VLANs work fine on a single switch. The minute you have two switches and want VLAN 10 on both, you need a trunk: a port that carries traffic for multiple VLANs and tags each frame with its VLAN ID so the receiving switch knows which broadcast domain it belongs to. This lab takes the three-switch triangle, looks at the existing 802.1Q trunks between them, and walks through VTP, the protocol Cisco invented to synchronize VLAN configurations across switches.
This is the second of five free preview labs in the library, and the highest-leverage Pillar 2 search target.
What you will learn
- What an 802.1Q trunk is and how it differs from an access port
- The role of the native VLAN and why moving it off VLAN 1 is a hardening best practice
- How to configure a trunk on Cisco IOSvL2 switches
- The output of show interfaces trunk and how to read all four sub-tables
- What VTP is, the three modes (server, client, transparent), and why transparent is the modern default
What this lab does NOT cover
- DTP (Dynamic Trunking Protocol) - that is the next lab, na-04
- VLAN pruning beyond a quick mention
- VTP version 3 in depth - we show version 1, the version on by default
Topology
Download the STP+VLAN Reference Lab .yaml
Drop this into CML's Import dialog. Three IOSvL2 switches in a triangle with VLANs 10/20/99, dot1q trunks, rapid-PVST root election, and an LACP EtherChannel between SW1 and SW2.
Step 1: Examine an existing trunk
The three switches are already trunked. Look at SW1's view:
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Gi0/0 on 802.1q trunking 99
Gi0/1 on 802.1q trunking 99
Po1 on 802.1q trunking 99
Port Vlans allowed on trunk
Gi0/0 10,20,99
Gi0/1 10,20,99
Po1 10,20,99
Port Vlans allowed and active in management domain
Gi0/0 10,20,99
Gi0/1 10,20,99
Po1 10,20,99
Port Vlans in spanning tree forwarding state and not pruned
Gi0/0 10,20,99
Gi0/1 10,20,99
Po1 10,20
This output has four sub-tables. Read them carefully:
- Top - Mode, Encapsulation, Status, Native VLAN. Native VLAN 99 (not VLAN 1 - that is the hardening choice).
- Vlans allowed on trunk - what you configured with switchport trunk allowed vlan
- Vlans allowed and active in management domain - VLANs from the allowed list that also exist in this switch's VLAN database
- Vlans in spanning tree forwarding state and not pruned - VLANs that are actually forwarding right now. The Po1 row shows VLAN 99 missing - STP is blocking VLAN 99 on Po1 because Gi0/0 is the preferred path for that VLAN. This is normal multipath behavior.
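Reading the four sub-tables by eye works for three ports; across a fleet you want the same checks scripted. The following is an added example (not PingLabz lab material and not Cisco tooling) that parses the SW1 output above into one record per port and then applies the two comparisons this lab keeps coming back to: VLANs that are allowed but not forwarding (the Po1/VLAN 99 case), and native VLAN disagreement between the two ends of a link. The SW2 output and the port-to-port cabling are constructed assumptions: SW2 is a copy of SW1's output with Gi0/0 deliberately left at native VLAN 1 so the mismatch check has something to find.

```python
from dataclasses import dataclass, field

# Constructed sample: SW1's "show interfaces trunk" output from this lab, embedded so the
# parser runs offline. Column spacing is approximate; the parser only relies on whitespace.
SW1_TRUNK_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/0       on           802.1q         trunking      99
Gi0/1       on           802.1q         trunking      99
Po1         on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/0       10,20,99
Gi0/1       10,20,99
Po1         10,20,99

Port        Vlans allowed and active in management domain
Gi0/0       10,20,99
Gi0/1       10,20,99
Po1         10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/0       10,20,99
Gi0/1       10,20,99
Po1         10,20
"""

# Constructed SW2 output (hypothetical): identical to SW1 except that Gi0/0 was left at the
# default native VLAN 1, to exercise the mismatch check below.
SW2_TRUNK_OUTPUT = SW1_TRUNK_OUTPUT.replace("trunking      99", "trunking      1", 1)

# Assumed cabling for the mismatch check: (SW1 port, SW2 port) for each trunk between them.
SW1_SW2_LINKS = [("Gi0/0", "Gi0/0"), ("Po1", "Po1")]


@dataclass
class TrunkPort:
    name: str
    mode: str
    encapsulation: str
    status: str
    native_vlan: int
    allowed: set = field(default_factory=set)      # sub-table 2
    active: set = field(default_factory=set)       # sub-table 3
    forwarding: set = field(default_factory=set)   # sub-table 4


def expand_vlan_list(text):
    """Expand IOS VLAN list syntax ("10,20,99", "1-4094", "none") into a set of ints."""
    text = text.strip().lower()
    vlans = set()
    if text in ("", "none"):
        return vlans
    for part in text.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_interfaces_trunk(output):
    """Return {port name: TrunkPort} with all four sub-tables merged per port."""
    ports, section = {}, -1
    attrs = {1: "allowed", 2: "active", 3: "forwarding"}
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):          # each sub-table opens with a "Port ..." header
            section += 1
            continue
        fields = line.split()
        if section == 0:
            name, mode, encap, status, native = fields
            ports[name] = TrunkPort(name, mode, encap, status, int(native))
        else:
            name = fields[0]
            vlan_text = fields[1] if len(fields) > 1 else ""
            setattr(ports[name], attrs[section], expand_vlan_list(vlan_text))
    return ports


def allowed_but_not_active(ports):
    """VLANs on the allowed list that do not exist in the local VLAN database."""
    return {n: sorted(p.allowed - p.active) for n, p in ports.items() if p.allowed - p.active}


def allowed_but_not_forwarding(ports):
    """VLANs allowed on the trunk that STP is blocking (or that are pruned) right now."""
    return {n: sorted(p.allowed - p.forwarding) for n, p in ports.items() if p.allowed - p.forwarding}


def native_vlan_mismatches(local, remote, links):
    """(local port, remote port, local native, remote native) for every link whose ends disagree."""
    return [(l, r, local[l].native_vlan, remote[r].native_vlan)
            for l, r in links if local[l].native_vlan != remote[r].native_vlan]


if __name__ == "__main__":
    sw1 = parse_show_interfaces_trunk(SW1_TRUNK_OUTPUT)
    sw2 = parse_show_interfaces_trunk(SW2_TRUNK_OUTPUT)
    print("blocked or pruned:", allowed_but_not_forwarding(sw1))
    print("native mismatches:", native_vlan_mismatches(sw1, sw2, SW1_SW2_LINKS))
```

A difference between sub-tables 2 and 3 is the "VLAN not defined locally" symptom from the troubleshooting matrix; a difference between 2 and 4 on a healthy network is usually just STP doing its job, as with Po1 here, so treat it as a thing to explain rather than a thing to fix.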
Step 2: Configure a trunk from scratch
To prove you can configure trunking yourself, take Gi0/2 (currently access mode) and convert it to a trunk:
SW1#configure terminal
SW1(config)#interface GigabitEthernet0/2
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk native vlan 99
SW1(config-if)#switchport trunk allowed vlan 10,20,99
SW1(config-if)#end
Every one of the switchport commands matters:
- switchport trunk encapsulation dot1q - explicitly 802.1Q (older switches negotiated ISL or dot1q; modern is always dot1q)
- switchport mode trunk - hardcode trunk mode, do not negotiate
- switchport trunk native vlan 99 - hardening: never use the default VLAN 1 as native
- switchport trunk allowed vlan 10,20,99 - explicit allow-list - only these VLANs cross the trunk
Step 3: Native VLAN - the hardening point
Frames that arrive on a trunk WITHOUT a VLAN tag get placed in the native VLAN. Default native is VLAN 1. The hardening best practice is to:
- Change the native VLAN to something other than VLAN 1 (we use VLAN 99 throughout PingLabz labs)
- Never use the native VLAN as a data VLAN
- Match the native VLAN on both ends of every trunk
Why? Because a malicious host on the native VLAN could send untagged frames that the trunk treats as native, bypassing tag-based security. Native VLAN 99 with no hosts on it eliminates that attack surface.
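To make the native VLAN rule concrete, here is an added example (not from the lab, not a Cisco implementation) that builds and parses the 802.1Q tag itself and then models what a trunk port does with a frame on ingress and egress: untagged frames are placed in the native VLAN, tagged frames go to their VID if it is on the allowed list, and native-VLAN traffic leaves the trunk untagged. The MAC addresses and payload are constructed; the allowed list and native VLAN 99 are the lab's values.

```python
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_untagged_frame(dst_mac, src_mac, ethertype, payload):
    """Build a plain Ethernet II frame (no FCS) from 6-byte dst, 6-byte src, ethertype and payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vlan_id, pcp=0, dei=0):
    """Insert an 802.1Q tag (TPID + TCI) between the source MAC and the original ethertype."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VID must be 1-4094 (0 = priority-only, 4095 = reserved)")
    tci = (pcp << 13) | (dei << 12) | vlan_id   # 3-bit priority, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload). None means the frame carried no tag."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner_type, frame[18:]
    return None, ethertype, frame[14:]


def strip_tag(frame):
    """Remove the 802.1Q tag if present (what a trunk does on egress for native-VLAN traffic)."""
    vid, _, _ = parse_frame(frame)
    return frame[:12] + frame[16:] if vid is not None else frame


def trunk_ingress_vlan(frame, native_vlan, allowed):
    """Model trunk ingress classification: the VLAN the frame is placed in, or None if dropped."""
    vid, _, _ = parse_frame(frame)
    if vid is None or vid == 0:      # untagged and priority-tagged (VID 0) frames land in the native VLAN
        vid = native_vlan
    return vid if vid in allowed else None   # VLANs outside the allowed list never cross the trunk


def trunk_egress_frame(frame, vlan_id, native_vlan):
    """Model trunk egress: native-VLAN traffic leaves untagged, everything else leaves tagged."""
    untagged = strip_tag(frame)
    return untagged if vlan_id == native_vlan else tag_frame(untagged, vlan_id)


# Constructed sample frame: locally administered MACs and a short IPv4-ethertype payload.
SAMPLE_FRAME = build_untagged_frame(bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                                    ETHERTYPE_IPV4, b"constructed payload")

if __name__ == "__main__":
    allowed = {10, 20, 99}
    tagged = tag_frame(SAMPLE_FRAME, 10, pcp=5)
    print("tagged VID:", parse_frame(tagged)[0])
    print("untagged frame lands in VLAN:", trunk_ingress_vlan(SAMPLE_FRAME, 99, allowed))
    print("VLAN 30 tag on this trunk:", trunk_ingress_vlan(tag_frame(SAMPLE_FRAME, 30), 99, allowed))
```

The ingress rule is the whole hardening argument in one line: whatever arrives untagged is assigned to the native VLAN with no further checks, so the only safe native VLAN is one that carries no user traffic and has no hosts in it. The egress rule is why both ends must agree: if SW1 strips the tag for VLAN 99 and SW2 assigns untagged frames to VLAN 1, two broadcast domains quietly merge.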
Step 4: VTP - the VLAN database synchronization protocol
VTP (VLAN Trunking Protocol) lets a switch act as a "server" advertising its VLAN database to "clients" that copy it. Sounds useful. In practice it has caused so many production outages (a wiped VTP server can wipe every client's VLAN database) that modern best practice is to use VTP transparent mode on every switch, which means each switch maintains its own VLANs locally and ignores incoming VTP advertisements.
SW1#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 5254.008b.8000
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Feature VLAN:
--------------
VTP Operating Mode : Transparent
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
Configuration Revision : 0
MD5 digest : 0xC1 0xB6 0x8B 0x58 0x57 0x8A 0xBC 0xCB
Two lines tell you what mode we are in:
- VTP version running: 1 - the lab is on VTP version 1 (the most common)
- VTP Operating Mode: Transparent - this switch ignores VTP advertisements from neighbors and only respects local VLAN configuration
The Configuration Revision number is the dangerous part of VTP server/client mode. Higher revision wins. If you ever plug in a switch with a higher revision number and the same domain, it overwrites the VLAN database on the rest of the network. Transparent mode avoids this entirely.
Step 5: VTP server/client mode (educational only)
If you want to see VTP server/client in action, change SW1 to server and SW2 to client:
SW1(config)#vtp domain PINGLABZ
SW1(config)#vtp mode server
SW1(config)#vtp version 2
SW2(config)#vtp domain PINGLABZ
SW2(config)#vtp mode client
SW2(config)#vtp version 2
Then create a VLAN on SW1 - it propagates to SW2 automatically.
SW1(config)#vlan 40
SW1(config-vlan)#name TEMPORARY-DEMO
Wait 10 seconds, then on SW2:
SW2#show vlan brief | include 40
40 TEMPORARY-DEMO active
VLAN 40 appears on SW2 even though we never configured it there. That is VTP. For production, never do this. Set everyone to transparent mode and configure VLANs locally on each switch.
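The two behaviours from Step 4 and Step 5 (higher revision wins within a domain; transparent mode ignores advertisements) fit in a small model. The following is an added example written for this page, not PingLabz code and not Cisco's VTP implementation; it keeps only the three fields that decide whether an advertisement is applied (domain, revision, mode) and a VLAN dictionary. The VLAN names, the revision numbers and the "BENCH-SW" switch reintroduced with a stale, empty database are constructed for the demonstration. The first scenario reproduces Step 5; the second reproduces the outage Step 4 warns about and shows the transparent switch keeping its VLANs.

```python
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    """Minimal model of a switch's VTP state: mode, domain, revision and VLAN database."""
    name: str
    mode: str                      # "server", "client" or "transparent"
    domain: str
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def create_vlan(self, vid, name):
        """Local VLAN creation. Clients cannot; servers bump the revision; transparent stays local."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot modify the VLAN database")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1      # every database change on a server increments the revision

    def advertisement(self):
        """Summary advertisement as sent over trunks: domain, revision and the full VLAN list."""
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv):
        """The rule behind the outages: same domain and higher revision wins, for clients AND
        servers. Transparent mode ignores the contents (it only relays them on its trunks)."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False
        if adv["revision"] > self.revision:
            self.vlans = dict(adv["vlans"])
            self.revision = adv["revision"]
            return True
        return False


def propagate(source, switches):
    """Deliver one advertisement from source to every other switch; return the names that applied it."""
    adv = source.advertisement()
    return [s.name for s in switches if s is not source and s.receive(adv)]


# Constructed VLAN names for the lab's VLANs 10/20/99 (the lab does not name them).
LAB_VLANS = {1: "default", 10: "USERS", 20: "SERVERS", 99: "NATIVE"}


def step5_scenario():
    """Step 5 of the lab: SW1 (server) creates VLAN 40, SW2 (client) picks it up."""
    sw1 = VtpSwitch("SW1", "server", "PINGLABZ", revision=1, vlans=dict(LAB_VLANS))
    sw2 = VtpSwitch("SW2", "client", "PINGLABZ", revision=1, vlans=dict(LAB_VLANS))
    sw1.create_vlan(40, "TEMPORARY-DEMO")
    accepted = propagate(sw1, [sw1, sw2])
    return accepted, sw2.vlans.get(40)


def stale_server_scenario():
    """The outage from Step 4: a switch with the same domain name, a higher revision and only
    VLAN 1 (constructed: a unit brought back from a test bench) overwrites every server and
    client; the transparent switch keeps its database."""
    sw1 = VtpSwitch("SW1", "server", "PINGLABZ", revision=5, vlans=dict(LAB_VLANS))
    sw2 = VtpSwitch("SW2", "client", "PINGLABZ", revision=5, vlans=dict(LAB_VLANS))
    sw3 = VtpSwitch("SW3", "transparent", "PINGLABZ", vlans=dict(LAB_VLANS))
    stale = VtpSwitch("BENCH-SW", "server", "PINGLABZ", revision=42)    # database holds only VLAN 1
    propagate(stale, [sw1, sw2, sw3])
    return {s.name: sorted(s.vlans) for s in (sw1, sw2, sw3)}


if __name__ == "__main__":
    print(step5_scenario())
    print(stale_server_scenario())
```

Note that in the second scenario SW1, the legitimate server, loses its database too: servers accept higher-revision advertisements just as clients do, which is why "we have a VTP server, so we are safe" is not a defence and transparent mode everywhere is.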
Verification
- show interfaces trunk on SW1 shows Gi0/0, Gi0/1, Po1 as 802.1Q trunks with native VLAN 99
- All trunks allow VLANs 10, 20, 99
- show vtp status shows VTP Operating Mode: Transparent
- If you went through Step 5, VLAN 40 propagates from SW1 (server) to SW2 (client) - then revert
Troubleshooting matrix
| Symptom | Likely cause | Confirm with | Fix |
|---|---|---|---|
| Trunk shows "off" or "not-trunking" | switchport mode trunk missing on one end | show interfaces switchport on both ends | Hardcode switchport mode trunk on both |
| "Native VLAN mismatch" CDP log | One end has native VLAN 99, the other has native VLAN 1 | Compare show interfaces trunk on both ends | Match the native VLAN on both ends |
| VLAN exists on the switch but not in the trunk's "active in management domain" | VLAN not added to allowed list | show interfaces trunk "Vlans allowed on trunk" | switchport trunk allowed vlan add N |
| VLAN database wiped after restart | VTP client copied an empty server's database | show vtp status on every switch | Set everyone to transparent; rebuild VLANs locally |
Engineer's note: production reality
The single biggest cause of VLAN-related production outages is VTP. The protocol was designed for an era when networks were small and stable. Modern networks are large and dynamic; VTP server mode is a footgun. Every enterprise that has been bitten by a "rogue VTP server wiped our VLAN database" incident moves to transparent mode and stays there.
Trunks themselves are stable and well-understood. The most common operational issue is "allowed VLAN list drift" - someone adds a new VLAN to one switch but forgets to add it to the trunk's allowed list, so traffic for that VLAN never crosses. Automation that derives the allowed-VLAN list from the VLAN-to-port mapping prevents this.
Related reading on PingLabz
- VLANs and Layer 2 Switching: The Complete Guide
- Lab na-04: DTP and static trunking
- Lab na-12: Router-on-a-stick (inter-VLAN routing over a trunk)
Key takeaways
- A trunk carries multiple VLANs and tags each frame with its VLAN ID (using 802.1Q).
- Configure with switchport mode trunk + switchport trunk allowed vlan N,M,... + switchport trunk native vlan X.
- Native VLAN should never be VLAN 1 in production. Match the native VLAN on both ends.
- VTP synchronizes VLAN databases. Use transparent mode in production. Server/client mode is a known footgun.
- show interfaces trunk has four sub-tables; the last (forwarding state) tells you what VLANs are actually crossing right now.
Up next
Lab na-04: DTP and static trunking looks at the protocol that NEGOTIATES trunking (and why you should turn it off).