Authenticating Trunk Ports - VLAN list

Similar Messages

• Unable to add allowed VLANs to TenGig trunk port

  Hi,
  I've got a ten gig interface on a 6509 running 12.2(33) configured as a trunk, but I've not been able to add any allowed VLANs as I've done before on other ten gig ports on different 6509 chassis. Am I missing something obvious?
  I'm assuming that the reason I'm unable to set the encapsulation to dot1q is because the new hardware doens't support ISL, hence no need. The command to add the VLANs however doesn't get rejected, it just doesn't appear to do anything.
  I've tried adding single VLANs and multiples, but no joy. Any ideas?
  Here's what I've done:
  SWITCH_1631(config)#default int t4/1
  Interface TenGigabitEthernet4/1 set to default configuration
  SWITCH_1631#sh ru int t4/12
  Building configuration...
  Current configuration : 65 bytes
  interface TenGigabitEthernet4/12
   no ip address
   shutdown
  end
  SWITCH_1631(config)#int t4/1
  SWITCH_1631(config-if)#switchport
  SWITCH_1631(config-if)#switchport mode trunk
  SWITCH_1631(config-if)#switchport trunk allowed vlan ?
    WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
    add     add VLANs to the current list
    all     all VLANs
    except  all VLANs except the following
    none    no VLANs
    remove  remove VLANs from the current list
  SWITCH_1631(config-if)#switchport trunk allowed vlan add 700
  SWITCH_1631(config-if)#
  SWITCH_1631#sh vlan id 700
  VLAN Name                             Status    Ports
  700  VLAN_NAME                        active    <snip>
  SWITCH_1631#sh ru int t4/1
  Building configuration...
  Current configuration : 74 bytes
  interface TenGigabitEthernet4/1
   switchport
   switchport mode trunk
  end

  Steve,
  Thanks for getting back to me. You're right that it is by default a dot1q trunk allowing all VLANs, therefore it should work for what I want to do.
  Port                Mode         Encapsulation  Status        Native vlan
  Gi3/39              on           802.1q         trunking      1
  Te4/1               on           802.1q         trunking      1
  Po1                 on           802.1q         trunking      50
  Po2                 on           802.1q         trunking      50
  Po3                 on           802.1q         trunking      50
  Po4                 on           802.1q         trunking      50
  Po5                 on           802.1q         trunking      50
  Port                Vlans allowed on trunk
  Gi3/39              15-16,20-23,30,401,608
  Te4/1               1-4094
  Po1                 10,13,20-21,25,30,50,52,61,70,600,700-701,950
  Po2                 10,20,30,50,52,61,70,600,700-701,950
  Po3                 10,20,30,50,61,70,600,700-701,950
  Po4                 10,20,30,50,61,70,600,700-701,950
  Po5                 2-3,10-23,25-26,30,35-36,40,50-53,56,58,61,65,70,77,101-102,145-146,155-158,401-402,600-602,608,700-701,800,950
  The problem was that I've always been advised that best practise is to only allow the VLANs that are actually required on a trunk to avoid broadcasting traffic unnecessarily. I worked out what the issue was though, and it was a pretty simple one!
  Once I saw that 1-4094 was allowed I tried "switchport trunk allowed vlan remove 700" which worked and left me with 1-699,701-4094.
  Then I realised what the problem was  trying to use the "add" command when all possible VLANs had already been added. As soon as I got rid of it and used "switchport trunk allowed vlan 700" followed by "switchport trunk allowed vlan add 701" I was back in business.
  So it was a very simple issue, but thank you Steve for pointing me in the right direction and confirming that all the VLANs were already allowed!

