This chapter covers 802.1Q trunking configuration, a critical skill for the Network+ N10-009 exam under Objective 2.1 (Network Implementation). Trunking allows multiple VLANs to traverse a single link between switches, and misconfiguration is a common source of network issues. Expect 3–5% of exam questions to touch on trunking concepts, configuration commands, and troubleshooting scenarios. Mastering this topic ensures you can implement VLAN segmentation in real-world switched networks.
Imagine an apartment building with 200 units, each belonging to a different owner. The building has a single main entrance with a large mailbox bank. Each resident has their own mailbox, and the mail carrier sorts all incoming mail by apartment number before placing it in the correct slot. When a resident sends a letter, they drop it in the outgoing slot with their apartment number written on it, and the carrier knows exactly which mailbox it came from.
Now, consider a trunk link between two switches. The trunk is like the main hallway that carries traffic for multiple VLANs. Each frame must be tagged with its VLAN ID — just like each letter has an apartment number. Without the tag, the switch at the other end wouldn't know which VLAN the frame belongs to, just as the mail carrier wouldn't know which mailbox to put an untagged letter into.
The 802.1Q standard defines a 4-byte tag inserted into the Ethernet frame. This tag contains a 12-bit VLAN ID (0–4095), which is like the apartment number. The native VLAN is special: it's like the building's lobby mail slot — frames on the native VLAN are sent untagged, because both switches agree that any untagged frame belongs to that VLAN. This saves tag overhead for traffic that doesn't need it.
If you misconfigure the native VLAN on one end, it's like the mail carrier and residents disagreeing on which mailbox is for which apartment — letters get lost or delivered to the wrong place. That's why both ends of a trunk must match native VLAN assignments exactly.
What is 802.1Q Trunking?
802.1Q is the IEEE standard for VLAN tagging on Ethernet networks. A trunk link is a point-to-point link between two switches (or a switch and a router) that carries traffic for multiple VLANs. Without trunking, each VLAN would require a separate physical link, which is impractical. 802.1Q solves this by inserting a 4-byte tag into the Ethernet frame header, identifying the VLAN to which the frame belongs.
Why Trunking Exists
In a switched network, VLANs logically segment broadcast domains. Hosts in different VLANs cannot communicate directly without a Layer 3 device (router or Layer 3 switch). However, traffic from multiple VLANs often needs to traverse the same physical cable between switches. Trunking allows that single cable to carry frames from many VLANs simultaneously, each tagged with its VLAN ID. This reduces cabling costs and simplifies network design.
How 802.1Q Tagging Works
When a switch forwards a frame from a host in VLAN 10 to another switch via a trunk port, it inserts a 4-byte tag between the source MAC address and the EtherType/Length field. The tag contains:
- Tag Protocol Identifier (TPID): 2 bytes, fixed value 0x8100, indicating the frame is 802.1Q-tagged.
- Tag Control Information (TCI): 2 bytes, further divided into:
  - Priority Code Point (PCP): 3 bits for Class of Service (0–7).
  - Drop Eligible Indicator (DEI): 1 bit for congestion management.
  - VLAN ID (VID): 12 bits, identifying the VLAN (0–4095). VLANs 0 and 4095 are reserved; usable VLANs are 1–4094.
After insertion, the switch recalculates the Frame Check Sequence (FCS). The receiving switch strips the tag and forwards the frame to the appropriate VLAN.
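To make the tag layout concrete, here is an added Python example (not part of the original chapter) that builds the 4-byte tag from its TPID/PCP/DEI/VID fields, inserts it where a trunk port would (after the source MAC, skipping native-VLAN frames), and parses it back the way the receiving switch classifies frames. The sample frame is constructed; FCS recalculation is not modelled.

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol Identifier that marks an 802.1Q tag

def build_tag(vid, pcp=0, dei=0):
    """Return the 4-byte 802.1Q tag: 16-bit TPID, then the 16-bit TCI
    (3-bit PCP, 1-bit DEI, 12-bit VID)."""
    if not 1 <= vid <= 4094:           # VIDs 0 and 4095 are reserved
        raise ValueError("VLAN ID must be 1-4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    return struct.pack("!HH", TPID_8021Q, tci)

def tag_frame(frame, vid, native_vlan, pcp=0):
    """Egress on a trunk port: insert the tag between the source MAC
    (bytes 6-11) and the EtherType. Native-VLAN frames stay untagged."""
    if vid == native_vlan:
        return frame
    return frame[:12] + build_tag(vid, pcp) + frame[12:]

def parse_frame(frame, native_vlan):
    """Ingress on a trunk port: walk every stacked 802.1Q tag.
    'tags' lists the VIDs outermost first (empty if untagged); 'vlan' is the
    VLAN the switch assigns: the outer tag, or the native VLAN if untagged."""
    offset, vids = 12, []
    while (offset + 4 <= len(frame)
           and struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q):
        tci, = struct.unpack("!H", frame[offset + 2:offset + 4])
        vids.append(tci & 0xFFF)
        offset += 4
    ethertype, = struct.unpack("!H", frame[offset:offset + 2])
    return {"tags": vids, "vlan": vids[0] if vids else native_vlan,
            "ethertype": ethertype, "payload": frame[offset + 2:]}

def is_double_tagged(frame):
    """True when more than one tag is stacked; a frame like this arriving
    from an end host is the double-tagging pattern covered later in the chapter."""
    return len(parse_frame(frame, native_vlan=1)["tags"]) > 1

# Constructed sample frame: dst MAC, src MAC, EtherType IPv4, short payload.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", 0x0800) + b"payload")

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, 10, native_vlan=99)
    print(tagged[12:16].hex(), parse_frame(tagged, 99))
```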
Native VLAN Concept
The native VLAN is a special VLAN on a trunk port. Frames belonging to the native VLAN are sent untagged over the trunk. Both ends of the trunk must agree on the native VLAN ID; otherwise, frames will be misclassified. By default, Cisco switches use VLAN 1 as the native VLAN. The exam tests that mismatched native VLANs cause connectivity issues and potential security risks (VLAN hopping).
Allowed VLAN List
A trunk port can be configured to allow only specific VLANs. By default, all VLANs (1–4094) are allowed. Restricting allowed VLANs improves security and reduces unnecessary broadcast traffic. The command switchport trunk allowed vlan controls this.
Dynamic Trunking Protocol (DTP)
DTP is a Cisco proprietary protocol that negotiates trunking between two switches. It can set a port to dynamic desirable, dynamic auto, trunk, or access mode. DTP is not covered in depth on N10-009, but you should know that it exists and that relying on DTP can cause trunking failures if mismatched. For exam purposes, assume manually configured trunks (no DTP) are best practice.
Configuration Syntax (Cisco IOS)
To configure a trunk port on a Cisco switch:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 10,20,30
switchport mode trunk forces the port into trunking mode unconditionally.
switchport trunk native vlan 99 changes the native VLAN from default 1 to 99.
switchport trunk allowed vlan 10,20,30 restricts the trunk to only VLANs 10, 20, 30.
To verify trunk configuration:
Switch# show interfaces trunk
Switch# show interfaces gigabitethernet0/1 switchport
show interfaces trunk displays all trunk ports, their mode, encapsulation, native VLAN, and allowed VLAN list. show interfaces switchport shows detailed port information including administrative and operational mode.
Interaction with Other Technologies
VLAN Trunking Protocol (VTP): Cisco proprietary; propagates VLAN database across switches. Not on N10-009, but be aware it exists.
Spanning Tree Protocol (STP): Operates per VLAN (PVST+) on Cisco switches. Trunk ports carry BPDUs for each VLAN. Misconfiguration can cause loops.
Router-on-a-Stick: A router with a single trunk link to a switch, using subinterfaces (e.g., interface gigabitethernet0/0.10) to route between VLANs. The router must have 802.1Q encapsulation enabled.
Common Pitfalls
Native VLAN mismatch: Both ends must use the same native VLAN. If mismatched, frames from the native VLAN on one switch are received as tagged on the other, causing them to be dropped or misrouted.
Allowed VLAN mismatch: If one end allows VLAN 10 but the other does not, VLAN 10 traffic is dropped.
Trunk mode mismatch: One end configured as trunk, the other as access, causes the link to fail to trunk.
Encapsulation mismatch: 802.1Q is the only encapsulation on modern switches; older switches may support ISL (Cisco proprietary), which is not compatible.
Frame Size Consideration
Adding a 4-byte tag increases the frame size beyond the standard 1518 bytes to 1522 bytes. Most modern switches and NICs support jumbo frames, but older equipment may drop tagged frames. This is rarely an issue in modern networks.
Security Implications
VLAN Hopping: An attacker can exploit misconfigured native VLANs to send traffic to other VLANs. Mitigation: change the native VLAN to an unused VLAN, disable DTP, and set all unused ports to access mode.
Double Tagging: An attacker can send a frame with two 802.1Q tags. The first tag is stripped by the first switch, revealing the second tag that may belong to a different VLAN. Mitigation: ensure native VLAN is not used for user traffic.
Summary of Key Values
Tag size: 4 bytes
TPID: 0x8100
VLAN ID range: 1–4094 (0 and 4095 reserved)
Default native VLAN: 1 (Cisco)
Default allowed VLANs: all (1–4094)
Maximum frame size with tag: 1522 bytes
Plan VLAN and trunk topology
Determine which VLANs need to traverse each trunk link. Assign VLAN IDs (e.g., 10 for Sales, 20 for Engineering). Choose a native VLAN that is not used for user traffic (e.g., 99 or 999) to reduce security risks. Document the allowed VLAN list per trunk. This planning phase prevents misconfiguration later.
Access switch CLI and enter global config
Connect to the switch via console or SSH. Enter privileged EXEC mode with `enable`. Then enter global configuration mode with `configure terminal`. On the exam, you may be given a scenario where you must choose the correct commands from a list.
Select the interface and set trunk mode
Use `interface gigabitethernet0/1` (or similar) to enter interface configuration mode. Then issue `switchport mode trunk` to force the port into trunking unconditionally. On the exam, remember that `switchport mode dynamic desirable` or `dynamic auto` rely on DTP negotiation and are not recommended.
Configure native VLAN on both ends
Set the native VLAN to a non-default, unused VLAN using `switchport trunk native vlan 99`. Repeat on the neighboring switch. A mismatch causes frames to be dropped or misdirected. The exam often tests that both ends must match exactly.
Restrict allowed VLANs for security
Use `switchport trunk allowed vlan 10,20,30` to limit the trunk to only necessary VLANs. To add a VLAN without removing existing ones, use `switchport trunk allowed vlan add 40`. To remove, use `switchport trunk allowed vlan remove 10`. The exam expects you to know the difference between `add`, `remove`, and `all` keywords.
Verify trunk configuration
Use `show interfaces trunk` and `show interfaces gigabitethernet0/1 switchport` to confirm the port is trunking, the native VLAN is correct, and the allowed VLAN list matches expectations. Check the operational mode (should be 'trunk') and encapsulation (should be '802.1q').
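The procedure above and the Common Pitfalls section can be exercised offline with this added Python model (not Cisco code and not part of the original chapter). It applies the page's subset of interface commands to a hypothetical SwitchPort object, implements the replace/add/remove/all semantics of switchport trunk allowed vlan, and then compares both ends of a link for the mode, native VLAN and allowed-list mismatches described above. The "access" starting mode and Cisco defaults (native VLAN 1, all VLANs allowed) are assumptions.

```python
ALL_VLANS = frozenset(range(1, 4095))     # usable VLAN IDs (0 and 4095 reserved)

def parse_vlan_list(text):
    """Parse an IOS VLAN list such as '10,20,30' or '10-12,20' into a set."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans

class SwitchPort:
    """Hypothetical model of one port's trunk-related state (Cisco defaults)."""
    def __init__(self, name):
        self.name = name
        self.mode = "access"                 # assumed starting mode
        self.native_vlan = 1                 # Cisco default native VLAN
        self.allowed = set(ALL_VLANS)        # default: all VLANs allowed

    def apply(self, line):
        """Apply one interface-level IOS command from this page's subset."""
        w = line.split()
        if w[:3] == ["switchport", "mode", "trunk"]:
            self.mode = "trunk"
        elif w[:3] == ["switchport", "mode", "access"]:
            self.mode = "access"
        elif w[:4] == ["switchport", "trunk", "native", "vlan"]:
            self.native_vlan = int(w[4])
        elif w[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            if w[4] == "add":                # extends the existing list
                self.allowed |= parse_vlan_list(w[5])
            elif w[4] == "remove":           # prunes from the existing list
                self.allowed -= parse_vlan_list(w[5])
            elif w[4] == "all":              # back to the default
                self.allowed = set(ALL_VLANS)
            else:                            # no keyword: REPLACES the list
                self.allowed = parse_vlan_list(w[4])
        else:
            raise ValueError("command not modelled: " + line)

def check_trunk(a, b):
    """Compare both ends of one link and return mismatch findings
    (the Common Pitfalls); an empty list means the trunk is consistent."""
    findings = []
    if a.mode != "trunk" or b.mode != "trunk":
        findings.append("trunk mode mismatch: %s=%s, %s=%s"
                        % (a.name, a.mode, b.name, b.mode))
    if a.native_vlan != b.native_vlan:
        findings.append("native VLAN mismatch: %d vs %d"
                        % (a.native_vlan, b.native_vlan))
    elif a.native_vlan == 1:
        findings.append("native VLAN left at default 1; move it to an unused VLAN")
    dropped = sorted(a.allowed ^ b.allowed)  # allowed on one end only
    if dropped:
        findings.append("allowed VLAN mismatch, traffic dropped for: %s"
                        % dropped[:10])
    return findings
```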
Enterprise Deployment Scenarios
1. Campus Network with Multiple Access Switches
A university campus has 50 access switches distributed across buildings, each connecting to a distribution switch in the main data center. Each access switch supports multiple VLANs for faculty, students, and guests. The uplink from each access switch to the distribution switch is a trunk carrying 5–10 VLANs. The native VLAN is set to 999 (unused) to prevent VLAN hopping. Allowed VLAN lists are restricted per switch to only the VLANs needed in that building. Misconfiguration here (e.g., forgetting to allow a VLAN on one side) causes complete loss of connectivity for that VLAN in that building.
2. Data Center with Virtual Servers
A data center uses trunk ports to connect hypervisors to top-of-rack switches. Each hypervisor runs multiple virtual machines in different VLANs. The trunk must carry all relevant VLANs (often 50+). The native VLAN is set to a dedicated management VLAN (e.g., VLAN 5) that carries untagged traffic for hypervisor management interfaces. Performance considerations: trunk links often use Link Aggregation (LACP) to combine multiple physical links into one logical trunk, increasing bandwidth and redundancy.
3. Router-on-a-Stick for Inter-VLAN Routing
A small business uses a single router with a trunk link to a switch. The router has subinterfaces (e.g., Gi0/0.10, Gi0/0.20) each configured with encapsulation dot1Q 10 and an IP address in the respective VLAN. The switch port connected to the router is configured as a trunk. A common mistake is forgetting to enable encapsulation dot1Q on the router subinterface, causing the router to drop tagged frames.
What Goes Wrong When Misconfigured?
Native VLAN mismatch: The two switches interpret untagged frames differently. One switch may tag frames with the native VLAN ID, causing the other to see them as tagged and potentially dropping them. This results in intermittent connectivity for devices in the native VLAN.
Allowed VLAN mismatch: A VLAN allowed on one end but not the other causes frames to be dropped silently. This is hard to troubleshoot because the link appears up, but traffic for that VLAN never passes.
Trunk mode mismatch: One side set to trunk, the other to access. The access side expects untagged frames only; tagged frames are dropped. The link may show as up/up but no traffic flows.
In production, always configure both ends manually, use a dedicated native VLAN, and restrict allowed VLANs. Document all trunk configurations and verify with show interfaces trunk after changes.
N10-009 Exam Focus: 802.1Q Trunking Configuration
Objective Code: 2.1 (Network Implementation) – specifically, 'Configure and verify VLANs and trunking.'
What the Exam Tests:
The ability to identify correct trunk configuration commands (Cisco IOS syntax).
Understanding of native VLAN concept and its security implications.
Knowledge of allowed VLAN lists and how to modify them.
Troubleshooting scenarios where trunking fails due to mismatch.
Top 3 Wrong Answers and Why Candidates Choose Them:
1. 'Set native VLAN to VLAN 1' – Candidates think default is safe. Reality: VLAN 1 is the default, but best practice is to change it to an unused VLAN to prevent VLAN hopping. The exam expects you to know that native VLAN should be changed.
2. 'Use switchport mode dynamic desirable on both ends' – Candidates remember DTP exists and think it's fine. Reality: Dynamic modes rely on negotiation; if one end is set to access, trunking fails. Manual trunk mode is more reliable and is what the exam tests.
3. 'Add VLANs with switchport trunk allowed vlan 10,20,30 without knowing it replaces the list' – Candidates think the command adds VLANs. Reality: The syntax without add replaces the entire allowed list. To add, you must use switchport trunk allowed vlan add 10,20,30. The exam loves to test this nuance.
Specific Numbers and Values:
Tag size: 4 bytes (TPID 0x8100).
VLAN ID range: 1–4094 (0 and 4095 reserved).
Default native VLAN: 1 (Cisco).
Maximum frame size with tag: 1522 bytes.
Commands: switchport mode trunk, switchport trunk native vlan, switchport trunk allowed vlan.
Verification: show interfaces trunk, show interfaces switchport.
Edge Cases and Exceptions:
Trunking between a switch and a router (router-on-a-stick) requires the router subinterface to have encapsulation dot1Q.
If a trunk port is used to connect to a host (e.g., server with VLAN tagging), the host must support 802.1Q and the switch port must be in trunk mode.
Some switches support switchport trunk encapsulation dot1q if they also support ISL (older models). Modern switches only use 802.1Q.
How to Eliminate Wrong Answers:
If a question involves 'native VLAN mismatch,' the symptom is that devices in the native VLAN lose connectivity, but other VLANs work fine.
If a question asks for 'best practice,' choose the option that changes native VLAN away from 1 and manually sets trunk mode.
If a question lists a command with allowed vlan without add, assume it replaces the list unless the context says otherwise.
Remember that DTP is not required; manual trunk is more secure and predictable.
802.1Q adds a 4-byte tag (TPID 0x8100) to Ethernet frames, with a 12-bit VLAN ID (1–4094).
The native VLAN on a trunk is sent untagged; both ends must match the native VLAN ID.
Default native VLAN on Cisco switches is VLAN 1; change it to an unused VLAN for security.
Use 'switchport mode trunk' to manually enable trunking; avoid DTP for reliability.
Use 'switchport trunk allowed vlan' with 'add' or 'remove' to modify the allowed VLAN list without replacing it.
Verify trunk status with 'show interfaces trunk' and 'show interfaces switchport'.
Misconfigured native VLAN or allowed VLAN mismatch causes traffic loss for affected VLANs.
Router-on-a-stick requires subinterface encapsulation dot1Q on the router.
These come up on the exam all the time. Here's how to tell them apart.
Access Port
Belongs to a single VLAN.
Sends and receives untagged frames only.
Used to connect end devices (PCs, printers).
Configuration: 'switchport mode access' and 'switchport access vlan 10'.
No native VLAN concept; all frames are in the assigned VLAN.
Trunk Port
Carries multiple VLANs over one link.
Sends tagged frames for non-native VLANs, untagged for native VLAN.
Used to connect switches, routers, or servers with VLAN support.
Configuration: 'switchport mode trunk' and optional 'switchport trunk native vlan' and 'switchport trunk allowed vlan'.
Native VLAN is a key concept; must match on both ends.
Mistake
802.1Q tags are added to all frames on a trunk, including the native VLAN.
Correct
Frames on the native VLAN are sent untagged. Only non-native VLAN frames receive the 4-byte tag. This is a fundamental 802.1Q rule.
Mistake
The native VLAN must be VLAN 1.
Correct
VLAN 1 is the default native VLAN on Cisco switches, but it can (and should) be changed to any unused VLAN for security reasons.
Mistake
The command 'switchport trunk allowed vlan 10,20' adds VLANs 10 and 20 to the existing allowed list.
Correct
This command replaces the allowed list with only VLANs 10 and 20. To add without removing existing VLANs, use 'switchport trunk allowed vlan add 10,20'.
Mistake
Both ends of a trunk must be configured with the same allowed VLAN list.
Correct
While best practice dictates matching lists for full connectivity, technically each end can have a different list. Traffic for a VLAN not allowed on the receiving end will be dropped. The exam often tests that mismatched allowed lists cause traffic loss.
Mistake
DTP is required for trunking to work.
Correct
DTP is optional. Manually configuring 'switchport mode trunk' on both ends eliminates the need for DTP and is more reliable. DTP can even be a security risk if left enabled on access ports.
An access port belongs to a single VLAN and sends untagged frames. It connects end devices like PCs. A trunk port carries multiple VLANs and tags frames with VLAN IDs (except for the native VLAN). Trunk ports connect switches, routers, or servers. On the exam, remember that access ports are for hosts, trunk ports for infrastructure links.
VLAN 1 is the default native VLAN, but using it poses a security risk known as VLAN hopping. An attacker can send double-tagged frames to access other VLANs. By changing the native VLAN to an unused VLAN, you reduce this risk. The exam expects best practice: set native VLAN to an unused ID (e.g., 999).
When native VLANs differ, both switches send untagged frames expecting them to be in their own native VLAN. The receiving switch may tag the frame with its native VLAN ID and forward it to the wrong VLAN, or drop it. This causes connectivity issues for devices in the native VLAN. Always ensure both ends match.
Use the command 'switchport trunk allowed vlan add <vlan-id>'. For example, 'switchport trunk allowed vlan add 30' adds VLAN 30 to the existing list. Without 'add', the command replaces the list. The exam often tests this distinction.
Use 'show interfaces trunk' to see all trunk ports, their mode, encapsulation, native VLAN, and allowed VLANs. Use 'show interfaces <interface> switchport' for detailed port information. These are essential for troubleshooting trunk issues.
Yes, if the server NIC supports 802.1Q tagging and the server OS is configured to handle tagged frames (e.g., using VLAN interfaces in Linux or Windows). The switch port must be in trunk mode. This is common in virtualized environments where the hypervisor manages multiple VLANs.
Standard Ethernet MTU is 1500 bytes, with a maximum frame size of 1518 bytes (including header and FCS). Adding the 4-byte 802.1Q tag increases the maximum to 1522 bytes. Most modern switches support this without issue, but older equipment may drop frames larger than 1518 bytes.