802.1Q Trunking

1. Introduction to 802.1Q Trunking

You already know how to configure VLANs and assign ports.
But what happens when the same VLAN needs to span multiple switches?

Network topology demonstrating 802.1Q trunking between two switches, SW1 and SW2, connecting VLAN 10 and VLAN 20 devices.

In the diagram above, PC1 (VLAN 10) and PC3 (also VLAN 10) sit on different switches.
For them to communicate we need two things:

  1. A physical link between the switches.
  2. 802.1Q trunking on that link.
Network diagram showing two switches (SW1 and SW2) connected by a central trunk link, extending VLAN 10 (PC1, PC3) and VLAN 20 (PC2, PC4) across the network.

Let’s walk through an example. PC1 wants to send traffic to PC3.

Switch 1 (SW1) receives the frame on interface G0/1, which is an access port in VLAN 10. SW1 now needs to forward the frame to Switch 2 (SW2) over the trunk.

Network diagram illustrating VLAN 10 traffic (ETH frames with '10' tag) traversing a trunk link between two switches (SW1 and SW2), extending VLAN 10 and VLAN 20 connectivity for connected PCs.

SW2 receives the frame and finally hands it to PC3.

Okay, that sounds good, but how does it really work?

2. How Trunking Works

Let’s break down step by step how a tagged Ethernet frame travels from one switch to another over a trunk link.

802.1Q VLAN tagging and untagging process on a network trunk link between switches.
  1. Frame ingress on SW1
    PC1 belongs to VLAN 10, so the frame arrives on SW1’s G0/1 access port tagged internally as VLAN 10.
  2. Tagging for the trunk

Because the destination is on another switch, SW1 wraps the original Ethernet frame inside an 802.1Q frame. This encapsulation adds a 4‑byte header that carries the VLAN Identifier (VID).

Diagram illustrating the structure of an 802.1Q frame, detailing its components including the Ethernet frame fields and the expanded 4-byte 802.1Q tag, which contains the Ethertype, Priority, CFI, and VLAN Identifier (VID).

This tag is what tells the switch which VLAN the frame belongs to.

The protocol used for this tagging is called IEEE 802.1Q. It is an open standard supported by all vendors and is recommended over Cisco’s older ISL protocol.

The 802.1Q tag contains:

  • 12 bits for the VLAN ID (range: 1–4094; 0 and 4095 are reserved)
  • 3 bits for priority marking (802.1p QoS)
  • 1 bit called the CFI or DEI bit (not required at CCNA level)

SW1 sets the VID to 10:

Diagram illustrating an 802.1Q frame structure, showing the 4-byte tag explicitly set with VLAN 10 as the VLAN Identifier (VID), within the Ethernet frame components.
  1. Transit over the trunk
    The tagged frame travels across the trunk link, keeping its VID of 10 so every hop knows it belongs to VLAN 10.
802.1Q VLAN tagging, trunk transit, and untagging process on a network link between two switches.
  1. Frame egress on SW2

When the frame arrives on SW2’s trunk port, SW2 removes the 802.1Q header, restoring the original Ethernet frame. Because the tag indicated VLAN 10, SW2 forwards the frame out its G0/1 access port toward PC‑3.

That’s the entire journey: ingress, tagging, trunk transport, un‑tagging, and delivery.

3. Configuring 802.1Q Trunking

Now that you understand how trunking works, let’s see how to configure it on Cisco switches using the CLI.

Network diagram illustrating a two-switch topology (SW1 and SW2) connected by a trunk link, designed to extend VLAN 10 and VLAN 20 connectivity for PCs across both switches.

Configuring the Trunk Port on SW1

  1. Enter configuration mode and Select the interface between SW1 and SW2 (G0/0):
SW1# configure terminal
SW1(config)# interface G0/0

2. Set the encapsulation to 802.1Q:

SW1(config-if)# switchport trunk encapsulation dot1q

3. Set the port to trunk mode:

SW1(config-if)# switchport mode trunk

4. (Optional) Specify the allowed VLANs on the trunk:
If you want to restrict the trunk to only specific VLANs (example VLANs 10 and 20):

SW1(config-if)# switchport trunk allowed vlan 10,20

Verifying the Trunk Port Configuration

Use the show interfaces trunk command to verify that the trunk port is active and configured correctly:

SW1# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
G0/0        on           802.1q         trunking      1

Port        Vlans allowed on trunk
G0/0        10,20

Port        Vlans in spanning tree forwarding state and not pruned
G0/0        10,20

Configuring the Trunk Port on SW2

Now, let’s configure the trunk port on SW2, which connects to the trunk on SW1.

  1. Enter configuration mode and Select the interface between SW1 and SW2 (G0/0):
SW2# configure terminal
SW2(config)# interface G0/0

2. Set the encapsulation to 802.1Q:

SW2(config-if)# switchport trunk encapsulation dot1q

3. Set the port to trunk mode:

SW2(config-if)# switchport mode trunk

4. (Optional) Specify the allowed VLANs on the trunk:

SW2(config-if)# switchport trunk allowed vlan 10,20

Verifying the Trunk Port Configuration

To ensure the trunk port is active and configured correctly, use the show interfaces trunk command on SW2:

SW2# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
G0/0        on           802.1q        trunking      1

Port        Vlans allowed on trunk
G0/0        10,20

Port        Vlans in spanning tree forwarding state and not pruned
G0/0        10,20

Now that we’ve successfully configured a trunk port and ensured it’s functioning correctly, the next step is to explore Dynamic Trunking Protocol (DTP), its role in negotiation of trunking !

For more information about 802.1Q, refer to the official Cisco VLAN Trunking Documentation.