Networking - Trunking (IEEE 802.1Q)
Trunking, specifically defined under the IEEE 802.1Q standard, is a networking method used to carry multiple VLANs (Virtual Local Area Networks) over a single physical link between network devices such as switches, routers, or servers.
It enables communication between different VLANs while maintaining logical separation of network traffic, which is essential in large, segmented networks.
1. Definition
Trunking (802.1Q) is a VLAN tagging protocol that allows multiple VLANs to be transmitted across a single network link by inserting a special tag (VLAN ID) into Ethernet frames.
In simpler terms:
Trunking enables a single network cable or port to carry traffic for multiple VLANs by adding a VLAN identifier to each frame.
2. Purpose of Trunking
In a network with multiple VLANs, each VLAN normally operates as a separate broadcast domain. Without trunking, you would need a dedicated physical link between switches for each VLAN — which is inefficient and impractical.
Trunking solves this by multiplexing traffic from all VLANs over one link.
Example Without Trunking
- VLAN 10 connects through one cable.
- VLAN 20 connects through another cable.
You would need multiple cables and ports between switches — one per VLAN.
Example With Trunking
- VLAN 10 and VLAN 20 share one trunk link.
- Each Ethernet frame is tagged with a VLAN ID so that switches can identify which VLAN it belongs to.
This drastically reduces cabling complexity and improves scalability.
3. IEEE 802.1Q Standard Overview
IEEE 802.1Q is the official Ethernet standard for VLAN tagging.
It defines how Ethernet frames are tagged and transmitted over trunk links.
Developed by: IEEE (Institute of Electrical and Electronics Engineers)
Standard Name: IEEE 802.1Q
Introduced: 1998
4. How 802.1Q Works
When a switch sends traffic over a trunk link:
- The switch adds a 4-byte VLAN tag to the Ethernet frame.
- The tag identifies which VLAN the frame belongs to.
- The receiving switch reads the tag and forwards the frame to the appropriate VLAN.
- Before sending frames to end devices (access ports), the tag is removed.
4.1 VLAN Tag Structure (802.1Q Tag Format)
The 802.1Q VLAN tag is inserted into the Ethernet frame between the Source MAC Address and EtherType fields.
Original Ethernet Frame:
| Destination MAC | Source MAC | EtherType | Data | FCS |
Tagged Frame (802.1Q):
| Destination MAC | Source MAC | 802.1Q Tag (4 bytes) | EtherType | Data | FCS |
4.2 VLAN Tag Fields (4 bytes total)
| Field | Size | Description |
|---|---|---|
| TPID (Tag Protocol Identifier) | 16 bits (2 bytes) | Always 0x8100 – indicates the frame is VLAN-tagged. |
| TCI (Tag Control Information) | 16 bits (2 bytes) | Contains VLAN-related information. |
The TCI field is divided into:
| Subfield | Size | Purpose |
|---|---|---|
| Priority Code Point (PCP) | 3 bits | Used for QoS (Quality of Service). |
| DEI (Drop Eligible Indicator) | 1 bit | Indicates frame drop eligibility during congestion. |
| VLAN ID | 12 bits | Identifies the VLAN (range 0–4095). |
4.3 VLAN ID Range
| Range | Usage |
|---|---|
| 0 & 4095 | Reserved values |
| 1–1001 | Standard VLANs |
| 1002–1005 | Reserved for legacy Token Ring & FDDI VLANs |
| 1006–4094 | Extended VLAN range (supported by newer switches) |
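The tag layout described in 4.1 to 4.3, as an added example that is not part of this page: a Python encoder/decoder for the 4-byte 802.1Q tag that builds a tagged frame, splits the TCI into PCP, DEI and VLAN ID, rejects the reserved VIDs 0 and 4095, and strips the tag the way a switch does before forwarding to an access port. The MAC addresses and payload are constructed sample values, and the FCS is left out.

```python
import struct

TPID_8021Q = 0x8100        # TPID value that marks a frame as 802.1Q-tagged
# VID 0 means "priority tag only, no VLAN"; 4095 is reserved by the standard.
RESERVED_VIDS = {0, 4095}

def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag between Source MAC and EtherType (FCS omitted)."""
    if vid in RESERVED_VIDS or not 0 <= vid <= 4095:
        raise ValueError(f"VLAN ID {vid} is not a usable VLAN (1-4094)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI must be 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid   # TCI = 3-bit PCP | 1-bit DEI | 12-bit VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_frame(frame: bytes) -> dict:
    """Decode the header; vid is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        # Untagged: on a trunk this is native-VLAN traffic, on an access port normal traffic
        return {"dst": dst, "src": src, "tagged": False, "vid": None,
                "pcp": None, "dei": None, "ethertype": tpid, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "tagged": True, "pcp": tci >> 13,
            "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF,
            "ethertype": ethertype, "payload": frame[18:]}

def strip_tag(frame: bytes) -> bytes:
    """What a switch does before egress to an access port: remove the 4-byte tag."""
    return frame[:12] + frame[16:] if parse_frame(frame)["tagged"] else frame

# Constructed sample: a VLAN 10 IPv4 frame with PCP 5, as it would appear on a trunk
SAMPLE_FRAME = build_tagged_frame(bytes.fromhex("ffffffffffff"),
                                  bytes.fromhex("001122334455"),
                                  vid=10, ethertype=0x0800,
                                  payload=b"\x45" + b"\x00" * 19, pcp=5)

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))       # tagged, vid 10, pcp 5, dei 0
    print(SAMPLE_FRAME[12:18].hex())       # 8100a00a0800
```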
5. Types of Switch Ports
In VLAN configuration, switch ports are classified into two main types:
| Port Type | Description | Carries VLANs |
|---|---|---|
| Access Port | Connects to end devices (PCs, printers, IP phones). | Only one VLAN (untagged) |
| Trunk Port | Connects to other switches or routers. | Multiple VLANs (tagged) |
5.1 Access Port
- Belongs to only one VLAN.
- Does not add VLAN tags to frames.
- Used to connect end-user devices.
Example:
A PC connected to VLAN 10 through an access port — all traffic is untagged and associated with VLAN 10.
5.2 Trunk Port
- Carries traffic from multiple VLANs simultaneously.
- Tags each frame with its VLAN ID using 802.1Q.
- Used for inter-switch links, switch-to-router links, and switch-to-server connections.
6. Native VLAN
- Defined by IEEE 802.1Q to handle untagged traffic on trunk ports.
- By default, VLAN 1 is the native VLAN on Cisco switches.
- Frames belonging to the native VLAN are sent without a VLAN tag.
Example:
If two switches share a trunk link with VLANs 10, 20, and 30 — and VLAN 1 is native:
- Frames from VLAN 10/20/30 → Tagged
- Frames from VLAN 1 → Untagged
Important: Both sides of the trunk must have the same native VLAN ID to avoid VLAN leaks and misconfigurations.
7. Example Scenario
Network Setup
Switch A -------- Switch B
- VLAN 10 → Sales
- VLAN 20 → HR
- VLAN 30 → IT
Without trunking:
Each VLAN requires its own physical link.
With trunking (802.1Q):
- One cable carries VLAN 10, VLAN 20, and VLAN 30 traffic.
- Each frame has a VLAN tag to identify its VLAN membership.
- Switch B removes the tag and forwards frames to the correct VLAN ports.
8. Configuration Example (Cisco IOS)
On Switch A
SwitchA(config)# interface gig0/1
SwitchA(config-if)# switchport mode trunk
SwitchA(config-if)# switchport trunk allowed vlan 10,20,30
SwitchA(config-if)# switchport trunk native vlan 1
On Switch B
SwitchB(config)# interface gig0/1
SwitchB(config-if)# switchport mode trunk
SwitchB(config-if)# switchport trunk allowed vlan 10,20,30
SwitchB(config-if)# switchport trunk native vlan 1
Explanation:
- switchport mode trunk — Enables trunking on the interface.
- switchport trunk allowed vlan — Specifies which VLANs can traverse the trunk.
- switchport trunk native vlan — Defines which VLAN sends untagged frames.
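The native-VLAN behaviour from section 6 and the allowed/native settings from the configuration above, as an added example in Python that is not part of this page: a small model of both trunk ends that shows which VLAN a frame lands in on the far switch and flags a native VLAN mismatch, or a native VLAN left at the default VLAN 1, before it leaks traffic. The dedicated native VLAN 99 and the mis-set Switch B are constructed; the rule that the native VLAN must also be in the allowed list is an assumption based on IOS behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional

UNTAGGED = "untagged"   # wire marker: the frame carries no 802.1Q tag

@dataclass(frozen=True)
class TrunkPort:
    """One end of an 802.1Q trunk, mirroring the IOS commands in section 8."""
    switch: str
    allowed: frozenset   # switchport trunk allowed vlan ...
    native: int          # switchport trunk native vlan ...

def trunk_egress(port: TrunkPort, vid: int):
    """UNTAGGED for the native VLAN, the VID otherwise, None if the VLAN is not allowed.
    Assumption (matches IOS): the native VLAN must itself be in the allowed list."""
    if vid not in port.allowed:
        return None
    return UNTAGGED if vid == port.native else vid

def trunk_ingress(port: TrunkPort, wire_tag) -> Optional[int]:
    """Classify an arriving frame: untagged frames land in the receiver's native VLAN."""
    vid = port.native if wire_tag == UNTAGGED else wire_tag
    return vid if vid in port.allowed else None

def deliver(sender: TrunkPort, receiver: TrunkPort, vid: int) -> Optional[int]:
    """VLAN that a frame from `vid` on the sender ends up in on the receiver (None = dropped)."""
    tag = trunk_egress(sender, vid)
    return None if tag is None else trunk_ingress(receiver, tag)

def check_trunk(a: TrunkPort, b: TrunkPort) -> List[str]:
    """Consistency checks for both trunk ends (sections 6 and 13)."""
    issues = []
    if a.native != b.native:
        issues.append(f"native VLAN mismatch: {a.switch}={a.native}, {b.switch}={b.native}")
    if a.allowed != b.allowed:
        issues.append(f"allowed VLAN mismatch: {sorted(a.allowed ^ b.allowed)} on one side only")
    for p in (a, b):
        if p.native == 1:
            issues.append(f"{p.switch}: native VLAN is the default VLAN 1; use a dedicated one")
    return issues

# Constructed configs: the page's Switch A/B (native VLAN 1), a hardened pair with a
# dedicated native VLAN 99, and a Switch B whose native VLAN was mis-set to 10.
PAGE_A = TrunkPort("SwitchA", frozenset({10, 20, 30}), native=1)
PAGE_B = TrunkPort("SwitchB", frozenset({10, 20, 30}), native=1)
GOOD_A = TrunkPort("SwitchA", frozenset({10, 20, 30, 99}), native=99)
GOOD_B = TrunkPort("SwitchB", frozenset({10, 20, 30, 99}), native=99)
BAD_B = TrunkPort("SwitchB", frozenset({10, 20, 30, 99}), native=10)
```

With `GOOD_A` talking to `BAD_B`, a VLAN 99 frame leaves Switch A untagged and is classified as VLAN 10 on arrival, which is the leak section 6 warns about.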
9. Advantages of Trunking (802.1Q)
| Advantage | Description |
|---|---|
| Efficient Use of Links | Multiple VLANs share a single physical link. |
| Scalability | Easily add new VLANs without additional cabling. |
| Simplified Management | Easier VLAN extension between switches. |
| Inter-Switch Communication | Enables VLAN consistency across multiple switches. |
| Supports QoS | Priority bits (PCP) allow better traffic management. |
10. Disadvantages of Trunking
| Disadvantage | Description |
|---|---|
| Misconfiguration Risk | Mismatched VLAN settings can cause loops or VLAN leaks. |
| Security Concerns | VLAN hopping attacks can exploit native VLANs. |
| Bandwidth Sharing | All VLANs share the same trunk bandwidth. |
| Debugging Complexity | Harder to troubleshoot tagged vs untagged traffic. |
11. Trunking Protocols
| Protocol | Description | Vendor |
|---|---|---|
| IEEE 802.1Q | Industry-standard VLAN tagging protocol. | Open Standard |
| ISL (Inter-Switch Link) | Cisco proprietary VLAN tagging protocol (older, obsolete). | Cisco Systems |
Note:
ISL adds a 30-byte header, while 802.1Q only adds 4 bytes, which makes 802.1Q more efficient and is one reason it became the widely adopted standard.
12. VLAN Trunking Protocol (VTP)
Although different from trunking, VTP (VLAN Trunking Protocol) works alongside trunking to manage VLAN information across multiple switches.
- Automatically propagates VLAN configurations.
- Works only over trunk links.
- Cisco proprietary protocol.
13. Security Considerations
- Avoid using VLAN 1 as the native VLAN — assign a dedicated, unused VLAN instead.
- Disable unused trunk ports to prevent unauthorized access.
- Limit VLANs allowed on trunks to only those needed.
- Use Private VLANs (PVLANs) and ACLs for added security.
14. Real-World Example
Imagine a university with different VLANs for Students (VLAN 10), Faculty (VLAN 20), and Administration (VLAN 30).
Each building has switches connected by trunk links carrying all three VLANs.
This setup allows:
- Centralized VLAN management.
- Segmented traffic for each department.
- Efficient use of network cabling and bandwidth.
15. Summary
| Feature | Description |
|---|---|
| Standard | IEEE 802.1Q |
| Purpose | Carry multiple VLANs over one link |
| Tag Size | 4 bytes (Inserted into Ethernet frame) |
| Port Types | Access Port (single VLAN), Trunk Port (multiple VLANs) |
| Native VLAN | Handles untagged frames (default VLAN 1) |
| VLAN Range | 1–4094 |
| Use Case | Inter-switch, switch-to-router, switch-to-server links |
16. Conclusion
Trunking (802.1Q) is a cornerstone of modern switched networks, enabling efficient VLAN communication, scalability, and flexible design. By tagging Ethernet frames with VLAN identifiers, 802.1Q ensures that traffic remains logically separated even while sharing the same physical infrastructure.
In essence, 802.1Q trunking simplifies VLAN management, conserves physical resources, and supports dynamic, multi-VLAN environments — making it a key component in enterprise and data center networking.