
Use of VLAN allowed feature and security risk associated with not configuring it

Network Engineering Asked by PDHide on December 24, 2020

If I have 3 VLANs, say 10, 20, 30:

If I don't assign allowed VLANs to a trunk port, what are the security risks I could face if I am using the default allowed VLAN range?

What are the benefits of the VLAN allowed feature?

Thanks in advance 🙂

3 Answers

Generally, you'll want to secure VLAN membership for all ports that you don't control on both link ends. If a trunk port - or rather the link partner - can simply join any VLAN they want then an attacker can very easily penetrate each VLAN. This is called VLAN hopping.

You can leave trunk ports unsecured when the link is entirely within your control - your switches, your routers, your hosts - and these links are physically secured on both ends, i.e. in locked closets or cabinets. This may simplify your administration, depending on how you do things.

However, if VLAN separation is part of your security concept it's utterly foolish to leave it to "someone else" to choose the VLANs they connect to.

Correct answer by Zac67 on December 24, 2020

The VLAN allowed feature allows us to allow only the specific VLANs which we specify on the trunk port.

**For example**

Switch(config)#int f0/1

Switch(config-if)#switchport mode trunk

Switch(config-if)#switchport trunk allowed vlan 10,20,30

Switch(config-if)#no shutdown

Allowing specific VLANs is good practice instead of allowing all VLANs, because the network is isolated precisely. If devices connected on VLAN 10 have been exposed to a vulnerability, only the hosts connected to VLAN 10 will be under serious threat; other VLANs won't have any issue because they are already isolated.

Answered by Sagar Uragonda on December 24, 2020
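An added check, not part of any answer here, that a defender could run over a saved `show running-config`: it flags trunk ports whose allowed list is missing (the default, i.e. every VLAN) or wider than the VLANs the switch is meant to carry. The sample config and the expected set {10, 20, 30} are constructed for this example, echoing the f0/1 configuration above.

```python
import re

# Constructed sample running-config (not from a real device): the answer's
# f0/1 with VLANs 10,20,30 beside two trunks whose allowed list is weaker.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 10-30,99
!
"""

# One 'interface <name>' line followed by its indented lines.
STANZA = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.M)

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10-30,99' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    """Map each interface name to its stripped config lines."""
    return {name: [line.strip() for line in body.splitlines()]
            for name, body in STANZA.findall(config)}

def audit_trunks(config, expected):
    """Return {interface: finding} for trunks that may carry VLANs outside 'expected'.
    Only the plain 'switchport trunk allowed vlan <list>' form is interpreted."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue  # access ports are out of scope for this check
        allowed = [l for l in lines if l.startswith("switchport trunk allowed vlan ")]
        spec = allowed[-1].split()[-1] if allowed else "all"
        if spec == "all":
            findings[name] = "no restrictive allowed list: trunk carries every VLAN"
            continue
        extra = sorted(parse_vlan_list(spec) - expected)
        if extra:
            findings[name] = f"allowed list includes VLANs not meant for this switch: {extra}"
    return findings
```

Running `audit_trunks(SAMPLE_CONFIG, {10, 20, 30})` reports FastEthernet0/2 (default allowed list) and FastEthernet0/3 (range 10-30 plus 99) and stays silent on f0/1.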

You would allow things like unknown unicast, broadcast, and multicast frames for VLANs not used on the switch to get to the switch, which will unnecessarily waste bandwidth on the trunk that may otherwise be needed for the VLANs actually used on the switch.

Also, when there is a broadcast storm on a VLAN not used on the switch, you could overload the switch. Blocking unused VLANs could keep the switch functional and isolate a broadcast storm or STP failure.


The best practices are to only allow a VLAN on a single access switch. You can have multiple VLANs on an access switch, but they do not go to any other access switch, and an access switch only connects to distribution switches, not any other access switch. You also do not allow access interfaces on the distribution switch(es). This will prevent most layer-2 problems on the network, and isolate any to a single access switch.

Taking that even further, you can now run layer-3 between the distribution and access to further isolate any layer-2 problems.

Answered by Ron Maupin on December 24, 2020
