Cisco CCNP SWITCH 642-813

VLANs: In-Depth Trunking

by Jeremy Cioara

Start your 7-day free trial today.

This video is only available to subscribers.

A free trial includes:

  • Unlimited 24/7 access to our entire IT training video library.
  • Ability to train on the go with our mobile website and iOS/Android apps.
  • Note-taking, bookmarking, speed control, and closed captioning features.

Welcome to Cisco Switch: Watch Me First!

The Switches Domain: Core Concepts and Design

VLANs: Configuration and Verification

VLANs: In-Depth Trunking

00:00:00 - So I'm going to continue on in our VLAN subseries here, as we
00:00:04 - talk about in-depth trunking. I don't know why that just sounded
00:00:09 - funny to me. Sounded like something you would do on the weekend.
00:00:11 - I'm going to go trunking this weekend. Trunking is the process
00:00:16 - of connecting your switches together, and allowing them to send
00:00:20 - VLAN information between each other. We'll start off by talking
00:00:23 - about a review of that concept, as in how it actually happens.
00:00:27 - And then we'll get a little bit more in depth in the CCNA days
00:00:30 - and explore an ISL, an 802.1Q frame, and see what is better about
00:00:37 - one or the other, and why 802.1Q is currently the standard. Then
00:00:41 - we'll look at native VLANs. You've probably seen on the Cisco
00:00:45 - switch at some point, native VLAN mismatch. We'll talk about
00:00:48 - what that is, and why we would use native VLANs today. Then of
00:00:52 - course, we'll go into the live interface and set up a trunk between
00:00:55 - our two switches. Let's get going.
00:00:59 - To make sure we're all on the same page, let's do a little bit
00:01:02 - of review about the foundations of trunking. The fact is this:
00:01:07 - Computers have no idea what VLAN they belong to. We just finished
00:01:12 - talking about VLANs, but this is not a computer thing. You don't
00:01:16 - go to each PC and say you are part of VLAN 3. Rather, you go
00:01:20 - to the switch and you say that port belongs to VLAN 3. So whenever
00:01:25 - a device, let's add another computer here, let's say a device
00:01:29 - over here on VLAN 3 sends a broadcast. It comes into the situation,
00:01:33 - and inside of the switch it says okay, let me put a little tag
00:01:37 - on this this packet, this frame, to say this belongs to VLAN
00:01:41 - 3. But before that broadcast ever gets sent out, it strips the
00:01:46 - tag off. So that when this computer gets it, it just sees that
00:01:49 - it's another frame. It doesn't realize, oh, that was originally
00:01:52 - tagged as belonging to VLAN 3. Because if the tag was left on,
00:01:57 - the computer would drop it. It would say that's that's not a
00:01:59 - good packet because there's this little you know, tag that I
00:02:03 - don't know what that is. So when you think about trunking, trunking
00:02:08 - is just support that leaves the tag on. Think of it this way.
00:02:13 - If you go in the trunk of your car well, maybe yours isn't as
00:02:16 - bad as mine, if you were to go in the trunk of my car, you know
00:02:19 - what you'd find? Everything. Burgers from like two years ago
00:02:24 - that I I got stuffed into some corner and I forgot about them.
00:02:27 - Blankets, emergency kits, some tow cables, some battery charging
00:02:32 - cables, all just stuff is in my trunk. Can never fit anything
00:02:37 - in there, because everything is in there. And that's what this
00:02:39 - trunk does, is it passes everything, all VLAN traffic crosses
00:02:44 - that trunk, and it crosses it without removing the tag. So when
00:02:48 - this blue computer in VLAN 3 sends a broadcast, it comes out
00:02:52 - this port untagged, but moves across the trunk with the tag still
00:02:56 - on it. So that when switch B gets it, it's able to look and go
00:03:00 - oh, that belongs to VLAN 3. Let's go ahead and remove the tag
00:03:04 - and just send it out to this blue computer down here, because
00:03:07 - it's part of the same VLAN. Trunking, I think I mentioned this
00:03:11 - before, trunking is a Cisco term. No other vendor calls those
00:03:15 - links trunks. Everybody else seems to call them tagged ports.
00:03:19 - Which, in my opinion, is a little more accurate, because that's
00:03:23 - the only thing that happens is the tags are not removed when
00:03:27 - it's sent across. Now, this is trunking is solely a layer 2 feature.
