Switchport trunk allowed vlan all

Unanswered Question
Nov 30th, 2010

Hi,


I have attached my scenario below. I would like the PC in VLAN 1 to send to and receive from VLANs 2 and 3, but I don't want VLAN 2 to communicate with VLAN 3. I used switchport trunk allowed vlan all on the switchport that connects to the PC in VLAN 1, but I don't get the expected result. Any help will be welcome.

cadet alain Tue, 11/30/2010 - 06:33

Hi,

You should post the diagram as a JPG because not everybody has Packet Tracer to open your file.

And also post the config from your devices.


But if you want to do inter-VLAN routing you need an L3 device with an SVI for each VLAN (interface vlan), or a router-on-a-stick design with a router trunking to the switch and as many subinterfaces as VLANs.

A trunk port is a port which can transport multiple VLANs; normally PCs are in one VLAN (one subnet) and so are attached to an access port in that VLAN.



Regards.

lruberintwari Tue, 11/30/2010 - 23:47

Hi,


Is there any possibility that the PC in VLAN 1 can send to and receive from other VLANs using only a layer 2 device? I thought that the command switchport trunk allowed vlan all would allow me to achieve my goal, but I am far from that. Thanks for your help.

cadet alain Wed, 12/01/2010 - 03:00

Hi,

As VLANs are different IP subnets you must route between them and a L2 device can't do this.

You only have 2 options:

-router on a stick

-L3 switch with SVIs


Regards.

lruberintwari Wed, 12/01/2010 - 06:03

Thanks a lot, cadetalain!


But I still have a question that is making my mind spin. What is the command switchport trunk allowed vlan all made for?





cadet alain Wed, 12/01/2010 - 08:38

Hi,


By default all VLANs are permitted on a trunk, so this command is used to revert to the default if only some VLANs, not all of them, were allowed before.



Regards.

charitha1013 Wed, 05/15/2013 - 12:04

What is the advantage of allowing certain VLANs vs allowing all? Currently we have all VLANs allowed in the network and want to allow only certain VLANs instead; how can we determine which VLANs should be allowed?


I'd appreciate a response in this regard. Thanks.

Bilal Nawaz Wed, 05/15/2013 - 13:25

It's normally a best security practice to only allow VLANs that need to communicate down the trunk link. Without setting the command switchport trunk allowed vlan X,Y,Z, it allows ALL VLANs to traverse that pipe. By restricting the number of VLANs you are cutting down on security risks and the amount of traffic that can cross those paths. I mean, if it's not needed, why include it?


One thing I wanted to note: if you're doing this in a live production environment, PLEASE be careful.


If you want to 'add existing vlans to a trunk' you should do this:

switchport trunk allowed vlan add xx


If you want to 'remove existing vlans from a trunk' you should do this:

switchport trunk allowed vlan remove xx


The reason why I raise this is because if we were to do this:

switchport trunk allowed vlan xx


This would momentarily remove all VLANs from the trunk and ALL VLANs will be disrupted. Although it's minimal disruption, I have seen it cause havoc.

Let's just say: using the add and remove keywords is much more friendly!


In regards to the original post, Alain correctly stated that some sort of layer 3 device (router) will be required to 'route' between the different subnets and VLANs. The requirement for PCs to talk is to either be on the 'same segment', i.e. in one VLAN, OR be on different segments with a router that can route from one subnet to another.


So I have taken the opportunity to quickly change things in the PKT file and hopefully there is some benefit there for anyone.


I've decided to take on Alain's suggestion of 'router on a stick' which is fairly simple, and personally I like this kind of simplistic setup. Also the concept is pretty easy to grasp.


There are 4 VLANs: 1, 2, 3 and 4. The switch has the usual access ports for the PCs and, in addition to this, as part of the router-on-a-stick setup, I have created a trunk interface towards the router. The router has sub-interfaces, which are capable of 802.1Q tagging once you enable 'encapsulation dot1q x' (x being the VLAN ID). Then we can assign an IP address to this particular interface. Another phrase for this type of setup is 'interVLAN routing'.


You will note that in the configuration below I have specified the 'native' VLAN, which does not get encapsulated or 'tagged'; by default it's VLAN 1.


Router#
Router#show run
Building configuration...

Current configuration : 835 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0.4
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
line con 0
line vty 0 4
 login
!
end
Router#


Here is the switch configuration:


Switch#show run
Building configuration...

Current configuration : 1238 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 2
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 3
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 4
 spanning-tree portfast
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport trunk allowed vlan 1-4
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
end


More details of router on a stick here:

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml


Hope this helps


Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Broken-Arrow Wed, 05/15/2013 - 13:36

Hi,


I don't think the above completes the scenario. The 'switchport trunk allowed vlan' command only applies to trunks, so it is somewhat useless on int fa0/4; hence the trunk keyword in the statement. Instead, as you are using an L2 device (presumably a 2950 or similar), you want to trunk it all up to the router as Bilal correctly suggests.


-> However, remove the un-used vlan allowed statement on int fa0/4.

-> Configure an ACL on your router to prevent 2 and 3 talking to each other.


e.g:


access-list 101 deny ip 192.168.2.1 0.0.0.255 192.168.2.1 0.0.0.255

access-list 101 permit any any


int fa0/0.2

access-group 101 out


-> Repeat the above for vlan 3 but with the correct subnets.


When you move up to CCNP you might start thinking about isolated and community VLANs to solve your problem, given the number of devices.
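
As an added example (not code from the thread or from Cisco), the following Python model evaluates Cisco-style wildcard-mask ACL entries against constructed packets routed between the 192.168.N.0/24 sub-interfaces of the router configuration posted above. It shows why the ACL as posted does not stop VLAN 2 and VLAN 3 from talking (both addresses in the deny line are in VLAN 2's subnet, and an outbound list on fa0/0.2 only ever sees traffic whose source is some other VLAN), and what a corrected pair of lists does. The ACL numbers 102 and 103, applying them inbound on fa0/0.2 and fa0/0.3, the `ip` keyword on the permit lines, and the host addresses are my assumptions; this is a simplified model of IOS behaviour, not IOS itself.

```python
"""Wildcard-mask ACL model for the router-on-a-stick in this thread.

Added example, not code from the thread. Entries are address + wildcard
mask with the implicit deny at the end; packets are routed between the
192.168.N.0/24 sub-interfaces of the posted router config. Host addresses,
ACL numbers 102/103 and the inbound placement are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'. Host bits of `base` under
    such bits are ignored, so 192.168.2.1 0.0.0.255 covers all of 192.168.2.0/24."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny ip SRC WC DST WC'; 'any' = 0.0.0.0 255.255.255.255."""
    t = line.split()
    if t[0] != "access-list" or t[3] != "ip":
        raise ValueError(line)
    fields, rest = [], t[4:]
    for _ in range(2):                    # source, then destination
        if rest[0] == "any":
            fields += ["0.0.0.0", "255.255.255.255"]
            rest = rest[1:]
        else:
            fields += rest[:2]
            rest = rest[2:]
    return Ace(t[2], *fields)

def acl_decision(acl: list[Ace], src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for a in acl:
        if wildcard_match(src, a.src, a.src_wc) and wildcard_match(dst, a.dst, a.dst_wc):
            return a.action
    return "deny"

NO_ACL = [parse_ace("access-list 1 permit ip any any")]   # no list applied = permit

# The list as posted (protocol keyword added to the permit line, which IOS
# requires): both addresses of the deny line are in VLAN 2's own subnet.
POSTED_101 = [parse_ace(l) for l in (
    "access-list 101 deny ip 192.168.2.1 0.0.0.255 192.168.2.1 0.0.0.255",
    "access-list 101 permit ip any any")]
# Corrected: deny the other subnet, applied inbound on each sub-interface.
FIXED_102 = [parse_ace(l) for l in (
    "access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255",
    "access-list 102 permit ip any any")]
FIXED_103 = [parse_ace(l) for l in (
    "access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 103 permit ip any any")]

def vlan_of(addr: str) -> int:
    """Sub-interface FastEthernet0/0.N owns 192.168.N.0/24 (N = 1..4)."""
    for n in (1, 2, 3, 4):
        if wildcard_match(addr, f"192.168.{n}.0", "0.0.0.255"):
            return n
    raise ValueError(f"no sub-interface for {addr}")

def route(src: str, dst: str, inbound: dict, outbound: dict) -> str:
    """Forward one packet; `inbound`/`outbound` map VLAN -> list applied on
    that VLAN's sub-interface in that direction."""
    sv, dv = vlan_of(src), vlan_of(dst)
    if sv == dv:
        return "switched"            # same VLAN never reaches the router
    if acl_decision(inbound.get(sv, NO_ACL), src, dst) == "deny":
        return "denied-in"
    if acl_decision(outbound.get(dv, NO_ACL), src, dst) == "deny":
        return "denied-out"
    return "forwarded"

def compare() -> dict:
    """(result with posted list outbound on Fa0/0.2, result with corrected pair
    inbound on Fa0/0.2 and Fa0/0.3) for constructed host pairs."""
    posted = dict(inbound={}, outbound={2: POSTED_101})
    fixed = dict(inbound={2: FIXED_102, 3: FIXED_103}, outbound={})
    pairs = {"3->2": ("192.168.3.10", "192.168.2.10"),
             "2->3": ("192.168.2.10", "192.168.3.10"),
             "1->2": ("192.168.1.10", "192.168.2.10"),
             "2->1": ("192.168.2.10", "192.168.1.10"),
             "2->4": ("192.168.2.10", "192.168.4.10")}
    return {k: (route(s, d, **posted), route(s, d, **fixed)) for k, (s, d) in pairs.items()}

if __name__ == "__main__":
    for name, (as_posted, corrected) in compare().items():
        print(f"{name}: posted={as_posted:10} corrected={corrected}")
```

On the router itself the corrected lists would be attached with `ip access-group 102 in` under `interface FastEthernet0/0.2` and `ip access-group 103 in` under `interface FastEthernet0/0.3` (the `ip` keyword is required; the posted `access-group 101 out` is missing it). Packets between VLANs 1, 2 and 4 still pass because the only deny lines name the 192.168.2.0/24 and 192.168.3.0/24 pair.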

Broken-Arrow Wed, 05/15/2013 - 13:36

Just realised an error in my ACL, but you should get the picture.

Bilal Nawaz Wed, 05/15/2013 - 13:39

Agreed - thanks for pointing out the ACL. I think I got so carried away with the inter-VLAN routing that I totally forgot about the ACLs to stop one subnet from talking to another! :-)


Please rate useful posts & remember to mark any solved questions as answered. Thank you.

charitha1013 Wed, 05/15/2013 - 15:07

How can I determine the VLANs to be allowed now that the network has all VLANs allowed?

How can I go about determining the VLANs that need to be added?

I want to change switchport trunk allowed vlan all to switchport trunk allowed vlan; but I want to determine the VLANs to be allowed...

Please give me your feedback

Sent from Cisco Technical Support iPhone App

Bilal Nawaz Wed, 05/15/2013 - 15:23

Are you talking about an existing network in a live environment or just a lab? The approach to this can be very different.

Say I have vlan 1 - 5 on switch A

By default my config would be

Interface gi0/1
Switchport mode trunk

And would trunk all Vlans. Right?

Lets say I wanted to remove Vlan 5 afterwards from the trunk because its not needed on there anymore. I'd do this

Interface gi0/0
Switchport trunk allowed vlan remove 5

The running config at this stage will look like this:

Interface gi0/0
Switchport mode trunk
Switchport trunk allowed vlan 1-4

If I wanted to add a vlan I'd do this

Interface gi0/0
Switchport trunk allowed vlan add 5

The running config would then look like this

Interface gi0/0
Switchport mode trunk
Switchport trunk allowed vlan 1-5

It does this because we have explicitly configured the trunk to carry these Vlans for us.

If I had a brand new setup that wasn't being used in a live environment yet and was configuring a trunk,

Interface gi0/0
Switchport trunk allowed vlan 1,2,3,4

So I'm just allowing Vlans 1,2,3 and 4

This is explicitly configuring the allowed Vlans on the trunk.

However, if a VLAN is inactive then it gets pruned, depending on your switches and layer 2 configuration.

IMHO it's better from a security and control point of view to manually configure a trunk using this method.

Hope this helps

Sent from Cisco Technical Support iPhone App

charitha1013 Wed, 05/15/2013 - 18:31

Thank you for the reply. It's a live network and I understand the procedure to add the VLANs. But currently all VLANs are being allowed; I am new to the network and I will have to determine which VLANs to allow. How can I approach determining which VLANs to allow?

Sent from Cisco Technical Support iPhone App

Bilal Nawaz Wed, 05/15/2013 - 23:51

Good question. People might have a difference of opinion on how to approach something like this.
I would start off at your access layer switches; from here we can pretty much tell what VLANs are required just by the 'access ports'.
I would sketch out a rough diagram of the layer 2 network just so we can jot down beside a switch which VLANs are being used. This would definitely be a good exercise to go through since you'd get to know the network more!

Once we have this information we can go to core/distribution layer, we may have access ports there... But most should be trunks. Here we can pretty much say which vlans are needed on which trunks towards the access layer.
However, things become a bit more tricky when your organisation is using a virtual environment, ESX/Blade chassis. These may require Vlans to be trunked to them. I guess it would require some cooperation between network and platform teams to discuss which vlans need to stay on the trunk and which ones don't need to be there.

Then hopefully we can be in a position to determine which Vlans are required and which aren't - on the trunk ports.

Hope this helps

Sent from Cisco Technical Support iPhone App

charitha1013 Thu, 05/16/2013 - 05:54

I will try this approach and let you know how it goes. Thanks a lot.

Sent from Cisco Technical Support iPhone App

charitha1013 Thu, 05/16/2013 - 12:00

It's too tedious; is it worth the effort to identify and allow certain vlans vs allowing all to the existing network?

Is there any other easy way, looking at the show commands, configs etc., to identify the VLANs?

Sent from Cisco Technical Support iPhone App

JohnTylerPearce Thu, 05/16/2013 - 13:47

Charitha1013,


Step 1) 'show vlan brief' (This will show you what ports have been assigned to what vlans, as well as all vlans created on the switch)


Step 2) 'switchport trunk allowed vlan add a.b.c.d.e.f (etc etc)'


Step 3) You can control broadcasts this way. By default a trunk belongs to all vlans, so if you only have vlans 10 through 30 on a switch, the trunk port on that switch will receive all broadcasts for all other active vlans.
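
Putting the last several posts together as an added example (not code from the thread or from Cisco): a small Python model of the allowed-VLAN list on a trunk, the add/remove/replace forms Bilal describes, and a parser for `show vlan brief` (John's step 1) that derives the VLANs a trunk needs from the access ports seen on a switch and emits only add/remove commands, so the trunk is never emptied in between. The `show vlan brief` output, the interface names and the policy of always keeping the native VLAN 1 are constructed assumptions; IOS writes its own normalized form of the list into the running configuration.

```python
"""Allowed-VLAN list model plus a 'show vlan brief' based trunk planner.

Added example, not code from the thread. The default allowed list is every
VLAN (1-4094); 'add'/'remove' edit it, a bare list replaces it. The sample
'show vlan brief' output and the interface names are constructed.
"""
from __future__ import annotations
import re

VLAN_MIN, VLAN_MAX = 1, 4094

def parse_vlan_list(spec: str) -> set[int]:
    """'1-4', '1,2,3,4', '1-4,10', 'all' or 'none' -> set of VLAN IDs."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(VLAN_MIN, VLAN_MAX + 1))
    if spec in ("", "none"):
        return set()
    vlans: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not VLAN_MIN <= lo_i <= hi_i <= VLAN_MAX:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans

def format_vlan_list(vlans: set[int]) -> str:
    """Compact form: consecutive IDs become 'a-b'; an empty set is 'none'."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    runs, start, prev = [], ids[0], ids[0]
    for v in ids[1:] + [None]:            # None flushes the last run
        if v is not None and v == prev + 1:
            prev = v
            continue
        runs.append(str(start) if start == prev else f"{start}-{prev}")
        if v is not None:
            start = prev = v
    return ",".join(runs)

def apply_allowed_vlan(current: str, argument: str) -> str:
    """Model 'switchport trunk allowed vlan <argument>' on a trunk whose list is
    `current`: add/remove edit it, a bare list replaces it (the disruptive form)."""
    words = argument.split()
    vlans = parse_vlan_list(current)
    if words[0] == "add":
        vlans |= parse_vlan_list(words[1])
    elif words[0] == "remove":
        vlans -= parse_vlan_list(words[1])
    else:
        vlans = parse_vlan_list(words[0])
    return format_vlan_list(vlans)

# Constructed 'show vlan brief' output modelled on the switch config above:
# VLANs 2-4 have one access port each, VLAN 5 exists with no ports, and
# 1002 is one of the reserved VLANs IOS always lists as act/unsup.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10
2    VLAN0002                         active    Fa0/2
3    VLAN0003                         active    Fa0/3
4    VLAN0004                         active    Fa0/4
5    VLAN0005                         active
1002 fddi-default                     act/unsup
"""
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_show_vlan_brief(text: str) -> dict[int, list[str]]:
    """VLAN ID -> access ports for rows in 'active' status; indented lines
    continue the previous row's port list."""
    table: dict[int, list[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue
        if line[0].isspace():
            if current is not None:
                table[current] += [p.strip() for p in line.split(",") if p.strip()]
            continue
        m = ROW.match(line)
        current = None
        if m and m.group(3) == "active":
            current = int(m.group(1))
            table[current] = [p.strip() for p in m.group(4).split(",") if p.strip()]
    return table

def required_vlans(table: dict[int, list[str]], always_keep=frozenset({1})) -> set[int]:
    """VLANs with at least one access port, plus VLANs kept by policy (the
    trunk's native VLAN 1 here, as in the configs above)."""
    return {v for v, ports in table.items() if ports} | set(always_keep)

def plan_trunk_change(interface: str, current: str, desired: set[int]) -> list[str]:
    """Commands moving `interface` from `current` to `desired` using add/remove only."""
    have = parse_vlan_list(current)
    cmds = [f"interface {interface}"]
    if have - desired:
        cmds.append(f" switchport trunk allowed vlan remove {format_vlan_list(have - desired)}")
    if desired - have:
        cmds.append(f" switchport trunk allowed vlan add {format_vlan_list(desired - have)}")
    return cmds
```

Run against the constructed output, `required_vlans` yields VLANs 1-4 and `plan_trunk_change("FastEthernet0/24", "all", ...)` produces a single `switchport trunk allowed vlan remove 5-4094`, which trims the default list without ever replacing it. Note that removing one VLAN from the default list leaves the rest of 1-4094 in place (`1-4,6-4094`), which is why starting from an explicit list, as in Bilal's new-setup case, gives the tidier result.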

charitha1013 Thu, 05/16/2013 - 17:15

Thank you for the reply. It was very helpful.

Sent from Cisco Technical Support iPhone App
