How to define the VLANs allowed on a trunk link

Tue, 12/30/2014 - 22:53
Jun 18th, 2009

Introduction

How to define the VLANs allowed on a trunk link.

Resolution

When a trunk link is established, all of the configured VLANs are allowed to send and receive traffic across the link. VLANs 1 through 1005 are allowed on each trunk by default. However, VLAN traffic can be removed from the allowed list. This keeps traffic from the VLANs from passing over the trunk link.

Note: The allowed VLAN list on both the ends of the trunk link should be the same.

For Integrated Cisco IOS Software based switches, perform these steps:

  1. To restrict the traffic that a trunk carries, issue the switchport trunk allowed vlan remove vlan-list interface configuration command.

    This removes the specified VLANs from the allowed list.

    Note: VLANs 1 and 1002 through 1005 are reserved VLANs and cannot be removed from any trunk link.

    The vlan-list parameter is either a single VLAN ID or a range of VLAN IDs. A range is written as two VLAN numbers separated by a hyphen. Do not enter any spaces between comma-separated VLAN IDs or in hyphen-specified ranges.

    For example, to remove VLANs 5 through 10 and 12 from the trunk, issue the switchport trunk allowed vlan remove 5-10,12 command.

  2. To add a VLAN to the trunk, issue the switchport trunk allowed vlan add vlan-list command.

  3. This example shows how to remove VLANs 5 through 10 and 12, add VLAN 7 back, and verify the allowed VLANs on the trunk link.

    c3550#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    c3550(config)#int fa0/2
    c3550(config-if)#switchport trunk encapsulation dot1q
    c3550(config-if)#switchport mode trunk
    c3550(config-if)#switchport trunk allowed vlan remove 5-10,12
    c3550(config-if)#switchport trunk allowed vlan add 7
    c3550(config-if)#end
    c3550#show interfaces fastEthernet 0/2 trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/2       on           802.1q         trunking      1

    Port     Vlans allowed on trunk
    Fa0/2    1-4,7,11,13-4094

    Port        Vlans allowed and active in management domain
    Fa0/2       1

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/2       1
    c3550#

For Catalyst OS (CatOS) Software based switches, perform these steps:

Note: Even when the VLAN is removed from the port, the trunk remains in On state.

  1. When you first configure a port as a trunk port, the set trunk command always adds all VLANs to the allowed VLAN list for the trunk link. Even if you specify a VLAN range at this point, it is ignored.

  2. To modify the allowed VLANs list, use the clear trunk and set trunk commands in combination to specify the allowed VLANs.

  3. To remove VLANs from the allowed VLANs list for a trunk, issue the clear trunk mod_num/port_num vlans command.

  4. To add specific VLANs to the allowed VLANs list for a trunk, issue the set trunk mod_num/port_num vlans command.

  5. To verify the allowed VLAN list for the trunk, issue the show trunk mod_num/port_num command.

Example

This example shows:

  • How to define the allowed VLANs for trunk port 1/1
  • How to allow VLANs 1 through 100, VLAN 250 and VLANs 500 through 1005
  • How to verify the allowed VLAN list for the trunk

    Console> (enable) clear trunk 1/1 101-499
    Removing Vlan(s) 101-499 from allowed list.
    Port 1/1 allowed vlans modified to 1-100,500-1005.
    Console> (enable) set trunk 1/1 250
    Adding vlans 250 to allowed list.
    Port(s) 1/1 allowed vlans modified to 1-100,250,500-1005.
    Console> (enable) show trunk 1/1
    Port      Mode         Encapsulation  Status        Native vlan
    --------  -----------  -------------  ------------  -----------
    1/1      desirable    isl            trunking      1
    Port      Vlans allowed on trunk
    --------  ---------------------------------------------------------------------
    1/1      1-100,250,500-1005
    Port      Vlans allowed and active in management domain
    --------  ---------------------------------------------------------------------
    1/1      1,521-524
    Port      Vlans in spanning tree forwarding state and not pruned
    --------  ---------------------------------------------------------------------
    1/1      1,521-524
    Console> (enable)
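The following Python script is an added example and not part of the original Cisco document. It models the allowed-VLAN list that both the IOS and the CatOS procedures above manipulate: it expands and collapses vlan-list strings in the format the switch prints, replays the IOS steps (default 1-4094 on the 3550, remove 5-10,12, add 7) and the CatOS steps (default 1-1005, clear 101-499, set 250) to reproduce the lists shown in the two outputs, extracts the "Vlans allowed on trunk" value from either show output, and compares the lists of both trunk ends so that a mismatch against the note in the Resolution is reported. The RESERVED_VLANS handling follows the document's statement that VLAN 1 and 1002 through 1005 cannot be removed; the IOS_SHOW_TRUNK excerpt and the far-end list used in the mismatch check are constructed sample data.

```python
"""Model the allowed-VLAN list of a trunk link (illustrative code, not a Cisco tool).

Parses and formats vlan-list strings, replays the remove/add steps of the IOS
and CatOS procedures, extracts the allowed list from 'show ... trunk' output
and compares both ends of a trunk.
"""
from __future__ import annotations

import re

# The document states that VLAN 1 and 1002-1005 cannot be removed from a trunk.
RESERVED_VLANS = frozenset({1, 1002, 1003, 1004, 1005})


def parse_vlan_list(vlan_list: str) -> set[int]:
    """Expand a vlan-list such as '1-4,7,11,13-4094' into a set of VLAN IDs.

    Whitespace is rejected: the CLI would read '5-10, 12' as two arguments,
    which is why the document says to enter no spaces.
    """
    if re.search(r"\s", vlan_list):
        raise ValueError(f"vlan-list must not contain spaces: {vlan_list!r}")
    vlans: set[int] = set()
    for item in vlan_list.split(","):
        if not item:
            raise ValueError(f"empty element in vlan-list: {vlan_list!r}")
        lo, _, hi = item.partition("-")
        start = int(lo)
        end = int(hi) if hi else start
        if not 1 <= start <= end <= 4094:
            raise ValueError(f"VLAN range out of bounds: {item!r}")
        vlans.update(range(start, end + 1))
    return vlans


def format_vlan_list(vlans: set[int]) -> str:
    """Collapse a set of VLAN IDs into the compact form the switch prints."""
    ids = sorted(vlans)
    ranges: list[str] = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1  # extend the run while IDs are consecutive
        ranges.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(ranges)


def remove_vlans(allowed: set[int], vlan_list: str) -> set[int]:
    """'switchport trunk allowed vlan remove <vlan-list>' / 'clear trunk'.

    Reserved VLANs stay on the trunk even if the list names them.
    """
    return allowed - (parse_vlan_list(vlan_list) - RESERVED_VLANS)


def add_vlans(allowed: set[int], vlan_list: str) -> set[int]:
    """'switchport trunk allowed vlan add <vlan-list>' / 'set trunk'."""
    return allowed | parse_vlan_list(vlan_list)


def allowed_from_show_trunk(output: str) -> str:
    """Return the 'Vlans allowed on trunk' value from IOS or CatOS show output.

    The value is the last field of the first data line after the header;
    CatOS inserts a dashed separator line, which is skipped.
    """
    lines = output.splitlines()
    for idx, line in enumerate(lines):
        if "Vlans allowed on trunk" in line:
            for data in lines[idx + 1:]:
                data = data.strip()
                if data and not data.startswith("-"):
                    return data.split()[-1]
    raise ValueError("no 'Vlans allowed on trunk' section found")


def compare_trunk_ends(local: str, remote: str) -> dict[str, str]:
    """Report VLANs allowed on only one end; an empty dict means both ends match."""
    a, b = parse_vlan_list(local), parse_vlan_list(remote)
    mismatch: dict[str, str] = {}
    if a - b:
        mismatch["local_only"] = format_vlan_list(a - b)
    if b - a:
        mismatch["remote_only"] = format_vlan_list(b - a)
    return mismatch


# Constructed excerpt in the layout of the Catalyst 3550 output above.
IOS_SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      1

Port     Vlans allowed on trunk
Fa0/2    1-4,7,11,13-4094
"""


def ios_example() -> str:
    """Replay the IOS steps: default 1-4094, remove 5-10,12, add 7."""
    allowed = set(range(1, 4095))
    allowed = remove_vlans(allowed, "5-10,12")
    allowed = add_vlans(allowed, "7")
    return format_vlan_list(allowed)


def catos_example() -> str:
    """Replay the CatOS steps: default 1-1005, clear 101-499, set 250."""
    allowed = set(range(1, 1006))
    allowed = remove_vlans(allowed, "101-499")
    allowed = add_vlans(allowed, "250")
    return format_vlan_list(allowed)


if __name__ == "__main__":
    print(ios_example())                               # 1-4,7,11,13-4094
    print(catos_example())                             # 1-100,250,500-1005
    print(allowed_from_show_trunk(IOS_SHOW_TRUNK))
    # Constructed far-end list that still carries VLAN 12: reported as a mismatch.
    print(compare_trunk_ends(ios_example(), "1-4,7,11-4094"))
```

Feeding the output of show interfaces trunk from each end of a link into allowed_from_show_trunk and then compare_trunk_ends gives a quick check of the note that both allowed lists must be identical; a non-empty result is exactly the VLANs that would pass only in one direction.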

Reference

For more information on configuring VLANs on Catalyst switches, refer to Creating Ethernet VLANs on Catalyst Switches.

charitha1013 Wed, 05/15/2013 - 13:36

Switchport trunk allowed vlan all

What is the advantage of allowing certain VLANs vs. allowing all? Currently we have all VLANs allowed in the network and want to allow only certain VLANs instead; how can we determine which VLANs should be allowed?

Appreciate a response in this regard. Thanks

steinmannb Mon, 06/16/2014 - 04:37

If the network administrator can't tell the purpose of the various VLANs, you have a serious problem! VLANs are used to have just one backbone while providing "shielded" separate networks within that infrastructure, like having the Internet in one VLAN and the internal stuff in another.

As an example of allowing only specific VLANs, imagine a company that has an ICT department that provides the network backbone, and the programmer department has some ESX servers running. The network card going to the ESX server should only allow the VLANs used by the programmers, to keep them from creating a VM that has a NIC in the wrong VLAN. They may think they know what they are doing but (unintentionally) enter the wrong VLAN ID, putting a VM in your production server VLAN and disrupting your whole server park.

If you want to see the VLANs on a switch and which access port is a member of which VLAN, issue the command "show vlans" to get a nice list. For the ports in trunk mode this will not help, so you have to check the device attached to the port for its configuration. All in all, coming back to the question: why did you allow all VLANs on all trunk ports, ultimately resulting in not being able to answer the question of which device is a member of which VLAN? Thus always have perfect documentation and/or use the "switchport trunk allowed vlan" command to limit the trunk to the necessary VLANs.
