Imagine a switchport that only carries one VLAN — that's an access port. Now imagine needing to carry traffic for multiple VLANs over a single link between two switches. That's where 802.1Q trunking comes in. This lab is directly tied to CCNA 200-301 exam objective 2.1 (Configure and verify VLANs and trunking), and in real networks, trunk links are the backbone of every multi-VLAN switched network. Mastering this lab means you can build a scalable Layer 2 infrastructure.
Think of a single Ethernet cable as a two-lane road connecting two towns (switches). Each town has several neighborhoods (VLANs). Without trunking, you would need a separate road for each neighborhood — expensive and wasteful. 802.1Q trunking is like adding lane markers (VLAN tags) to each car (Ethernet frame). When a car leaves a neighborhood, the town puts a colored flag (802.1Q tag) on it. The flag tells the other town which neighborhood the car belongs to. The road itself doesn't care about neighborhoods; it just moves cars. Similarly, the trunk link doesn't care about VLANs; it just moves tagged frames. The tagging happens at each end.

The standard 802.1Q tag is 4 bytes inserted into the Ethernet frame after the source MAC address. It contains a 12-bit VLAN ID (0-4095, but 0 and 4095 are reserved, leaving 1-4094 usable). The tag also includes a 3-bit Priority Code Point (PCP) for QoS.

The native VLAN is the exception: frames on the native VLAN are sent untagged, like cars without a flag. Both ends must agree on which VLAN is native, or the frames will be misinterpreted. Cisco switches default to VLAN 1 as the native VLAN, but best practice is to change it to an unused VLAN. In the CCNA exam, you must know that the native VLAN must match on both ends, or a spanning-tree error will occur (VLAN mismatch).
What is 802.1Q Trunking?
802.1Q is the IEEE standard for VLAN tagging on Ethernet trunk links. It allows multiple VLANs to traverse a single physical link by inserting a 4-byte tag into the Ethernet frame. The tag contains a 12-bit VLAN ID (VID), supporting up to 4094 VLANs (1-4094). Trunking is essential for interconnecting switches, routers, and firewalls in a VLAN-aware network.
How 802.1Q Works – Frame Walkthrough
When a switch receives a frame on an access port in VLAN 10, it must forward that frame out a trunk port to another switch. Before sending the frame out the trunk, the switch inserts the 802.1Q tag between the Source MAC Address and the EtherType/Length fields. The original Ethernet frame's FCS (Frame Check Sequence) is recalculated to include the tag. The receiving switch strips the tag and forwards the frame to the appropriate VLAN. This process is transparent to end devices, as they never see the tag.
Native VLAN – The Untagged Exception
The native VLAN is a special VLAN on a trunk. Frames belonging to the native VLAN are sent untagged on the trunk. This allows legacy devices that don't understand 802.1Q to connect to a trunk port. Both ends of the trunk must agree on the native VLAN; otherwise, a VLAN mismatch error occurs, and spanning tree will block the port (errdisable). Cisco switches default the native VLAN to VLAN 1. For security, best practice is to change it to an unused VLAN (e.g., VLAN 999).
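The tag insertion, FCS recalculation and native-VLAN behavior described above, as an added Python model that is not part of the original lab: `trunk_egress` plays the sending switch, `trunk_ingress` the receiving one, and `native_mismatch` shows what happens when the two ends disagree on the native VLAN. The sample frame, its MAC addresses and all function names are constructed for this example.

```python
import struct
import zlib

TPID = 0x8100  # Tag Protocol Identifier that marks an 802.1Q tagged frame


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def trunk_egress(frame: bytes, vid: int, native_vid: int, pcp: int = 0) -> bytes:
    """Frame as the switch sends it out a trunk when it belongs to VLAN vid."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094; 0 and 4095 are reserved")
    if vid == native_vid:
        return frame                      # native VLAN leaves untagged and unchanged
    body = frame[:-4]                     # drop the old FCS
    tci = (pcp << 13) | vid               # 3-bit PCP, 1-bit DEI (0), 12-bit VID
    tagged = body[:12] + struct.pack("!HH", TPID, tci) + body[12:]  # tag after src MAC
    return tagged + fcs(tagged)           # FCS recalculated over the tagged frame


def trunk_ingress(frame: bytes, native_vid: int):
    """Receiving end: returns (vid, frame as forwarded into that VLAN, tag removed)."""
    body = frame[:-4]
    if frame[-4:] != fcs(body):
        raise ValueError("FCS error: frame corrupted in transit")
    if struct.unpack("!H", body[12:14])[0] != TPID:
        return native_vid, frame          # untagged frames are assumed to be native VLAN
    tci = struct.unpack("!H", body[14:16])[0]
    stripped = body[:12] + body[16:]      # remove the 4-byte tag
    return tci & 0x0FFF, stripped + fcs(stripped)


def native_mismatch(frame: bytes, vid: int, sender_native: int, receiver_native: int) -> int:
    """VLAN the receiver assigns when the two ends disagree on the native VLAN."""
    return trunk_ingress(trunk_egress(frame, vid, sender_native), receiver_native)[0]


# Constructed sample: a broadcast ARP frame from a made-up source MAC, 46-byte payload.
SAMPLE = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455"),
                     0x0806, b"\x00" * 46)
```

With the sender on native VLAN 999 and the receiver still on the default VLAN 1, `native_mismatch(SAMPLE, 999, 999, 1)` returns 1: the untagged frame lands in the wrong VLAN, which is exactly the misinterpretation the section warns about.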
Allowed VLAN List – Controlling Traffic
By default, a trunk carries all VLANs (1-4094). You can restrict which VLANs are allowed with the `switchport trunk allowed vlan` command. This matters for security and for keeping unnecessary broadcast traffic off the link. The allowed list is configured per trunk interface. Note that VLAN 1 is in the allowed list by default and stays there unless you explicitly remove it from the list.
Dynamic Trunking Protocol (DTP) – Cisco’s Automation
DTP is a Cisco proprietary protocol that negotiates trunking between two switches. It operates in several modes: Dynamic Auto, Dynamic Desirable, Trunk, and Access. DTP frames are sent every 30 seconds. For the CCNA exam, you must know that:
- Dynamic Auto: Will become a trunk only if the other side is set to Trunk or Dynamic Desirable.
- Dynamic Desirable: Actively tries to form a trunk.
- Trunk: Forces the port to be a trunk (sends DTP frames).
- Access: Forces the port to be an access port (no trunking).
Cisco recommends disabling DTP on trunk ports by using switchport nonegotiate to prevent misconfigurations and security risks.
Configuration Commands – IOS CLI
To configure a trunk port on a Cisco switch:

```
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport nonegotiate
```

Note: On newer switches (e.g., Catalyst 2960-X, 3650, 3850), the encapsulation is always 802.1Q and the `switchport trunk encapsulation dot1q` command is not available. On older switches (e.g., 2950, 3560), you must set the encapsulation before setting the mode.
Verification Commands

```
Switch# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/1       10,20,30

Port        Vlans allowed and active in management domain
Gi0/1       10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20,30
```

```
Switch# show interfaces gigabitethernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (Inactive)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
...
```

Interaction with Related Protocols
Spanning Tree Protocol (STP): STP runs per VLAN on trunk links. Each VLAN has its own spanning tree instance (PVST+). The trunk port may be blocked in one VLAN but forwarding in another.
VLAN Trunking Protocol (VTP): VTP propagates VLAN information across trunk links. VTP is not on the CCNA 200-301 exam, but you should be aware that it exists.
EtherChannel: Trunks can be bundled into an EtherChannel for increased bandwidth and redundancy. All ports in the channel must have the same trunk configuration (native VLAN, allowed VLANs).
Common Misconfigurations and Troubleshooting
Native VLAN mismatch: If native VLANs differ, STP will detect a misconfiguration and place the port in errdisable state. Use show interfaces trunk to check.
Allowed VLAN mismatch: If one side allows VLAN 10 but the other does not, VLAN 10 traffic will be dropped.
DTP mismatch: If one side is set to Dynamic Auto and the other to Access, no trunk forms. Use show interfaces trunk to verify operational mode.
Encapsulation mismatch: On older switches, if one side uses ISL and the other uses 802.1Q, the trunk will not come up. Modern switches only support 802.1Q.
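An added Python checker, not part of the lab, that applies the four misconfigurations above together with the DTP mode combinations from the DTP section to both ends of one link and reports what a practitioner would see. `TrunkSide` and `check_trunk` are this example's own names; the effect of `switchport nonegotiate` on a dynamic neighbor is modeled from the lab's description that it stops DTP frames.

```python
from dataclasses import dataclass

# Unordered pairs of DTP modes that negotiate a trunk, per the DTP mode descriptions.
TRUNK_PAIRS = {
    frozenset({"trunk"}),
    frozenset({"trunk", "dynamic desirable"}),
    frozenset({"trunk", "dynamic auto"}),
    frozenset({"dynamic desirable"}),
    frozenset({"dynamic desirable", "dynamic auto"}),
}


@dataclass(frozen=True)
class TrunkSide:
    """Switchport settings on one end of the link that decide whether it trunks."""
    mode: str                              # trunk, dynamic desirable, dynamic auto, access
    native: int = 1                        # Cisco default native VLAN
    encapsulation: str = "dot1q"           # "isl" only exists on older switches
    nonegotiate: bool = False              # switchport nonegotiate configured
    allowed: frozenset = frozenset(range(1, 4095))  # default: all VLANs


def check_trunk(a: TrunkSide, b: TrunkSide):
    """Return (trunk_forms, findings) for the two ends of one link."""
    findings = []
    modes = frozenset({a.mode, b.mode})
    if modes not in TRUNK_PAIRS:
        findings.append(f"no trunk from DTP modes {a.mode} / {b.mode}")
    elif (a.nonegotiate or b.nonegotiate) and modes != frozenset({"trunk"}):
        # Without DTP frames a dynamic neighbor never learns to trunk; it stays access.
        findings.append("DTP disabled on one side: the dynamic side stays in access mode")
    if a.encapsulation != b.encapsulation:
        findings.append(f"encapsulation mismatch: {a.encapsulation} / {b.encapsulation}")
    if findings:
        return False, findings             # link never trunks; later checks are moot
    if a.native != b.native:
        findings.append(f"native VLAN mismatch ({a.native} vs {b.native}): port goes errdisable")
    one_sided = a.allowed ^ b.allowed      # allowed on exactly one end
    if one_sided:
        findings.append("VLANs allowed on one side only, traffic dropped: "
                        + ",".join(map(str, sorted(one_sided))))
    return True, findings
```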
Verify current switchport mode
Before configuring trunking, check the current interface status. Use `show interfaces gigabitethernet 0/1 switchport` to see the administrative mode. The output will show 'Administrative Mode: dynamic auto' or 'static access'. This tells you the current state. Also check the operational mode: if it's 'down', the link might be down or the interface is not connected. Note the native VLAN (default is 1) and the allowed VLAN list (default is all). This baseline helps you confirm changes later.
Enter interface configuration mode
Use `configure terminal` then `interface gigabitethernet 0/1` to enter the interface configuration mode for the port you want to trunk. On a real switch, you would use the correct interface identifier (e.g., GigabitEthernet0/1, FastEthernet0/24). For the CCNA exam, you might see interface names like 'G0/1' or 'Fa0/1'. Always verify the interface number with `show ip interface brief` or `show interfaces status`.
Set encapsulation to 802.1Q (if required)
On older switches (e.g., Catalyst 2950, 3560), you must explicitly set the encapsulation with `switchport trunk encapsulation dot1q`. On modern switches (e.g., 2960-X, 3650, 3850), only 802.1Q is supported and this command is not available. If you try to enter it, the switch will reject it. For the exam, know that if the switch supports both ISL and 802.1Q, you must set encapsulation before mode. The default encapsulation is usually 'negotiate', which can cause issues.
Set the port to trunk mode
Use `switchport mode trunk` to force the port into trunking mode. The port then trunks unconditionally, regardless of the neighbor's DTP mode. Alternatively, you could use `switchport mode dynamic desirable` to allow DTP negotiation, but for a lab, a static trunk is simpler and more predictable. Note that `switchport mode trunk` still sends DTP frames by default; to disable DTP, add `switchport nonegotiate`.
Configure native VLAN and allowed VLANs
Change the native VLAN from default VLAN 1 to an unused VLAN (e.g., VLAN 999) with `switchport trunk native vlan 999`. Then restrict allowed VLANs with `switchport trunk allowed vlan 10,20,30`. To add a VLAN to the existing list, use `switchport trunk allowed vlan add 40`. To remove, use `switchport trunk allowed vlan remove 40`. The allowed list is saved in running-config. Verify with `show interfaces trunk`.
Disable DTP negotiation
For security and stability, disable DTP with `switchport nonegotiate`. This stops the interface from sending or responding to DTP frames. Without this, a misconfigured access port could accidentally form a trunk. After applying, verify with `show interfaces gigabitethernet 0/1 switchport` and look for 'Negotiation of Trunking: Off'. This is a best practice in production networks.
Verify trunk configuration
Use `show interfaces trunk` to see a summary of all trunk ports. Check that the mode is 'on', encapsulation is '802.1q', status is 'trunking', and native VLAN is 999 (or your configured value). Also verify the allowed VLAN list. Then use `show interfaces gigabitethernet 0/1 switchport` to see detailed information. Finally, test connectivity by pinging between devices in the same VLAN across the trunk. If pings fail, check for native VLAN mismatch or STP blocking.
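The allowed-list semantics from the "Configure native VLAN and allowed VLANs" step (a bare list replaces the whole list, `add` and `remove` edit it), as an added Python model that is not part of the lab. It also handles the `all`, `none` and `except` keywords that IOS accepts on this command but the lab does not cover, and `format_vlan_list` reproduces the compressed range notation that `show interfaces trunk` prints. Function names are this example's own.

```python
ALL_VLANS = frozenset(range(1, 4095))   # the default allowed list: every usable VLAN ID


def parse_vlan_list(word: str) -> set:
    """Parse IOS VLAN list syntax such as '10,20,30-40' into a set of VLAN IDs."""
    vlans = set()
    for part in word.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range {part!r}: IDs must be 1-4094")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans) -> str:
    """Render a set the way show interfaces trunk prints it, e.g. '1-4094' or '10,20,30'."""
    nums, out, i = sorted(vlans), [], 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1                        # extend the run of consecutive IDs
        out.append(str(nums[i]) if i == j else f"{nums[i]}-{nums[j]}")
        i = j + 1
    return ",".join(out) or "none"


def apply_allowed_vlan(current: set, args: str) -> set:
    """Apply the arguments of 'switchport trunk allowed vlan <args>' to the current set."""
    keyword, _, word = args.strip().partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(word)
    if keyword == "remove":
        return current - parse_vlan_list(word)
    if keyword == "except":
        return set(ALL_VLANS - parse_vlan_list(word))
    return parse_vlan_list(keyword)       # a bare list REPLACES the whole list (exam trap)


def run_config(lines) -> str:
    """Start from the default (all VLANs), apply each command's arguments, return the list as shown."""
    allowed = set(ALL_VLANS)
    for args in lines:
        allowed = apply_allowed_vlan(allowed, args)
    return format_vlan_list(allowed)
```

`run_config(["10,20,30", "40"])` returns `"40"`, not `"10,20,30,40"`: the second command replaced the list, which is the mistake `add 40` avoids.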
In a typical enterprise campus network, trunk links connect access switches to distribution switches, and distribution switches to core switches. For example, a building with 50 access switches each serving multiple VLANs (e.g., VLAN 10 for staff, VLAN 20 for students, VLAN 30 for printers) will have a trunk from each access switch to the distribution switch. The distribution switch then trunks to the core. This allows all VLANs to be available everywhere without needing separate cables.
A common problem is the native VLAN mismatch. In one real scenario, a network engineer configured the native VLAN as 100 on one end but forgot to change it on the other. The result was that STP detected the mismatch and placed the port into errdisable state, causing an outage for all VLANs on that link. The fix was to correct the native VLAN and re-enable the port. The lesson: always double-check native VLAN consistency.
Another scenario: a security-conscious organization restricts allowed VLANs on trunk links to only those that are necessary. For instance, a trunk to a server farm might only allow VLAN 50 (servers) and VLAN 60 (management), blocking all others. This prevents unauthorized VLAN hopping and reduces broadcast traffic. Misconfiguration here can cause a VLAN to be unreachable; the symptom is that devices in that VLAN cannot communicate across the trunk. The troubleshooting step is to check show interfaces trunk and verify the allowed list.
Performance considerations: trunk links can carry multiple VLANs, but the bandwidth is shared. If one VLAN generates excessive broadcast traffic, it can impact other VLANs. Using storm-control and proper VLAN design mitigates this. Also, trunk links should be configured with EtherChannel for redundancy and increased throughput. The CCNA exam expects you to know that all ports in an EtherChannel must have identical trunk configurations.
CCNA 200-301 exam objective 2.1 specifically covers 'Configure and verify VLANs and trunking'. For trunking, you will be tested on:
The difference between access and trunk ports.
The 802.1Q tag structure (4 bytes, 12-bit VLAN ID).
Native VLAN concept and default (VLAN 1).
DTP modes and which combinations form a trunk.
Commands: switchport mode trunk, switchport trunk native vlan, switchport trunk allowed vlan.
Verification: show interfaces trunk, show interfaces switchport.
Common wrong answers:
1. 'ISL is the default encapsulation on Cisco switches.' WRONG: Modern Cisco switches only support 802.1Q. ISL is legacy and not in the exam.
2. 'The native VLAN must be the same on both ends, but if it's not, the trunk still works for other VLANs.' WRONG: A native VLAN mismatch causes STP to block the port (errdisable).
3. 'DTP is required for trunking.' WRONG: DTP is optional; you can statically configure trunking without DTP.
4. 'You can have multiple native VLANs on a trunk.' WRONG: There is only one native VLAN per trunk.
Exam traps:
- The phrase 'switchport trunk allowed vlan 10,20' replaces the existing list. To add, use 'add' keyword.
- The command switchport trunk encapsulation dot1q is only needed on older switches; newer switches reject it.
- The native VLAN is sent untagged, but the switch still processes it as a VLAN; it is not 'native' in the sense of being special beyond tagging.
Decision rule: If a question asks why two switches are not trunking, first check DTP mode combinations (auto/desirable/trunk/access). If DTP is off, check encapsulation and native VLAN. Use show interfaces trunk to see the operational state.
802.1Q inserts a 4-byte tag with a 12-bit VLAN ID (1-4094).
Native VLAN is sent untagged; default is VLAN 1; must match on both ends.
DTP modes: Dynamic Auto, Dynamic Desirable, Trunk, Access.
To form a trunk, at least one side must be Trunk or Dynamic Desirable.
Use `switchport mode trunk` for static trunk; add `switchport nonegotiate` to disable DTP.
Verify with `show interfaces trunk` and `show interfaces switchport`.
Allowed VLAN list controls which VLANs traverse the trunk; use `switchport trunk allowed vlan`.
A native VLAN mismatch causes STP errdisable; check with `show interfaces trunk`.
On modern switches, only 802.1Q is supported; no encapsulation command needed.
Trunk links can be bundled into EtherChannel for redundancy.
These come up on the exam all the time. Here's how to tell them apart.
| | Access Port | Trunk Port |
|---|---|---|
| VLANs | Belongs to a single VLAN. | Carries multiple VLANs. |
| Tagging | Sends frames untagged. | Sends frames tagged (except native VLAN). |
| Connects | End devices (PCs, printers). | Switches, routers, firewalls. |
| Configuration | Default mode on Cisco switch ports. | Requires explicit configuration (or DTP). |
| DTP | No DTP negotiation (by default). | Can use DTP for negotiation. |
Mistake
ISL is still commonly used on Cisco switches.
Correct
ISL is a legacy Cisco proprietary protocol. Modern Cisco switches (e.g., Catalyst 2960-X, 3650, 3850) only support 802.1Q. The CCNA 200-301 exam only covers 802.1Q.
Candidates remember older study materials that included ISL, but Cisco has phased it out.
Mistake
DTP must be enabled for a trunk to work.
Correct
DTP is optional. You can statically configure a trunk with `switchport mode trunk` without DTP. DTP only negotiates trunking automatically.
Candidates confuse DTP as a requirement rather than an optional protocol.
Mistake
A native VLAN mismatch only affects the native VLAN itself.
Correct
A native VLAN mismatch causes STP to detect a configuration error and place the port into errdisable state, blocking all traffic on that trunk.
Candidates think the error is isolated to one VLAN, but STP treats it as a severe misconfiguration.
Mistake
The command 'switchport trunk allowed vlan add' is used to specify the initial allowed VLAN list.
Correct
The command `switchport trunk allowed vlan` without 'add' replaces the entire list. To add to an existing list, you must use the 'add' keyword.
Candidates misunderstand the syntax and think 'add' is always required, but it is only for appending.
802.1Q is an IEEE standard that inserts a 4-byte tag into the Ethernet frame, modifying the FCS. It supports up to 4094 VLANs and includes a native VLAN concept where untagged frames belong to the native VLAN. ISL is a Cisco proprietary protocol that encapsulates the entire frame with a 26-byte header and 4-byte trailer, not modifying the original frame. ISL does not have a native VLAN. Modern Cisco switches only support 802.1Q, and the CCNA exam only covers 802.1Q.
No, a port cannot be both trunk and access simultaneously. However, you can configure a port as a trunk and then restrict the allowed VLANs to a single VLAN, effectively making it behave like an access port, but it will still send tagged frames (unless it's the native VLAN). For a true access port, use `switchport mode access`.
By default, the native VLAN is VLAN 1. If you don't change it, VLAN 1 frames will be sent untagged. It is recommended to change the native VLAN to an unused VLAN for security reasons, to prevent VLAN hopping attacks.
Use `show interfaces trunk` and look for the 'Native vlan' column. Alternatively, `show interfaces gigabitethernet 0/1 switchport` shows 'Trunking Native Mode VLAN'. Both commands display the native VLAN number.
DTP (Dynamic Trunking Protocol) is a Cisco proprietary protocol that negotiates trunking between switches. It can be a security risk because an attacker could potentially negotiate a trunk and gain access to multiple VLANs. Best practice is to disable DTP on trunk ports using `switchport nonegotiate` and on access ports using `switchport mode access`.
Common causes include a native VLAN mismatch, a port-channel misconfiguration, or a spanning-tree BPDU guard violation. For native VLAN mismatch, check with `show interfaces trunk` and ensure both ends have the same native VLAN. Use `show interfaces status` to see the port state. To recover, fix the configuration and use `shutdown` / `no shutdown` on the interface.
The allowed VLAN list controls which VLANs are permitted on a trunk. By default, all VLANs are allowed. To restrict, use `switchport trunk allowed vlan {vlan-list}`. To add a VLAN to the existing list, use `switchport trunk allowed vlan add {vlan-id}`. To remove, use `switchport trunk allowed vlan remove {vlan-id}`. The list is stored in the running configuration.
You've just covered Lab: Configure 802.1Q Trunk — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.