00:03:32 - This is not anything dealing with inter-VLAN routing, there's
00:03:36 - no layer 3 tags that are put in place. This is all done down
00:03:40 - at the data link layer.
00:03:43 - So now we know what a trunk is, let's talk about the two ways
00:03:47 - that we can set them up. The two tagging flavors, spelled with
00:03:51 - an o-u for my friends out there in Great Britain. First one is
00:03:56 - ISL. ISL is Cisco's way of tagging a packet, or, more accurately
00:04:02 - said, encapsulating a packet before it's sent across the trunk.
00:04:06 - Now, the way the history goes is that Cisco was one of the first
00:04:09 - vendors to the game with VLANs, and they were the first to implement
00:04:13 - VLAN technology in their switches, before there was really a
00:04:16 - good industry standard language. There was 802.1Q back then,
00:04:21 - but it just wasn't that good. So Cisco created their own, called
00:04:24 - ISL, and anytime you create something that's your own it is proprietary,
00:04:28 - that only works between Cisco switches. Now, the difference
00:04:32 - between ISL and dot 1Q is that ISL encapsulates the entire frame
00:04:38 - before it goes out of the trunk. So imagine this. You've got
00:04:42 - in VLAN 3 packet or broadcast that came in, and the Cisco switch
00:04:45 - realizes, oh, I go across the trunk. So it creates a brand new
00:04:51 - header, puts it on the front. A brand new trailer, puts it on
00:04:55 - the very end. And sends the frame unchanged, outside of the new
00:04:59 - stuff that it just added to the front and added to the end, across
00:05:02 - the trunk link to the other side. Now, let's compare that to
00:05:06 - the 802.1Q, which nowadays is known as a tagging solution, rather
00:05:10 - than an encapsulation solution. The frame comes in, the switch
00:05:14 - says, oh, you're in VLAN 3 and you've got to go across the trunk.
00:05:18 - So instead of putting on a brand new setter it just swish, inserts
00:05:22 - a little shim. That's what I call it, anyway. A little tag, right
00:05:27 - behind the source MAC address field in the header. We'll look
00:05:31 - at this a little bit more in a bit. And then just recalculates
00:05:35 - the CRC on the end of the packet to reflect that new tag that
00:05:38 - it put in there. Because of how 802.1Q tags the packet, it is
00:05:44 - now considered the better method. Meaning back in the day when
00:05:48 - it was first developed, it wasn't good, it was a lot of overhead,
00:05:50 - it didn't support that many features. But nowadays it's been
00:05:53 - revised, or revised to where it is just way better than ISL.
00:05:58 - And because of that, Cisco said okay, ISL has done its job, let's
00:06:03 - get it out of here. And they are phasing it out of all their
00:06:06 - switches. As a matter of fact, if you buy a brand new 2950 switch,
00:06:10 - you don't even have the option to do ISL anymore. It just does
00:06:14 - that 1Q. Some of the bigger switches, like 3500 or 3750
00:06:21 - or 6500, those kind of switches, still support both languages,
00:06:25 - so it can kind of bridge in the legacy technology.
00:06:28 - Let me dig a little deeper into the standards and show you just
00:06:32 - how much better 802.1Q is. Take a look at this. We've got ISL
00:06:38 - encapsulation, right? And as I mentioned before, we've got our
00:06:41 - ethernet frame over here where that was the original one, it
00:06:44 - is totally unchanged, layer 2, layer 3, all this stuff is just
00:06:48 - as it was sent originally from the PC. As it's going across the
00:06:52 - switch link, or trunk link, between two switches like this, right
00:06:57 - before it's sent, the switch will slap on this 26 byte header.
00:07:02 - Now, the VLAN tag is only 16 bits. Really small, two bytes of
00:07:07 - information, right? Of 26 bytes. And if you were to look inside
00:07:11 - of here, you would see in a packet trace a ton of junk in that
00:07:16 - header, followed by a little two byte VLAN tag, and then another
00:07:20 - ton of junk right behind it. When ISL was developed, Cisco had
00:07:24 - a lot of other intentions for it. They have junk that includes
00:07:28 - like the source MAC address of the switch, destination MAC address
00:07:32 - of the other switch, there's some CDP stuff in there, there's
00:07:35 - some BPDU stuff, you know, the language that switches use to
00:07:39 - negotiate spanning tree protocol is in there. They just had a
00:07:42 - lot of intentions for ISL, and they were like this thing is going
00:07:46 - to really be able to do a lot. But eventually, ISL evolved to
00:07:51 - just a tagging language, and we don't need all that junk. But
00:07:54 - it's still on there. It follows it up with a brand new 4 byte
00:08:00 - CRC. That's in addition to the normal CRC that's on the end of
00:08:03 - this frame. A lot of people call it the frame check sequence,
00:08:06 - but that's that's unchanged, it just gets encapsulated.
