
Cannot add allowed vlan's to 4esw switch port in 2811 router

Answered Question
Sep 2nd, 2014
Hello,


I'm having a heck of a time adding 4 vlans to a trunk port on Fa0/0/1 which is a port on a 4ESW hwic card in a Cisco 2811 router.

The command I am adding is

switchport trunk allowed vlan 296,297,299,300 

I get this back from the console:

Command rejected: Bad VLAN allowed list. You have to include all default vlans, e.g. 1-2,1002-1005.


I've already added those vlans in vlan database.  Here is a cut and paste of them:

VLAN ISL Id: 296
    Name: VLAN0296
    Media Type: Ethernet
    VLAN 802.10 Id: 100296
    State: Operational
    MTU: 1500

  VLAN ISL Id: 297
    Name: VLAN0297
    Media Type: Ethernet
    VLAN 802.10 Id: 100297
    State: Operational
    MTU: 1500

  VLAN ISL Id: 299
    Name: VLAN0299
    Media Type: Ethernet
    VLAN 802.10 Id: 100299
    State: Operational
    MTU: 1500

  VLAN ISL Id: 300
    Name: VLAN0300
    Media Type: Ethernet
    VLAN 802.10 Id: 100300
    State: Operational
    MTU: 1500

So what am I missing?


Karsten Iwen Tue, 09/02/2014 - 14:49
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP, 2017 Firewalling, VPN

Well, the error message states which vlans are missing. The switch-modules always behave a little bit differently from a regular switch.

switchport trunk allowed vlan 1,296,297,299,300,1002-1005
keithsauer507 Tue, 09/02/2014 - 14:49

I don't want vlan 1, 1002-1005 on that link.  It goes through an ISP hand off and I can't control what they have on their side.  For all I know those vlans could be other customers and I can't allow those vlans access for security.

Karsten Iwen Tue, 09/02/2014 - 15:00
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP, 2017 Firewalling, VPN

I'm not aware of a way to tweak the module to operate the way you want.

A possible workaround: Place the ISP on one of the built-in router-ports. There you can configure sub-interfaces for your four VLANs. The HWIC could then be used for your internal connection.
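The rule Karsten describes above (the 4ESW rejects any allowed list that omits the default VLANs) and the workaround he suggests (dot1Q sub-interfaces on a built-in router port, which tag only the VLANs you choose) can both be checked mechanically. The following is an added example, not code from the original thread or from Cisco: it parses IOS VLAN-list syntax, reports which default VLANs a list is missing, renders the smallest list the module would accept, and emits the sub-interface workaround for the same VLANs. The set of default VLANs is an assumption taken from the accepted command in the thread (1 and 1002-1005); the interface name FastEthernet0/1 is just the router port the thread ends up using.

```python
import re
from itertools import groupby

# Assumption: the VLANs the HWIC-4ESW insists on carrying in every trunk
# allowed list. The error text only gives "1-2,1002-1005" as an example;
# the command in the thread that the module accepts lists 1 and 1002-1005,
# so that set is used here.
DEFAULT_VLANS = frozenset({1, 1002, 1003, 1004, 1005})

_TOKEN = re.compile(r"^(\d{1,4})(?:-(\d{1,4}))?$")


def parse_vlan_list(text):
    """Expand IOS VLAN-list syntax ('1,296-297,1002-1005') into a set of ints."""
    vlans = set()
    for token in text.replace(" ", "").split(","):
        if not token:
            continue
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"bad VLAN token: {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= hi <= 4094):
            raise ValueError(f"VLAN id out of range: {token!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Render VLAN ids the way IOS prints them: sorted, consecutive runs as ranges."""
    parts = []
    # Consecutive ids share the same (value - position) key once sorted.
    for _, run in groupby(enumerate(sorted(vlans)), key=lambda p: p[1] - p[0]):
        ids = [v for _, v in run]
        parts.append(str(ids[0]) if len(ids) == 1 else f"{ids[0]}-{ids[-1]}")
    return ",".join(parts)


def missing_default_vlans(allowed_text):
    """Default VLANs absent from an allowed list; empty means the 4ESW accepts it."""
    return DEFAULT_VLANS - parse_vlan_list(allowed_text)


def module_acceptable_list(allowed_text):
    """Smallest list the 4ESW accepts: the requested VLANs plus the defaults."""
    return format_vlan_list(parse_vlan_list(allowed_text) | DEFAULT_VLANS)


def router_port_subinterfaces(parent, allowed_text):
    """Workaround config: one dot1Q sub-interface per requested VLAN on a routed
    port. No default VLANs are tagged on the link, which is the point of moving
    the ISP hand-off off the switch module."""
    lines = []
    for vid in sorted(parse_vlan_list(allowed_text)):
        lines += [f"interface {parent}.{vid}", f" encapsulation dot1Q {vid}"]
    return lines


if __name__ == "__main__":
    requested = "296,297,299,300"  # the list rejected in the original post
    print("missing defaults:", format_vlan_list(missing_default_vlans(requested)))
    print("4ESW accepts:   ", module_acceptable_list(requested))
    print("\n".join(router_port_subinterfaces("FastEthernet0/1", requested)))
```

Run it and the first line names exactly the VLANs the console error complains about; the second is the list Karsten posted, in the compacted form IOS would echo back; the remaining lines are the sub-interface stanza for the router port, carrying only the four VLANs and nothing the ISP side might add.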

keithsauer507 Tue, 09/02/2014 - 15:01

Both FEs are used: one for one ISP and one for the LAN.


So you're suggesting I move that Fe0/1 (LAN) to the 4esw card, and then I can use Fe0/1 with sub-interfaces like I currently do today with Fe0/0 for the other ISP?

This is because we have branch offices in different territories that have different LECs.

Correct Answer
Karsten Iwen Tue, 09/02/2014 - 15:09
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP, 2017 Firewalling, VPN

So you're suggesting I move that Fe0/1 (LAN) to the 4esw card, and then I can use Fe0/1 with sub-interfaces like I currently do today with Fe0/0 for the other ISP?

In general, that should work. It's not that uncommon to have the WANs on the router-ports and the LANs on the switch-module.

keithsauer507 Wed, 09/03/2014 - 05:36

Just curious if this is a function of the IOS version running. Currently running c2800nm-advipservicesk9-mz.124-25g because it does everything I need and has lower memory requirements than the 15.1 train. If I upgrade to c2800nm-advipservicesk9-mz.151-4.M7, do you think it would allow me to prune vlan 1 (and the others) off a Fa interface on a 4ESW hwic card?

Or do you think this limitation is from the traces burned into the ASICs on the ESW card itself, which no software could overcome?

Karsten Iwen Wed, 09/03/2014 - 06:14
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP, 2017 Firewalling, VPN

As far as I know it's a limitation of the hardware (or the software-implementation for this hardware). I know the same behavior from 15.1 and 15.2 on ISR G2 releases.

keithsauer507 Wed, 09/03/2014 - 06:30

Ok, I will mark your suggestion as the correct answer: use the built-in Fa0/0 and Fa0/1 for my WAN links and use the 4ESW card for the LAN links.

Fa0/0 - Windstream VPL - 2 offices in Windstream territory (existing) (Requires 802.1q vlans as specified from us to service provider)

Fa0/1 - Verizon EVPL - 2 offices in Verizon territory (adding) (Requires 802.1q vlans as specified from service provider)

Fa0/0/0 - vlan 200 - to 4G LTE backup  for all offices (existing tunnels built)

Fa0/0/1 - Will become the new LAN (adding)


Kelvin Willacey Tue, 09/02/2014 - 14:47
User Badges:
  • Bronze, 100 points or more

I have never researched why it has this behavior, but it is just saying that you need to also include the default VLANs; once you do that it will accept the command.
