Switch trunk native and switchport trunk allowed commands

Hello,
What will be the result of having these two commands defined on a trunk?
Switch(Config-if)# switchport trunk native vlan 500
Switch(Config-if)# switchport trunk allowed vlan remove 500
Thanks

The first command would send traffic untagged over vlan 500, but the second command removes vlan 500 from the trunk, so I think you would lose traffic for anything using vlan 500....
HTH,
John
*** Please rate all useful posts ***

Similar Messages

  • Switchport trunk native vlan & switchport access vlan dual configuration

    I've discovered this dual configuration on a 3500xl switch while troubleshooting an incrementing runts issue. Could the config of this port be related to the issue at hand?
    port configuration:
    interface FastEthernet0/3
    duplex full
    speed 100
    switchport access vlan 203
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 203
    switchport trunk allowed vlan 1,203,204,220,1002-1005
    switchport mode trunk
    spanning-tree portfast

    Hi,
    The 'switchport access vlan' command will have no effect on the configuration you have on this port. The port will operate as a trunk and will disregard any config that pertains to an access port.
    Hope that helps ...
    Paresh

  • Conflicting available HDD space when switching between Native and Emulation

    I have installed Bootcamp and Windows 7 Home 64-bit. I have found one issue...
    When I am booted into Mac and using VMware Fusion, my Bootcamp partition indicates I have 16Gb free of the 32Gb partition. This is what I expected. This also seems to be the case when using Windows to check available space.
    However...
    When I natively boot into Windows, Windows indicates I have less than 2Gb free, which seems strange because I don't know where this space seems to have gone...
    Any clues out there?

    Thanks for the reply.
    I do not have a file in that location. I do have one here though...
    Hard Drive/Users/My Account/Library/Application Support/VMware Fusion/Virtual Machines/Boot Camp/Bootcamp.vmwarevm
    Is this the same thing?
    When I have Bootcamp running using Fusion the Bootcamp drive on my desktop disappears. Is this normal?
    When the Drive is available it says I have less than 2Gb free. However when I do a check within Windows running through fusion it says I have 13Gb free.
    I just want to know how much space I have left and if it is really 2gb, where did it all go? Windows 7 Surely does not take up 20Gb of space!

  • Switchport comparision, "trunk native vlan" versus "access vlan"

    I want to understand the logic when I install an IP phone with a PC attached. Is there any difference between the two configurations? For example, considerations for handling QoS.
    switchport access vlan 100
    switchport voice vlan 200
    versus
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 100
    switchport voice vlan 200
    switchport mode trunk
    Thanks in advance,

    The difference is that these apply to two different sets of switches.
    The first set of configuration applies to the newer series switches, Cisco 3550, 3560, 3750 series.
    The second set applies to the older series, Cisco 2900, Cisco 3500XL etc. In these switches, you need to configure the port as a trunk before the port can take both voice and data vlan.
    In the newer series, the port can take both voice and data vlan and still not run in trunk mode.
    Regards,
    Anup

  • ASA5585-X Switchport Trunk ask security expert

    Hi, I have an ASA5585-X with version 9.1 and ASDM version 7.1.
    I have a lot of different vlans on the ASR router. The ASR router has a subif with vlans. The ASA 5585 is behind the ASR router. I want to set up the ASA 5585 switch ports in trunk mode. Is it possible?
    The topology is below.
    ISP -> Cisco ASR with bgp and subif and gateway for the vlans -> ASA5585 all ip addresses security configurations -> Cisco 6500 aggregation switch -> Cisco 2960 cabinet switches -> Servers

    I can't speak to the ASR router configuration, but you can definitely have trunk ports on the ASA side.  What has worked for me between 3750 switches and assorted generations of ASA hardware and software is configurations like:
    On the switch you set it to mode trunk with negotiation off:
    interface GigabitEthernet1/0/38
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 400
    switchport trunk allowed vlan 1,430-435,543-545
    switchport mode trunk
    switchport nonegotiate
    On the ASA you put the parent physical interface into "no shutdown" state and then set up subinterfaces with vlan tags:
    interface GigabitEthernet0/3
    description trunk port
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3.543
    description first subinterface
    vlan 543
    nameif whatever
    security-level 80
    ip address 192.0.2.1 255.255.255.0
    -- Jim Leinweber, WI State Lab of Hygiene

  • Switchport trunk

    Of the following configurations, which is the most appropriate for two 4507 devices to work in redundancy?
    interface GigabitEthernet4/15
    switchport access vlan 110
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 110
    switchport mode trunk
    duplex full
    speed 100
    interface GigabitEthernet4/15
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 110
    switchport mode trunk
    duplex full
    speed 100

    Hi Friend,
    Can you please post the question in English. I tried translating it but was not very successful.
    Your first config and second config are exactly the same, with only one difference: in your first config you have configured native vlan as 110, and in your second config the native vlan is 1, which is the default.
    Native vlan is the vlan which is sent across the trunk without tagging.
    If you are connecting these 2 switches together, make sure the native vlan is the same on both ends. Also, for etherchannel or teaming to work, the config on both ports should be the same.
    HTH
    Ankur

  • 3750 metro series switch does not support dot1q trunking?

    Folks,
    I have a 3750 metro series switch and I am trying to use it to do inter vlan routing. I do not see an option for "encapsulation dot1q" under sub interface?? Why is it not supported??
    Thanks

    Narvin,
    if you want inter-vlan routing, the interface Vlan nn itself specifies the vlan. I think you are confusing this with a router subinterface, where you must specify which Vlan a subinterface must use (and the encaps type). Encaps type (dot1q or ISL) is used at trunk level, and whatever the trunk uses, you can do intervlan routing using a vlan interface.
    maurizio

  • VLANs - Default, Native and Management

    Okay, please help in understanding the concept of VLANs by confirming whether the following is true or not, and based on that please help me to clear my doubts.
    Default vlan - Always Vlan 1 on a switch and cannot be changed. Its purpose is to account for the interfaces/ports which are not assigned to a vlan explicitly.
    Native vlan - By default, it is also vlan 1 in a switch, but can be changed. Frames belonging to the native vlan are sent across the trunk link untagged. Its sole purpose is to provide backward compatibility to the devices that don't understand frame tagging, as per 802.1q.
    Management vlan- for managing switches.
    Now my doubts ::
    1. Can anyone please draw and explain a scenario in which NATIVe vlan comes into use, so that I can understand its purpose completely.
    2. Management vlan- how they are created/assigned and is used ?

    Hello
    From a security perspective it's best practice not to use vlan1 whatsoever, as it is well documented that all cisco switches default to this vlan.
    Also it is best to define a native vlan that will not be used.
    This is due to something I think is called double tagging or vlan hopping: a hacker, knowing that vlan 1 is untagged and is the default vlan, can apply an outer tag to an encapsulated packet and send this into your network; then, when this outer tag is stripped away, the native vlan1 is seen by the switch, which is accepted into your network and sent on its merry way toward its destination.
    So to negate this threat it is best to either tag ALL vlans or define an unused native vlan and a tagged management vlan, and not allow the native vlan to cross any trunks.
    example:
    vlan 1 = shutdown
    vlan 10 = management
    vlan 11-49 - user vlans
    vlan 50 = native
    conf t
    vlan 2-50
    exit
    int vlan 1
    shut
    int vlan 10
    ip address x.x.x.x y.y.y.y
    interface gig x/x
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 50
    switchport trunk allowed vlan 2-49
    res
    Paul
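
The checks discussed in the threads above, as an added example that is not part of any poster's reply or of Cisco's tooling: a small Python audit of IOS-style interface stanzas that flags trunks whose native VLAN is 1 or is still in the allowed list, trunks that carry VLAN 1, trunks without `switchport nonegotiate`, and leftover `switchport access vlan` lines. The sample config is constructed from command forms quoted on this page, and treating each item as a finding is an assumed policy based on Paul's advice.

```python
import re

# Constructed sample config built from command forms quoted on this page.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk native vlan 50
 switchport trunk allowed vlan 2-49
 switchport mode trunk
 switchport nonegotiate
interface GigabitEthernet1/0/2
 switchport access vlan 203
 switchport trunk native vlan 203
 switchport trunk allowed vlan 1,203,204,220,1002-1005
 switchport mode trunk
interface GigabitEthernet1/0/3
 switchport trunk native vlan 500
 switchport trunk allowed vlan remove 500
 switchport mode trunk
"""

def new_port():  # IOS defaults: native VLAN 1, VLANs 1-4094 allowed on a trunk
    return dict(native=1, allowed=set(range(1, 4095)), trunk=False, nonegotiate=False, access=False)

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,430-435' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_ports(config):
    """Collect the trunk-related settings of each interface stanza."""
    ports, cur = {}, new_port()  # lines before the first stanza hit a throwaway dict
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ports[line.split()[1]] = new_port()
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            cur["native"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan (?:(add|remove) )?([\d,\- ]+)", line):
            vlans, base = expand_vlans(m.group(2)), cur["allowed"]
            cur["allowed"] = {"add": base | vlans, "remove": base - vlans}.get(m.group(1), vlans)
        elif line in ("switchport mode trunk", "switchport nonegotiate"):
            cur[line.split()[-1]] = True  # sets the "trunk" or "nonegotiate" flag
        elif line.startswith("switchport access vlan "):
            cur["access"] = True
    return ports

def audit(config):
    """Return {interface: [findings]} for every port in trunk mode."""
    report = {}
    for name, p in parse_ports(config).items():
        if not p["trunk"]:
            continue
        checks = [
            (p["native"] == 1, "native VLAN is 1"),
            (p["native"] in p["allowed"], "native VLAN is allowed on the trunk"),
            (1 in p["allowed"], "VLAN 1 is allowed on the trunk"),
            (not p["nonegotiate"], "DTP negotiation is not disabled"),
            (p["access"], "access VLAN is set but ignored in trunk mode"),
        ]
        report[name] = [msg for hit, msg in checks if hit]
    return report
```

GigabitEthernet1/0/3 carries the two commands from the first question: the parser drops VLAN 500 from the allowed set, so that port is flagged only for VLAN 1 and DTP.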

  • VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1

    Hi All,
    L2 security documents suggest avoiding vlan1 and tagging all frames with vlan IDs using the global configuration of vlan dot1q. Other Cisco non-security documents suggest using the switchport trunk native vlan #, which removes any vlan tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using vlan 1 to tighten L2 security. When vlan 1 is removed from all trunked uplinks, user access ports are other than vlan 1, and no spanning-tree vlan 1 operations exist, what is the native vlan 1 actually used for? The output of show interface gi0/1 trunk shows the native vlan as 1.
    Thanks,
    HC

    Hi HC,
    the command "switchport trunk native vlan" is used to define the native (untagged vlan) on a dot1q link. The default is 1, but you can change it to anything you like. But it does only change the native vlan; all the other vlans on the trunk are of course tagged (and it only applies to dot1q, as ISL "tags/encapsulates" all the vlans). The command "vlan dot1q tag native" is mostly used in dot1qindot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. That's something mostly service providers offer to their customers. There it is important that there is no untagged traffic, as that would not work with dot1qindot1q. This command tags the native vlan traffic, and drops all traffic which is not tagged.
    What is the native VLAN for? Switches send control PDUs such as STP, CDP or VTP over the native VLAN.
    If you don't happen to be a service provider for L2 metropolitan Ethernet, you won't need the "vlan dot1q tag native" command. For my part I'm trying not to use vlan 1 everywhere in my campus, because it gives a huge spanning-tree topology and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degraded. I try to keep VLANs as small as possible and to have as much L3 separation as possible, that's good for the stability!
    Simon

  • What is the effect of the command switchport trunk native vlan x

    Hello all,
    I have an SG500 switch. The port Gi0/19 is directly connected to a machine. When I show the running config file I find the following config in the interface gi0/19:
    switchport trunk native vlan 70
    I need to understand this command because I'm a bit confused: I know that we put an interface in trunk mode only if we have a link between two switches.
    Please Help :)

    Trunks can carry all the traffic (vlan 70, 80, ... including vlan 1).
    An access port can only be in one vlan (say vlan 70).
    So if you configure it as a trunk and connect the server, since the native vlan is 70, when traffic is in vlan 70 it will not be tagged, so your server can understand it (assuming that the server does not have the capacity to understand tagged frames). Traffic in other vlans will also be received by this interface (say vlan 80, ... vlan 1 ...) but will be dropped.
    If you configure it as only access and in vlan 70, only untagged vlan 70 traffic will be received on the interface.
    Thanks

  • 2960 will not allow "switchport trunk encapsulation dot1q" CLI

    I have a Cisco 2960 switch that is not allowing me to setup switchport trunk encapsulation dot1q on a trunking interface.
    The show capabilities output shows that the interface can use 802.1q, but when I try to enter the command in the CLI, the word encapsulation is not an option.
    Please advise with a solution.
    Thanks, S
    Model - WS-C2960G-24TC-L  
    SW Version - 12.2(44)SE6          
    SW Image - C2960-LANBASEK9-M
    S1#
    S1#sh int gi0/23 capabilities
    GigabitEthernet0/23
    Model:                 WS-C2960G-24TC-L
    Type:                 1000BaseLX SFP
    Speed:                 1000
    Duplex:               full
    Trunk encap. type:     802.1Q
    Trunk mode:           on,off,desirable,nonegotiate
    Channel:               yes
    Broadcast suppression: percentage(0-100)
    Flowcontrol:           rx-(off,on,desired),tx-(none)
    Fast Start:           yes
    QoS scheduling:       rx-(not configurable on per port basis),
                             tx-(4q3t) (3t: Two configurable values and one fixed.)
    CoS rewrite:           yes
    ToS rewrite:           yes
    UDLD:                 yes
    Inline power:         no
    SPAN:                 source/destination
    PortSecure:           yes
    Dot1x:                yes
    Multiple Media Types: rj45, sfp, auto-select
    S1#
    S1#
    S1#
    S1(config-if)#switchport ?
    access         Set access mode characteristics of the interface
    backup         Set backup for the interface
    block         Disable forwarding of unknown uni/multi cast addresses
    host           Set port host
    mode           Set trunking mode of the interface
    nonegotiate   Device will not engage in negotiation protocol on this
                     interface
    port-security Security related command
    priority       Set appliance 802.1p priority
    protected     Configure an interface to be a protected port
    trunk         Set trunking characteristics of the interface
    voice         Voice appliance attributes
    S1#
    S1#
    S1#
    S1(config-if)#switchport trunk ?
    allowed Set allowed VLAN characteristics when interface is in trunking mode
    native   Set trunking native characteristics when interface is in trunking
               mode
    pruning Set pruning VLAN characteristics when interface is in trunking mode
    S1#
    S1#
    S1#

    Newer devices don't support ISL so you can only run 802.1Q. That means that there is no need for an encapsulation command because only one encapsulation is supported. If the device had support for ISL then you would also have that command.
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.

  • Switchport trunk allowed - Cisco / HP

    Hi, I have a simple query and just seeking some clarification....
    I have a Cisco 3750X with various vlans configured. One interface has the command: "Switchport Trunk allowed vlan 100, 200". I understand it will ONLY forward packets for vlan 100 & 200 on this interface - certainly the case if connected to another Cisco device.
    On the other end of the interface is a HP1810 switch. The ports are configured for vlan 100, 200 and 300. I have looked at the config of the Cisco stack and there is no mention of vlan 300 at all. Is it safe to assume the Cisco switch is not doing any forwarding for vlan 300 to the HP if it is not defined in its config or the allowed command?
    Thanks, Harv

    Yes, you can assume that the Cisco switch is not forwarding anything from itself towards the HP for vlan 300, but the HP will be sending the traffic for VLAN300 on the Tagged ports.
    I think you can remove the Tagged PORTNAME on the HP under the VLAN 300 configuration as well. Removing the Tagged PortXX under the vlan 300 configuration on the HP, where XX is the trunk port connecting to the Cisco, will stop the HP from forwarding any traffic towards the Cisco as well.
    Manish

  • Switchport trunk encapsulation on L3 switches

    Why is 'switchport trunk encapsulation <dot1q or isl>' required on L3 switches?  The default trunk encapsulation mode on 'modern' Cisco switches is to 'auto' negotiate, so why doesn't 'auto-negotiate' work when configured from the L3 switch port?  If I configure 'switchport mode trunk' on an L2 switch (capable of only dot1q) and don't configure the adjacent L3 port, the trunk is auto-negotiated.  However, if I configure 'switchport mode trunk' on the L3 port first, it gives the error we've all witnessed: Command rejected: An interface whose trunk encapsulation is "Auto" can not be configured to "trunk" mode. Interestingly, if I configure 'switchport mode dynamic desirable' on the L3 port, the interface does indeed negotiate the trunk encapsulation and establish the trunk.  According to Cisco documentation, the 'switchport mode trunk' command is also supposed to negotiate the trunking status and encapsulation--so why doesn't this command work the same as 'switchport mode dynamic desirable'?

    John,
    You're absolutely correct.  My hope is that Cisco will change its definition for 'switchport mode trunk.'
    This is from their documentation:
    switchport mode dynamic desirable
    Makes the interface actively attempt to convert the link to a trunk link. The interface becomes a trunk interface if the neighboring interface is set to trunk, desirable, or auto mode.
    switchport mode trunk
    Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface is not a trunk interface.
    switchport nonegotiate
    Prevents the interface from generating DTP frames. You can use this command only when the interface switchport mode is access or trunk. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.
    I've highlighted "negotiates" to point out that DTP frames are still sent to the neighboring device to negotiate the trunking status. Therefore, why doesn't it also negotiate the encapsulation type when desiring to trunk? My point being, if it's going to trunk unconditionally and not negotiate the trunking protocol, and since you'd have to have an ISL-only switch (non-extant), Cisco should simply get rid of ISL on their switches or have the 'negotiation' process (or unconditional state) select dot1Q as the trunking protocol.

  • Switchport trunk native vlan question...

    What am I missing in regards to the following two lines assigned to a sw interface:
    switchport trunk native vlan 80
    switchport mode trunk
    Why assign a VLAN to the port when you're trunking it (meaning you're allowing all VLANs to pass)?
    Thank you.

    By default native VLAN is VLAN 1, but can be changed to any No. on the trunk port by command "switchport trunk native vlan #". This will make a new vlan# as native & allow all pkts from this vlan to pass thru trunk untagged.
    Native VLANs are used to carry CDP, PAgP & VTP messages. Thus the frames on the native VLAN are untagged. For these messages to propagate between devices, native VLANs must match on both sides of the trunk. In case of native VLAN mismatch on both sides of the trunk, STP will put the trunk port in err-disabled state.

  • Native VLAN on switchport trunk

    Is it possible to set more than ONE native vlan on a switchport trunk?
    Thanks

    Hi there,
    Just to clarify, the native vlan is set in the trunk configuration. This means that you can set this per trunk.
    You can only have 1 per trunk. If you had more than 1, which one would it send it to??
    Hope that clarifies,
    LH
    Please rate all posts
