Part 13 – VLAN Trunk Links

VLAN Trunk Links

Introduction

Welcome to Part 13 of the Network Fundamentals study notes! If you haven’t already, we recommend watching the video first.

In Part 12 we set up VLANs on a single switch. But networks grow — you’ll eventually need more switches. This part covers how to extend VLANs across multiple switches using trunk links, and introduces voice VLANs, VLAN 1, the native VLAN, and Router on a Stick.

The Problem: Connecting Multiple Switches

As a company grows, one switch won’t have enough ports. You buy another switch — but now you have VLANs configured on both and need them to talk to each other. Running a separate physical link between the switches for each VLAN would work, but it burns through ports fast and becomes completely unscalable as you add more VLANs and more switches.

The solution is a trunk link — a single link capable of carrying all VLANs at once.

Access Ports vs Trunk Ports

Switch ports operate in one of two main modes:

  • Access port (also called an untagged port) – connects to an end device like a workstation, printer, or server. It belongs to a single data VLAN (and optionally a voice VLAN). The end device never sees any VLAN information — frames arrive and leave untagged.
  • Trunk port (also called a tagged port) – connects switch to switch, or switch to router. It carries multiple VLANs simultaneously by adding a tag to each frame to identify which VLAN it belongs to.

A simple memory aid: an access port is how workstations access the network. A trunk is like the trunk of a tree — one trunk with many branches (VLANs) coming off it.

802.1Q Tagging

When a frame is sent over a trunk link, the switch inserts a 4-byte tag into the Ethernet header, directly after the source MAC address. The tag starts with the value 0x8100 in the position where the EtherType normally sits, which tells the receiver that a tag follows; the remaining 16 bits hold a 3-bit priority and the 12-bit VLAN ID. The VLAN ID is the field that matters here (12 bits gives a range of 0–4095, of which 1–4094 are usable). When the frame arrives at the other end, the receiving switch reads the tag, identifies the VLAN, strips the tag, and delivers the frame to the right access port.

Two important points:

  • The tag contains the VLAN ID, not the VLAN name. VLAN names are locally significant — they exist only on each individual switch and don’t need to match between switches.
  • End devices on access ports never see the tag. It’s added and removed by the switches automatically. (VLAN-aware devices such as IP phones, covered below, are the exception: they tag their own frames.)

Because the tag is added by the switch before the trunk and removed before delivery, VLANs remain completely separate even though their frames share the same physical cable. A trunk extends each VLAN’s broadcast domain across switches — so broadcasts and floods stay within their VLAN, but will travel over trunk links to reach all switches that carry that VLAN. Note that this separation is enforced purely by the switches’ tagging rules; a host in one VLAN stays isolated from another only as long as no trunk misconfiguration (the native VLAN mismatch described below is the classic case) lets frames cross that boundary.

802.1Q vs ISL

There are two trunking standards. 802.1Q was developed by the IEEE and is supported by all vendors — it’s what you should use. ISL (Inter-Switch Link) is Cisco’s older proprietary trunking standard, rarely seen in production today. Stick with 802.1Q.

Voice VLANs

If your network includes IP phones, you’ll need a voice VLAN. IP phones typically have a small 3-port switch built in. The connection goes: switch → phone → workstation. The third port is internal, connecting to the phone hardware itself.

This arrangement has two benefits. It requires fewer switch ports and less cabling (one cable run handles both the phone and the workstation behind it). The link from the switch to the phone acts like a mini trunk, carrying both the data VLAN (for the workstation) and the voice VLAN (for the phone): the workstation’s frames pass through the phone untagged, while the phone tags its own frames with the voice VLAN ID, having learned that ID from the switch via CDP or LLDP.

Configuration on the switch port sets both: switchport access vlan <data-vlan> and switchport voice vlan <voice-vlan>.

VLAN 1 and the Native VLAN

VLAN 1

VLAN 1 is special on Cisco switches. It always exists by default and cannot be deleted. All ports are in VLAN 1 by default before any configuration. More importantly, control traffic between Cisco switches (such as CDP messages) travels on VLAN 1. Best practice is to move your workstations and other devices to a different VLAN, leave VLAN 1 for this control traffic, and avoid using it as the native VLAN on trunks (see below), since a default VLAN that every unconfigured port lands in is a poor place for untagged trunk traffic to end up.

Native VLAN

The native VLAN exists to support devices that don’t understand VLAN tagging, such as old hubs or simple unmanaged switches. Frames belonging to the native VLAN are sent across the trunk untagged, and any untagged frame arriving on a trunk link is assumed to belong to the native VLAN. By default on Cisco switches, the native VLAN is VLAN 1.

The native VLAN must match on both ends of a trunk. If it doesn’t, a frame that one switch sends untagged because it belongs to its native VLAN (say VLAN 10) is placed into the other switch’s native VLAN (say VLAN 1) on arrival, so traffic leaks between two VLANs that are supposed to be isolated. You can change the native VLAN under interface configuration with switchport trunk native vlan <id>; set it to the same unused VLAN on both ends, one with no access ports in it, so that stray untagged frames never land among real hosts. If there’s a mismatch, CDP will warn you with a native VLAN mismatch message in the switch log.
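To make the tag format and the native VLAN behaviour concrete, here is a small simulator of what a switch does at each end of a trunk. It is an added example for these notes, not code from the page or from any vendor: the frames, MAC addresses, VLAN numbers and the allowed-VLAN sets are constructed for illustration. It parses and inserts the 4-byte 802.1Q tag, sends the native VLAN untagged, files untagged arrivals under the receiver’s native VLAN, drops pruned VLANs, and then shows the mismatch case from the section above, where a VLAN 10 frame from one switch ends up in VLAN 1 on the other.

```python
"""802.1Q tagging and native-VLAN handling, as a small trunk simulator.

Added example for these study notes; not code from the page or from any
vendor.  All frames, MACs and VLAN numbers below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100      # EtherType value announcing "an 802.1Q tag follows"
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]   # None = untagged (or priority-tagged with VID 0)
    pcp: int              # 3-bit priority from the tag, 0 when untagged
    ethertype: int        # EtherType of the payload that follows the tag
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Decode an Ethernet frame.  If the EtherType slot holds 0x8100, the
    4-byte tag (TPID + TCI) sits between the source MAC and the real EtherType."""
    dst, src = raw[0:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != TPID_8021Q:
        return Frame(dst, src, None, 0, etype, raw[14:])
    tci, real_etype = struct.unpack("!HH", raw[14:18])
    pcp = tci >> 13            # top 3 bits: priority
    vid = tci & 0x0FFF         # low 12 bits: VLAN ID
    # VID 0 is "priority-tagged": the tag carries only a priority and the
    # frame is treated as untagged for VLAN purposes (reserved by 802.1Q).
    return Frame(dst, src, vid if vid != 0 else None, pcp, real_etype, raw[18:])


def add_tag(raw: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag after the source MAC of an untagged frame (trunk egress)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | vid
    return raw[:12] + struct.pack("!HH", TPID_8021Q, tci) + raw[12:]


def strip_tag(raw: bytes) -> bytes:
    """Remove the 4-byte tag before the frame is handed to an access port."""
    if struct.unpack("!H", raw[12:14])[0] != TPID_8021Q:
        return raw
    return raw[:12] + raw[16:]


def trunk_send(raw_untagged: bytes, vid: int, native_vlan: int,
               allowed: Set[int]) -> Optional[bytes]:
    """A switch puts a frame from VLAN `vid` onto a trunk.  Pruned VLANs are
    not sent at all; the native VLAN goes out untagged; everything else is tagged."""
    if vid not in allowed:
        return None
    if vid == native_vlan:
        return raw_untagged
    return add_tag(raw_untagged, vid)


def trunk_receive(raw: bytes, native_vlan: int,
                  allowed: Set[int]) -> Optional[Tuple[int, bytes]]:
    """A switch receives a frame on a trunk and decides which VLAN it belongs to.
    Returns (vid, untagged_frame), or None if that VLAN is not allowed here."""
    f = parse_frame(raw)
    vid = native_vlan if f.vlan is None else f.vlan
    if vid not in allowed:
        return None
    return vid, strip_tag(raw)


def build_frame(dst: bytes, src: bytes, payload: bytes,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample: a broadcast from a host in VLAN 10 (payload is filler)
HOST_FRAME = build_frame(b"\xff" * 6, bytes.fromhex("001122334455"),
                         b"\x45" + b"\x00" * 19)


def native_vlan_mismatch() -> Tuple[int, int]:
    """Switch A has native VLAN 10 on its trunk; switch B still has the default
    native VLAN 1.  A sends its VLAN 10 frame untagged, B files it under VLAN 1.
    Returns (vlan_on_A, vlan_on_B)."""
    on_wire = trunk_send(HOST_FRAME, 10, native_vlan=10, allowed={1, 10, 20})
    vid_b, _ = trunk_receive(on_wire, native_vlan=1, allowed={1, 10, 20})
    return 10, vid_b


if __name__ == "__main__":
    print("native VLAN mismatch moves the frame from VLAN %d to VLAN %d"
          % native_vlan_mismatch())
```

Run it and the last line reports the frame leaving switch A as VLAN 10 and arriving at switch B as VLAN 1, which is exactly the leak that makes matching native VLANs (and choosing an unused one) a security setting rather than a cosmetic one.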

CDP and LLDP

CDP (Cisco Discovery Protocol) is a Cisco-proprietary protocol that runs between connected devices. When two Cisco devices are connected, CDP lets them learn about each other — device type, IOS version, native VLAN, capabilities, and more. It’s enabled by default on most Cisco switches and uses VLAN 1.

CDP is great for troubleshooting and can detect native VLAN mismatches. Use show cdp neighbors and show cdp neighbors detail to see what’s connected. CDP can be disabled globally with no cdp run or per-interface with no cdp enable. It is commonly turned off on user-facing and other untrusted ports, because CDP advertises the device model, IOS version and native VLAN to whatever is plugged in, while being left on for switch-to-switch links where it is useful. One caveat: Cisco IP phones learn their voice VLAN from CDP, so don’t disable it on phone ports unless LLDP (below) is doing that job instead.

LLDP (Link Layer Discovery Protocol) is the vendor-neutral equivalent. It does the same job as CDP but works between devices from any manufacturer. On Cisco switches it’s disabled by default, so you need to enable it with lldp run. LLDP commands and output are very similar to CDP.

Router on a Stick (ROAS)

In Part 12, we connected a separate router interface to each VLAN. But what if you have 10 or 30 VLANs? Routers don’t have that many interfaces. The solution is Router on a Stick — a single trunk link from the switch to the router, with virtual sub-interfaces on the router, one per VLAN.

The name comes from the topology: one cable (the “stick”) connecting the router to the switch, with all VLANs riding over it.

Configuration on the router:

  1. Bring up the physical interface with no shutdown — but don’t assign it an IP.
  2. Create a sub-interface: interface GigabitEthernet 0/1.10 (the number after the dot is typically set to match the VLAN ID).
  3. Set the encapsulation: encapsulation dot1q 10 (the number is the VLAN ID).
  4. Assign an IP address: ip address 192.168.10.254 255.255.255.0 — this becomes the default gateway for devices in that VLAN.
  5. Repeat for each additional VLAN.

On the switch side, the port connected to the router is configured as a trunk port. Each sub-interface on the router behaves like a regular interface and can route traffic between VLANs. Two details worth knowing: the sub-interface number is only a label, and it is the encapsulation dot1q command that actually binds it to a VLAN; and if the router must route the trunk’s native VLAN, that sub-interface needs encapsulation dot1q <id> native, because frames for the native VLAN arrive untagged.

VLAN Pruning

By default, all VLANs are allowed over a trunk link. You can restrict this with switchport trunk allowed vlan <list>. This is called pruning (manual pruning, as opposed to the automatic pruning VTP can do) — limiting which VLANs can travel across a particular trunk. It reduces unnecessary broadcast and flood traffic on links where certain VLANs aren’t needed, and it also means a misconfigured or compromised switch at the far end only ever sees the VLANs you chose to extend to it. Be careful when editing the list: switchport trunk allowed vlan 30 replaces the whole list with just VLAN 30, while switchport trunk allowed vlan add 30 appends to it.
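Putting the commands from the voice VLAN, native VLAN, Router on a Stick and pruning sections together, here is an added configuration example for one switch and one router. It is not from the page or the video; the interface numbers, VLAN numbers (10 data, 20 voice, 999 as the unused native VLAN) and IP addresses are assumed. Comments on their own lines begin with an exclamation mark, as IOS config does.

```cisco
! ---- Switch: access port with a phone in front of a workstation ----
! Data VLAN frames pass through the phone untagged; the phone tags voice VLAN 20.
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! ---- Switch: trunk towards the router (Router on a Stick) ----
! Native VLAN moved off VLAN 1 to an unused VLAN with no access ports;
! only the data and voice VLANs are allowed across this link (manual pruning).
interface GigabitEthernet1/0/24
 description Trunk to R1 (ROAS)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! ---- Router R1: one physical interface, one sub-interface per VLAN ----
! The physical interface carries no IP address; each sub-interface is bound
! to its VLAN by the encapsulation command, not by the number after the dot.
interface GigabitEthernet0/1
 no ip address
 no shutdown
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
!
! ---- Verification ----
! Switch:  show interfaces trunk      (mode, encapsulation, native and allowed VLANs)
! Switch:  show vlan brief            (which ports sit in which VLAN)
! Switch:  show cdp neighbors detail  (native VLAN as seen by the neighbour)
! Router:  show ip interface brief    (sub-interfaces up with their addresses)
```

The switchport trunk encapsulation dot1q line is only accepted on switch models that also support ISL; on a switch that only does 802.1Q it is rejected and can simply be omitted. No sub-interface is configured for VLAN 999 because nothing should live there; if the native VLAN ever does need routing, give it a sub-interface with encapsulation dot1Q 999 native. Apply the allowed-VLAN list on both ends of a trunk, and remember that re-issuing switchport trunk allowed vlan without the add keyword replaces the list rather than extending it.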

Resources

Test your knowledge with the Introduction to Networking quizzes.