Switchport trunk allowed VLAN explained with an example lab
To carry traffic from several VLANs to other switches in the network, we use trunk links: a trunk link carries traffic from all VLANs to the neighbouring switch.
In some network designs, or because of specific requirements, we may have to stop the traffic of some VLANs from reaching other switches.
To allow or block specific VLANs on the Cisco switch, we can use the following command with different parameters.
Below are the parameters that can be used with the ‘switchport trunk allowed vlan’ command.
The following command shows which VLANs are allowed on a trunk link. Suppose interface FastEthernet 0/1 is used for the trunk link and we want to see the VLANs allowed on it; then we can use the following command.
Switch#show interfaces fa 0/1 switchport
In the output, we can see that all VLANs are allowed on the trunk link.
By default, all VLANs are allowed on the trunk link, so we can use the following command to block all of them.
Switch(config-if)#switchport trunk allowed vlan none
The above command blocks all VLANs on this trunk link; we can confirm that with the show interfaces switchport command shown above.
We can check the output that no VLAN is allowed on the trunk link.
To allow all VLANs again, we can use the following command.
Switch(config-if)#switchport trunk allowed vlan all
The following command allows only the specified VLAN on the trunk link.
Switch(config-if)#switchport trunk allowed vlan 2
In the above command, VLAN 2 is configured to be allowed on the trunk link.
Now, if we want to allow other VLANs as well, the following command must be used; otherwise, the trunk only allows the single VLAN specified with the command above.
Switch(config-if)#switchport trunk allowed vlan add 5
The above command adds the newly allowed VLAN to the current list without removing the previously allowed VLAN.
The following image shows that now, two VLANs are allowed on the trunk link.
To remove a VLAN from the current list, we can use the command below.
Switch(config-if)#switchport trunk allowed vlan remove 2
We have removed VLAN 2 from the list, so now only VLAN 5 is allowed, as seen in the image.
In most situations, we have to allow all the VLANs and block only the few that we don’t want, so the following command can be used to achieve this.
If we want to block two VLANs on the trunk link, we can use this command twice to block the two VLANs.
Switch(config-if)#switchport trunk allowed vlan except 10
Switch(config-if)#switchport trunk allowed vlan except 20
The image below shows the result: only two VLANs are now blocked on the trunk link, while all others are allowed.
Two examples where we would want to block VLANs on the trunk connection:
In the first example, we can see that switch 2 does not have VLAN 20 and VLAN 30. Even if this switch receives traffic for those VLANs, it will drop it anyway, so it is better to block these two VLANs on the trunk connection.
In the second example, ports are assigned to the VLANs, probably for future use, but no device has been attached to those ports yet. We can block these VLANs on the trunk until devices are attached to the ports in those particular VLANs.
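As an added example (not part of the original lab), the following Python script audits a trunk the way the first example above suggests: it reads the ‘Trunking VLANs Enabled’ line from ‘show interfaces ... switchport’ output, expands the IOS VLAN list, reports which VLANs the trunk carries that the far switch does not need, and builds the allowed-VLAN command that would prune the trunk to only the needed VLANs. The switchport output and the set of needed VLANs are constructed sample data.

```python
import re

# Constructed sample of 'show interfaces fa 0/1 switchport' output (not captured from a real switch).
SAMPLE_SWITCHPORT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 1-9,11-19,21-4094
"""

MAX_VLAN = 4094

def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '1-9,11-19,21-4094', '2,5', 'ALL' or 'NONE' into a set of VLAN IDs."""
    text = text.strip().upper()
    if text == "ALL":
        return set(range(1, MAX_VLAN + 1))
    if text == "NONE":
        return set()
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def compress_vlan_list(vlans):
    """Turn a set of VLAN IDs back into the compact 'a-b,c' form IOS accepts in 'switchport trunk allowed vlan'."""
    ids = sorted(vlans)
    ranges, start = [], None
    for i, v in enumerate(ids):
        start = v if start is None else start
        if i + 1 == len(ids) or ids[i + 1] != v + 1:   # end of a contiguous run
            ranges.append(str(start) if start == v else f"{start}-{v}")
            start = None
    return ",".join(ranges)

def allowed_vlans(show_output):
    """Pull the allowed-VLAN list out of 'show interfaces ... switchport' output."""
    match = re.search(r"Trunking VLANs Enabled:\s*(\S+)", show_output)
    if not match:
        raise ValueError("no 'Trunking VLANs Enabled' line found")
    return parse_vlan_list(match.group(1))

def audit_trunk(show_output, needed_vlans):
    """Report surplus VLANs the trunk carries and the command that would restrict it to the needed ones."""
    allowed = allowed_vlans(show_output)
    surplus = sorted(allowed - set(needed_vlans))
    return {"allows_all": len(allowed) == MAX_VLAN, "surplus_count": len(surplus),
            "prune_command": "switchport trunk allowed vlan " + compress_vlan_list(needed_vlans)}
```

Run audit_trunk(SAMPLE_SWITCHPORT, {1, 5, 30}) to see how many VLANs the sample trunk carries that the far switch would simply drop, together with the single command that limits the trunk to VLANs 1, 5 and 30.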