Trunking and 802.1Q

What Is a Trunk?

A trunk is a point-to-point link between two switches (or a switch and a router) that carries traffic for multiple VLANs. Without trunks, you would need a separate physical cable for each VLAN between switches.

802.1Q Tagging

IEEE 802.1Q is the standard for VLAN tagging on trunk links. When a frame enters a trunk port, the switch inserts a 4-byte tag into the Ethernet header that identifies the frame's VLAN.

802.1Q Tag Structure

The 12-bit VLAN ID field supports 4096 values (0-4095), but VLANs 0 and 4095 are reserved, giving a usable range of 1-4094.

Native VLAN

The native VLAN is the VLAN whose traffic is sent untagged on a trunk link. By default, the native VLAN is VLAN 1.

How it works:

• Frames in the native VLAN are sent across the trunk without an 802.1Q tag
• Frames in all other VLANs are sent with a tag
• The receiving switch places any untagged frame into the native VLAN

Security risk: If an attacker sends untagged frames to a trunk port, they will be placed in the native VLAN. This is the basis of VLAN hopping attacks.

Best practice: Change the native VLAN to an unused VLAN:

Switch(config-if)# switchport trunk native vlan 999

On the Exam: A native VLAN mismatch (where one side uses VLAN 1 and the other uses VLAN 999 as the native VLAN) will cause traffic to be placed in the wrong VLAN. CDP/LLDP will report native VLAN mismatches.

Configuring a Trunk Port

Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# switchport mode trunk                     ! Force trunk mode
Switch(config-if)# switchport trunk native vlan 999          ! Change native VLAN
Switch(config-if)# switchport trunk allowed vlan 10,20,30    ! Allow only specific VLANs

Trunk Verification

Switch# show interfaces trunk
Switch# show interfaces GigabitEthernet0/24 switchport

Sample "show interfaces trunk" Output

Port        Mode         Encapsulation  Status        Native vlan
Gi0/24      on           802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/24      10,20,30

Port        Vlans allowed and active in management domain
Gi0/24      10,20,30

DTP (Dynamic Trunking Protocol)

DTP is a Cisco-proprietary protocol that automatically negotiates trunk links between switches.

Best practice: Disable DTP and manually configure ports as access or trunk:

Switch(config-if)# switchport mode access           ! For endpoint ports
Switch(config-if)# switchport nonegotiate            ! Disables DTP on trunk ports

On the Exam: Know the DTP negotiation combinations. Dynamic auto + dynamic auto = access (neither actively negotiates). Dynamic desirable + dynamic auto = trunk. Always set ports explicitly to avoid unexpected behavior.

Inter-VLAN Routing

Devices in different VLANs cannot communicate at Layer 2. A Layer 3 device (router or Layer 3 switch) is required to route traffic between VLANs.

Method 1: Router-on-a-Stick

A single router interface is configured with sub-interfaces, one per VLAN, all on a single trunk link to the switch.

Router(config)# interface GigabitEthernet0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0

Router(config)# interface GigabitEthernet0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0

Router(config)# interface GigabitEthernet0/0
Router(config-if)# no shutdown

Method 2: Layer 3 Switch (SVI)

A Layer 3 switch uses Switch Virtual Interfaces (SVIs) for inter-VLAN routing, which is faster and more scalable.

Switch(config)# ip routing                          ! Enable Layer 3 routing
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown

Switch(config)# interface vlan 20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# no shutdown