VLAN trunking is the mechanism that lets a single physical network link carry traffic for multiple VLANs simultaneously.

Let’s see it in action. Imagine you have two switches, SW1 and SW2, and you want to connect them so they can exchange traffic for VLAN 10 and VLAN 20.

SW1
| (GigabitEthernet0/1)
|
| (GigabitEthernet0/1)
SW2

On SW1, you’d configure the interface connecting to SW2 as a trunk port and restrict it to the two VLANs it actually needs to carry:

SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport trunk allowed vlan 10,20
SW1(config-if)# no shutdown

On SW2, you’d do the same:

SW2(config)# interface GigabitEthernet0/1
SW2(config-if)# switchport mode trunk
SW2(config-if)# switchport trunk allowed vlan 10,20
SW2(config-if)# no shutdown

Note the exact form of the allowed-VLAN command. switchport trunk allowed vlan 10,20 replaces the allowed list with those two VLANs. The variant switchport trunk allowed vlan add 10,20 only appends to whatever is already allowed, and because the default allowed list on a new trunk is every VLAN, using add there changes nothing: the trunk still carries all VLANs.

Now, devices connected to SW1’s access ports in VLAN 10 can communicate with devices connected to SW2’s access ports in VLAN 10, and the same for VLAN 20, all over that single link between SW1 and SW2.

The problem VLAN trunking solves is the inefficient use of physical cabling. Without it, you’d need a separate physical link for each VLAN you wanted to extend between switches. If you had 50 VLANs and needed to connect two switches, you’d need 50 cables. That’s clearly not scalable. Trunking consolidates this, allowing a single cable to carry all those VLANs.

Internally, how does a switch know which traffic belongs to which VLAN when it’s all on one link? It uses tagging. The standard trunking protocol is IEEE 802.1Q. When a frame from a specific VLAN needs to traverse a trunk link, the switch inserts a 4-byte tag into the Ethernet header, immediately after the source MAC address. The tag starts with the value 0x8100 in the EtherType position (which is how the receiver recognises a tagged frame) followed by 16 bits of tag control information: a 3-bit priority, a 1-bit drop-eligible flag, and a 12-bit VLAN ID. The VLAN ID is a number between 1 and 4094 (0 and 4095 are reserved) that identifies the VLAN the frame belongs to. The receiving switch reads this tag, removes it, and knows exactly which VLAN the frame should be processed in.

There’s also a concept called "native VLAN." When you configure a trunk port, one VLAN is designated as the native VLAN. Frames in the native VLAN cross the trunk untagged, and in the other direction any untagged frame that arrives on a trunk port is assigned to that port’s native VLAN. That untagged path is why the native VLAN is a security consideration and a common source of misconfiguration: whatever the switch forwards untagged is classified purely by the receiving port’s native VLAN setting, and a frame that still carries a tag of its own when it is forwarded untagged will be classified by that inner tag on the next switch. Two common hardening steps on Cisco switches are to make the native VLAN an otherwise unused VLAN on every trunk, and to tag native VLAN traffic as well with the global command vlan dot1q tag native. By default, the native VLAN is VLAN 1. You can change it per trunk:

SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# switchport trunk native vlan 50

This tells SW1 that frames for VLAN 50 on this trunk should not be tagged. Both ends of the trunk must agree on the native VLAN for proper operation. If they don’t, the traffic is not dropped; it is misdirected. With SW1 still at native VLAN 1 and SW2 at native VLAN 50, SW1 sends VLAN 1 frames untagged and SW2 places every one of them in VLAN 50, silently merging the two VLANs across the link. Cisco switches running CDP detect this and log a %CDP-4-NATIVE_VLAN_MISMATCH warning, which is worth alerting on.
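The tagging described above and the native VLAN behaviour can be modelled in a few lines. The following Python is an added example, not code from the original page or from any switch vendor; it builds and parses real 802.1Q tag bytes but the frame contents, the two-function model of trunk ingress and egress, and the native VLAN values are constructed for illustration. It shows a VLAN 10 frame crossing a correctly configured trunk, the misdirection that a native VLAN mismatch causes, and why a frame that is forwarded untagged while still carrying an inner tag ends up in the inner tag’s VLAN on the far side.

```python
"""Model how a trunk port handles IEEE 802.1Q tags: tagging on egress,
classification on ingress, and the untagged native VLAN.
Added example; frames and switch behaviour are a simplified, constructed model."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def untagged_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Plain Ethernet II frame: dst MAC, src MAC, EtherType, payload (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094; 0 and 4095 are reserved")
    tci = (pcp << 13) | (dei << 12) | vid  # PCP(3 bits) | DEI(1 bit) | VID(12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def outer_tag(frame: bytes):
    """(vid, pcp, dei) of the outermost tag, or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost tag; caller must have checked that one exists."""
    return frame[:12] + frame[16:]


def trunk_ingress(frame: bytes, native_vlan: int):
    """Receiving trunk port: a tagged frame goes to the tag's VLAN and loses that
    tag; an untagged frame is assigned to the port's native VLAN unchanged."""
    tag = outer_tag(frame)
    if tag is None:
        return native_vlan, frame
    return tag[0], pop_tag(frame)


def trunk_egress(vlan: int, frame: bytes, native_vlan: int) -> bytes:
    """Sending trunk port: frames in the native VLAN leave untagged, everything
    else gets a tag carrying its VLAN ID."""
    return frame if vlan == native_vlan else push_tag(frame, vlan)


def forward_over_trunk(vlan: int, frame: bytes, native_sw1: int, native_sw2: int):
    """Send a frame that SW1 holds in `vlan` across the trunk to SW2 and return
    (vlan SW2 assigns it, frame as SW2 stores it)."""
    on_wire = trunk_egress(vlan, frame, native_sw1)
    return trunk_ingress(on_wire, native_sw2)


# Constructed sample: a broadcast frame with an ARP EtherType and dummy payload.
SAMPLE = untagged_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    # Both sides at native VLAN 1: VLAN 10 crosses tagged and is classified correctly.
    print(forward_over_trunk(10, SAMPLE, native_sw1=1, native_sw2=1)[0])  # 10
    # Native VLAN 1 crosses untagged and is still VLAN 1 on the far side.
    print(forward_over_trunk(1, SAMPLE, native_sw1=1, native_sw2=1)[0])  # 1
    # Mismatch: SW1 sends VLAN 1 untagged, SW2's native VLAN is 50, so SW2
    # silently places the frame in VLAN 50.
    print(forward_over_trunk(1, SAMPLE, native_sw1=1, native_sw2=50)[0])  # 50
    # Why the native VLAN matters for security: a frame that already carries a
    # VLAN 20 tag and is forwarded in the native VLAN leaves SW1 untouched, so
    # SW2 reads the inner tag and delivers it into VLAN 20.
    print(forward_over_trunk(1, push_tag(SAMPLE, 20), native_sw1=1, native_sw2=1)[0])  # 20
```

The last case is the reason for the hardening advice above: if the native VLAN on a trunk is one that no host can send traffic into, or if native VLAN traffic is tagged as well, a frame that arrives with its own tag never gets forwarded untagged in the first place.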

The core levers you control are the switchport mode trunk command, which enables trunking on an interface, and switchport trunk allowed vlan, which specifies which VLANs are permitted to cross the trunk. You can also explicitly define the native VLAN and control which trunking protocol is used: 802.1Q, or the older Cisco-proprietary ISL, which is largely obsolete. Most modern switches support only 802.1Q and default to it. On older Catalyst models that still support ISL, IOS rejects switchport mode trunk until you first set switchport trunk encapsulation dot1q on the interface.

What most people don’t realize is how critical the switchport trunk allowed vlan command is for both security and network segmentation. By default, many switches allow all VLANs to traverse a trunk, so when a new VLAN is created on one switch it is automatically carried on every existing trunk. That extends the VLAN to switches and links where it was never meant to exist: a VLAN you consider isolated to one closet is suddenly reachable from any trunk in the path, and an attacker who gains a trunk port or a mis-set native VLAN anywhere along it can reach it. Explicitly defining the allowed VLANs, and regularly auditing them with show interfaces trunk (which lists the allowed and the actually active VLANs per trunk), is a crucial security practice. For instance, if only VLAN 10 and 20 need to cross a specific link, configure exactly switchport trunk allowed vlan 10,20, not the add form, which only appends to the default list of all VLANs. Two related checks belong in the same audit: a static trunk still sends Dynamic Trunking Protocol (DTP) frames unless you add switchport nonegotiate, and every port facing an end host should be pinned with switchport mode access so that it can never negotiate itself into a trunk.
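The audit described above can be automated against a saved running-config. The following Python is an added example, not code from the original page or from any vendor tool; the configuration text is constructed to exercise the cases the text discusses (a properly restricted trunk, a trunk left at its defaults, a trunk that only used the add form, and an access port). It flags static trunks that carry all VLANs, that leave the native VLAN at 1, or that still have DTP enabled. Treat the parsing as an assumption about the standard IOS running-config layout: one interface block per interface, each line indented by one space, blocks terminated by a line containing only "!".

```python
"""Audit static trunk ports in a Cisco IOS running-config for the settings
discussed above: an explicit allowed-VLAN list, a non-default native VLAN and
DTP disabled. Added example; SAMPLE_CONFIG is constructed, not a real device."""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 50
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan add 10,20
!
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 10
!
"""

# Only a literal list (digits) or 'none' restricts the trunk. 'add' appends to
# the current list, which on a fresh trunk is all VLANs, and 'except' still
# carries nearly everything, so neither counts as a restriction here.
RESTRICTED_ALLOWED = re.compile(r"^switchport trunk allowed vlan (?:\d|none)")


def parse_interfaces(config: str) -> dict:
    """Map interface name -> list of its indented configuration lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the current block
    return interfaces


def audit_trunk(lines: list) -> list:
    """Findings for one interface; an empty list means it passes (or is not a static trunk)."""
    findings = []
    if "switchport mode trunk" not in lines:
        return findings
    if not any(RESTRICTED_ALLOWED.match(l) for l in lines):
        findings.append("allowed VLANs not restricted (default is all)")
    native = next((l for l in lines if l.startswith("switchport trunk native vlan")), None)
    if native is None or native.split()[-1] == "1":
        findings.append("native VLAN left at default 1")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP still enabled (no 'switchport nonegotiate')")
    return findings


def audit_config(config: str) -> dict:
    """Interface name -> findings, for every trunk with at least one finding."""
    result = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_trunk(lines)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it over the output of show running-config (copied to a file) from each switch; on the constructed config it reports GigabitEthernet0/2 and GigabitEthernet0/3 with all three findings and says nothing about the correctly configured GigabitEthernet0/1 or the access port. Pair the static check with show interfaces trunk on the live device, since that is where you see which allowed VLANs actually exist and are forwarding.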

The next step is understanding how to route traffic between these VLANs using a Layer 3 device.
