What is the main purpose of an 802.1Q trunk?

To allow multiple VLANs to share a single physical link between switches (or between a switch and a router) while keeping each VLAN's traffic logically separate using VLAN tags.

Where is the 802.1Q tag inserted in an Ethernet frame?

Between the source MAC address and the EtherType/length field. It adds 4 bytes containing the TPID (0x8100) and TCI, which includes the VLAN ID.

Define the native VLAN on a Cisco 802.1Q trunk.

The native VLAN is the VLAN whose frames are sent untagged on the trunk by default. Untagged frames received on the trunk are associated with this VLAN.

Default native VLAN on Cisco switches and its tagging behavior?

The default native VLAN is VLAN 1. Frames in VLAN 1 are sent untagged on trunks by default; all other VLANs are sent with 802.1Q tags.

Command to force an interface to be a trunk on Cisco IOS?

`interface g0/x` then `switchport mode trunk`.

Dynamic Trunking Protocol (DTP) is a Cisco-proprietary protocol that negotiates whether a link becomes an access port or a trunk based on switchport modes.

A Layer 2 link that carries traffic for multiple VLANs between network devices, typically using 802.1Q tagging.

An IEEE standard for VLAN tagging on Ethernet frames that allows multiple VLANs to share a single physical link using a 4-byte tag containing the VLAN ID.

802.1Q Trunking and Inter-Switch Links — CCNA 200-301 Deep-Dive Masterclass: Network Fundamentals, Security, and Automation

Q: Which command on a Cisco switch most directly shows you the trunking encapsulation, native VLAN, and allowed VLAN list for all trunk ports?

show interfaces trunk. `show interfaces trunk` summarizes all trunk ports, including encapsulation (dot1q), native VLAN, and the list of VLANs allowed on each trunk. The other commands are useful but less focused on trunk details.

Why We Need 802.1Q Trunks

From Single Switch to Campus

VLANs work well on a single switch, but real campuses use many switches. VLAN 10 on Switch A must talk to VLAN 10 on Switch B without mixing with other VLANs.

The Scaling Problem

Running one physical link per VLAN between switches does not scale and wastes ports. We need a way to carry many VLANs over one link.

802.1Q Trunks

An 802.1Q trunk is a single physical link that carries traffic for multiple VLANs by tagging frames with a VLAN ID. It is an IEEE standard and vendor‑neutral.

What You Will Learn

You will learn how 802.1Q tagging works, what the native VLAN is, how to configure and verify trunks on Cisco, and how to troubleshoot common trunking issues.

Inside the 802.1Q Tag

Access vs Trunk Frames

Access ports send untagged frames. On a trunk, each frame must be marked with a VLAN so the far end knows which VLAN it belongs to.

Where the Tag Goes

802.1Q inserts a 4‑byte tag between the source MAC and the EtherType field. This slightly increases the frame size on the wire.

Tag Fields

The tag has a TPID of 0x8100 and a 16‑bit TCI that includes priority bits and a 12‑bit VLAN ID (1–4094 usable). The VLAN ID is the key for segmentation.

Exam‑Relevant Notes

For CCNA, focus on 802.1Q: it is the standard VLAN tagging method. Tags appear on trunks, while access ports use untagged frames.

Native VLAN and VLAN Tagging Behavior

What Is the Native VLAN?

On a trunk, one VLAN is the native VLAN. On Cisco, it is VLAN 1 by default. Native VLAN frames are sent untagged; all other VLANs are tagged.

Handling Untagged Frames

If an untagged frame arrives on a trunk, the switch assumes it belongs to the native VLAN on that trunk.

Why It Exists

The native VLAN provides backward compatibility with non‑tag‑aware devices and is used by some control protocols on trunks.

Design and Security Tips

Use a dedicated, unused VLAN as the native VLAN; keep it consistent on both ends; and avoid carrying user data on it to reduce risk.

Configuring an 802.1Q Trunk on Cisco IOS

Scenario Setup

SW1 and SW2 are connected on G0/1. You want VLANs 10, 20, 30 to cross, with VLAN 99 as a dedicated native VLAN and no other VLANs allowed.

Configuring SW1

On SW1, set G0/1 to trunk mode, change the native VLAN to 99, and restrict allowed VLANs to 10,20,30,99. Add a helpful description.

Configuring SW2

Repeat the same trunk settings on SW2’s G0/1. Both ends must match: trunk mode, native VLAN 99, and allowed VLANs 10,20,30,99.

Verifying the Trunk

Use `show interfaces g0/1 switchport` and `show interfaces trunk` to confirm trunk status, encapsulation, native VLAN, and allowed VLANs.

