Switch allowed 2 vlan

I have a Switch 3560/24 ports
i want know, how can i allow two vlans in a one switchport?
Vlan voice and vlan data.

Hi, alain.
I try, but the switchport continiuos in one vlan
SWFISA11-1(config)#interface fastEthernet 0/1
SWFISA11-1(config-if)#switchport mode access
SWFISA11-1(config-if)#switchport access vlan 220   <<<< data vlan
SWFISA11-1(config-if)#switchport access vlan 200   <<<<< voice vlan
SWFISA11-1#show vlan brief
VLAN Name                             Status    Ports
1    default                          active    Gig0/1, Gig0/2
30   VLAN0030                   active    Fa0/5, Fa0/21
128 MedicaSur                  active
200 VLAN0200                  active    Fa0/1, Fa0/6, Fa0/7, Fa0/8
                                                         Fa0/9, Fa0/10, Fa0/12
210 VLAN0210                  active    Fa0/2, Fa0/11, Fa0/13, Fa0/16
                                                        Fa0/17, Fa0/18, Fa0/19, Fa0/20
220 VLAN0220                 active    Fa0/15
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
I try, but the switchport continue in one vlan.
Maybe the configuration of the vlan?? need configuration additional??

Similar Messages

Switch Port Trunk allowed Vlan

Hi Guys
Request your help on my query :
I have a distribution switch and access switch and port channel between them.
Dist switch is the VTP server
lets assum I have 25 vlan
when I do show vlan brief on the access switch I can see all 25 vlans listed now
no when I configure switch port trunk allowed vlan (ex : permitting 10 vlans )on the link connecting to access switch at Dist switch
Dist switch po1 -- connecting to - po Access switch
Dist switch #
int po1
switch port trunk alllowed vlan x,x,x,x,x,x,x,x,x,
After permitting 10 vlan through trunk allowed vlan and then when I do show vlan brief on the access switch , I should see only the 10 vlan whcih I have permiited right ?
Thanks in advance

Hi,
John is absolutely correct - even if you do not permit a VLAN on a trunk, it can still provide communication among local ports on a switch that are all assigned to the same VLAN.
I have a feeling that your original question was focused on a different aspect, though: You probably expected that if you exclude some VLANs from trunks, these VLANs will not be propagated via VTP to surrounding switches. Sadly, this is not the case. The switchport trunk allowed vlan command only affects data traffic in individual VLANs but it has no impact on the operation of VTP protocol. The VTP still advertises all VLANs, regardless of which VLANs are allowed on a trunk. To put it plainly, in a VTP domain, all server/client switches will know about all VLANs. THere is no legal possibility of having a single VTP domain consisting of server/client switch and yet have the switches differ in their VLAN database contents. It's as easy as that: one VTP domain = one big common VLAN database.
Best regards,
Peter

Does it need add the native vlan to allowed vlan list ?

If I confiured the port like this "
switchport trunk native vlan 10
switchport trunk allowed vlan 11,12"
does the vlan 10 allowed passing ? or it still need add vlan 10 to the allowed vlan list like "
switchport trunk native vlan 10
switchport trunk allowed vlan 10,11,12"
Thanks

Yes you can remove the native VLAN from the list, and it does prevent the native VLAN from traversing the trunk. That is, if you look at the Spanning Tree for the native VLAN, the trunk will be absent from the list of ports on the VLAN.
The question of untagged frames is a different one. There are some control protocols, particularly link-local ones, that are sent untagged, and these will traverse the trunk regardless. However, they are not considered as part of the native VLAN Spanning Tree as such.
But beware: there is a bug in earlier IOS and in all CatOS switches! If you use a non-1 VLAN as your trunk native VLAN, and you disallow it from the trunks, and there are no other ports carrying that native VLAN, then the Spanning Tree for that VLAN shut down. That is fair enough. But the bug is that the Spanning Tree for VLAN 1 also breaks down, sending your network into meltdown.
Kevin Dorrell
Luxembourg