00:08:11 - Now let's look down here. Oh, so much better. 802.1Q
00:08:17 - just slides in a little 4 byte shim. This is what I was talking
00:08:21 - about. By the way, if you haven't heard of a shim, they're great
00:08:25 - things. You get from Home Depot. They're just a little chunk
00:08:28 - of wood like this, you buy them in packs of like 20 shims. And
00:08:31 - those things are great, you know, your refrigerator, that kind
00:08:34 - of rocks back and forth, you just slide a shim under it, and
00:08:37 - it fixes it. You just that's why I call these things shim, you
00:08:42 - just slide these shims everywhere. I've got like 20 of them just
00:08:44 - sitting around my house, random places. Filing cabinets, my car
00:08:48 - has a shim under it, there's all kind of stuff. So when you're
00:08:51 - talking about shims, that's what I mean, is it kind of slides
00:08:54 - a little shim into the existing frame. It doesn't add a new header,
00:08:59 - doesn't add a new trailer. What it does is it slides in a little
00:09:03 - 4 byte tag now, you might be might be thinking well, I thought
00:09:05 - the VLAN tag was just 2 bytes. It is. Inside of there is the
00:09:10 - VLAN information, there's your 2 bytes, there's also a 3 bit
00:09:14 - PRI value. Priority value. Now, a lot of people call that the
00:09:19 - class of service field, or COS. That's used for quality of service
00:09:23 - markings across the trunk, and that is a very valuable field
00:09:27 - that we need. There's some other stuff in there, too, it's not
00:09:30 - really junk, I would say, but, you know, it ends up comprising
00:09:33 - 4 bytes total. There's some stuff in there that allows it to
00:09:37 - support token ring VLANs and things like that. But it does not
00:09:42 - add any new headers, it just, right after the original destination
00:09:45 - and source MAC address, whoosh, there's the shim. And that is
00:09:49 - inserted as it goes across the trunk, and removed as soon as
00:09:52 - it gets to the other side, before it's sent out to the actual
00:09:56 - clients receiving those frames.
00:09:59 - Okay. So you get your trunks set up with 802.1Q, it's the better
00:10:04 - tagging language, and all of a sudden you get these messages.
00:10:08 - They're coming across your Cisco switch, and they're saying native
00:10:11 - VLAN mismatch detected on port dat, dat, dat. Native V it just
00:10:15 - keeps happing, native VLAN mismatch, native VLAN mismatch. You
00:10:18 - won't have to be in Cisco long, give it a few months, of just
00:10:22 - working with switches, before you're guaranteed to eventually
00:10:25 - see a message that says native VLAN mismatch. So what is the
00:10:30 - deal with the native VLAN? What does this mean? Well, this is
00:10:34 - a concept that they created for 802.1Q. You won't run into this
00:10:39 - problem with ISL, because there is no such thing as the native
00:10:42 - VLAN over there. Native
00:10:44 - VLANs are good if you use them correctly. Here's the idea behind
00:10:50 - the native VLAN, the way it was originally designed. Over on
00:10:53 - the left we've got a couple computers in VLAN 15, and a computer
00:10:57 - in VLAN 1. Over on the right we've got a switch with a couple
00:11:00 - of computers in VLAN 15, and a computer in VLAN 1. And because
00:11:05 - we're talking technology of 10 years ago or so, in the middle
00:11:09 - here we have these two switches connected through a hub. That's
00:11:14 - what this mystical device in the middle is. Now, this was this
00:11:18 - was a reality back then. I know you're thinking, well, we don't
00:11:22 - use hubs nowadays, or I would never use one. But this was a common
00:11:27 - reality that we had to deal with, is that switches were trunked
00:11:30 - through a hub, and maybe there were some devices on that on that
00:11:35 - hub. Well, these computers are sending in packets, just like
00:11:38 - they always do, that's what computers do. And they're being received
00:11:42 - on the trunk links of these switches. Well, trunk links, by definition,
00:11:48 - should only send tagged packets. That's what they do, when they
00:11:52 - put their little shims in before they send it. So what's a trunk
00:11:56 - link to do when it receives an untagged packet, that's these
00:11:59 - guys, on a trunk link? That's
00:12:03 - what the native VLAN is for. It is a configuration that you can
00:12:06 - apply to a trunk port that says if I do happen to receive an
00:12:11 - untagged packet on this link, then I will assign it automatically
00:12:16 - to VLAN, blah, and that's the native VLAN. Now, when you plug
00:12:22 - in switches together and they have mismatched native VLANs, one
00:12:27 - maybe is native VLAN 10 and the other is native VLAN 1, that's
00:12:31 - where you get that message. It's going to say native VLAN mismatch
00:12:34 - on dat, dat, dat, dat. So that's what the native VLAN is for.