Dynamic Trunking Protocol (DTP) Basics

What Is DTP?

Dynamic Trunking Protocol (DTP) is a Cisco protocol that can auto‑negotiate whether a link becomes an access port or a trunk.

DTP Modes

`access` forces access; `trunk` forces trunk; `dynamic desirable` actively tries to trunk; `dynamic auto` waits and trunks only if the neighbor initiates.

Negotiation Outcomes

Desirable with trunk/desirable/auto usually forms a trunk. Auto with auto stays access. Access with anything stays access.

Best Practices

Hard‑code access on user ports and trunk on inter‑switch links. Disable DTP where possible to avoid accidental trunks, especially with non‑Cisco gear.

Designing Inter-Switch Links in a Small Campus

Campus Scenario

Three switches: a core in the server room, and access switches on Floors 1 and 2. VLANs 10, 20, 30 for users and voice, plus VLAN 99 as native.

Inter‑Switch Trunks

Each access switch connects to the core via a trunk. All trunks carry VLANs 10, 20, 30, and 99, with VLAN 99 as the native VLAN everywhere.

Config Pattern

On each trunk port, set `switchport mode trunk`, `switchport trunk native vlan 99`, and `switchport trunk allowed vlan 10,20,30,99`.

Verifying and Troubleshooting

Use `show vlan brief` and `show interfaces trunk`. If a VLAN is missing from an allowed list, devices in that VLAN on that path will lose connectivity.

Predict the Link Behavior (DTP and Trunking)

Use this thought exercise to solidify your intuition about DTP and trunking.

Imagine two switches connected back-to-back on interface g0/1.

Scenario A

SW1 g0/1: `switchport mode dynamic desirable`
SW2 g0/1: `switchport mode dynamic auto`

Question: Will this link become a trunk or stay an access port? Why?

Scenario B

SW1 g0/1: `switchport mode access`
SW2 g0/1: `switchport mode dynamic desirable`

Question: What is the final link type? Does DTP negotiation override the forced access mode?

Scenario C

SW1 g0/1: `switchport mode trunk`
SW2 g0/1: `switchport mode access`

Question: What happens here? Is the link trunk on one side and access on the other? How does that affect traffic?

Try to answer before revealing the explanations below.

Check your reasoning

Scenario A: The link becomes a trunk. Desirable actively tries to trunk; auto is willing to trunk if asked.
Scenario B: The link is access. A port in `mode access` does not negotiate trunking; DTP cannot force it into trunk mode.
Scenario C: You have a mismatch: one side trunk, one side access. The trunk side tags non-native VLANs; the access side expects untagged frames only. This can cause traffic to land in the wrong VLAN (especially the native VLAN) and is a classic misconfiguration to avoid.

Quick Check: Native VLAN and Tagging

Test your understanding of native VLAN behavior on 802.1Q trunks.

On a Cisco 802.1Q trunk with the native VLAN set to 50, how are frames handled?

All VLANs, including VLAN 50, are tagged with 802.1Q headers.
Frames in VLAN 50 are sent untagged; frames in other VLANs are tagged.
Frames in VLAN 50 are dropped; only tagged VLANs are allowed.
Untagged frames received on the trunk are discarded as errors.

Show Answer

Answer: B) Frames in VLAN 50 are sent untagged; frames in other VLANs are tagged.

On Cisco switches, the native VLAN on a trunk is sent untagged by default, while all other VLANs on that trunk are tagged. Untagged incoming frames are associated with the native VLAN.

Quick Check: Trunk Verification

Confirm that you can read the key outputs for trunk troubleshooting.

Which command on a Cisco switch most directly shows you the trunking encapsulation, native VLAN, and allowed VLAN list for all trunk ports?

show vlan brief
show interfaces status
show interfaces trunk
show running-config interface g0/1

Show Answer

Answer: C) show interfaces trunk

`show interfaces trunk` summarizes all trunk ports, including encapsulation (dot1q), native VLAN, and the list of VLANs allowed on each trunk. The other commands are useful but less focused on trunk details.

Troubleshooting Common 802.1Q Trunk Issues

Native VLAN Mismatch

Different native VLANs on each end cause STP warnings and possible traffic leaks. Use `show interfaces trunk` on both ends and standardize the native VLAN.

Missing VLAN in Allowed List

If one VLAN works only in parts of the network, check `switchport trunk allowed vlan`. Add the missing VLAN with `allowed vlan add`.

Trunk Not Forming

If a port stays access, suspect DTP mode mismatches or a non‑Cisco neighbor. Hard‑set `switchport mode trunk` to fix.

