SkarpSkarp

Chapter 8 of 27

Inter-Switch Links: 802.1Q Trunks, DTP, and VLAN Propagation

Connect multiple switches into a cohesive campus by carrying many VLANs over shared links using 802.1Q trunking and related mechanisms.

27 min readen

Big Picture: Why Trunks Matter in Campus Networks

Campus Networks Need Trunks

Campus networks use multiple switches. To keep VLANs consistent across them, you need inter-switch trunks that can carry many VLANs over a single physical link.

From Single Switch to Fabric

Previously, VLANs and access ports were confined to one switch. Inter-switch links extend those VLANs so hosts in the same VLAN but on different switches share one broadcast domain.

Role of IEEE 802.1Q

IEEE 802.1Q is the standards-based method that inserts a VLAN tag into Ethernet frames, allowing one physical link to carry traffic for many VLANs simultaneously.

CCNA-Relevant Skills

You must know when to use access vs trunk ports, configure 802.1Q trunks, control allowed VLANs, understand the native VLAN, and manage Cisco DTP on trunk links.

Highway Analogy

Imagine the trunk as a multi-lane highway. Each VLAN is a lane; the 802.1Q tag is the lane marking. Your configuration decides which lanes exist and how traffic flows.

Inside 802.1Q: Tags, VLAN IDs, and the Native VLAN

802.1Q Is the Standard

IEEE 802.1Q is the current standard for VLAN trunk encapsulation. Cisco’s older ISL is obsolete; CCNA focuses on 802.1Q for inter-switch trunks and router-on-a-stick.

Where the Tag Lives

802.1Q inserts a 4-byte tag between the source MAC and EtherType fields. It contains TPID 0x8100 and Tag Control Information, including a 12-bit VLAN ID.

VLAN ID Ranges

The 12-bit VLAN ID supports 0–4095. IDs 1–4094 are normal VLANs; 0 is priority-only; 4095 is reserved. Production networks usually use a subset of 1–4094.

Native VLAN Concept

On a trunk, most frames are tagged, but the native VLAN’s frames are sent untagged by default. Untagged frames arriving on a trunk are assumed to belong to the native VLAN.

Native VLAN on Cisco

Cisco defaults the native VLAN to VLAN 1, but you can change it. Both ends of the trunk must agree on the native VLAN to avoid mismatches and traffic leaks.

Access Ports vs Trunk Ports: Roles and Behaviors

Access Port Behavior

Access ports belong to exactly one VLAN, typically connect to end devices, and send/receive untagged frames. The switch internally maps all traffic to the configured VLAN.

Trunk Port Behavior

Trunk ports carry multiple VLANs, usually between switches or to routers/firewalls. They tag most frames with 802.1Q VLAN IDs; native VLAN traffic is untagged.

Key Cisco Commands

`switchport mode access` or `trunk` sets port type. `switchport access vlan X` sets the access VLAN. `switchport trunk native vlan X` and `allowed vlan` tune trunk behavior.

Design Patterns

Access-to-distribution links are usually trunks to carry many VLANs. Switch-to-host links are almost always access ports. Exam questions often hinge on this distinction.

Configuring a Basic 802.1Q Trunk Between Two Switches

Scenario Setup

Two switches, SW1 and SW2, are linked via G0/1. You want VLANs 10 (Users), 20 (Voice), and 99 (Native) to span both switches using an 802.1Q trunk.

Create VLANs First

On both switches, define VLANs 10, 20, and 99, optionally naming them. Trunks only carry VLANs that exist locally on each switch.

Configure Trunk Parameters

On G0/1, set `switchport mode trunk`, change the native VLAN to 99, and restrict the allowed VLANs to 10, 20, and 99 on both SW1 and SW2.

Verify with Show Commands

Use `show interfaces trunk` and `show interfaces g0/1 switchport` to confirm trunking, encapsulation 802.1Q, native VLAN 99, and allowed VLANs 10, 20, 99.

Key Point

Both ends of the trunk must match on native VLAN and allowed VLANs to avoid mismatches and unexpected traffic behavior.

Dynamic Trunking Protocol (DTP): Modes and Exam Pitfalls

What Is DTP?

Dynamic Trunking Protocol (DTP) is Cisco-proprietary. It negotiates whether a link becomes a trunk or stays access by exchanging frames to MAC 01-00-0C-CC-CC-CC.

Key Switchport Modes

`mode access` forces access; `mode trunk` forces trunk; `dynamic desirable` actively tries to trunk; `dynamic auto` waits and trunks only if the other side initiates.

