Config Lab: Trunking for Only Some VLANs
VLAN trunks between Cisco Catalyst switches support all VLANs known to the switches. As time progresses, each time the switch learns of a new VLAN, the VLAN trunk also allows traffic in the VLAN to use the trunk. Is that a good idea? In this post, you will get a chance to practice those tasks – first to configure ports into VLANs and directly control the VLANs allowed on a VLAN trunk. As a result, traffic for newly-added VLANs does not cross the trunk until you specifically configure the trunk to allow the new VLANs.
The Lab Exercise
Requirements
Your job: Configure appropriate interfaces as trunks to pass traffic between PCs while supporting those VLANs only.
This lab begins with all the interfaces shown in Figure 1 working because the cables have been connected, and the switches default to bring up the interfaces. However, you need to add the correct interfaces into the VLANs shown in the figure. Additionally, you must decide what commands to add to make sure the link between the switches trunks and that the link does not depend on any trunking negotiation. Finally, you must ensure that the trunk supports only the two VLANs show in the figure (plus the native VLAN) until someone else comes back to change the configuration.
The specific rules for this lab are:
- Configure the interfaces connected to PCs to be access interfaces in the correct VLAN.
- Configure the link between switches to statically act as a trunk (do not rely on trunk negotiation).
- Configure to restrict the trunk to support only the native VLAN and the other VLANs shown in the figure.
- Do not configure settings not needed for this lab.
Figure 1: Two Switches – Point-to-Point
Initial Configuration
The two switches begin with default configuration and a hostname. The two examples here emphasize that point, confirming that the ports are enabled (no shutdown).
hostname SW1
!
interface GigabitEthernet1/0/1
no shutdown
!
interface GigabitEthernet1/0/2
no shutdown
!
interface GigabitEthernet1/0/3
no shutdown
Example 1: SW1 Config
hostname SW2
!
interface GigabitEthernet1/0/1
no shutdown
!
interface GigabitEthernet1/0/2
no shutdown
!
interface GigabitEthernet1/0/3
no shutdown
Example 2: SW2 Config
Answer Options - Click Tabs to Reveal
You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!
To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.
You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.
(Use this link for more information about Cisco Packet Tracer.)
Use this workflow to do the labs in Cisco Packet Tracer:
- Download the .pkt file linked below.
- Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.
If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:
- Download the CML file (filetype .yaml) linked below.
- Import the lab’s CML file into CML and then start the lab.
- Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
- Add your planned configuration to the lab.
- Test the configuration using some of the suggestions below.
Download this lab’s CML file!
Network Device Info:
Device | Lab Port | Â CML Port |
SW1 | G1/0/1 | G0/1 |
SW1 | G1/0/2 | G0/2 |
SW1 | G1/0/3 | G0/3 |
SW2 | G1/0/1 | G0/1 |
SW2 | G1/0/2 | G0/2 |
SW2 | G1/0/3 | G0/3 |
Initial Trunking Config Change for CML
The switches need one additional command to be correct at the initial starting point. CML uses an IOS image for Layer 2 switches that requires that the type of trunking be configured. The command added to both switches G0/3 interfaces, which is already added to the .YAML file, is:
switchport trunk encapsulation dot1q
Many switches, like the 2960 access switches many people use for CCNA labbing at home, would not require this extra command.
Lab Answers Below: Spoiler Alert
Lab Answers: Configuration (Click Tab to Reveal)
Answers
Figure 1: Two Switches – Point-to-Point
interface GigabitEthernet1/0/1
switchport mode access
switchport access vlan 100
!
interface GigabitEthernet1/0/2
switchport mode access
switchport access vlan 200
interface GigabitEthernet1/0/3
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan remove 2-99,101-199,201-4094
Example 3: SW1 Config
interface GigabitEthernet1/0/1
switchport mode access
switchport access vlan 100
!
interface GigabitEthernet1/0/2
switchport mode access
switchport access vlan 200
!
interface GigabitEthernet1/0/3
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan remove 2-99,101-199,201-4094
Example 4: SW2 Config
Commentary, Issues, and Verification Tips (Click Tabs to Reveal)
Commentary
The VLAN configuration follows a straightforward and familiar pattern. In this case, however, the configuration in the suggested answers happens to omit any vlan vlan-id global commands. In each switch, the first time the switchport access vlan vlan-id global command identifies a new VLAN not formerly known by the switch, the switch automatically adds the matching vlan vlan-id global command.
A VLAN trunk forwards traffic from multiple VLANs at the same time. Most switches created since the mid-2000’s use IEEE 802.1Q for the trunking protocol, with most switches today no longer even supporting the older ISL trunking protocol. With 802.1Q, with a default native VLAN setting, Ethernet frames from all VLANs except for VLAN 1 (the default native VLAN) will have an additional tag added to the frame while being forwarded over the VLAN trunk. This tag is essentially a label that marks traffic with its respective VLAN. Once the traffic reaches the second device, that device can strip the tag off and use the information in it to properly forward the traffic.