VLAN Not Created

Even with a good trunk, a VLAN must exist on each switch. Check `show vlan brief` and create missing VLANs with `vlan <id>`.

Key Trunking Concepts Review

Flip through these cards to reinforce the most important ideas about 802.1Q trunking and inter-switch links.

What is the main purpose of an 802.1Q trunk?: To allow multiple VLANs to share a single physical link between switches (or between a switch and a router) while keeping each VLAN's traffic logically separate using VLAN tags.
Where is the 802.1Q tag inserted in an Ethernet frame?: Between the source MAC address and the EtherType/length field. It adds 4 bytes containing the TPID (0x8100) and TCI, which includes the VLAN ID.
Define the native VLAN on a Cisco 802.1Q trunk.: The native VLAN is the VLAN whose frames are sent untagged on the trunk by default. Untagged frames received on the trunk are associated with this VLAN.
Default native VLAN on Cisco switches and its tagging behavior?: The default native VLAN is VLAN 1. Frames in VLAN 1 are sent untagged on trunks by default; all other VLANs are sent with 802.1Q tags.
Command to force an interface to be a trunk on Cisco IOS?: `interface g0/x` then `switchport mode trunk`.
Command to restrict which VLANs are carried on a trunk?: `switchport trunk allowed vlan <vlan-list>` (for example, `switchport trunk allowed vlan 10,20,30,99`).
Which show command summarizes trunk ports, native VLANs, and allowed VLANs?: `show interfaces trunk`.
What is Dynamic Trunking Protocol (DTP)?: A Cisco-proprietary protocol used to negotiate whether a link becomes a trunk or an access port based on switchport modes like dynamic desirable and dynamic auto.
Why is a native VLAN mismatch dangerous?: Because untagged (native) traffic from one side can be interpreted as belonging to a different VLAN on the other side, potentially causing traffic leaks and STP inconsistencies.
List a recommended best practice for native VLAN usage.: Use a dedicated, unused VLAN as the native VLAN across all trunks, keep it consistent on both ends, and avoid carrying user data on it.

Key Terms

DTP: Dynamic Trunking Protocol (DTP) is a Cisco-proprietary protocol that negotiates whether a link becomes an access port or a trunk based on switchport modes.
Trunk: A Layer 2 link that carries traffic for multiple VLANs between network devices, typically using 802.1Q tagging.
802.1Q: An IEEE standard for VLAN tagging on Ethernet frames that allows multiple VLANs to share a single physical link using a 4-byte tag containing the VLAN ID.
VLAN ID: A 12-bit value in the 802.1Q tag that identifies the VLAN to which a frame belongs, with usable values from 1 to 4094.
Access port: A switch port configured to carry traffic for a single VLAN, sending and receiving untagged frames on the wire.
Native VLAN: On an 802.1Q trunk, the VLAN whose frames are sent untagged by default; untagged frames received on the trunk are associated with this VLAN.
Allowed VLAN list: The configured set of VLANs that are permitted to traverse a trunk port; VLANs not in this list are blocked on that trunk.
Inter-switch link: A physical connection between two switches, typically configured as a trunk so multiple VLANs can span the switches.
Native VLAN mismatch: A condition where the two ends of an 802.1Q trunk are configured with different native VLANs, which can cause traffic leaks and protocol issues.
Encapsulation (trunk): The method used on a trunk to distinguish VLANs, such as 802.1Q tagging on modern Cisco switches.

Why We Need 802.1Q Trunks

From Single Switch to Campus

The Scaling Problem

802.1Q Trunks

What You Will Learn

Inside the 802.1Q Tag

Access vs Trunk Frames

Where the Tag Goes

Tag Fields

Exam‑Relevant Notes

Native VLAN and VLAN Tagging Behavior

What Is the Native VLAN?

Handling Untagged Frames

Why It Exists

Design and Security Tips

Configuring an 802.1Q Trunk on Cisco IOS

Scenario Setup

Configuring SW1

Configuring SW2

Verifying the Trunk

Dynamic Trunking Protocol (DTP) Basics

What Is DTP?

DTP Modes

Negotiation Outcomes

Best Practices

Designing Inter-Switch Links in a Small Campus

Campus Scenario

Inter‑Switch Trunks

Config Pattern

Verifying and Troubleshooting

Predict the Link Behavior (DTP and Trunking)

Quick Check: Native VLAN and Tagging

Quick Check: Trunk Verification

Troubleshooting Common 802.1Q Trunk Issues

Native VLAN Mismatch

Missing VLAN in Allowed List

Trunk Not Forming

VLAN Not Created

Key Trunking Concepts Review

Key Terms

Finished reading?