Hard · Multiple choice · Objective-mapped

A switch displays the following output:

Switch# show interfaces trunk

Port        Mode    Encapsulation  Status     Native vlan
Gi1/0/24    on      802.1q         trunking   99

Port        Vlans allowed on trunk
Gi1/0/24    10,20,30

Port        Vlans active in management domain
Gi1/0/24    10,20,30,40

Users in VLAN 40 cannot reach resources across this trunk.

What is the most likely reason?

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Distractor review

VLAN 40 is active, so spanning tree must be blocking it

Spanning tree can block a VLAN path under some conditions, but this exhibit already shows a more direct and simpler explanation. VLAN 40 is not even in the allowed list. When a question gives you a concrete forwarding restriction, you should prefer that explicit evidence instead of assuming a second unseen issue such as STP blocking.

B

Distractor review

VLAN 40 is not in the native VLAN, so it cannot cross the trunk

A VLAN does not need to be the native VLAN in order to cross an 802.1Q trunk. Most VLANs cross as tagged traffic. The native VLAN is only the VLAN carried untagged on that trunk. VLAN 40 could still be transported normally if it were permitted on the trunk, but it is not.

C

Best answer

VLAN 40 is not permitted on the trunk

Correct. The allowed VLAN list controls which VLANs are transported across the trunk. Because VLAN 40 is absent from that list, users in VLAN 40 cannot use that trunk to reach resources on the far side.

D

Distractor review

802.1Q trunks can carry only three VLANs at a time

An 802.1Q trunk is not limited to only three VLANs. The number shown here is the result of configuration, not a protocol maximum. Switches can carry many VLANs on a trunk when configured appropriately.

Common exam trap

Common exam trap: answer the scenario, not the keyword

A common exam trap is assuming that because a VLAN is active on the switch, it automatically crosses all trunks. Many candidates mistakenly believe that spanning tree blocking or the native VLAN setting causes VLAN traffic to be blocked, overlooking the allowed VLAN list. The allowed VLAN list explicitly filters which VLANs a trunk carries. If a VLAN is missing from this list, its traffic is dropped at the trunk regardless of spanning tree state or native VLAN configuration. This trap leads to incorrect troubleshooting and answer choices that focus on STP or native VLAN rather than the actual VLAN permission issue.

Technical deep dive

How to think about this question

A VLAN (Virtual Local Area Network) logically segments a switch into separate broadcast domains, allowing devices in the same VLAN to communicate as if they were on the same physical network. Trunk links between switches carry traffic for multiple VLANs simultaneously by tagging frames with VLAN identifiers using protocols like 802.1Q. The trunk port configuration determines which VLANs are allowed to traverse the link, controlling inter-switch VLAN traffic flow.

The 'allowed VLANs' list on a trunk port explicitly controls which VLANs can send and receive traffic across that trunk. Even if a VLAN is active and configured on the switch, it will not be carried over the trunk unless it is included in the allowed VLAN list. This filtering mechanism is crucial for network segmentation and security, preventing unwanted VLAN traffic from crossing certain links. The native VLAN is only the VLAN that is sent untagged on the trunk and does not affect whether other VLANs are permitted.

A common exam trap is to confuse VLAN presence on the switch with VLAN permission on the trunk. Just because a VLAN is active on the switch does not guarantee it can cross every trunk link. Misunderstanding the allowed VLAN list leads to incorrect assumptions about connectivity issues.

Practically, network engineers must verify trunk allowed VLANs when troubleshooting VLAN reachability problems, as missing VLANs in this list block traffic even if the VLAN exists and is active on both ends.
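The check described above can be automated. The following Python sketch is an added example, not part of the original question: it parses `show interfaces trunk` text and reports VLANs that are active but missing from each trunk's allowed list. It assumes the section headings exactly as the exhibit prints them; the function names and the sample text are constructed for illustration.

```python
# Constructed sample: the exhibit from the question, one table per section.
SAMPLE = """\
Port        Mode    Encapsulation  Status     Native vlan
Gi1/0/24    on      802.1q         trunking   99

Port        Vlans allowed on trunk
Gi1/0/24    10,20,30

Port        Vlans active in management domain
Gi1/0/24    10,20,30,40
"""

def expand_vlans(spec):
    """Expand a VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk_output(text):
    """Return {port: {'allowed': set, 'active': set}} from the trunk output."""
    ports, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Port"):
            # Header row: note which table follows (headings as in the exhibit).
            section = ("allowed" if "allowed on trunk" in line else
                       "active" if "active in management domain" in line else None)
            continue
        fields = line.split()
        if section and len(fields) >= 2:
            entry = ports.setdefault(fields[0], {"allowed": set(), "active": set()})
            entry[section] |= expand_vlans("".join(fields[1:]))
    return ports

def filtered_vlans(text):
    """Per port, VLANs active on the switch but missing from the allowed list."""
    gaps = {p: sorted(v["active"] - v["allowed"]) for p, v in parse_trunk_output(text).items()}
    return {p: missing for p, missing in gaps.items() if missing}

if __name__ == "__main__":
    print(filtered_vlans(SAMPLE))
```

On Cisco IOS the interface command `switchport trunk allowed vlan add 40` appends VLAN 40 to the existing list; omitting `add` replaces the whole list.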

Key Concepts to Remember

  • A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.
  • An 802.1Q trunk port carries traffic for multiple VLANs by tagging frames with VLAN identifiers to distinguish VLAN membership.
  • The allowed VLAN list on a trunk port controls which VLANs are permitted to send and receive traffic across that trunk link.
  • A VLAN must be included in the trunk's allowed VLAN list to be transported across the trunk, regardless of its active status on the switch.
  • The native VLAN is the VLAN that is sent untagged on an 802.1Q trunk and does not restrict other VLANs from crossing the trunk.
  • Traffic from VLANs not permitted on a trunk is blocked at the trunk interface, preventing communication across that link.
  • Switches can have VLANs active in the management domain that do not cross trunks if those VLANs are excluded from the allowed VLAN list.
  • Troubleshooting VLAN connectivity issues requires verifying both VLAN existence on switches and VLAN permission on trunk links.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

FAQ

Questions learners often ask

What does this 200-301 question test?

A VLAN logically segments a switch into separate broadcast domains to isolate traffic within the same physical network.

What is the correct answer to this question?

The correct answer is: VLAN 40 is not permitted on the trunk — The trunk is not carrying VLAN 40 because VLAN 40 is missing from the allowed VLAN list. This question tests a subtle but very common distinction: a VLAN can exist on the switch and still fail to cross a particular trunk if that trunk does not permit it. The output clearly shows VLAN 40 as active in the management domain, which means the switch knows the VLAN exists. But the allowed VLAN list on the trunk includes only 10, 20, and 30. In plain language, the trunk has been told to carry some VLANs but not VLAN 40. That is why traffic from VLAN 40 stops at this link even though the VLAN itself is present on the switch.

What should I do if I get this 200-301 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