00:12:40 - Now, I know you might be thinking, well, okay, I get what a native
00:12:43 - VLAN does now, it just takes untagged packets and puts them in
00:12:47 - a VLAN, so if it was in VLAN 1, then these guys would be assigned
00:12:51 - to the same VLAN as these guys, even though they're connected
00:12:53 - to a hub in the middle of the trunk link. But Jeremy, why on
00:12:56 - earth would I put a hub in our networks nowadays? The
00:13:00 - answer is you wouldn't. But this concept has been brilliantly
00:13:05 - applied to voice over IP. Here's the world. We've got the switch
00:13:11 - now able to connect to a phone, right? And the phone has a switchboard
00:13:17 - in the back of it that connects it to a computer. This is a common
00:13:21 - configuration in the voice over IP world, because it keeps you
00:13:24 - from having to run two ethernet drops to every single cubicle
00:13:28 - in your environment. I mean, you only have one for the computer,
00:13:31 - why would I want to rewire my company to have a second for the
00:13:34 - phone. But the problem is, you don't ever want your phone and
00:13:40 - your PC on the same VLAN. That's not only a huge performance
00:13:45 - concern, because if people start doing heavy file transfers or
00:13:48 - something like that, in the middle of a phone call, it could
00:13:51 - end up degrading the service. But also, it is a problem with
00:13:55 - security. There's already programs out there that allow you to
00:13:58 - sniff voice packets and convert them to wave files, so you want
00:14:02 - to separate these two devices on to separate VLANs. Maybe put
00:14:06 - VLAN 10, and VLAN 20. But how is that possible?
00:14:12 - Well, the way it works is is you run kind of a small version
00:14:16 - of a trunk
00:14:18 - from that switch to the phone. Of course, you're using Cisco
00:14:23 - IP phones, because they're the best, and that phone has the ability
00:14:27 - to understand and send tagged packets. So you're sitting there
00:14:33 - on the phone, right? Imagine yourself, you're talking into the
00:14:35 - phone saying hi, mom, how are you doing. And the phone automatically,
00:14:39 - as your voice that's the voice, aaah enters that handset and
00:14:44 - sends it on to the wire, it is tagging each one of those voice
00:14:48 - packets with VLAN 10. So since this switchboard is configured
00:14:52 - as the trunk, it's saying oh, great. I'll go ahead and put those
00:14:56 - packets, that are tagged into VLAN 10, into VLAN 10, and send
00:14:59 - them on their way with appropriate quality of service. Now, what
00:15:02 - about the computer, is it tagging its packets? No way. Computers
00:15:07 - can't tag packets. They don't even know what a tag is. So it's
00:15:10 - just sending packets untagged.
00:15:13 - Ah. So the trunk port is now receiving untagged packets. Hm.
00:15:20 - That sure sounds like this setup up here. Where we had a hub
00:15:24 - in the middle, and these computers were sending untagged packets,
00:15:27 - and it would make them a member of the native VLAN. And that's
00:15:31 - how it applies today. We use the native VLAN in this kind of
00:15:35 - situation. The computer doesn't know it's part of VLAN 20. We
00:15:39 - just set the native VLAN on the trunk to be VLAN 20, so whenever
00:15:43 - the computer sends packets that are untagged, it's received by
00:15:46 - the switch and it assigns them to the appropriate VLAN for the
00:15:50 - data computers. Isn't
00:15:52 - that cool? I love that. That's one of my that's one of my favorite
00:15:56 - voice over IP topics. It really is an excellent way to separate
00:16:01 - devices even though they're plugged into the same switch port.
