By default, all VLANs are allowed across a trunk link on a Cisco switch. We can verify that using the show interfaces trunk command:
SW1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,5,10

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,5,10
In the output above you can see that all VLANs (1 through 1005) are allowed on the trunk by default.
We can prevent traffic from certain VLANs from traversing a trunk link using the following interface mode command:
(config-if)#switchport trunk allowed vlan {add | all | except | remove} vlan-list
For example, to prevent traffic from VLAN 5 from traversing the trunk link, we would use the following commands:
SW1(config)#int fa0/1
SW1(config-if)#switchport trunk allowed vlan remove 5
The same command needs to be entered on the switch on the other end of the link.
To verify that the traffic from VLAN 5 will indeed be blocked from traversing a trunked link, we can enter the show interfaces trunk command again:
SW1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4,6-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       none

Notice how now only VLANs 1-4 and 6-1005 are allowed on the trunk.
You can use the switchport trunk allowed vlan all interface mode command to reset the switch port to its original default setting (permitting all VLANs on the trunk).
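The verification step above can be automated when many trunks need checking. The following Python script is an added example, not part of the original tutorial: it parses show interfaces trunk output, expands the allowed VLAN list, and reports trunks that still allow a VLAN they should not carry. The function names and the must_not_carry parameter are assumptions, and the sample input is the output shown above, embedded as constructed test data.

```python
# Constructed sample: the "show interfaces trunk" output shown after "remove 5".
SAMPLE = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4,6-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       none
"""

def expand_vlans(spec):
    """Turn a VLAN list such as '1-4,6-1005' into a set of integers."""
    vlans = set()
    if spec.strip().lower() == "none":
        return vlans
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def allowed_vlans(output):
    """Return {port: set of VLANs} from the 'Vlans allowed on trunk' section."""
    result, in_section = {}, False
    for line in output.splitlines():
        if line.startswith("Port"):
            in_section = line.split(None, 1)[-1].strip() == "Vlans allowed on trunk"
        elif in_section and line.strip():
            port, spec = line.split(None, 1)
            result[port] = expand_vlans(spec)
    return result

def audit(output, must_not_carry):
    """Return {port: sorted VLANs} for trunks that still allow a forbidden VLAN."""
    findings = {}
    for port, vlans in allowed_vlans(output).items():
        leaked = sorted(vlans & set(must_not_carry))
        if leaked:
            findings[port] = leaked
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, {5}))                                   # {}
    print(audit(SAMPLE.replace("1-4,6-1005", "1-1005"), {5}))   # {'Fa0/1': [5]}
```

Run it against the output collected from both switches on the link, since the allowed list has to match on each end.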