Trunk Ports are switch interfaces that carry traffic from multiple VLANs over a single physical connection, unlike access ports which belong to only one VLAN.
802.1Q (dot1q) Encapsulation is the industry-standard protocol that inserts a 4-byte tag into Ethernet frames to identify which VLAN the traffic belongs to when traversing trunk links.
The Native VLAN is a special VLAN whose traffic is sent untagged over trunk ports; by default this is VLAN 1, and it must match on both ends of a trunk link.
Router on a Stick (ROAS) is an inter-VLAN routing method that uses a single physical router interface divided into multiple logical subinterfaces to route between VLANs.
VLAN tagging allows switches to identify which VLAN a frame belongs to when received on a trunk port, enabling proper forwarding decisions.
Topic                          Key Information
Trunk vs Access                Access = single VLAN, Trunk = multiple VLANs
Trunk alternate name           "Tagged port" (Access = "Untagged port")
Trunking protocols             ISL (Cisco proprietary, legacy) and 802.1Q (industry standard)
802.1Q tag location            Between the Source MAC and the Type/Length field
802.1Q tag size                4 bytes (32 bits)
VLAN range                     1-4094 usable (0 and 4095 reserved)
Normal VLANs                   1-1005
Extended VLANs                 1006-4094
Default Native VLAN            VLAN 1
Default allowed VLANs on trunk All (1-4094)
Trunk Port: A switch interface configured to carry traffic from multiple VLANs using VLAN tags to identify frame membership.
802.1Q: IEEE industry-standard trunking protocol that adds a 4-byte tag to Ethernet frames for VLAN identification.
ISL (Inter-Switch Link): Cisco's legacy proprietary trunking protocol (rarely used today).
Native VLAN: The VLAN whose traffic is transmitted untagged over a trunk; receiving switches assume untagged frames belong to the native VLAN.
ROAS (Router on a Stick): Inter-VLAN routing method using subinterfaces on a single physical router interface.
Subinterface: A logical division of a physical router interface, each configured with its own VLAN tag and IP address.
|<------------- 4 bytes (32 bits) ------------->|
| TPID (16 bits)     | TCI (16 bits)            |
|                    | PCP  | DEI  | VID        |
|                    |  3   |  1   | 12   (bits)|
Field   Size      Purpose
TPID    16 bits   Tag Protocol Identifier - always 0x8100 for an 802.1Q tag
PCP     3 bits    Priority Code Point - QoS/CoS prioritization
DEI     1 bit     Drop Eligible Indicator - marks frames that may be dropped under congestion
VID     12 bits   VLAN ID - identifies the VLAN (the field can hold 0-4095; 1-4094 are usable)
Item                     Value
802.1Q tag size          4 bytes / 32 bits
TPID value               0x8100
VID field size           12 bits
Total possible VLANs     4096 (2^12)
Usable VLAN range        1-4094
Normal VLAN range        1-1005
Extended VLAN range      1006-4094
Reserved VLANs           0 and 4095
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan {vlan-list | all | none | add vlan-list | remove vlan-list | except vlan-list}
Switch(config-if)# switchport trunk native vlan {vlan-id}
Command (after switchport trunk ...)   Function
allowed vlan 10,30                     Sets allowed VLANs to ONLY 10 and 30
allowed vlan add 20                    Adds VLAN 20 to the existing list
allowed vlan remove 20                 Removes VLAN 20 from the list
allowed vlan all                       Allows all VLANs (default state)
allowed vlan except 1-5                Allows all VLANs EXCEPT the ones listed
allowed vlan none                      Blocks all VLANs
Router(config)# interface g0/0
Router(config-if)# no shutdown
Router(config)# interface g0/0.10
Router(config-subif)# encapsulation dot1q 10
Router(config-subif)# ip address 192.168.1.62 255.255.255.192
Switch# show interfaces trunk
Switch# show vlan brief
Router# show ip interface brief
Router# show ip route
Encapsulation requirement: On switches that support both ISL and dot1q, switchport mode trunk is rejected until you have configured switchport trunk encapsulation dot1q first
Native VLAN mismatch: If the native VLANs differ on the two ends of a trunk, untagged frames from one switch's native VLAN are placed into the other switch's native VLAN - the traffic lands in the wrong VLAN (and has crossed a VLAN boundary); when both switches run CDP, a native VLAN mismatch warning is logged
show vlan brief doesn't show trunk ports: This command only shows ACCESS port assignments; use show interfaces trunk for trunk information
VLAN must exist to be "active": Even if a VLAN is allowed on a trunk, it won't appear in "VLANs allowed and active" unless it has been created on the switch
Subinterface number ≠ VLAN number (technically): They don't HAVE to match, but best practice is to match them for clarity
Physical interface needs no shutdown: Router interfaces are disabled by default - enable the physical interface with no shutdown or none of its subinterfaces will work
Confusing allowed vlan with allowed vlan add: switchport trunk allowed vlan 20 REPLACES the entire list with VLAN 20 alone; use switchport trunk allowed vlan add 20 to append
"TPID = 8100"
Think: "81 hundred percent sure it's dot1q"
"VID = 12 bits = 4096 VLANs"
12 bits → 2^12 = 4096
Minus 2 reserved = 4094 usable
"Tag goes after Source MAC"
Remember: "Source tags the frame" (Source MAC → Tag)
802.1Q Tag Fields: "TPID-PCP-DEI-VID"
Mnemonic: "The Priority Determines VLAN"
Native VLAN:
"Native = No tag" (both start with N)
ROAS Subinterface:
"Match the numbers" - subinterface .10 = VLAN 10
Normal vs Extended VLANs:
Normal: 1-1005 (think "1000-ish")
Extended: 1006-4094 (everything after)
SW1 (Native VLAN 10) ←——trunk——→ SW2 (Native VLAN 30)
PC1 (VLAN 10) sends frame → SW1
SW1 sends UNTAGGED (native VLAN 10)
SW2 receives untagged → assumes VLAN 30
Frame placed in wrong VLAN → communication fails, and VLAN 10 traffic has leaked into VLAN 30!
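To make the tag layout from the tables above and this SW1/SW2 scenario concrete, and to show why the native VLAN should be an unused one (the security best practice given later on this page), here is an added Python model that is not part of the original page. It inserts and parses the 4-byte 802.1Q tag at byte offset 12 (right after the two MAC addresses), models trunk send/receive with a native VLAN, replays the native VLAN mismatch, and finally pushes a double-tagged frame in from an access port. The MAC addresses and payload are constructed; the access-port rule (a frame tagged with the port's own VLAN is accepted and untagged, any other tag is dropped) is an assumption of this model, chosen to match the Cisco IOS behaviour that double-tagging VLAN hopping relies on.

```python
"""Added model of 802.1Q tagging and trunk native-VLAN handling (example code, not from the page)."""
import struct

TPID_8021Q = 0x8100        # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
TAG_OFFSET = 12            # the tag sits right after DST MAC (6) + SRC MAC (6)

# Constructed sample frame for the demo: PC1 -> server, IPv4, dummy payload.
PC1_MAC = bytes.fromhex("020000000001")
SRV_MAC = bytes.fromhex("020000000020")
UNTAGGED_FRAME = SRV_MAC + PC1_MAC + struct.pack("!H", ETHERTYPE_IPV4) + b"payload"


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag between the Source MAC and the Type/Length field."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field (0-4095)")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid   # TCI = PCP(3) DEI(1) VID(12)
    return frame[:TAG_OFFSET] + struct.pack("!HH", TPID_8021Q, tci) + frame[TAG_OFFSET:]


def parse_tag(frame: bytes):
    """Return (pcp, dei, vid) for a tagged frame, or None if it carries no 802.1Q tag."""
    if len(frame) < TAG_OFFSET + 4:
        return None
    tpid, tci = struct.unpack("!HH", frame[TAG_OFFSET:TAG_OFFSET + 4])
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0xFFF


def strip_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag."""
    return frame[:TAG_OFFSET] + frame[TAG_OFFSET + 4:]


def access_ingress(frame: bytes, access_vlan: int):
    """Access-port receive -> (vlan, frame), or None if the frame is dropped.
    Assumed rule (matches Cisco IOS; double-tagging relies on it): an untagged frame joins
    the access VLAN, a frame tagged with the port's own VLAN is accepted and untagged,
    a frame tagged with any other VLAN is dropped."""
    tag = parse_tag(frame)
    if tag is None:
        return access_vlan, frame
    return (access_vlan, strip_tag(frame)) if tag[2] == access_vlan else None


def trunk_egress(frame: bytes, vlan: int, native_vlan: int) -> bytes:
    """Trunk send: the native VLAN leaves untagged, every other VLAN is tagged."""
    return frame if vlan == native_vlan else tag_frame(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int):
    """Trunk receive -> (vlan, frame): untagged means native VLAN, tagged means the VID."""
    tag = parse_tag(frame)
    if tag is None:
        return native_vlan, frame
    return tag[2], strip_tag(frame)


def vlan_after_trunk(vlan: int, sw1_native: int, sw2_native: int) -> int:
    """VLAN that SW2 assigns to a frame SW1 forwards from `vlan` across the trunk."""
    return trunk_ingress(trunk_egress(UNTAGGED_FRAME, vlan, sw1_native), sw2_native)[0]


def double_tag_hop(attacker_vlan: int, target_vid: int, native_vlan: int) -> int:
    """Attacker on an access port in `attacker_vlan` sends a frame with two tags
    (outer = attacker_vlan, inner = target_vid). Returns the VLAN the far switch assigns."""
    crafted = tag_frame(tag_frame(UNTAGGED_FRAME, target_vid), attacker_vlan)
    vlan, frame = access_ingress(crafted, attacker_vlan)   # outer tag stripped here
    on_wire = trunk_egress(frame, vlan, native_vlan)        # untagged only if vlan == native
    return trunk_ingress(on_wire, native_vlan)[0]


if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED_FRAME, 10, pcp=5)
    print("tag bytes:", tagged[12:16].hex(), "->", parse_tag(tagged))        # 8100a00a -> (5, 0, 10)
    print("native 10/10, VLAN 10 frame lands in:", vlan_after_trunk(10, 10, 10))   # 10
    print("native 10/30, VLAN 10 frame lands in:", vlan_after_trunk(10, 10, 30))   # 30 (mismatch)
    print("native VLAN 1, access port in VLAN 1, inner tag 20:", double_tag_hop(1, 20, 1))  # 20 (hop)
    print("native VLAN 999 (unused), same frame:", double_tag_hop(1, 20, 999))           # 1 (contained)
```

The mismatch case shows that the frame is not lost, it is relabelled: SW1 sends VLAN 10 untagged and SW2 files it under its own native VLAN 30. The last two calls show the same mechanism used deliberately: when the attacker's access VLAN equals the trunk's native VLAN, SW1 strips the outer tag and sends the frame untagged, so SW2 reads the inner tag and delivers it into VLAN 20; with the native VLAN moved to an unused VLAN the frame leaves SW1 tagged with VLAN 1 and stays there.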
Topology: PC (VLAN 10) → SW1 → R1
SW1 Configuration:
interface g0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20,30
R1 Configuration:
interface g0/0
no shutdown
interface g0/0.10
encapsulation dot1q 10
ip address 192.168.10.1 255.255.255.0
interface g0/0.20
encapsulation dot1q 20
ip address 192.168.20.1 255.255.255.0
What is a trunk port?
A switch interface that carries traffic from multiple VLANs over a single physical connection, using VLAN tags to identify frame membership.
What is the difference between a trunk port and an access port?
Access port = belongs to single VLAN, frames untagged. Trunk port = carries multiple VLANs, frames tagged with 802.1Q.
What are the two trunking protocols?
ISL (Cisco proprietary, legacy) and 802.1Q/dot1q (IEEE industry standard). Only dot1q is used today.
What is the size of the 802.1Q tag?
4 bytes (32 bits)
Where is the 802.1Q tag inserted in an Ethernet frame?
Between the Source MAC Address and the Type/Length field.
What are the two main sections of the 802.1Q tag?
TPID (Tag Protocol Identifier) - 16 bits, and TCI (Tag Control Information) - 16 bits
What is the TPID value that identifies an 802.1Q-tagged frame?
0x8100
What are the three sub-fields of the TCI?
PCP (Priority Code Point) - 3 bits, DEI (Drop Eligible Indicator) - 1 bit, VID (VLAN ID) - 12 bits
How many bits is the VID field, and how many VLANs does this allow?
12 bits, allowing 4096 total VLANs (2^12), but only 1-4094 are usable (0 and 4095 reserved).
What is the range of Normal VLANs vs Extended VLANs?
Normal: 1-1005, Extended: 1006-4094
What is the Native VLAN?
A VLAN whose traffic is sent untagged over trunk ports. Default is VLAN 1. Receiving switch assumes untagged frames belong to native VLAN.
What happens if native VLANs don't match on both sides of a trunk?
Traffic will be placed in the wrong VLAN, causing communication failures. The switch still forwards but frames go to incorrect VLAN.
What command configures an interface as a trunk?
switchport mode trunk (may need switchport trunk encapsulation dot1q first on some switches)
What command changes the native VLAN on a trunk port?
switchport trunk native vlan {vlan-id}
What command allows only VLANs 10 and 30 on a trunk?
switchport trunk allowed vlan 10,30
What command adds VLAN 20 to the existing allowed VLANs on a trunk?
switchport trunk allowed vlan add 20
What command returns a trunk to allowing all VLANs (default)?
switchport trunk allowed vlan all
Why might switchport mode trunk be rejected on some switches?
On switches supporting both ISL and dot1q, you must first specify encapsulation type with switchport trunk encapsulation dot1q
What command verifies trunk port configuration?
show interfaces trunk
Does show vlan brief display trunk ports?
No, it only shows access port VLAN assignments. Use show interfaces trunk for trunk information.
What is Router on a Stick (ROAS)?
Inter-VLAN routing method using a single physical router interface divided into logical subinterfaces, each assigned to a different VLAN.
How do you enter subinterface configuration mode?
interface g0/0.{subinterface-number} (e.g., interface g0/0.10)
What command assigns a VLAN to a router subinterface?
encapsulation dot1q {vlan-id}
Does the subinterface number have to match the VLAN number?
No, but it's best practice to match them for clarity.
What must be done to the physical interface for subinterfaces to work?
Enable it with no shutdown (router interfaces are disabled by default)
In ROAS, how does the router know which subinterface received a frame?
By the 802.1Q VLAN tag - frames tagged with VLAN 10 are treated as arriving on the subinterface configured with encapsulation dot1q 10
What does PCP (Priority Code Point) do?
Used for Class of Service (CoS) to prioritize important traffic in congested networks. 3 bits in length.
What does DEI (Drop Eligible Indicator) do?
Indicates frames that can be dropped during network congestion. 1 bit in length.
What is another name for trunk port? Access port?
Trunk port = Tagged port; Access port = Untagged port
Why would you limit allowed VLANs on a trunk?
Security (control traffic flow) and performance (prevent unnecessary broadcast traffic from other VLANs)
What is the security best practice for native VLAN?
Change it to an unused VLAN (not VLAN 1) that no access port belongs to, so an attacker on an access port cannot send frames that leave the trunk untagged (double-tagging VLAN hopping). On Cisco IOS the native VLAN can additionally be tagged with the global command vlan dot1q tag native.
If VLAN 10 is allowed on a trunk but doesn't appear in "VLANs allowed and active," why?
VLAN 10 doesn't exist on the switch. The VLAN must be created for it to be "active."
What is the default setting for VLANs allowed on a trunk?
All VLANs (1-4094) are allowed by default.
In show interfaces trunk output, what does "Mode: on" mean?
The interface was manually configured as a trunk using switchport mode trunk.
Write the complete ROAS subinterface configuration for VLAN 20 with IP 10.0.20.1/24.
interface g0/0.20
encapsulation dot1q 20
ip address 10.0.20.1 255.255.255.0
Last modified 23 days ago