Regards
Paul
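To make the forwarding path that Jon and Paul describe concrete, here is an added example configuration for the core switch and the firewall's inside interface. It is constructed for this thread, not taken from the original poster's devices; the addresses (192.0.2.0/24 for vlan 5, 198.51.100.0/24 for vlan 10), interface names, EIGRP AS number 100 and the ASA-style firewall syntax are all assumptions. The comments trace what happens to a packet from a vlan 5 host bound for the internet: it is routed on the core from the Vlan5 SVI to the Vlan10 SVI and leaves the uplink tagged as VLAN 10, so the VLAN 5 tag never needs to be allowed on the trunk. EIGRP only has to carry the 192.0.2.0/24 prefix to the firewall so the return traffic can find its way back.

```cisco
! ===== Core switch (Layer 3) =====
vlan 5
 name USERS
vlan 10
 name FW-TRANSIT
!
interface Vlan5
 description default gateway for vlan 5 hosts (assumed addressing)
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan10
 description core side of the transit subnet to the firewall
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet1/0/1
 description uplink to firewall inside interface
 switchport mode trunk
 switchport trunk allowed vlan 10
 ! Only VLAN 10 frames are forwarded here. A vlan 5 host sends its packet
 ! to 192.0.2.1 (the Vlan5 SVI); the core looks up the destination in the
 ! FIB, finds the default route via 198.51.100.1, rewrites the frame and
 ! sends it out of Vlan10, i.e. tagged 10 on this trunk. Nothing tagged 5
 ! ever needs to cross this link.
 !
 ! As Paul notes, with a single VLAN this can equally be an access port:
 !   switchport mode access
 !   switchport access vlan 10
 ! An access port sends VLAN 10 untagged, which is what a firewall interface
 ! without VLAN subinterfaces expects. If it stays a trunk and the firewall
 ! interface is untagged, add "switchport trunk native vlan 10" instead.
!
router eigrp 100
 network 192.0.2.0 0.0.0.255
 ! ^ advertises the vlan 5 subnet so the firewall has a return route
 network 198.51.100.0 0.0.0.255
 ! ^ forms the adjacency with the firewall across VLAN 10
 passive-interface Vlan5
 ! ^ no EIGRP hellos toward user hosts (assumed hardening, not from the thread)
!
! Default route toward the firewall. The thread says the core reaches the
! firewall over EIGRP, so this is normally learned from the firewall; a
! static fallback is shown here only to make the next-hop explicit (assumption).
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250

! ===== Firewall inside interface (ASA-style syntax, assumed) =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 198.51.100.1 255.255.255.0
!
router eigrp 100
 network 198.51.100.0 255.255.255.0
 ! The ASA "network" statement takes a subnet mask, not a wildcard.
 ! After the adjacency forms the ASA learns 192.0.2.0/24 via 198.51.100.2
 ! and can route internet replies back to vlan 5.
```

To verify the behaviour on the core, compare `show interfaces trunk` (allowed and active list contains only 10) with `show ip cef 0.0.0.0/0` or `show ip route 0.0.0.0` (next hop 198.51.100.1 via Vlan10); on the firewall, `show route` should list 192.0.2.0/24 as an EIGRP route through 198.51.100.2. If that prefix is missing on the firewall, outbound packets still leave vlan 5 but the replies have nowhere to go, which is exactly the case Martin's first reply asked about.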

No, vlan 5 subnet/default gateway is connected to core whereas vlan 10 default gateway is connected to firewall.

 

I think Martin's answer clarifies some of my doubts, as I think vlan 5 traffic is routed. However, I am now wondering how EIGRP helps with routing traffic through the firewall, as I had asked earlier.