VTP Pruning vs Allowing VLANs on Trunk ports

We would like to know best approach to reduce VLAN traffic on our network. We are currently trunking all fiber ports 802.1q.
We have about 73 VLANs across the network. We have done a lot of research and there seem to be a lot of theoretical answers but no one who uses it in practice.
Here is our current configs for fiber ports between closets:
Cisco WMH6509
interface GigabitEthernet2/8
description Fiber To STB Lab 3850
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
no snmp trap link-status
end
Cisco STB Lab 3850
interface GigabitEthernet1/1/1
description Fiber To WMH6509
switchport mode trunk
end
We are considering:
VTP Pruning Enable
or
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 26,99,109,188
switchport mode trunk
Thanks,
Tom

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
As I have some years (cough - decades) software development experience, I lean toward automation solutions, so, for example, I often prefer dynamic routing over static routing, and so likewise, I prefer VTP over manual configuration on multiple devices.
However, VTP does have some "quirks". For example, this year I ran into an issue where an edge switch had a new VLAN defined to a port which wasn't in use on a transit switch, so VTP auto pruning, pruned it off the transit's uplink trunk. (I was a bit of a pain to find the cause as VTP doesn't prune right away - edge worked for a bit and then it stopped working. One fix would have been to stop using VTP auto-pruning, across the whole VTP domain, but instead, configured VTP to not auto-prune the needed VLAN across the needed trunk.)
So, as Paul notes, VTP auto pruning might be easier to get going, but be prepared for unexpected incidents (again, not saying you'll have any, just be prepared). So, if you're prepared, I would go with VTP auto pruning, but if you want to "play safe", go with Paul's recommendation.

Cisco SG300-52 52-Port Gigabit Managed Switch losing VLAN-Port Membership

Hello
We have some cisco switches in use and we're facing some problems everytime the switch loses Power.
After a reboot the port/vlan membership is lost, so are other settings recently made (like SSH access allowed, etc.).
The settings made up a year ago like the IPs, password, etc. remain untouched.
Upgrading the Firmware, Saving the Configs, etc. didn't solve the problem.
Is this a known issue? Anyone facing the same problem?
Bye and thanks for the help.
Viktor

Vlan Name Tagged Ports UnTagged Ports Created by
1 1 gi51-52,Po1-8 D
10 10 gi51-52 S
20 20 gi51-52 S
30 30 gi51-52 S
40 40 gi51-52 gi1-9,gi14-34, S
gi38-41,gi49-50
50 50 gi51-52 S
100 100 gi51-52 S
190 SecurityNetwork gi51-52 gi11-13,gi35-37 S
200 200 gi51-52 S
210 Wireless gi51-52 gi10 S
300 ServerSubnetOne gi51-52 gi42-48 S
config-file-header
as4
v1.4.0.88 / R800_NIK_1_4_194_194
CLI v1.0
set system mode switch
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
no cdp run
no spanning-tree
port jumbo-frame
vlan database
vlan 10,20,30,40,50,100,190,200,210,300
exit
voice vlan state disabled
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
no lldp run
hostname as4
no passwords complexity enable
username cisco password encrypted xxxxx
ip ssh server
snmp-server location Eingang
snmp-server contact [email protected]
clock timezone " " +1
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server 157.161.57.2 poll
ip name-server 192.168.200.1
interface vlan 190
name SecurityNetwork
interface vlan 200
ip address 192.168.200.34 255.255.255.0
interface vlan 210
name Wireless
interface vlan 300
name ServerSubnetOne
interface gigabitethernet1
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet2
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet3
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet4
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet5
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet6
spanning-tree disable
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet7
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet8
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet9
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet10
switchport mode access
switchport access vlan 210
lldp med disable
interface gigabitethernet11
switchport mode access
switchport access vlan 190
lldp med disable
interface gigabitethernet12
switchport mode access
switchport access vlan 190
lldp med disable
interface gigabitethernet13
switchport mode access
switchport access vlan 190
lldp med disable
interface gigabitethernet14
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet15
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet16
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet17
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet18
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet19
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet20
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet21
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet22
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet23
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet24
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet25
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet26
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet27
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet28
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet29
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet30
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet31
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet32
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet33
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet34
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet35
switchport mode access
switchport access vlan 190
lldp med disable
interface gigabitethernet36
switchport mode access
switchport access vlan 190
lldp med disable
interface gigabitethernet37
switchport mode access
switchport access vlan 190
lldp med disable
interface gigabitethernet38
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet39
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet40
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet41
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet42
switchport mode access
switchport access vlan 300
lldp med disable
interface gigabitethernet43
switchport mode access
switchport access vlan 300
lldp med disable
interface gigabitethernet44
switchport mode access
switchport access vlan 300
lldp med disable
interface gigabitethernet45
switchport mode access
switchport access vlan 300
lldp med disable
interface gigabitethernet46
switchport mode access
switchport access vlan 300
lldp med disable
interface gigabitethernet47
switchport mode access
switchport access vlan 300
lldp med disable
interface gigabitethernet48
switchport mode access
switchport access vlan 300
lldp med disable
interface gigabitethernet49
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet50
switchport mode access
switchport access vlan 40
lldp med disable
interface gigabitethernet51
switchport trunk allowed vlan add 10,20,30,40,50,100,190,200,210,300
lldp med disable
interface gigabitethernet52
switchport trunk allowed vlan add 10,20,30,40,50,100,190,200,210,300
lldp med disable
exit

