Accidentally Removed Allowed VLANs from Cisco Switch Dot1Q Trunk

  • I am adding a new VLAN to an existing trunk port between two Cisco Catalyst switches (3750s). In the process of adding the new VLAN, it appears that I've removed the existing allowed VLANs on the trunk... How is this possible?

    Existing trunk port configuration:

    SW-LAB-1#show run int g1/0/49
    Building configuration...
    
    Current configuration : 255 bytes
    !
    interface GigabitEthernet1/0/49
     description SW-LAB-2 G1/0/48
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 10
     switchport trunk allowed vlan 10,20
     switchport mode trunk
     switchport nonegotiate
     ip dhcp snooping trust
    end
    

    I used the following syntax to also allow VLAN 30:

    SW-LAB-1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    SW-LAB-1(config)#interface g1/0/49
    SW-LAB-1(config-if)#switchport trunk allow vlan 30
    

    However now, my running config on g1/0/49 is missing VLANs 10 and 20!

    <SNIP>
    switchport trunk allowed vlan 30
    </SNIP>
    

    What am I missing?

    Classic error. I've seen this happen so many times. ADD is your saviour here :)

  • You need to use the following command to add your VLAN 30 to an existing Dot1Q trunk on a Cisco Catalyst switch:

    switchport trunk allowed vlan add 30
    

    Otherwise IOS just thinks you're trying to overwrite the existing configuration and you are left with an accidentally deleted set of allowed VLANs.

    You could similarly use "remove" in place of "add" to remove only one VLAN. See the entire syntax below. (It is actually the same syntax in Cisco Nexus OS or IOS, FYI.)

    SW-FOO(config-if)#switchport trunk allowed vlan ?
      WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
      add     add VLANs to the current list
      all     all VLANs
      except  all VLANs except the following
      none    no VLANs
      remove  remove VLANs from the current list
    

    Another option is to put all of your allowed VLANs into the command, like so:

    switchport trunk allowed vlan 10,20,30
    

    This option is more time-consuming but also works.

    Cisco might have avoided much confusion with this command by using "vlans" (plural) to indicate the definitive list of allowed vlans and just "vlan" (singular) to indicate an implied *add* operation.

    I recommend dropping dangerous commands like this in TACACS, so that you cannot do 'switchport trunk allowed vlan X' without add/remove/none. Then the workflow for a new port is 'switchport trunk allowed vlan none', 'switchport trunk allowed vlan add 42'. It has saved us a bunch of downtime. 'no router isis' is also dangerous (accidentally enter it in interface mode, forgetting 'ip', and you remove ISIS from the whole box).

    What we typically do as a precaution is mandate that the engineers doing this type of configuration enter a "reload 5" command such that if ever they do make the mistake, the switch will reload to its previous configuration a few minutes later. This is also making us look at automation solutions for our more critical environments, to avoid having people hack away at the CLI altogether.
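    The keyword semantics from the answer above, and the "only add/remove/none" command-authorization rule from the TACACS comment, as an added worked example that is not part of the original thread. It is a small Python model of how IOS interprets the argument after `switchport trunk allowed vlan`, not IOS code: it assumes the standard 1-4094 VLAN ID range, the exact keywords shown in the `?` output (real IOS also accepts abbreviations such as `add` typed as `ad`), and a hypothetical `policy_allows` check that mirrors the TACACS rule. Run it to see which VLANs each form of the command would silently drop from the trunk in the question.

```python
"""Illustrative model of 'switchport trunk allowed vlan <args>' on Cisco IOS.

Added example, not IOS code. Assumptions: VLAN IDs 1-4094, exact keywords
(add/remove/except/all/none), and a hypothetical command-authorization rule
that permits only the add/remove/none forms.
"""
import re

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_list(spec):
    """Parse an IOS-style VLAN list such as '10,20,30-35' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN ID out of range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Render a set of VLAN IDs the way 'show run' prints them: '10,20,30-32'."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    pieces, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        pieces.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(pieces)


def apply_allowed_vlan(current, args):
    """Return the allowed set after 'switchport trunk allowed vlan <args>'.

    Only add/remove edit the current list. A bare list (the question's
    'switchport trunk allowed vlan 30') REPLACES it, which is the pitfall.
    """
    keyword, _, rest = args.strip().partition(" ")
    keyword = keyword.lower()
    every = set(range(VLAN_MIN, VLAN_MAX + 1))
    if keyword == "all":
        return every
    if keyword == "none":
        return set()
    if keyword == "add":
        return set(current) | parse_vlan_list(rest)
    if keyword == "remove":
        return set(current) - parse_vlan_list(rest)
    if keyword == "except":
        return every - parse_vlan_list(rest)
    return parse_vlan_list(args)  # bare list: overwrite semantics


def vlans_dropped_by(current, args):
    """VLANs that would silently disappear from the trunk if <args> is entered."""
    return set(current) - apply_allowed_vlan(current, args)


# Hypothetical TACACS-style rule: the list may only be edited with add/remove/none,
# so the overwrite form can never reach the switch.
_SAFE_FORM = re.compile(
    r"^\s*switchport\s+trunk\s+allowed\s+vlan\s+(add|remove|none)\b", re.I)


def policy_allows(cmdline):
    """True only for the forms that cannot overwrite the existing allowed list."""
    return bool(_SAFE_FORM.match(cmdline))


if __name__ == "__main__":
    trunk = parse_vlan_list("10,20")  # the existing g1/0/49 config from the question
    for args in ("30", "add 30", "remove 10", "except 30", "none"):
        after = apply_allowed_vlan(trunk, args)
        print(f"allowed vlan {args:<10} -> {format_vlan_list(after):<16} "
              f"dropped: {format_vlan_list(vlans_dropped_by(trunk, args))}")
    for cmd in ("switchport trunk allowed vlan 30",
                "switchport trunk allowed vlan add 30"):
        print(f"{'ALLOW' if policy_allows(cmd) else 'DENY '} {cmd}")
```

    With the question's trunk (`10,20`), `apply_allowed_vlan` returns `{30}` for the bare `30` and `{10, 20, 30}` for `add 30`; `vlans_dropped_by` makes the difference explicit before anything is typed into a production switch, and `policy_allows` rejects the bare form outright.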

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM