VLAN trunking questions between SW1 and SW2 appear in both multiple choice and simulation format on the CCNA exam. The scenario is always some variation of: hosts in different VLANs cannot communicate through the trunk, the trunk is not forming, or specific VLANs are not passing traffic.
Understanding why each requirement exists helps you diagnose the problem quickly rather than guessing.
What a Trunk Link Does
A trunk link carries traffic for multiple VLANs on a single physical link using 802.1Q encapsulation. Each frame is tagged with a VLAN ID so the receiving switch knows which VLAN it belongs to. Without trunking, each inter-switch port can only carry one VLAN.
Configuration Example
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk native vlan 99
SW1(config-if)# switchport trunk allowed vlan 10,20,30,99
On platforms that support both ISL and 802.1Q (Catalyst 3560/3750, for example) the encapsulation must be set before switchport mode trunk, otherwise the mode command is rejected because the encapsulation is still "auto"; on 802.1Q-only platforms such as the Catalyst 2960 the encapsulation command does not exist and is simply omitted. The same configuration must be applied on SW2's corresponding interface. A mismatch in any parameter breaks the trunk or causes specific VLANs to fail.
Requirement 1: Both Sides Must Be in Trunk Mode
Cisco switches use DTP to negotiate trunk mode:
| SW1 Mode | SW2 Mode | Trunk Forms? |
|---|---|---|
| Trunk | Trunk | Yes |
| Trunk | Dynamic desirable | Yes |
| Trunk | Dynamic auto | Yes |
| Dynamic desirable | Dynamic desirable | Yes |
| Dynamic desirable | Dynamic auto | Yes |
| Dynamic auto | Dynamic auto | No |
| Access | Any | No |
Exam trap: dynamic auto / dynamic auto will not form a trunk. Both ports wait for the other to initiate — no trunk forms.
Requirement 2: Native VLAN Must Match
The native VLAN carries untagged frames on the trunk. Both sides must have the same native VLAN. A mismatch causes Cisco to generate a CDP warning:
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (99), with SW2 GigabitEthernet0/1 (1)
Beyond the warning, untagged frames sent from SW1's native VLAN are placed into SW2's native VLAN on arrival, so two different VLANs are bridged together without either side noticing: a connectivity problem and a VLAN hopping risk. With PVST+ or Rapid PVST+ the switch also detects the mismatch from the per-VLAN BPDUs it receives and puts the port into an inconsistent (blocked) state for the affected VLANs until the native VLANs agree, so the symptom may be "the whole VLAN is down" rather than "traffic lands in the wrong VLAN".
Requirement 3: VLAN Must Exist on Both Switches
A VLAN must be in the VLAN database of a switch for it to pass traffic. Even if the trunk is correctly configured, if VLAN 20 does not exist on SW2, frames tagged as VLAN 20 are dropped on arrival.
Verify with show vlan brief. If VLAN 20 is missing, create it:
SW2(config)# vlan 20
SW2(config-vlan)# name Sales
Requirement 4: VLAN Must Be in the Allowed List
By default, a trunk allows VLANs 1 through 4094 (show interfaces trunk lists 1-4094). But if the allowed VLAN list has been restricted, a VLAN can exist on both switches and still not cross the trunk.
SW1(config-if)# switchport trunk allowed vlan 10,20,30
If this command was used and VLAN 40 is not in the list, VLAN 40 traffic is silently dropped at the trunk. To add a VLAN without removing the others, use the add keyword:
SW1(config-if)# switchport trunk allowed vlan add 40
Issuing switchport trunk allowed vlan 40 without add replaces the entire list with VLAN 40 alone and takes VLANs 10, 20 and 30 off the trunk, a classic self-inflicted outage. The list can also be edited with remove, except, all and none.
The exam presents scenarios where a new VLAN was created and hosts cannot communicate across switches. The trunk exists and the VLAN exists — but the allowed VLAN list was never updated.
Verification Commands
SW1# show interfaces trunk
This shows which ports are trunking, their mode and encapsulation, the native VLAN, the VLANs allowed on the trunk, the VLANs that are allowed and active in the management domain (allowed and present in the local VLAN database), and the VLANs in spanning-tree forwarding state and not pruned. A VLAN can be allowed and active but still blocked by STP or pruned by VTP; the bottom section of show interfaces trunk shows which VLANs are actually forwarding.
SW1# show vlan brief
SW1# show cdp neighbors
The Diagnostic Order for VLAN Communication Failures
- Are both hosts assigned to the correct VLANs? (show vlan brief)
- Is the inter-switch link a trunk? (show interfaces trunk)
- Do the native VLANs match on both sides?
- Is the relevant VLAN in the allowed list on both trunks?
- Does the VLAN exist in the VLAN database on both switches?
- Is STP blocking the port? (show spanning-tree)
Work through this order and you will find the problem. Practice CCNA switching and VLAN questions with exhibit-based configurations to develop diagnostic speed.
Reading show interfaces trunk — Every Column Explained
SW1# show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30
Mode "on" — switchport mode trunk was configured statically. If this shows "desirable" or "auto," DTP is negotiating. "not-trunking" in the Status column means the port is actually an access port — a common misconfiguration symptom when you expected a trunk.
Native vlan — Frames in this VLAN cross the trunk without an 802.1Q tag. If SW1 shows native vlan 1 and SW2 shows native vlan 10, every untagged frame gets misplaced.
Vlans allowed and active — This is what actually matters for traffic. A VLAN must exist in the local VLAN database (show vlan brief) AND be in the allowed list to appear here. If a VLAN is in "allowed" but not in "active," it does not exist on this switch or has been shut down; this column reflects only the local switch, so the remote side's allowed list has to be checked separately with the same command on SW2.
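The diagnostic order above can be mechanised. The following is an added example for this page, not Cisco tooling: it parses the four sections of show interfaces trunk exactly as printed above, expands VLAN list strings such as 1-4094 or 1,10,20,30, and reports, for one VLAN, which of the checks (trunking status, allowed list, active list, STP forwarding, native VLAN agreement) fails on which switch. The two outputs embedded in it are constructed sample data: SW1 has been moved to native VLAN 99 with a restricted allowed list, while SW2 still uses native VLAN 1 and never had VLAN 20 created.

```python
"""Audit why a VLAN will not cross the SW1<->SW2 trunk from 'show interfaces trunk'.

Added example for this page, not Cisco tooling: it parses the four sections of
'show interfaces trunk' as IOS prints them, expands VLAN range strings such as
'1-4094' or '1,10,20,30', and walks the diagnostic order from the text for one
VLAN. The two outputs below are constructed sample data, not real captures.
"""
import re

# Constructed sample: SW1 uses native VLAN 99 with a restricted allowed list;
# SW2 still has native VLAN 1 and never had VLAN 20 created.
SW1_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       10,20,30,99

Port        Vlans allowed and active in management domain
Gi0/1       10,20,30,99

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20,30,99
"""

SW2_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,30
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list: '1-4094' -> 1..4094, '1,10,20,30' -> those four, 'none' -> empty."""
    vlans = set()
    spec = spec.strip().lower()
    if spec in ("", "none"):
        return vlans
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk(output):
    """Return {port: {mode, encap, status, native, allowed, active, forwarding}}."""
    sections = re.split(r"\n\s*\n", output.strip())
    ports = {}
    # First section: one row per port with mode, encapsulation, status and native VLAN.
    for line in sections[0].splitlines()[1:]:
        port, mode, encap, status, native = line.split()
        ports[port] = {"mode": mode, "encap": encap, "status": status, "native": int(native)}
    # Remaining three sections are each 'Port  <vlan list>'.
    for key, section in zip(("allowed", "active", "forwarding"), sections[1:]):
        for line in section.splitlines()[1:]:
            port, spec = line.split(None, 1)
            ports[port][key] = expand_vlans(spec)
    return ports


def audit_vlan(vlan, sw1, sw2, port="Gi0/1"):
    """Return the reasons VLAN `vlan` cannot cross the trunk; an empty list means it should pass."""
    problems = []
    for name, side in (("SW1", sw1[port]), ("SW2", sw2[port])):
        if side["status"] != "trunking":
            problems.append(f"{name} {port} is {side['status']}, not trunking")
        if vlan not in side["allowed"]:
            problems.append(f"VLAN {vlan} is not in the allowed list on {name}")
        elif vlan not in side["active"]:
            problems.append(f"VLAN {vlan} is allowed on {name} but not active (missing from the VLAN database or shut down)")
        elif vlan not in side["forwarding"]:
            problems.append(f"VLAN {vlan} is active on {name} but STP-blocked or pruned")
    if sw1[port]["native"] != sw2[port]["native"]:
        problems.append(f"native VLAN mismatch: SW1 {sw1[port]['native']} vs SW2 {sw2[port]['native']}")
    return problems


if __name__ == "__main__":
    sw1, sw2 = parse_trunk(SW1_OUTPUT), parse_trunk(SW2_OUTPUT)
    for vlan in (10, 20, 40):
        print(f"VLAN {vlan}:", audit_vlan(vlan, sw1, sw2) or ["should pass"])
```

Run against the sample data, VLAN 10 reports only the native VLAN mismatch, VLAN 20 additionally reports that it is allowed but not active on SW2 (the missing VLAN database entry), and VLAN 40 reports that it is absent from SW1's allowed list. Because the "allowed and active" section describes only the local switch, the audit deliberately reads both switches' output instead of trusting one.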
The Native VLAN Mismatch — What Actually Happens
When SW1 sends a frame from VLAN 1 (native) over the trunk, it sends it untagged. SW2 receives the untagged frame and assigns it to SW2's native VLAN. If SW2's native VLAN is VLAN 10, that frame lands in VLAN 10 on SW2. Devices in VLAN 1 on SW1 are effectively communicating with VLAN 10 on SW2 without knowing it.
CDP generates a syslog warning when it detects the mismatch:
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with SW2 GigabitEthernet0/1 (10).
On the exam, if a scenario includes a CDP mismatch message, the native VLAN configuration is the problem. The fix is to match both sides: switchport trunk native vlan 10 on SW1 to match SW2.
VLAN Hopping Attack — How 802.1Q Double Tagging Works
The attack exploits the fact that native VLAN frames are sent untagged. An attacker in VLAN 1 (the native VLAN) crafts a frame with two 802.1Q headers:
- Outer tag: VLAN 1 (matches native VLAN)
- Inner tag: VLAN 99 (the target VLAN)
SW1 receives the frame on an access port in VLAN 1 and accepts the outer tag because it matches the port's own VLAN; the frame is now classified into VLAN 1 with the inner VLAN 99 tag still sitting in the payload. When SW1 forwards it out the trunk, VLAN 1 is the native VLAN, so the frame is sent untagged: the outer tag is removed and the inner tag is now the first thing after the MAC addresses. SW2 reads the VLAN 99 tag and delivers the frame to VLAN 99, even though the attacker has no authorized access to VLAN 99. The attack only works when the attacker's access VLAN is the trunk's native VLAN.
This is a one-way attack. Responses cannot travel back via the same mechanism. But it is sufficient for broadcast injection or reconnaissance across VLANs.
Mitigation: move the native VLAN to an unused VLAN that is assigned to no access port, so no attacker can sit in the native VLAN. Alternatively, tag the native VLAN on trunks with the global command vlan dot1q tag native (some platforms also offer the per-interface switchport trunk native vlan tag), so native frames are never sent untagged and the outer tag survives the trunk. Restrict the allowed VLAN list so the trunk carries only what it must. Disabling DTP with switchport nonegotiate and hard-coding user ports as switchport mode access does not stop double tagging, but it closes the other VLAN hopping route, in which an attacker on a dynamic port negotiates a trunk and then tags frames for any VLAN.
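The native VLAN mismatch described earlier and the double-tagging hop above are both consequences of one rule: the native VLAN crosses the trunk untagged. The following added example (not vendor code and not from the original page) makes that rule concrete. It builds raw Ethernet frames with zero, one or two 802.1Q headers (TPID 0x8100), then pushes them through a deliberately minimal model of SW1's access port, SW1's trunk egress and SW2's trunk ingress. The MAC addresses and VLAN numbers are constructed sample values, and the model ignores MAC learning, STP and the frame check sequence, since none of them affect which VLAN a frame is classified into.

```python
"""Model 802.1Q tagging across the SW1-SW2 trunk.

Added example for this page, not vendor code: raw Ethernet frames are built
with zero, one or two 802.1Q headers (TPID 0x8100) and pushed through a
minimal model of an access port on SW1, the trunk egress on SW1 and the
trunk ingress on SW2. It reproduces the native VLAN mismatch (untagged
frames land in the receiver's native VLAN) and the double-tagging hop, and
shows which mitigations from the text close the hop. MAC addresses and VLAN
numbers are constructed sample values.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
HOST_MAC = bytes.fromhex("0200000000aa")      # constructed
TARGET_MAC = bytes.fromhex("0200000000bb")    # constructed


def dot1q_tag(vlan_id, pcp=0):
    """One 802.1Q header: TPID followed by the TCI (PCP, DEI, 12-bit VID)."""
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan_id & 0x0FFF))


def build_frame(dst, src, vlans, ethertype=ETHERTYPE_IPV4, payload=b"\x00" * 46):
    """Ethernet frame with the given 802.1Q tags, outermost first."""
    return dst + src + b"".join(dot1q_tag(v) for v in vlans) + struct.pack("!H", ethertype) + payload


def read_tags(frame):
    """Walk stacked 0x8100 headers after the MACs; return the VIDs outermost first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def access_ingress(frame, access_vlan):
    """Access port on SW1: untagged frames belong to the port VLAN; a tag equal to the
    port VLAN is accepted and removed; a tag for any other VLAN is dropped.
    Only the outermost tag is examined, so a second tag survives in the payload."""
    vids = read_tags(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] != access_vlan:
        return None, None
    return access_vlan, frame[:12] + frame[16:]


def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """Trunk egress on SW1: the native VLAN leaves untagged unless native tagging is on."""
    if vlan == native_vlan and not tag_native:
        return frame
    return frame[:12] + dot1q_tag(vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Trunk ingress on SW2: tagged frames go to the tagged VLAN, untagged ones to SW2's native VLAN."""
    vids = read_tags(frame)
    return vids[0] if vids else native_vlan


def deliver(frame, access_vlan, sw1_native, sw2_native, tag_native=False):
    """Host access port on SW1 -> trunk -> SW2. Returns the VLAN the frame lands in on SW2, or None if dropped."""
    vlan, f = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    return trunk_ingress(trunk_egress(f, vlan, sw1_native, tag_native), sw2_native)


if __name__ == "__main__":
    plain = build_frame(TARGET_MAC, HOST_MAC, [])
    double = build_frame(TARGET_MAC, HOST_MAC, [1, 99])
    print("native mismatch, untagged VLAN 1 host -> SW2 VLAN", deliver(plain, 1, 1, 10))
    print("double tag, native 1 on both sides    -> SW2 VLAN", deliver(double, 1, 1, 1))
    print("double tag, vlan dot1q tag native     -> SW2 VLAN", deliver(double, 1, 1, 1, tag_native=True))
    print("double tag, native moved to unused 999 -> SW2 VLAN", deliver(double, 1, 999, 999))
```

The four calls at the bottom correspond to the four situations in the text: an untagged frame from a VLAN 1 host lands in VLAN 10 when SW2's native VLAN is 10; the double-tagged frame lands in VLAN 99 when the attacker's access VLAN equals the native VLAN; enabling native tagging keeps the outer VLAN 1 tag on the wire so SW2 classifies the frame into VLAN 1; and moving the native VLAN to an unused 999 means VLAN 1 is no longer native, so the frame is tagged as VLAN 1 on egress and the inner tag is never exposed.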
DTP Mode Combinations — The Complete Reference
| SW1 Mode | SW2 Mode | Result |
|---|---|---|
| trunk (on) | trunk (on) | Trunk |
| trunk (on) | dynamic desirable | Trunk |
| trunk (on) | dynamic auto | Trunk |
| dynamic desirable | dynamic desirable | Trunk |
| dynamic desirable | dynamic auto | Trunk |
| dynamic auto | dynamic auto | Access (not trunk) |
| access | dynamic auto | Access |
| access | dynamic desirable | Access |
Auto/Auto is the trap. Both sides wait for the other to initiate negotiation. Neither does. The link falls back to access mode. Candidates configure one side and assume the other will follow — it does not when both are auto.
The switchport nonegotiate command stops the port from sending DTP frames. It is accepted only on ports statically set to trunk or access mode, not on dynamic ports, and it belongs on every static trunk and on every port facing an end host or a non-Cisco switch: DTP is Cisco-proprietary, so other vendors' equipment gains nothing from it, and a host that can speak DTP to a dynamic port can negotiate a trunk for itself.
VLAN Best Practices for Exam Scenarios
VLAN 1 is the default VLAN: every access port starts in VLAN 1, every trunk starts with VLAN 1 as its native VLAN, and control traffic such as CDP, VTP, PAgP and DTP is always carried in VLAN 1. It cannot be deleted. Best practice is to put management on a dedicated VLAN, use a separate unused VLAN as the trunk native VLAN, and leave no user ports in VLAN 1.
VLANs 1002-1005 are reserved — legacy VLANs for Token Ring and FDDI. They exist by default and cannot be deleted. Do not assign them to production traffic.
A VLAN must exist on both switches — if SW1 has VLAN 10 in its database and SW2 does not, frames tagged as VLAN 10 arriving at SW2 are dropped. The exam uses this in scenarios where "VLAN 10 traffic is not crossing the trunk" and the fix is creating VLAN 10 on SW2.