Trunk Port Configuration (802.1Q)

Access ports connect end devices to a single VLAN. But what happens when devices in VLAN 10 on one switch need to communicate with devices in VLAN 10 on another switch? A single cable between the two switches must carry traffic for all VLANs simultaneously — this is exactly what a trunk link does. Using the IEEE 802.1Q standard, the switch inserts a 4-byte VLAN tag into each Ethernet frame so the receiving switch knows which VLAN the traffic belongs to.

This lab covers everything you need to configure, restrict, and verify trunk links on Cisco IOS switches. Before starting, ensure VLANs are already created by completing VLAN Creation and Management and Assigning VLANs to Switch Ports. For VLAN concepts see VLANs and VLAN Tagging 802.1Q. For troubleshooting trunk issues see Troubleshooting Layer 2 VLANs & Trunks.

1. How 802.1Q Trunking Works

When a switch sends a frame out a trunk port, it inserts a VLAN tag into the Ethernet frame header. The receiving switch reads this tag, identifies the VLAN, strips the tag, and forwards the frame to the correct access port.

802.1Q Frame Tag Structure

| Field | Size | Value / Purpose |
|---|---|---|
| TPID (Tag Protocol ID) | 2 bytes | Always 0x8100 — identifies this as an 802.1Q tagged frame |
| PCP (Priority Code Point) | 3 bits | CoS (Class of Service) value for QoS — 0–7, used to prioritize voice/video traffic |
| DEI (Drop Eligible Indicator) | 1 bit | Marks frames eligible to be dropped during congestion |
| VID (VLAN Identifier) | 12 bits | The VLAN ID (1–4094) — tells the receiving switch which VLAN this frame belongs to |

Access Port vs Trunk Port

| Feature | Access Port | Trunk Port |
|---|---|---|
| Connected to | End devices (PC, printer, IP phone) | Other switches, routers, or Layer 3 switches |
| VLANs carried | One data VLAN only | Multiple VLANs simultaneously |
| Frame tagging | Untagged — end device unaware of VLAN | Tagged with 802.1Q headers (except native VLAN) |
| IOS mode command | switchport mode access | switchport mode trunk |

Native VLAN — The Exception

One VLAN on a trunk is designated the native VLAN. Frames belonging to the native VLAN are sent untagged across the trunk. By default this is VLAN 1. The native VLAN must match on both ends of a trunk — a mismatch causes a CDP/STP warning and frames are delivered to the wrong VLAN, creating a subtle and dangerous security hole known as VLAN hopping.

Security best practice: Change the native VLAN from the default VLAN 1 to an unused VLAN (e.g., VLAN 999) on all trunk links. VLAN 1 is the default for all ports and is a common target for VLAN hopping attacks. This is covered in Step 4 of this lab.
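
To make the tag layout and the native VLAN rule concrete, here is an added example (not part of the lab) that inserts, parses and strips an 802.1Q tag on a raw Ethernet frame and assigns an untagged frame to the receiving trunk's native VLAN; the frame bytes and MAC addresses are constructed.

```python
"""Parse and build IEEE 802.1Q tags on raw Ethernet frames (added example, not from the lab).
The 4-byte tag from the frame-tag table sits between the source MAC and the EtherType as
TPID (16 bits) | PCP (3) | DEI (1) | VID (12); an untagged frame received on a trunk is
assigned that trunk's native VLAN."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100   # Tag Protocol Identifier of a single 802.1Q tag
ETH_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)

@dataclass(frozen=True)
class VlanTag:
    pcp: int   # Priority Code Point (CoS), 0-7
    dei: int   # Drop Eligible Indicator, 0 or 1
    vid: int   # VLAN Identifier, 1-4094 (0 = priority tag only, 4095 reserved)

    def to_tci(self) -> int:
        """Pack the fields into the 16-bit Tag Control Information word."""
        if not (0 <= self.pcp <= 7 and self.dei in (0, 1) and 0 <= self.vid <= 4095):
            raise ValueError("802.1Q tag field out of range")
        return (self.pcp << 13) | (self.dei << 12) | self.vid

    @classmethod
    def from_tci(cls, tci: int) -> "VlanTag":
        return cls(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)

def is_tagged(frame: bytes) -> bool:
    """True when the EtherType position holds TPID 0x8100."""
    return len(frame) >= ETH_HDR_LEN and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q

def parse_frame(frame: bytes, native_vlan: int):
    """Return (vlan_id, tag or None, ethertype, payload) for a frame arriving on a trunk.
    Untagged frames land in native_vlan: with a native VLAN mismatch between the two
    ends, the far switch places them in a VLAN the sender never intended."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    if is_tagged(frame):
        if len(frame) < ETH_HDR_LEN + 4:
            raise ValueError("truncated 802.1Q tag")
        tag = VlanTag.from_tci(struct.unpack("!H", frame[14:16])[0])
        return tag.vid, tag, struct.unpack("!H", frame[16:18])[0], frame[18:]
    return native_vlan, None, struct.unpack("!H", frame[12:14])[0], frame[14:]

def tag_frame(frame: bytes, tag: VlanTag) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as an egress trunk port does."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tag.to_tci()) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag before forwarding out an access port (or as native-VLAN traffic)."""
    if is_tagged(frame) and len(frame) >= ETH_HDR_LEN + 4:
        return frame[:12] + frame[16:]
    return frame

# Constructed sample: untagged IPv4 frame with made-up MACs and a 4-byte payload.
SAMPLE_UNTAGGED = bytes.fromhex("001122334455" "66778899aabb" "0800" "deadbeef")

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_UNTAGGED, VlanTag(pcp=5, dei=0, vid=10))
    print(tagged.hex())                                      # ...8100a00a0800deadbeef
    print(parse_frame(tagged, native_vlan=999)[0])           # 10, read from the tag
    print(parse_frame(SAMPLE_UNTAGGED, native_vlan=999)[0])  # 999, untagged -> native VLAN
```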

2. DTP — Dynamic Trunking Protocol

Cisco switches use DTP (Dynamic Trunking Protocol) to automatically negotiate trunk links between Cisco devices. While convenient in labs, DTP should always be disabled in production environments — it can be exploited to cause unauthorized trunk negotiation.

| DTP Mode | Behavior | Forms Trunk With |
|---|---|---|
| dynamic auto | Passively waits — will form trunk if other side initiates | dynamic desirable, trunk |
| dynamic desirable | Actively tries to negotiate a trunk | dynamic auto, dynamic desirable, trunk |
| trunk | Forces trunk mode — does not negotiate | Any mode (always a trunk) |
| access | Forces access mode — never a trunk | Never |
| nonegotiate | Disables DTP entirely — used with trunk mode | N/A — DTP frames not sent |

Two dynamic auto ports facing each other will NOT form a trunk — both are passively waiting. At least one side must be desirable or trunk. This is a common exam scenario.

Lab Scenario

In this lab, NetsTuts_SW1 and NetsTuts_SW2 are connected via GigabitEthernet0/1 on each switch. Both switches have VLANs 10, 20, 30, and 40 created. The trunk link will carry all four VLANs, with VLAN 999 set as the native VLAN.

  [PC-VLAN10]──Fa0/1──[NetsTuts_SW1]──Gi0/1═══Gi0/1──[NetsTuts_SW2]──Fa0/1──[PC-VLAN10]
  [PC-VLAN20]──Fa0/2──[           ]                   [            ]──Fa0/2──[PC-VLAN20]
  [PC-VLAN30]──Fa0/3──[           ]                   [            ]──Fa0/3──[PC-VLAN30]

                        ═══ = 802.1Q Trunk Link (Gi0/1 — Gi0/1)
                            Native VLAN: 999
                            Allowed VLANs: 10, 20, 30, 40
  
| Parameter | Value |
|---|---|
| Trunk interface (both switches) | GigabitEthernet0/1 |
| Encapsulation | 802.1Q (dot1q) |
| Native VLAN | 999 (unused — security hardening) |
| Allowed VLANs | 10, 20, 30, 40 |

3. Step 1 — Configure a Basic Trunk Port

Configure GigabitEthernet0/1 on NetsTuts_SW1 as a trunk port. Repeat the same commands on NetsTuts_SW2.

NetsTuts_SW1 — Trunk Configuration

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_SW1(config)#interface GigabitEthernet0/1
NetsTuts_SW1(config-if)#description Trunk to NetsTuts_SW2
NetsTuts_SW1(config-if)#switchport trunk encapsulation dot1q
NetsTuts_SW1(config-if)#switchport mode trunk
NetsTuts_SW1(config-if)#switchport nonegotiate
NetsTuts_SW1(config-if)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
  
Trunk configured on Gi0/1. switchport nonegotiate disables DTP — the port will not send or respond to DTP negotiation frames.

Command Breakdown

| Command | What It Does | Notes |
|---|---|---|
| description Trunk to NetsTuts_SW2 | Labels the interface for documentation | Best practice — makes the trunk link immediately identifiable |
| switchport trunk encapsulation dot1q | Sets the trunking encapsulation to IEEE 802.1Q | Required on some older Cisco switches that also support ISL. Not needed on most modern Catalyst switches that only support 802.1Q. |
| switchport mode trunk | Forces the port into permanent trunk mode | Does not wait for DTP negotiation — always a trunk |
| switchport nonegotiate | Disables DTP frame transmission | Prevents the port from sending or accepting DTP negotiation — security hardening |

NetsTuts_SW2 — Mirror Configuration

NetsTuts_SW2>en
NetsTuts_SW2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NetsTuts_SW2(config)#interface GigabitEthernet0/1
NetsTuts_SW2(config-if)#description Trunk to NetsTuts_SW1
NetsTuts_SW2(config-if)#switchport trunk encapsulation dot1q
NetsTuts_SW2(config-if)#switchport mode trunk
NetsTuts_SW2(config-if)#switchport nonegotiate
NetsTuts_SW2(config-if)#end
NetsTuts_SW2#wr
Building configuration...
[OK]
NetsTuts_SW2#
  
Both ends of the trunk must be configured. A trunk port facing an unconfigured or access-mode port will not pass VLAN-tagged traffic correctly.

4. Step 2 — Restrict Allowed VLANs

By default, a trunk port carries all VLANs (1–4094). This is inefficient and a security risk — VLANs that have no devices on a particular switch segment should not be carried across that trunk. Restricting allowed VLANs limits traffic to only what is needed.

Set Allowed VLANs to 10, 20, 30, and 40

NetsTuts_SW1(config)#interface GigabitEthernet0/1
NetsTuts_SW1(config-if)#switchport trunk allowed vlan 10,20,30,40
NetsTuts_SW1(config-if)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
  
Only VLANs 10, 20, 30, and 40 are now permitted across this trunk. All other VLANs — including VLAN 1 — are blocked.

Allowed VLAN Command Options

| Command | Result | Use Case |
|---|---|---|
| switchport trunk allowed vlan 10,20,30 | Replaces the allowed list with exactly these VLANs | Setting the list from scratch |
| switchport trunk allowed vlan add 40 | Adds VLAN 40 to the existing allowed list | Adding a new VLAN without disrupting others |
| switchport trunk allowed vlan remove 20 | Removes VLAN 20 from the allowed list | Decommissioning a VLAN from a trunk segment |
| switchport trunk allowed vlan all | Restores the default — all VLANs allowed | Resetting to default (not recommended for production) |
| switchport trunk allowed vlan except 1,999 | Allows all VLANs except the specified ones | Excluding specific VLANs from a trunk |

Common mistake: Using switchport trunk allowed vlan add 40 vs switchport trunk allowed vlan 40. The first adds VLAN 40 to the existing list. The second replaces the entire list with just VLAN 40 — removing all previously allowed VLANs. Always use add when extending an existing list.

5. Step 3 — Set the Native VLAN

Change the native VLAN from the default VLAN 1 to an unused VLAN (999). This must be configured identically on both ends of every trunk link — a mismatch triggers CDP/STP warnings and causes traffic to be misdelivered.

On NetsTuts_SW1

NetsTuts_SW1(config)#interface GigabitEthernet0/1
NetsTuts_SW1(config-if)#switchport trunk native vlan 999
NetsTuts_SW1(config-if)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
  

On NetsTuts_SW2

NetsTuts_SW2(config)#interface GigabitEthernet0/1
NetsTuts_SW2(config-if)#switchport trunk native vlan 999
NetsTuts_SW2(config-if)#end
NetsTuts_SW2#wr
Building configuration...
[OK]
NetsTuts_SW2#
  
Native VLAN 999 set on both ends. VLAN 999 should exist in the VLAN database on both switches but have no access ports assigned — it exists only to serve as the untagged native VLAN on trunk links.

Create VLAN 999 on Both Switches

NetsTuts_SW1(config)#vlan 999
NetsTuts_SW1(config-vlan)#name NATIVE-UNUSED
NetsTuts_SW1(config-vlan)#end
  
Creating VLAN 999 with a descriptive name makes its purpose clear to any engineer reading the configuration. See VLAN Creation Lab.

6. Complete Trunk Configuration (Both Switches)

! ══════════════════════════════════════════════════════════
! NetsTuts Trunk Baseline — NetsTuts_SW1
! ══════════════════════════════════════════════════════════

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Create native VLAN ────────────────────────────────────
NetsTuts_SW1(config)#vlan 999
NetsTuts_SW1(config-vlan)#name NATIVE-UNUSED
NetsTuts_SW1(config-vlan)#exit

! ── Configure trunk port ──────────────────────────────────
NetsTuts_SW1(config)#interface GigabitEthernet0/1
NetsTuts_SW1(config-if)#description Trunk to NetsTuts_SW2
NetsTuts_SW1(config-if)#switchport trunk encapsulation dot1q
NetsTuts_SW1(config-if)#switchport mode trunk
NetsTuts_SW1(config-if)#switchport nonegotiate
NetsTuts_SW1(config-if)#switchport trunk allowed vlan 10,20,30,40
NetsTuts_SW1(config-if)#switchport trunk native vlan 999
NetsTuts_SW1(config-if)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#
  
Apply the same configuration on NetsTuts_SW2 — replace the description with "Trunk to NetsTuts_SW1". Save configuration with write memory.

7. Verification

show interfaces trunk

The primary command for verifying trunk links — shows all active trunks, their encapsulation, native VLAN, and allowed/active VLAN lists:

NetsTuts_SW1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/1       10,20,30,40

Port        Vlans allowed and active in the management domain
Gi0/1       10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20,30,40
  
There are four sections to read in this output; the table below explains what each one means.

show interfaces trunk — Output Explained

| Section | Meaning | What to Check |
|---|---|---|
| Mode: on | Port is statically set to trunk (switchport mode trunk) | Confirm "on" — "desirable" or "auto" means DTP is still active |
| Encapsulation: 802.1q | Using IEEE 802.1Q tagging standard | Should always be 802.1q in modern networks |
| Status: trunking | Trunk is operational | "not-trunking" means the link is not forming a trunk — check both ends |
| Native vlan: 999 | Native VLAN is set to 999 | Must match on both ends — mismatch causes CDP warning and traffic issues |
| Vlans allowed on trunk | VLANs configured in the allowed list | Confirm only required VLANs are listed |
| Vlans allowed and active | VLANs that exist in the VLAN database AND are allowed | A VLAN missing here means it was not created — check show vlan brief |
| Vlans in STP forwarding | VLANs actively forwarding traffic (not blocked by STP) | A VLAN missing here is blocked by STP |

show interfaces GigabitEthernet0/1 switchport

NetsTuts_SW1#show interfaces GigabitEthernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (NATIVE-UNUSED)
Trunking VLANs Enabled: 10,20,30,40
  
"Negotiation of Trunking: Off" confirms switchport nonegotiate is working. Native VLAN shows the name "NATIVE-UNUSED" — confirming VLAN 999 was created and named.

show running-config interface GigabitEthernet0/1

NetsTuts_SW1#show running-config interface GigabitEthernet0/1
!
interface GigabitEthernet0/1
 description Trunk to NetsTuts_SW2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,40
 switchport mode trunk
 switchport nonegotiate
!
  

8. Troubleshooting Trunk Issues

| Problem | Symptom | Cause | Fix |
|---|---|---|---|
| Trunk not forming | show interfaces trunk shows no output for the port | Both sides set to dynamic auto — neither initiates; or one side is access mode | Set at least one side to switchport mode trunk |
| Native VLAN mismatch | CDP warning: %CDP-4-NATIVE_VLAN_MISMATCH | Native VLAN configured differently on each end of the trunk | Set the same native VLAN on both ends with switchport trunk native vlan 999 |
| VLAN traffic not crossing trunk | Devices in same VLAN on different switches cannot ping each other | VLAN not in the allowed list, or VLAN not created on the remote switch | Check show interfaces trunk "allowed and active" section; create the VLAN on both switches |
| VLAN active but not forwarding | VLAN appears in "allowed and active" but not in "STP forwarding" section | STP has blocked this VLAN on the port | Check show spanning-tree vlan [id] — identify root bridge and port roles |
| DTP still active | show interfaces switchport shows "Negotiation of Trunking: On" | switchport nonegotiate not configured | Add switchport nonegotiate under the trunk interface |
| VLAN 1 traffic appearing unexpectedly | Untagged management traffic crossing the trunk | Native VLAN left as default VLAN 1 — untagged frames are associated with VLAN 1 | Change native VLAN to an unused VLAN: switchport trunk native vlan 999 |
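
As an added example that is not part of the lab, the following Python script parses the four sections of show interfaces trunk described in the verification section and applies the checks from the troubleshooting table to every port: DTP still negotiating, native VLAN left at 1, VLANs allowed beyond the baseline, VLANs allowed but not active, and VLANs active but blocked by STP. The sample output is constructed, with Gi0/1 matching the lab trunk and Gi0/2 deliberately left in a weak state.

```python
# Added example (not from the lab): audit 'show interfaces trunk' output against a baseline.
from typing import Dict, List, Set

# Constructed sample output: Gi0/1 is the lab trunk, Gi0/2 shows several problems.
SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      999
Gi0/2       desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20,30,40
Gi0/2       1-4094

Port        Vlans allowed and active in the management domain
Gi0/1       10,20,30,40
Gi0/2       1,10,20,30,40,999

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20,40
Gi0/2       1,10,20,30,40,999
"""

# (storage key, keyword found in that section's "Port ..." header line); order matters.
SECTIONS = (("hdr", "mode"), ("allowed", "allowed on"), ("active", "active"), ("forwarding", ""))

def expand_vlans(spec: str) -> Set[int]:
    """'1,10-12,999' -> {1, 10, 11, 12, 999}; 'none' -> empty set."""
    ranges = [p.partition("-") for p in spec.split(",") if p and p != "none"]
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def parse_show_trunk(text: str) -> Dict[str, dict]:
    """Return {port: {mode, encap, status, native, allowed, active, forwarding}}."""
    ports, section = {}, ""
    for line in text.splitlines():
        if line.startswith("Port"):          # header line tells us which table follows
            section = next(k for k, kw in SECTIONS if kw in line.lower())
        elif section and line.strip():       # data row: "<port> <col2> ..."
            port, *rest = line.split()
            p = ports.setdefault(port, {})
            if section == "hdr":
                p.update(mode=rest[0], encap=rest[1], status=rest[2], native=int(rest[3]))
            else:
                p[section] = expand_vlans(rest[0])
    return ports

def audit_trunks(text: str, expected_allowed: Set[int]) -> Dict[str, List[str]]:
    """Map each trunk port to its findings; an empty list means it meets the baseline."""
    findings: Dict[str, List[str]] = {}
    for port, p in parse_show_trunk(text).items():
        f: List[str] = []
        if p["mode"] != "on":                # desirable/auto means DTP is still negotiating
            f.append(f"mode {p['mode']}: DTP still active, expected 'on'")
        if p["native"] == 1:
            f.append("native VLAN left at default VLAN 1")
        if extra := p["allowed"] - expected_allowed:
            f.append(f"unexpected VLANs allowed, e.g. {sorted(extra)[:5]}")
        if missing := p["allowed"] - p["active"]:   # allowed but absent from VLAN database
            f.append(f"allowed but not active, e.g. {sorted(missing)[:5]}")
        if blocked := p["active"] - p["forwarding"]:
            f.append(f"active but blocked by STP: {sorted(blocked)}")
        findings[port] = f
    return findings

if __name__ == "__main__":
    print(audit_trunks(SHOW_TRUNK, {10, 20, 30, 40}))
```

Paste the real output of show interfaces trunk into SHOW_TRUNK (or read it from a file) and set expected_allowed to the VLAN list your trunk should carry; the ports with empty finding lists are the ones that match the baseline.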

Key Points & Exam Tips

  • A trunk port carries multiple VLANs simultaneously using 802.1Q tagging — a 4-byte tag is inserted into each Ethernet frame identifying its VLAN.
  • The native VLAN is the one VLAN whose traffic is sent untagged across a trunk. It must match on both ends — a mismatch causes CDP/STP warnings and traffic misdelivery.
  • Change the native VLAN from the default VLAN 1 to an unused VLAN (e.g., 999) on all trunk links — this is a security best practice that prevents VLAN hopping attacks.
  • By default a trunk carries all VLANs (1–4094). Always restrict with switchport trunk allowed vlan [list] — only carry VLANs that have devices on both sides of the trunk.
  • Use switchport trunk allowed vlan add [id] to add a VLAN — never just switchport trunk allowed vlan [id] which replaces the entire allowed list.
  • Always disable DTP with switchport nonegotiate on trunk ports in production — DTP negotiation can be exploited to create unauthorized trunks.
  • Two ports both set to dynamic auto will not form a trunk — both are waiting for the other to initiate.
  • show interfaces trunk is the primary verification command — memorize its four output sections: mode/encapsulation/status/native VLAN, allowed VLANs, allowed and active, STP forwarding.
  • A VLAN appearing in "allowed" but not in "allowed and active" means the VLAN was not created on this switch — run show vlan brief to confirm.
  • Trunk links are required for Router-on-a-Stick and Layer 3 Switch inter-VLAN routing — mastering trunk configuration is a prerequisite for both.
  • Multiple trunk links between switches can be bundled using EtherChannel (LACP) for increased bandwidth and redundancy.

Next Steps: With trunk links in place, devices in the same VLAN can now communicate across switches. To route traffic between VLANs, continue to Inter-VLAN Routing — Router-on-a-Stick or Inter-VLAN Routing — Layer 3 Switch (SVI). For loop prevention across trunk links, see Spanning Tree Protocol (STP), Spanning Tree Root Bridge Configuration, and RSTP / Rapid Spanning Tree. For edge port protection on access ports adjacent to trunks, see PortFast & BPDU Guard. For bundling trunk links see EtherChannel LACP Configuration. For troubleshooting trunk issues see Troubleshooting Layer 2 VLANs & Trunks.

TEST WHAT YOU LEARNED

1. Both ends of an inter-switch link are configured with switchport mode dynamic auto. What will happen?

Correct answer is C. dynamic auto is a passive mode — it will form a trunk only if the other side actively initiates. Two dynamic auto ports facing each other both wait indefinitely and no trunk is formed. At least one side must be set to dynamic desirable or switchport mode trunk.

2. An engineer runs switchport trunk allowed vlan 40 on a trunk that already carries VLANs 10, 20, and 30. What is the result?

Correct answer is B. switchport trunk allowed vlan [list] replaces the entire allowed VLAN list. VLANs 10, 20, and 30 are immediately removed from the trunk, causing an outage for those VLANs. To add without disruption, always use switchport trunk allowed vlan add 40.

3. A CDP warning %CDP-4-NATIVE_VLAN_MISMATCH appears on NetsTuts_SW1. What does this indicate and what is the risk?

Correct answer is D. A native VLAN mismatch means the two switches have different VLANs configured as native. Untagged frames sent by SW1's native VLAN will arrive at SW2 and be placed into SW2's (different) native VLAN. This causes traffic misdelivery and is a known security vulnerability called VLAN hopping. Fix by setting the same native VLAN on both ends.

4. In the show interfaces trunk output, VLAN 30 appears in "Vlans allowed on trunk" but is missing from "Vlans allowed and active in the management domain". What is the cause?

Correct answer is A. "Vlans allowed and active" shows only VLANs that are both in the allowed list AND exist in the local VLAN database. If VLAN 30 is allowed but not created, it will not appear as active. Fix by running vlan 30 in global configuration mode. Verify with show vlan brief.

5. Why is it a security best practice to change the native VLAN from the default VLAN 1 to an unused VLAN such as 999?

Correct answer is C. Since all switch ports default to VLAN 1, a device connected to any unconfigured port is in VLAN 1. If VLAN 1 is also the native VLAN on trunk links, untagged frames from that device can traverse the trunk and reach the other switch's native VLAN — a VLAN hopping attack. Using an unused VLAN as native eliminates this attack surface.

6. What does switchport nonegotiate do and why should it be applied to trunk ports in production?

Correct answer is B. DTP frames can be sent by an attacker to negotiate a trunk link from a device connected to an access port, gaining access to all VLANs on the switch. switchport nonegotiate stops the switch from sending or responding to DTP frames entirely, preventing this attack. It should be applied to all trunk ports alongside switchport mode trunk.

7. A trunk is operational between SW1 and SW2. Devices in VLAN 20 on SW1 cannot ping devices in VLAN 20 on SW2. show interfaces trunk on SW1 shows VLAN 20 in the "allowed" section but not in "allowed and active". What should the engineer check on SW2?

Correct answer is D. When a VLAN appears in "allowed" but not "allowed and active", it means the VLAN does not exist in the local VLAN database. Since SW1 shows this for VLAN 20, VLAN 20 was likely not created on SW1. The same issue may exist on SW2. Run show vlan brief on both switches and create any missing VLANs.

8. An engineer needs to add VLAN 50 to an existing trunk that currently allows VLANs 10, 20, 30, and 40, without disrupting the existing VLANs. Which command is correct?

Correct answer is A. switchport trunk allowed vlan add 50 appends VLAN 50 to the existing list without modifying what is already there. Option B also works but requires knowing the full current list and retyping it — risky in production. Option D replaces the entire list with just VLAN 50, causing an outage for VLANs 10–40.

9. show interfaces trunk shows a port with Status: "not-trunking". The port is configured with switchport mode trunk. What is the most likely cause?

Correct answer is C. "not-trunking" with switchport mode trunk configured means the trunk is not operational. The most common causes are the far-end port is set to access mode (rejecting trunk frames), or the physical link itself is down. Check show interfaces GigabitEthernet0/1 for link status and verify the far-end configuration with show interfaces switchport on the remote switch.

10. What is the purpose of the switchport trunk encapsulation dot1q command, and on what type of switch is it required?

Correct answer is B. On older Cisco switches (such as some Catalyst 3550/3560 models) that support both 802.1Q and the proprietary ISL encapsulation, you must specify which one to use before setting trunk mode. On modern Cisco switches that only support 802.1Q, this command is not needed and may not even be available — switchport mode trunk is sufficient.