Unable to add allowed VLANs to TenGig trunk port

Hi,
I've got a ten gig interface on a 6509 running 12.2(33) configured as a trunk, but I've not been able to add any allowed VLANs as I've done before on other ten gig ports on different 6509 chassis. Am I missing something obvious?
I'm assuming that the reason I'm unable to set the encapsulation to dot1q is because the new hardware doens't support ISL, hence no need. The command to add the VLANs however doesn't get rejected, it just doesn't appear to do anything.
I've tried adding single VLANs and multiples, but no joy. Any ideas?
Here's what I've done:
SWITCH_1631(config)#default int t4/1
Interface TenGigabitEthernet4/1 set to default configuration
SWITCH_1631#sh ru int t4/12
Building configuration...
Current configuration : 65 bytes
interface TenGigabitEthernet4/12
no ip address
shutdown
end
SWITCH_1631(config)#int t4/1
SWITCH_1631(config-if)#switchport
SWITCH_1631(config-if)#switchport mode trunk
SWITCH_1631(config-if)#switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
SWITCH_1631(config-if)#switchport trunk allowed vlan add 700
SWITCH_1631(config-if)#
SWITCH_1631#sh vlan id 700
VLAN Name Status Ports
700 VLAN_NAME active <snip>
SWITCH_1631#sh ru int t4/1
Building configuration...
Current configuration : 74 bytes
interface TenGigabitEthernet4/1
switchport
switchport mode trunk
end

