Configuring allowed VLANs

By default, all VLANs are allowed across a trunk link on a Cisco switch. We can verify that using the show interfaces trunk command:

SW1#show interfaces trunk 
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,5,10

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,5,10

In the output above you can see that all VLANs (1 through 1005) are allowed on the trunk by default.

We can prevent traffic from certain VLANs from traversing a trunk link using the following interface mode command:

(config-if)#switchport trunk allowed vlan {add | all | except | remove} vlan-list

For example, to prevent traffic from VLAN 5 from traversing the trunk link, we would use the following command:

SW1(config)#int fa0/1
SW1(config-if)#switchport trunk allowed vlan remove 5

The same command needs to be entered on the switch at the other end of the link, because the allowed VLAN list applies only to the interface on which it is configured.

To verify that traffic from VLAN 5 will indeed be blocked from traversing the trunk link, we can enter the show interfaces trunk command again:

SW1#show interfaces trunk 
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4,6-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       none

Notice that only VLANs 1-4 and 6-1005 are now allowed on the trunk.

NOTE
You can use the switchport trunk allowed vlan all interface mode command to reset the switch port to its original default setting (permitting all VLANs on the trunk).
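As an added example (not from the original page or Cisco's own tooling), the following Python models the allowed VLAN list of a trunk port: it parses the range notation printed by show interfaces trunk (e.g. "1-4,6-1005"), applies the add, all, except and remove keywords of switchport trunk allowed vlan, and compares both ends of a link so that pruning can be audited from saved output. The 1-1005 default and the "none" value are taken from the outputs above; the function names are this example's own.

```python
# Added example (not from the page): model the allowed-VLAN list of a Cisco
# trunk port. Parses the range notation printed by "show interfaces trunk",
# applies the four keywords of "switchport trunk allowed vlan", and renders
# the result in the same notation so trunk pruning can be audited offline.

DEFAULT_VLANS = frozenset(range(1, 1006))  # the 1-1005 default shown on the page


def parse_vlan_list(text):
    """'1-4,6-1005' -> {1,2,3,4,6,...,1005}; 'none' or '' -> empty set."""
    vlans = set()
    text = text.strip().lower()
    if text in ("", "none"):
        return vlans
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def format_vlan_list(vlans):
    """Collapse consecutive VLAN IDs back into Cisco range notation."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    runs, start, prev = [], ids[0], ids[0]
    for vid in ids[1:]:
        if vid != prev + 1:          # gap: close the current run
            runs.append((start, prev))
            start = vid
        prev = vid
    runs.append((start, prev))
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)


def allowed_vlan(current, keyword, vlan_list=""):
    """Apply 'switchport trunk allowed vlan {add|all|except|remove} vlan-list'."""
    given = parse_vlan_list(vlan_list)
    if keyword == "all":       # back to the default: every VLAN permitted
        return set(DEFAULT_VLANS)
    if keyword == "except":    # every VLAN except the listed ones
        return set(DEFAULT_VLANS) - given
    if keyword == "add":
        return current | given
    if keyword == "remove":
        return current - given
    raise ValueError(f"unknown keyword: {keyword!r}")


def trunk_mismatch(side_a, side_b):
    """VLANs allowed on only one end: their frames cross one way and are dropped."""
    return side_a ^ side_b
```

Feeding each switch's "Vlans allowed on trunk" line into parse_vlan_list and the pair into trunk_mismatch shows which VLANs were pruned on only one end, which is what happens when the remove command is forgotten on the second switch.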