By default, all VLANs are allowed across a trunk link on a Cisco switch. We can verify that using the show interfaces trunk command:
SW1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,5,10

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,5,10
In the output above you can see that all VLANs (1 through 1005) are allowed on the trunk by default.
We can prevent traffic from certain VLANs from traversing a trunk link using the following interface mode command:
(config-if)#switchport trunk allowed vlan {add | all | except | remove} vlan-list
For example, to prevent traffic from VLAN 5 from traversing the trunk link, we would use the following commands:

SW1(config)#int fa0/1
SW1(config-if)#switchport trunk allowed vlan remove 5
The same command needs to be entered on the switch on the other end of the link.
To verify that traffic from VLAN 5 will indeed be blocked from traversing the trunk link, we can enter the show interfaces trunk command again:

SW1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4,6-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       none
Notice that only VLANs 1-4 and 6-1005 are now allowed on the trunk.
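As an added example (not code from the original page or from Cisco), the following Python models the vlan-list semantics of the switchport trunk allowed vlan command shown above and reads the "Vlans allowed on trunk" entry back out of show interfaces trunk output, so a change can be confirmed on both ends of the link. All function names, the constructed SW1_SHOW sample and the 1-1005 default range are assumptions taken from the page's output, not from a device.

```python
import re

ALL_VLANS = frozenset(range(1, 1006))  # the switch's default "all" range, 1-1005

def parse_vlan_list(text):
    """Expand an IOS vlan-list ('1-4,6-1005', '1,5,10' or 'none') into a set of IDs."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part or part == "none":
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans

def format_vlan_list(vlans):
    """Collapse a set of VLAN IDs back into IOS range notation, e.g. '1-4,6-1005'."""
    ranges, start, prev = [], None, None
    for v in sorted(vlans):
        if start is None or v != prev + 1:
            if start is not None:
                ranges.append(f"{start}-{prev}" if start != prev else str(start))
            start = v
        prev = v
    if start is not None:
        ranges.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(ranges) or "none"

def apply_allowed_vlan(current, keyword, vlan_list=""):
    """Apply 'switchport trunk allowed vlan {add|all|except|remove} vlan-list' to a set."""
    requested = parse_vlan_list(vlan_list)
    ops = {"all": lambda: set(ALL_VLANS), "add": lambda: set(current) | requested,
           "remove": lambda: set(current) - requested, "except": lambda: set(ALL_VLANS) - requested}
    return ops[keyword]()

def allowed_from_show_trunk(output, port):
    """Read the 'Vlans allowed on trunk' entry for `port` from show interfaces trunk text."""
    m = re.search(r"Vlans allowed on trunk\s+" + re.escape(port) + r"\s+(\S+)", output)
    return parse_vlan_list(m.group(1)) if m else None

def vlan_pruned_on_all_ends(vlan, ends):
    """True only if every (show output, port) pair omits `vlan` from its allowed list."""
    return all(vlan not in allowed_from_show_trunk(out, port) for out, port in ends)

# Constructed sample mirroring the page's SW1 output after "remove 5" (not device-captured).
SW1_SHOW = ("Port        Vlans allowed on trunk\nFa0/1       1-4,6-1005\n"
            "Port        Vlans allowed and active in management domain\nFa0/1       1,10\n")
```

Feed vlan_pruned_on_all_ends the show output from each switch on the link to check that the remove command was applied at both ends, as the text above requires.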
NOTE
You can use the switchport trunk allowed vlan all interface mode command to reset the switch port to its original default setting (permitting all VLANs on the trunk).