What trunk ports actually do
An access port carries one VLAN. Traffic on that port is untagged. A trunk port carries multiple VLANs. Traffic is tagged with the 802.1Q header so the receiving switch knows which VLAN each frame belongs to.
The CCNA exam tests whether you understand how trunking works, how misconfigurations cause traffic failures, and how to read show interfaces trunk output to identify problems.
Reading show interfaces trunk
SW1# show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30
Four sections. The exam tests all of them:
Mode: on, desirable, auto, or nonegotiate. A port in on mode will always trunk. A port in auto mode will trunk only if the other side is on or desirable. Two ports both set to auto will not trunk.
Native VLAN: Frames from this VLAN are sent untagged over the trunk. The native VLAN must match on both ends. If it does not, Cisco switches generate a CDP warning, and traffic from the native VLAN may end up in the wrong VLAN on the other side — a VLAN hopping vector.
VLANs allowed on trunk: This is the configured list of VLANs permitted to cross the trunk. By default it is 1-4094. If a VLAN is removed from this list using switchport trunk allowed vlan remove X, traffic for that VLAN will not cross this link even if the VLAN is active on both switches.
VLANs allowed and active: This is the intersection of allowed VLANs and VLANs that actually exist in the VLAN database. If VLAN 40 is allowed but not created on this switch, it will not appear here.
The native VLAN trap
This is the most-tested trunk concept on the CCNA. Here is the scenario:
SW1 trunk port has native VLAN 1. SW2 trunk port has native VLAN 10. What happens?
Both switches generate a CDP warning about native VLAN mismatch. Frames from VLAN 1 on SW1 cross the trunk untagged. SW2 receives untagged frames and assigns them to its native VLAN — VLAN 10. The traffic arrives in the wrong VLAN.
This is not a complete traffic failure. It is a silent misrouting. Devices in VLAN 1 on SW1 think they are communicating with other VLAN 1 devices, but the traffic is landing in VLAN 10 on SW2.
The exam usually presents this as: "A technician reports that traffic is crossing VLANs unexpectedly. Which configuration is the most likely cause?" Native VLAN mismatch is the correct answer.
The allowed VLAN trap
A VLAN that is not in the allowed list on the trunk will not carry traffic across that link. The exam tests this in two ways:
A host in VLAN 30 can reach other devices in the same room (same switch) but not devices in another building (across a trunk). Check whether VLAN 30 is in the allowed VLAN list on both trunk ports between the buildings.
An administrator adds a new VLAN to the network but traffic does not flow. If the trunk ports still have the original allowed VLAN list that does not include the new VLAN, the VLAN is isolated.
The fix is switchport trunk allowed vlan add X on both trunk port interfaces.
DTP and the auto/auto trap
DTP (Dynamic Trunking Protocol) negotiates trunk formation automatically. The default mode on most Cisco switches is dynamic auto.
Two ports both set to dynamic auto will NOT form a trunk. They are both waiting for the other to initiate. The result is an access port on both sides. To form a trunk, at least one side must be dynamic desirable or on.
The exam presents this as: "SW1 and SW2 are connected. Both ports are left at default. VLANs cannot cross between switches. What is the cause?" The answer is that both ports are in dynamic auto mode and have not negotiated a trunk.
Practice trunking questions
Work through CCNA switching questions on Courseiva to drill VLAN and trunking scenarios. The VLANs and trunking topic guide covers 802.1Q tagging, native VLAN behaviour, and inter-VLAN routing in detail. See the CCNA practice test for full-length timed sessions.
Frequently asked questions
Should the native VLAN be VLAN 1? In production it is a security best practice to change the native VLAN away from VLAN 1 (because VLAN 1 carries CDP, VTP, and spanning tree traffic by default). On the CCNA exam, the default native VLAN is VLAN 1, and questions about native VLAN mismatch usually involve VLAN 1 on one side.
Does allowed VLAN list pruning affect STP? Yes. VLANs that are not in the allowed list are also removed from spanning tree on that trunk. This affects the STP topology for those VLANs.
What is the difference between VLAN allowed and VLAN active?
Allowed: administratively permitted on the trunk. Active: permitted AND existing in the VLAN database. A VLAN can be allowed but not active if it has not been created with the vlan X command in global configuration.
What a Frame Looks Like on a Trunk — The 802.1Q Tag
When a switch sends a tagged frame over a trunk, it inserts a 4-byte 802.1Q tag between the source MAC and the EtherType field. The tag begins with the TPID value 0x8100, which is how the receiver recognises a tagged frame, and carries the 12-bit VLAN ID:

[ Dst MAC ][ Src MAC ][ TPID 0x8100 ][ VLAN ID (12-bit) ][ EtherType ][ Payload ][ FCS ]
                      ^ 4-byte 802.1Q tag inserted here
A frame from VLAN 10: the switch inserts a tag with VLAN ID = 10. The far switch strips the tag and delivers the frame to VLAN 10 ports.
A frame from the native VLAN: no tag is inserted. The frame travels as a standard untagged Ethernet frame. The far switch receives it, has no tag to read, and assigns it to its own configured native VLAN. If native VLANs match on both sides, this works correctly. If they do not match, the frame ends up in the wrong VLAN silently — no error, no alert.
VLAN Hopping via Double Tagging — The Complete Attack
The attack requires one condition: the attacker's access port is in the same VLAN as the trunk's native VLAN.
- Attacker is on an access port in VLAN 1 (same as the native VLAN)
- Attacker crafts a frame with two 802.1Q tags: outer = VLAN 1, inner = VLAN 99
- SW1 receives the frame on the access port
- At the trunk port, SW1 processes the outer tag: VLAN 1 = native VLAN, so the outer tag is stripped and the frame goes untagged — but it still has the inner VLAN 99 tag
- SW2 receives what looks like a tagged frame for VLAN 99, strips the inner tag, and delivers to VLAN 99
The attacker never had trunk access. The attack works because native VLAN frames are not tagged, and SW1 strips only the outer tag before forwarding.
This is one-way only. Responses cannot return via the same mechanism. But it is sufficient for broadcast injection and reaching services that should be isolated.
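The tag layout above and the two trunk scenarios (native VLAN mismatch and the double-tag walk-through) can be modelled in a few lines. This is an added example, not code from the original page: it builds constructed sample frames, parses the 802.1Q tag stack (more than one tag on a frame from an access port is the thing to alert on), and applies the native-VLAN rules each switch uses at trunk egress and ingress. `trunk_egress`, `trunk_ingress` and the access-port outer-tag strip are simplified models of switch behaviour, not a vendor implementation.

```python
import struct
TPID = 0x8100                        # 802.1Q Tag Protocol Identifier
DST = bytes.fromhex("ffffffffffff")  # constructed sample addresses
SRC = bytes.fromhex("020000000001")

def build_frame(vlans, ethertype=0x0800, payload=b"sample"):
    """Ethernet frame with zero or more 802.1Q tags, outer tag first.
    Constructed sample input; the FCS is left off (the NIC adds it)."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vlans)
    return DST + SRC + tags + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return (VLAN IDs outer-to-inner, EtherType); two IDs = a stacked tag."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)        # low 12 bits of the TCI = VLAN ID
        off += 4
    return vids, struct.unpack("!H", frame[off:off + 2])[0]

def pop_tag(frame):
    """Remove the outermost 4-byte tag (bytes 12..15)."""
    return frame[:12] + frame[16:]

def trunk_egress(frame, vlan, native_vlan):
    """Native-VLAN frames leave a trunk untagged; every other VLAN gets a tag."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID, vlan) + frame[12:]

def trunk_ingress(frame, native_vlan):
    """Trunk receive: pop one tag if present, else assign the native VLAN."""
    vids, _ = parse_tags(frame)
    return (vids[0], pop_tag(frame)) if vids else (native_vlan, frame)

def native_mismatch(sw1_native, sw2_native):
    """Native VLAN trap: the VLAN that SW2 assigns to a VLAN-1 frame from SW1."""
    on_wire = trunk_egress(build_frame([]), 1, sw1_native)
    return trunk_ingress(on_wire, sw2_native)[0]

def double_tag(access_vlan, native_vlan, inner):
    """Double tagging: two-tag frame enters an access port in access_vlan. The
    access port strips the matching outer tag; if access_vlan is the trunk's
    native VLAN, SW1 forwards untagged and SW2 reads the surviving inner tag."""
    frame = build_frame([access_vlan, inner])
    if parse_tags(frame)[0][:1] == [access_vlan]:
        frame = pop_tag(frame)
    on_wire = trunk_egress(frame, access_vlan, native_vlan)
    return trunk_ingress(on_wire, native_vlan)[0]
```

With matching native VLANs the VLAN-1 frame stays in VLAN 1; with the native VLAN moved to an unused ID, SW1 tags the attacker's frame itself and SW2 classifies it back into the attacker's own VLAN, which is why the hardening step below works.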
Hardening checklist to prevent VLAN hopping:
SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk native vlan 999
SW1(config-if)# switchport trunk allowed vlan 10,20,30
SW1(config-if)# switchport nonegotiate
This changes the native VLAN to an unused VLAN (eliminating the untagged-frame attack vector), restricts the trunk to only the VLANs that actually need to cross it, and disables DTP to prevent fake trunk formation from a rogue switch.
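The checklist is easy to apply to one port and easy to miss on the next. As an added example that is not part of the original page, the audit below parses a constructed `show running-config` excerpt (Gi0/1 follows the checklist, Gi0/2 is a trunk left at defaults) and reports which of the three settings a trunk still lacks. It assumes the Cisco defaults stated in this section when a command is absent: native VLAN 1, all VLANs allowed, DTP enabled.

```python
import re

# Constructed sample of `show running-config` output: Gi0/1 applies the
# section's checklist, Gi0/2 is a trunk left at its defaults.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map interface name -> list of its indented configuration lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
    return blocks

def audit_trunk(lines):
    """Findings for one interface against the checklist above. Assumes Cisco
    defaults when a command is absent: native VLAN 1, 1-4094 allowed, DTP on."""
    if "switchport mode trunk" not in lines:
        return []                      # only trunks are in scope here
    native = next((int(l.split()[-1]) for l in lines
                   if l.startswith("switchport trunk native vlan")), 1)
    findings = []
    if native == 1:
        findings.append("native VLAN is 1: untagged frames can be double-tagged")
    if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
        findings.append("allowed VLAN list is the default 1-4094")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP still enabled: a rogue switch can negotiate a trunk")
    return findings

def audit_config(config):
    """Return {interface: findings} for every trunk with at least one issue."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_trunk(lines)
        if findings:
            report[name] = findings
    return report
```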
VLAN Best Practices That Appear on the Exam
VLAN 1 is the default for everything — all switch ports, all trunks, all STP BPDUs, and Cisco management traffic. This makes it high-value to attack and worth isolating. Best practice: move management to a dedicated VLAN, leave VLAN 1 empty.
VLANs 1002-1005 are reserved — legacy VLANs for Token Ring (1003, 1005) and FDDI (1004). They exist by default, cannot be deleted, and should not be used for production traffic.
A VLAN must exist on both switches for traffic to cross the trunk — if SW1 has VLAN 10 in its database and SW2 does not, frames tagged as VLAN 10 arriving at SW2 are dropped silently. The exam presents this as "VLAN 10 traffic is not crossing the trunk between SW1 and SW2" and the fix is creating VLAN 10 on SW2 with the vlan 10 command.
VTP pruning removes inactive VLANs from trunks — if SW2 has no ports in VLAN 30, VTP pruning removes VLAN 30 from the trunk between SW1 and SW2, reducing broadcast traffic. The exam tests pruning as the answer for "reduce unnecessary broadcast traffic on inter-switch trunks." VLANs 1 and 1002-1005 cannot be pruned.
Practice Question Sets
The only way to build genuine speed on CCNA questions is reps under realistic conditions. Pick a session size that fits your schedule: