switchport trunk allowed vlan [list]
Restricts the VLANs that are allowed to traverse a trunk link on a Cisco switch, used to control which VLAN traffic is permitted on the trunk.
When to Use This Command
- Limiting trunk to only specific VLANs for security or traffic segmentation
- Limiting the reach of VLAN hopping attacks: a trunk that carries only the VLANs it needs cannot be used to reach any other VLAN, whether the attacker spoofed a trunk or double-tagged a frame. Pruning alone does not stop a port from negotiating a trunk, so pair it with 'switchport mode access' on user ports, 'switchport nonegotiate' on real trunks, and an unused native VLAN
- Isolating guest or IoT traffic to specific VLANs on a trunk to the distribution switch
- Removing unused VLANs from a trunk to reduce broadcast traffic and improve performance
Command Examples
Allow only VLANs 10, 20, and 30 on trunk
switchport trunk allowed vlan 10,20,30
This command configures the trunk to permit only VLANs 10, 20, and 30; frames for any other VLAN are dropped at this port, whatever the far end allows. No output is displayed if successful.
Add VLAN 40 to existing allowed list
switchport trunk allowed vlan add 40
The 'add' keyword appends VLAN 40 to the current allowed list without removing existing VLANs. No output is displayed.
Understanding the Output
The command itself produces no output on success. To verify the allowed VLAN list, use 'show interfaces trunk' or 'show interfaces switchport'. In 'show interfaces trunk', the 'Vlans allowed on trunk' line shows the configured list (e.g., 10,20,30); the 'Vlans allowed and active in management domain' line below it shows only those VLANs that also exist in the VLAN database, so a VLAN that is allowed but never created will appear in the first line and not the second, and will carry no traffic. If the list shows 'none', the trunk is blocking all VLANs. A VLAN must be allowed on both ends of the trunk to pass, so check the neighbor as well. If the native VLAN is not in the allowed list, untagged frames arriving on the trunk are dropped; decide deliberately whether that is what you want. Always verify after configuration.
CCNA Exam Tips
Remember that 'switchport trunk allowed vlan' without 'add' or 'remove' replaces the entire list; use 'add' to append.
By default every VLAN (1-4094) is allowed, including the native VLAN. Removing VLAN 1 from the allowed list stops user data in VLAN 1 only; a Cisco switch still sends and receives CDP, VTP, DTP and PAgP in VLAN 1 across the trunk, so those control protocols keep working.
CCNA exam may test the difference between 'allowed vlan' and 'native vlan' commands.
Know that 'switchport trunk allowed vlan except 1-99' blocks VLANs 1-99 and allows all others.
Common Mistakes
Using 'switchport trunk allowed vlan' without 'add' or 'remove' accidentally removes all existing VLANs except those specified.
Assuming that removing VLAN 1 from the allowed list turns off CDP, DTP or VTP on the trunk; these protocols keep running in VLAN 1 regardless, so the removal only stops user data.
Leaving user traffic on the native VLAN and keeping it in the allowed list, which is exactly what a double-tagging VLAN hopping attack depends on.
Applying the command to an access port: the switch accepts and stores it, but it has no effect until the interface actually becomes a trunk, so the port appears restricted while it is not.
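The exam tips and common mistakes above come down to one rule set: a bare list replaces, 'add' and 'remove' edit, 'except' inverts, and a trunk left at defaults carries every VLAN. The script below is an added example, not part of the original page or of any Cisco tool: it reimplements those list semantics in Python, walks a constructed running-config, computes the effective allowed set per interface, and flags static trunks that still allow every VLAN, allow VLAN 1, carry the native VLAN, or have DTP enabled. The hardening checks are this example's own policy, the sample config is constructed for the demonstration, and the assumed default port mode is a simplification (the real default varies by platform).

```python
from typing import Dict, List, Set

VLAN_MIN, VLAN_MAX = 1, 4094          # valid 802.1Q VLAN IDs on a trunk
ALLOWED_PREFIX = "switchport trunk allowed vlan "


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20,30' or '1-99,200' into a set of IDs."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        low, high = int(lo), int(hi or lo)
        if not (VLAN_MIN <= low <= high <= VLAN_MAX):
            raise ValueError(f"invalid VLAN range: {part}")
        vlans.update(range(low, high + 1))
    return vlans


def apply_allowed_vlan(current: Set[int], args: str) -> Set[int]:
    """Apply the arguments of one 'switchport trunk allowed vlan' command.

    IOS semantics: a bare list REPLACES the whole list; 'add'/'remove' edit it;
    'except' allows everything but the list; 'all'/'none' set the extremes.
    """
    keyword, _, rest = args.strip().partition(" ")
    keyword = keyword.lower()
    everything = set(range(VLAN_MIN, VLAN_MAX + 1))
    if keyword == "all":
        return everything
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return everything - parse_vlan_list(rest)
    return parse_vlan_list(args)       # bare list: replaces whatever was there


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Walk a running-config and compute the effective trunk settings per interface."""
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = {
                "mode": "dynamic auto",          # assumed default; platform dependent
                "native": 1,                     # default native VLAN
                "allowed": set(range(VLAN_MIN, VLAN_MAX + 1)),  # default: all VLANs
                "restricted": False,             # True once an allowed list is configured
                "nonegotiate": False,
            }
            continue
        if current is None or not raw.startswith(" "):
            current = None                       # '!' or a global command ends the block
            continue
        cmd = raw.strip()
        iface = interfaces[current]
        if cmd.startswith("switchport mode "):
            iface["mode"] = cmd[len("switchport mode "):]
        elif cmd.startswith("switchport trunk native vlan "):
            iface["native"] = int(cmd.split()[-1])
        elif cmd.startswith(ALLOWED_PREFIX):
            iface["allowed"] = apply_allowed_vlan(iface["allowed"], cmd[len(ALLOWED_PREFIX):])
            iface["restricted"] = True
        elif cmd == "switchport nonegotiate":
            iface["nonegotiate"] = True
    return interfaces


def audit_trunks(config: str) -> Dict[str, List[str]]:
    """Return hardening findings for every interface configured as a static trunk.

    The allowed list stored on an access port is ignored, just as the switch ignores it.
    """
    findings: Dict[str, List[str]] = {}
    for name, iface in parse_interfaces(config).items():
        if iface["mode"] != "trunk":
            continue
        issues: List[str] = []
        if not iface["restricted"]:
            issues.append("no allowed-vlan list: every VLAN crosses this trunk")
        if 1 in iface["allowed"]:
            issues.append("VLAN 1 allowed")
        if iface["native"] in iface["allowed"]:
            issues.append(f"native VLAN {iface['native']} carries data on the trunk")
        if not iface["nonegotiate"]:
            issues.append("DTP still enabled (missing 'switchport nonegotiate')")
        findings[name] = issues
    return findings


# Constructed sample config for the demonstration; not taken from a real switch.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description uplink to distribution (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport trunk allowed vlan add 40
 switchport trunk allowed vlan remove 20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description uplink left at defaults
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description user port
 switchport mode access
 switchport access vlan 10
 switchport trunk allowed vlan 10,20
!
"""

if __name__ == "__main__":
    for name, issues in audit_trunks(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run against the sample, GigabitEthernet1/0/1 ends with VLANs 10, 30 and 40 allowed (the 'add' and 'remove' are applied in order) and passes every check, GigabitEthernet1/0/2 is reported four times because it was never restricted, and GigabitEthernet1/0/3 is skipped because the stored allowed list on an access port does nothing. Feed it the output of 'show running-config' from a switch you administer to find trunks that were never pruned.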
Related Commands
show interfaces trunk
Displays trunk interface status, allowed VLANs, and pruning information for all trunk ports on a Cisco switch, used to verify trunking configuration and VLAN membership.
switchport mode trunk
Configures a switch interface as a trunk port, allowing multiple VLANs to traverse the link using IEEE 802.1Q tagging.
switchport trunk native vlan [id]
Configures the native VLAN for an 802.1Q trunk interface, specifying which VLAN's frames are sent untagged on the trunk.