• Manipulating allowed VLAN list on trunks

  I am in the process of restricting some of my VLANs so that they can be accessed only on the switches that actually need them. I have a VTP domain, so I am doing it by manipulating the "allowed" lists on the trunks. I have a mixed environment of IOS 4500, CatOS 4000, CatOS 5500, and IOS 29xx.
  So, I have a number of questions and observations:
  1. There are some special default VLANs, 1002-1005, which are designated fddi-default, token-ring-default etc. In an Ethernet-only environment, is there any harm if I clear these from all the trunks?
  2. I do not use the extended VLAN range 1025-4095. Is there any harm if I clear these from all trunks?
  3. Just out of academic interest, what ever happened to VLANs 1006 to 1024? They do not appear in any of the default "allowed" lists. Are they reserved for something?
  4. Suppose my native VLAN for my trunks is not 1, let us say 99. And my management is on yet another VLAN, say 98. What happens if I try and clear the native VLAN 99 from the trunks? (Yes, I know I should try this in a lab, but does anyone know the answer to save me the effort of setting it up?)
  5. Suppose I have a VLAN, say 50, that is only needed in two switches, so I clear it from all trunks except the one between those two switches. But all the switches know about it cos it is in the VTP list. I notice that in the IOS switches, the PVST+ instance for that VLAN get shut down. In the CatOS switches, the STP seems to continue to run, but the root bridge is designated as 00-00-00-00-00-00. Are these two behaviors consistent, i.e. what is actually going on in the CatOS case? (AAMOF, in the IOS switches, it is enough that none of the ports has an "up" presence in the VLAN, and the PVST+ instance shuts down, even if there are "down" ports configured to use it.
  6. Is there any way to set a global default "allowed" list in a switch, so that any new trunks only allow those VLANs, regardless of what is in the VTP list? (That is, apart from setting it to "transparent", which have other unwanted side effects such as not being aware of the creation of new VLANs.)
  That's a lot of questions. The new edition of the Clarke/Hamilton book is well overdue!
  Kevin Dorrell
  Luxembourg

  Glen,
  Thanks for the responses.
  1. I shall clear them out immediately.
  2. I shall clear them out immediately.
  3. It's a mystery. Anyone?
  4. It was 99 because that VLAN was created specifically to accommodate the trunks. Unfortunately, in that particular network, VLAN 1 was still in use as an access VLAN. It is recommended not to have any access ports on the VLAN that is used as the native on the trunks, to prevent VLAN-hopping. Most NetAdmins do this by putting all the access ports anywhere but VLAN 1, and keeping VLAN 1 for trunk natives and/or management. This network did it the other way round, by shifting the native of the trunks off onto an unused VLAN. But I don't know what would happen if I cleared the native VLAN off the trunk.
  5. I think here we need to distinguish between VTP and STP, and between allowed lists and pruning. I am not pruning here, I am actually clearing the VLANs from the trunks. In the case of pruning, the VTP declines to send the broadcasts down the trunk if they are not useful at the access layer switch, but the Spanning Tree topology is not affected. In the case of clearing, the Spanning Tree topology of the VLAN is actually modified, as if the trunk did not exist for that VLAN. OTOH, the VTP VLAN list is propagated to all switches, regardless of whether they have any presence on each VLAN. So according to the VTP server and all clients, there is a load of VLANs active in the domain. But if you have an allowed list on all the trunks, it could well be that the access switch knows about a VLAN, but does not have any presence on it. That is when the IOS shuts down the PVST+ STP for that VLAN, and a CatOS switch registers the root bridge as 00-00-00-00-00-00. As opposed to the case where the VTP domain does not have a VLAN in its database, so the CatOS has no STP instance for it.
  6. Anyone else?
  Thanks for the responses.
  Kevin Dorrell
  Luxembourg

• Multiple ports vlan trunking

  Hello, I recently purchased a 3560 switch and I am relatively new with VLANs.
  What I need to do is quite simple:
  I need multiple fastethernet ports into multiple VLANs on a single switch. For that, I need to trunk these ports but nothing seems to work properly.
  I created multiple VLANs (vlan 100, 200 and 300), but by default each VLAN can see each other (my allowed vlan list is set to ALL on each port).
  When I setup the restrictions of that allowed vlan list, the problem is each port see each other. Example: Port 0/22 is set allowed vlan 100,200 .. but that port still can see vlan 300. I configured Native VLAN on VLAN50 (empty VLAN) for each port on the switch.
  I tried on a 3560 and a 2950, but exactly the same problem occurs.
  The problem is really basic but I'm on it since 1 week. Is there anyone who could help me please?

  Check below link for detail configuration & information.
  http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84be.html
  If you want to remove the vlan from the trunk, you can simply use below command :
  switchport trunk allowed vlan remove 300
  Hope this helps.