Cisco Catalyst switches default their administrative trunking setting to a mode that tells the switch to use the Dynamic Trunking Protocol (DTP) to negotiate whether to operate as a trunk or not. The instructions told us statically set trunking rather than dynamically negotiate trunking. To do that, a simple config is needed on both switches: the switchport mode trunk command is used on both switches. Both happen to connect to each other with their G1/0/3 interfaces.
Trunks support all defined VLANs by default. To achieve that final requirement of disallowing any new VLANs, at least until additional configuration is added, you could remove all the other VLANs from the trunk besides VLANs 100, 200, and the (default) native VLAN 1. The sample answers use the switchport trunk allowed vlan remove 2-99,101-199,200-4094 interface subcommand to do so, which removes all VLANs except 1, 100, and 200 from the list of VLANs from 1 through 4094. Alternately, you could directly define the VLANs using the switchport trunk allowed vlan 1,100,200Â interface subcommand.
Finally, depending on how you read the requirements, you might have added the switchport nonegotiate command to the access ports (G1/0/1 and G1/0/2 on each switch) in addition to the trunk ports (G1/0/3 on each switch.) Switches disable DTP if you configure the switchport mode access command, but not on ports with the switchport mode trunk command configured. To be doubly sure, you could just use the switchport nonegotiate command on each port.
Known Issues in this Lab
This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:
# | Summary | Detail |
1 | Switch trunks must know the trunking protocol. | Packet Tracer LAN switches operate like older Cisco switch generations in that they support both ISL and 802.1Q trunking. To make a trunk work in this lab, you may need to configure the switchport trunk encapsulation dot1q command on each switch interface. Depending on the PT version and switch model used in PT, you may not need the command. |
2 | PT supports fewer switchport trunk allowed parameters | This lab suggests removing VLANs from the trunks, but Packet Tracer LAN switches do not support the related command, as seen in the answer section. Instead, if using PT, use the switchport trunk allowed vlan <list> command, where <list> is the list of VLANs to allow. |
Why Would Cisco Packet Tracer Have Issues?
(Note: The below text is the same in every Config Lab.)
Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software as real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without owning real devices.
CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.
Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. For this lab, once you have completed the configuration, try these verification steps.Â
- Test with IP pings once you complete the PC configurations as follows:
- Create configuration on PC1 and PC3 to place them in the same subnet.
- Ping PC3’s address from PC1, and vice versa. If the ping works, the traffic must have crossed the trunk in VLAN 100.
- Likewise, configure PC2 and PC4 with IP addresses in a second subnet.
- Ping PC4’s address from PC2, and vice versa. If the ping works, the traffic must have crossed the trunk in VLAN 200.
- Note that because this lab uses no routers or layer 3 switches, once working, the PCs in the same VLAN should be able to ping each other, but they should not be able to ping PCs in other VLANs.
- To test the restriction to support only VLANs 100 and 200:
- Reconfigure the switches to put the PC1 and PC3 ports into a new VLAN (300).
- Again ping PC3 from PC1; the ping should now fail because the trunk does not forward VLAN 300 traffic.
- Reconfigure the trunk to allow VLAN 300.
- Repeat the ping test, which should now work.
Hi Mr Odom, instead of configuring “switchport trunk allowed vlan remove 2-99,101-199,201-4094”, could it be valid to configure “switchport trunk allowed vlan 100,200” ?
Almeida,
Yes indeed. Even if the “remove” command worked like real switches, IOS would have morphed into into the command without “remove”, listing only the included VLANs.
This is how I configured this step.
Good question also I cant get that last command to work. It just tells me its wrong.
SW1(config-if)#switchport trunk allowed vlan remove 2-99,101-199,201-4094
^
% Invalid input detected at ‘^’ marker.
Branden,
I don’t catch all PT issues ahead of time, but this one is noted in the “Packet Tracer Issues” tab. The rejected command is due to PT not supporting the command. If you want to do the lab in PT, you’ll need to think about an alternative, like using a version of the command without the “remove” option (which seems to work better in PT.)
Dang this took me way longer to complete than I thought it would. There are a lot of CLI command issues in this one. One that was super frustrating was the following on G1/0/3 for both switches:
sw trunk allowed vlan add 100
sw trunk allowed vlan add 200
This did nothing.
It wasn’t until I typed:
sw trunk allowed vlan 100
sw trunk allowed vlan 200
Then this did not add both VLAN’s, it added only one or the other but not both.
It wasn’t until I went back and typed the original 2 commands with the ‘add’ modifier that it added both shown as 100,200.
