Trunks & 802.1Q Tagging
How switches carry multiple VLANs over a single link using 802.1Q tags. Includes DTP behavior, native VLAN gotchas, and the allowed-VLAN list.
- A trunk carries multiple VLANs across one link by inserting a 4-byte 802.1Q tag into each frame.
- Native VLAN frames travel untagged. Default is VLAN 1 — never leave this default in production.
- Both ends of a trunk must agree on mode, native VLAN, and allowed VLAN list.
Mental model
An access port is a single-purpose wire — it belongs to exactly one VLAN and frames go through naked (untagged). A trunk is a shared wire — it carries many VLANs by stamping each frame with an “I belong to VLAN N” sticker called the 802.1Q tag.
That stamp is 4 bytes inserted into the Ethernet header. Without it, the receiving switch would have no way to know which VLAN a given frame belongs to.
The 802.1Q tag, byte by byte
+-------------+-------------+-------------+-------------+
| TPID (2) | PCP | DEI | VID (12 bits) |
| 0x8100 | 3b | 1b | 1–4094 |
+-------------+-------------+-------------+-------------+
- TPID — fixed value
0x8100, tells the receiver “this is a tagged frame” - PCP — Priority Code Point, used by QoS (CoS values 0–7)
- DEI — Drop Eligible Indicator (rarely used)
- VID — the VLAN ID itself, 12 bits = values 1 through 4094 (0 and 4095 reserved)
You don’t memorize this byte-by-byte for the exam, but you should remember that the tag is 4 bytes — that’s why an Ethernet frame on a trunk can be up to 1522 bytes instead of the usual 1518.
Commands
Configure a trunk port (both ends)
SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# switchport trunk encapsulation dot1q ! on older switches only
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk native vlan 999
SW1(config-if)# switchport trunk allowed vlan 10,20,30
Mirror exactly on the other end.
Restrict the allowed list (adding/removing VLANs)
! Add VLAN 40 to an existing allowed list
SW1(config-if)# switchport trunk allowed vlan add 40
! Remove VLAN 20
SW1(config-if)# switchport trunk allowed vlan remove 20
! Replace the entire list
SW1(config-if)# switchport trunk allowed vlan 10,30,40
! Allow everything (default)
SW1(config-if)# switchport trunk allowed vlan all
Gotcha: plain switchport trunk allowed vlan 40 REPLACES the list — it does not add. Always use add / remove when modifying an existing trunk.
Verification
SW1# show interfaces trunk
SW1# show interfaces GigabitEthernet0/24 switchport
SW1# show vlan brief
show interfaces trunk is the most useful single command: it confirms which interfaces are trunks, which VLANs they carry, and what the native VLAN is.
Common mistakes
-
Native VLAN mismatch. The biggest CCNA exam trap. If SW1’s native is VLAN 1 and SW2’s native is VLAN 99, CDP/LLDP raises a
%CDP-4-NATIVE_VLAN_MISMATCHand STP behaviour gets weird. Set both sides to the same unused VLAN ID. -
switchport trunk allowed vlan 40instead of... add 40. This silently replaces the whole allowed list. Suddenly VLANs 10, 20, 30 stop crossing the trunk. -
Forgetting to set
switchport mode trunkand relying on DTP. Dynamic Trunking Protocol can auto-negotiate trunks, but it’s a security risk (VLAN-hopping attacks). Always hard-code mode trunk +switchport nonegotiate. -
Mismatched encapsulation. On older switches that support both ISL and 802.1Q, you must explicitly set encapsulation to dot1q. ISL is legacy, never use it in 2026.
-
Putting management traffic on the native VLAN. A misconfigured trunk could leak management frames into a user VLAN. Keep the management VLAN separate from the native VLAN.
Lab to try tonight
- Two switches, three VLANs (10/20/30), three PCs per switch (one per VLAN).
- Configure the inter-switch link as a trunk on both ends. Set native VLAN to 999. Allow VLANs 10, 20, 30 only.
- Confirm PC1-VLAN10 can ping PC4-VLAN10 (same VLAN, across the trunk).
- Verify with
show interfaces trunkthat the allowed list is exactly 10,20,30. - Run
switchport trunk allowed vlan 40on one side. Check what happens to existing inter-VLAN traffic. (Spoiler: it dies.) - Recover with
switchport trunk allowed vlan add 10,20,30to add the lost VLANs back.
Cheat strip
| Concept | Plain English |
|---|---|
| Trunk | A port that carries multiple VLANs by tagging frames with 802.1Q |
| 802.1Q tag | 4 bytes inserted into the Ethernet header; contains the VLAN ID (1–4094) |
| Native VLAN | The one VLAN whose frames travel untagged on a trunk. Set explicitly. |
| Allowed list | Which VLANs may cross this trunk. add/remove to modify safely. |
| DTP | Cisco’s trunk-negotiation protocol. Turn it off in production. |
| Frame size | Tagged frame = 1522 bytes max (1518 + 4 tag). Some old gear chokes on >1518. |
VLANs
Definitive CCNA-level VLAN guide — broadcast domains, access vs trunk ports, 802.1Q tagging, native VLAN, voice VLANs, VTP, VLAN design, the 6-step trunk debug, security pitfalls, and 7 worked exam scenarios.
Cabling & Media Standards
What's actually inside the cables and fiber you're plugging in — Cat5e/6/6A/8, single-mode vs multi-mode fiber, transceivers (SFP/SFP+/QSFP), distance and bandwidth limits, when to use what.
Want this drilled into reflex?
1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNA® exam blueprint. Free first session. No card on file until you decide.
Related topics
EtherChannel (Link Aggregation)
Bundle multiple physical links between two switches into one logical Port-Channel — more bandwidth, instant failover, and STP sees it as a single link. Covers LACP, PAgP, static, and load-balancing methods.
Network AccessSpanning Tree Protocol (STP)
Definitive CCNA-level STP guide — why loops are catastrophic, bridge ID + priority election, three port roles, five port states, BPDU anatomy, PortFast + BPDU Guard + Root Guard + Loop Guard, RSTP convergence, MSTP overview, and 8 worked scenarios.
Network AccessVLANs
Definitive CCNA-level VLAN guide — broadcast domains, access vs trunk ports, 802.1Q tagging, native VLAN, voice VLANs, VTP, VLAN design, the 6-step trunk debug, security pitfalls, and 7 worked exam scenarios.
One topic per email, every fortnight
VLANs, OSPF, ACLs, subnetting, automation — written like this. Unsubscribe in one click.
We respect your inbox. One email per week, max. Unsubscribe any time.