
Forum Discussion

peos42
Tutor
Mar 04, 2018
Solved

Forbidden VLANs

Hi all

 

Let's assume I configure a trunk port this way....

--snip--

interface 1/xg26
description 'SERVER3'
switchport mode trunk
switchport trunk native vlan 2026
switchport trunk allowed vlan 2-4,21,899,2026
exit

--snip--

 

and an access port this way...

--snip--

interface 1/g10
description 'VLAN 2 - XPY transmitter'
switchport mode access
switchport access vlan 2
exit

--snip--

 

Will that mean a command like this:

vlan participation exclude 999,1201

 

is meaningless and has no effect. The question is if

switchport trunk allowed vlan 2-4,21,899,2026

on the trunk port, and

switchport access vlan 2

on the access port

automatically forbids all other VLANs.

 

Tnx

/Peo

  • I am satisfied by doing exclude. Therefore I do not want to spend more time with a private chat. Also... I think the community deserves to know. To get help in the forum is one thing. To share info is another. The second one is not fulfilled if going into a private chat.

     

    As I have a workaround with the exclude (that I think should not be needed), I am done in this thread. But I do think NETGEAR should consider clarifying this for all, as it is a security matter.

     

    Tnx for your time

    /Peo

8 Replies

  • Hi again. 

     

    Did some more checks. It at least seems like there is a potential security issue by not using..

    vlan participation exclude <vlannum>

     

    At least for VLAN 1 that seems to be allowed anyway..... Or do I interpret the output of the show command wrong?


    (switch0.incedo.org) #show running-config interface 1/g3

    !Current Configuration:
    !
    interface 1/g3
    description 'TRUNK - Switch 2 level3'
    switchport mode trunk
    switchport trunk native vlan 2003
    switchport trunk allowed vlan 2-4,21,899,2003
    exit

     

    (switch0.incedo.org) #show interfaces switchport 1/g3

    Port: 1/g3
    VLAN Membership Mode: Trunk
    Access Mode VLAN: 1 (default)
    General Mode PVID: 1 (default)
    General Mode Ingress Filtering: Disabled
    General Mode Acceptable Frame Type: Admit all
    General Mode Dynamically Added VLANs:
    General Mode Untagged VLANs: 1
    General Mode Tagged VLANs:
    General Mode Forbidden VLANs:
    Trunking Mode Native VLAN: 2003
    Trunking Mode Native VLAN tagging: Disable
    Trunking Mode VLANs Enabled: 2-4,21,899,2003
    Protected Port: False

     

    •
      peos42
      Tutor

      Is this maybe the wrong part of the forum for such questions?

       

      Tnx

      Peo

      •
        DaneA
        NETGEAR Employee Retired

        Hi peos42,

         

        Welcome to the community! :) 

         

        I raised your concern with the higher tier of NETGEAR Support. As per the higher tier of NETGEAR Support, when using the switchport trunk allowed vlan command, if the switch port receives traffic with a VLAN tag for a VLAN ID not in the allowed list, it will drop the packet.

         

        For reference, kindly read page 416 of the CLI Command Reference manual here.

         

        The command vlan participation exclude is used so the interface (port) is never a member of a particular VLAN. This is equivalent to registration forbidden.

         

         

        Regards,


        DaneA

        NETGEAR Community Team
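The thread boils down to one set difference per port: which VLANs in the switch database are kept off a port only implicitly (not in the trunk's allowed list, or not the access VLAN) versus explicitly (`vlan participation exclude`). The script below is an added example, written for this page and not NETGEAR's code or tooling. It parses the interface stanzas posted above (embedded as constructed sample input, with the exclude the original poster settled on added to 1/g3), applies the semantics NETGEAR Support described (tagged frames with a VID outside the allowed list are dropped; an access port carries only its access VLAN; an excluded VLAN is never a member), and reports the implicitly blocked set per port. The VLAN database contents, the default native/access VLAN of 1, and the assumption that a trunk with no allowed list carries every VLAN are all assumptions for the example, marked in comments; the `add`/`remove`/`all` forms of the allowed-vlan command are not handled.

```python
"""Audit which VLANs each switchport in a NETGEAR-style running-config accepts.

Added example for this forum thread, not NETGEAR code. It encodes the semantics
stated in the reply from NETGEAR Support: on a trunk, tagged frames whose VID
is not in the 'switchport trunk allowed vlan' list are dropped; an access port
carries only its access VLAN; 'vlan participation exclude' removes the port
from a VLAN outright.
"""
import re

# Constructed sample: the interface stanzas posted in the thread, plus the
# explicit exclude the original poster adopted as a workaround (put on 1/g3).
SAMPLE_CONFIG = """\
interface 1/xg26
description 'SERVER3'
switchport mode trunk
switchport trunk native vlan 2026
switchport trunk allowed vlan 2-4,21,899,2026
exit
interface 1/g10
description 'VLAN 2 - XPY transmitter'
switchport mode access
switchport access vlan 2
exit
interface 1/g3
description 'TRUNK - Switch 2 level3'
switchport mode trunk
switchport trunk native vlan 2003
switchport trunk allowed vlan 2-4,21,899,2003
vlan participation exclude 999,1201
exit
"""

# Assumption: VLANs present in the switch's VLAN database. Constructed from the
# IDs mentioned in the thread plus the default VLAN 1.
SWITCH_VLANS = {1, 2, 3, 4, 21, 899, 999, 1201, 2003, 2026}


def expand_vlan_list(spec):
    """Expand a CLI VLAN list such as '2-4,21,899' into {2, 3, 4, 21, 899}."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Parse 'interface ... exit' stanzas into per-port dicts.

    Only the commands that appear in the thread are understood; the
    'add'/'remove'/'all' variants of the allowed-vlan command are not handled.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            # Assumption: native and access VLAN default to 1, as the
            # 'show interfaces switchport' output in the thread reports.
            current = {"mode": None, "native": 1, "allowed": None,
                       "access": 1, "excluded": set()}
            interfaces[m.group(1)] = current
            continue
        if current is None:
            continue
        if line == "exit":
            current = None
        elif line.startswith("switchport mode "):
            current["mode"] = line.split()[-1]
        elif line.startswith("switchport trunk native vlan "):
            current["native"] = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            current["allowed"] = expand_vlan_list(line.split()[-1])
        elif line.startswith("switchport access vlan "):
            current["access"] = int(line.split()[-1])
        elif line.startswith("vlan participation exclude "):
            current["excluded"] |= expand_vlan_list(line.split()[-1])
    return interfaces


def accepted_vlans(iface, switch_vlans=SWITCH_VLANS):
    """VLANs the port forwards, after explicit excludes are applied."""
    if iface["mode"] == "trunk":
        # Assumption for the example: a trunk with no explicit allowed list
        # carries every VLAN in the database.
        base = iface["allowed"] if iface["allowed"] is not None else set(switch_vlans)
    elif iface["mode"] == "access":
        base = {iface["access"]}
    else:
        base = set()
    return base - iface["excluded"]


def audit(config, switch_vlans=SWITCH_VLANS):
    """Per port: accepted VLANs, VLANs blocked only by the allowed/access
    configuration, and VLANs blocked by an explicit exclude."""
    report = {}
    for name, iface in parse_interfaces(config).items():
        accepted = accepted_vlans(iface, switch_vlans)
        blocked = switch_vlans - accepted
        report[name] = {
            "accepted": accepted,
            "implicitly_blocked": blocked - iface["excluded"],
            "explicitly_excluded": iface["excluded"] & switch_vlans,
        }
    return report


if __name__ == "__main__":
    for name, r in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{name}: accepted={sorted(r['accepted'])} "
              f"implicitly_blocked={sorted(r['implicitly_blocked'])} "
              f"explicitly_excluded={sorted(r['explicitly_excluded'])}")
```

Run against the sample, 1/g3 reports VLANs 999 and 1201 as explicitly excluded and VLANs 1 and 2026 as blocked only by the allowed list; that second set is the one to compare against a packet test (send a frame tagged with one of those IDs into the trunk and confirm it is dropped) before deciding whether the explicit exclude is needed on your firmware.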
