A trunk port is a switch port configured to carry traffic for multiple VLANs across a single physical link between network devices. Trunks use tagging (most commonly 802.1Q) so the receiving device can identify which VLAN each frame belongs to.
Why Use Trunk Ports?
- VLAN Communication: Trunk ports enable devices (switches, routers, firewalls) to carry traffic for all VLANs without needing separate physical links for each VLAN.
- Efficient Bandwidth Use: Consolidate traffic from multiple VLANs over one link, reducing cabling and port usage.
Trunk Port Configuration
Access Mode vs. Trunk Mode
- By default, switch ports are in access mode and belong to a single VLAN.
- To enable trunking, change the port mode to trunk so it can carry multiple VLANs.
802.1Q Encapsulation
Trunking Protocols: ISL vs. 802.1Q
When a frame traverses a trunk link, it must be "tagged" so the receiving switch knows which VLAN it belongs to. There are two main protocols for this:
1. ISL (Inter-Switch Link)
- Type: Cisco Proprietary (Legacy).
- Method: Encapsulates the entire original Ethernet frame with a new header (26 bytes) and trailer (4 bytes).
- Overhead: High (30 bytes total).
- Native VLAN: Does not support Native VLANs; all frames are tagged.
- Status: Deprecated and not supported on most modern Cisco hardware.
2. IEEE 802.1Q (Dot1q)
- Type: Industry Standard (IEEE).
- Method: Inserts a 4-byte tag inside the original Ethernet header.
- Overhead: Low (4 bytes).
- Native VLAN: Supports Native VLANs. Frames belonging to the Native VLAN are untagged.
- Status: The standard protocol used in modern networks.
On Cisco IOS, 802.1Q is selected on a trunk interface with:
switchport trunk encapsulation dot1q
Deep Dive: Native VLAN
The Native VLAN is a unique concept in 802.1Q trunking. While all other VLANs are tagged to identify them, traffic for the Native VLAN is sent across the trunk untagged.
Key Characteristics:
- Untagged Traffic: Any frame arriving at a trunk port without a tag is assumed to belong to the Native VLAN.
- Default Setting: On Cisco switches, the default Native VLAN is VLAN 1.
- Compatibility: It allows switches to communicate with devices that don't understand VLAN tags (like old hubs or unmanaged switches).
Security & Best Practices
Native VLAN Mismatch: If Switch A uses VLAN 1 as its native VLAN and Switch B uses VLAN 99, you will see "Native VLAN mismatch" errors on the console, and because each side places untagged frames into a different VLAN, traffic can be misdirected (VLAN leaking).
Security Tip: It is a security best practice to change the Native VLAN from the default (VLAN 1) to an unused VLAN ID (e.g., VLAN 999) to mitigate certain VLAN hopping attacks.
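The tagging rules above (a 4-byte 802.1Q tag after the source MAC, untagged frames assumed to be the native VLAN) and the native VLAN mismatch just described, as an added example that is not part of the original page: a small Python emulation of a trunk port's ingress decision. The frames, MAC addresses and VLAN numbers are constructed for the example; the allowed-VLAN and native-VLAN values mirror the page's own sample configuration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag after the MACs
ETH_HDR_LEN = 14     # dst MAC (6) + src MAC (6) + EtherType (2)
TAG_LEN = 4          # 802.1Q tag: TPID (2) + TCI (2) -> the "4 bytes overhead"

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet frame; insert an 802.1Q tag after the MACs when vlan_id is set."""
    hdr = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)  # TCI = PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def classify_on_trunk(frame, native_vlan, allowed_vlans):
    """Emulate trunk ingress: tagged frames use their VID, untagged frames are
    assumed to be the native VLAN, and VLANs outside the allowed list are dropped."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < ETH_HDR_LEN + TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan, tagged = tci & 0x0FFF, True
    else:
        vlan, tagged = native_vlan, False
    action = "forward" if vlan in allowed_vlans else "drop"
    return {"vlan": vlan, "tagged": tagged, "action": action}

# Constructed sample addresses/payload (hypothetical values, not from the page)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = b"\x00" * 46

def native_mismatch_demo():
    """Switch A (native VLAN 1) sends its VLAN 1 traffic untagged. Switch B,
    whose native VLAN is 99, receives an untagged frame and files it under
    VLAN 99: the 'VLAN leaking' caused by a native VLAN mismatch."""
    frame = build_frame(DST, SRC, 0x0800, PAYLOAD, vlan_id=None)  # VLAN 1 on A -> untagged
    return classify_on_trunk(frame, native_vlan=99, allowed_vlans={10, 20, 30, 99})["vlan"]

if __name__ == "__main__":
    print(classify_on_trunk(build_frame(DST, SRC, 0x0800, PAYLOAD, vlan_id=10),
                            native_vlan=99, allowed_vlans={10, 20, 30}))
    print("mismatch demo lands VLAN 1 traffic in VLAN", native_mismatch_demo())
```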
Troubleshooting Trunk Ports
- Use show commands like show interfaces trunk and show vlan brief to inspect trunk status and VLAN membership.
- Verify both ends of the trunk agree on encapsulation (802.1Q) and native VLAN settings.
- Check for mismatched VLAN lists or allowed VLAN ranges that could block traffic.
Switch(config)# interface gigabitEthernet0/1
Switch(config-if)# switchport trunk encapsulation dot1q   ! Required on some L3 switches; must be set before "switchport mode trunk"
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Trunks are fundamental when designing multi-VLAN networks and are commonly used between switches, and between switches and routers or virtualization hosts.