Mode Combinations

desirable+desirable, trunk+desirable, trunk+auto, and desirable+auto form trunks; auto+auto does not. Auto+auto is a classic exam trap: the link stays access.

Disabling DTP

Use `switchport nonegotiate` to stop sending DTP frames. Combine this with `mode trunk` when connecting to non-Cisco devices that do not understand DTP.

Exam Pitfalls

Expect questions where trunks fail due to both sides being dynamic auto, or where unexpected trunks form because one side is dynamic desirable.

VLAN Propagation: How VLANs Appear Across Switches

Trunks vs VLAN Knowledge

Trunks can carry many VLANs, but each switch must still have those VLANs defined locally. A switch drops frames tagged with VLANs it does not know.

Manual VLAN Creation

In many modern designs, you manually create VLANs with the `vlan` command on each switch that needs to carry them, then configure trunks to transport the traffic.

VTP Historical Context

Cisco’s VTP once auto-propagated VLANs but can cause large-scale misconfigurations. Many networks run VTP transparent and rely on manual or automated VLAN creation.

Verification Commands

`show vlan brief` lists local VLANs and ports. `show interfaces trunk` shows which VLANs are allowed and active over trunks in the management domain.

STP’s Role

Spanning Tree Protocol (STP) keeps the Layer 2 topology loop-free across all VLANs that span multiple switches via trunks.

Troubleshooting Trunks: Native VLAN Mismatches and Allowed Lists

Two Classic Trunk Problems

The most common trunk issues are native VLAN mismatches and incorrect allowed VLAN lists. Both appear frequently in CCNA troubleshooting questions.

Native VLAN Mismatch Effects

If SW1 uses native VLAN 99 and SW2 uses VLAN 1, untagged frames are mapped to different VLANs, causing warnings and potential traffic leakage between VLANs.

Detecting Native Mismatches

Use `show interfaces trunk` and `show cdp neighbors detail` to spot mismatched native VLANs and correct them so both sides use the same native VLAN.

Allowed VLAN List Mistakes

If one side’s allowed VLAN list omits a VLAN, traffic for that VLAN cannot cross the trunk. The trunk shows up, but connectivity for that VLAN fails.

Verifying Allowed VLANs

Compare `Vlans allowed on trunk` on both switches. Ensure the VLAN you expect to work appears on both sides and is in STP forwarding state.

Thought Exercise: Designing Trunks in a Small Campus

Imagine a small campus network with three switches:

  • SW-Access1 and SW-Access2 on the first floor.
  • SW-Distribution1 in the closet.

VLANs:

  • VLAN 10: Staff
  • VLAN 20: Students
  • VLAN 30: Voice
  • VLAN 99: Management (also used as native VLAN)

Links:

  • SW-Access1 G0/1 connects to SW-Distribution1 G0/1.
  • SW-Access2 G0/1 connects to SW-Distribution1 G0/2.
  • All other ports on Access switches connect to end hosts.

Work through these questions in your head or jot down answers:

1) Which ports should be trunks and which should be access ports? Explain your reasoning.

2) On SW-Access1 G0/1, write the exact Cisco IOS commands you would use to:

  • Make it a trunk.
  • Set VLAN 99 as the native VLAN.
  • Allow only VLANs 10, 20, 30, and 99.

3) Suppose a VoIP phone and a PC are daisy-chained on a single access port in VLAN 20 with voice VLAN 30. Should the access port itself be configured as a trunk? How is VLAN tagging handled between phone and switch in this case?

4) If hosts in VLAN 20 on SW-Access2 cannot reach VLAN 20 on SW-Access1, list at least three trunk-related checks you would perform on SW-Distribution1.

After you answer, compare against these hints:

  • Trunks usually run between access and distribution switches.
  • End-host ports are access, sometimes with a voice VLAN.
  • `show interfaces trunk`, `show vlan brief`, and `show interfaces switchport` are your primary verification tools.

Quiz 1: 802.1Q and Native VLAN Behavior

Test your understanding of 802.1Q tagging and native VLANs.

On an 802.1Q trunk between two Cisco switches, both sides are configured with native VLAN 50. A frame from VLAN 50 is sent across the trunk. How does it appear on the wire, and how is it treated on the receiving switch?

  1. It is tagged with VLAN ID 50 on the wire and treated as VLAN 1 on the receiving switch.
  2. It is untagged on the wire and treated as VLAN 50 on the receiving switch.
  3. It is tagged with VLAN ID 50 on the wire and treated as VLAN 50 on the receiving switch.
  4. It is untagged on the wire and dropped because native VLAN frames must be tagged.
Show Answer

Answer: B) It is untagged on the wire and treated as VLAN 50 on the receiving switch.