Steve,
Thanks for getting back to me. You're right that it is by default a dot1q trunk allowing all VLANs, therefore it should work for what I want to do.
Port Mode Encapsulation Status Native vlan
Gi3/39 on 802.1q trunking 1
Te4/1 on 802.1q trunking 1
Po1 on 802.1q trunking 50
Po2 on 802.1q trunking 50
Po3 on 802.1q trunking 50
Po4 on 802.1q trunking 50
Po5 on 802.1q trunking 50
Port Vlans allowed on trunk
Gi3/39 15-16,20-23,30,401,608
Te4/1 1-4094
Po1 10,13,20-21,25,30,50,52,61,70,600,700-701,950
Po2 10,20,30,50,52,61,70,600,700-701,950
Po3 10,20,30,50,61,70,600,700-701,950
Po4 10,20,30,50,61,70,600,700-701,950
Po5 2-3,10-23,25-26,30,35-36,40,50-53,56,58,61,65,70,77,101-102,145-146,155-158,401-402,600-602,608,700-701,800,950
The problem was that I've always been advised that best practise is to only allow the VLANs that are actually required on a trunk to avoid broadcasting traffic unnecessarily. I worked out what the issue was though, and it was a pretty simple one!
Once I saw that 1-4094 was allowed I tried "switchport trunk allowed vlan remove 700" which worked and left me with 1-699,701-4094.
Then I realised what the problem was trying to use the "add" command when all possible VLANs had already been added. As soon as I got rid of it and used "switchport trunk allowed vlan 700" followed by "switchport trunk allowed vlan add 701" I was back in business.
So it was a very simple issue, but thank you Steve for pointing me in the right direction and confirming that all the VLANs were already allowed!

Set-VMNetworkAdapterVlan throws Failed while applying switch port settings 'Ethernet Switch Port VLAN Settings' error

Hi,
I'm following this
guide I'm getting an error when running the below command:
Set-VMNetworkAdapterVlan -vmname PurpleVM1 -Isolated -PrimaryVlanId 2 –SecondaryVlanId 4
Generates the following error:
Set-VMNetworkAdapterVlan : The operation failed.
Failed while applying switch port settings 'Ethernet Switch Port VLAN Settings' on switch 'New Virtual Switch': One or
more arguments are invalid (0x80070057).
A parameter that is not valid was passed to the operation.
Does anyone know why this is happening?
ta

Hi TomG101,
It seems that there is a configuration conflict on the virtual switch port .
Also I tested the command on my lab , it works .
For troubleshooting please create a new virtual switch then try to configure again .
Any further information please feel free to let us know .
Best Regards
Elton Ji
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

897VAW: Cannot add Allowed vlans to Trunk on WLAN-GigabitEthernet interface

Hi,
I am trying to configure the Access Point module on my Cisco Router (897AVW), however I am unable to route / ping between the router and the AP.
In a few examples I've seen, the wlan-GigabitEthernet interface has the command:
switchport trunk allowed vlan 1-3,1002-1005
or
switchport trunk native vlan 2
I have tried both and although the router doesn't error, show-ing the config, neither commands have taken.
Is there something I am doing wrong or is this a bug in the IOS?
To save making this post long, my latest running configs are on my blog:
Router: http://www.thingsgeeky.walker.uk.com/?p=3781
AP: http://www.thingsgeeky.walker.uk.com/?p=3781
Many Thanks
W.

Hi,
I am trying to configure the Access Point module on my Cisco Router (897AVW), however I am unable to route / ping between the router and the AP.
In a few examples I've seen, the wlan-GigabitEthernet interface has the command:
switchport trunk allowed vlan 1-3,1002-1005
or
switchport trunk native vlan 2
I have tried both and although the router doesn't error, show-ing the config, neither commands have taken.
Is there something I am doing wrong or is this a bug in the IOS?
To save making this post long, my latest running configs are on my blog:
Router: http://www.thingsgeeky.walker.uk.com/?p=3781
AP: http://www.thingsgeeky.walker.uk.com/?p=3781
Many Thanks
W.

UC520 SNMP change fast ethernet switch port vlan

Hi,
I've a UC520 running with uc500-advipservicesk9-mz.151-4.M5. I try to change VLAN on the switchport using snmp however look like the UC520 doesn't support "vmVlan".
snmpwalk -v 1 -c private 10.1.1.1 ifDescr
IF-MIB::ifDescr.4 = STRING: FastEthernet0/1/1
snmpset -v 1 -c private 10.1.1.1 1.3.6.1.4.1.9.9.68.1.2.2.1.2.4 integer 151
Error in packet.
Reason: (noSuchName) There is no such variable name in this MIB.
Failed object: SNMPv2-SMI::enterprises.9.9.68.1.2.2.1.2.4
Does anyone know what is the MIB for change switch port vlan ?
Rg,
Gerald.

