Network Access · Foundational

Trunks & 802.1Q Tagging

How switches carry multiple VLANs over a single link using 802.1Q tags. Includes DTP behavior, native VLAN gotchas, and the allowed-VLAN list.

TL;DR
  • A trunk carries multiple VLANs across one link by inserting a 4-byte 802.1Q tag into each frame.
  • Native VLAN frames travel untagged. Default is VLAN 1 — never leave this default in production.
  • Both ends of a trunk must agree on mode, native VLAN, and allowed VLAN list.
[Figure: SW1 and SW2 joined by one 802.1Q trunk. Allowed VLANs: 10, 20, 30; native VLAN: 999 (untagged). One link, many VLANs: each frame carries a 4-byte 802.1Q tag identifying its VLAN. Frame layout: DST | SRC | 802.1Q | type | payload, where the 802.1Q field is the inserted VLAN tag.]
A single inter-switch link carrying VLANs 10, 20, and 30. The 4-byte 802.1Q tag is the only thing that tells the receiving switch which VLAN each frame belongs to.

Mental model

An access port is a single-purpose wire — it belongs to exactly one VLAN and frames go through naked (untagged). A trunk is a shared wire — it carries many VLANs by stamping each frame with an “I belong to VLAN N” sticker called the 802.1Q tag.

That stamp is 4 bytes inserted into the Ethernet header. Without it, the receiving switch would have no way to know which VLAN a given frame belongs to.

The 802.1Q tag, byte by byte

+-------------+-------------+-------------+-------------+
|   TPID (2)  |  PCP | DEI  |     VID (12 bits)         |
|   0x8100    |  3b  |  1b  |     1–4094                |
+-------------+-------------+-------------+-------------+
  • TPID — fixed value 0x8100, tells the receiver “this is a tagged frame”
  • PCP — Priority Code Point, used by QoS (CoS values 0–7)
  • DEI — Drop Eligible Indicator (rarely used)
  • VID — the VLAN ID itself, 12 bits = values 1 through 4094 (0 and 4095 reserved)

You don’t memorize this byte-by-byte for the exam, but you should remember that the tag is 4 bytes — that’s why an Ethernet frame on a trunk can be up to 1522 bytes instead of the usual 1518.
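To see the tag layout above in working code, here is an added example (not part of the original page) that inserts and decodes a 4-byte 802.1Q tag and shows the 1518 to 1522 byte growth. The MAC addresses and payload are constructed, and the trailing four zero bytes stand in for the FCS a real NIC would compute.

```python
import struct

TPID_8021Q = 0x8100        # tells the receiver "this is a tagged frame"
ETHERTYPE_IPV4 = 0x0800

def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the SRC address and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits (0-7), DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid      # Tag Control Information
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_frame(frame: bytes) -> dict:
    """Decode the tag if present; an untagged frame reports vid=None."""
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return {"tagged": False, "vid": None, "ethertype": ethertype}
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {
        "tagged": True,
        "pcp": tci >> 13,            # top 3 bits
        "dei": (tci >> 12) & 1,      # next 1 bit
        "vid": tci & 0x0FFF,         # low 12 bits
        "ethertype": inner_type,     # original EtherType now sits after the tag
    }

def max_size_frame(vid=None) -> bytes:
    """Constructed sample: a maximum-size Ethernet frame (1500-byte payload).
    MAC addresses and payload are made up; the 4 trailing zero bytes stand in
    for the FCS a real NIC would compute."""
    dst = bytes.fromhex("0011223344aa")
    src = bytes.fromhex("0011223344bb")
    frame = dst + src + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * 1500
    if vid is not None:
        frame = tag_frame(frame, vid)
    return frame + b"\x00\x00\x00\x00"   # placeholder FCS

if __name__ == "__main__":
    print(len(max_size_frame()), len(max_size_frame(vid=10)))   # 1518 1522
    print(parse_frame(max_size_frame(vid=10)))
```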

Commands

Configure a trunk port (both ends)

SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# switchport trunk encapsulation dot1q   ! on older switches only
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk native vlan 999
SW1(config-if)# switchport trunk allowed vlan 10,20,30

Mirror exactly on the other end.

Restrict the allowed list (adding/removing VLANs)

! Add VLAN 40 to an existing allowed list
SW1(config-if)# switchport trunk allowed vlan add 40

! Remove VLAN 20
SW1(config-if)# switchport trunk allowed vlan remove 20

! Replace the entire list
SW1(config-if)# switchport trunk allowed vlan 10,30,40

! Allow everything (default)
SW1(config-if)# switchport trunk allowed vlan all

Gotcha: plain switchport trunk allowed vlan 40 REPLACES the list — it does not add. Always use add / remove when modifying an existing trunk.

Verification

SW1# show interfaces trunk
SW1# show interfaces GigabitEthernet0/24 switchport
SW1# show vlan brief

show interfaces trunk is the most useful single command: it confirms which interfaces are trunks, which VLANs they carry, and what the native VLAN is.

Common mistakes

  1. Native VLAN mismatch. The biggest CCNA exam trap. If SW1’s native VLAN is 1 and SW2’s is 99, CDP/LLDP logs %CDP-4-NATIVE_VLAN_MISMATCH and spanning-tree behaviour becomes unpredictable. Set both sides to the same unused VLAN ID.

  2. switchport trunk allowed vlan 40 instead of ... add 40. This silently replaces the whole allowed list. Suddenly VLANs 10, 20, 30 stop crossing the trunk.

  3. Forgetting to set switchport mode trunk and relying on DTP. Dynamic Trunking Protocol can auto-negotiate trunks, but it’s a security risk (VLAN-hopping attacks). Always hard-code mode trunk + switchport nonegotiate.

  4. Mismatched encapsulation. On older switches that support both ISL and 802.1Q, you must explicitly set encapsulation to dot1q. ISL is legacy, never use it in 2026.

  5. Putting management traffic on the native VLAN. A misconfigured trunk could leak management frames into a user VLAN. Keep the management VLAN separate from the native VLAN.

Lab to try tonight

  1. Two switches, three VLANs (10/20/30), three PCs per switch (one per VLAN).
  2. Configure the inter-switch link as a trunk on both ends. Set native VLAN to 999. Allow VLANs 10, 20, 30 only.
  3. Confirm PC1-VLAN10 can ping PC4-VLAN10 (same VLAN, across the trunk).
  4. Verify with show interfaces trunk that the allowed list is exactly 10,20,30.
  5. Run switchport trunk allowed vlan 40 on one side. Check what happens to the existing VLAN 10/20/30 traffic across the trunk. (Spoiler: it dies.)
  6. Recover with switchport trunk allowed vlan add 10,20,30 to add the lost VLANs back.
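The allowed-list gotcha from the Commands section, the native VLAN mismatch from Common mistakes, and lab steps 5 and 6 can all be reproduced in one small model. This is an added example, not code from the page or from any Cisco product: TrunkPort is a hypothetical simplification (no DTP, no tagging of the native VLAN) and the method names mirror the IOS commands they stand for.

```python
ALL_VLANS = frozenset(range(1, 4095))

def parse_vlan_list(spec: str) -> frozenset:
    """Parse an IOS-style VLAN list: '10,20,30', '10-15,40', 'all' or 'none'."""
    spec = spec.strip().lower()
    if spec == "all":
        return ALL_VLANS
    if spec == "none":
        return frozenset()
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part!r}")
        vids.update(range(lo, hi + 1))
    return frozenset(vids)

class TrunkPort:
    """Hypothetical model of one end of an 802.1Q trunk: native VLAN + allowed list."""
    def __init__(self, native_vlan: int = 1, allowed: str = "all"):
        self.native_vlan = native_vlan
        self.allowed = parse_vlan_list(allowed)

    def allowed_vlan(self, spec):         # switchport trunk allowed vlan <list>
        self.allowed = parse_vlan_list(spec)        # REPLACES the whole list
    def allowed_vlan_add(self, spec):     # switchport trunk allowed vlan add <list>
        self.allowed |= parse_vlan_list(spec)
    def allowed_vlan_remove(self, spec):  # switchport trunk allowed vlan remove <list>
        self.allowed -= parse_vlan_list(spec)

    def egress(self, vid: int):
        """On-wire form of a frame leaving from VLAN vid: None = untagged
        (native VLAN), an int = tagged with that VID, 'DROP' if not allowed."""
        if vid not in self.allowed:
            return "DROP"
        return None if vid == self.native_vlan else vid

    def ingress(self, wire_tag):
        """VLAN a received frame lands in (None on the wire = untagged = native)."""
        vid = self.native_vlan if wire_tag is None else wire_tag
        return vid if vid in self.allowed else "DROP"

def send_across(tx: TrunkPort, rx: TrunkPort, vid: int):
    """VLAN in which a frame from VLAN vid on switch tx arrives on switch rx."""
    wire = tx.egress(vid)
    return "DROP" if wire == "DROP" else rx.ingress(wire)
```

Two mismatched natives (1 on one side, 99 on the other) make send_across return 99 for a frame sent in VLAN 1, which is exactly the cross-VLAN leak the native-VLAN warnings above are about.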

Cheat strip

Concept      | Plain English
-------------+------------------------------------------------------------------------
Trunk        | A port that carries multiple VLANs by tagging frames with 802.1Q
802.1Q tag   | 4 bytes inserted into the Ethernet header; contains the VLAN ID (1–4094)
Native VLAN  | The one VLAN whose frames travel untagged on a trunk. Set explicitly.
Allowed list | Which VLANs may cross this trunk. Use add/remove to modify safely.
DTP          | Cisco’s trunk-negotiation protocol. Turn it off in production.
Frame size   | Tagged frame = 1522 bytes max (1518 + 4 tag). Some old gear chokes on >1518.