My friend works for a hosting company. The other night he and I were discussing his company’s policy of allowing only certain vlans over their internal trunk links. Actually, it’s common practice, and a good security measure, to allow only the necessary vlans over your trunk links. By limiting which vlans can propagate across the link, you also limit the opportunity for exploitation of your traffic and save resources.

When vlans are created, traffic is virtually segmented and each vlan acts as a container for the traffic within it. That is to say, when you configure vlans you segment your network at layer 2: devices in two separate vlans should no longer be able to communicate with one another at layer 2 (the trunk attacks discussed below are precisely attempts to break that assumption). Only with the addition of some kind of inter-vlan routing can the devices communicate again. At layer 3 each vlan can be treated as a network, commonly one vlan equals one subnet, and routed between. This allows the use of layer 3 security controls such as Access Control Lists (ACLs), and takes advantage of the fact that routers inherently stop broadcasts from propagating beyond the segment.

There are two good reasons to limit which vlans can traverse a trunk link. The first is security. Trunk links by nature carry traffic from multiple vlans, so an attack that succeeds on one of them reaches more than a single segment. Various attacks exist, such as double tagging and other vlan hopping attacks, where an attacker tries to “jump” from one vlan to another in order to capture or inject traffic. A vlan that is not in the trunk’s allowed list is dropped at the receiving trunk port however the frame is tagged, so a tight allowed list shrinks the set of vlans such an attack can ever land in. The second major reason is overhead: why waste resources flooding broadcast, multicast and unknown-unicast frames across a link for vlans the device on the other side doesn’t need? Therefore it’s good practice to control the vlans on your trunk links.

The following syntax can be used on Cisco IOS to allow only vlan 20 on that particular trunk:

SW1(config)# interface f0/1
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 20

One common problem arises when the administrator wants to allow multiple vlans. Say we already have a list of vlans allowed on our trunk and want to add one more. The problem is that the syntax above replaces the existing list and leaves only vlan 20; it does not append. The parser reads it as “allow ONLY vlan 20”. This is the documented behaviour of the command rather than a quirk of a particular IOS version, so check the running config before touching a trunk that already carries a list. If we want to add vlan 20 to an existing list, we use the add keyword (remove is its counterpart for taking a vlan away):

SW1(config)# interface f0/1
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan add 20

We can also specify a range of vlans to be allowed (a list may mix single vlans and ranges, separated by commas):

SW1(config-if)# switchport trunk allowed vlan 20-60

Or allow all vlans except a few. Note that this is the loosest form: every vlan other than those listed, including any created later, is allowed on the trunk, which is the opposite of a deny-by-default list:

SW1(config-if)# switchport trunk allowed vlan except 20
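To see the replace-versus-add pitfall and the other subcommand forms (range, except, remove, all, none) without a switch to hand, here is a small model of how IOS interprets the allowed-vlan subcommand. It is an added example written for this post, not Cisco code; the 1-4094 vlan range, the default of all vlans allowed on a new trunk and the semantics of each keyword are taken from the documented command behaviour, and the interface stanzas fed to it are constructed.

```python
# Model of the `switchport trunk allowed vlan` subcommand forms.
# Added example for this post (not Cisco code). Assumes the documented
# semantics: a bare list REPLACES the allowed list, add/remove edit it,
# except means "everything but", all/none set it wholesale. A new trunk
# starts with all vlans (1-4094) allowed.

VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))


def parse_vlan_list(text):
    """Parse IOS list notation such as '20,30-35,100' into a set of ints."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError("bad vlan or range: %r" % part)
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Render a set back into compact IOS notation, e.g. '10,20-22,30'."""
    ordered = sorted(vlans)
    out, i = [], 0
    while i < len(ordered):
        start = ordered[i]
        while i + 1 < len(ordered) and ordered[i + 1] == ordered[i] + 1:
            i += 1
        end = ordered[i]
        out.append(str(start) if start == end else "%d-%d" % (start, end))
        i += 1
    return ",".join(out)


def apply_allowed_vlan(current, args):
    """Apply one 'switchport trunk allowed vlan <args>' to the current set."""
    words = args.split(None, 1)
    if not words:
        raise ValueError("allowed vlan needs a list or keyword")
    keyword = words[0].lower()
    rest = words[1] if len(words) > 1 else ""
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        # Everything not listed, including vlans that do not exist yet.
        return set(ALL_VLANS - parse_vlan_list(rest))
    # Bare list: this is the pitfall. It replaces the list, it does not append.
    return parse_vlan_list(args)


def run_config(lines):
    """Walk an interface stanza in order and return the final allowed set."""
    allowed = set(ALL_VLANS)  # trunk default: every vlan allowed
    prefix = "switchport trunk allowed vlan"
    for line in lines:
        line = line.strip()
        if line.startswith(prefix):
            allowed = apply_allowed_vlan(allowed, line[len(prefix):].strip())
    return allowed


# Constructed stanzas: the same intent, typed two ways.
WRONG = ["switchport mode trunk",
         "switchport trunk allowed vlan 10,30",
         "switchport trunk allowed vlan 20"]        # wipes 10 and 30
RIGHT = ["switchport mode trunk",
         "switchport trunk allowed vlan 10,30",
         "switchport trunk allowed vlan add 20"]    # keeps them

if __name__ == "__main__":
    print("bare list twice:", format_vlan_list(run_config(WRONG)))   # 20
    print("with add       :", format_vlan_list(run_config(RIGHT)))   # 10,20,30
    loose = run_config(["switchport trunk allowed vlan except 20"])
    print("except 20 allows", len(loose), "vlans")                   # 4093
```

The point of the last line is the one the except form hides: “everything but 20” is 4093 vlans, most of which nobody has created yet, so a trunk configured that way silently picks up every future vlan.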

A note on VTP Pruning:

If you use VLAN Trunking Protocol (VTP) on your network, then a feature known as pruning can be used to automatically stop unnecessary vlans being flooded across trunk links. It works by determining which switches have active ports in which vlans, and then pruning from each trunk, per direction, the vlans that nothing on the far side needs. It is a handy feature which largely automates the management of vlans on trunks, though you don’t get the same control as with a manual allowed list, and it is a bandwidth-saving feature rather than a security control: the pruned vlans stay in the trunk’s allowed list and are restored as soon as a port on the far side joins them. Also it never prunes VLAN 1 or VLANs 1002-1005 (only vlans 2-1001 are pruning-eligible), so watch out for that. It is enabled globally on a VTP server and propagates to the whole VTP domain:

SW1(config)# vtp pruning
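The following is a simplified model of what pruning decides, added as an example for this post rather than anything from Cisco. It assumes the switches form a tree joined by trunks, that a trunk only needs to carry a vlan if some switch on the far side has an active port in it, and that only vlans 2-1001 are pruning-eligible. Real VTP reaches the same result hop by hop with join messages; here the answer is computed from the whole constructed topology at once.

```python
# Simplified model of VTP pruning, added as an example for this post (not
# Cisco code). Assumptions: the switches form a tree joined by trunks; a
# trunk only needs to carry a vlan if some switch on the far side has an
# active port in it; only vlans 2-1001 are pruning-eligible, so vlan 1 and
# 1002-1005 (and anything else outside that range) are never pruned.
from collections import defaultdict


def pruning_eligible(vlan):
    return 2 <= vlan <= 1001


def _switches_behind(adj, receiver, sender):
    """All switches reachable from receiver without going back through sender."""
    seen, stack = set(), [receiver]
    while stack:
        sw = stack.pop()
        if sw in seen:
            continue
        seen.add(sw)
        stack.extend(n for n in adj[sw] if n != sender and n not in seen)
    return seen


def prune_trunks(allowed, active_ports, trunks):
    """allowed: set of vlans allowed on every trunk in the domain
    active_ports: {switch: set of vlans with an active access port}
    trunks: list of (switch_a, switch_b) pairs forming a tree
    returns {(sender, receiver): vlans sender stops flooding towards receiver}"""
    adj = defaultdict(set)
    for a, b in trunks:
        adj[a].add(b)
        adj[b].add(a)
    pruned = {}
    for a, b in trunks:
        for sender, receiver in ((a, b), (b, a)):
            behind = _switches_behind(adj, receiver, sender)
            needed = set()
            for sw in behind:
                needed |= active_ports.get(sw, set())
            pruned[(sender, receiver)] = {
                v for v in allowed if pruning_eligible(v) and v not in needed
            }
    return pruned


def still_carried(allowed, pruned_on_link):
    """What actually crosses the trunk in that direction after pruning."""
    return set(allowed) - pruned_on_link


# Constructed topology: SW1 -- SW2 -- SW3, user vlans 10/20/30 plus defaults.
ALLOWED = {1, 10, 20, 30, 1002, 1003, 1004, 1005}
ACTIVE = {"SW1": {10, 20}, "SW2": {10}, "SW3": {30}}
TRUNKS = [("SW1", "SW2"), ("SW2", "SW3")]

if __name__ == "__main__":
    for link, vlans in sorted(prune_trunks(ALLOWED, ACTIVE, TRUNKS).items()):
        print("%s -> %s prunes %s, still carries %s" % (
            link[0], link[1], sorted(vlans),
            sorted(still_carried(ALLOWED, vlans))))
```

Two things the output makes visible: pruning is directional (SW2 prunes vlans 10 and 20 towards SW3 but only 30 towards SW1), and VLAN 1 and 1002-1005 cross every trunk regardless, which is the “default vlans” caveat above. If you need those off a trunk, the manual allowed list is the only way.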