Filtering VLANs “Allowed on Trunk” on the CLI, discussing options and methods, and some real world info mixed in there!

[Topology diagram: Trunking_Top_VTP_Allowed]

The above topology is a good reason you may not want to allow all traffic over your Trunk ports, which will be explained below, as you may have guessed!

(I did change the switch configs / cabling for this lab session to the  above topology)

Adjusting switch 2 properly with port moving and deleting VLANs:

To delete the VLANs on switch 2, in global config I issued “no vlan #” and the VLAN was gone, but you do need to move the ports manually if they are hard coded to a VLAN #. A port left assigned to a VLAN that no longer exists goes inactive (it shows as such in “sh int switchport”) and forwards nothing until you move it.

So to kick interfaces 2 and 4 on SW2 back to VLAN 1, I issued “no switchport access vlan #” and it kicked them back into the default VLAN 1.

Now when we speak about VLANs “Allowed” on the Trunk, we are referring to this section of the “sh int trunk” output:

SW1#sh int trunk

Port Mode Encapsulation Status Native vlan
Fa1/0/10 on 802.1q trunking 1
Fa1/0/20 on 802.1q trunking 1

Port Vlans allowed on trunk
Fa1/0/10 1-4094
Fa1/0/20 1-4094

Port Vlans allowed and active in management domain
Fa1/0/10 1,100,200,300,400
Fa1/0/20 1,100,200,300,400

Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/10 1,100,200,300,400
Fa1/0/20 1,100,200,300,400
SW1#

Let’s say you have an Engineering department that requires a Voice / Data / Wireless / Server VLAN on one switch, and it is connected to a Trunk that leads to the Access switch for the Payroll department, which only has some hard wired PC’s / Printers all on the same subnet and VLAN 1 (or maybe they have their own unique VLAN #’s).

That is a lot of Broadcast traffic being allowed over the Trunk to a switch that does not have any of the VLANs that Broadcast traffic belongs to, and it is wasting (or adding to the ‘cost’ of) CPU and Bandwidth resources of the LAN on both switches. It is also a reachability problem: any VLAN the trunk carries is a VLAN a host behind that access switch can potentially get a frame into, so the allowed list is a least-privilege control as much as a performance one.

So let’s take a look at how to correct this, starting with our options on how to go about allowing or disallowing certain VLANs, and the syntax involved:

SW1(config)#int fa1/0/10
SW1(config-if)#switch trunk allowed ?
vlan Set allowed VLANs when interface is in trunking mode

SW1(config-if)#switch trunk ?
allowed Set allowed VLAN characteristics when interface is in trunking mode
encapsulation Set trunking encapsulation when interface is in trunking mode
native Set trunking native characteristics when interface is in trunking mode
pruning Set pruning VLAN characteristics when interface is in trunking mode

SW1(config-if)#switch trunk allowed ?
vlan Set allowed VLANs when interface is in trunking mode

SW1(config-if)#switch trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list

So I wanted to show the path of commands to get to our options, and the last block of output is the list of options, which are all pretty self explanatory. They are also pretty complete: if you stop to imagine creating an “allowed” list for a moment, there are obviously several ways using this output to accomplish creating one (set the list outright with a WORD, start from all / none, or adjust the current list with add / remove / except).

There was one thing I wanted to confirm, whether the nuke command of “none” would remove the default VLAN 1 from being allowed over the trunk:

SW1(config-if)#switch trunk allowed vlan none
SW1(config-if)#do sh int trunk

Port Mode Encapsulation Status Native vlan
Fa1/0/10 on 802.1q trunking 1
Fa1/0/20 on 802.1q trunking 1

Port Vlans allowed on trunk
Fa1/0/10 none
Fa1/0/20 1-4094

Port Vlans allowed and active in management domain
Fa1/0/10 none
Fa1/0/20 1,100,200,300,400

Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/10 none
Fa1/0/20 1,100,200,300,400
SW1(config-if)#

Yes indeedly doo, for the switchport I am working on anyways, but it in no way impacts that those 5 default VLANs 1, 1002-1005 are still on the switch itself, so don’t let that trip you up on exam day! One caveat worth knowing: removing VLAN 1 (the native VLAN here) from the allowed list stops user data in VLAN 1 from crossing the trunk, but control traffic such as CDP, VTP, DTP and PAgP/LACP still rides VLAN 1 on the trunk regardless.

To negate the command you have two choices: either “switchport trunk allowed vlan all”, or the usual “no switchport trunk allowed vlan”. Both put the port back to its default of all VLANs and you’re back in business.

So we could filter these VLANs from either SW1 or SW2, but we want to stop them before they even cross the link, so we disallow them on SW1 (in practice you configure the same allowed list on both ends, since a mismatched list just means one side silently drops what the other still sends).

So at first, based on the help output, I removed the 4 VLANs from SW1’s side one at a time, but in further digging into it I found an easier way that the IOS help doesn’t spell out, grr:

SW1(config-if)#switchport trunk allowed vlan except 100 ?
<cr>

SW1(config-if)#switchport trunk allowed vlan remove ?
WORD VLAN IDs of disallowed VLANS when this port is in trunking mode

SW1(config-if)#switchport trunk allowed vlan remove 100 ?
<cr>

SW1(config-if)#switchport trunk allowed vlan remove 100
SW1(config-if)#switchport trunk allowed vlan remove 200
SW1(config-if)#switchport trunk allowed vlan remove 300
SW1(config-if)#switchport trunk allowed vlan remove 400
SW1(config-if)#

At first glance “except” and “remove” look like they do the exact same thing, but they don’t. “remove” subtracts the VLANs you name from the current allowed list, while “except” throws the current list away and replaces it with all VLANs except the ones you name. They only produce the same result when you start from the default of all VLANs. I was hoping one of them would let me take out multiple VLANs in one line, and (as it turns out below) both do, so I went with remove here. Again I just unplugged the Trunk on Fa1/0/20, we’ll work with one trunk this lab.

NOW, there is an easier way to do this that I will demonstrate on the Fa1/0/20 Trunk: the “WORD” in the IOS help is actually a VLAN list, so it accepts comma separated IDs and hyphenated ranges (for example 100,200,300-400) even though the help doesn’t say so:

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int fa1/0/20
SW1(config-if)#switchport trunk allowed vlan except 100,200,300,400
SW1(config-if)#do sh int trunk

Port Mode Encapsulation Status Native vlan
Fa1/0/10 on 802.1q trunking 1
Fa1/0/20 on 802.1q trunking 1

Port Vlans allowed on trunk
Fa1/0/10 1-99,101-199,201-299,301-399,401-4094
Fa1/0/20 1-99,101-199,201-299,301-399,401-4094

Port Vlans allowed and active in management domain
Fa1/0/10 1
Fa1/0/20 1

Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/10 1
Fa1/0/20 1
SW1(config-if)#


I laughed out loud, this really makes me wish there was a “Port Vlans not allowed” section under the allowed portion of the output, crikey.

However it does illustrate those VLANs are now removed from being allowed, with a few new allowed ranges in there, so just remember for exam day that any numbers missing from that allowed range aren’t going over that Trunk! (I could see Cisco making a messy question like that as one of its infamous gotcha type questions.)
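Since IOS only shows the allowed ranges and never the gaps, here is a small Python model of the “switchport trunk allowed vlan” keywords as set operations, plus a parser that turns the “Vlans allowed on trunk” section of “sh int trunk” into the “not allowed” list the output is missing. This is an added example, not code from the original post or from Cisco; the set semantics are the documented IOS behaviour (except replaces the whole list, add / remove edit it), and the sample show output is constructed from the outputs on this page.

```python
"""Model IOS 'switchport trunk allowed vlan' semantics and report VLANs NOT
allowed on a trunk. Added example; sample show output below is constructed."""

ALL_VLANS = frozenset(range(1, 4095))  # 802.1Q VLAN IDs 1-4094


def parse_vlan_list(text):
    """'1-99,101-4094' -> set of ints. 'none' -> empty set, 'all' -> every VLAN."""
    text = text.strip().lower()
    if text == "none":
        return set()
    if text == "all":
        return set(ALL_VLANS)
    ids = set()
    for part in filter(None, (p.strip() for p in text.split(","))):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part}")
        ids.update(range(lo, hi + 1))
    return ids


def format_vlan_list(ids):
    """Set of ints -> IOS-style compressed list, e.g. '1-99,101-4094'."""
    if not ids:
        return "none"
    runs, start, prev = [], None, None
    for v in sorted(ids):
        if start is None or v != prev + 1:
            if start is not None:
                runs.append(f"{start}-{prev}" if start != prev else str(start))
            start = v
        prev = v
    runs.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(runs)


def apply_allowed(current, keyword, vlans=""):
    """Apply one 'switchport trunk allowed vlan <keyword> [list]' to 'current'."""
    arg = parse_vlan_list(vlans) if vlans else set()
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "except":      # replaces the whole list: all minus the argument
        return set(ALL_VLANS) - arg
    if keyword == "add":         # edits the current list
        return current | arg
    if keyword == "remove":
        return current - arg
    return parse_vlan_list(keyword)  # a bare VLAN list also replaces the list


def replay_page_sequence():
    """Replay the commands typed on Fa1/0/10 in this post; return the list after each."""
    steps = [("none", ""), ("all", ""), ("remove", "100"), ("remove", "200"),
             ("remove", "300"), ("remove", "400"), ("add", "200")]
    allowed, history = set(ALL_VLANS), []
    for kw, arg in steps:
        allowed = apply_allowed(allowed, kw, arg)
        history.append(format_vlan_list(allowed))
    return history


def except_vs_remove():
    """Starting with 100 already removed, show that 'except 200' silently
    re-allows 100 while 'remove 200' keeps it out."""
    start = parse_vlan_list("1-99,101-4094")
    return (format_vlan_list(apply_allowed(start, "except", "200")),
            format_vlan_list(apply_allowed(start, "remove", "200")))


# Constructed from the 'sh int trunk' outputs on this page (not captured verbatim).
SAMPLE_SHOW_INT_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa1/0/10    on           802.1q         trunking      1
Fa1/0/20    on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/0/10    1-99,101-199,201-299,301-399,401-4094
Fa1/0/20    1-99,101-4094

Port        Vlans allowed and active in management domain
Fa1/0/10    1
Fa1/0/20    1
"""


def not_allowed_report(show_output):
    """Parse the 'Vlans allowed on trunk' section and return {port: VLANs NOT allowed}."""
    report, in_section = {}, False
    for line in show_output.splitlines():
        if line.startswith("Port") and "allowed on trunk" in line:
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            port, allowed = line.split(None, 1)
            report[port] = format_vlan_list(set(ALL_VLANS) - parse_vlan_list(allowed))
    return report


if __name__ == "__main__":
    for step in replay_page_sequence():
        print("allowed:", step)
    print("except vs remove:", except_vs_remove())
    print("NOT allowed:", not_allowed_report(SAMPLE_SHOW_INT_TRUNK))
```

The replay reproduces the allowed ranges shown on this page step by step, and except_vs_remove() is the gotcha the help text hides: “except” is a full replacement, so using it on a trunk that already has a pruned list quietly re-allows everything you removed earlier.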

Now if suddenly we decide to give Payroll phones, even though they never use them at any company ever, we can use the ‘add’ option to throw a VLAN back in there for both Trunks and allow VLAN 200 (Yes I named the VLAN Voice, as you should always name your VLANs!)

Lets actually see if I can add it back by name “Voice” in the command:

SW1(config-if)#switchport trunk allowed vlan add Voice
Command rejected: Bad VLAN list – character #1 is a non-numeric character (‘V’).
SW1(config-if)#

Lame. We could verify the Voice VLAN is 200 by “sh vlan br” but I’ll spare the output, and just add 200 back to both Trunks:

SW1(config-if)#switchport trunk allowed vlan add 200
SW1(config-if)#int fa1/0/10
SW1(config-if)#switchport trunk allowed vlan add 200
SW1(config-if)#do sh int trunk

Port Mode Encapsulation Status Native vlan
Fa1/0/10 on 802.1q trunking 1
Fa1/0/20 on 802.1q trunking 1

Port Vlans allowed on trunk
Fa1/0/10 1-99,101-299,301-399,401-4094
Fa1/0/20 1-99,101-299,301-399,401-4094

Port Vlans allowed and active in management domain
Fa1/0/10 1,200
Fa1/0/20 1,200

Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/10 1
Fa1/0/20 1
SW1(config-if)#

You can see it is obviously back in the allowed range there on both Trunks, and it now also shows as allowed “and active” in the management domain (it only shows up in the spanning tree forwarding line once the VLAN actually has a forwarding port on that switch).

That extra stuff regarding the VLAN Database, and Management Domain

So I am not finding a very coherent response to the several different ways this was asked on support forums, however the one thing I found is it is somehow engrained into the local VLAN database – So I want to test this.

In Flash Memory, there is a file on the switch called “vlan.dat” which will be reviewed extensively in the VTP section, but for now I am going to “wr” the config / delete vlan.dat / reload the switch to see if the VLANs shown in the management domain are part of the local database.

If so, they should be gone from int trunk after deleting the vlan.dat file:

SW1#sh flash

Directory of flash:/

2 drwx 512 Mar 1 1993 00:10:05 +00:00 c3750-ipservicesk9-mz.150-2.SE9
528 -rwx 109 Mar 1 1993 00:23:50 +00:00 info
529 -rwx 1915 Mar 1 1993 03:14:50 +00:00 private-config.text
530 -rwx 796 Mar 1 1993 02:15:15 +00:00 vlan.dat
531 -rwx 4120 Mar 1 1993 03:14:50 +00:00 multiple-fs
532 -rwx 2243 Mar 1 1993 03:14:50 +00:00 config.text

27998208 bytes total (5273088 bytes free)
SW1#

Thar she blows:

SW1#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
SW1#wr
Building configuration…
[OK]
SW1#reload
Proceed with reload? [confirm]

For good measure I did a write before the reload, and we’ll see once it reboots…

… okay let’s check it out. First, one interesting thing I noticed during its boot sequence, which you can only see when using a console connection (telnet / ssh with ‘term mon’ on will not show boot sequence info; you’re welcome for the real world info), is this:

cisco WS-C3750V2-24PS (PowerPC405) processor (revision S0) with 131072K bytes of memory.
Processor board ID FDO1640X1W8
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 1C:E6:C7:C1:C8:00
Motherboard assembly number : 73-12633-01
Power supply part number : 341-0266-03
Motherboard serial number : FDO16400W2E
Power supply serial number : LIT1621081M
Model revision number : S0
Motherboard revision number : F0
Model number : WS-C3750V2-24PS-S
System serial number : FDO1640X1W8
Top Assembly Part Number : 800-33158-03
Top Assembly Revision Number : B0
Version ID : V08
CLEI Code Number : CMMEE00BRB
Hardware Board Revision Number : 0x02


Switch Ports Model SW Version SW Image
—— —– —– ———- ———-
* 1 26 WS-C3750V2-24PS 15.0(2)SE9 C3750-IPSERVICESK9-M


% Access VLAN does not exist. Creating vlan 100
% Access VLAN does not exist. Creating vlan 200
% Access VLAN does not exist. Creating vlan 300
% Access VLAN does not exist. Creating vlan 400


Press RETURN to get started!

Read that message literally: “Access VLAN does not exist. Creating vlan 100” means the VLAN really was gone (deleting vlan.dat did its job), and IOS re-created it while applying config.text at boot, because access ports on SW1 are still hard coded with “switchport access vlan 100” and so on. So the VLANs didn’t survive in vlan.dat; the saved interface config brought them straight back, and the switch wrote a brand new vlan.dat as a result.

So lets have a look at “sh int trunk” :

SW1#sh int trunk

Port Mode Encapsulation Status Native vlan
Fa1/0/10 on 802.1q trunking 1
Fa1/0/20 on 802.1q trunking 1

Port Vlans allowed on trunk
Fa1/0/10 1-99,101-4094
Fa1/0/20 1-99,101-299,301-399,401-4094

Port Vlans allowed and active in management domain
Fa1/0/10 1,200,300,400
Fa1/0/20 1,200

Port Vlans in spanning tree forwarding state and not pruned
Fa1/0/10 1,200,300,400
Fa1/0/20 1,200

I checked Flash and of course there is another vlan.dat file in there, so let’s look at what the switch itself says about where its VLAN database came from before we get into VTP proper:

SW1#sh vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 1ce6.c7c1.c800
Configuration last modified by 0.0.0.0 at 3-1-93 00:02:08
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
————–
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 9
Configuration Revision : 4
MD5 digest : 0x17 0xCB 0x40 0x14 0x59 0x24 0xA0 0x7F
0x8F 0xAA 0xE7 0xEF 0x53 0x52 0xCC 0x61
SW1#

Note what the status is actually telling us: the VTP Domain Name is blank and the Local updater ID is 0.0.0.0 (no valid interface found), so this switch did not learn those VLANs from a VTP peer. The “Configuration last modified by 0.0.0.0 at 3-1-93 00:02:08” timestamp is the switch modifying its own database a couple of minutes into boot, exactly when it printed those “Creating vlan” lines, which is what bumped the revision and produced the new vlan.dat. The takeaway for the real world: if you want a switch to come up with a truly empty VLAN database, delete vlan.dat AND get rid of the access-vlan assignments (or erase startup-config) before the reload, otherwise the config re-creates them. We will cover VTP entirely coming up shortly.

Next up is a quick lab from the above topology to demonstrate disallowing a VLAN, then we have Voice VLANs to cover, and then we are gonna get down with VTP (Yeah you know me)!
