Cisco Trunk-splosion Protection
On IOS switches with EEM, protect yourself (and less careful Jr engineers) with this applet, which blocks the classic allowed-VLAN mishap on trunks: replacing a trunk's entire allowed-VLAN list when you only meant to add one VLAN to it.
I stash my error message in a .tcl file so it's less likely to be discovered, since the text won't show up in the switch's configuration. Keep in mind this is only obscurity: the applet itself and the file name still appear in show running-config, and anyone with privilege 15 can remove the applet or delete the file, so treat this as a guardrail against honest mistakes rather than an access control.
First, create: flash:/nedry.tcl
with the following text:
puts "\n ## Ahh ahh ahh, you didn't say the magic word.\n ##\n ##\n ## Command was rejected, please try again.\n ## ...remember to use 'add|remove' when following 'switchport trunk allowed' with a number.\n ## e.g. switchport trunk allowed vlan add|remove <vlan(s)>\n ##\n ## For *NEW* trunked interfaces, start with `switchport trunk allowed vlan none`."
Then add this EEM applet to the switch's config:
event manager applet dennis
 event cli pattern "switchport trunk allowed vlan [0-9*]" sync yes
 action 00.00 cli command "enable"
 action 00.01 cli command "tclsh flash:nedry.tcl"
 action 00.02 puts "$_cli_result"
 action 00.03 set _exit_status 0
With this, the switch will reject the command and print the error message any time switchport trunk allowed vlan is typed and followed directly by a number, i.e. without explicitly including add or remove.
This also catches shorthand versions of the command, since EEM doesn't see the command until the switch has expanded it to its full form; e.g. sw tr all vl # will get snagged just fine.
A few notes on how the applet works. The pattern is a regular expression, and a * inside a bracket expression is a literal asterisk rather than a quantifier, so [0-9*] matches exactly the same real commands as [0-9]. The pattern is not anchored, so it matches anywhere in the expanded command line. With sync yes, the applet runs before the matched command executes, and the _exit_status variable decides what happens next: 0 rejects the command, 1 lets it run. Setting it to 0 explicitly (action 00.03 set _exit_status 0) is the clearest way to reject the command rather than relying on the default. The output of the tclsh action is captured in $_cli_result, which is why the puts action is what shows the banner to the operator.
Also note what the applet does not catch: switchport trunk allowed vlan all and switchport trunk allowed vlan except <vlan(s)> replace the trunk's whole allowed list too, but neither is followed by a digit, so both pass through untouched.
Sample output when the applet fires:
## Ahh ahh ahh, you didn't say the magic word.
##
##
## Command was rejected, please try again.
## ...remember to use 'add|remove' when following 'switchport trunk allowed' with a number.
## e.g. switchport trunk allowed vlan add|remove <vlan(s)>
##
## For *NEW* trunked interfaces, start with `switchport trunk allowed vlan none`.
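Before pushing the applet to a switch, it is worth checking the pattern offline against the full-form commands IOS would hand to EEM. The following Python harness is an added example, not part of the original post or of Cisco's EEM: it runs the applet's pattern over a constructed list of expanded commands and reports which ones would be rejected. Python's re.search is assumed to approximate the IOS regex engine (both are unanchored by default), and the anchored ANCHORED_PATTERN variant is my suggestion, not something the applet above uses.

```python
import re

# The pattern exactly as the applet's 'event cli pattern' uses it. Inside a
# bracket expression '*' is a literal asterisk, so this matches the same real
# commands as "switchport trunk allowed vlan [0-9]".
EEM_PATTERN = r"switchport trunk allowed vlan [0-9*]"

# Tighter alternative (assumption, not from the original applet): anchoring
# with '^' stops the pattern firing on unrelated lines such as an interface
# description that happens to contain the command text.
ANCHORED_PATTERN = r"^switchport trunk allowed vlan [0-9]"


def is_rejected(expanded_command: str, pattern: str = EEM_PATTERN) -> bool:
    """True if the CLI event detector would fire on (and the applet reject) this command.

    EEM only sees the command after IOS has expanded it, so pass the full form
    ('switchport trunk allowed vlan 10'), never shorthand like 'sw tr all vl 10'.
    """
    return re.search(pattern, expanded_command) is not None


def triage(commands, pattern=EEM_PATTERN):
    """Split expanded commands into (rejected, allowed) lists for the given pattern."""
    rejected = [c for c in commands if is_rejected(c, pattern)]
    allowed = [c for c in commands if not is_rejected(c, pattern)]
    return rejected, allowed


# Constructed sample of expanded commands; not captured from a real switch.
SAMPLE_COMMANDS = [
    "switchport trunk allowed vlan 10",              # replaces the whole list: rejected
    "switchport trunk allowed vlan 10,20-30",        # starts with a digit: rejected
    "switchport trunk allowed vlan add 10",          # the safe form: allowed
    "switchport trunk allowed vlan remove 10",       # the safe form: allowed
    "switchport trunk allowed vlan none",            # recommended on new trunks: allowed
    "switchport trunk allowed vlan all",             # also replaces the list, but no digit: allowed
    "switchport trunk allowed vlan except 10",       # also replaces the list, but no digit: allowed
    "description switchport trunk allowed vlan 10",  # false positive for the unanchored pattern
]

if __name__ == "__main__":
    for name, pat in (("applet pattern", EEM_PATTERN), ("anchored pattern", ANCHORED_PATTERN)):
        rejected, allowed = triage(SAMPLE_COMMANDS, pat)
        print(f"{name}: {len(rejected)} rejected, {len(allowed)} allowed")
        for cmd in rejected:
            print("  REJECT ", cmd)
```

Running it shows the unanchored applet pattern rejecting three of the eight sample lines (the two bare-number forms plus the description line), while the anchored variant rejects only the two real offenders; the all and except forms sail through either way, which is the gap to keep in mind when relying on this applet.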