VLAN and Trunking on Cisco IOS: Access Ports, Trunk Ports, and Native VLANs
VLANs (Virtual Local Area Networks) segment a physical switch into multiple logical broadcast domains. Trunking using IEEE 802.1Q allows multiple VLANs to traverse a single link between switches. For the CCNA 200-301 exam, you must master VLAN creation, access port assignment, trunk configuration, native VLAN handling, and troubleshooting common issues like native VLAN mismatches.
VLAN Configuration Basics
A VLAN is identified by a VLAN ID (1–4094). VLAN 1 is the default VLAN; VLANs 1002–1005 are reserved for legacy Token Ring and FDDI. To create a VLAN on a Cisco IOS switch:
Switch(config)# vlan 10
Switch(config-vlan)# name Sales
Alternatively, VLANs can be created from the older VLAN database mode (vlan database in privileged EXEC mode), but that method is deprecated; global configuration mode, shown above, is the current way. After creation, assign an access port to a VLAN:
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Verify with show vlan brief or show interfaces status.
802.1Q Trunking
A trunk port carries traffic for multiple VLANs. Cisco switches support two trunking protocols: ISL (Cisco proprietary, deprecated) and 802.1Q (open standard). The CCNA focuses on 802.1Q.
To configure a trunk port:
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# switchport mode trunk
By default, all VLANs are allowed on the trunk. To restrict allowed VLANs:
Switch(config-if)# switchport trunk allowed vlan 10,20,30
To add or remove VLANs:
Switch(config-if)# switchport trunk allowed vlan add 40
Switch(config-if)# switchport trunk allowed vlan remove 20
Native VLAN
The native VLAN is the VLAN that carries untagged traffic on an 802.1Q trunk. By default, the native VLAN is VLAN 1. The native VLAN must match on both ends of the trunk; otherwise, traffic from the native VLAN will be misdirected or dropped.
To change the native VLAN:
Switch(config-if)# switchport trunk native vlan 99
To verify native VLAN:
Switch# show interfaces trunk
Trunking Negotiation: DTP
Dynamic Trunking Protocol (DTP) negotiates trunking between switches. Cisco switches have four modes: access, dynamic desirable, dynamic auto, and trunk. For the exam, remember:
- switchport mode access – forces the port to be an access port; no DTP frames sent.
- switchport mode trunk – forces trunking; sends DTP frames.
- switchport mode dynamic desirable – actively attempts to form a trunk.
- switchport mode dynamic auto – passively waits for the other side to initiate trunking.
A trunk forms when at least one side is trunk or dynamic desirable. Two dynamic auto ports will become access ports (no trunk).
To disable DTP on a trunk, use switchport nonegotiate.
Troubleshooting Native VLAN Mismatch
A native VLAN mismatch occurs when the native VLAN differs on two ends of a trunk. Symptoms: CDP messages indicating a native VLAN mismatch, and traffic from the native VLAN fails to pass.
Example: SW1 native VLAN 99, SW2 native VLAN 1. CDP will log:
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (99), with SW2 GigabitEthernet0/1 (1).
Fix by setting the native VLAN to the same value on both sides:
SW2(config-if)# switchport trunk native vlan 99
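The CDP message above is the signal most people see first, and it is worth pulling out of syslog automatically so a mismatch is caught before users report dropped traffic. The following is an added example, not code from the original page or from Cisco: it parses that exact message format, tolerates the timestamp prefix IOS puts in front of it, and collapses the repeats IOS logs at every CDP interval into one finding per interface and neighbor. The log lines are constructed for the demo.

```python
import re

# Pattern for the IOS %CDP-4-NATIVE_VLAN_MISMATCH message quoted in the text.
# A leading timestamp or sequence number is tolerated because re.search is
# used rather than re.match.
CDP_MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\), with "
    r"(?P<peer>\S+) (?P<peer_if>\S+) \((?P<peer_vlan>\d+)\)"
)


def parse_cdp_mismatch(line):
    """Return the mismatch details from one syslog line, or None if the line
    is some other message."""
    m = CDP_MISMATCH_RE.search(line)
    if not m:
        return None
    return {
        "local_if": m.group("local_if"),
        "local_vlan": int(m.group("local_vlan")),
        "peer": m.group("peer"),
        "peer_if": m.group("peer_if"),
        "peer_vlan": int(m.group("peer_vlan")),
    }


def find_mismatches(lines):
    """Scan a syslog stream and return one entry per (local interface, peer).
    IOS repeats the message at every CDP interval, so duplicates are folded."""
    seen = {}
    for line in lines:
        rec = parse_cdp_mismatch(line)
        if rec:
            seen[(rec["local_if"], rec["peer"])] = rec
    return list(seen.values())


# Constructed sample log: two repeats of the mismatch plus unrelated messages.
SAMPLE_LOG = [
    "*Mar  1 00:12:34.567: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "*Mar  1 00:13:04.001: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (99), with SW2 GigabitEthernet0/1 (1).",
    "*Mar  1 00:14:04.002: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (99), with SW2 GigabitEthernet0/1 (1).",
    "*Mar  1 00:14:10.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    for rec in find_mismatches(SAMPLE_LOG):
        print(f"{rec['local_if']} native {rec['local_vlan']} vs "
              f"{rec['peer']} {rec['peer_if']} native {rec['peer_vlan']}")
```

Run against the sample, the script reports a single mismatch for GigabitEthernet0/1 (local native 99, SW2 native 1), which is exactly the pair of values the fix command above has to reconcile.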
Allowed VLAN List Issues
If a VLAN is not in the allowed list on a trunk, traffic for that VLAN is not forwarded. Verify with show interfaces trunk. Common mistake: forgetting to include the native VLAN in the allowed list. The native VLAN must be allowed; otherwise, untagged traffic is dropped.
Exam Tips: What to Watch For
- Native VLAN mismatch is a frequent exam topic. Always check both sides.
- Allowed VLAN list – if you see switchport trunk allowed vlan 10,20, remember VLAN 1 is not allowed unless explicitly added. However, the native VLAN (default VLAN 1) might still be allowed if it's in the list; if not, untagged traffic fails.
- DTP modes – know which combinations form a trunk.
- Router-on-a-stick – uses subinterfaces with 802.1Q encapsulation.
- VLAN 1 – avoid using VLAN 1 for user traffic; change native VLAN to an unused VLAN for security.
- Commands to memorize: show vlan brief, show interfaces trunk, show interfaces switchport.
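The DTP rules, the native VLAN match, and the "native VLAN must be in the allowed list" check from the Trunking Negotiation, Troubleshooting and Allowed VLAN List sections above can all be applied to two interface stanzas before the link is ever brought up. The following is an added example written for this page, not Cisco code and not an official tool: it parses the switchport lines of one interface from each switch, applies the allowed-VLAN add/remove commands in order the way IOS does, decides whether a trunk forms under the mode rules the text gives, and reports the mismatches. The two config fragments are constructed; the port defaults assumed when a line is absent (mode dynamic auto, native VLAN 1, all VLANs allowed) are stated in the code.

```python
import re

ALL_VLANS = set(range(1, 4095))
ACTIVE_MODES = {"trunk", "dynamic desirable"}  # modes that initiate a trunk


def parse_vlan_list(spec):
    """Expand '10,20,30-32' into a set of VLAN IDs; 'all' and 'none' as in IOS."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interface(config_text):
    """Collect the switchport settings of one interface stanza.
    Defaults are assumptions for the demo: dynamic auto, native VLAN 1,
    all VLANs allowed. 'allowed vlan add/remove' modify the list in order."""
    port = {"mode": "dynamic auto", "native": 1, "allowed": set(ALL_VLANS),
            "nonegotiate": False}
    for line in config_text.strip().splitlines():
        line = line.strip()
        if m := re.match(r"switchport mode (.+)", line):
            port["mode"] = m.group(1)
        elif m := re.match(r"switchport trunk native vlan (\d+)", line):
            port["native"] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan add (.+)", line):
            port["allowed"] |= parse_vlan_list(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan remove (.+)", line):
            port["allowed"] -= parse_vlan_list(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (.+)", line):
            port["allowed"] = parse_vlan_list(m.group(1))
        elif line == "switchport nonegotiate":
            port["nonegotiate"] = True
    return port


def trunk_forms(a, b):
    """DTP outcome for the two port settings: an access port never trunks,
    two dynamic auto ports stay access, and a port with nonegotiate sends no
    DTP frames, so its peer must be statically configured as trunk."""
    modes = {a["mode"], b["mode"]}
    if "access" in modes:
        return False
    if a["nonegotiate"] and b["mode"] != "trunk":
        return False
    if b["nonegotiate"] and a["mode"] != "trunk":
        return False
    return bool(modes & ACTIVE_MODES)


def audit_trunk(name_a, cfg_a, name_b, cfg_b):
    """Return the list of problems a troubleshooter would look for on the link."""
    a, b = parse_interface(cfg_a), parse_interface(cfg_b)
    findings = []
    if not trunk_forms(a, b):
        findings.append(f"no trunk forms: {name_a} is '{a['mode']}', {name_b} is '{b['mode']}'")
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {name_a} uses {a['native']}, {name_b} uses {b['native']}")
    for name, port in ((name_a, a), (name_b, b)):
        if port["native"] not in port["allowed"]:
            findings.append(f"{name}: native VLAN {port['native']} is not in the allowed list; untagged traffic is dropped")
        if port["native"] == 1:
            findings.append(f"{name}: native VLAN is still VLAN 1; move it to an unused VLAN")
    for vlan in sorted((a["allowed"] ^ b["allowed"]) - {1}):
        findings.append(f"VLAN {vlan} is allowed on only one side of the trunk")
    return findings


# Constructed configs: SW1 native 99 and a pruned list, SW2 left at native VLAN 1.
SW1_GI0_1 = """
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30
 switchport trunk allowed vlan add 40
 switchport trunk allowed vlan remove 20
"""
SW2_GI0_1 = """
interface GigabitEthernet0/1
 switchport mode dynamic auto
 switchport trunk allowed vlan 10,20,30,40,99
"""

if __name__ == "__main__":
    for finding in audit_trunk("SW1", SW1_GI0_1, "SW2", SW2_GI0_1):
        print(finding)
```

On the constructed pair the trunk does form (trunk against dynamic auto), but the audit flags the 99-versus-1 native VLAN mismatch, that neither side has its own native VLAN in its allowed list (SW1's list is 10,30,40 after the add and remove; SW2 listed 99 but not VLAN 1), that SW2 still uses VLAN 1 as native, and that VLANs 20 and 99 are allowed on one side only. Each of those is a line the exam tips above tell you to check.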
Conclusion
Mastering VLANs and 802.1Q trunking is essential for the CCNA 200-301 exam. Practice configuring access ports, trunks, native VLANs, and allowed VLAN lists. Use simulation tools like Packet Tracer to reinforce these concepts. Troubleshoot mismatches and DTP issues until they become second nature.
To solidify your knowledge, try practice questions that ask you to identify the correct trunk configuration or debug a native VLAN mismatch scenario. Hands-on labs and quiz banks will help you pass the exam confidently.