On an 802.1Q trunk, frames for the native VLAN are sent untagged by default. When an untagged frame arrives on a trunk port, the receiving switch assigns it to the configured native VLAN (VLAN 50 in this case).

Quiz 2: DTP Modes and Trunk Formation

Check your grasp of DTP negotiation and switchport modes.

Two Cisco switches are connected back-to-back. On SW1 the interface is configured as `switchport mode dynamic auto`. On SW2 the interface is also `switchport mode dynamic auto`. What is the resulting link type and why?

  1. The link becomes a trunk because both sides support DTP.
  2. The link becomes a trunk because dynamic auto initiates trunk negotiation.
  3. The link remains an access link because neither side actively initiates trunking.
  4. The link remains down because DTP requires at least one side to be in trunk mode.
Show Answer

Answer: C) The link remains an access link because neither side actively initiates trunking.

With `dynamic auto` on both sides, neither switch actively proposes trunking. They both wait for the other side to initiate, so no trunk is formed and the link stays as an access link. This is a common CCNA exam trap.

Key Term Review: Trunks, DTP, and VLAN Behavior

Use these flashcards to reinforce the most important concepts from this module.

802.1Q trunk
A Layer 2 link that uses IEEE 802.1Q tagging to carry traffic for multiple VLANs over a single physical connection between devices such as switches, routers, or firewalls.
Native VLAN (on 802.1Q trunk)
The single VLAN on a trunk whose frames are sent untagged by default. Untagged frames received on the trunk are associated with this VLAN. Both ends of the trunk must agree on the same native VLAN.
Allowed VLAN list
The configured set of VLAN IDs that are permitted to traverse a trunk port. VLANs not in this list are filtered and their frames are not forwarded over the trunk.
Dynamic Trunking Protocol (DTP)
A Cisco-proprietary protocol that negotiates whether a switchport becomes a trunk or access port, based on the configured switchport mode on each side of the link.
switchport mode trunk
Cisco IOS interface command that forces a port to operate as an 802.1Q trunk and actively sends DTP frames unless `switchport nonegotiate` is also configured.
switchport mode access
Cisco IOS interface command that forces a port to operate as an access port in a single VLAN and disables trunk negotiation.
switchport mode dynamic desirable
DTP mode in which the port actively attempts to form a trunk with the neighbor. It will trunk with ports in trunk, dynamic desirable, or dynamic auto mode.
switchport mode dynamic auto
DTP mode in which the port is willing to become a trunk but does not initiate negotiation. It trunks only if the neighbor is in trunk or dynamic desirable mode.
switchport nonegotiate
Cisco IOS interface command that disables sending DTP frames on the port. Often used with `switchport mode trunk` when connecting to non-Cisco devices.
show interfaces trunk
Cisco IOS command that displays trunking status, including encapsulation, native VLAN, allowed VLANs, and VLANs in forwarding state on each trunk port.

Key Terms

Native VLAN
The VLAN on an 802.1Q trunk whose frames are sent untagged by default; untagged frames received on the trunk are associated with this VLAN.
802.1Q trunk
A Layer 2 link that uses IEEE 802.1Q tagging to carry traffic for multiple VLANs over a single physical connection between switches, routers, or firewalls.
Allowed VLAN list
The configured set of VLAN IDs that are permitted to traverse a trunk port; VLANs not listed are filtered on that trunk.
show interfaces trunk
Cisco IOS command that displays trunk ports, encapsulation, native VLAN, and allowed and active VLANs on each trunk.
switchport mode trunk
Cisco IOS command that forces a port to operate as an 802.1Q trunk and sends DTP frames unless `switchport nonegotiate` is configured.
switchport mode access
Cisco IOS command that forces a port to operate as an access port in a single VLAN and disables trunk negotiation.
switchport nonegotiate
Cisco IOS command that disables sending DTP frames on a port, typically used when connecting to non-Cisco devices.
switchport mode dynamic auto
DTP mode where the port waits for the neighbor to initiate trunking and forms a trunk only if the neighbor is trunk or dynamic desirable.
Dynamic Trunking Protocol (DTP)
A Cisco-proprietary protocol that negotiates whether a switchport becomes a trunk or access port based on switchport modes on each side.
switchport mode dynamic desirable
DTP mode where the port actively tries to form a trunk with the neighbor and will trunk with ports in trunk, dynamic desirable, or dynamic auto mode.

Finished reading?

Test your understanding with a custom practice exam on this chapter.

Test yourself