• Switch Port Trunk allowed Vlan

  Hi Guys
  Request your help on my query :
  I have a distribution switch  and access switch and port channel between them.
  Dist switch is the VTP server
  lets assum I have 25 vlan
  when I do show vlan brief on the access switch I can see all 25 vlans listed now
  no when I configure switch port trunk allowed vlan (ex : permitting 10 vlans )on the link connecting to access switch at Dist switch
  Dist switch po1 -- connecting to - po Access switch
  Dist switch #
  int po1
  switch port trunk alllowed vlan x,x,x,x,x,x,x,x,x,
  After permitting 10 vlan through trunk allowed vlan and then when I do show vlan brief on the access switch , I should see only the 10 vlan whcih I have permiited right ?
  Thanks in advance  

  Hi,
  John is absolutely correct - even if you do not permit a VLAN on a trunk, it can still provide communication among local ports on a switch that are all assigned to the same VLAN.
  I have a feeling that your original question was focused on a different aspect, though: You probably expected that if you exclude some VLANs from trunks, these VLANs will not be propagated via VTP to surrounding switches. Sadly, this is not the case. The switchport trunk allowed vlan command only affects data traffic in individual VLANs but it has no impact on the operation of VTP protocol. The VTP still advertises all VLANs, regardless of which VLANs are allowed on a trunk. To put it plainly, in a VTP domain, all server/client switches will know about all VLANs. THere is no legal possibility of having a single VTP domain consisting of server/client switch and yet have the switches differ in their VLAN database contents. It's as easy as that: one VTP domain = one big common VLAN database.
  Best regards,
  Peter

• How to add VLAN to trunk port on Cisco SF200-24

  Hello All,
  I have question want to ask: 
  I have Cisco switch SF200-24 I want to configuration VLAN as below:
  Port 1 to 10 = Vlan 100
  Port 11 to 21 = Vlan 200
  Port 22 to 24 = Vlan 300
  Port GE1 = Trunking (Primary)
  Port GE2 = Trunking (Secondary)
  How to add all VLAN 100, 200, 300 go through Trunking Primary and Secondary?
  Which port can I connect for management switch?
  Thanks 

  > How to add all VLAN 100, 200, 300 go through Trunking Primary and Secondary?
  firstly set those ports as trunks via "VLAN Management" -> "Interface settings" - click on corresponding port, click on "edit.." button and select "Trunk" from list.
  Once those ports (GE1 and GE2) are as trunks, you can now assign them all desired VLANs via "VLAN Management" -> "Port VLAN Membership". Select first port (GE1), click "join VLAN" and select all desired VLANs from left list and put them to right list.
  and you are done.
  > Which port can I connect for management switch?
  by default, switch management IP is a part of default VLAN1. If you wanted to keep access to your switch, assign "VLAN1" to one of access ports, or change management VLAN to different number than 1 - but in this case dont forget to apply correct IP settings in order to meet subnet assigned in new VLAN.

• Trunked port active in vlan

  Maybe there's an obvious answer, but I have this strange thing;
  Switchport config
  interface GigabitEthernet0/2
   description Trunk to CORE02
   switchport mode trunk
   shutdown
   srr-queue bandwidth share 10 10 60 20
   queue-set 2
   priority-queue out
   mls qos trust cos
   auto qos voip trust
  sh vlan brie
  VLAN Name                             Status    Ports
  1    default                          active    Gi0/2
  Why is it that this port, which is configured as a trunk port, shows up as active in vlan1? Also when I do a show interfaces trunk, this specific port is not listed as a trunked port. By the way I had to shutdown the port because it was causing issues. It's a redundant link, when enabled I would expect spanning tree to do it's magic, but somehow it does not and instead causes half of our lan to become unreachable. Not sure why.

