Re: CCIE exam trunk allowed?

From: Fahad Khan (fahad.khan@gmail.com)
Date: Sun Aug 31 2008 - 02:42:39 ART


Yes, if the allowed vlan list does not contain the native vlan, its (native
vlan's) traffic will also be blocked.

On 8/31/08, Huan Pham <pnhuan@yahoo.com> wrote:
>
> Laduchesse,
>
> If you do not use VLAN1, then it is safe to exclude it from your ALLOW VLAN
> list.
>
>
> > If VLAN 1 is your native vlan, then it really doesn't
> > matter whether you
> > stick it in the list or not 'cause it's not tagged!
>
> Scott,
>
> Not sure if I read it correctly. Did you mean that we won't be able to block
> traffic for native VLAN? The info on the doc is not clear, and your statement
> above (based on your interpretation of the Doc info) may be inaccurate.
>
> If you do use VLAN1, then even if it is native, you can still block its
> data traffic from traversing the trunk interface. You won't be able to block
> the control traffic though (which uses VLAN1).
>
>
>
> Rack1SW2#sh int trunk
>
> Port Mode Encapsulation Status Native vlan
> Fa0/13 desirable 802.1q trunking 1
> Fa0/14 desirable 802.1q trunking 1
>
> Port Vlans allowed on trunk
> Fa0/13 2-1000
> Fa0/14 2-1000
>
> Port Vlans allowed and active in management domain
> Fa0/13 2,5,7-10,22,43,58,67,79,146
> Fa0/14 2,5,7-10,22,43,58,67,79,146
>
> Port Vlans in spanning tree forwarding state and not pruned
> Fa0/13 2,8,58
> Fa0/14 2,8,58
>
> Rack1SW2#show run
> interface FastEthernet0/13
> switchport trunk encapsulation dot1q
> switchport trunk allowed vlan 2-1000
> switchport mode dynamic desirable
> !
> interface FastEthernet0/14
> switchport trunk encapsulation dot1q
> switchport trunk allowed vlan 2-1000
> switchport mode dynamic desirable
>
>
>
> Rack1SW2#sh span vlan 1
>
> Spanning tree instance(s) for vlan 1 does not exist.
>
> Rack1SW2#sh ip int brief | in Vlan1
> Vlan1 12.0.0.2 YES manual up down
>
> Rack1SW2#ping 12.0.0.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 12.0.0.1, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
>
>
> Rack1SW2#c
> Enter configuration commands, one per line. End with CNTL/Z.
> Rack1SW2(config)#int range fa0/13-14
> Rack1SW2(config-if-range)#
> Rack1SW2(config-if-range)# switchport trunk allowed vlan 1-1000
> Rack1SW2(config-if-range)#
> Rack1SW2#
> *Mar 1 00:32:40.476: %SYS-5-CONFIG_I: Configured from console by console
> Rack1SW2#
> *Mar 1 00:33:09.895: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> Vlan1, changed state to up
> Rack1SW2#sh spanning vlan 1
>
> VLAN0001
> Spanning tree enabled protocol ieee
> Root ID Priority 32769
> Address 0014.a86b.df00
> This bridge is the root
> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
>
> Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
> Address 0014.a86b.df00
> Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
> Aging Time 15
>
> Interface Role Sts Cost Prio.Nbr Type
> ------------------- ---- --- --------- -------- --------------------------------
> Fa0/13 Desg FWD 19 128.15 P2p
> Fa0/14 Desg FWD 19 128.16 P2p
>
> Rack1SW2#ping 12.0.0.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 12.0.0.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
>
>
>
> --- On Sun, 8/31/08, Scott Morris <smorris@internetworkexpert.com> wrote:
>
> > From: Scott Morris <smorris@internetworkexpert.com>
> > Subject: RE: CCIE exam trunk allowed?
> > To: "'gui-doo laduchesse'" <gui_doo@hotmail.com>, ccielab@groupstudy.com
> > Date: Sunday, August 31, 2008, 11:20 AM
> > Per Docs:
> >
> > "Set the list of allowed VLANs that can receive and
> > send traffic on this
> > interface in tagged format when in trunking mode. See the
> > following
> > vlan-list format. The none keyword is not valid. The
> > default is all. "
> >
> > If VLAN 1 is your native vlan, then it really doesn't
> > matter whether you
> > stick it in the list or not 'cause it's not tagged!
> >
> > HTH,
> >
> >
> > Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP,
> > et al.
> > CCSI/JNCI-M/JNCI-ER
> > Senior CCIE Instructor
> >
> > smorris@internetworkexpert.com
> >
> >
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Outside US: 775-826-4344
> > Online Community: We're not allowed to tell you where
> > it is (on GS), but
> > it's easy to find!
> > CCIE Blog: All the fun stuff, and free information!
> >
> > Knowledge is power.
> > Power corrupts.
> > Study hard and be Eeeeviiiil......
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> > On Behalf Of
> > gui-doo laduchesse
> > Sent: Saturday, August 30, 2008 2:05 PM
> > To: ccielab@groupstudy.com
> > Subject: CCIE exam trunk allowed?
> >
> > Hi group,
> >
> > I would like to have your opinion about a thing. My exam is
> > next week... If
> > they ask only allowed vlan use in my topology... Do I
> > include the 1 or not?
> >
> > Thanks
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

-- 
Fahad Khan
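
A check for the situation shown in the quoted switch output (native VLAN 1 left out of the allowed list, so Vlan1 stays down and the ping fails), as an added example that is not part of the original thread. It parses `show interfaces trunk` text and reports trunks whose allowed list omits their native VLAN; the function names and the Fa0/15 rows are assumptions made for illustration.

```python
# Sample modelled on the "sh int trunk" output quoted in the thread;
# the Fa0/15 rows are constructed for contrast.
SAMPLE = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      desirable    802.1q         trunking      1
Fa0/14      desirable    802.1q         trunking      1
Fa0/15      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      2-1000
Fa0/14      2-1000
Fa0/15      1-1000

Port        Vlans allowed and active in management domain
Fa0/13      2,5,7-10,22,43,58,67,79,146
Fa0/14      2,5,7-10,22,43,58,67,79,146
Fa0/15      1-2,5,7-10,22,43,58,67,79,146
"""

def vlan_in_list(vlan, vlan_list):
    """True if vlan falls inside an IOS-style list such as '2,5,7-10'."""
    for part in vlan_list.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo.isdigit() and int(lo) <= vlan <= int(hi or lo):
            return True
    return False

def native_vlan_excluded(show_int_trunk):
    """Return {port: native_vlan} for trunks whose allowed list omits the native VLAN."""
    native, allowed, section = {}, {}, None
    for line in show_int_trunk.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":
            # A header row selects which table the rows below belong to.
            head = line.rstrip()
            section = ("native" if head.endswith("Native vlan") else
                       "allowed" if head.endswith("Vlans allowed on trunk") else None)
        elif section == "native" and fields[-1].isdigit():
            native[fields[0]] = int(fields[-1])
        elif section == "allowed" and len(fields) >= 2:
            allowed[fields[0]] = "".join(fields[1:])
    return {p: v for p, v in native.items()
            if p in allowed and not vlan_in_list(v, allowed[p])}

if __name__ == "__main__":
    print(native_vlan_excluded(SAMPLE))
```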



This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:33 ART