What do you mean by dumb siwthc? What model/make/company is that switch?
Can you try to do the reset of the switch so that it wipe off all the config what so ever present on the box and then try to connect the switch to the router?

Missing Allowed vlans on trunk on Standby ACE.

Guys,
I would like to know if allowing vlans under portchannel will replicate on standby unit.Somehow I see all configuration is sync except switchport trunk allowed vlan under Portchannel.
Thanks
Ajay

Hi Siva,
I remove 3rd port from port channel but still vlans are not getting sync.
ACE1/Admin# sh vlan
Vlans configured on physical port(s)
vlan3001 vlan3060 vlan3200-3201 vlan3208 vlan3260-3262 vlan3264-3265 vlan3270-3272 vlan3274-3275 vlan3280 vlan3300-3302 vlan3650-3652 vlan3661-3663 vlan3668-3669 vlan4090
ACE1/Admin#
ACE2/Admin# sh vlan
Vlans configured on physical port(s)
vlan3001 vlan3200-3201 vlan3208 vlan3260-3262 vlan3264-3265 vlan3270-3272 vlan3274-3275 vlan3300-3302 vlan3650-3652 vlan3661 vlan3668-3669 vlan4090
ACE2/Admin#
ACE1/Admin# sh ft group status
FT Group                     : 1
Configured Status            : in-service
Maintenance mode             : MAINT_MODE_OFF
My State                     : FSM_FT_STATE_ACTIVE
Peer State                   : FSM_FT_STATE_STANDBY_HOT
Peer Id                      : 1
No. of Contexts              : 1
Running cfg sync status      : Running configuration sync has completed
Startup cfg sync status      : Startup configuration sync has completed
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 4090
query-interface vlan 3001
ft group 1
peer 1
no preempt
priority 150
associate-context Admin
inservice
any suggestion/ next steps to troubleshoot ?
Thanks
Ajay

CSCur53506 - broadcast flood when allowed vlan add/remove on protected port

Does not this Bug occur in IOS 15.XX ?

Thanks for the reply - yes I did save it. All the other ports have the command. But when the phone boots up - it ends up disappearing after the above occurs:
When the phone boots up - it seems to encounter a broadcast storm (???) the port goes from this:
interface gigabitethernet36
switchport trunk allowed vlan add 10
to this:
interface gigabitethernet36
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
switchport trunk allowed vlan add 10
macro description ip_phone
!next command is internal.
macro auto smartport dynamic_type ip_phone
Then in a minute or two I'm no longer able to ping the voicelan - and when I do a show run - gi36 isn't even visible. However, the PC that is also on gi36 works fine.
If I then reissue the 'switchport trunk allowed vlan add 10' to gi36 - the phone is pingable - and works continuously until the phone is rebooted.
So I'm not really sure what happens during the bootup that causes this to happen, or a way to try and prevent it from occuring.

Two network segment on the same switch (no vlan), possible?

Why can't 2 or more network segment work on same switch (without VLAN configuration)? It seems like switch should learn MAC addresses for each interface then work but what when I try to connnect two network segment (different network id ex.192.168.1.0 and 172.16.1.0), a lot of (or all) requests are timed out. Why? Should switch igore network id because it is layer2? I know that this might be a stupid question but I kind of confuse. Thank you