  in my switch I can not delete it
  Switch Ports Model              SW Version            SW Image                 
  *    1 52    WS-C2960S-48TS-L   12.2(58)SE2           C2960S-UNIVERSALK9-M     
  interface GigabitEthernet1/0/41
   description 2960_24_POE_5_24
   switchport mode trunk
   spanning-tree portfast
  _Cat_2960s_5_1#sh vla br
  VLAN Name                             Status    Ports
  1    default                          active    Gi1/0/41, 
  _Cat_2960s_5_1#
  _Cat_2960s_5_1#sh runn all | b interface GigabitEthernet1/0/41
  interface GigabitEthernet1/0/41
   description 2960_24_POE_5_24
   switchport
   switchport access vlan 1
   switchport private-vlan trunk encapsulation dot1q
   switchport private-vlan trunk native vlan tag
   switchport mode trunk
   no switchport nonegotiate
   no switchport protected
   no switchport block multicast
   no switchport block unicast
   switchport port-security maximum 1
   no switchport port-security
  _Cat_2960s_5_1#conf t
  Enter configuration commands, one per line.  End with CNTL/Z.
  _Cat_2960s_5_1(config)#interface GigabitEthernet1/0/41
  _Cat_2960s_5_1(config-if)#no switchport access vlan 1
  _Cat_2960s_5_1(config-if)#^Z
  _Cat_2960s_5_1#
  _Cat_2960s_5_1#
  _Cat_2960s_5_1#
  _Cat_2960s_5_1#
  _Cat_2960s_5_1#
  _Cat_2960s_5_1#
  _Cat_2960s_5_1#sh runn all | b interface GigabitEthernet1/0/41
  interface GigabitEthernet1/0/41
   description 2960_24_POE_5_24
   switchport
   switchport access vlan 1
   switchport private-vlan trunk encapsulation dot1q
   switchport private-vlan trunk native vlan tag
   switchport mode trunk
  another trunk port with native vlan configured is not in vlan 1

• Trunk port changes assigned VLANs spontaneously

  Hello,
  I have problem with GE2 port VLAN membership in trunk mode.
  When I set GE2 port as a trunk for VLAN 11 tagged, VLAN 48 tagged
  and VLAN 666 untagged+PVID, it stays so only untill reboot.
  After reboot there are 11, 48 and 666 tagged, while VLAN 1
  untagged+PVID. Everything works somehow, but there are warnings.
  Default VLAN 11. The other side is 2960G with no vtp on port
  and vtp is globally off.
  Thank you
  SF 200-24 24-Port 10/100 Smart Switch
  Model Description:  24-Port 10/100 Smart Switch  Firmware Version:  1.1.1.8 
  Serial Number:  DNI15330085  Firmware MD5 Checksum:  0b73c744e12a6f93c711867b1188736e 
  PID VID:  SLM224GT V01  Boot Version:  1.0.0.1 
    Boot MD5 Checksum:  81359f6e6c7e640b53df27c4f05b8d60 
    Locale:  en-US 
    Language Version:  1.1.1.6 
    Language MD5 Checksum:  N/A

  Hi Igor
  Just out of interest, I see no mention that you saved the configuration in your problem description.
  As the administrators guide says on page 30,  Configurations will be lost if not saved.
  Just in case you didn't save your configuration, here is a 6 minute video that shows,  in the last minute,  how to save the configuration of a 300 series switch, but it should be identical for a 200 series product..
  https://cisco.webex.com/ciscosales/lsr.php?AT=pb&SP=MC&rID=56220782&rKey=5fc47a1c7b566b8c
  or try from the GUI
  Click Administration > File Management > Copy/Save Configuration
  Copy the running configuration to the startup configuration.
  If you have saved your configuration but still lose VLAN assignment, yes please follow the advice in the previous posting.
  regards Dave

• VTP Pruning vs Allowing VLANs on Trunk ports

  We would like to know best approach to reduce VLAN traffic on our network. We are currently trunking all fiber ports 802.1q.
  We have about 73 VLANs across the network. We have done a lot of research and there seem to be a lot of theoretical answers but no one who uses it in practice.
  Here is our current configs for fiber ports between closets:
  Cisco WMH6509
  interface GigabitEthernet2/8
   description Fiber To STB Lab 3850
   switchport
   switchport trunk encapsulation dot1q
   switchport mode trunk
   no ip address
   no snmp trap link-status
  end
  Cisco STB Lab 3850
  interface GigabitEthernet1/1/1
   description Fiber To WMH6509
   switchport mode trunk
  end
  We are considering:
  VTP Pruning Enable
             or
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 26,99,109,188
   switchport mode trunk
  Thanks,
  Tom

  Disclaimer
  The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
  Liability Disclaimer
  In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of   the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
  Posting
  As I have some years (cough - decades) software development experience, I lean toward automation solutions, so, for example, I often prefer dynamic routing over static routing, and so likewise, I prefer VTP over manual configuration on multiple devices.
  However, VTP does have some "quirks".  For example, this year I ran into an issue where an edge switch had a new VLAN defined to a port which wasn't in use on a transit switch, so VTP auto pruning, pruned it off the transit's uplink trunk.  (I was a bit of a pain to find the cause as VTP doesn't prune right away - edge worked for a bit and then it stopped working.  One fix would have been to stop using VTP auto-pruning, across the whole VTP domain, but instead, configured VTP to not auto-prune the needed VLAN across the needed trunk.)
  So, as Paul notes, VTP auto pruning might be easier to get going, but be prepared for unexpected incidents (again, not saying you'll have any, just be prepared).  So, if you're prepared, I would go with VTP auto pruning, but if you want to "play safe", go with Paul's recommendation.

