trunk vs access port

May 20th, 2007

We have a Cisco 4507 switch that also has a layer 3 and uplinks to a 2600 router on the access port on vlan 23. Since we needed to access the router on a new Vlan, vlan40, in addition to the vlan 23, we have created a trunk port and allowed both vlans in it. On a router, we have created 2 subinterfaces, one for vlan 23 & the other is for vlan 40. The 4507 switch has 4 more old vlans configured in addition to vlan 23 and the new vlan 40. Also, the switch is configured with EIGRP that advertises the subnets from the vlans to the router. When we connected the router cable to the new trunk port, the only devices that were operational and were able to go out were the ones on vlan23. Do we need to allow other vlans on the trunk as well?


Edison Ortiz Sun, 05/20/2007 - 14:46

The 4507 should be able to perform inter-vlan routing, therefore none of the VLANs need to be trunked towards the router. You should leave the switchport where the router is connected as access vlan 23.

You mentioned using EIGRP as dynamic routing protocol, thus enable EIGRP in the 4507 and in the 2600 and enable EIGRP on their respective interfaces.


axfalk Sun, 05/20/2007 - 17:02

Thanks for your response. I have to trunk the port since the router is doing wccp redirection. The traffic is coming in to the router on vlan23 and then gets redirected to vlan40. The EIGRP is enabled on 4507 and in the 2600 and advertises the subnets for all the vlans. The question that I have is should the trunk include all the vlans?

thanks again...

Jon Marshall Sun, 05/20/2007 - 23:12


The trunk link needs to allow all vlans that you have created subinterfaces for on the router.



axfalk Mon, 05/21/2007 - 06:10

Thanks for your response. I have created only 2 subinterfaces for vlan 23 & vlan 40 and those vlans are allowed on the trunk. Do I need to allow other vlans as well?

Thanks again...

Jon Marshall Mon, 05/21/2007 - 06:36


You only need to allow the vlans that have subinterfaces on the router.



axfalk Mon, 05/21/2007 - 08:23

Thanks... Can you please briefly explain how traffic from other vlans will find their way to the router if they are not allowed on the trunk? Thanks again...

axfalk Mon, 05/21/2007 - 08:24

Or better yet, if you could please point me to a doc explaining that...thanks..

Jon Marshall Mon, 05/21/2007 - 10:06


If you don't have a subinterface setup for your other vlans then they will not be able to talk to any other vlans.

You could allow all vlans down the trunk link to the router but without a subinterface for that vlan the only things a member of that vlan can communicate with are other members of the same vlans.

For vlans to communicate with each other you need inter-vlan routing. Whether this be with subinterfaces on a router i.e. "router on a stick" or Switch Virtual Interfaces on a Layer 3 switch.



axfalk Mon, 05/21/2007 - 12:52

The 4507 switch is a Layer 3 switch, so it does inter-vlan routing. It also runs EIGRP, that advertises the subnets of all the vlans. So, in essence, it's like connecting 2 routers together with a cross-over cable. The only thing that sets this case apart is the fact that the router has 2 sub-int and the switch has a trunk port. So, what you're basically saying is that the traffic from the other vlans on the switch will get routed (via inter-vlan routing) to the vlans (vlan23 & vlan40) that have the corresponding sub-int on the downstream router on their way out the door. I thought the same thing, except, for some reason, the traffic from any vlans but vlan23 does not get out the door... Thanks...

Jon Marshall Mon, 05/21/2007 - 23:14


So you have L3 interfaces on your 4500 for your other vlans?

So if you do a show ip route on your 4500 what routes do you see? Are you seeing routes for the destinations you want to get to from the 4500 vlans i.e. not vlans 23 or 40?

Does your 4500 have an EIGRP neighbourship with the router ?


axfalk Tue, 05/22/2007 - 05:16

Yes, the 4507 has L3 int for the vlans. I had to swing the cable back to the access port when the trunk port was not working since I was running over the allowable window. I am now doing the due diligence to try and figure out why none of the other vlans were working. I had only allowed vlan23 & vlan40 on the trunk and since I also had only 2 sub-interfaces on the router, that sounds like the right way of doing it. I did have an EIGRP neighbourship with the router...


axfalk Thu, 05/24/2007 - 08:40


Can you also tell me please if the sub-interface name has to match the vlan? i.e. if I am creating a sub-int for vlan 23, does sub-int have to be .23 or could it be anything?

thanks again

Jon Marshall Thu, 05/24/2007 - 20:44


You have to match the vlan number to your encapsulation command, i.e.

vlan 10

encapsulation dot1q 10

As for the actual subinterface I always just use the same number but I don't believe it has to match although I could be wrong.



Edison Ortiz Mon, 05/21/2007 - 07:19

If you want wccp support for those VLANs, you need to create the respective subinterfaces in the router.

The VLANs will automatically be allowed unless you explicitly blocked them.
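
The points raised in this thread (the trunk must carry every VLAN that has a router subinterface, the VLAN ID is taken from the encapsulation command, and a trunk with no explicit allowed list carries all VLANs) can be checked mechanically before a cutover. The Python below is an added example, not part of the original thread; the sample configs, interface names and the .400 subinterface number are constructed for illustration.

```python
import re

# Constructed sample configs (not from the thread). Interface names and the
# subinterface number .400 are assumptions chosen for illustration.
SWITCH_TRUNK = """\
interface GigabitEthernet2/1
 switchport mode trunk
 switchport trunk allowed vlan 23,40
"""
ROUTER = """\
interface FastEthernet0/0
 no ip address
interface FastEthernet0/0.23
 encapsulation dot1Q 23
interface FastEthernet0/0.400
 encapsulation dot1Q 40
"""

def allowed_vlans(cfg):
    """Expand 'switchport trunk allowed vlan 23,40-42' into a set of VLAN IDs."""
    specs = re.findall(r"switchport trunk allowed vlan (?:add )?([\d,-]+)", cfg)
    if not specs:                      # no explicit list: trunk carries every VLAN
        return set(range(1, 4095))
    vlans = set()
    for part in ",".join(specs).split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def subinterface_tags(cfg):
    """Map each router subinterface number to the VLAN in its encapsulation line."""
    tags, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            m = re.search(r"\.(\d+)$", line.strip())
            current = int(m.group(1)) if m else None   # None for a main interface
        elif current is not None:
            m = re.match(r"\s*encapsulation dot1q (\d+)", line, re.I)
            if m:
                tags[current] = int(m.group(1))
    return tags

def audit(switch_cfg, router_cfg):
    """Compare VLANs tagged on router subinterfaces with the trunk's allowed list."""
    allowed = allowed_vlans(switch_cfg)
    tagged = set(subinterface_tags(router_cfg).values())
    return {"missing_from_trunk": sorted(tagged - allowed),
            "allowed_without_subinterface": sorted(allowed - tagged)}

if __name__ == "__main__":
    print(subinterface_tags(ROUTER), audit(SWITCH_TRUNK, ROUTER))
```

A non-empty `allowed_without_subinterface` list shows VLANs that could be pruned from the trunk, since the router has no subinterface to receive their tagged frames.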

axfalk Mon, 05/21/2007 - 08:31

We only need wccp support for the 2 vlans I mentioned - vlan23 & vlan40... however, eigrp advertises subnets from all the vlans...

