Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1925
Views
0
Helpful
9
Replies

Switch Port Trunk allowed Vlan

Go to solution
cisconell
Level 1
Level 1

‎12-30-2013 06:33 AM - edited ‎03-07-2019 05:18 PM

Hi Guys

Request your help on my query :

I have a distribution switch  and access switch and port channel between them.

Dist switch is the VTP server

lets assum I have 25 vlan

when I do show vlan brief on the access switch I can see all 25 vlans listed now

no when I configure switch port trunk allowed vlan (ex : permitting 10 vlans )on the link connecting to access switch at Dist switch

Dist switch po1 -- connecting to - po Access switch

Dist switch #

int po1

switch port trunk alllowed vlan x,x,x,x,x,x,x,x,x,

After permitting 10 vlan through trunk allowed vlan and then when I do show vlan brief on the access switch , I should see only the 10 vlan whcih I have permiited right ?

Thanks in advance  

Labels:
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎12-30-2013 06:38 AM

Hi,

After permitting 10 vlan through trunk allowed vlan and then when I do  show vlan brief on the access switch , I should see only the 10 vlan  whcih I have permiited right ?

No. The show vlan and show vlan brief commands display all VLANs that are created on the switch, regardless of whether they are used/allowed. If you want to check the allowed VLANs on a particular trunk, you must check the show interfaces trunk command output, especially the bottommost part with the heading "Vlans in spanning tree forwarding state and not pruned".

Best regards,

Peter

View solution in original post

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to cisconell

‎12-30-2013 11:01 AM

"So even if the access layer have the Vlan , and even if add an access port which is not part of allowed vlan

That access port will not communicate unless I permit it in trunk allowed vlan ?"

The access port can communicate on the local switch to other devices in the same vlan, but it would not be able to communicate across different switches if the vlan isn't allowed over the trunk. Of course, that would affect all hosts on the switch if the vlan isn't part of the trunk, so yes, you need to allow it over the trunk for it to communicate.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

View solution in original post

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎12-30-2013 11:52 AM

That should be correct , so do we have any other solution for not showing the unwanted vlans in the access layer

As Peter has stated with VTP server/client no you don't. However if you change all switches to VTP transparent then you can manually remove the vlans you do not want from each switch.  VTP transparent gives you more control over which vlans can exist on which switches.

Jon

View solution in original post

0 Helpful
9 Replies 9

Go to solution
John Blakley
VIP Alumni
VIP Alumni

‎12-30-2013 06:37 AM

If you do a "show vlan brie" and you've made that a trunk port, you won't see the interface listed for vlan 10 any longer. You can however do a "show int po1 trunk" and see the vlans allowed over the trunk.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎12-30-2013 06:38 AM

Hi,

After permitting 10 vlan through trunk allowed vlan and then when I do  show vlan brief on the access switch , I should see only the 10 vlan  whcih I have permiited right ?

No. The show vlan and show vlan brief commands display all VLANs that are created on the switch, regardless of whether they are used/allowed. If you want to check the allowed VLANs on a particular trunk, you must check the show interfaces trunk command output, especially the bottommost part with the heading "Vlans in spanning tree forwarding state and not pruned".

Best regards,

Peter

0 Helpful

Go to solution
cisconell
Level 1
Level 1
In response to Peter Paluch

‎12-30-2013 10:57 AM

Thanks Jhon,

Hi Peter,

May be you are right , as I have not seen any supporing document , The show vlan and show vlan brief commands display all VLANs that are created on the switch, regardless of whether they are used/allowed.

This is what I have experienced after permittting the regured vlan still i see all the vlan in the access layer.

So even if the access layer have the Vlan , and even if add an access port which is not part of allowed vlan

That access port will not communicate unless I permit it in trunk allowed vlan ?

Thanks

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to cisconell

‎12-30-2013 11:01 AM

"So even if the access layer have the Vlan , and even if add an access port which is not part of allowed vlan

That access port will not communicate unless I permit it in trunk allowed vlan ?"

The access port can communicate on the local switch to other devices in the same vlan, but it would not be able to communicate across different switches if the vlan isn't allowed over the trunk. Of course, that would affect all hosts on the switch if the vlan isn't part of the trunk, so yes, you need to allow it over the trunk for it to communicate.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
cisconell
Level 1
Level 1
In response to John Blakley

‎12-30-2013 11:22 AM

Thanks John,

That should be correct , so do we have any other solution for not showing the unwanted vlans in the access layer .

Should be the pruning ?

Thanks

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to cisconell

‎12-30-2013 11:51 AM

edited      

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to cisconell

‎12-30-2013 11:38 AM

Hi,

John is absolutely correct - even if you do not permit a VLAN on a trunk, it can still provide communication among local ports on a switch that are all assigned to the same VLAN.

I have a feeling that your original question was focused on a different aspect, though: You probably expected that if you exclude some VLANs from trunks, these VLANs will not be propagated via VTP to surrounding switches. Sadly, this is not the case. The switchport trunk allowed vlan command only affects data traffic in individual VLANs but it has no impact on the operation of VTP protocol. The VTP still advertises all VLANs, regardless of which VLANs are allowed on a trunk. To put it plainly, in a VTP domain, all server/client switches will know about all VLANs. THere is no legal possibility of having a single VTP domain consisting of server/client switch and yet have the switches differ in their VLAN database contents. It's as easy as that: one VTP domain = one big common VLAN database.

Best regards,

Peter

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎12-30-2013 11:52 AM

That should be correct , so do we have any other solution for not showing the unwanted vlans in the access layer

As Peter has stated with VTP server/client no you don't. However if you change all switches to VTP transparent then you can manually remove the vlans you do not want from each switch.  VTP transparent gives you more control over which vlans can exist on which switches.

Jon

0 Helpful

Go to solution
cisconell
Level 1
Level 1
In response to Jon Marshall

‎12-30-2013 12:43 PM

Thanks to Jon , Jhon and Peter for your valid inputs.

My query is clear , I consided this query is answerd.. Catch you guys for the next one 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card