• Dynamic Vlan-Trunk port

  Hi,
  Is posible to configure a Switchport like dynamic vlan port and in the same time to be trunk port?

  Hi,
  Static ports that are trunking cannot become dynamic ports. You must turn off trunking on the trunk port before changing it from static to dynamic.
  You can find more info here.
  http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2ec.html
  HTH,
  Sundar

• Private VLAN Promiscuous Trunk Port - Switches which support this function

  Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks

  4500x Yes
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
  Nexus 5k Yes
  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
  3850s
  They dont support pvs at all yet
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
  Restrictions for VLANs
  The following are restrictions for VLANs:
  The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
  The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
  Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
  Private VLANs are not supported on the switch.
  You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches.

• Dedicated VLAN ID's on trunk ports

  I was reading the SAFE:Security Blueprint for Enterprise Networks. This document addresses in its "Switches are targets" section on Page 6 that "Always use a dedicated VLAN ID for all trunk ports"...
  I am trying to understand this concept fully.
  If I consider my trunk ports, most are physical fiber "links" that interconnect the switches. Some trunk links connect Distribution L to Access L; some Distribution to Core.
  Where do I put the VLAN ID on thes?? Should I translate this to mean that on Gig0/0 on SW.1 i place this interface in VLAN 23 and on the switch on the other end of the link I also place the Gig0/0 in VLAN 23 as well??
  Also I am not sure why this helps secure the switch. Can someone pls assist. I am grateful.

  Hi,
  This is not actually the VLAN pruning.This is just specifically allowing some vlans on the trunk ports and removing other unwanted vlans.
  Prunning works in a diff way and it will save the bandwidth on the trunk links by prunning the unwanted broadcast on the trunks for a particular vlan if no host is active on that vlan on a particular switch. I.e If you dont have any active host on a vlan on a particular switch and if there is a broadcast on that vlan which will come over the trunk so if no host is active that broadcast is prunned on the trunk where no host is active on the switch.
  HTH,
  -amit singh

• SG300: MAC authentication with Radius VLAN assignment problems

  Hi,
  I just can't get the dynamic vlans working. I've tried everything, switch in L3 mode, switch in L2, several port configs, several tunnel configs in Radius server (freeradius 2.1.1)
  Here's the final switch config:
  config-file-header
  switchf460dc
  v1.3.7.18 / R750_NIK_1_35_647_358
  CLI v1.0
  set system mode switch
  file SSD indicator encrypted
  ssd-control-start
  ssd config
  ssd file passphrase control unrestricted
  no ssd file integrity control
  ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
  no spanning-tree
  vlan database
  vlan 12,100,110,666
  exit
  voice vlan oui-table add 0001e3 Siemens_AG_phone________
  voice vlan oui-table add 00036b Cisco_phone_____________
  voice vlan oui-table add 00096e Avaya___________________
  voice vlan oui-table add 000fe2 H3C_Aolynk______________
  voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
  voice vlan oui-table add 00d01e Pingtel_phone___________
  voice vlan oui-table add 00e075 Polycom/Veritel_phone___
  voice vlan oui-table add 00e0bb 3Com_phone______________
  dot1x system-auth-control
  no bonjour enable
  hostname switchf460dc
  line ssh
  exec-timeout 0
  exit
  encrypted radius-server host 192.168.99.93 key xXx priority 1 usage dot1.x
  logging host 1.2.3.4 severity debugging
  passwords aging 0
  ip ssh server
  snmp-server server
  snmp-server community public ro 192.168.99.93 view Default
  clock timezone " " +1
  clock summer-time web recurring eu
  clock source sntp
  sntp unicast client enable
  sntp server 172.16.1.1
  interface vlan 12
   ip address 192.168.99.170 255.255.255.0
   no ip address dhcp
  interface gigabitethernet5
   dot1x host-mode multi-sessions
   dot1x reauthentication
   dot1x authentication mac
   dot1x radius-attributes vlan static
   dot1x port-control auto
   switchport mode general
   switchport general allowed vlan add 100,110,666 untagged
   no macro auto smartport
  interface gigabitethernet6
   switchport mode access
   switchport access vlan 110
  interface gigabitethernet9
   switchport mode access
   switchport access vlan 12
  interface gigabitethernet10
   switchport trunk allowed vlan add 12,100,110
  exit
  ip default-gateway 192.168.99.1
  On the switch side I would expect VLAN 666 to be set but it's not there:
  switchf460dc#show dot1x users
                            MAC               Auth   Auth   Session        VLAN
  Port     Username         Address           Method Server Time
  gi5      0090dca15880     00:90:dc:a1:58:80 MAC    Remote 01:09:25
  This is the radius users file. It's a simple file for test.
  DEFAULT Auth-Type := Accept
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = 666
  I am attaching a screenshot of the Radius reply sent by the server.
  I also tried setting "copy_request_to_tunnel = yes" and "use_tunneled_reply = yes" as found in another post, no success.
  It may be that the tag is missing in the Radius reply? If yes, how do I add it?
  Any ideas?
  Thanks.
  Update Dec 11: I tried with FW 1.4.0, and using the same config the switch doesn't perform any Radius requests at all anymore.

