Configuring 802.1Q Trunks on Cisco Catalyst Switches

Master 802.1Q trunk configuration between Catalyst switches, including VLAN pruning, native VLAN setup, and comprehensive troubleshooting techniques.

Trunk links form the backbone of multi-VLAN networks on Cisco Catalyst switches. Understanding how to configure, verify, and troubleshoot 802.1Q trunks is essential for building scalable switched networks. This guide walks through configuring trunks across your lab topology and includes realistic show command output and troubleshooting scenarios.

The standard lab topology includes three trunk links:

  • ACC-SW1 Gi1/0/23 ↔ DIST-SW1 Gi1/0/24 (Access to Distribution)
  • ACC-SW2 Gi1/0/23 ↔ DIST-SW2 Gi1/0/24 (Access to Distribution)
  • DIST-SW1 Gi1/0/1 ↔ CORE-SW1 Gi1/0/2 (Distribution to Core)
  • DIST-SW2 Gi1/0/1 ↔ CORE-SW1 Gi1/0/3 (Distribution to Core)

All trunks use 802.1Q encapsulation with native VLAN 99 and allowed VLANs pruned to the set actually in use.

Configuring 802.1Q Trunks: Access to Distribution

Configure the trunk link from ACC-SW1 to DIST-SW1:

ACC-SW1# configure terminal

ACC-SW1(config)# interface GigabitEthernet 1/0/23
ACC-SW1(config-if)# description Trunk-to-DIST-SW1-Gi1/0/24
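! Set the encapsulation before trunk mode; switches that offer both ISL and 802.1Q reject "switchport mode trunk" while the encapsulation is still negotiated
ACC-SW1(config-if)# switchport trunk encapsulation dot1q
ACC-SW1(config-if)# switchport mode trunk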
ACC-SW1(config-if)# switchport trunk allowed vlan 10,20,30,40,50,99
ACC-SW1(config-if)# switchport trunk native vlan 99
ACC-SW1(config-if)# switchport nonegotiate
ACC-SW1(config-if)# no shutdown
ACC-SW1(config-if)# exit

ACC-SW1(config)# interface GigabitEthernet 1/0/24
ACC-SW1(config-if)# description Trunk-to-ACC-SW2-Gi1/0/24-EtherChannel-Po10
ACC-SW1(config-if)# switchport trunk encapsulation dot1q
ACC-SW1(config-if)# switchport mode trunk
ACC-SW1(config-if)# switchport trunk allowed vlan 10,20,30,40,50,99
ACC-SW1(config-if)# switchport trunk native vlan 99
ACC-SW1(config-if)# switchport nonegotiate
ACC-SW1(config-if)# no shutdown
ACC-SW1(config-if)# exit

ACC-SW1(config)# end
ACC-SW1# write memory

Now configure the matching trunk on DIST-SW1:

DIST-SW1# configure terminal

DIST-SW1(config)# interface GigabitEthernet 1/0/24
DIST-SW1(config-if)# description Trunk-to-ACC-SW1-Gi1/0/23
DIST-SW1(config-if)# switchport trunk encapsulation dot1q
DIST-SW1(config-if)# switchport mode trunk
DIST-SW1(config-if)# switchport trunk allowed vlan 10,20,30,40,50,99
DIST-SW1(config-if)# switchport trunk native vlan 99
DIST-SW1(config-if)# switchport nonegotiate
DIST-SW1(config-if)# no shutdown
DIST-SW1(config-if)# exit

DIST-SW1(config)# end
DIST-SW1# write memory

Repeat this configuration on ACC-SW2 Gi1/0/23 ↔ DIST-SW2 Gi1/0/24, adjusting interface numbers as needed.

Configuring 802.1Q Trunks: Distribution to Core

Configure the trunk from DIST-SW1 to CORE-SW1:

DIST-SW1# configure terminal

DIST-SW1(config)# interface GigabitEthernet 1/0/1
DIST-SW1(config-if)# description Trunk-to-CORE-SW1-Gi1/0/2
DIST-SW1(config-if)# switchport trunk encapsulation dot1q
DIST-SW1(config-if)# switchport mode trunk
DIST-SW1(config-if)# switchport trunk allowed vlan 10,20,30,40,50,99
DIST-SW1(config-if)# switchport trunk native vlan 99
DIST-SW1(config-if)# switchport nonegotiate
DIST-SW1(config-if)# no shutdown
DIST-SW1(config-if)# exit

DIST-SW1(config)# end
DIST-SW1# write memory

Configure the matching trunk on CORE-SW1:

CORE-SW1# configure terminal

CORE-SW1(config)# interface GigabitEthernet 1/0/2
CORE-SW1(config-if)# description Trunk-to-DIST-SW1-Gi1/0/1
CORE-SW1(config-if)# switchport trunk encapsulation dot1q
CORE-SW1(config-if)# switchport mode trunk
CORE-SW1(config-if)# switchport trunk allowed vlan 10,20,30,40,50,99
CORE-SW1(config-if)# switchport trunk native vlan 99
CORE-SW1(config-if)# switchport nonegotiate
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit

CORE-SW1(config)# interface GigabitEthernet 1/0/3
CORE-SW1(config-if)# description Trunk-to-DIST-SW2-Gi1/0/1
CORE-SW1(config-if)# switchport trunk encapsulation dot1q
CORE-SW1(config-if)# switchport mode trunk
CORE-SW1(config-if)# switchport trunk allowed vlan 10,20,30,40,50,99
CORE-SW1(config-if)# switchport trunk native vlan 99
CORE-SW1(config-if)# switchport nonegotiate
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit

CORE-SW1(config)# end
CORE-SW1# write memory

Understanding VLAN Pruning

The switchport trunk allowed vlan command limits which VLANs traverse a trunk. In the configuration above, only VLANs 10, 20, 30, 40, 50, and 99 are allowed:

ACC-SW1# show interfaces GigabitEthernet 1/0/23 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/23    on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi1/0/23    10,20,30,40,50,99

Port        Vlans allowed and active in management domain
Gi1/0/23    10,20,30,40,50,99

Port        Vlans in spanning-tree forwarding state and not pruned
Gi1/0/23    10,20,30,40,50,99

All allowed VLANs are active (they exist on the switch), and all of them are in the Spanning Tree Protocol (STP) forwarding state and not pruned. If a VLAN existed but was not in the "allowed" list, it would not appear on the trunk. For example, if you added VLAN 200 to the switch but didn't add it to the allowed list, traffic for VLAN 200 would not cross this trunk:

! Add VLAN 200 but don't add it to allowed list
ACC-SW1(config)# vlan 200
ACC-SW1(config-vlan)# name Test-VLAN
ACC-SW1(config-vlan)# exit
ACC-SW1(config)# end

! Check trunk status
ACC-SW1# show interfaces GigabitEthernet 1/0/23 trunk

Port        Vlans allowed on trunk
Gi1/0/23    10,20,30,40,50,99

Port        Vlans allowed and active in management domain
Gi1/0/23    10,20,30,40,50,99,200

! VLAN 200 exists (active) but is not in the allowed list

Notice that "Vlans allowed and active in management domain" shows 200, but "Vlans allowed on trunk" does not. VLAN 200 traffic is blocked on this trunk link.

To enable VLAN 200, add it to the allowed list:

ACC-SW1(config)# interface GigabitEthernet 1/0/23
ACC-SW1(config-if)# switchport trunk allowed vlan add 200
ACC-SW1(config-if)# end

ACC-SW1# show interfaces GigabitEthernet 1/0/23 trunk

Port        Vlans allowed on trunk
Gi1/0/23    10,20,30,40,50,99,200

Adding, Removing, and Resetting the Allowed VLAN List

Three commands modify the allowed VLAN list:

! Add a VLAN to the existing allowed list
switchport trunk allowed vlan add 200

! Remove a VLAN from the allowed list
switchport trunk allowed vlan remove 50

! Replace the entire allowed list (all others are removed)
switchport trunk allowed vlan 10,20,30,40,50,99,200,201

Be careful with the base command (no add/remove); it replaces the entire list. To avoid accidentally removing VLANs, use add and remove.
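
The difference between the three forms, as an added example (not code from the original page): a pre-change check that replays planned switchport trunk allowed vlan lines against the current allowed list and reports the VLANs each line would drop. The function names and the sample change plans are hypothetical, and only the base, add, and remove forms shown above are modelled.

```python
import re

def expand(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

CMD = re.compile(r"switchport trunk allowed vlan\s+(?:(add|remove)\s+)?([\d,\-\s]+)$")

def review_change(current, planned_lines):
    """Replay planned commands; return (final_set, findings).

    Each finding is (line, dropped_vlans) for a command that takes VLANs
    off the trunk. The base form replaces the list, so omissions count.
    """
    allowed, findings = set(current), []
    for line in planned_lines:
        m = CMD.search(line.strip())
        if not m:
            continue  # not an allowed-list command
        action, vlans = m.group(1), expand(m.group(2))
        if action == "add":
            new = allowed | vlans
        elif action == "remove":
            new = allowed - vlans
        else:
            new = vlans  # base form: full replacement
        dropped = sorted(allowed - new)
        if dropped:
            findings.append((line.strip(), dropped))
        allowed = new
    return allowed, findings

# Constructed change plans against the lab trunk's current allowed list.
CURRENT = expand("10,20,30,40,50,99")
SAFE = ["switchport trunk allowed vlan add 200"]
RISKY = ["switchport trunk allowed vlan 200"]  # "add" was intended

if __name__ == "__main__":
    for plan in (SAFE, RISKY):
        final, findings = review_change(CURRENT, plan)
        print(sorted(final), findings)
```
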

Native VLAN Configuration and Mismatch Detection

The native VLAN is transmitted untagged on trunks. Ensure both ends of a trunk use the same native VLAN:

! Both sides must match
ACC-SW1(config-if)# switchport trunk native vlan 99
DIST-SW1(config-if)# switchport trunk native vlan 99

Detecting Native VLAN Mismatches

If the native VLANs differ, Cisco Discovery Protocol (CDP) detects the mismatch and issues a warning:

! DIST-SW1 accidentally configured with native VLAN 1
DIST-SW1(config-if)# switchport trunk native vlan 1
DIST-SW1(config-if)# end

! Check ACC-SW1
ACC-SW1# show interfaces GigabitEthernet 1/0/23 trunk

%Native VLAN mismatch detected on Port Gi1/0/23 (Native VLAN 99), with Port DIST-SW1 Gi1/0/24 (Native VLAN 1).

Even though the warning appears, frames still pass (they're just untagged on one side and tagged on the other, which can cause issues). Fix this immediately by making the native VLANs match.

Trunk Verification: Complete Show Output

Here's comprehensive trunk verification across the lab topology:

CORE-SW1# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/2     on           802.1q         trunking      99
Gi1/0/3     on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi1/0/2     10,20,30,40,50,99
Gi1/0/3     10,20,30,40,50,99

Port        Vlans allowed and active in management domain
Gi1/0/2     10,20,30,40,50,99
Gi1/0/3     10,20,30,40,50,99

Port        Vlans in spanning-tree forwarding state and not pruned
Gi1/0/2     10,20,30,40,50,99
Gi1/0/3     10,20,30,40,50,99

For individual port details, use show interfaces <port> trunk:

ACC-SW1# show interfaces GigabitEthernet 1/0/23 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/23    on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi1/0/23    10,20,30,40,50,99

Port        Vlans allowed and active in management domain
Gi1/0/23    10,20,30,40,50,99

Port        Vlans in spanning-tree forwarding state and not pruned
Gi1/0/23    10,20,30,40,50,99
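
The checks described in the pruning, native VLAN, and verification sections can be automated. The following is an added example, not code from the original page: it parses show interfaces trunk output from both ends of one link and reports a native VLAN mismatch, allowed VLANs outside the intended set, and active VLANs that are not forwarding. The function names are hypothetical, the sample output is constructed in the layout shown above, and one line per port per section is assumed.

```python
def vlan_set(spec):
    """Expand '10,20,30-32' (or 'none') into a set of VLAN IDs."""
    return {v for p in spec.split(",") if p != "none"
            for lo, _, hi in [p.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

TITLES = {"Vlans allowed on trunk": "allowed",
          "Vlans allowed and active in management domain": "active",
          "Vlans in spanning-tree forwarding state and not pruned": "forwarding"}

def parse_trunk(output):
    """Parse 'show interfaces trunk' text into {port: {field: value}}."""
    ports, section = {}, None
    for f in (l.split() for l in output.splitlines() if l.strip()):
        if f[0] == "Port":  # a header row starts a new section
            section = "mode" if f[1] == "Mode" else TITLES.get(" ".join(f[1:]))
        elif section == "mode":
            ports.setdefault(f[0], {}).update(status=f[3], native=int(f[4]))
        elif section:
            ports.setdefault(f[0], {})[section] = vlan_set(f[1])
    return ports

def audit_link(a, b, baseline):
    """Compare both ends of one trunk link; return a list of findings."""
    out = []
    if a["native"] != b["native"]:
        out.append(f"native VLAN mismatch {a['native']}/{b['native']}")
    for side, end in (("A", a), ("B", b)):
        extra = sorted(end["allowed"] - baseline)
        blocked = sorted(end["active"] - end["forwarding"])
        if extra:
            out.append(f"{side} allows VLANs outside baseline: {extra}")
        if blocked:
            out.append(f"{side} active but not forwarding: {blocked}")
    return out

# Constructed sample; the DIST-SW1 end is deliberately misconfigured.
SAMPLE = """Port        Mode         Encapsulation  Status        Native vlan
{port}    on           802.1q         trunking      {native}
Port        Vlans allowed on trunk
{port}    {allowed}
Port        Vlans allowed and active in management domain
{port}    {active}
Port        Vlans in spanning-tree forwarding state and not pruned
{port}    {fwd}"""
LAB = "10,20,30,40,50,99"
ACC = parse_trunk(SAMPLE.format(port="Gi1/0/23", native=99, allowed=LAB, active=LAB, fwd=LAB))
DIST = parse_trunk(SAMPLE.format(port="Gi1/0/24", native=1, allowed=LAB + ",200",
                                 active=LAB, fwd="10,20,30,40,99"))
FINDINGS = audit_link(ACC["Gi1/0/23"], DIST["Gi1/0/24"], vlan_set(LAB))
```

FINDINGS holds one entry per deviation on the link; an empty list means both ends agree with each other and with the intended VLAN set.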

Verification and Troubleshooting

Cause: Physical cable issue, port shutdown, or speed/duplex mismatch.

Fix: Verify physical port status:

ACC-SW1# show interfaces GigabitEthernet 1/0/23 status

Interface    Name                 Status       Vlan       Duplex Speed Type
Gi1/0/23     Trunk-to-DIST-SW1    notconnect   routed     auto   auto  10/100/1000BaseTX

! Ensure the port is not shut down
ACC-SW1# show interfaces GigabitEthernet 1/0/23 | include shutdown

  Encapsulation ARPA, loopback not set
  keepalive set (10 sec)
  Full-duplex, 1000Mb/s
  Encapsulation ARPA

! The "shutdown" line is absent, meaning it's enabled. Check the cable.

If the cable is connected and verified on both ends, check speed and duplex:

ACC-SW1# show interfaces GigabitEthernet 1/0/23 | include duplex

Full-duplex, 1000Mb/s

! If one side shows "half-duplex" and the other "full-duplex", fix it
ACC-SW1(config)# interface GigabitEthernet 1/0/23
ACC-SW1(config-if)# speed 1000
ACC-SW1(config-if)# duplex full
ACC-SW1(config-if)# end

Cause: The VLAN is not in the allowed list on the trunk, or Spanning Tree Protocol is blocking the VLAN.

Fix: Verify the VLAN is in the allowed list and active:

ACC-SW1# show interfaces GigabitEthernet 1/0/23 trunk | include Vlans allowed

Port        Vlans allowed on trunk
Gi1/0/23    10,20,30,40,50,99

! If the VLAN is missing, add it
ACC-SW1(config)# interface GigabitEthernet 1/0/23
ACC-SW1(config-if)# switchport trunk allowed vlan add 100
ACC-SW1(config-if)# end

Check whether STP is blocking the VLAN:

ACC-SW1# show interfaces GigabitEthernet 1/0/23 trunk | include pruned

Port        Vlans in spanning-tree forwarding state and not pruned
Gi1/0/23    10,20,30,40,50,99

! If a VLAN is in "allowed" but not in "forwarding state and not pruned",
! it's blocked by STP. Check STP on that VLAN
ACC-SW1# show spanning-tree vlan 100

VLAN0100
  Spanning tree enabled protocol rstp
  Root ID    Priority    32868
              Address     aabb.cc00.0100
              Cost        19
              Port        23 (GigabitEthernet1/0/23)
              Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
...

Symptom: Native VLAN mismatch warning

Cause: The native VLAN differs between the two ends of the trunk.

Fix: Ensure both trunk ends use the same native VLAN. Find the mismatch:

ACC-SW1# show interfaces GigabitEthernet 1/0/23 trunk | include Native

Native vlan
Native vlan

! Check the remote switch
DIST-SW1# show interfaces GigabitEthernet 1/0/24 trunk | include Native

Native vlan

! If they don't match, reconfigure one side
DIST-SW1(config)# interface GigabitEthernet 1/0/24
DIST-SW1(config-if)# switchport trunk native vlan 99
DIST-SW1(config-if)# end

! Verify the mismatch is gone
ACC-SW1# show interfaces GigabitEthernet 1/0/23 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/23    on           802.1q         trunking      99

Cause: The neighboring switch has the port in access mode or shutdown.

Fix: Verify the neighboring port configuration:

! From ACC-SW1
ACC-SW1# show cdp neighbors detail | include Device ID|Interface|Native VLAN|Management address

! Use SSH to connect to DIST-SW1 and check
DIST-SW1# show interfaces GigabitEthernet 1/0/24 switchport

Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 1 (default)

! The port is in access mode! Reconfigure it
DIST-SW1(config)# interface GigabitEthernet 1/0/24
DIST-SW1(config-if)# no switchport mode access
DIST-SW1(config-if)# switchport mode trunk
DIST-SW1(config-if)# switchport nonegotiate
DIST-SW1(config-if)# end

! Verify it's now trunking
DIST-SW1# show interfaces GigabitEthernet 1/0/24 switchport

Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: static trunk
Operational Mode: trunk

Key Takeaways

  • Configure 802.1Q trunks with switchport mode trunk, switchport trunk native vlan 99, and switchport nonegotiate on all switch-to-switch links
  • Use switchport trunk allowed vlan to prune unnecessary VLANs and reduce bandwidth waste
  • Always match native VLANs on both ends of a trunk; CDP will detect and warn of mismatches
  • Verify trunks with show interfaces trunk and show interfaces <port> trunk to confirm VLAN lists and native VLAN configuration
  • Troubleshoot physical connectivity issues (cable, speed, duplex) before investigating VLAN or STP problems


© 2025 Ping Labz. All rights reserved.