VLAN · Interface Config

switchport trunk allowed vlan [list]

Configures the list of VLANs allowed on a trunk interface on Cisco NX-OS (Nexus) switches.

Overview

The 'switchport trunk allowed vlan' command is a fundamental tool for controlling which VLANs are permitted to traverse a trunk link on Cisco NX-OS (Nexus) switches. Trunk links carry traffic for multiple VLANs between switches, routers, or other network devices. By default, a trunk port allows all VLANs (1-4094), but network administrators often need to restrict this for security, performance, or administrative reasons. This command enables precise control over the VLAN membership of a trunk interface.

In Cisco NX-OS, the command syntax differs slightly from classic IOS: it uses 'vlan' (singular) instead of 'vlans' (plural). The command supports several keywords: 'add' to include additional VLANs without affecting existing ones, 'remove' to exclude specific VLANs, 'except' to allow all VLANs except those listed, 'all' to permit all VLANs, and 'none' to block all VLANs. If no keyword is used, the specified VLAN list replaces the current allowed list entirely.

This command is typically used in conjunction with 'switchport mode trunk' to set the interface as a trunk. It is crucial for VLAN segmentation in campus networks, data center fabrics, and virtualized environments. In troubleshooting workflows, verifying the allowed VLAN list helps identify connectivity issues when certain VLANs are not passing traffic. For example, if a host on VLAN 10 cannot communicate across a trunk, checking the allowed VLAN list on both ends is a primary step.

On Nexus switches, the command is applied per interface and is stored in the running configuration. It is important to note that the native VLAN is always allowed on a trunk, even if not explicitly listed, unless the 'switchport trunk native vlan' command is used to change it. However, if the native VLAN is not in the allowed list, traffic for that VLAN will be dropped. This is a common pitfall. The command can be verified using 'show interface trunk' or 'show running-config interface <interface>'.

Syntax · Interface Config
switchport trunk allowed vlan {add | all | except | none | remove} vlan-list

When to Use This Command

  • Restricting trunk to carry only specific VLANs for security or traffic segmentation.
  • Adding a new VLAN to an existing trunk without disrupting other VLANs.
  • Removing a VLAN from a trunk to isolate a compromised VLAN.
  • Configuring a trunk to carry all VLANs except a few for administrative purposes.

Parameters

Parameter | Syntax            | Description
add       | add vlan-list     | Adds the specified VLANs to the current allowed list without removing existing ones. Use this to incrementally expand trunk VLAN membership.
all       | all               | Allows all VLANs (1-4094) on the trunk. This is the default behavior when no allowed VLAN list is configured.
except    | except vlan-list  | Allows all VLANs except those specified in the list. Useful for blocking a few VLANs while permitting the rest.
none      | none              | Blocks all VLANs on the trunk. This effectively disables the trunk for data traffic, though control traffic may still pass.
remove    | remove vlan-list  | Removes the specified VLANs from the current allowed list. Use this to selectively prune VLANs without affecting others.
vlan-list | vlan-list         | A comma-separated list of VLAN IDs or ranges (e.g., 10,20,30-40). Specifies which VLANs to add, remove, or except.

Command Examples

Allow only VLANs 10, 20, 30 on trunk

switchport trunk allowed vlan 10,20,30

This command replaces any existing allowed VLAN list with only VLANs 10, 20, and 30. No output is shown if successful.

Add VLAN 40 to existing allowed list

switchport trunk allowed vlan add 40

The 'add' keyword appends VLAN 40 to the current allowed VLAN list without removing existing VLANs.

Remove VLAN 20 from trunk

switchport trunk allowed vlan remove 20

The 'remove' keyword deletes VLAN 20 from the allowed list. Other VLANs remain.

Allow all VLANs except 99

switchport trunk allowed vlan except 99

The 'except' keyword allows all VLANs except the specified ones. Useful for blocking a specific VLAN.

Understanding the Output

The 'switchport trunk allowed vlan' command does not produce output when executed successfully. To verify the configuration, use 'show interface trunk' or 'show running-config interface <interface>'. The 'show interface trunk' output displays the allowed VLAN list under the 'Vlans allowed on trunk' field. A healthy trunk shows the expected VLAN list; a problem might show 'none' if misconfigured or 'all' if not restricted. The 'show running-config' output shows the exact command configured. If the allowed VLAN list is empty, the trunk will not forward any VLAN traffic, which is a common misconfiguration.

Configuration Scenarios

Restricting trunk to specific VLANs for security

A data center switch connects to a server rack. Only VLANs 100, 200, and 300 should be allowed for security reasons.

Topology

[Nexus-A] -- trunk --> [Nexus-B]

Steps

  1. Enter interface configuration mode for the trunk port.
  2. Set the interface as trunk: switchport mode trunk.
  3. Restrict allowed VLANs: switchport trunk allowed vlan 100,200,300.

Configuration

interface Ethernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300

Verify: Use 'show interface trunk' to verify that only VLANs 100,200,300 are allowed on the interface.

Watch out: If the native VLAN is not in the allowed list, native VLAN traffic will be dropped. Ensure native VLAN is included if needed.

Adding a new VLAN to an existing trunk

A new VLAN 50 is created for a new department. It must be added to the trunk without disrupting existing VLANs.

Topology

[Nexus-A] -- trunk --> [Nexus-B]

Steps

  1. Enter interface configuration mode for the trunk port.
  2. Add VLAN 50: switchport trunk allowed vlan add 50.

Configuration

interface Ethernet1/1
 switchport trunk allowed vlan add 50

Verify: Use 'show interface trunk' to confirm VLAN 50 is now in the allowed list.

Watch out: Using 'switchport trunk allowed vlan 50' without 'add' would replace the entire list, removing all other VLANs.

Troubleshooting with This Command

When troubleshooting VLAN connectivity issues across a trunk on Cisco NX-OS, the 'switchport trunk allowed vlan' command is a critical check. Start by verifying the trunk status with 'show interface trunk'. This command displays the allowed VLAN list for each trunk interface. If a VLAN is missing from the allowed list, traffic for that VLAN will not be forwarded. Common symptoms include hosts on the same VLAN unable to communicate across the trunk, or routing protocols failing to establish neighbors.

First, ensure both ends of the trunk have matching allowed VLAN lists. Mismatches can cause one-way or no traffic. Use 'show running-config interface <interface>' to see the exact configuration. If the allowed list is empty (none), the trunk will not forward any VLAN traffic. If the list is 'all', but traffic still fails, check the native VLAN configuration and ensure it is consistent.

Another common issue is forgetting to include the native VLAN in the allowed list. By default, the native VLAN is VLAN 1, but it can be changed. If the native VLAN is not in the allowed list, traffic for that VLAN will be dropped, even though it is untagged. To resolve, either add the native VLAN to the allowed list or change the native VLAN to one that is allowed.

On Nexus switches, the command 'show interface trunk' also shows the 'Vlans allowed on trunk' and 'Vlans in spanning tree forwarding state'. If a VLAN is allowed but not forwarding, check spanning-tree or other Layer 2 issues. Use 'show spanning-tree vlan <vlan>' to investigate. Additionally, if the trunk is not coming up, verify the interface is set to trunk mode and that the other end is also trunking.

In summary, the allowed VLAN list is a primary filter for trunk traffic. Always verify it when troubleshooting Layer 2 connectivity across trunks.
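The keyword semantics from the Overview (replace, add, remove, except, all, none) and the troubleshooting checks above (empty list, mismatched ends, native VLAN missing from the allowed list) are modelled in this added example; it is illustrative code, not Cisco's implementation, and the two-sided audit with its "A"/"B" labels is an assumption of the example.

```python
import re
ALL_VLANS = frozenset(range(1, 4095))  # a trunk allows VLANs 1-4094 by default

def parse_vlan_list(text):
    """Parse an NX-OS vlan-list such as '10,20,30-40' into a set of VLAN IDs."""
    vlans = set()
    for part in text.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def apply_allowed_vlan(current, cmd):
    """Return the allowed set after one 'switchport trunk allowed vlan ...' line."""
    m = re.match(r"\s*switchport trunk allowed vlan\s+(\S+)(?:\s+(\S+))?\s*$", cmd)
    if not m:
        raise ValueError("not an allowed-vlan command: %r" % cmd)
    keyword, arg = m.group(1), m.group(2) or ""
    if keyword == "all":        # permit every VLAN
        return set(ALL_VLANS)
    if keyword == "none":       # block every VLAN (no data traffic on the trunk)
        return set()
    if keyword == "add":        # extend the list, keep what is already there
        return current | parse_vlan_list(arg)
    if keyword == "remove":     # prune from the list, keep the rest
        return current - parse_vlan_list(arg)
    if keyword == "except":     # everything but the listed VLANs
        return set(ALL_VLANS - parse_vlan_list(arg))
    return parse_vlan_list(keyword)  # bare list: replaces the whole list

def allowed_after(commands):
    """Replay a sequence of allowed-vlan commands starting from the default state."""
    allowed = set(ALL_VLANS)
    for cmd in commands:
        allowed = apply_allowed_vlan(allowed, cmd)
    return allowed

def audit_trunk(allowed_a, native_a, allowed_b, native_b):
    """Flag the trunk pitfalls described above; an empty list means no finding."""
    findings = []
    if not allowed_a or not allowed_b:
        findings.append("empty allowed list: trunk forwards no VLAN traffic")
    if allowed_a != allowed_b:
        findings.append("allowed lists differ on VLANs %s" % sorted(allowed_a ^ allowed_b))
    for side, allowed, native in (("A", allowed_a, native_a), ("B", allowed_b, native_b)):
        if native not in allowed:
            findings.append("%s: native VLAN %d not allowed, untagged traffic dropped" % (side, native))
    return findings
```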

CCNA Exam Tips

  1. Remember that 'switchport trunk allowed vlan' without add/remove/except replaces the entire list.
  2. Know that the 'none' keyword blocks all VLANs, effectively disabling the trunk.
  3. Be aware that NX-OS uses 'vlan' (singular) unlike IOS which uses 'vlans' (plural).

Common Mistakes

  • Using 'add' when intending to replace the list, causing unexpected VLANs to remain.
  • Forgetting to include the native VLAN in the allowed list, causing native VLAN traffic to be dropped.
  • Using 'except' with a VLAN that is also the native VLAN, which may cause issues.

Platform Notes

On Cisco NX-OS (Nexus), the command syntax uses 'vlan' (singular) as opposed to Cisco IOS which uses 'vlans' (plural). For example, NX-OS: 'switchport trunk allowed vlan add 10'; IOS: 'switchport trunk allowed vlan add 10'. The behavior is identical. However, NX-OS does not support the 'switchport trunk allowed vlan' command on some platform-specific interfaces like port-channels in certain modes; always check compatibility.

On Nexus 9000 series running NX-OS, the command is fully supported. On older Nexus models like 5000 or 7000, the command is similar but may have minor differences in output formatting. The 'show interface trunk' command output on NX-OS includes additional fields like 'Vlans in spanning tree forwarding state' and 'Vlans in spanning tree blocking state'.

Compared to other vendors, Juniper JunOS uses 'set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk' and 'set vlans <vlan> interface ge-0/0/0' to achieve similar functionality. Arista EOS uses 'switchport trunk allowed vlan' similar to IOS. On Cisco IOS-XE, the command is identical to classic IOS. Always verify the exact syntax for your platform version.
