VLANs and trunk links are the backbone of any switched network, but they are also the source of some of the most common and costly configuration errors on the CCNA 200-301 exam — and in real networks. A single misconfigured trunk can silently drop traffic, create security holes, or cause an entire VLAN to go dark. This chapter covers the exact traps Cisco sets in the exam (objective 2.1: Configure and verify VLANs and trunking) and how to avoid them in production. Master these details, and you will not only pass the exam but also earn the trust of your future network team.
Imagine a large apartment building with 100 units, each unit representing a different VLAN. The building has a central mailroom (the switch) that sorts mail into 100 different mail slots (VLANs). The mailroom is connected to the outside world via a single hallway (the trunk link). Now, here is where the trap appears: the hallway has a sign that says "Only letters with a valid apartment number tag may pass." This tag is the 802.1Q VLAN ID in the frame header. If the mailroom forgets to tag a letter (native VLAN mismatch), the letter might end up in the wrong apartment or get lost. Worse, if the hallway is accidentally configured to allow only apartments 1-50 (allowed VLAN list), but someone sends a package to apartment 75, that package never arrives — and no one gets an error message. In exam terms, this is traffic black-holing. Also, if the hallway is set to allow all apartments (VLAN 1 default), but some apartments are actually restricted (VLAN 1 being used for management), a malicious package could sneak through. The apartment building manager (network engineer) must carefully configure which apartments (VLANs) are allowed on the hallway (trunk) and ensure both ends agree on the untagged apartment (native VLAN). Otherwise, tenants complain of missing mail, and the manager gets blamed.
What Are VLANs and Trunks?
A VLAN (Virtual Local Area Network) is a logical grouping of devices that behave as if they are on the same physical LAN segment, regardless of their physical location. VLANs provide segmentation, security, and broadcast containment. In a typical enterprise, you will see VLANs for users (e.g., VLAN 10), servers (VLAN 20), voice (VLAN 30), management (VLAN 99), and so on.
A trunk is a point-to-point link between two switches (or between a switch and a router) that carries traffic for multiple VLANs. Without a trunk, each VLAN would require a separate physical link — an expensive and unscalable solution. Trunks use a tagging protocol to identify which frame belongs to which VLAN. On Cisco switches, the default trunking protocol is 802.1Q (dot1q).
How 802.1Q Trunking Works
When a frame enters a switch port assigned to a specific access VLAN, the switch adds a 4-byte 802.1Q tag between the source MAC address and the EtherType/Length field. This tag contains:
- Tag Protocol Identifier (TPID): 0x8100 (2 bytes)
- Priority Code Point (PCP): 3 bits for CoS (Class of Service)
- Drop Eligible Indicator (DEI): 1 bit
- VLAN ID (VID): 12 bits, allowing 4094 VLANs (1-4094; 0 and 4095 are reserved)
The receiving switch strips the tag and forwards the frame to the appropriate access port. The entire process is transparent to end devices — they never see the tag.
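To make the tag layout concrete, here is an added example (not part of the chapter, and not Cisco code) that builds a constructed Ethernet II frame, inserts the 4-byte 802.1Q tag between the source MAC and the EtherType, parses the TPID/PCP/DEI/VID fields back out, strips the tag again, and reports the wire size with the 4-byte FCS added. The MAC addresses, VLAN 10 and CoS 5 are made up for the demonstration; the FCS is not computed, only counted.

```python
import struct

TPID_8021Q = 0x8100        # Tag Protocol Identifier that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800
FCS_LEN = 4                # frame check sequence: appended on the wire, not built here


def usable_vid(vid: int) -> bool:
    """VID is 12 bits; 0 and 4095 are reserved, so 1-4094 are the usable VLAN IDs."""
    return 1 <= vid <= 4094


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def insert_dot1q_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the source MAC and the EtherType,
    as a switch does when it sends an access-VLAN frame out a trunk port."""
    if not usable_vid(vid):
        raise ValueError(f"VLAN ID {vid} is not usable on a trunk (valid range 1-4094)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid          # Tag Control Information: PCP | DEI | VID
    tag = struct.pack("!HH", TPID_8021Q, tci)      # TPID (2 bytes) + TCI (2 bytes)
    return frame[:12] + tag + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode the header; 0x8100 in the EtherType position means the frame is tagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    tag = None
    next_field = 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        tag = {"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        ethertype = struct.unpack("!H", frame[16:18])[0]   # the real EtherType follows the tag
        next_field = 18
    return {"dst": frame[0:6], "src": frame[6:12], "tag": tag,
            "ethertype": ethertype, "payload": frame[next_field:]}


def strip_dot1q_tag(frame: bytes) -> bytes:
    """Remove the tag, as the receiving switch does before forwarding out an access port."""
    if parse_frame(frame)["tag"] is None:
        return frame
    return frame[:12] + frame[16:]


def wire_size(frame: bytes) -> int:
    """Size on the wire including the FCS: 1518 untagged, 1522 tagged at a 1500-byte payload."""
    return len(frame) + FCS_LEN


# Constructed sample: a maximum-size (1500-byte payload) IPv4 frame placed on VLAN 10 with CoS 5.
DST = bytes.fromhex("0011223344aa")
SRC = bytes.fromhex("0011223344bb")
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, bytes(1500))
TAGGED = insert_dot1q_tag(UNTAGGED, vid=10, pcp=5)

if __name__ == "__main__":
    print(parse_frame(TAGGED)["tag"])
    print("untagged:", wire_size(UNTAGGED), "bytes, tagged:", wire_size(TAGGED), "bytes")
```

Running the script shows the tag decoded as VID 10, PCP 5, DEI 0, and the frame growing from 1518 to 1522 bytes on the wire, which is the figure the exam asks for when it mentions MTU and 802.1Q.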
Native VLAN: The Common Trap
The native VLAN is the VLAN that carries untagged traffic on a trunk. By default, Cisco switches use VLAN 1 as the native VLAN. The key rule: both ends of a trunk must have the same native VLAN. If they differ, the switch will not report an error, but control plane traffic (CDP, VTP, DTP, STP BPDUs) may be misdirected, and user traffic on the native VLAN can leak between VLANs — a serious security issue. On the exam, watch for questions where one switch has native VLAN 1 and the other has native VLAN 99 — traffic on VLAN 1 will be silently dropped or misdelivered.
Allowed VLAN List: The Black Hole Trap
By default, a trunk allows all VLANs (1-4094). However, it is common practice to prune unused VLANs for security and efficiency. The command switchport trunk allowed vlan restricts which VLANs can traverse the trunk. The trap: if you forget to add a new VLAN to the allowed list, traffic for that VLAN will be dropped at the trunk. No error, no log — just a black hole. On the exam, you might see a scenario where a new VLAN is created and assigned to access ports, but ping fails between hosts on that VLAN across a trunk. The solution is to add the VLAN to the allowed list.
DTP (Dynamic Trunking Protocol): The Negotiation Trap
Cisco switches use DTP to automatically negotiate trunking. The modes are:
- dynamic desirable: Actively tries to form a trunk.
- dynamic auto: Will form a trunk if the other side is trunk or dynamic desirable.
- trunk: Puts the port into trunking unconditionally.
- access: Puts the port into access mode (never trunks).
- nonegotiate: Disables DTP frames; useful when connected to non-Cisco devices.
The exam trap: if one side is dynamic auto and the other is dynamic auto, the link will be an access port, not a trunk — because both are passive. Candidates often assume two auto ports will trunk, but they won't. Similarly, dynamic desirable + dynamic desirable works, as does trunk + any dynamic mode.
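The DTP outcomes above, and the allowed-list trap from the previous section, are easy to get wrong from memory, so here is an added model (example code written for this page, not Cisco IOS and not from the chapter) of a switch port's trunk-related settings. `operational_mode` returns what each end would negotiate given the peer, `link_result` combines both ends, `allowed_vlan_command` models the `switchport trunk allowed vlan` keywords, and `black_holed` lists VLANs allowed on only one end. The `SwitchPort` class and function names are this example's own; it applies the list arithmetic literally and does not model the special VLAN 1 handling the chapter describes later.

```python
from dataclasses import dataclass

ALL_VLANS = frozenset(range(1, 4095))   # every usable 802.1Q VLAN ID: the default allowed list
DTP_MODES = ("access", "trunk", "dynamic auto", "dynamic desirable")


@dataclass(frozen=True)
class SwitchPort:
    mode: str                          # 'switchport mode <...>'
    nonegotiate: bool = False          # 'switchport nonegotiate': send no DTP frames
    allowed: frozenset = ALL_VLANS     # 'switchport trunk allowed vlan ...'

    def __post_init__(self):
        if self.mode not in DTP_MODES:
            raise ValueError(f"unknown mode {self.mode!r}")
        if self.nonegotiate and self.mode not in ("access", "trunk"):
            # IOS only accepts 'switchport nonegotiate' on a statically configured access/trunk port
            raise ValueError("nonegotiate requires mode access or trunk")


def sends_dtp(port: SwitchPort) -> bool:
    """Access ports and nonegotiate ports never send DTP frames."""
    return port.mode != "access" and not port.nonegotiate


def operational_mode(local: SwitchPort, peer: SwitchPort) -> str:
    """What 'show interfaces ... switchport' would report as Operational Mode on `local`."""
    if local.mode in ("access", "trunk"):
        return local.mode                          # static modes ignore the peer entirely
    peer_offers = sends_dtp(peer) and peer.mode in ("trunk", "dynamic desirable")
    peer_accepts = sends_dtp(peer) and peer.mode == "dynamic auto"
    if local.mode == "dynamic desirable":          # active: trunks with any peer that talks DTP
        return "trunk" if (peer_offers or peer_accepts) else "access"
    return "trunk" if peer_offers else "access"    # dynamic auto: passive, needs an active offer


def link_result(a: SwitchPort, b: SwitchPort) -> str:
    """'trunk', 'access', or 'mismatch' (one end trunking, the other in access mode)."""
    ma, mb = operational_mode(a, b), operational_mode(b, a)
    return ma if ma == mb else "mismatch"


def allowed_vlan_command(current: frozenset, vlans=(), keyword=None) -> frozenset:
    """Model 'switchport trunk allowed vlan [add|remove|except|all|none] <list>'.
    With no keyword the whole list is REPLACED by <list>: the exam trap."""
    vlans = frozenset(vlans)
    if keyword is None:
        return vlans
    if keyword == "add":
        return current | vlans
    if keyword == "remove":
        return current - vlans
    if keyword == "except":
        return ALL_VLANS - vlans
    if keyword == "all":
        return ALL_VLANS
    if keyword == "none":
        return frozenset()
    raise ValueError(f"unknown keyword {keyword!r}")


def black_holed(a: SwitchPort, b: SwitchPort) -> frozenset:
    """VLANs allowed on exactly one end: their frames are silently dropped at the other."""
    return a.allowed ^ b.allowed


if __name__ == "__main__":
    auto, desirable = SwitchPort("dynamic auto"), SwitchPort("dynamic desirable")
    print("auto + auto:", link_result(auto, auto))              # access
    print("desirable + auto:", link_result(desirable, auto))    # trunk
    print("trunk/nonegotiate + desirable:",
          link_result(SwitchPort("trunk", nonegotiate=True), desirable))   # mismatch
    print("replace trap:", sorted(allowed_vlan_command(ALL_VLANS, [10])))  # [10]
```

The nonegotiate case is worth a look: a static trunk that sends no DTP frames will trunk happily against another static trunk, but a `dynamic desirable` or `dynamic auto` peer never hears an offer and stays in access mode, which the model reports as a mismatch.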
VLAN 1: The Security Trap
VLAN 1 is the default VLAN and the native VLAN by default. Many engineers leave VLAN 1 for management, but this is a security risk because VLAN 1 cannot be removed from a trunk (Cisco IOS prevents it). Attackers can potentially hop VLANs if the native VLAN is not changed. Best practice: change the native VLAN to an unused VLAN (e.g., 999) and prune VLAN 1 from trunks where possible.
Verification Commands
Always verify trunk configuration with:
- show interfaces trunk — shows trunk status, native VLAN, and allowed VLANs.
- show interfaces gigabitethernet 0/1 switchport — detailed port mode and VLAN info.
- show vlan brief — shows VLANs and their assigned access ports.
Example output:

```
Switch# show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       desirable        802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-1005

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30
```

Notice: the native VLAN is 1. If the other side expects native VLAN 99, this is a mismatch.
Interaction with STP
STP runs per VLAN (PVST+ by default on Cisco). A trunk carries BPDUs for each VLAN. If the native VLAN mismatches, STP may not converge correctly, causing loops or blocked ports. Also, if a VLAN is not in the allowed list, STP will not run for that VLAN on that trunk, potentially causing loops if another trunk carries that VLAN.
Summary of Common Exam Traps
- Native VLAN mismatch: silent failure, control plane issues.
- Allowed VLAN list missing the VLAN: traffic black hole.
- DTP mode mismatch: link stays access when trunk is expected.
- VLAN 1 not changed: security risk.
- Forgetting to create the VLAN globally: even if allowed on the trunk, the VLAN must exist in the VLAN database.
Verify trunk status
Use `show interfaces trunk` to see all trunk ports, their mode, encapsulation, status, native VLAN, and allowed VLANs. If a trunk is not listed, the link is not trunking. Check if the port is in access mode or if DTP negotiation failed. For example, if you see no output, the link is likely an access port. Also check `show interfaces gigabitethernet 0/1 switchport` for the operational mode. Look for 'Operational Mode: trunk' to confirm.
Check native VLAN consistency
On both ends of the trunk, run `show interfaces trunk` and compare the native VLAN. They must match. If they differ, configure the correct native VLAN using `switchport trunk native vlan <vlan-id>`. Remember: changing the native VLAN on one side only will break connectivity for the native VLAN traffic. Always change both sides. Also, ensure the native VLAN is not used for user data; use an unused VLAN like 999.
Verify allowed VLAN list
Examine the 'Vlans allowed on trunk' line from `show interfaces trunk`. Ensure the VLAN you need is in the list. If not, add it with `switchport trunk allowed vlan add <vlan-id>`. Be careful: the command `switchport trunk allowed vlan <vlan-id>` without 'add' will replace the entire list with only that VLAN. This is a common exam trap. Always use 'add' unless you intend to prune all others. Also, verify the VLAN exists in the global VLAN database with `show vlan brief`.
Check DTP mode
Use `show interfaces gigabitethernet 0/1 switchport` and look for 'Negotiation of Trunking: On/Off' and 'Trunking Native Mode VLAN'. The 'Administrative Trunking Encapsulation' and 'Operational Trunking Encapsulation' should both be '802.1Q'. If the operational mode is 'access', the DTP negotiation failed. Common causes: one side is `dynamic auto` and the other is `dynamic auto`, or one side has `switchport nonegotiate`. Fix by setting at least one side to `switchport mode trunk` or `dynamic desirable`.
Validate VLAN creation
A VLAN must exist in the switch's VLAN database for traffic to be forwarded. Use `show vlan brief` to list all VLANs and the ports assigned to them. If a VLAN is missing, create it with `vlan <vlan-id>` in global config. Note: VLAN 1 and VLANs 1002-1005 are default and cannot be deleted. Also, some IOS versions require the VLAN to be created before assigning ports to it. If you see 'VLAN is not active' in `show interfaces trunk`, the VLAN likely doesn't exist or is shutdown.
Test connectivity
From a host in the VLAN, ping another host in the same VLAN across the trunk. If it fails, go back and verify each step. Use `show mac address-table vlan <vlan-id>` to see if MAC addresses are learned on the trunk. If the trunk is not forwarding frames for that VLAN, the MAC will not appear. Also, check STP state with `show spanning-tree vlan <vlan-id>`. The trunk port should be in Forwarding state. If it's Blocking, there may be a loop or STP misconfiguration.
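The checks in the steps above are usually done by eye on two terminals. As an added example (written for this page, not Cisco code and not from the chapter), the script below parses `show interfaces trunk` output captured from both ends of a trunk and reports the native VLAN mismatch, the VLANs missing from an allowed list, and the VLANs that are allowed but not active (not created or shut down). Both outputs are constructed: switch A matches the sample earlier in the chapter, and switch B is invented with native VLAN 99 and a pruned allowed list so that every trap shows up. The port name Gi0/1 and the "needed VLANs" set are assumptions of the example.

```python
# Constructed 'show interfaces trunk' output for the two ends of one trunk (Gi0/1 on each side).
SWITCH_A = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       desirable        802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-1005

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30
"""

SWITCH_B = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1,10,20

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20
"""

# Maps the header text of each block of the output to a field name.
SECTIONS = {
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}


def parse_vlan_list(text: str) -> set:
    """'1,10,20-30' -> {1, 10, 20, 21, ..., 30}; 'none' -> empty set."""
    vlans = set()
    if text.strip().lower() == "none":
        return vlans
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_interfaces_trunk(output: str) -> dict:
    """Return {port: {mode, encap, status, native, allowed, active, forwarding}}."""
    ports, section = {}, "status"
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):                  # a header line starts a new block
            section = SECTIONS.get(line[len("Port"):].strip(), "status")
            continue
        fields = line.split()
        port = ports.setdefault(fields[0], {})
        if section == "status":
            port["mode"], port["encap"], port["status"] = fields[1], fields[2], fields[3]
            port["native"] = int(fields[4])
        else:
            port[section] = parse_vlan_list(fields[1])
    return ports


def audit_trunk(local: dict, peer: dict, port: str, needed_vlans: set) -> list:
    """Findings for one trunk, given the parsed output of both ends."""
    a, b = local.get(port), peer.get(port)
    if a is None or b is None:
        return [f"{port}: not listed as a trunk on at least one end (access mode or DTP failed)"]
    findings = []
    if a["native"] != b["native"]:
        findings.append(f"{port}: native VLAN mismatch ({a['native']} vs {b['native']})")
    for v in sorted(needed_vlans):
        for name, p in (("local", a), ("peer", b)):
            if v not in p["allowed"]:
                findings.append(f"{port}: VLAN {v} not in allowed list on {name} end (black hole)")
            elif v not in p["active"]:
                findings.append(f"{port}: VLAN {v} allowed but not active on {name} end (not created or shut down)")
    return findings


if __name__ == "__main__":
    for line in audit_trunk(parse_show_interfaces_trunk(SWITCH_A),
                            parse_show_interfaces_trunk(SWITCH_B), "Gi0/1", {10, 20, 30, 40}):
        print(line)
```

With the constructed inputs the audit reports the native VLAN mismatch (1 vs 99), VLAN 30 missing from the allowed list on switch B, and VLAN 40 allowed on switch A's `1-1005` range but absent from the active list, which is exactly the "create the VLAN globally" trap.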
In a typical enterprise campus network, you might have a distribution switch connected to multiple access switches via trunk links. The access switches serve hundreds of users across several VLANs (e.g., VLAN 10 for HR, VLAN 20 for Engineering, VLAN 30 for Guest Wi-Fi). The network engineer must ensure that only the necessary VLANs are allowed on each trunk to prevent unauthorized access and to conserve bandwidth. For example, the trunk to the HR access switch should only carry VLAN 10, not the Engineering or Guest VLANs. This is done using the switchport trunk allowed vlan 10 command. A common real-world mistake: after adding a new VLAN (e.g., VLAN 40 for IoT devices), the engineer forgets to update the allowed list on the trunk. IoT devices cannot communicate with the server on another floor, and hours are wasted troubleshooting. The fix is simple: add the VLAN to the allowed list.
Another scenario: two data center switches are connected via a trunk. The native VLAN is left as default (VLAN 1), but VLAN 1 is also used for management traffic. An attacker could potentially send frames tagged with VLAN 1 on the native VLAN and cause a VLAN hopping attack. Best practice: change the native VLAN to an unused ID (e.g., 999) and explicitly prune VLAN 1 from the trunk. In production, you might see switchport trunk native vlan 999 and switchport trunk allowed vlan remove 1.
Performance considerations: trunk links are typically high-speed (1G or 10G) and may carry traffic for many VLANs. The switch CPU must process BPDUs for each VLAN (PVST+), so having hundreds of VLANs on a trunk can increase CPU utilization. Cisco recommends using MST (Multiple Spanning Tree) to reduce BPDU overhead. Also, the allowed VLAN list should be as narrow as possible to reduce the number of STP instances.
Misconfiguration consequences: a native VLAN mismatch can cause asymmetric routing and security breaches. For example, if Switch A has native VLAN 1 and Switch B has native VLAN 99, then frames from VLAN 1 on Switch A are sent untagged, but Switch B expects them to be tagged with VLAN 99. Switch B will drop the untagged frames, but control traffic like CDP and STP BPDUs may be mishandled. In one real incident, a misconfigured native VLAN caused a spanning-tree loop that brought down an entire floor for 30 minutes.
The 200-301 exam tests your ability to configure and verify VLANs and trunking under objective 2.1. Expect 3-5 questions on this topic, often in simulation or multiple-choice format. The exam focuses on:
Native VLAN mismatch: You will be given a scenario where pings fail between hosts in the same VLAN across a trunk. The most common wrong answer is 'The VLAN does not exist' or 'The access port is in the wrong VLAN'. The correct answer is 'Native VLAN mismatch' because the hosts are in the same VLAN, so the issue is at the trunk. Another trap: candidates think native VLAN mismatch causes all traffic to fail, but it only affects the native VLAN traffic. If the native VLAN is not used for user data, the user may not notice, but control protocols may break.
Allowed VLAN list: A question might show a trunk configuration with switchport trunk allowed vlan 10,20 and then a new VLAN 30 is added to access ports. The candidate is asked why hosts in VLAN 30 cannot communicate across the trunk. Wrong answers: 'The trunk is down', 'The native VLAN is wrong', 'The hosts have wrong IP'. Correct: 'VLAN 30 is not in the allowed list'. The fix is switchport trunk allowed vlan add 30.
DTP modes: The exam loves to ask: 'Two switches are connected. One has switchport mode dynamic auto, the other has switchport mode dynamic auto. What is the result?' Many candidates think they will trunk, but the correct answer is they will be in access mode because both are passive. Another variant: one side is dynamic desirable, the other is dynamic auto — they will trunk because desirable actively negotiates.
VLAN 1 and security: The exam may ask about the security risk of leaving VLAN 1 as native. The correct answer is that VLAN 1 cannot be removed from a trunk, so it is a vector for VLAN hopping. The solution is to change the native VLAN to an unused VLAN.
Verification commands: Know show interfaces trunk and what each field means. For example, 'Vlans allowed and active in management domain' shows VLANs that exist and are allowed. If a VLAN is not listed there, it is either not created or not allowed.
Decision rule for scenario questions: If hosts in the same VLAN cannot communicate across a trunk, check the trunk status first. If the trunk is up, check native VLAN and allowed list. If the trunk is down, check DTP mode. If the hosts are in different VLANs, the issue is routing, not trunking.
Calculation traps: None directly, but you may need to know that 802.1Q adds 4 bytes to the frame, which can affect MTU. Also, the maximum VLAN ID is 4094 (not 4096).
- Native VLAN must match on both ends of a trunk; the default is VLAN 1.
- The allowed VLAN list controls which VLANs traverse the trunk; use the 'add' keyword when modifying it.
- DTP mode 'dynamic auto' + 'dynamic auto' results in access mode, not a trunk.
- VLAN 1 cannot be removed from a trunk; change the native VLAN to an unused ID for security.
- A VLAN must be created globally before it can be used on a trunk.
- Use 'show interfaces trunk' to verify trunk status, native VLAN, and allowed VLANs.
- The 802.1Q tag adds 4 bytes to the frame; the maximum VLAN ID is 4094.
These come up on the exam all the time. Here's how to tell them apart.
| | 802.1Q Trunk | Access Port |
|---|---|---|
| VLANs carried | Multiple VLANs, identified by tags | A single VLAN (the access VLAN) |
| Tagging | Adds a 4-byte 802.1Q tag to frames | No tagging; frames are plain Ethernet |
| Native VLAN | Carries untagged traffic on the native VLAN | No native VLAN concept |
| Typical use | Between switches, or switch to router | Connecting end devices (PC, printer) |
| Cisco default | 802.1Q is the default trunking protocol | Access is the default port mode |
Mistake
A trunk carries all VLANs by default, and you cannot restrict it.
Correct
By default, a trunk allows all VLANs (1-4094), but you can restrict using 'switchport trunk allowed vlan'.
Candidates think default is all-or-nothing, but Cisco allows pruning for security and efficiency.
Mistake
If one side of a trunk is set to 'dynamic auto', the link will always become a trunk.
Correct
A 'dynamic auto' port will only become a trunk if the other side is 'trunk' or 'dynamic desirable'. Two 'auto' ports result in access mode.
The word 'auto' sounds like it automatically trunks, but it is actually passive.
Mistake
Native VLAN mismatch will cause all traffic on the trunk to fail.
Correct
Only traffic on the native VLAN (and control traffic) is affected. Traffic on other tagged VLANs may still work.
Candidates overgeneralize; they think mismatch breaks everything, but it only breaks untagged traffic.
Mistake
You can remove VLAN 1 from a trunk using 'switchport trunk allowed vlan remove 1'.
Correct
Cisco IOS does not allow removing VLAN 1 from a trunk. The command is accepted but ignored.
VLAN 1 is the default and is considered special; candidates assume all VLANs can be pruned equally.
The default native VLAN is VLAN 1. On a trunk, the native VLAN is the VLAN that carries untagged frames. Both ends of a trunk must have the same native VLAN. Changing the native VLAN to an unused ID (e.g., 999) is a security best practice to prevent VLAN hopping attacks. To change it, use 'switchport trunk native vlan <vlan-id>' on both sides. Exam tip: if you see a question about native VLAN mismatch, the default is always VLAN 1 unless changed.
Use the 'add' keyword: 'switchport trunk allowed vlan add <vlan-id>'. If you omit 'add', the command replaces the entire allowed list with only the specified VLAN, which will break connectivity for other VLANs. For example, 'switchport trunk allowed vlan 10' would remove all other VLANs. Always verify with 'show interfaces trunk' after changes. Exam tip: the 'add' keyword is a frequent trick in simulation questions.
Cisco IOS does not allow removing VLAN 1 from a trunk because VLAN 1 is the default VLAN and is used for control plane traffic (CDP, VTP, STP BPDUs). The command 'switchport trunk allowed vlan remove 1' is accepted but has no effect. To reduce risk, change the native VLAN to an unused ID and avoid using VLAN 1 for user or management traffic. Exam tip: if you see a question about removing VLAN 1, the answer is that it cannot be done.
Both 'dynamic desirable' and 'dynamic auto' allow DTP negotiation, but 'dynamic desirable' actively sends DTP frames to try to form a trunk, while 'dynamic auto' only responds to DTP frames it receives. A link with 'dynamic auto' on both ends will remain an access port because neither side initiates negotiation. 'dynamic desirable' on one side will successfully trunk with 'dynamic auto' or 'trunk' on the other. Exam tip: remember 'auto' is passive, 'desirable' is active.
Yes, a Cisco switch can trunk to a non-Cisco switch if both sides use 802.1Q encapsulation. However, DTP is Cisco proprietary, so the Cisco switch must be configured with 'switchport nonegotiate' to prevent sending DTP frames, and the port must be set to 'switchport mode trunk'. The non-Cisco switch must be configured for 802.1Q trunking. Exam tip: if a question involves a non-Cisco device, expect 'nonegotiate' to be part of the answer.
`show interfaces trunk` displays all trunk ports on the switch, including their mode (e.g., desirable), encapsulation (802.1Q), status (trunking), native VLAN, and the list of VLANs allowed on the trunk. It also shows which VLANs are active and in the spanning-tree forwarding state. This command is essential for troubleshooting trunk issues. Exam tip: memorize the output fields, especially 'Vlans allowed on trunk' and 'Native vlan'.
The 802.1Q tag adds 4 bytes to the Ethernet frame, increasing the maximum frame size from 1518 bytes to 1522 bytes. This matters when the network uses the standard 1500-byte payload MTU: the tagged frame grows to 1522 bytes, which is still within the IEEE 802.3ac limit of 1522 bytes, but some older devices may drop these oversized frames as jumbo frames. Exam tip: you may be asked about the tag size (4 bytes) or the new maximum frame size (1522 bytes).