SG300 VLAN Trunk?

Unanswered Question
Aug 2nd, 2012
User Badges:

I have recently been putting a SG300 through testing, and while the configuration is working, I am now at the stage of making sure everything is secure.  At this point I've reached a question I can't quite find the answer to:

Current Setup:

1 Port - Trunk Mode (1UP + Various VLANs Tagged)

Other Ports - Access Mode (Various VLANs Untagged)

The question comes as to how to deal with the Trunk Port.  Per Cisco's own "Virtual Lan Security Best Practices", the default/native VLAN should be cleared from all Trunks... unless I am misunderstaing I see no way to accomplish this with the SG300's port in Trunk Mode (it forces 1UP, and admit-all).

The only other options I see as being possible are:

Change Port to General Mode, and switch policy to admit-tagged-only, and leave 1UP on the trunk


Change Port to General Mode, and remove 1UP (but this forces the system to add 4095P, which per the documentation states it immediately disables all other VLANS?)

Are either of these options valid/usable... or is there a better way to accomplish this?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Tom Watts Thu, 08/02/2012 - 12:43
User Badges:
  • Green, 3000 points or more

Hi Domain, in a layer 2 environment, the switch IP is not particularly relevant. As long as your computer is on the same network as the switch IP then you can manage it.

If you want to remove VLAN 1, make any other VLAN the default VLAN then leave VLAN 1 as a management VLAN.


domain012 Thu, 08/02/2012 - 15:05
User Badges:

Not sure we are quite on the same page regarding this question:

In Trunk Mode, the switch is requiring a untagged VLAN (native vlan for the trunk) on the interface.  Per my understanding (correct me if I'm wrong), the best practices is indicating you generally do not want untagged traffic on your trunks.

Now by default in Trunk Mode, the link is assigned 1UP (PVID 1, Untagged).  It seems both the user interface and the cli interface will not allow you to keep a interface in Trunk Mode without having 1 assigned untagged VLAN.

I.E. (default Trunk):

#sh interface switchport GE1


Acceptable Frame Type: admitAll

Ingress UnTagged VLAN (NATIVE ): 1


I see no way of clearing this native VLAN from the trunk.  In General Mode it is possible to specify admitOnlyVlanTagged, which may be accomplishing the same thing however.

It also seems you can also set PVID to 4095 in General Mode.... I assume then that all untagged packets would be discarded.  At least from my limited testing it seems you can have something like:

General Mode:  100T, 200T, 300T, 4095P... and contrary to the documentation it does not seem to prevent you from using the Tagged VLANS.

Tom Watts Thu, 08/02/2012 - 15:20
User Badges:
  • Green, 3000 points or more

Typically the native vlan or PVID is untag on a port. You may set the switchport differently such as;

switchport mode general

switchport general ingress-filter disable

switchport general pvid X

switchport general allowed vlan add x tagged

With this configuration all vlan tag or untag is accepted on the switchport.

The ingress filtering on trunk and access port cannot disable, therefore the switchport setting must match, which making a pvid untagged and any additional vlan tag to the port. Otherwise ingress filter on the ingress port will discard the packet.

You may sculpt traffic any way you wish... The IP address of the switch is simply for management not for network unless running in L3.


domain012 Mon, 08/06/2012 - 12:55
User Badges:

The intent is not to accept any untagged traffic on this switchport at all (the best practices I list above come from Cisco's documentation for the Catalyst line of switches).

The native/pvid is used for control traffic (CDP, STP,...etc.) from my understanding, but the upstream device on this switchport is configured to only expect tagged traffic... I am not entirely sure what it will do with untagged traffic, but I highly suspect it will just drop/filter anything not properly tagged (haven't had time to validate)

I'm not worried about the IP address of the switch, since the management interface is not default/listens on a seperate tagged VLAN.  Realistically, the only thing I wanted this switch for was VLAN support (to segement apart various classes of devices) so it will only ever operate in L2... the upstream devices handle everything else.

For now, I have configured this port as follows, and it apears to be doing what I'm trying to accomplish:

switchport mode general

switchport general allowed vlan add 101,102,103 tagged

switchport general acceptable-frame-type tagged-only

switchport general pvid 4095

This may be actually overkill, since it appears once you apply PVID 4095, all untagged traffic gets dropped anyway.

I appreciate your replies on this topic

domain012 Tue, 08/07/2012 - 13:31
User Badges:

Well, to put an end to this saga:

This really doesn't do what I thought it would, and I proved this out by sticking a BSD machine on the port and sniffing the interface with tcpdump:

switchport mode general

switchport general allowed vlan add 101,102,103 tagged

switchport general acceptable-frame-type tagged-only

switchport general pvid 4095

This really does nothing.. it is the same as leaving the interface in just the default trunk mode with tagged vlans... control traffic is all sent out the interface untagged.

Playing around with this some more, this is more interesting:

switchport mode trunk

switchport trunk allowed vlan add 101,102,103

switchport default-vlan tagged

This changes the interface to Trunk: 1T, 101T, 102T, 103T, 4095P (and makes web interface go goofy if you try to change it). Now control traffic (other then STP) is coming down the VLAN's as tagged.

Oh well.... upstream device will just be configured to drop everything that is untagged and move on

barnett81 Fri, 08/31/2012 - 10:29
User Badges:

I may be a bit late on this one. If you change the native vlan on the trunk to a bogus vlan and then prune it from both ends of the trunk, untagged frames will be isolated to within the trunk. I believe this to be a Cisco best practice.

I have never worked with that device, however, the commands should be similar to this (vlan 99 being a bogus or "black-hole vlan):

switchport mode trunk

switchport trunk native vlan 99

switchport trunk allowed vlan 101, 102, 103