Hi,
it should be possible, but you need a router for connectivity or maybe a small trick.
Let us assume you have a host A 192.168.1.10/24 and another host B with 172.16.1.5/24 connected to one switch (or in one VLAN, which would give the same result).
When you f.e. ping 172.16.1.5 from host A, it will first consult its internal routing table ("route print" on a MS host). As the destination address is not local it would not send any packet unless there is a default gateway, because otherwise no route to the destination is known. The same applies to host B, when you try to reach host A. So one possible solution is installing a router and setting it to be the default gateway. Example config:
host A
IP 192.168.1.10
Mask 255.255.255.0
GW 192.168.1.1
host B
IP 172.16.1.5
Mask 255.255.255.0
GW 172.16.1.1
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
ip address 172.16.1.1 255.255.255.0 secondary
The router will get the IP packet from host A and forward it to host B and vice versa, which results in connectivity.
Another possibility is to modify the routing tables of host A and B.
host A
IP 192.168.1.10
Mask 255.255.255.0
GW 192.168.1.10
host A
IP 172.16.1.5
Mask 255.255.255.0
GW 172.16.1.5
The small trick here is that both hosts have their own IP as default gateway. This will result in host A sending an ARP for host Bs MAC, when you execute f.e. ping 172.16.1.5
As long as those ARPs are successful - and they finally should, because the switch would deliver them being OSI layer broadcasts to all ports - connectivity should be given.
Regarding your specific network problem with timed out connection attempts, I do not know your specific configuration (hosts, router), so it is hard to tell, what is going on. If you can reveal your settings it should be possible to find a solution.
Hope this helps! Please rate all posts.
Regards, Martin

Manipulating allowed VLAN list on trunks

I am in the process of restricting some of my VLANs so that they can be accessed only on the switches that actually need them. I have a VTP domain, so I am doing it by manipulating the "allowed" lists on the trunks. I have a mixed environment of IOS 4500, CatOS 4000, CatOS 5500, and IOS 29xx.
So, I have a number of questions and observations:
1. There are some special default VLANs, 1002-1005, which are designated fddi-default, token-ring-default etc. In an Ethernet-only environment, is there any harm if I clear these from all the trunks?
2. I do not use the extended VLAN range 1025-4095. Is there any harm if I clear these from all trunks?
3. Just out of academic interest, what ever happened to VLANs 1006 to 1024? They do not appear in any of the default "allowed" lists. Are they reserved for something?
4. Suppose my native VLAN for my trunks is not 1, let us say 99. And my management is on yet another VLAN, say 98. What happens if I try and clear the native VLAN 99 from the trunks? (Yes, I know I should try this in a lab, but does anyone know the answer to save me the effort of setting it up?)
5. Suppose I have a VLAN, say 50, that is only needed in two switches, so I clear it from all trunks except the one between those two switches. But all the switches know about it cos it is in the VTP list. I notice that in the IOS switches, the PVST+ instance for that VLAN get shut down. In the CatOS switches, the STP seems to continue to run, but the root bridge is designated as 00-00-00-00-00-00. Are these two behaviors consistent, i.e. what is actually going on in the CatOS case? (AAMOF, in the IOS switches, it is enough that none of the ports has an "up" presence in the VLAN, and the PVST+ instance shuts down, even if there are "down" ports configured to use it.
6. Is there any way to set a global default "allowed" list in a switch, so that any new trunks only allow those VLANs, regardless of what is in the VTP list? (That is, apart from setting it to "transparent", which have other unwanted side effects such as not being aware of the creation of new VLANs.)
That's a lot of questions. The new edition of the Clarke/Hamilton book is well overdue!
Kevin Dorrell
Luxembourg

