CiscoCCNPEnterprise NetworkingBeginner23 min read

What Is VLAN Trunking in Networking?

Also known as: VLAN Trunking, 802.1Q, native VLAN, CCNA trunking, CCNP ENCOR switching

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

VLAN Trunking allows one network cable to carry messages for many separate virtual networks at the same time. It works by adding a special tag to each message that identifies which virtual network it belongs to. This way, devices on different virtual networks can share the same physical connection without mixing up their data. It is like a postal service that sorts mail by zip code so letters for different neighborhoods can travel together in the same truck.

Must Know for Exams

VLAN Trunking appears prominently in the Cisco Certified Network Professional (CCNP) Enterprise exam (350-401 ENCOR) and also in the CCNA exam. In the ENCOR exam, it is part of the Layer 2 technologies section, which covers VLANs, trunking, spanning tree, and EtherChannel. Candidates must understand not just the basics, but also the details of 802.1Q tagging, the native VLAN, DTP, and VTP.

Exam questions often focus on configuration commands, such as "switchport mode trunk" or "switchport trunk native vlan". You will also be asked to interpret show commands like "show interfaces trunk" or "show vlan". These commands reveal which ports are trunks, which VLANs are allowed, and the native VLAN. A typical multiple-choice question might ask: Which command configures an interface as a trunk? Or: What is the default native VLAN on a Cisco switch?

Scenario-based questions are very common. For example, you might be given a topology where two switches are connected, and voice and data VLANs must be carried over the link. You need to configure the trunk and verify that both VLANs are passing traffic. Troubleshooting questions might present a situation where PCs in VLAN 10 can communicate with each other but not with a server in VLAN 10 on a different switch. The answer often involves checking the trunk configuration, verifying that VLAN 10 is allowed, or fixing a native VLAN mismatch.

In the ENCOR exam, expect deeper understanding. You may be asked about the difference between access and trunk ports, or about the implications of using DTP. The exam also tests security concepts like VLAN hopping and how to prevent it by disabling DTP and using a dedicated native VLAN. Mastering VLAN Trunking is essential because it is a foundational topic that appears in multiple sections of the exam, and it connects to other topics like routing, switching, and security.

Simple Meaning

Imagine you work in a large office building with many different departments. Each department has its own team, its own projects, and its own conversations. But they all share the same hallways, elevators, and break rooms. This is similar to how a single physical network cable can carry data for many different virtual networks, or VLANs.

VLAN Trunking is the technique that makes this sharing possible and orderly. Without it, you would need a separate physical cable for each virtual network, which would be expensive and messy. Instead, VLAN Trunking adds a small digital label, called a VLAN tag, to every piece of data that travels over the shared link. This tag works like a colored sticker on a folder. It tells the equipment at the other end which VLAN that data belongs to.

Think of a library with multiple sections: fiction, non-fiction, reference, and children's books. The librarian uses a cart to move books from the returns desk to the shelves. If the cart is the trunk link, each book has a tag indicating its section. The librarian can then sort the books correctly at the destination. Without the tags, all the books would be mixed up. VLAN Trunking does the same for network data. It ensures that traffic from the accounting VLAN reaches only accounting computers, even though it travels on the same cable as traffic from the marketing VLAN.

This method is essential for building efficient, scalable networks. It allows network administrators to create separate broadcast domains, improve security, and reduce cable clutter. For example, a company with hundreds of employees can have separate VLANs for voice calls, video surveillance, guest Wi-Fi, and internal data. All these VLANs can use trunk links between switches to pass traffic throughout the building. VLAN Trunking is invisible to end users, but it is the backbone of modern enterprise networking. It follows a standard called IEEE 802.1Q, which defines how the tagging works so that equipment from different manufacturers can interoperate.

