Accidentally Removed Allowed VLANs from Cisco Switch Dot1Q Trunk

24

3

I am adding a new VLAN to an existing trunk port between two Cisco Catalyst switches (3750's). In the process of adding the new VLAN, it appears that I've removed the existing allowed VLANs on the trunk... How is this possible?

Existing trunk port configuration:

SW-LAB-1#show run int g1/0/49
Building configuration...

Current configuration : 255 bytes
!
interface GigabitEthernet1/0/49
 description SW-LAB-2 G1/0/48
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
end

I used the following syntax to also allow VLAN 30:

SW-LAB-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW-LAB-1(config)#interface g1/0/49
SW-LAB-1(config-if)#switchport trunk allow vlan 30

However now, my running config on g1/0/49 is missing VLANs 10 and 20!

<SNIP>
switchport trunk allowed vlan 30
</SNIP>

What am I missing?

Brett Lykins

Posted 2013-05-28T05:28:43.470

Reputation: 6 783

13Classic error. I've seen this happen so many times. ADD is your saviour here :) – mellowd – 2013-05-28T06:31:26.420

Answers

38

You need to use the following command to add your VLAN 30 to an existing Dot1Q trunk on a Cisco Catalyst switch:

switchport trunk allowed vlan add 30

Otherwise IOS just thinks you're trying to overwrite the existing configuration and you are left with an accidentally deleted set of allowed VLANs.

You could similarly use "remove" in place of "add" to remove only one VLAN. See the entire syntax below. (It is actually the same syntax in Cisco Nexus OS or IOS, FYI.)

SW-FOO(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

Another option is to put all of your allowed VLANs into the command, like so:

switchport trunk allowed vlan 10,20,30

This option is more time consuming but also works.

Brett Lykins

Posted 2013-05-28T05:28:43.470

Reputation: 6 783

1Cisco might have avoided much confusion with this command by using "vlans" (plural) to indicate the definitive list of allowed vlans and just "vlan" (singular) to indicate an implied add operation. – generalnetworkerror – 2013-05-28T05:43:49.587

12I recommend dropping dangerous commands like this in TACACS that you cannot do 'switchport trunk allowed vlan X' without add/remove/none. Then work flow for new port is 'switchport trunk allowed vlan none', 'switchport trunk allowed vlan add 42'. Has saved us bunch of downtime. 'no router isis' is also dangerous (accidentally enter it in interface, forgetting 'IP', and you remove ISIS from whole box') – ytti – 2013-05-28T06:59:01.350

What we typically do as a precaution is mandate that the engineers doing this type of configuration enter a "reload 5" command such that if ever they do make the mistake, the switch will reload to its previous configuration a few minutes later. This is also making us look at automation solutions for our more critical environments, to avoid having people hack away at the CLI altogether. – Jeremy Gibbons – 2016-07-03T06:43:29.963

8

To add VLANs to a trunk you have to use the following syntax:

switchport trunk allowed vlan add 30

To remove a VLAN from the trunk you need to use the remove syntax:

switchport trunk allowed vlan remove 30

When you don't use add/remove you're telling the port to only configure the new VLAN.

This is a common error. If your platform supports it you can use the Cisco Embedded Event Manager to forbid this harmful syntax:

event manager applet forbid-vlan-trunk
 event cli pattern "switchport trunk allowed vlan\s+[0-9]" skip yes sync no
 action 1.0 syslog msg "switchport trunk allowed vlan MUST be configured via add/remove"

Sebastian

Posted 2013-05-28T05:28:43.470

Reputation: 5 528

1Or use TACACS and configuration command authorization when EEM is not available. – aakso – 2013-05-31T09:53:42.283

1Handy. Would be better to adjust the script to also send output to the console – mellowd – 2013-05-31T10:31:28.127

1I'm not aware that EEM can send output to the console. Can you give an example? – Sebastian – 2013-05-31T10:36:29.327

0

Short answer: There are two modes for specifying vlans: one explicitly sets (overwrites) the list [this is the one you used], the other adds or removes the specified vlans.

(Every vendor does this differently, so tread lightly.)

Ricky Beam

Posted 2013-05-28T05:28:43.470

Reputation: 21 142

0

Like stated in previous answers, "add/remove/none" is your (only) friend...

switchport trunk allowed vlan add 30

As mentionned by ytti, I recommend dropping dangerous commands like this in TACACS that you cannot do 'switchport trunk allowed vlan X' without add/remove/none.

Why I added this answer is because Brett's second suggestion

switchport trunk allowed vlan 10,20,30

is really a bad idea

Let's say you use vlan 900 for management (stupid idea by the way, you'll see why)

port configuration with a show run:

interface Gi1/0/1
 ...
 switchport trunk allowed vlan 1,2,5,51,101,235,245,247
 switchport trunk allowed vlan add 507,539,900,1058,2677
 ...

please note that cisco is using 2 lines for easier ready and copy/paste, with an "add" on the second line... why not?

Now, let's say I want to add vlan 30...

first solution :

 switchport trunk allowed vlan add 30

Great! it's working, let's have a beer now.

Second solution :

 switchport trunk allowed vlan 1,2,5,30,51,101,235,245,247

and... hum.. hey? WTF!!! I cannot paste the second part of my command

 switchport trunk allowed vlan add 507,539,900,1058,2677

Unfortunately, vlan 900 is not anymore configured on the switch, the switch is unreacheable since it was used for management.

So :

  • use add/remove/none, always
  • use a small Vlan ID for management (<10)

Golgot

Posted 2013-05-28T05:28:43.470

Reputation: 330

-3

when Adding VLAN without removing other VLAN use this command

switchport trunk allowed vlan add 30

this will add Vlan 30 to the trunk without removing the existing vlans in trunk interface

Cheers

Gopi

Posted 2013-05-28T05:28:43.470

Reputation: 1

How does this add anything to the accepted answer? – Ron Maupin – 2016-06-10T23:23:41.793