Glen,
Thanks for the responses.
1. I shall clear them out immediately.
2. I shall clear them out immediately.
3. It's a mystery. Anyone?
4. It was 99 because that VLAN was created specifically to accommodate the trunks. Unfortunately, in that particular network, VLAN 1 was still in use as an access VLAN. It is recommended not to have any access ports on the VLAN that is used as the native on the trunks, to prevent VLAN-hopping. Most NetAdmins do this by putting all the access ports anywhere but VLAN 1, and keeping VLAN 1 for trunk natives and/or management. This network did it the other way round, by shifting the native of the trunks off onto an unused VLAN. But I don't know what would happen if I cleared the native VLAN off the trunk.
5. I think here we need to distinguish between VTP and STP, and between allowed lists and pruning. I am not pruning here, I am actually clearing the VLANs from the trunks. In the case of pruning, the VTP declines to send the broadcasts down the trunk if they are not useful at the access layer switch, but the Spanning Tree topology is not affected. In the case of clearing, the Spanning Tree topology of the VLAN is actually modified, as if the trunk did not exist for that VLAN. OTOH, the VTP VLAN list is propagated to all switches, regardless of whether they have any presence on each VLAN. So according to the VTP server and all clients, there is a load of VLANs active in the domain. But if you have an allowed list on all the trunks, it could well be that the access switch knows about a VLAN, but does not have any presence on it. That is when the IOS shuts down the PVST+ STP for that VLAN, and a CatOS switch registers the root bridge as 00-00-00-00-00-00. As opposed to the case where the VTP domain does not have a VLAN in its database, so the CatOS has no STP instance for it.
6. Anyone else?
Thanks for the responses.
Kevin Dorrell
Luxembourg

Connect additional switch to existing switch, receiving vlan mismatch, also want to configure same VLAN's

Hello! I have a network in with a i have a switch stack configured for voice and data. Particularly, both are configured to pass over the same port.
I want to add a temporary switch (different model) to the network and configure it the same way. In particular, I want to see that I can set up the voice/data VLAN's on this new switch and test to confirm all is working. I need an uplink though back to the original switches so that this new switch can get a proper connection.
When I connect the new switch in, I can't seem to get an IP and the CLI keeps showing a "Native VLAN mismatch error" and shows the hostname of the original switch.
So my questions are:
How can I add this temporary switch to the existing switch to get a connection, not as another stacked switch?
How can I configure the voice/data VLAN's on the switch so as to be able to test the voice/data traffic over the same port?

Hi! Yes I did change the native vlan for that particular port on "Sw2" (New switch) to match "Sw1" (existing switch). The Sw2 port shows native vlan inactive though.
Below is an output from them on that port.
(SW1)
Name: Gi3/0/5
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 100 (VLAN0100)
Administrative Native VLAN tagging: enabled
Voice VLAN: 10 (VLAN0010)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
SW2
Name: Gi3/0/5
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 100 (Inactive)
Administrative Native VLAN tagging: enabled
Voice VLAN: 10 (Voice)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

RV042G (router), SG200-26 (switch) vpn vlan issue

HI,
I have a RV042G (router), SG200-26 (switch)
ISP Modem on cable have dual wan static ip
Switch have 4 Vlan
vlan1 default
vlan2 networkA
vlan3 networkB
vlan5 Modem
port (1UP,2T) management port
port 2-12 (2UP) Network A
port 13 (5UP,2T,3T) wan cable plug
port 14 (5UP,2T) go back to router wan port assign IP to network A
port 18 (5UP,3T)
port 19-26 (3UP) Network B
port25 (2UP,1T) router lan1 port connect to the switch port 25
it can separate 2 different network, if i plug a cable to port1 i can manage the switch
but if i use vpn to connect the router i wont able to ping or see the switch, but i can ping the router and all other computers are on vlan2, and vlan2 not able to go to manage the switch too or ping it
what should i change to let vpn can access to vlan1 to manage the switch, thanks

Hello Gianluca,
In order for this setup to work, you will have to have a router that supports multiple vlans. You did not mention the model of the router or if it does this so I wanted to first mention that.
I understand your setup to be as follows- Internet -> Router -> Switch 1 -> Switch 2
On each port that connects a network device you will want to set the following-
Trunk port
Vlan settings of 1U, 2T, 3T
This allows default vlan of 1 and also other vlans
On other ports (1-4 , 7-9) you want to set them as follows-
Access port
Vlan of 2U OR 3U
This puts that port into the vlan of your choice
This will be the configuration needed, but again, you must have a router that will support vlans or multiple subnets.

Switch allowed 2 vlan

Similar Messages

Maybe you are looking for