Full Technical Definition

VLAN Trunking is the process of using a single network link to carry traffic from multiple VLANs. The core technology behind this is VLAN tagging, most commonly implemented using the IEEE 802.1Q standard. In a standard Ethernet frame, a four-byte VLAN tag is inserted between the source MAC address and the EtherType field. This tag contains a 12-bit VLAN ID (VID), which can range from 1 to 4094, allowing up to 4094 distinct VLANs on a single trunk link. There are also reserved VLAN IDs, such as 0 and 4095, which are used for special purposes.

When a switch receives a frame on an access port, it knows which VLAN that port belongs to. If the frame needs to be sent out a trunk port, the switch inserts the appropriate VLAN tag into the frame header. This process is called tagging. At the receiving end, another switch reads the tag, strips it off, and forwards the frame to the correct VLAN on an access port. This entire process happens in hardware for speed, using application-specific integrated circuits (ASICs) on the switch.

Cisco switches also support a proprietary protocol called Dynamic Trunking Protocol (DTP), which can automatically negotiate trunk links between two switches. However, for security and exam accuracy, it is recommended to manually configure trunk links. The command "switchport mode trunk" on a Cisco switch interface makes it a permanent trunk. The native VLAN is a special concept in 802.1Q trunking. Frames on the native VLAN are sent untagged. This is important for backward compatibility with devices that do not understand VLAN tags. By default, the native VLAN is VLAN 1, but it should be changed to an unused VLAN for security reasons.

Another protocol related to trunking is VLAN Trunking Protocol (VTP), which is a Cisco proprietary protocol that advertises VLAN information across a network. While VTP can simplify VLAN creation, it can also cause network-wide issues if misconfigured. In modern Cisco exams, candidates are expected to know how to configure trunks, understand the role of the native VLAN, and be aware of the security implications of using DTP and VTP. Implementing VLAN Trunking correctly allows an organization to have a flat Layer 2 network design while logically separating traffic. This is crucial for network segmentation, reducing broadcast traffic, and enforcing security policies between different departments or user groups.

Real-Life Example

Think of a large hospital with multiple wings. The cardiology wing, the pediatrics wing, the emergency department, and the administrative offices all need to send and receive messages, patient records, and lab results. Each wing is like a separate VLAN. They need to stay separate for security and organization, but they all share the same main hallway connecting the entire hospital.

Now, imagine a motorized cart that travels up and down that main hallway. This cart is the trunk link. The cart carries mail and packages from one wing to the other. But how does the cart driver know which package belongs to which wing? Each package has a colored tag on it. Red for cardiology, blue for pediatrics, yellow for emergency, and green for administration. The tag is the VLAN tag. When the cart arrives at the cardiology wing, the staff only unloads packages with red tags. Blue tagged packages stay on the cart until it reaches pediatrics.

This system works perfectly because the tags allow all packages to travel together on one cart, but they are sorted correctly at each stop. Without the tags, the cart driver would have to make a separate trip for each wing, which would be slow and inefficient. The hospital would need many more carts and more hallway space. In networking terms, you would need many more cables. VLAN Trunking is that efficient cart system. It allows data from many separate VLANs to travel over one cable, with tags ensuring that each piece of data reaches the correct VLAN. The native VLAN is like the hospital's internal mail that does not need a colored tag because it is only used between the main office and the cart driver. Everyone else uses tags. This analogy shows how VLAN Trunking reduces cable use, simplifies network design, and keeps data correctly separated.

Why This Term Matters

VLAN Trunking matters because it enables the creation of scalable, secure, and manageable enterprise networks without requiring a separate physical cable for every network segment. In real IT work, network administrators must design networks that handle traffic for voice, video, data, guest access, and management, all while keeping them logically isolated. Trunking is the method that makes this possible over shared infrastructure.

For example, in an office building with multiple floors, you can run a single cable from the basement server room to a switch on each floor. That single cable can carry traffic for the sales VLAN, the HR VLAN, and the guest Wi-Fi VLAN simultaneously. This saves significant cost in cabling, ports, and and physical space. Without trunks, you would need a separate cable for each VLAN to each floor.

