03-15-2021 10:44 AM
Hi everybody.
In my network down below I'm trying to block a specific VLAN from going through the trunk link between the switch in the orange zone (switchhute) and the switch it is connected to (2950-1). I want to prevent everybody in the green zone (VLAN 22) from getting to the PC called Davicom in the orange zone (VLAN 20).
I tried using the command "switchport trunk allowed vlan 20,21,99" (99 being the native VLAN), but it doesn't work. PCs in the green zone can still ping the Davicom PC in the orange zone through the trunk.
What am I doing wrong? Should I use ACLs instead?
Thank you.
03-15-2021 03:47 PM - edited 03-15-2021 03:49 PM
Hello
@Oliver42 wrote:
What am I doing wrong? Should I use ACLs instead?
Yes, you should, as denying the VLAN on the trunk won't negate the connection.
Your L3 switch:
ip access-list extended no-vlan22
deny ip any 22.22.22.0 0.0.0.255 <-- change for the real address of vlan 22 subnet
permit ip any any
int vlan 20
ip access-group no-vlan22 in
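The reason the trunk filter has no effect is worth spelling out: traffic from the green zone is routed by the L3 switch, so by the time it crosses the trunk toward Davicom it is already tagged as VLAN 20, not VLAN 22. Removing VLAN 22 from the allowed list on that trunk therefore never touches it; the filter has to sit where the routing happens. The following is an added example (not part of the original thread) that expresses the same idea as the answer above but matches the question more tightly: it blocks only the green-zone subnet from reaching the Davicom host, and it is applied inbound on the VLAN 22 SVI so the packets are dropped before they are routed at all. The addresses (192.0.2.0/24 for VLAN 22, 198.51.100.50 for Davicom) and the ACL name are assumptions; substitute the real ones.

```cisco
! Added example, not from the original post. Assumed addressing:
!   VLAN 22 (green zone)  = 192.0.2.0/24
!   VLAN 20 (orange zone) = 198.51.100.0/24, Davicom = 198.51.100.50
!
ip access-list extended GREEN-TO-DAVICOM
 remark Drop anything from the green zone destined for the Davicom PC
 deny   ip 192.0.2.0 0.0.0.255 host 198.51.100.50
 remark Everything else is still routed (the ACL ends in an implicit deny)
 permit ip any any
!
interface Vlan22
 ip access-group GREEN-TO-DAVICOM in
!
! Verify the filter is attached and is actually matching:
!   show ip interface vlan 22        -> "Inbound access list is GREEN-TO-DAVICOM"
!   show ip access-lists GREEN-TO-DAVICOM   -> match counters on the deny line
!                                              increase while a green-zone PC pings Davicom
```

Two caveats a practitioner should keep in mind. First, a router ACL on an SVI only sees traffic that is routed between VLANs; it does nothing for hosts that are already in VLAN 20 and reach Davicom at layer 2, so it answers exactly this question (green zone to orange zone) and nothing more. Second, the `permit ip any any` at the end is what keeps every other flow working; without it the implicit deny at the end of every IOS ACL would cut VLAN 22 off from the rest of the network.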