00:16:05 - All right, let's get into the real meat of trunking, and then
00:16:09 - we'll get into the configure. Cisco and just about every other
00:16:13 - vendor use a protocol that negotiates trunk links called the
00:16:18 - dynamic trunking protocol, or DTP.
00:16:21 - This allows you to have multiple switches connected together
00:16:24 - that will be able to recognize each other and say oh, you're
00:16:27 - a switch. Well, let's just get a trunk going on. And they'll
00:16:30 - auto-negotiate a trunk between them. Now, DTP goes against every
00:16:37 - fiber of my being. First off, because I have a rule with switches.
00:16:42 - Anything that's auto-negotiated,
00:16:45 - you "auto" not use it. Because it causes problems. For example,
00:16:50 - if you dealt with Cisco switches, or any vendor switches for
00:16:52 - awhile, you probably know about auto-negotiate speed and duplex.
00:16:56 - There's a lot of problems that happen with that. And the same
00:16:59 - thing with this, auto-negotiate auto-negotiating trunks is just
00:17:04 - a bad idea. It's confusing, number one. But number two, it provides
00:17:11 - huge security worries and problems in a network environment.
00:17:16 - Let me explain. There's five different modes that you can set
00:17:20 - a port into as it deals with trunking. If you set it to access
00:17:24 - mode, you will have a diagram that looks something like this.
00:17:28 - If I were to set a port to an access port, then whatever device
00:17:33 - that's plugged into it is considered an access layer device.
00:17:36 - It is not a trunk, it can only access a single VLAN. So if I
00:17:41 - assign that port to VLAN 50, then that device is on VLAN 50.
00:17:47 - Now, what if somebody took that off and plugged in a switch?
00:17:50 - Well, no problem. Because it's on VLAN 50. Every port on that
00:17:54 - switch is part of VLAN 50. It is not a trunk, and there is no
00:17:59 - way for it to become a trunk, even if the other side wanted to.
00:18:03 - The danger, in my opinion,
00:18:07 - is that every single switch, when you pull it out of the box,
00:18:11 - fresh from Cisco, is in a mode known as dynamic desirable.
00:18:18 - What that means is that this port is not a trunk, necessarily,
00:18:23 - and it's not an access port, necessarily, but it will negotiate
00:18:28 - with whatever you plug into the other side and either become
00:18:31 - an access port, if you plug in an NPC, or become a trunk if you
00:18:36 - plug in a switch. Yikes. Every port is dynamic desirable out
00:18:42 - of the box, which Cisco's intentions were good, that allows it
00:18:45 - to just work when you pull it out of the box. If you plug it
00:18:47 - into another switch, it's a trunk. If you plug it into a PC it's
00:18:50 - an access port. But here's the problem. What if somebody in their
00:18:56 - cubicle decides to pull out a Cisco switch, and they're like
00:19:00 - hey, let's just plug it in and see what happens. Well, if they
00:19:04 - plug it into their cubicle wall, it then becomes a trunk link,
00:19:08 - allowing them to assign whatever ports they have on that switch
00:19:13 - to whatever VLAN your organization has. So that totally undermines
00:19:19 - all securities that VLANs provide. They can just add them self
00:19:23 - to the server VLAN and have direct access to the servers without
00:19:27 - any sort of access list or firewall between them. That is an
00:19:31 - enormous security violation. So let me first off show you this.
00:19:37 - I want to show you how you can determine what mode the port is
00:19:41 - in on a switch. I'm sitting on a switch right here, I'm going
00:19:45 - to get into privileged mode and I'll do a show CDP neighbors,
00:19:48 - and you can see I've got this switch which is connected to a
00:19:51 - whole bunch of Catalyst 2950 switches. Now, you might be saying
00:19:55 - well, Jeremy, do you need that many switches for this? No. I
00:19:58 - just wanted to hook them all up because it's it's kind of fun,
00:20:01 - and I had to upgrade the IOS on them anyway, so why not. So if
00:20:05 - I wanted to view what mode we'll say this port is in on my switch,
00:20:09 - which is connected to another switch, I can type in show interface,
00:20:13 - fast ethernet 0/21,
00:20:17 - and you follow that up with a command switchport. Not many people
00:20:21 - know about that little modifier there. And when you hit enter,
00:20:24 - you'll see the administrative mode that it's in, that's what
00:20:27 - you've set it to as an administrator, which by default is dynamic
00:20:31 - desirable, and then operational mode will tell you what it's
00:20:36 - negotiated with the other side. Right now I've got it connected
00:20:39 - to another switch, so it negotiated a trunk port. That's the
00:20:43 - danger. So you can see that if we hardcode them as access ports,
00:20:47 - they will only belong to one VLAN, and that is what I highly
00:20:50 - recommend you do for every switch port that connects to a PC
00:20:55 - or a router or anything that's not going to be a trunk. If we
00:21:00 - leave it as the default, it will be set to dynamic desirable.
