VLAN Not in Trunk Allowed List — Users Isolated
Presenting Symptom
Users in VLAN 20 cannot communicate with users in VLAN 10, even though both VLANs exist on the same switch and the trunk between switches is up.
Network Context
A small enterprise campus network with two Cisco Catalyst 2960 switches (SW1 and SW2) running IOS 15.0. SW1 connects to the core and has VLANs 10, 20, and 30 configured. SW2 connects to access switches and has VLANs 10 and 20. The trunk link between SW1 and SW2 is configured as an 802.1Q trunk. Users in VLAN 10 on SW2 can reach resources in VLAN 10 on SW1, but users in VLAN 20 on SW2 cannot reach any resources in VLAN 20 on SW1.
Diagnostic Steps
Check trunk status and allowed VLAN list on SW1
    show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Gi0/1       on           802.1q         trunking      1

    Port        Vlans allowed on trunk
    Gi0/1       1-1005

    Port        Vlans allowed and active in management domain
    Gi0/1       1,10,30
The output shows that VLAN 20 is not listed in the 'Vlans allowed and active' section. This indicates that VLAN 20 is either not allowed on the trunk or not active on SW1. Compare with SW2's trunk output.
Check trunk status and allowed VLAN list on SW2
    show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Gi0/1       on           802.1q         trunking      1

    Port        Vlans allowed on trunk
    Gi0/1       1-1005

    Port        Vlans allowed and active in management domain
    Gi0/1       1,10,20
SW2 shows VLAN 20 as allowed and active. The mismatch between SW1 (missing VLAN 20) and SW2 (has VLAN 20) confirms that VLAN 20 is not allowed on the trunk from SW1's side.
Verify VLAN 20 exists on SW1
    show vlan brief

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Gi0/2, Gi0/3
    10   VLAN0010                         active    Gi0/4
    20   VLAN0020                         active    Gi0/5
    30   VLAN0030                         active    Gi0/6
VLAN 20 exists and is active on SW1. The problem is not that VLAN 20 is missing; it's that it is not allowed on the trunk.
Check the trunk configuration on SW1
    show running-config interface gigabitEthernet 0/1

    interface GigabitEthernet0/1
     switchport trunk allowed vlan 1,10,30
     switchport mode trunk
The output shows that the allowed VLAN list on the trunk explicitly includes only VLANs 1, 10, and 30. VLAN 20 is missing. This is the root cause.
Root Cause
The trunk interface on SW1 (GigabitEthernet0/1) has an explicit 'switchport trunk allowed vlan' command that permits only VLANs 1, 10, and 30. VLAN 20 is not included, so traffic from VLAN 20 is blocked on the trunk, isolating users in VLAN 20 on SW2 from SW1.
Resolution
Verification
Run 'show interfaces trunk' on SW1. The output should now show VLAN 20 in the 'Vlans allowed and active' list. Example output:

    Port        Vlans allowed and active in management domain
    Gi0/1       1,10,20,30

Also test connectivity by pinging from a host in VLAN 20 on SW2 to a host in VLAN 20 on SW1. The ping should succeed.
Prevention
1. Use a consistent trunk configuration across both ends of a trunk link, preferably by using a configuration template or automation.
2. Avoid using explicit 'switchport trunk allowed vlan' unless necessary; if used, ensure all required VLANs are included.
3. Regularly audit trunk configurations using 'show interfaces trunk' to detect mismatches.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify why a VLAN is not passing over a trunk. The exam tests understanding of the 'switchport trunk allowed vlan' command and its effect on VLAN traffic. A candidate must know that an explicit allowed list overrides the default (all VLANs) and that adding a VLAN requires the 'add' keyword.
Exam Tips
Remember that 'switchport trunk allowed vlan' without 'add' replaces the entire list, so use 'add' whenever you intend to append VLANs to the existing list.
The 'show interfaces trunk' command is critical for troubleshooting VLAN issues on trunks; pay attention to the 'Vlans allowed and active' line.
A common exam trap is that a VLAN may exist and be active but still not pass traffic if it's not in the trunk allowed list.
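The allowed-list semantics from the exam tips above and the trunk audit suggested under Prevention, as an added Python example written for this page (it is not Cisco code and not part of the original). It models what the 'switchport trunk allowed vlan' keywords do to the allowed set (a bare list replaces it; 'add', 'remove', 'except', 'all' and 'none' are handled), parses 'show interfaces trunk' output from both ends of a link, and reports VLANs that are active on one end only. The ALL_VLANS range 1-1005 is an assumption (normal-range VLANs only, as on the 2960 in this scenario); the two sample outputs are constructed to match the scenario, which is why the audit also flags VLAN 30 (present on SW1, never created on SW2).

```python
"""Added example for this page: IOS allowed-VLAN semantics and a two-ended trunk audit.

Not Cisco code. Sample 'show interfaces trunk' outputs below are constructed
to match the SW1/SW2 scenario on the page.
"""

# Assumption: normal-range VLANs only, so 'all' means 1-1005.
ALL_VLANS = frozenset(range(1, 1006))


def expand_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '1,10-12,30' (or 'all'/'none') into a set of IDs."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def format_vlan_list(vlans: set[int]) -> str:
    """Compact a set back into IOS notation: {1,2,3,10} -> '1-3,10'; empty -> 'none'."""
    ids = sorted(vlans)
    ranges: list[str] = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        ranges.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(ranges) or "none"


def apply_allowed_vlan(current: set[int], args: str) -> set[int]:
    """Model 'switchport trunk allowed vlan <args>' applied to the current allowed set.

    A bare list REPLACES the whole set (the exam trap); 'add' and 'remove' modify
    the current set; 'except' is relative to all VLANs.
    """
    keyword, _, rest = args.strip().partition(" ")
    keyword = keyword.lower()
    if keyword == "add":
        return current | expand_vlan_list(rest)
    if keyword == "remove":
        return current - expand_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - expand_vlan_list(rest)
    return expand_vlan_list(args)  # 'all', 'none', or an explicit list


def parse_show_interfaces_trunk(text: str) -> dict[str, dict[str, set[int]]]:
    """Return {port: {'allowed': set, 'active': set}} from 'show interfaces trunk' output."""
    result: dict[str, dict[str, set[int]]] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Port"):  # every section of the output starts with a 'Port ...' header
            if "allowed and active" in line:
                section = "active"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None  # status table and STP-forwarding section are not needed here
            continue
        if section:
            port, vlan_spec = line.split(None, 1)
            entry = result.setdefault(port, {"allowed": set(), "active": set()})
            entry[section] = expand_vlan_list(vlan_spec)
    return result


def audit_trunk(local_text: str, local_port: str,
                remote_text: str, remote_port: str) -> dict[str, set[int]]:
    """Compare the 'allowed and active' sets at both ends of one trunk link.

    A VLAN present on one side only cannot cross the link, whether it was left
    out of the allowed list or was never created on that switch.
    """
    local = parse_show_interfaces_trunk(local_text)[local_port]["active"]
    remote = parse_show_interfaces_trunk(remote_text)[remote_port]["active"]
    return {"missing_on_local": remote - local, "missing_on_remote": local - remote}


# Constructed sample outputs matching the scenario (SW1 lacks VLAN 20, SW2 lacks VLAN 30).
SW1_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-1005

Port        Vlans allowed and active in management domain
Gi0/1       1,10,30
"""
SW2_TRUNK = SW1_TRUNK.replace("1,10,30", "1,10,20")

if __name__ == "__main__":
    allowed = expand_vlan_list("1,10,30")           # SW1's explicit list from the running-config
    wrong = apply_allowed_vlan(allowed, "20")       # forgot 'add': the list is now just VLAN 20
    fixed = apply_allowed_vlan(allowed, "add 20")   # appends VLAN 20 to the existing list
    print("without add:", format_vlan_list(wrong))
    print("with add:   ", format_vlan_list(fixed))
    for finding, vlans in audit_trunk(SW1_TRUNK, "Gi0/1", SW2_TRUNK, "Gi0/1").items():
        print(finding, format_vlan_list(vlans))
```

Running the script prints the replaced list ('20') beside the appended one ('1,10,20,30', the value the Verification section expects), then the audit results for both directions. To use it against real switches, paste each end's 'show interfaces trunk' output into the two text variables; the parser only reads the 'Vlans allowed on trunk' and 'Vlans allowed and active' sections.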
Commands Used in This Scenario
show interfaces trunk
Displays trunk interface status, allowed VLANs, and pruning information for all trunk ports on a Cisco switch, used to verify trunking configuration and VLAN membership.
show vlan brief
Displays a summary of all VLANs configured on the switch, including VLAN ID, name, status, and ports, used to quickly verify VLAN configuration and port assignments.