How-to: Configure trunk VLAN allowed list?

By default, all VLANs configured on a switch are allowed over every trunk interface. Sometimes you need to restrict the allowed list on a specific trunk. When a VLAN is allowed on a trunk, traffic coming from interfaces belonging to that VLAN is permitted to traverse the trunk; a VLAN that is not in the allowed list is not carried across it.

In our example we have R1 and R2 connected to two different switches. Both belong to VLAN 12 and the switches are connected by a dot1q trunk as shown in the diagram below.

Topology configuration:

!-- R1 interface configuration

R1(config)#int f0/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0

!-- R2 interface configuration

R2(config)#int f0/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0

!-- SW1 configuration

SW1(config)#int f0/1
SW1(config-if)#description connected to R1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 12

SW1(config-if)#int f0/13
SW1(config-if)#description connected to SW2
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk

!-- SW2 configuration

SW2(config)#int f0/2
SW2(config-if)#description connected to R2
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 12

SW2(config-if)#int f0/13
SW2(config-if)#description connected to SW1
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk

All configured VLANs are allowed on the trunk interface by default as shown in the output below:

SW1(config)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,3,5-6,8,10,12,26,33,52,100,255,783

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      3,5-6,8,10,12,26,33,52,100,255,783

!-- SW2 trunk interface

SW2(config)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,3,5-6,8,10,12,26,33,52,100,255,783

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      1,3,5-6,8,10,12,26,33,52,100,255,783

R1 and R2 should be able to communicate as shown below:

R1#ping 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Now I am going to remove VLAN 12 from the allowed list on the trunk:

SW1(config)#int f0/13
SW1(config-if)#switchport trunk allowed vlan remove 12

!-- VLAN 12 is removed from the allowed list
SW1#sh interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-11,13-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,3,5-6,8,10,26,33,52,100,255,783

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      3,5-6,8,10,26,33,52,100,255,783

R1 and R2 are no longer able to communicate over the trunk interface, because frames tagged with VLAN ID 12 are not allowed to traverse the trunk anymore:

R1#ping 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
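The two "sh int trunk" captures above are the evidence an auditor works from: a trunk that still shows "1-4094" carries every VLAN in the domain, and the allowed list tells you exactly which VLANs were pruned. The following Python script is an added example and is not part of the original page or any Cisco tool. It parses the text of "show interfaces trunk" (the constructed samples below are copied from the SW1 output before and after the "remove 12" command), expands IOS VLAN-list syntax such as "1-11,13-4094", flags trunks that allow all VLANs, reports which VLANs a change removed, and renders a replacement "switchport trunk allowed vlan" line from a desired set. Function names and the finding wording are my own choices.

```python
"""Audit helper for Cisco IOS `show interfaces trunk` output (added example)."""

# Constructed sample: SW1 before VLAN 12 was removed (copied from the page).
BEFORE_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/13      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/13      1-4094

Port        Vlans allowed and active in management domain
Fa0/13      1,3,5-6,8,10,12,26,33,52,100,255,783

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/13      3,5-6,8,10,12,26,33,52,100,255,783
"""

# Constructed sample: SW1 after `switchport trunk allowed vlan remove 12`.
AFTER_OUTPUT = BEFORE_OUTPUT.replace("1-4094", "1-11,13-4094").replace(",10,12,", ",10,")

ALL_VLANS = frozenset(range(1, 4095))  # VLAN IDs an IOS trunk can carry

SECTION_HEADERS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}


def expand_vlan_list(text):
    """Expand IOS VLAN-list syntax ("1,3,5-6", "none") into a set of ints."""
    vlans = set()
    for part in text.strip().split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(output):
    """Return {port: {"native": int, "allowed": set, "active": set, "forwarding": set}}."""
    trunks, section = {}, None
    for line in output.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("Port"):
            header = line[len("Port"):].strip()
            # The first table (Mode/Encapsulation/Status/Native vlan) has no VLAN list.
            section = "mode" if header.startswith("Mode") else SECTION_HEADERS.get(header)
            continue
        if section is None:
            continue
        port, rest = line.split(None, 1)
        entry = trunks.setdefault(
            port, {"native": None, "allowed": set(), "active": set(), "forwarding": set()}
        )
        if section == "mode":
            entry["native"] = int(rest.split()[-1])  # last column is the native VLAN
        else:
            entry[section] = expand_vlan_list(rest)
    return trunks


def audit_trunks(trunks):
    """Findings for trunks that still allow every VLAN (the IOS default)."""
    findings = []
    for port, info in sorted(trunks.items()):
        if info["allowed"] == ALL_VLANS:
            findings.append(f"{port}: allows all VLANs (1-4094); prune to the VLANs it must carry")
    return findings


def removed_vlans(before, after, port):
    """VLANs that were active on the trunk before a change and are no longer allowed."""
    return before[port]["active"] - after[port]["allowed"]


def render_allowed_vlan_command(vlans):
    """Build an IOS line that replaces the whole allowed list with `vlans`."""
    ids, ranges, start = sorted(vlans), [], None
    for i, v in enumerate(ids):
        start = v if start is None else start
        if i + 1 == len(ids) or ids[i + 1] != v + 1:  # end of a contiguous run
            ranges.append(str(start) if start == v else f"{start}-{v}")
            start = None
    return "switchport trunk allowed vlan " + (",".join(ranges) if ranges else "none")


if __name__ == "__main__":
    before, after = parse_show_trunk(BEFORE_OUTPUT), parse_show_trunk(AFTER_OUTPUT)
    for finding in audit_trunks(before):
        print("before:", finding)
    print("removed by the change:", sorted(removed_vlans(before, after, "Fa0/13")))
    # Only VLAN 12 is needed for R1/R2, so a pruned SW1 trunk would carry just that:
    print(render_allowed_vlan_command({12}))
```

Running it flags Fa0/13 in the first capture, reports {12} as the VLAN the change cut off, and prints "switchport trunk allowed vlan 12". Note that the rendered line replaces the entire allowed list; IOS also accepts the add, remove, except, all and none keywords after "switchport trunk allowed vlan" when you want to adjust the list incrementally, as the page does with remove.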

For more information on using the command, see the command reference for show interfaces trunk.
