Cisco – Prevent a trunk from passing native (untagged) traffic

cisco, vlan

I am a network enthusiast and recently tracked down a problem and I'm looking for a solution. I've configured a small 8 port (CISCO SG200) switch as a trunk requiring tagging on VLAN1 and 2. In the Port VLAN membership, the following is displayed

Interface  Mode PVID  Operational VLAN Membership
    g1    Trunk  1    1T,2T

NOTE: There is no command line access to the switch so I can't show typical command line commands and output.

So both sides of the trunk are configured as Trunk 1T,2T. The other switch is a CISCO SG-300 20port (so both are CISCO brand switches).

On reboot/power-cycle of the CISCO SG200, however, the SG200 changes its configuration to 1U,2T. See below

Interface  Mode PVID  Operational VLAN Membership
    g1    Trunk  1    1U,2T

The result is that VLAN1 traffic no longer flows over the trunk because the SG200 sends VLAN1 without tagging, and the other switch (SG300) requires VLAN1 to be tagged so the untagged VLAN1 traffic is ignored (that is my understanding).

I thought what I was doing was "legal" albeit not standard, but since it isn't working I need to change it. The question is how should I change it so that

  • I have two VLANs.
  • I have a trunk connecting my two switches that ONLY allows traffic from these two VLANs.
  • NOTE: I wanted to prevent untagged traffic from being sent at all (over the trunk), but apparently the SG200 doesn't want to support this (after a reboot), and some of the things I read indicated that CISCO wants to send switch communications on VLAN1 so I might want to avoid using VLAN1 and create two other VLANs.

So some thoughts are:

  • Use VLAN 2 & 3 for my purposes. I would change the default VLAN to be 2 (in my case), so all ports by default connect to the primary LAN. I want VLAN2 (in this example) to be the wild west, and VLAN3 to be protected. The trunk port would be configured for 2T,3T.

The result would look like this:

Interface  Mode PVID  Operational VLAN Membership
    g1    Trunk   1    2T,3T
    g2    Access  2    2U
    g3    Access  3    3U

I thought there might be some other options but this is all I've got.

Some other articles I found useful were:

Best Answer

You need to ensure the PVID, U and T VLANs match on both sides to make sure you have correct VLAN forwarding across the trunk. If you have a PVID / untagged VLAN mismatch you will be bridging two VLANs together between the switches (STP may even block if there is a mismatch).

This may be a little overkill for your setup, but best practice for security (to avoid VLAN hopping among other things) is to configure your trunks as follows:

  • Define a dummy VLAN (other than VLAN 1) to be used on all trunks as the native VLAN. This VLAN should only be assigned as native VLAN on trunks and should never be used for user data.

  • Remove VLAN 1 if you can from the trunk (not really possible on Cisco switch). If you can’t remove it, tag it, but don’t ever use it for user data.

  • All other VLANs, the ones you use for user data, should be tagged.

So, you could define VLAN 99 as the native VLAN, then set the trunks to:

  • PVID 99, 1T, 2T, 3T, 99U

and only ever use VLANs 2 and 3 for user traffic.

To avoid access ports being configured for VLAN 1 you can preconfigure them to either VLAN 2 or VLAN 3. Alternatively, define a black hole VLAN for unused ports and assign all unused ports to that VLAN.
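The "both sides must agree on PVID, U and T" rule from the first paragraph of this answer can be checked mechanically. The following is an added example, not code from the question or the answer: it parses the "1U,2T" membership notation the SG200/SG300 GUI shows and reports the mismatches the answer warns about (PVID mismatch bridging two VLANs, untagged-vs-tagged mismatch as in the question, VLAN 1 used as native). The TrunkSide fields and the check_trunk function are assumptions made for the example.

```python
# Added example: compare the two ends of a trunk using the GUI's
# "Operational VLAN Membership" notation (e.g. "1U,2T") plus the PVID.
from dataclasses import dataclass


@dataclass(frozen=True)
class TrunkSide:
    name: str        # switch name, e.g. "SG200" (hypothetical label)
    pvid: int        # PVID shown for the trunk port
    membership: str  # e.g. "1T,2T,3T,99U" as shown in the GUI


def parse_membership(membership: str) -> dict[int, str]:
    """Turn '99U,1T,2T' into {99: 'U', 1: 'T', 2: 'T'}."""
    result = {}
    for item in membership.replace(" ", "").split(","):
        if not item:
            continue
        vlan, mode = int(item[:-1]), item[-1].upper()
        if mode not in ("U", "T") or not 1 <= vlan <= 4094:
            raise ValueError(f"bad membership entry: {item!r}")
        result[vlan] = mode
    return result


def check_trunk(a: TrunkSide, b: TrunkSide) -> list[str]:
    """Return a list of findings; an empty list means both ends agree."""
    findings = []
    ma, mb = parse_membership(a.membership), parse_membership(b.membership)
    if a.pvid != b.pvid:
        findings.append(f"PVID mismatch: {a.name} PVID {a.pvid} vs {b.name} "
                        f"PVID {b.pvid}; untagged frames bridge two VLANs")
    for vlan in sorted(set(ma) | set(mb)):
        if vlan not in ma or vlan not in mb:
            missing = b.name if vlan not in mb else a.name
            findings.append(f"VLAN {vlan} is not a member on {missing}")
        elif ma[vlan] != mb[vlan]:
            findings.append(f"VLAN {vlan} tagging mismatch: {a.name} has "
                            f"{ma[vlan]}, {b.name} has {mb[vlan]}")
    for side, m in ((a, ma), (b, mb)):
        untagged = [v for v, mode in m.items() if mode == "U"]
        if len(untagged) > 1:
            findings.append(f"{side.name}: several untagged VLANs {untagged}")
        if untagged and untagged[0] != side.pvid:
            findings.append(f"{side.name}: untagged VLAN {untagged[0]} "
                            f"differs from PVID {side.pvid}")
        if m.get(1) == "U":
            findings.append(f"{side.name}: VLAN 1 is native; use a dummy "
                            "native VLAN instead")
    return findings
```

Running check_trunk on the question's post-reboot state (SG200 PVID 1 "1U,2T" against SG300 PVID 1 "1T,2T") flags the VLAN 1 tagging mismatch, while the answer's recommended PVID 99 / 1T,2T,3T,99U on both ends produces no findings.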