[c-nsp] Not Allowing Vlan 1 on trunk ports

Eric Gauthier eric at roxanne.org
Sun Jan 18 09:13:44 EST 2009


Ronnie,

> switchport trunk allowed vlan 2-4094, or specify exactly the vlans you want
> passing over the trunk, eg.
> 
> interface GigabitEthernet0/14
>   switchport trunk encapsulation dot1q
>   switchport mode trunk
>   switchport trunk allowed vlan 2,10,200-300
> !

Though not exactly what you asked, you should also
be careful of the native vlan on an 802.1q interface.
In the example above, the native vlan for the port 
is the default, vlan 1, so any untagged packets
will be assigned to vlan 1.  The easy fix for this
is to just change the native vlan to something else.
I can't remember if you do this by setting an
access vlan (switchport access vlan X) or 
if there's a command under "switchport trunk",
but I think the configuration might look like:

  interface GigabitEthernet0/14
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk allowed vlan 2,10,200-300
    ! the access vlan only takes effect if the port ever drops back to access mode
    switchport access vlan X
    ! the native vlan is where untagged frames on the trunk land instead of vlan 1
    switchport trunk native vlan X
    ! stop sending and answering DTP so the far end cannot negotiate trunking
    switchport nonegotiate
  !

Depending on the IOS version, you might also consider
disabling DTP with "switchport nonegotiate".
(http://www.cisco.com/en/US/tech/tk389/tk390/tk181/tsd_technology_support_sub-protocol_home.html)

Eric :)
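The three points raised above (keep VLAN 1 off the allowed list, move the native VLAN off the default of 1, and turn off DTP with "switchport nonegotiate") lend themselves to an automated check. The following is an added example, not code from the original post or from Cisco: a small Python audit that reads an IOS running-config, works out each trunk's effective settings (applying the IOS defaults of native VLAN 1 and "allowed vlan all" when nothing is configured), and reports the trunks that still have one of the three problems. The sample config is constructed for the example, and the parser assumes the usual IOS layout of interface sub-commands indented one space with "!" separators; the allowed-vlan handling covers only the keyword forms listed in the code.

```python
"""Audit Cisco IOS trunk ports for: VLAN 1 still allowed, native VLAN
left at the default (1), and DTP still enabled (no 'switchport nonegotiate').
Constructed example; not a Cisco tool."""

ALL_VLANS = frozenset(range(1, 4095))

# Constructed sample running-config for the example.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/14
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,10,200-300
!
interface GigabitEthernet0/15
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,10,200-300
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/16
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
"""


def expand_vlan_list(spec):
    """'2,10,200-300' -> {2, 10, 200, 201, ..., 300}"""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config_text):
    """Return {interface name: [sub-command, ...]} for each interface stanza.
    Assumes IOS layout: sub-commands indented one space, anything
    non-indented (including '!') ends the stanza."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif not line.startswith(" "):
            current = None
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def trunk_state(lines):
    """Effective trunk settings for one interface, starting from IOS defaults:
    no explicit mode, all VLANs allowed, native VLAN 1, DTP enabled."""
    state = {"mode": "dynamic", "allowed": set(ALL_VLANS),
             "native": 1, "nonegotiate": False}
    prefix = "switchport trunk allowed vlan "
    for line in lines:
        if line == "switchport mode trunk":
            state["mode"] = "trunk"
        elif line == "switchport mode access":
            state["mode"] = "access"
        elif line == "switchport nonegotiate":
            state["nonegotiate"] = True
        elif line.startswith("switchport trunk native vlan "):
            state["native"] = int(line.rsplit(None, 1)[1])
        elif line.startswith(prefix):
            arg = line[len(prefix):].strip()
            if arg == "all":
                state["allowed"] = set(ALL_VLANS)
            elif arg == "none":
                state["allowed"] = set()
            elif arg.startswith("add "):
                state["allowed"] |= expand_vlan_list(arg[4:])
            elif arg.startswith("remove "):
                state["allowed"] -= expand_vlan_list(arg[7:])
            elif arg.startswith("except "):
                state["allowed"] = set(ALL_VLANS) - expand_vlan_list(arg[7:])
            else:
                state["allowed"] = expand_vlan_list(arg)
    return state


def audit(config_text):
    """Return {interface: [finding, ...]} for every trunk port with a problem."""
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        st = trunk_state(lines)
        if st["mode"] != "trunk":
            continue  # access ports and unconfigured ports are out of scope here
        problems = []
        if 1 in st["allowed"]:
            problems.append("vlan 1 allowed on trunk")
        if st["native"] == 1:
            problems.append("native vlan is the default (1)")
        if not st["nonegotiate"]:
            problems.append("DTP still enabled (no 'switchport nonegotiate')")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for iface, problems in sorted(audit(SAMPLE_CONFIG).items()):
        for p in problems:
            print(f"{iface}: {p}")
```

Run against the constructed config, GigabitEthernet0/14 (the port from the thread, before the native VLAN and nonegotiate lines are added) is flagged for the default native VLAN and for DTP, GigabitEthernet0/16 for all three, and GigabitEthernet0/15 passes. Feed it "show running-config" output from a real switch to get the same report for a live box.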
