Cisco – Which VLANs are allowed on this trunk

Tags: cisco, trunk, vlan

I'm getting some mixed signals when configuring a trunk on a Cisco switch and I'd like to know which VLANs are actually being allowed on it. The way I want it to be is that only VLANs 1,10,20,30,99 should be allowed. Have a look at the output:

S1(config-if)#do show int tru
Port        Mode         Encapsulation  Status        Native vlan
Gig1/1      on           802.1q         trunking      99
Gig1/2      on           802.1q         trunking      99

Port        Vlans allowed on trunk //What is this?
Gig1/1      1-1005
Gig1/2      1-1005

Port        Vlans allowed and active in management domain //What is this?
Gig1/1      1,10,20,30,99
Gig1/2      1,10,20,30,99

Port        Vlans in spanning tree forwarding state and not pruned //What is this?
Gig1/1      none
Gig1/2      1,10,20,30,99

What confuses me is that first it states that all VLANs in range 1-1005 are allowed and then it says 1,10,20,30,99 are "allowed and active in management domain" – what is that supposed to mean? What do the different headings mean?

Best Answer

When you configure a trunk link with the command:

(config-if)#switchport mode trunk

all the vlans will be allowed in the trunk link.

If you want to control which VLANs are allowed in a trunk link use the following commands:

(config-if)#switchport trunk allowed vlan
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

For example if you want to allow VLANs 1,10,20,30,99 in a trunk link you have to type:

(config-if)#switchport trunk allowed vlan 1,10,20,30,99

Pay attention that if you want to add a VLAN on a trunk link (for example VLAN 100) you have to use the add statement (this is a really common mistake), for example:

(config-if)#switchport trunk allowed vlan add 100

When you read "Vlans allowed and active" it simply means that just the active VLANs (the ones you have defined) are allowed in that trunk link.

Reference here: How to define the VLANs allowed on a trunk link

EDIT: Analyzing the output of the show interface trunk command, it's easy to see that it is organized in four sections:

  • The first one is a list of all the trunk interfaces together with the encapsulation and the native VLAN.

  • As for the second and the third sections, the important point to clarify is the difference between allowed and active. Allowed simply stands for "it is allowed to pass", while active means "this VLAN is up and running in the switch". Note that active does not simply mean "it is present in the database", since you can shut down a VLAN with (config-vlan)#shutdown.

  • The last one deserves a little note; when dealing with PVST (Per-VLAN Spanning Tree) the switch creates a loop-free topology for each L2 broadcast domain (VLAN). Since each VLAN does not necessarily share the same physical topology, there could be the case in which, even if a VLAN is active and allowed, that VLAN will not be forwarded across the trunk interface. This is because that interface is not in the Forwarding state for that particular PVST process. It is also possible that a VLAN is not forwarded across a trunk if it has been pruned by the VTP pruning process.
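The two points the answer makes (a bare `switchport trunk allowed vlan <list>` replaces the whole list while `add`/`remove` edit it, and the three VLAN columns of `show interfaces trunk` mean different things) are easy to get wrong when reviewing a switch config, so here is an added example, not part of the original question or answer, that simulates the command's keywords and audits the `show interfaces trunk` text from the question against the intended VLAN set. The parser, the `audit_trunk` finding names and the 1-4094 full range are my own assumptions for this script (IOS shows 1-1005 on switches without extended-range VLANs); the sample output is copied from the question above.

```python
"""Simulate `switchport trunk allowed vlan ...` and audit `show interfaces trunk`.

Added example for this Q&A page; not code from the original post or from Cisco.
"""

# Assumption: extended-range VLAN IDs are supported, so "all" means 1-4094.
FULL_RANGE = frozenset(range(1, 4095))


def parse_vlan_list(text):
    """'1,10-12,99' -> {1, 10, 11, 12, 99}; 'none' -> set(); 'all' -> 1-4094."""
    text = text.strip().lower()
    if text == "none":
        return set()
    if text == "all":
        return set(FULL_RANGE)
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def apply_allowed_vlan(current, args):
    """Apply one `switchport trunk allowed vlan <args>` to the current allowed set."""
    tokens = args.split(None, 1)
    keyword = tokens[0].lower()
    rest = tokens[1] if len(tokens) > 1 else ""
    if keyword == "all":
        return set(FULL_RANGE)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(FULL_RANGE) - parse_vlan_list(rest)
    # A bare list REPLACES the whole allowed list: the mistake the answer warns about.
    return parse_vlan_list(args)


def simulate_config(commands, start=None):
    """Run a sequence of allowed-vlan commands; a fresh trunk starts with all VLANs allowed."""
    allowed = set(FULL_RANGE) if start is None else set(start)
    for cmd in commands:
        allowed = apply_allowed_vlan(allowed, cmd)
    return allowed


# Copied from the question's `show int trunk` output.
SAMPLE_SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gig1/1      on           802.1q         trunking      99
Gig1/2      on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gig1/1      1-1005
Gig1/2      1-1005

Port        Vlans allowed and active in management domain
Gig1/1      1,10,20,30,99
Gig1/2      1,10,20,30,99

Port        Vlans in spanning tree forwarding state and not pruned
Gig1/1      none
Gig1/2      1,10,20,30,99
"""

# Header substrings that identify each of the four sections of the output.
SECTION_HEADERS = {
    "native vlan": "native",
    "vlans allowed on trunk": "allowed",
    "vlans allowed and active in management domain": "active",
    "vlans in spanning tree forwarding state and not pruned": "forwarding",
}


def parse_show_trunk(output):
    """Return {port: {'native': int, 'allowed': set, 'active': set, 'forwarding': set}}."""
    trunks = {}
    section = None
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Port"):
            low = line.lower()
            section = next((name for key, name in SECTION_HEADERS.items() if key in low), None)
            continue
        if section is None:
            continue
        fields = line.split()
        entry = trunks.setdefault(fields[0], {})
        if section == "native":
            entry["native"] = int(fields[-1])
        else:
            entry[section] = parse_vlan_list(fields[1])
    return trunks


def audit_trunk(trunk, expected):
    """Findings for one trunk, keyed by a (hypothetical) finding name -> offending VLAN IDs."""
    findings = {}
    allowed = trunk.get("allowed", set())
    extra = allowed - expected
    if extra:  # anything beyond the intended list can cross the trunk once it becomes active
        findings["allowed_too_wide"] = extra
    missing = expected - allowed
    if missing:
        findings["expected_not_allowed"] = missing
    if trunk.get("native") == 1:
        findings["native_vlan_default"] = {1}
    not_forwarding = trunk.get("active", set()) - trunk.get("forwarding", set())
    if not_forwarding:  # allowed and active, but STP-blocked or VTP-pruned on this port
        findings["active_not_forwarding"] = not_forwarding
    return findings


if __name__ == "__main__":
    intended = {1, 10, 20, 30, 99}
    print("replace mistake ->", sorted(simulate_config(["1,10,20,30,99", "100"])))
    print("with add       ->", sorted(simulate_config(["1,10,20,30,99", "add 100"])))
    for port, trunk in parse_show_trunk(SAMPLE_SHOW_TRUNK).items():
        for name, ids in audit_trunk(trunk, intended).items():
            print(port, name, len(ids), "VLAN(s), e.g.", sorted(ids)[:5])
```

Running it against the question's output reports both trunks as `allowed_too_wide` (1000 VLAN IDs beyond the intended five, because the configured list is still the default 1-1005) and Gig1/1 additionally as `active_not_forwarding` for all five VLANs, which matches the `none` in the last column. Tightening the list with `switchport trunk allowed vlan 1,10,20,30,99` makes the first finding disappear; the second is a spanning-tree or VTP-pruning state, not a configuration error, and has to be read from the topology.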