Trunking for Only Some VLANs

By Chris November 2, 2015 10:30

By default, a VLAN trunk between Cisco Catalyst switches allows every VLAN ID (1 through 4094). Create a new VLAN on the switches and the trunk carries it immediately, with no further configuration. Is that a good idea? A trunk that allows everything means any VLAN anyone adds later spans the link at once. In this post, you will get a chance to practice a common task, configuring ports into VLANs, while setting up a trunk that supports only the VLANs in use at present, so that new VLANs are not automatically allowed to send traffic over the trunk.


Your job: Configure the appropriate interfaces as trunks to pass traffic between the PCs, while supporting only the VLANs those PCs use.

This lab begins with all the interfaces shown in Figure 1 working, because the cables have been connected and the switches bring the interfaces up by default. However, you need to add the correct interfaces into the VLANs shown in the figure. Additionally, you must decide what commands to add to make sure the link between the switches trunks, and that the link does not depend on any trunking negotiation (DTP) to do so. Finally, you must make sure that the trunk supports only the two VLANs shown in the figure (plus the native VLAN) until someone else comes back to change the configuration.

The specific rules for this lab are:

  • Configure the interfaces connected to PCs to be access interfaces in the correct VLAN
  • Configure the link between switches to statically act as a trunk (that is, do not rely on trunk negotiation)
  • Configure to restrict the trunk to support only the native VLAN and the other VLANs shown in the figure
  • Do not configure settings not needed for this lab.

Figure 1: Two Switches – Point-to-Point


Initial Configuration

The two switches begin with basically default configuration and a hostname. The two examples here emphasize that point, with confirmation that the ports are enabled (no shutdown).

Example 1: SW1 Config


Example 2: SW2 Config



Answer on Paper, or Maybe Test in Lab

Next, write your answer on paper. Or if you have some real gear, or other tools, configure the lab with those tools.

If you do try this lab beyond just writing the answers on paper or in a text editor, give PC1 and PC3 an IP address in the same subnet. Likewise, for PC2 and PC4. Because this lab uses no routers or Layer 3 switches, once it is working the PCs in the same VLAN should be able to ping each other, but they should not be able to ping PCs in other VLANs.

Also, if you want to test the restriction to support only VLANs 100 and 200, once you have tested all the pings, reconfigure the switches to put the PC1 and PC3 ports into a new VLAN (300). Then try to ping PC3 from PC1 again; it should now fail, because the trunk does not forward VLAN 300 traffic, even though both switches now know about VLAN 300. You can confirm the allowed list on either switch with the show interfaces trunk command, which lists the VLANs allowed on each trunk.
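The lab rules above (static trunk, no reliance on negotiation, allowed list limited to the native VLAN plus 100 and 200) and the VLAN 300 test in the previous paragraph can both be checked from the running-config. The Python script below is an added example, not code from the original lab or from Cisco: it applies the switchport trunk allowed vlan keywords (all, none, add, remove, except, or a plain list) the way IOS does, then audits the inter-switch trunk against the rules. The running-config text it contains is constructed sample data, not captured output, and the interface numbering (G0/1 and G0/2 to the PCs, G0/3 between the switches) is an assumption matching the VIRL note later in the post.

```python
"""Audit Cisco IOS trunk config: static trunk, DTP off, restricted VLAN list.

Added example for this lab (not code from the original post). It models the
'switchport trunk allowed vlan' keywords the way IOS applies them, then checks
the inter-switch trunk against the lab rules. Config text below is constructed.
"""
import re

MAX_VLAN = 4094
ALL_VLANS = frozenset(range(1, MAX_VLAN + 1))  # IOS default: a trunk allows every VLAN ID


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,100,200' or '2-99,201-4094' into a set."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def apply_allowed_vlan(current, args):
    """Apply one 'switchport trunk allowed vlan <args>' command to the current set."""
    keyword, _, rest = args.strip().partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(args)  # a bare list replaces the whole allowed set


def parse_interfaces(running_config):
    """Return {name: {'mode', 'nonegotiate', 'allowed'}} for each interface section."""
    interfaces, current = {}, None
    for line in running_config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:  # Catalyst access-port default is 'dynamic auto' with all VLANs allowed
            current = {"mode": "dynamic auto", "nonegotiate": False, "allowed": set(ALL_VLANS)}
            interfaces[m.group(1)] = current
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or any unindented line ends the interface section
            continue
        cmd = line.strip()
        if cmd.startswith("switchport mode "):
            current["mode"] = cmd[len("switchport mode "):]
        elif cmd == "switchport nonegotiate":
            current["nonegotiate"] = True
        elif cmd.startswith("switchport trunk allowed vlan "):
            current["allowed"] = apply_allowed_vlan(
                current["allowed"], cmd[len("switchport trunk allowed vlan "):])
    return interfaces


def audit_trunk(running_config, interface, expected_vlans):
    """Return findings for one trunk; an empty list means it meets the lab rules."""
    intf = parse_interfaces(running_config).get(interface)
    if intf is None:
        return [f"{interface}: not found in config"]
    findings = []
    if intf["mode"] != "trunk":
        findings.append(f"{interface}: mode is '{intf['mode']}', not a static trunk")
    if not intf["nonegotiate"]:  # 'mode trunk' alone still sends DTP frames
        findings.append(f"{interface}: DTP still runs (no 'switchport nonegotiate')")
    extra = intf["allowed"] - set(expected_vlans)
    if extra:
        findings.append(f"{interface}: allows {len(extra)} VLANs beyond {sorted(expected_vlans)}")
    return findings


# Constructed sample: G0/3 made a trunk but left with the default allowed list.
SW1_BEFORE = """\
interface GigabitEthernet0/3
 switchport mode trunk
!
"""

# Constructed sample: the lab answer, trunk restricted to native VLAN 1 plus 100 and 200.
SW1_AFTER = """\
hostname SW1
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 200
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,100,200
!
"""

if __name__ == "__main__":
    for name, cfg in (("before", SW1_BEFORE), ("after", SW1_AFTER)):
        print(name, audit_trunk(cfg, "GigabitEthernet0/3", {1, 100, 200}) or "OK")
```

Running the script prints two findings for the "before" config (DTP still enabled, 4091 VLANs allowed beyond the expected three) and OK for the "after" config. The same parser shows why the VLAN 300 test fails: 300 is not in the allowed set for G0/3, so moving PC1 and PC3 into VLAN 300 leaves them with no path across the trunk. Flagging a missing switchport nonegotiate is a hardening check rather than a strict lab requirement, since switchport mode trunk by itself already makes the trunk static.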


Do this Lab with Cisco’s VIRL

You can do these labs on paper and still get a lot out of the lab. As an extra help, we have added files for the Virtual Internet Routing Lab (VIRL) software as well. The .VIRL file found here is a file that when used with VIRL will load a lab topology similar to this lab’s topology, with the initial configuration shown in the lab as well. This section lists any differences between the lab exercise and the .VIRL file’s topology and configuration.

Download this lab’s VIRL file!


Network and Host Info:

No changes as compared to the lab exercises.


Initial Trunking Config Change for VIRL

The switches need one additional command to be correct at the initial starting point. VIRL uses an IOS image for Layer 2 switches that requires the trunking encapsulation type to be configured explicitly. The command added to both switches' G0/3 interfaces, which is already included in the .VIRL file, is:

    switchport trunk encapsulation dot1q

Many switches, like the 2960 access switches many people use for CCNA labbing at home, would not require this extra command.


Handy Host Commands:

To see PC IP address: ifconfig eth0

Ping example: ping -c 4

Trace example: tracepath


Comments


  1. Mike November 2, 21:14

    ! for both switches
    int gi0/1
    switchport mode access
    switchport access vlan 100

    int gi0/2
    switchport mode access
    switchport access vlan 200

    int gi0/3
    switchport mode trunk
    switchport trunk allowed vlan except 2-99,101-199,201-4094

    ! other option (simpler, less VLAN ID typing)
    int gi0/3
    switchport trunk allowed vlan none
    switchport trunk allowed vlan 1,100,200

    Reply to this comment
  2. gigi November 17, 18:02


    By definition, the 802.1Q native VLAN can be the default VLAN 1, if both switches agree!

    Reply to this comment
  3. Alejandro Lazaro Gutierrez July 15, 22:47

    • Configure the link between switches to statically act as a trunk (that is, do not rely on trunk negotiation)

    In order to not rely on the trunk negotiation:
    SW2(config-if)#switchport nonegotiate

    Reply to this comment
    • Chris (Author) July 16, 09:29

      Hey Alejandro,
      Yes the switchport nonegotiate command could be used as part of the solution, but more config is needed to meet the goals of the lab.

      Reply to this comment