From a cybersecurity perspective, VLAN Trunking must be configured carefully. A misconfigured trunk can allow traffic from one VLAN to leak into another, which is a serious security vulnerability. For instance, leaving the native VLAN as the default VLAN 1 and using DTP in dynamic desirable mode can allow an attacker to connect a rogue switch and gain access to multiple VLANs. This is called VLAN hopping. Understanding how to secure trunks by disabling unused ports, setting the native VLAN to an unused ID, and explicitly configuring trunk mode is essential for any network professional.

Trunking also plays a role in wireless networking. When a wireless LAN controller (WLC) connects to a switch, the uplink is often a trunk carrying multiple SSIDs, each mapped to a different VLAN. This allows guests to use Wi-Fi without accessing the corporate network. In cloud and data center environments, trunking is used with virtual switches to carry traffic for multiple virtual machines (VMs) across physical hosts. Without a solid grasp of VLAN Trunking, an IT professional cannot design or troubleshoot modern networks effectively.

How It Appears in Exam Questions

VLAN Trunking appears in several types of exam questions. The most straightforward are multiple-choice questions that test terminology and configuration commands. For example: "Which IEEE standard defines VLAN tagging?" with options including 802.1Q, 802.1X, 802.3, and 802.11. Another example: "What is the default native VLAN on a Cisco switch?" The correct answer is VLAN 1. These questions are designed to check that you have read the theory and memorized key facts.

Configuration questions often require you to place commands in the correct order. You might see a drag-and-drop question where you must order the steps to configure a trunk interface. The correct sequence would be: enter interface configuration mode, set the interface to trunk mode, set the native VLAN, and specify allowed VLANs. You must know the exact syntax, such as "switchport trunk allowed vlan 10,20,30".

Troubleshooting questions present a scenario with a problem. For instance: "Users in VLAN 20 cannot reach the server in VLAN 20. The switches are connected via a trunk. The output of 'show interfaces trunk' shows that VLAN 20 is not in the allowed list. What is the cause?" The answer is that VLAN 20 was removed from the trunk using the "switchport trunk allowed vlan remove" command.

Simulation questions may require you to configure a trunk on a lab topology within a simulated environment. You would need to use the correct commands and verify your configuration. These questions test your ability to apply knowledge under time pressure. Another pattern is the "output interpretation" question, where you are given the output of "show vlan" or "show interfaces trunk" and must identify which ports are trunks, which VLANs are active, or what the native VLAN is. You must read the output carefully because examiners often include subtle clues, like a port being in "dynamic desirable" mode, which indicates it is not a static trunk.

Finally, security-related questions may ask how to prevent VLAN hopping. You need to know that disabling DTP, setting the native VLAN to an unused VLAN, and using dedicated trunk ports are all valid protections. These questions confirm that you understand not just how to configure a trunk, but also how to secure it against attacks.

Study encor

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A medium-sized company has two switches, Switch A in the IT department and Switch B in the Sales department. The company has three VLANs: VLAN 10 for IT staff, VLAN 20 for Sales staff, and VLAN 30 for guest Wi-Fi. The IT department is on the first floor, and Sales is on the second floor. There is only one cable connecting Switch A and Switch B.

To allow all three VLANs to communicate across the building using that single cable, the network administrator configures the connection between the two switches as a trunk. On Switch A, the interface connected to Switch B is set to trunk mode. The native VLAN is changed from the default VLAN 1 to an unused VLAN 99 for security. VLANs 10, 20, and 30 are allowed on the trunk. The same configuration is applied on Switch B.

Now, a salesperson on the second floor can access the sales server on the first floor because their traffic travels over the trunk with a VLAN 20 tag. At the same time, an IT technician on the first floor can access a file server on the second floor using VLAN 10. A guest using Wi-Fi on the second floor is isolated in VLAN 30 and cannot reach the IT or Sales networks. The trunk makes all of this possible over one physical cable. If the trunk were not configured, only one VLAN could be carried across the link, limiting communication between departments. This scenario shows how trunking is essential for supporting multiple VLANs over a shared network link.