Very frustrating!
Thanks for this thread; it helped me find “switchport trunk allowed vlan 1,100,200” where I had originally tried “switchport trunk allowed except vlan 2-199,201-1005 (my PT only had this range). This didn’t work for me either as others experienced above despite having the correct syntax per the CLI.
I did something similar, I used:
And it worked fine. I guess the first command restricted just vlan 1 in the trunk and then the second and third commands added the additional 2 vlans to achieve the result in the instructions. I pinged pc’s within the same vlans to check connectivity and they worked fine.
Wendell,
Everything mentioned in the above conversation regarding the CPT issue I ran into as well. The “known PT issues tab was very helpful and the verification tips for CPT was excellent. It worked perfectly. Let me ask you this. Do you recommend using CML over CPT for the labs as I go deeper into the tougher concepts?
Hey old guy,
From another old guy… 🙂
Short answer is yes. As you progress, you will find more and more features for which CPT drifts too far from reality to be useful. That happens a little within CCNA – but you can learn most of what you need for CCNA CLI with CPT. Doing the labs here at my site – CPT is plenty good for almost all of them. That said, if you plan to go deeper with routing and switching, say getting into CCNP Enterprise, Security, Service Provider, then you may as well start looking into alternatives like CML. If so… check out Cisco DevNet (developer.cisco.com). I think they have a CML lab there that’s enough function to kick the tires and try it out. See: https://devnetsandbox.cisco.com/RM/Topology
Wendell
Hello Wendell,
Please forgive my stupid question, I am new to networking and still trying to make sense of all these requirements. I am hoping you would be able to help me out with this question. I have attached an image to try to express my thoughts. I am hung up on which port to configure switchport trunk allowed vlan option to remove some vlans. Any explanation you can offer will be very well appreciated.
Hey Tewa,
I am going to try and help you out here. When you are using VLANs in networks that have multiple interconnected switches, the switches need to use VLAN trunking on the links between the switches. From the looks of your test lab in the “image” you created layer 2 switches interconnected switches with multiple vlans for voice and data. The links between all the switches in your lab should be configured as trunk links. If you want to restrict the vlans you created to be the only ones allowed on the “trunks links” then you can apply this interface subcommand switchport trunk allowed vlan 1-99,101-149,151-4094 on each of the trunk links between switches and that should restrict vlans 100 and 150 from the trunk. Or you could simply specify the specific vlans you want allowed on the trunk links with the same interface subcommand only switchport trunk allowed vlan 100,200,250,300,350,400,450. I am using CPT so it took the command as I entered it. Then you can verify by issuing the show interfaces trunk global config command. See my output below. Hope this helps out some. I am sure Wendell will have a much better and shorter answer when he is available.
Access2(config-if)#switchport trunk allowed vlan 1,30,40,200
Access2(config-if)#^Z
Access2#
%SYS-5-CONFIG_I: Configured from console by console
sh
Access2#show int
Access2#show interfaces t
Access2#show interfaces tr
Access2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gig1/1/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Gig1/1/1 1,30,40,200
Port Vlans allowed and active in management domain
Gig1/1/1 1,30,40,200
Port Vlans in spanning tree forwarding state and not pruned
Gig1/1/1 1,30,40,200
Thank you Ermundo for your help
Hi Tewa,
Not a stupid question – actually you’re thinking beyond the mechanisms to the application. Keep’em coming. Sorry for the delay – caught me at a distracting week.
Anyway…
Best practice would be to restrict on all the trunks between the switches. You’re correct in thinking that if you did so on each access switch only, on their ends of the trunks, you would achieve the same effect.
Also, if those VLANs were the only ones in the design anyway, you wouldn’t have to restrict them on the trunks. Instead, by virtue of not configuring the VLANs at all on the four switches (that is, for instance, no vlan 101, vlan 102, etc commands on the switches), then the only VLANs supported on the trunks will be VLAN 1 (always) and the couple that you created.
But if you have bunches more, but also want to restrict… best practice is to do so on both ends of all sw-sw trunks.
Thank you so much Wendell for taking time out of your busy schedule to respond. I am grateful
I am a little ashamed, I tried the (swtichport trunk allowed vlan remove 2-99, 101-199, 201-4094, but that didn’t work I also used the REMOVE command that didn’t work, so I used the (Remove All) and then did the (ADD) command using 1, 100, 200 but that didn’t work, so I had to do them individually does that make sense. or should I have done it another way.
I feel as if I am slow ahaha
after reading the notes I could have used the Switchport trunk allowed vlan 1,100,200
silly me
Yeah, it would be great if Packet Tracer was exactly like real gear, or at least noted where it wasn’t. Glad the notes helped! Hope the tool doesn’t get in the way too much.