
www.cisconetsolutions.com

Switch Trunking Operation


A switch trunk carries frames for multiple VLANs over a single link between switches. The
switch port must be configured for trunk mode, which enables 802.1Q VLAN tagging on the
link; each frame then carries the ID of its VLAN, so hosts assigned to the same VLAN can
communicate even when that VLAN spans two switches.

switch(config-if)# switchport mode trunk

The following show commands list trunk information. The first covers trunk ports only; the
second reports the administrative and operational switchport mode, encapsulation and native
VLAN of every switch port.

switch# show interfaces trunk
switch# show interfaces switchport

The following trunk operational and configuration settings are displayed:

- trunk operational status
- switch port members
- VLANs allowed
- native VLAN
- encapsulation type
- trunk mode

Configuring a switch port as a static trunk sets trunk mode and, on switches that also
support ISL, the 802.1Q encapsulation. Set the encapsulation before the mode: on those
platforms IOS rejects switchport mode trunk while the encapsulation is still set to
negotiate. Switches that support only 802.1Q do not have the encapsulation command. The
following trunk is static; it still sends DTP frames unless switchport nonegotiate (covered
under DTP below) is added.

switch(config)# interface fastethernet0/1
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport mode trunk
switch(config-if)# end

Native VLAN
The native VLAN is the one VLAN whose frames cross an 802.1Q trunk untagged; any untagged
frame that arrives on the trunk is placed in it. Changing the native VLAN from VLAN 1 to an
otherwise unused, nondefault VLAN is a Cisco security best practice. VLAN 1 is also the
default VLAN of every access port, so leaving it as the native VLAN puts user ports in the
same VLAN that travels untagged on the trunk, which is the precondition for a double-tagging
VLAN hopping attack. Keeping user traffic out of VLAN 1 also keeps it away from the Layer 2
control protocols that use that VLAN.

Cisco control traffic (CDP, PAgP, VTP and DTP) is always sent in VLAN 1. While VLAN 1 is the
native VLAN that traffic crosses the trunk untagged; once the native VLAN is changed it
crosses the trunk tagged with VLAN 1, and only frames of the new native VLAN are untagged.
IEEE STP BPDUs are sent untagged; PVST+ sends a BPDU per VLAN, tagged for every VLAN other
than the native VLAN. All data VLANs other than the native VLAN are tagged, so tagged and
untagged traffic stay separate on the link.

The following command changes the native VLAN from the default VLAN 1 to VLAN 999.
switch(config-if)# switchport trunk native vlan 999

The native VLAN configured on a trunk link must match at both ends. If it does not, a frame
from the native VLAN on one switch crosses the trunk untagged and is placed in the other
switch's native VLAN, so two different VLANs are bridged together; that is a form of VLAN
hopping that needs no attacker-supplied tag at all. CDP detects a native VLAN mismatch and
logs %CDP-4-NATIVE_VLAN_MISMATCH, and PVST+ detects it from the received BPDUs, logs
%SPANTREE-2-RECV_PVID_ERR and blocks the affected VLANs on that port until the mismatch is
corrected.
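The following Python model, added here and not part of the original page, shows why the native VLAN matters. It builds Ethernet frames with 802.1Q tags, applies the trunk rules described above (the native VLAN leaves untagged, untagged arrivals are assigned to the receiver's native VLAN) and reports the VLAN in which the far switch delivers a frame, both for a double-tagged frame from a host whose access VLAN equals the native VLAN and for a trunk whose two ends disagree on the native VLAN. The MAC addresses and payload are constructed, the tag_native option models the IOS global command vlan dot1q tag native (not covered on the page), and the model assumes an access port that forwards a host's already-tagged frame unchanged, which real switches may not do.

```python
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier

# Constructed sample addresses and payload for the illustration; not captured traffic.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
PAYLOAD = b"\x00" * 46


def build_frame(dst, src, vlans, ethertype=0x0800, payload=PAYLOAD):
    """Ethernet frame with zero or more 802.1Q tags, outermost first.
    Each tag is TPID 0x8100 followed by a TCI whose low 12 bits are the VLAN ID."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def outer_vlan(frame):
    """VLAN ID of the outermost tag, or None if the frame is untagged."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """Send a frame that belongs to `vlan` out a trunk port.
    Data VLANs are tagged; the native VLAN leaves untagged unless the switch
    is set to tag it (IOS global command 'vlan dot1q tag native')."""
    if vlan == native_vlan and not tag_native:
        return frame
    return frame[:12] + struct.pack("!HH", TPID, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Receive a frame on a trunk port. Returns (vlan, frame_without_outer_tag).
    A tagged frame belongs to the tagged VLAN; an untagged frame is placed in
    this switch's native VLAN, whatever the sender intended."""
    vid = outer_vlan(frame)
    if vid is None:
        return native_vlan, frame
    return vid, frame[:12] + frame[16:]


def double_tag_delivery(access_vlan, native_vlan, target_vlan=20, tag_native=False):
    """VLAN in which Switch-2 delivers a frame sent by a host on a Switch-1 access
    port in `access_vlan` that already carries an 802.1Q tag for `target_vlan`.
    Both switches share `native_vlan`. Assumes the access port forwards the
    host's tagged frame unchanged (real switches may drop it)."""
    host_frame = build_frame(DST, SRC, [target_vlan])  # inner tag supplied by the host
    on_wire = trunk_egress(host_frame, access_vlan, native_vlan, tag_native)
    delivered_vlan, _ = trunk_ingress(on_wire, native_vlan)
    return delivered_vlan


def mismatch_delivery(src_vlan, native_sw1, native_sw2):
    """VLAN in which Switch-2 delivers a plain frame from `src_vlan` on Switch-1
    when the two ends of the trunk are configured with different native VLANs."""
    on_wire = trunk_egress(build_frame(DST, SRC, []), src_vlan, native_sw1)
    delivered_vlan, _ = trunk_ingress(on_wire, native_sw2)
    return delivered_vlan


if __name__ == "__main__":
    print("host in VLAN 1, native 1         ->", double_tag_delivery(1, 1))      # 20: outer tag stripped, frame hops
    print("host in VLAN 1, native 999       ->", double_tag_delivery(1, 999))    # 1: VLAN 1 is tagged, no hop
    print("host in VLAN 1, native 1 tagged  ->", double_tag_delivery(1, 1, tag_native=True))  # 1
    print("VLAN 999 across native 999 <-> 1 ->", mismatch_delivery(999, 999, 1))  # 1: VLAN 999 leaks into VLAN 1
```

The first two runs are the point of the best practice: with the host's access VLAN equal to the native VLAN the outer tag is removed at the trunk and the far switch honours the inner tag; once the native VLAN is moved to an unused VLAN the host's frame stays tagged as VLAN 1 and never leaves it. The last run shows the mismatch case, where nothing is tagged and VLAN 999 traffic simply appears in VLAN 1 on the neighbor.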

VLAN Pruning
The purpose of VLAN pruning is to permit only the VLANs that need the trunk and deny the
rest. The Cisco default is to allow all VLANs from the range 1 - 4094 across the trunk, so
every broadcast, multicast and unknown-unicast frame from every VLAN is flooded across it.
A trunk with a restricted allowed list does not forward the other VLANs at all, which limits
both unnecessary traffic and the set of VLANs reachable from the other side of the trunk.

Manual pruning with the allowed list is distinct from VTP pruning, a dynamic mechanism in
which each switch advertises the VLANs it has active ports in and the neighbor stops
flooding the other VLANs' traffic across the trunk. VTP pruning does not remove a VLAN from
the trunk's allowed list; only the commands below do.

Specific VLANs are permitted with the interface command switchport trunk allowed vlan
followed by a list; the administrator can add or remove VLANs afterwards as requirements
change. Separate non-consecutive VLANs with commas and use a hyphen for a range of
consecutive VLANs. The following interface command allows only VLAN 10, VLAN 11 and VLAN 12
across the trunk.

switch(config-if)# switchport trunk allowed vlan 10-12

The add and remove keywords modify the list currently allowed on the interface. Against the
default list of 1-4094, add changes nothing and remove still leaves 4,093 VLANs allowed, so
set an explicit list first and then use add and remove for incremental changes.

switch(config-if)# switchport trunk allowed vlan add [vlan id, vlan id, ...]

The following interface command will remove VLAN 10 from the trunk. That will filter
all traffic from that VLAN so it cannot traverse the trunk link between switches.

switch(config-if)# switchport trunk allowed vlan remove 10

The following interface command will add VLAN 12 to the trunk interface. That will
permit all traffic from that VLAN so it can traverse the trunk link between switches.

switch(config-if)# switchport trunk allowed vlan add 12
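The following Python model, added as an example and not taken from the page, implements the allowed-VLAN list grammar (commas and hyphen ranges) and the replace, add and remove semantics described above, starting from the default of 1-4094. It also handles the IOS keywords all, except and none, which the page does not cover; their behaviour here follows the IOS command reference. Running the page's command sequence through it shows why an explicit list must be set before add and remove do anything useful.

```python
VLAN_MIN, VLAN_MAX = 1, 4094
ALL_VLANS = frozenset(range(VLAN_MIN, VLAN_MAX + 1))  # the IOS default allowed list


def parse_vlan_list(text):
    """Parse IOS list syntax such as '1,10-12,999' into a set of VLAN IDs."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError("invalid VLAN range: " + part)
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Render a set the way IOS prints it: consecutive IDs collapsed into ranges."""
    ids = sorted(vlans)
    parts, i = [], 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else "%d-%d" % (ids[i], ids[j]))
        i = j + 1
    return ",".join(parts)


def apply_allowed_vlan(current, args):
    """Apply the argument of one 'switchport trunk allowed vlan ...' command to
    the set of currently allowed VLANs and return the new set.
    Forms: '<list>' replaces the list; 'add <list>' and 'remove <list>' modify it;
    'except <list>' allows everything but the list; 'all' and 'none' reset it."""
    keyword, _, rest = args.strip().partition(" ")
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    return parse_vlan_list(args)


def run_commands(commands):
    """Start from the default (all VLANs allowed) and apply the commands in order."""
    allowed = set(ALL_VLANS)
    for cmd in commands:
        allowed = apply_allowed_vlan(allowed, cmd)
    return allowed


if __name__ == "__main__":
    print(format_vlan_list(run_commands(["10-12"])))               # 10-12
    print(format_vlan_list(run_commands(["10-12", "remove 10"])))  # 11-12
    print(format_vlan_list(run_commands(["10-11", "add 12"])))     # 10-12
    # Without an explicit list first, 'remove 10' still leaves 4093 VLANs allowed.
    print(len(run_commands(["remove 10"])))                        # 4093
```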



Dynamic Trunking Protocol (DTP)

- DTP negotiates a trunk dynamically between two directly connected switches
- DTP is a Cisco proprietary protocol
- The dynamic modes are dynamic auto and dynamic desirable; switchport nonegotiate is a separate setting that stops DTP frames
- Dynamic auto is the default switch port mode on current Catalyst switches
- Two ports left at the default (auto on both ends) do not form a trunk

DTP frames are sent to the neighbor switch to negotiate the trunk setup. Cisco switches
default to dynamic auto. A port in auto mode listens for DTP frames and becomes a trunk only
when the neighbor requests it; a port in dynamic desirable mode listens and also actively
sends DTP frames to negotiate a trunk. A trunk therefore forms dynamically only when at
least one end is desirable, or one end is already a static trunk.

The interface configured with switchport mode trunk is a static trunk in on mode: it
operates as a trunk regardless of what the neighbor does, but it still sends DTP frames so
that an auto or desirable neighbor will trunk too. Only switchport nonegotiate stops a port
from sending DTP frames.

The following describes the operation of each switch port configuration:

- switchport mode access = access port only; never becomes a trunk
- switchport mode trunk = static trunk; still sends DTP frames unless switchport nonegotiate is also configured
- switchport mode dynamic auto = listens for DTP requests; trunks only if the neighbor asks
- switchport mode dynamic desirable = listens for and sends DTP requests
- switchport nonegotiate = stops DTP frames; valid together with mode access or mode trunk

The following describes how the mode on each end affects trunk setup between local and
remote switches.

Table 1 Dynamic Trunking Protocol Modes

Switch-1              Switch-2              Result
auto                  auto                  access port (no trunk)
auto                  desirable             trunk
desirable             desirable             trunk
auto                  on                    trunk
desirable             on                    trunk
on                    on                    trunk
on + nonegotiate      on + nonegotiate      trunk (static, no DTP frames sent)
access + nonegotiate  access + nonegotiate  access port (no trunk, no DTP frames sent)
on + nonegotiate      auto                  mismatch: Switch-1 trunks, Switch-2 stays an access port



A port in dynamic auto mode can operate as an access port or as a trunk; the neighbor's
incoming negotiation determines which. Configure nonegotiate on interfaces connected to
devices that do not support DTP or that must never trunk, and set the neighbor's mode
manually, since it will receive no DTP frames. DTP frames are sent at one second intervals
during negotiation and every 30 seconds after that.

The following settings control DTP on a switch link:

- switchport nonegotiate stops the port from sending DTP frames; it is applied together with switchport mode access or switchport mode trunk
- switchport mode access fixes the port as an access port, so the neighbor cannot negotiate it into a trunk; add nonegotiate so the port takes no part in DTP at all
- a static trunk (switchport mode trunk) fixes the port as a trunk, but keeps sending DTP frames until nonegotiate is added
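The following Python script, added here as an example and not part of the original page, parses show interfaces trunk output and flags the conditions this page recommends against: the default native VLAN 1, an unpruned allowed list of 1-4094, and a trunk mode or encapsulation that was negotiated by DTP rather than configured statically. The sample output is constructed in the layout IOS prints; the port names and values are invented for the example.

```python
# Constructed sample in the layout IOS uses for 'show interfaces trunk';
# the ports and values are invented for this example.
SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/1       on               802.1q         trunking      999
Gi1/2       desirable        n-802.1q       trunking      1

Port        Vlans allowed on trunk
Gi1/1       10-12
Gi1/2       1-4094

Port        Vlans allowed and active in management domain
Gi1/1       10-12
Gi1/2       1,10-12

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/1       10-12
Gi1/2       1,10-12
"""


def parse_show_trunk(text):
    """Return {port: {mode, encap, status, native, allowed}} from the first two tables."""
    trunks = {}
    header = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port "):
            header = line  # each table starts with a 'Port ...' header line
            continue
        if header is None:
            continue
        fields = line.split()
        if "Native vlan" in header:
            port, mode, encap, status, native = fields
            trunks[port] = {"mode": mode, "encap": encap, "status": status,
                            "native": int(native), "allowed": None}
        elif "allowed on trunk" in header:
            port, allowed = fields
            trunks.setdefault(port, {})["allowed"] = allowed
        # The 'active in management domain' and 'forwarding state' tables are
        # not needed for these checks.
    return trunks


def audit_trunks(trunks):
    """List (port, finding) pairs for the conditions this page recommends against."""
    findings = []
    for port, t in sorted(trunks.items()):
        if t.get("native") == 1:
            findings.append((port, "native VLAN is the default VLAN 1; move it to an unused VLAN"))
        if t.get("allowed") == "1-4094":
            findings.append((port, "all VLANs allowed; restrict with 'switchport trunk allowed vlan'"))
        if t.get("mode") != "on":
            findings.append((port, "trunk formed by DTP (mode %s); use 'switchport mode trunk' "
                                   "plus 'switchport nonegotiate'" % t.get("mode")))
        if str(t.get("encap", "")).startswith("n-"):
            findings.append((port, "encapsulation negotiated by DTP (%s); set "
                                   "'switchport trunk encapsulation dot1q'" % t["encap"]))
    return findings


if __name__ == "__main__":
    for port, finding in audit_trunks(parse_show_trunk(SAMPLE)):
        print("%-6s %s" % (port, finding))
```

On the sample, Gi1/1 (static, native 999, pruned to 10-12) produces no findings and Gi1/2 produces all four; the same parser can be pointed at saved output from a real switch.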

Troubleshooting Trunking
Refer to the drawing. Hosts assigned to VLAN 11 and VLAN 12 on switch-1 cannot
communicate with hosts in the same VLAN on switch-2.

switch-1# show running-config


<output omitted>
interface gigabitethernet1/1
switchport mode access
switchport access vlan 10

switch-1# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   data                             active    Gi1/1, Gi1/2, Gi1/3
11   server                           active    Gi1/4, Gi1/5, Gi1/6
12   wireless                         active    Gi1/7, Gi1/8, Gi1/9

[Drawing] Switch-1 Gi1/1 ---- Gi1/1 Switch-2. VLAN 10, VLAN 11 and VLAN 12 are configured on both switches.

A trunk forwards multiple VLANs between switches, so hosts assigned to the same VLAN can
communicate across them. Switch-1 interface Gi1/1 is configured as an access port in VLAN
10, so only VLAN 10 traffic crosses the link, and that only works provided Gi1/1 on Switch-2
is assigned to VLAN 10 as well; hosts in VLAN 11 and VLAN 12 have no path between the
switches.

The interface level IOS command switchport mode trunk is required on port Gi1/1 of both
Switch-1 and Switch-2 to carry all three VLANs between the switches. Remove PortFast from
any trunk interface as well; PortFast is only recommended on access mode ports.

1. How do you configure trunking on a Cisco switch port interface?

Answer
The switch port interface is configured with trunk mode to enable trunking. DTP is enabled
by default (dynamic auto), so a static trunk on one end also brings up the neighbor if it is
in auto or desirable mode. On switches that also support ISL, set the 802.1Q encapsulation
before trunk mode; switches that support only 802.1Q use it implicitly.

switch(config)# interface [interface]


switch(config-if)# switchport mode trunk
switch(config-if)# end

2. What configuration feature on a switch trunk interface optimizes network design


and security for the switching infrastructure?

Answer
There are requirements and best practices for trunking between switches.

- The native VLAN configured on a trunk link must match at both ends. Otherwise untagged frames are placed in a different VLAN on each side of the trunk.

- Change the native VLAN from the default VLAN 1 to an unused VLAN and assign no access ports to it. This removes the condition a double-tagging VLAN hopping attack depends on.

- VLAN 1 carries Cisco control traffic (CDP, VTP, PAgP and DTP) between switches and should not be assigned to data traffic.

- Prune the allowed VLAN list to the VLANs that need the trunk, and stop DTP with switchport nonegotiate on static trunks.

3. The network administrator has configured a trunk between two switches. The
configuration must prune VLANs to allow only VLAN 10, 11 and 12 across the
trunk. What is the correct IOS command to accomplish that?

Answer
The default trunk configuration allows all VLANs from the range 1-4094 across the
trunk link. The following IOS command will allow only VLAN 10, VLAN 11 and
VLAN 12 across the trunk. The network administrator can add or remove VLANs
after that IOS command is issued.

switch(config-if)# switchport trunk allowed vlan 10-12

4. Refer to the network topology drawing. What switch port mode must be
configured on a switch interface/s to enable proper forwarding of VLAN traffic
between all network devices?

[Drawing] Router-1 connects to Switch-3 Gi1/3. Switch-3 Gi1/1 connects to Switch-1 Gi1/1 and Switch-3 Gi1/2 connects to Switch-2 Gi1/1. Switch-1 and Switch-2 each carry VLAN 10, VLAN 11 and VLAN 12.

Answer
Any switch with multiple VLANs needs its uplink configured as a trunk. Switch-1 and
Switch-2 each carry VLAN 10, 11 and 12 and uplink to Switch-3, so Gi1/1 on Switch-1, Gi1/1
on Switch-2, and Gi1/1 and Gi1/2 on Switch-3 must all be trunks. The trunk port tags each
frame with its VLAN ID before forwarding it to the neighbor switch. Configuring trunk mode
on Switch-3 port Gi1/3 enables trunking to Router-1 as well.

5. What IOS interface level command will remove VLAN 10 from a trunk where only
VLAN 10, VLAN 11 and VLAN 12 are allowed?

Answer
The following IOS command will remove VLAN 10 from the trunk. That will filter all
traffic from that VLAN so it cannot traverse the trunk link between switches. To
remove a range of consecutive VLANs such as from VLAN 1 to VLAN 100
inclusive, use a hyphen (1-100). For a non-consecutive list such as VLAN 1 and
VLAN 10,11,12 use commas and hyphens (1,10-12).

switch(config-if)# switchport trunk allowed vlan remove 10

6. What IOS interface level command will add VLAN 12 to a trunk interface where
only VLAN 10 and VLAN 11 are allowed?

Answer
The following IOS interface command will add VLAN 12 to the trunk interface. That
will permit all traffic from that VLAN so it can traverse the trunk link between
switches. To add a range of consecutive VLANs such as from VLAN 1 to VLAN 100
inclusive, use a hyphen (1-100). For the example where there is a non-consecutive
list such as VLAN 1 and VLAN 10,11,12 use commas and hyphens (1,10-12).

switch(config-if)# switchport trunk allowed vlan add 12

The add and remove keywords modify whatever list is currently allowed on the trunk. Set an
explicit list first with switchport trunk allowed vlan [list], because the default allows
every VLAN (1-4094): against the default, add changes nothing and remove still leaves the
remaining 4,093 VLANs allowed. Cisco switches accept a range in the list as well.