00:21:04 - Which means it will dynamically change modes, and it desires
00:21:07 - to be a trunk. Now, what if it's set to dynamic auto?
00:21:13 - What that means is it will automatically change between a trunk
00:21:17 - port or an access port, but it's not going to try to be a trunk.
00:21:22 - Meaning it's not going to send any DTP packets saying please
00:21:27 - make me a trunk. So what that means is if you, excuse me, have
00:21:31 - both sides set to auto, on a switch, they will not become a trunk
00:21:37 - together. And that to me is why this is just confusing. Dynamic
00:21:41 - desirable means that they desire to be a trunk, and they will
00:21:44 - be a trunk if they detect another switch attached. But if they're
00:21:47 - auto on both sides, then that means neither one is going to send
00:21:51 - a packet saying I'd like to be a trunk, so they'll both stay
00:21:55 - as access ports. So what does that mean if one side is auto and
00:21:59 - the other side is desirable? Well, if that's the case, it will
00:22:05 - become a trunk. Because this side will say I'd like to be a trunk,
00:22:08 - and since this is set to auto, it will say oh, well, I'm in auto,
00:22:11 - so I'll be a holy cow, I just threw my pen across the room. It
00:22:15 - says I will be auto with you. Or I will be a trunk with you.
00:22:19 - So it will negotiate a trunk with the other side, and that will
00:22:23 - end up be a trunk. So what's the trunk mode, then, right? Well,
00:22:29 - with all of these different modes, trunk
00:22:32 - is where it will be a trunk, it is set I am trunking, I am set
00:22:36 - to on, if a computer plugs in I will not be able to communicate
00:22:39 - with it because I am a trunk, and I am set to on. And here's
00:22:43 - the big difference I am sending DTP packets. Meaning I am a trunk,
00:22:48 - and I'm set to on, and I will tell the other side I want to be
00:22:52 - a trunk, so if it's set to auto, if it's set to desirable, if
00:22:56 - it's set to trunk, it doesn't matter, we will become a trunk.
00:22:59 - So if you set it to trunk mode and the other side is any one
00:23:02 - of those, it will become a trunk. The last one is non-negotiate.
00:23:10 - Non-negotiate is where you've set it to be a trunk, and it will
00:23:13 - not send out DTP packets. In my opinion, that is the most efficient
00:23:18 - mode that you want to put it in, because you want remember, auto,
00:23:23 - not use it, don't use auto-negotiate, auto equals bad. I would
00:23:27 - recommend you set these to be trunk non-negotiate. That means
00:23:33 - that you know exactly where your other switches are attached.
00:23:37 - That means if you've got a switch, and you do a show CDP neighbors,
00:23:40 - I'm going to hit the up arrow, you can see this is a switch,
00:23:44 - this is a switch, this you can go down that list, and determine
00:23:47 - exactly what your switch ports are. You hardcode them to be trunk
00:23:51 - ports and then you set them to non-negotiate, so you don't waste
00:23:54 - any overhead by sending out these DTP packets. Likewise,
00:23:59 - the other reason I prefer and I should also mention Cisco prefers
00:24:03 - the non-negotiate mode, is if somebody were to mistakenly and
00:24:08 - let me go choop, choop plug in a computer into that trunk port,
00:24:14 - the switch is not going to send DTP packets to the computer.
00:24:19 - Because, guess what, DTP can be spoofed. The dynamic trunking
00:24:24 - protocol, you can engineer a packet, if you were a malicious
00:24:27 - intruder and you plug into a port that's set to trunk mode, all
00:24:30 - you need to do is open your packet sniffer, ethereal or something
00:24:35 - like that, and see that DTP packets are being sent. And you go
00:24:38 - aha, DTP packets are being sent, let me go out and set mine to
00:24:43 - mirror these DTP packets, and your computer can start trying
00:24:46 - to emulate those, and negotiate a trunk with the other side.
