
VLAN Trunk Allowed List Exam Question Trap

Presenting Symptom

PCs in VLAN 10 on switch A cannot communicate with PCs in VLAN 10 on switch B, but all other VLANs work fine across the trunk.

Network Context

Two Cisco Catalyst 2960 switches (A and B) are connected via a trunk port (GigabitEthernet0/1) running 802.1Q. VLANs 10, 20, 30 are configured on both switches. The trunk is configured with 'switchport trunk allowed vlan 20,30' on switch A, but switch B has no explicit allowed list (default allows all VLANs). The network is a small branch office with a flat Layer 2 topology.

Diagnostic Steps

1. Check trunk status and allowed VLAN list on both switches

show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       20,30

Port        Vlans allowed and active in management domain
Gi0/1       20,30

On switch A, the allowed VLAN list shows only 20 and 30. VLAN 10 is missing, so VLAN 10 frames will not be forwarded across the trunk. On switch B, the same command should show 1-4094 under "Vlans allowed on trunk" if the list has not been restricted. Note that 'show interfaces trunk' lists only ports that are currently trunking; a port that is in access mode or has failed DTP negotiation does not appear at all, which is itself a useful clue.

2. Verify VLAN configuration on both switches

show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2, Gi0/3
10   VLAN0010                         active    Gi0/4
20   VLAN0020                         active    Gi0/5
30   VLAN0030                         active    Gi0/6

Confirm that VLAN 10 exists and has active ports on both switches. If VLAN 10 is missing or inactive, that could also cause the issue, but here it is present.

3. Check interface status of trunk port

show interfaces gigabitethernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 20,30
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled

The 'Trunking VLANs Enabled' line shows 20,30, confirming that VLAN 10 is not allowed on the trunk. This is the root cause.

4. Check interface status on switch B for comparison

show interfaces gigabitethernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
...
Trunking VLANs Enabled: ALL
...

On switch B, the trunk allows all VLANs, so switch B is not the problem. Switch A's restriction alone is enough to break VLAN 10: its Gi0/1 neither transmits VLAN 10 frames onto the trunk nor accepts frames tagged with VLAN 10 arriving from switch B. A VLAN crosses a trunk only when both ends allow it, so the effective allowed set is the intersection of the two lists, here 20 and 30.

Root Cause

Switch A's trunk port Gi0/1 has an explicit 'switchport trunk allowed vlan 20,30' configuration, which excludes VLAN 10. Since the trunk does not allow VLAN 10, frames from VLAN 10 are not forwarded across the trunk, breaking connectivity between VLAN 10 hosts on different switches.

Resolution

On switch A, add VLAN 10 to the allowed list or remove the restriction entirely.

Commands:

    SwitchA(config)# interface gigabitethernet0/1
    SwitchA(config-if)# switchport trunk allowed vlan add 10

Alternatively, to allow all VLANs:

    SwitchA(config-if)# no switchport trunk allowed vlan

Explanation: The 'add' keyword appends VLAN 10 to the existing allowed list, giving 10,20,30. Removing the command restores the default of allowing all VLANs (1-4094). Do not type 'switchport trunk allowed vlan 10' without 'add': that form replaces the whole list with VLAN 10 alone and would break VLANs 20 and 30 instead.

Verification

Run 'show interfaces trunk' on switch A. Expected output:

    Port        Vlans allowed on trunk
    Gi0/1       10,20,30

Also test connectivity: a ping from a PC in VLAN 10 on switch A to a PC in VLAN 10 on switch B should succeed.

Prevention

1. Restrict each trunk to the VLANs that actually need to cross it, and apply the same allowed list to both ends of the link. Pruning unneeded VLANs off a trunk limits where broadcast traffic and a compromised host's frames can reach, but the list is only useful if it is kept identical on both switches.

2. Document and standardize trunk configurations across the network so that adding a VLAN means updating every trunk that must carry it, not just the switch where the VLAN was created.

3. If there is no requirement to restrict a trunk, leave 'switchport trunk allowed vlan' at its default (all VLANs) rather than maintaining an explicit list on one side only; a list that exists on one end and not the other is the classic cause of this fault.
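The diagnostic steps above compare two 'show interfaces trunk' outputs by eye. The following script is an added example, not part of the original page and not a Cisco tool: it parses the "Vlans allowed on trunk" section from both ends of a trunk, expands IOS range notation such as 1-4094, takes the VLANs that have access ports in 'show vlan brief' as the set that must cross the link, and reports which VLANs are blocked by either end together with the 'add' command that fixes each side. The sample outputs are constructed to match this scenario; switch B's allowed list is assumed to be the default 1-4094. With these inputs it flags VLAN 10, and also VLAN 1, which the sample 'show vlan brief' shows with ports Gi0/2 and Gi0/3 on switch A but which switch A's allowed list likewise omits.

```python
import re

# Constructed sample output, modelled on the show commands in this scenario;
# it is not captured from a real switch.
SWITCH_A_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       20,30

Port        Vlans allowed and active in management domain
Gi0/1       20,30
"""

SWITCH_B_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30
"""

SWITCH_A_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/2, Gi0/3
10   VLAN0010                         active    Gi0/4
20   VLAN0020                         active    Gi0/5
30   VLAN0030                         active    Gi0/6
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-4094' or '10,20,30' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk_allowed(show_output):
    """Map each port to the VLAN set in the 'Vlans allowed on trunk' section of
    `show interfaces trunk`. Long lists wrap onto indented continuation lines,
    which are merged into the previous port's entry."""
    allowed, in_section, last_port = {}, False, None
    for line in show_output.splitlines():
        if line.startswith("Port"):
            in_section = "Vlans allowed on trunk" in line
            continue
        if not in_section or not line.strip():
            continue
        if line[0].isspace() and last_port:
            allowed[last_port] |= expand_vlan_list(line)
        else:
            port, spec = line.split(None, 1)
            allowed[port] = expand_vlan_list(spec)
            last_port = port
    return allowed


def parse_vlans_with_ports(show_vlan_brief):
    """Return the active VLAN IDs that have at least one port assigned in `show vlan brief`."""
    needed = set()
    for line in show_vlan_brief.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+active\s+\S", line)
        if m:
            needed.add(int(m.group(1)))
    return needed


def audit_trunk(allowed_a, allowed_b, needed):
    """Compare the two ends of one trunk. A VLAN crosses the link only if both
    ends allow it, so a restriction on either side blocks it in both directions;
    'missing_*' is what each side still has to add."""
    return {
        "only_a": sorted(allowed_a - allowed_b),
        "only_b": sorted(allowed_b - allowed_a),
        "blocked": sorted(needed - (allowed_a & allowed_b)),
        "missing_a": sorted(needed - allowed_a),
        "missing_b": sorted(needed - allowed_b),
    }


def remediation(missing):
    """IOS interface command that appends the missing VLANs without replacing the list."""
    if not missing:
        return None
    return "switchport trunk allowed vlan add " + ",".join(str(v) for v in missing)


def run_audit(port="Gi0/1"):
    allowed_a = parse_trunk_allowed(SWITCH_A_TRUNK)[port]
    allowed_b = parse_trunk_allowed(SWITCH_B_TRUNK)[port]
    needed = parse_vlans_with_ports(SWITCH_A_VLAN_BRIEF)
    result = audit_trunk(allowed_a, allowed_b, needed)
    result["fix_a"] = remediation(result["missing_a"])
    result["fix_b"] = remediation(result["missing_b"])
    return result


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

The audit deliberately computes the intersection of the two allowed lists rather than trusting either side: that is the set a frame must satisfy to cross the trunk, and it is what the exam question is really testing. The 'only_b' result (every VLAN except 20 and 30) is expected when one end is at its default, and is harmless by itself; it becomes a fault only when a VLAN that hosts actually use appears in 'blocked'.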

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario appears as a troubleshooting question where the candidate must identify why a specific VLAN is not working across a trunk. The exam tests understanding of the 'switchport trunk allowed vlan' command and its effect on VLAN traffic. Candidates must know that the allowed list is per-interface, that the two ends of a trunk are configured independently, and that a VLAN missing from the list on either end is blocked in both directions, because the port neither sends frames in that VLAN nor accepts tagged frames for it.

Exam Tips

1. Remember that 'switchport trunk allowed vlan' without 'add' replaces the entire list, so use 'add' (or 'remove') to change an existing list, and confirm the result with 'show interfaces trunk' afterwards.

2. The 'show interfaces trunk' command is the quickest way to see which VLANs are allowed on a trunk; 'show interfaces <port> switchport' shows the same information on its 'Trunking VLANs Enabled' line and also works for a port that is not currently trunking.

3. If a VLAN is missing from the allowed list, traffic for that VLAN will not be forwarded, even if the VLAN exists and is active on both switches.
