2.2 Trunking and 802.1Q
Key Takeaways
- A trunk port carries traffic for multiple VLANs between switches by adding an 802.1Q tag to each frame.
- The 802.1Q tag is 4 bytes (2-byte TPID 0x8100 plus 2-byte TCI holding PCP, DEI, and a 12-bit VLAN ID), raising max frame size from 1518 to 1522 bytes.
- The native VLAN (default VLAN 1) is sent untagged; both trunk ends must agree on it or frames land in the wrong VLAN.
- DTP can auto-negotiate trunks but should be disabled; hard-set mode with switchport mode trunk and switchport nonegotiate.
- The allowed-VLAN list prunes which VLANs cross a trunk; an omitted VLAN silently breaks that VLAN's inter-switch traffic.
Why Trunks Exist
An access port carries one VLAN, so connecting two switches that each have ten VLANs would need ten cables. A trunk solves this by carrying all (or a chosen subset of) VLANs over a single link. To keep frames separated, the sending switch inserts a VLAN identifier into each frame — a process called tagging — and the receiving switch reads the tag to deliver the frame to the correct VLAN.
Cisco uses IEEE 802.1Q (often written dot1q) as the only trunking encapsulation on modern switches; the older Cisco ISL is dead and untested on current CCNA. Know that 802.1Q is an open standard, so it interoperates with non-Cisco switches.
The 802.1Q Tag in Detail
The tag is 4 bytes inserted between the source MAC and the EtherType/Length field. Its structure is a frequent exam target:
| Field | Size | Purpose |
|---|---|---|
| TPID (Tag Protocol ID) | 2 bytes | Fixed value 0x8100 marking the frame as tagged |
| PCP (Priority Code Point) | 3 bits | Class of Service 0-7 for QoS |
| DEI | 1 bit | Drop Eligible Indicator |
| VLAN ID | 12 bits | The VLAN number, 0-4095 |
Because the VLAN ID field is 12 bits, the math is 2^12 = 4096 possible values, which is exactly why VLAN IDs stop at 4094 (0 and 4095 are reserved). Adding 4 bytes raises the maximum Ethernet frame from 1518 to 1522 bytes — a "baby giant" frame that switches must accept on trunks.
Native VLAN and Mismatches
The native VLAN is the single VLAN whose traffic crosses a trunk untagged. By default it is VLAN 1. When a switch receives an untagged frame on a trunk, it assumes the frame belongs to the native VLAN. If the two ends disagree — Switch A native VLAN 1, Switch B native VLAN 99 — untagged frames from A land in VLAN 99 on B, a classic security and connectivity bug. CDP logs a %CDP-4-NATIVE_VLAN_MISMATCH message. Best practice: set the same unused native VLAN on both ends: switchport trunk native vlan 999.
DTP and Configuring a Trunk
DTP (Dynamic Trunking Protocol) is Cisco-proprietary and auto-negotiates trunk formation. Its modes determine the outcome:
| Local mode | Neighbor mode | Result |
|---|---|---|
| dynamic auto | dynamic auto | Access (neither initiates) |
| dynamic desirable | dynamic auto | Trunk |
| trunk | dynamic auto/desirable | Trunk |
| access | anything | Access |
Because auto-auto silently stays an access port, hard-code trunks and disable negotiation:
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Allowed VLANs and Verification
The allowed-VLAN list prunes which VLANs cross the trunk. A trap: switchport trunk allowed vlan 30 replaces the list, so VLANs 10 and 20 are now blocked. Use add, remove, none, and all keywords to edit it safely (switchport trunk allowed vlan add 30).
Verify with show interfaces trunk. It reports four things to check in order: which ports are trunking, the trunk encapsulation, the native VLAN, and the allowed/active VLAN lists. If VLAN 20 is missing from "VLANs allowed and active in management domain," same-VLAN hosts on different switches cannot reach each other even though pings within one switch succeed. This is one of the most common simlet faults on the exam.
VLAN Hopping and Native VLAN Security
The native VLAN is not just a technicality — it underpins a real attack. In a double-tagging VLAN-hopping attack, the attacker (sitting in the native VLAN) sends a frame with two 802.1Q tags. The first switch strips the outer tag (because it matches the native VLAN, which is sent untagged) and forwards the frame on the trunk; the next switch reads the inner tag and delivers the frame into the victim VLAN. This only works when the attacker's access VLAN equals the trunk's native VLAN.
The CCNA-sanctioned defenses are: change the native VLAN to a dedicated unused VLAN, never use VLAN 1 for the native VLAN or for any user data, and explicitly prune the native VLAN from trunks where it is not needed.
A related defense is to tag the native VLAN with vlan dot1q tag native, forcing even native-VLAN frames to carry a tag so the strip-and-forward step cannot happen. Always pair these with switchport mode trunk plus switchport nonegotiate so DTP cannot be tricked into forming an unexpected trunk from an access port — a second VLAN-hopping vector called switch spoofing.
Common Trunking Exam Traps
Several trunk behaviors trip up candidates. First, switchport trunk allowed vlan 30 without the add keyword overwrites the list, instantly blacking out every other VLAN on that trunk — a single typo can drop an entire campus segment.
Second, a trunk's allowed list is the intersection of both ends plus which VLANs actually exist; a VLAN allowed on the trunk but not created in the database still will not appear under "allowed and active." Third, a native VLAN mismatch does not stop the trunk from forming or break tagged VLANs — it quietly misdelivers only the untagged native traffic, which makes it hard to spot without reading the CDP log or show interfaces trunk. Fourth, ISL no longer exists on modern CCNA switches, so 802.1Q is assumed; if an option mentions ISL it is almost always a distractor.
Knowing these saves points on both multiple-choice and simlet questions where the symptom is subtle.
How many bytes does an 802.1Q tag add to an Ethernet frame, and what does that make the new maximum frame size?
Switch A's trunk uses native VLAN 1 and Switch B's trunk uses native VLAN 99. What is the result?
Two trunk ends are both set to switchport mode dynamic auto. What happens?