Common Mistakes

Thinking that an access port can carry multiple VLANs.

An access port belongs to a single VLAN only. It accepts untagged traffic and assigns it to that one VLAN. It cannot differentiate between traffic from different VLANs.

Remember that an access port is like a single parking spot for one car (one VLAN). For multiple VLANs, you need a trunk port, which is like a multi-lane highway with lane markers (VLAN tags).

Assuming that the native VLAN should always be the default VLAN 1.

VLAN 1 is the default native VLAN on all Cisco switches. Using it for user traffic is a security risk because attackers can potentially exploit it for VLAN hopping. It is also used for control traffic like CDP and STP.

Always change the native VLAN to an unused VLAN ID (like 999 or 1001) on all trunk ports to improve security and prevent VLAN hopping attacks.

Forgetting to allow specific VLANs on a trunk after configuring it.

By default, a trunk allows all VLANs (1-4094). But if you use the command 'switchport trunk allowed vlan 10' without including other needed VLANs, you will block all other traffic, causing network outages.

When limiting VLANs on a trunk, use the 'add' keyword to include additional VLANs. For example: 'switchport trunk allowed vlan add 20'. Verify with 'show interfaces trunk'.

Configuring DTP in 'dynamic desirable' mode on a port that should be a trunk.

DTP can negotiate trunking automatically, but this creates a security vulnerability. An attacker could connect a rogue switch and gain trunk access. It also leads to unpredictable behavior if the other side is configured differently.

Manually configure trunk ports by using 'switchport mode trunk' and disable DTP with 'switchport nonegotiate'. This gives you full control and eliminates negotiation risks.

Confusing the native VLAN on a 802.1Q trunk with the native VLAN on an access port.

On a trunk, the native VLAN is the one that is not tagged. On an access port, the native VLAN is simply the VLAN assigned to that port. These are different concepts and mixing them causes configuration errors.

Remember: On a trunk, 'native VLAN' means 'untagged traffic'. On an access port, 'native VLAN' means 'the VLAN that this port belongs to'. Always keep these definitions separate.

Exam Trap — Don't Get Fooled

A question shows that a trunk is configured with the command 'switchport mode trunk' but the native VLAN is left as VLAN 1. The question asks if this is a valid configuration. Many learners think it is fine because it works.

Always apply security best practices in exam answers. Even if a configuration works, if it violates best practices (like using VLAN 1 as native, or enabling DTP), it is not fully correct. For the exam, remember that the native VLAN should be an unused VLAN.

Always choose the most secure and best practice answer.

Commonly Confused With

VLAN TrunkingvsAccess Port

An access port belongs to a single VLAN and carries only untagged traffic for that one VLAN. A trunk port carries traffic for multiple VLANs using tags. The access port is like a single lane road for one destination, while a trunk is a multi-lane highway for many destinations.

An access port connects a single PC to VLAN 10. A trunk port connects two switches and carries VLANs 10, 20, and 30 simultaneously.

VLAN TrunkingvsVLAN Tagging

VLAN Trunking is the overall method of carrying multiple VLANs over a link. VLAN tagging is the specific mechanism of adding a tag to each Ethernet frame so that the receiving switch knows which VLAN it belongs to. Trunking uses tagging, but they are not the same thing. Tagging is the tool; trunking is the application of that tool.

Think of trunking as a highway system. Tagging is like the lane markers on the highway. Without lane markers, you cannot have a multi-lane highway.

VLAN TrunkingvsEtherChannel

EtherChannel bundles multiple physical links into one logical link for increased bandwidth and redundancy. A trunk carries multiple VLANs over one link, while EtherChannel is about combining links. They can be used together: you can have an EtherChannel that is also a trunk, carrying multiple VLANs over the bundle.

Imagine you need more capacity between two switches. You connect four cables and form an EtherChannel. On that same bundle, you configure it as a trunk to carry VLANs 10, 20, and 30. The EtherChannel gives more speed; the trunk gives VLAN separation.

