trunk and switchport status

notgoing2fail Member Posts: 1,138
Ok, I've been staring at configs all day. For some reason this config has me baffled, does it not look right?

interface fastethernet0/20
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport mode trunk
Now help me understand why the switchport would be set to "access vlan 10" when it is also set to "mode trunk" as well as using encapsulation dot1q.

Clearly it looks like the fellow who did this is expecting to trunk on this port no?

So what is the significance of trying to apply it to vlan 10?

Comments

  • WillTech105 Member Posts: 216
    "interface fastethernet0/20
    switchport access vlan 10
    switchport trunk encapsulation dot1q
    switchport mode trunk"

    Yeah, that vlan 10 looks a little funny. dot1q and trunk look OK, but that's actually a pretty good question. Is there any reason to assign the trunk port to a VLAN? I'm sure with VLAN pruning the trunk would still work. Maybe there's some reason for it being in VLAN 10 -- is there a description for the VLAN?
    In Progress: CCNP ROUTE
  • Heero Member Posts: 486
    I believe all it does is set the vlan if the interface is not trunking, and since it is set to trunking only, the line is irrelevant. If you had a dynamic trunk, that line would be helpful for when the port was not trunking.
  • kyoji Member Posts: 9 ■□□□□□□□□□
    My guess is for security. Perhaps he meant to use "switchport trunk native vlan"? Security-wise, you should never leave anything in the default VLAN.

    For a good read, Google: "Virtual LAN Security: weaknesses and countermeasures".
  • notgoing2fail Member Posts: 1,138
    Thanks for the suggestions guys.

    There are no comments about this port, so it's really up to me to either assume it was intentional or that it was just a misuse of the commands. Tough to say; I thought maybe it was worth posting here to see if others have run into anything like this?

  • *BB* Member Posts: 95 ■■□□□□□□□□
    If the port was previously an access port set to access vlan 10, then changed to a trunk, the "switchport access vlan 10" statement will remain regardless.

    If they are not using vlan 10 for anything, it doesn't explain why it was configured in the first place. Are they not using vlan 10?
    Procrastinator extraordinaire
  • notgoing2fail Member Posts: 1,138
    *BB* wrote: »
    If the port was previously an access port set to access vlan 10, then changed to a trunk, the "switchport access vlan 10" statement will remain regardless.

    If they are not using vlan 10 for anything, it doesn't explain why it was configured in the first place. Are they not using vlan 10?

    They are, VLAN 10 is the primary network. What you just said seems to make the most sense.

    So the port was probably a part of VLAN 10, and at some point someone must have wanted to make it a trunk without removing that command.

    I suppose in this way, if it is no longer a trunk port, it will naturally fall back to being a VLAN 10 access port?

  • greenerek Member Posts: 99 ■■□□□□□□□□
    They are, VLAN 10 is the primary network. What you just said seems to make the most sense.

    So the port was probably a part of VLAN 10, and at some point someone must have wanted to make it a trunk without removing that command.

    I suppose in this way, if it is no longer a trunk port, it will naturally fall back to being a VLAN 10 access port?

    Hi, run a sh interf fa0/20 switchport. The port can be either trunk or access. If switchport mode trunk was the last command, I think the port will be in trunking mode, and the access VLAN doesn't matter.
    Per aspera ad astra-Seneka

  • SteveO86 Member Posts: 1,423
    Ok, I've been staring at configs all day. For some reason this config has me baffled, does it not look right?

    interface fastethernet0/20
    switchport access vlan 10
    switchport trunk encapsulation dot1q
    switchport mode trunk
    Now help me understand why the switchport would be set to "access vlan 10" when it is also set to "mode trunk" as well as using encapsulation dot1q.

    Clearly it looks like the fellow who did this is expecting to trunk on this port no?

    So what is the significance of trying to apply it to vlan 10?

    Can't think of any logical reason for this..

    Ports should be either access or trunk. Leaving it in desirable mode is not best practice (they go over that in the CCNA:Sec); plus, when you issue the switchport mode access command, it can't be negotiated into a trunk in the future.

    Why would someone go back and change the port's function? I suppose that depends on what's on the other side of the port and the topology of the network.

    As far as setting the native VLAN, you want the native VLAN to be one that is not used. (Using the switchport mode trunk native vlan ###, another topic covered in the CCNA:Security to stop double tagging).
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • chmorin Member Posts: 1,446 ■■■■■□□□□□
    I'm pretty sure it is just set there, not doing anything. Say you have a port that was originally an access port, and you had it configured with an access VLAN. If you then change it over to a trunk, the access vlan command stays. It does not do anything, but it is still there.
    Currently Pursuing
    WGU (BS in IT Network Administration) - 52%| CCIE:Voice Written - 0% (0/200 Hours)
    mikej412 wrote:
    Cisco Networking isn't just a job, it's a Lifestyle.
  • kyoji Member Posts: 9 ■□□□□□□□□□
    SteveO86 wrote: »
    As far as setting the native VLAN, you want the native VLAN to be one that is not used. (Using the switchport mode trunk native vlan ###, another topic covered in the CCNA:Security to stop double tagging).

    Correct, with the new info brought forth, this does not seem to be security oriented. My thought process was, perhaps he read about dedicated trunk vlans and tried to implement it using the wrong command.

    Correct me if I'm wrong. Having dedicated trunk VLANs helps add an extra layer of security; in case the attacker is able to gain "trunk", he will have one more obstacle, as trunks must be in the same VLAN.
  • SteveO86 Member Posts: 1,423
    kyoji wrote: »
    Correct, with the new info brought forth, this does not seem to be security oriented. My thought process was, perhaps he read about dedicated trunk vlans and tried to implement it using the wrong command.

    Correct me if I'm wrong. Having dedicated trunk VLANs helps add an extra layer of security; in case the attacker is able to gain "trunk", he will have one more obstacle, as trunks must be in the same VLAN.

    That's what I foresee, a security measure gone. However, misconfigurations are typically more of a security weakness than the unsuspecting end user.

    Not sure about the term "dedicated trunk vlan", but as far as trunk security goes, setting the native VLAN to an unused VLAN is a great practice, and if you want to go another step further, you can specify which VLANs are allowed to cross the trunk using switchport trunk allowed vlan add #.

    Plus, it's also best practice to remove trunk negotiation and set them specifically as either trunk or access ports, so an attacker cannot create other trunks in your network and access other VLANs.

    That limits the attack surface.

    (Of course, that is more CCNA:Security/SWITCH material; I almost forgot this is the CCENT/CCNA forum.)

    After reading it again, by "dedicated trunk vlan" I assume you have the trunk links/ports in their own VLAN, separate from the other VLANs passing client data. The "trunk vlan" would have its own subnet requiring some Layer 3 routing; if you've got an L3 switch or the classic router-on-a-stick setup, you can do that as well. For Layer 2 switches/connections I find that setting the native VLAN is just easier.

    (Forgive me if I misinterpreted "dedicated trunk vlan"; it's not a term I am familiar with, so feel free to correct me.)
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
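    The checks discussed in this thread, as an added audit script (not from any poster or from Cisco): it parses a constructed running-config excerpt and flags, per switchport, a leftover access VLAN on a trunk, a native VLAN left at the default of 1, no allowed-VLAN list, DTP still enabled, and a mode that was never pinned. The interface names and VLAN numbers in the sample are made up for illustration.

```python
from typing import Dict, List, Optional

# Constructed sample running-config excerpt (not from a real device): the
# thread's Fa0/20 beside a hardened trunk (Fa0/21) and a plain access port.
SAMPLE_CONFIG = """\
interface FastEthernet0/20
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/22
 switchport access vlan 10
 switchport mode access
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Collect the 'switchport ...' lines under each 'interface' stanza."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith("switchport "):
            stanzas[current].append(line)
    return stanzas

def audit_switchport(lines: List[str]) -> List[str]:
    """Return finding codes for one interface's switchport lines."""
    findings: List[str] = []
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    if mode is None or mode == "dynamic":
        return ["mode-not-pinned"]          # DTP can still negotiate a trunk here
    if mode != "trunk":
        return findings                     # access port: the trunk checks do not apply
    native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
    if any(l.startswith("switchport access vlan ") for l in lines):
        findings.append("leftover-access-vlan")   # ignored while trunking; returns if mode changes
    if native == "1":
        findings.append("native-vlan-1")          # untagged frames land in VLAN 1
    if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
        findings.append("all-vlans-allowed")
    if "switchport nonegotiate" not in lines:
        findings.append("dtp-enabled")
    return findings

def audit_config(config: str) -> Dict[str, List[str]]:
    return {name: audit_switchport(lines) for name, lines in parse_interfaces(config).items()}

if __name__ == "__main__":
    for name, found in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(found) or 'ok'}")
```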
  • *BB* Member Posts: 95 ■■□□□□□□□□
    You guys are reading into this way too much. Vlan 10 is the VLAN that's being used on the switch already. Most likely this was originally an access port that was changed to a trunk, in which case the switchport access vlan 10 statement, while still there, is negated unless they change it back to an access port.
    Procrastinator extraordinaire
  • SteveO86 Member Posts: 1,423
    *BB* wrote: »
    You guys are reading into this way too much. Vlan 10 is the VLAN that's being used on the switch already. Most likely this was originally an access port that was changed to a trunk, in which case the switchport access vlan 10 statement, while still there, is negated unless they change it back to an access port.

    It's not that we're reading too much into it, just one question leading to another, and what best practice is. Maybe I did steer the thread in a more security-oriented way.

    Either way, I prefer to keep my own configs clean. I would have to remove the switchport mode access (or trunk) statement; that's just me.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • jojopramos Member Posts: 415
    +1 for *BB*. If it is configured for trunk, then it is trunked. No need to add the vlan 10. If you need to use it as an access port, then it is easy to configure it for vlan 10.
  • notgoing2fail Member Posts: 1,138
    SteveO86 wrote: »

    Either way, I prefer to keep my own configs clean. I would have to remove the switchport mode access (or trunk) statement; that's just me.

    I'm the same way; I hate having leftover commands floating around when they are of no use. Especially descriptions on interfaces that no longer connect to the proper end device!

  • Forsaken_GA Member Posts: 4,024
    *BB* wrote: »
    You guys are reading into this way too much. Vlan 10 is the VLAN that's being used on the switch already. Most likely this was originally an access port that was changed to a trunk, in which case the switchport access vlan 10 statement, while still there, is negated unless they change it back to an access port.

    +1

    Just a lazy admin who didn't clean up his configurations after himself. Probably didn't set a description on the interface either.