Lab Objective:
The objective of this lab exercise is for you to learn and understand how to restrict VLANs traversing trunks. By default, all VLANs are allowed to traverse trunks.
Lab Purpose:
VLAN trunk restriction is a fundamental skill. By default, all VLANs traverse trunks. However, in some cases, this may result in unnecessary VLANs being propagated, and this may pose a security risk. As a Cisco engineer, as well as in the Cisco CCNA exam, you will be expected to know how to restrict VLANs from traversing trunks.
Certification Level:
This lab is suitable for CCNA certification exam preparation.
Lab Difficulty:
This lab has a difficulty rating of 6/10.
Readiness Assessment:
When you are ready for your certification exam, you should complete this lab in no more than 15 minutes.
Lab Topology:
Please use the following topology to complete this lab exercise:
Task 1:
In preparation for VLAN configuration, configure a hostname on Sw1 and Sw2 as illustrated in the topology.
Task 2:
Configure and verify Sw1 and Sw2 as VTP Transparent switches. Both switches should be in the VTP domain named CISCO. Configure the switches to use legacy VTP version 1. Configure FastEthernet0/1 as a trunk between Sw1 and Sw2.
Task 3:
Configure and verify your VLAN configuration on switches Sw1 and Sw2 and ensure that the two configurations are identical.
Task 4:
Allow only VLAN 2040 to traverse the trunk link on Sw1 and verify your configuration.
Configuration and Verification
Task 1:
For reference information on configuring hostnames, please refer to earlier labs.
Task 2:
Sw1#config t
Enter configuration commands, one per line. End with CTRL/Z.
Sw1(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Sw1(config)#vtp domain CISCO
Changing VTP domain name from Null to CISCO
Sw1(config)#vtp version 1
Sw1(config)#vlan 2010
Sw1(config-vlan)#name SALES
Sw1(config-vlan)#exit
Sw1(config)#vlan 2020
Sw1(config-vlan)#name MANAGERS
Sw1(config-vlan)#exit
Sw1(config)#vlan 2030
Sw1(config-vlan)#name ENGINEERS
Sw1(config-vlan)#exit
Sw1(config)#vlan 2040
Sw1(config-vlan)#name SUPPORT
Sw1(config-vlan)#exit
Sw1(config)#interface fastethernet0/1
Sw1(config-if)#switchport mode trunk

Sw2#config t
Enter configuration commands, one per line. End with CTRL/Z.
Sw2(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Sw2(config)#vtp domain CISCO
Changing VTP domain name from Null to CISCO
Sw2(config)#vtp version 1
Sw2(config)#vlan 2010
Sw2(config-vlan)#name SALES
Sw2(config-vlan)#exit
Sw2(config)#vlan 2020
Sw2(config-vlan)#name MANAGERS
Sw2(config-vlan)#exit
Sw2(config)#vlan 2030
Sw2(config-vlan)#name ENGINEERS
Sw2(config-vlan)#exit
Sw2(config)#vlan 2040
Sw2(config-vlan)#name SUPPORT
Sw2(config-vlan)#exit
Sw2(config)#interface fastethernet0/1
Sw2(config-if)#switchport mode trunk
Task 3:
For reference information on configuring and verifying VLANs, please refer to earlier labs.
Task 4:
Sw1#conf t
Enter configuration commands, one per line. End with CTRL/Z.
Sw1(config)#interface fastethernet0/1
Sw1(config-if)#switchport trunk allowed vlan 2040
Sw1(config-if)#^Z
Sw1#
Sw1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native Vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       2040
NOTE: By default, ALL configured VLANs are allowed to traverse ALL configured trunk links. You can restrict certain VLANs to certain trunks by using the switchport trunk allowed vlan command. You can experiment with this command, which can also add or remove ranges of VLANs, so please spend some time trying out all the options. Beware that it can remove VLANs that are currently allowed if you do not enter the correct inputs.
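The following Python script is an added example and is not part of the lab or of Cisco IOS. It models how the IOS switchport trunk allowed vlan keywords (a bare list, add, remove, except, all, none) change a trunk's allowed-VLAN list, which makes the pitfall in the NOTE above concrete: a bare list such as "switchport trunk allowed vlan 2040" replaces the whole allowed list, while "add" merges into it. It also parses the "Vlans allowed on trunk" section of show interfaces trunk output (the sample output below is constructed to match the Task 4 verification) and audits each trunk against the VLAN set you intended to allow, so trunks still carrying the default 1-4094 stand out. The function names and the sample output are assumptions of this example.

```python
"""Model of IOS 'switchport trunk allowed vlan' semantics plus an audit of
'show interfaces trunk' output. Added example; not part of the lab or IOS."""
from __future__ import annotations

import re

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = set(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_list(text: str) -> set[int]:
    """Expand an IOS VLAN list such as '2010,2020-2040' into a set of ids."""
    vlans: set[int] = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (VLAN_MIN <= lo_i <= hi_i <= VLAN_MAX):
            raise ValueError(f"VLAN range out of bounds: {part}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def format_vlan_list(vlans: set[int]) -> str:
    """Collapse a set of VLAN ids back into IOS range notation."""
    if not vlans:
        return "none"
    ids = sorted(vlans)
    ranges: list[str] = []
    start = prev = ids[0]
    for v in ids[1:]:
        if v == prev + 1:
            prev = v
            continue
        ranges.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = v
    ranges.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(ranges)


def apply_allowed_vlan(current: set[int], args: str) -> set[int]:
    """Apply one 'switchport trunk allowed vlan <args>' to the allowed list.

    The keywords are the real IOS ones. A bare list REPLACES the whole
    allowed list instead of merging, which is the pitfall the lab NOTE warns about.
    """
    keyword, _, rest = args.strip().partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return ALL_VLANS - parse_vlan_list(rest)
    return parse_vlan_list(args)  # bare list: replaces, does not add


# Constructed sample, laid out like the Task 4 'show interfaces trunk' output.
SAMPLE_SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native Vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       2040

Port        Vlans allowed and active in management domain
Fa0/1       2040
"""


def parse_show_trunk_allowed(output: str) -> dict[str, set[int]]:
    """Return {port: allowed VLAN set} from the 'Vlans allowed on trunk' section."""
    allowed: dict[str, set[int]] = {}
    in_section = False
    for line in output.splitlines():
        if line.startswith("Port"):
            in_section = "Vlans allowed on trunk" in line
            continue
        if not in_section or not line.strip():
            continue
        m = re.match(r"^(\S+)\s+(\S+)\s*$", line)
        if m:
            port, vlist = m.groups()
            allowed[port] = set() if vlist == "none" else parse_vlan_list(vlist)
    return allowed


def audit_trunks(allowed: dict[str, set[int]], intended: set[int]) -> dict[str, str]:
    """Report ports that allow VLANs outside the intended set (e.g. default 1-4094)."""
    return {port: format_vlan_list(vlans - intended)
            for port, vlans in allowed.items() if vlans - intended}


if __name__ == "__main__":
    trunk = set(ALL_VLANS)                       # IOS default on a new trunk
    trunk = apply_allowed_vlan(trunk, "2040")    # Task 4: only VLAN 2040
    print("after bare list:", format_vlan_list(trunk))
    trunk = apply_allowed_vlan(trunk, "add 2010")
    print("after add:", format_vlan_list(trunk))
    print("after another bare list:", format_vlan_list(apply_allowed_vlan(trunk, "2020")))
    print("audit:", audit_trunks(parse_show_trunk_allowed(SAMPLE_SHOW_TRUNK), {2040}))
```

Run it and compare the "after add" and "after another bare list" lines: the second bare list silently drops VLANs 2010 and 2040 from the trunk, which is exactly the mistake to watch for when tightening trunks in production. The audit function is the check a defender would run across saved show output to confirm that no trunk still allows the default full range.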