VLAN TrunkingvsVLAN Trunking Protocol (VTP)

VTP is a Cisco proprietary protocol that synchronizes VLAN information across switches. It automatically creates and deletes VLANs on all switches in a VTP domain. VLAN Trunking is about carrying traffic for multiple VLANs on a link. VTP is about managing which VLANs exist. They are related but serve different purposes.

You use VTP to tell all switches that VLAN 50 should exist. After VTP does that, you use trunking to actually carry VLAN 50 traffic between those switches.

Step-by-Step Breakdown

1

Designate VLANs

First, the network administrator decides which virtual networks (VLANs) are needed. For example, VLAN 10 for accounting, VLAN 20 for sales, and VLAN 30 for guest Wi-Fi. Each VLAN gets a unique ID. This is a planning step that happens before any configuration.

2

Configure Access Ports

Each end device, like a PC or printer, is connected to a switch port configured as an access port. That access port is assigned to one specific VLAN. For instance, an access port for a sales PC is placed in VLAN 20. The switch adds the VLAN tag when it receives a frame from the PC, but the PC itself does not know about VLANs.

3

Configure Trunk Ports

The ports connecting two switches (or a switch to a router) are configured as trunk ports using the command 'switchport mode trunk' on Cisco devices. This tells the port to expect tagged frames and to tag frames leaving the port (except for the native VLAN).

4

Set the Native VLAN

The native VLAN is configured on the trunk port, preferably to an unused VLAN ID (e.g., VLAN 999). Any traffic on the native VLAN is sent untagged. Both ends of the trunk must agree on the native VLAN, otherwise a native VLAN mismatch occurs, causing network issues.

5

Specify Allowed VLANs

By default, a trunk allows all VLANs. To restrict traffic, the administrator can use the 'switchport trunk allowed vlan' command to list only the VLANs that should traverse the trunk. This improves security and reduces unnecessary broadcast traffic.

6

Verify the Trunk

After configuration, the administrator uses show commands like 'show interfaces trunk' to verify that the port is in trunking mode, that the allowed VLANs are correct, and that the native VLAN matches on both ends. This step ensures the trunk is functional.

7

Implement Security Measures

Finally, security best practices are applied. This includes disabling DTP with 'switchport nonegotiate', changing the native VLAN away from VLAN 1, and shutting down unused ports. These steps prevent attacks like VLAN hopping and unauthorized trunk negotiation.

Practical Mini-Lesson

VLAN Trunking is one of those topics that sounds intimidating but becomes straightforward once you break it down into hands-on practice. Let us walk through what you, as a network professional, need to know to configure and troubleshoot trunking in a real environment.

First, always plan your VLAN IDs. In a typical Cisco switch, VLANs 1 and 1002-1005 are reserved. Use a consistent numbering scheme, like VLANs 10-19 for data, 20-29 for voice, and 30-39 for management. Assign each VLAN a meaningful name. This makes later troubleshooting much easier.

To configure a trunk on a Cisco switch, you enter the interface configuration mode for the port that connects to another switch. The command 'switchport mode trunk' sets the port to permanent trunk mode. It is better to use this than DTP because it removes negotiation overhead and security risk. After that, configure the native VLAN with 'switchport trunk native vlan 999'. Then, define which VLANs are allowed with 'switchport trunk allowed vlan 10,20,30'. If you need to add a VLAN later, use 'switchport trunk allowed vlan add 40'.

Now, what can go wrong? The most common issue is a native VLAN mismatch. If one switch has native VLAN 1 and the other has native VLAN 999, CDP (Cisco Discovery Protocol) will report a mismatch, and broadcast traffic may not pass correctly. Another problem is forgetting to enable trunking on both ends. If one port is an access port and the other is a trunk, the link may come up but not pass traffic for all VLANs.

When troubleshooting, start with 'show interfaces trunk'. This command lists all trunk interfaces, their mode (trunk, dynamic, etc.), the native VLAN, and the allowed VLANs. Then use 'show vlan' to see which VLANs exist and which ports are assigned to them. If you see a port that is supposed to be a trunk but is not showing up, check if the port is administratively down. Also, verify that both switches have the required VLANs created; a trunk cannot carry a VLAN that does not exist.

