An engineer is configuring a new access switch for a branch office. The switch must support multiple VLANs for different departments: VLAN 10 (Engineering), VLAN 20 (Sales), and VLAN 30 (Management). The uplink to the distribution switch is a trunk. The engineer wants to ensure that only the required VLANs are allowed on the trunk and that the native VLAN is changed from the default to VLAN 99 for security reasons. Which configuration commands should the engineer apply on the access switch's uplink interface?
Correct because it sets the trunk, changes the native VLAN, and restricts allowed VLANs.
Why this answer
Option A is correct because it explicitly sets the interface to trunk mode, changes the native VLAN from the default VLAN 1 to VLAN 99 for security, and uses the 'allowed vlan' command to permit only VLANs 10, 20, and 30 on the trunk. Restricting the allowed list ensures that only the required department VLANs are carried, which reduces unnecessary broadcast traffic, and changing the native VLAN guards against VLAN hopping attacks.
Exam trap
Cisco often tests the distinction between 'allowed vlan' and 'allowed vlan except' — candidates may confuse the syntax and select the option that excludes the required VLANs instead of permitting them.
How to eliminate wrong answers
Option B is wrong because 'switchport trunk allowed vlan except 10,20,30' permits all VLANs except 10, 20, and 30, which is the opposite of the requirement.
Option C is wrong because 'switchport mode dynamic desirable' uses DTP to negotiate trunking, which is less secure and not a deterministic trunk configuration; the requirement is for a static trunk.
Option D is wrong because it omits the 'switchport trunk allowed vlan' command, so all VLANs would be permitted by default, failing to restrict the trunk to only the required VLANs.