  I was wrong when I said that 1.4.0 wouldn't work at all. I simply had a device connected which didn't produce much traffic. My bad.
  So 1.4.0 works as far as the auth is concerned, but no improvement as far as dynamic VLAN is concerned. So there is no improvement over 1.3.7, or there is a config issue.
  I have opened SR 633001533 although the last appointment for WebEx went by without anyone getting back to me. I'll try again on Monday.
  Feel free to get back to me if you need anything to make experiments. I'll keep this thread updated too.

• SG-300 CLI How to display trunk ports

  Hello
  I have a very simple question about CLI on SG-300. How to display trunk ports via cli? I have switch with 28 ports and I wanted to see what switchport mode is applied to every port - or simply we can just focus on trunk ports. On Cisco Catalysts there is "show trunk" command in order to get list of ports in Trunk mode. Is there any way to do it on SG-300?
  srv-sw-1#show version
  SW version    1.3.0.62 ( date  02-May-2013 time  14:55:01 )
  Boot version    1.1.0.6 ( date  11-May-2011 time  18:31:00 )
  HW version    V02
  thank you
  michal

  Hi,
  I remember something at least that works port by port:
  >#sh int switchport fa 1
  Port : fa1
  Port Mode: Trunk
  Gvrp Status: disabled
  Ingress Filtering: true
  Acceptable Frame Type: admitAll
  Ingress UnTagged VLAN ( NATIVE ): 1
  Port is member in:
  Vlan               Name               Egress rule Port Membership Type
  1                  1                  Untagged          System
  Displays detailed info about each port, range command will not work, but it's something.
  You can check for vlans and or tags with:
  sh vlan
  sh vlan tag 1.
  NTex

• Does it need add the native vlan to allowed vlan list ?

  If I confiured the port like this "
  switchport trunk native vlan 10
  switchport trunk allowed vlan 11,12"
  does the vlan 10 allowed passing ? or it still need add vlan 10 to the allowed vlan list like "
  switchport trunk native vlan 10
  switchport trunk allowed vlan 10,11,12"
  Thanks

  Yes you can remove the native VLAN from the list, and it does prevent the native VLAN from traversing the trunk. That is, if you look at the Spanning Tree for the native VLAN, the trunk will be absent from the list of ports on the VLAN.
  The question of untagged frames is a different one. There are some control protocols, particularly link-local ones, that are sent untagged, and these will traverse the trunk regardless. However, they are not considered as part of the native VLAN Spanning Tree as such.
  But beware: there is a bug in earlier IOS and in all CatOS switches! If you use a non-1 VLAN as your trunk native VLAN, and you disallow it from the trunks, and there are no other ports carrying that native VLAN, then the Spanning Tree for that VLAN shut down. That is fair enough. But the bug is that the Spanning Tree for VLAN 1 also breaks down, sending your network into meltdown.
  Kevin Dorrell
  Luxembourg