Broader context: VLAN Trunking is not limited to physical switches. In virtualized environments like VMware vSphere, virtual switches use trunking to carry multiple VLANs to virtual machines. A VM can be placed in a specific VLAN by tagging its virtual port. Similarly, in cloud networks, VLAN trunking is used to extend on-premises networks into the cloud. Understanding trunking gives you a foundation for understanding more advanced topics like VXLAN (Virtual Extensible LAN) and network virtualization.

A final tip: Always document your trunk configurations. Note which VLANs are allowed, what the native VLAN is, and which security features are enabled. When the network grows or a colleague needs to make changes, that documentation will save hours of troubleshooting. Trunking is a basic but powerful tool, and mastering it is a key step in becoming a competent network engineer.

Memory Tip

Think of the trunk as a highway for police cars. The cars are from different precincts (VLANs). They all use the same highway (trunk), but each car has an identifying badge number (VLAN tag). The highway patrol (switch) reads the badge and directs the car to its correct precinct exit. Remember: no badge means native VLAN.

Covered in These Exams

Related Glossary Terms

Frequently Asked Questions

What is the difference between a trunk port and an access port?

An access port belongs to a single VLAN and sends traffic without any VLAN tags. A trunk port carries traffic for multiple VLANs and adds VLAN tags to frames so the receiving device knows which VLAN they belong to.

What does the native VLAN do on a trunk?

The native VLAN is the VLAN that carries untagged traffic on a trunk. It is used for backward compatibility with devices that do not understand VLAN tags. Both ends of the trunk must have the same native VLAN configured.

Can I use VLAN 1 as the native VLAN?

Technically yes, but it is not recommended for security reasons. VLAN 1 is the default native VLAN and is used for control traffic. Changing it to an unused VLAN helps prevent VLAN hopping attacks.

How do I configure a trunk on a Cisco switch?

Enter interface configuration mode for the port, then use the command 'switchport mode trunk'. Optionally, set the native VLAN with 'switchport trunk native vlan <id>' and specify allowed VLANs with 'switchport trunk allowed vlan <list>'.

What is the maximum number of VLANs on a trunk?

The IEEE 802.1Q standard supports up to 4094 VLAN IDs (1-4094). However, some switch models may have hardware limitations that reduce this number in practice.

What happens if I configure a trunk but the other side is an access port?

The link may come up, but traffic will not pass correctly. The access port will drop tagged frames, and the trunk port may not receive untagged frames properly. This causes a network misconfiguration.

What is DTP and should I use it?

DTP (Dynamic Trunking Protocol) is a Cisco proprietary protocol that automatically negotiates trunk links. For security and control, it is better to disable DTP and configure trunks manually using 'switchport mode trunk' and 'switchport nonegotiate'.

Summary

VLAN Trunking is a foundational networking concept that allows a single physical link to carry traffic for multiple virtual networks, or VLANs, by adding a tag to each frame. This tag, defined by the IEEE 802.1Q standard, identifies which VLAN the traffic belongs to, enabling network segmentation without requiring separate cables for each network.

Trunking is essential for building efficient, scalable, and secure enterprise networks. It reduces cabling costs, simplifies network design, and supports logical separation of departments, guest traffic, and management traffic. For IT certification exams like CCNA and CCNP ENCOR, candidates must understand how to configure trunks, set the native VLAN, specify allowed VLANs, and apply security measures such as disabling DTP and using a non-default native VLAN.

Common mistakes include confusing trunk and access ports, leaving the native VLAN as the default, and forgetting to allow specific VLANs. Mastery of VLAN Trunking opens the door to more advanced networking topics like VXLAN, software-defined networking, and cloud network integration. Always verify your trunk configuration with show commands and document your design for future troubleshooting.

With this knowledge, you are well prepared to handle real-world networking challenges and certification exam questions.