00:24:50 - And it's only a matter of time before somebody hacks into the
00:24:52 - network. So non-negotiate is the most secure, and the most I
00:24:57 - guess you could say solid way to do this, because you know exactly
00:25:01 - what ports are set to trunking, and only those ports will negotiate
00:25:05 - a trunk. Difficulty of trunks is mainly in the concepts. Because
00:25:11 - they're really not too bad to configure. Let's set up a trunk
00:25:15 - I'm going to do my show CDP neighbors,
00:25:18 - again, just to show you the different devices that I have. The
00:25:21 - first one I want to set it up on is a 3550.
00:25:25 - Because you'll see the configure is slightly different than the
00:25:27 - 2950 that I'm sitting on right now. The reason why is because
00:25:31 - the 3550 supports both I SL and 802.1Q.
00:25:36 - So let me just telnet over to the 3550,
00:25:42 - and I can see the 3550
00:25:47 - is connected to me, this switch that I was on right here, on
00:25:50 - its fast ethernet 0/15.
00:25:54 - So let's get in there. Fast ethernet 0/15. What I'm going to
00:25:59 - do is type in switch port, trunk, encapsulation, and then you
00:25:59 - get to choose what kind of encapsulation would you like to use.
00:26:02 - And you can see that I have dot 1Q and ISL at my disposal. You
00:26:08 - can also negotiate the encapsulation with the other side, but
00:26:12 - again, you "auto" not do that. So I'm going to type in dot 1Q,
00:26:16 - which is the 802.1Q standard. Once I do that, I can then type
00:26:21 - in switch port, mode, and then follow that up with trunk.
00:26:27 - As soon as I do that, it is now hard coded to be a trunk unconditionally.
00:26:32 - Now, remember, that will start sending the DTP packets, it will
00:26:37 - still try to negotiate it with the other side, if it is in an
00:26:41 - auto sort of mode. But the trunk is hard-coded and the good news
00:26:46 - about that is if I plug in a PC it's not going to work. This
00:26:49 - means that it is dedicated to go to a switch. You can also see
00:26:52 - some of the other ones, like an access port, that's how you set
00:26:55 - it to be an access port. Dynamic, which dynamically negotiates,
00:26:59 - that's our dynamic desirable, or dynamic auto that we can set
00:27:03 - up on our switch, with the other side. And then we have the trunk.
00:27:07 - So those are all of our options, except for the non-negotiate,
00:27:10 - I haven't set that yet. Now, you can see I'm hesitating on actually
00:27:14 - typing that command in, and the reason why is I'm actually telnetted
00:27:18 - to the 3550, so I don't want to set it from that side, because
00:27:23 - I'll lose my telnet connection. But I do want to set up the trunk
00:27:28 - on this side. I am on the 2950 switch, which is connected to
00:27:32 - that 3550
00:27:34 - on fast ethernet 0/24. Now that I showed you the one minor difference
00:27:38 - between those two, let's get into that interface.
00:27:42 - And let me first off show you, I'll type in switchport trunk,
00:27:46 - and hit the question mark. Notice there is no encapsulation command.
00:27:51 - Like I typed in right there. Switchport trunk encapsulation.
00:27:54 - Because the 2950 only supports 802.1Q.
00:27:59 - So when I want to enable the trunking on this switch, I just
00:28:03 - type in switchport mode trunk, enter. That's all I have to do
00:28:09 - if I don't want to do the non-negotiate. You can see that the
00:28:12 - other side went down, and went up. It will bounce the interface
00:28:16 - when you configure the trunking mode. Now, the other side is
00:28:19 - set to the default, which is dynamic desirable. So this did negotiate
00:28:24 - a trunk with the other side because the switch port mode trunk
00:28:27 - still sends the DTP packets. The one mode that I haven't showed
00:28:31 - you yet is the non-negotiate. And the way we do that is we type
00:28:35 - in switch port, and it's just a command right after that, non-negotiate.
00:28:40 - Which says this will not engage in the negotiation protocol in
00:28:43 - this interface. Enter. At that point, it stops sending the DTP
00:28:48 - packets to the other side. So if you have one of the auto modes
00:28:52 - configured on the other side, it's not going to work, it's not
00:28:55 - going to be able to negotiate a trunk relationship. So my point
00:28:58 - in saying this is if you choose to do non-negotiate, you have
00:29:02 - to do it everywhere on all your switch connections. Native VLAN,
00:29:07 - let's talk about that. I'm going to type in switch port trunk,
00:29:11 - and you can see one of my options is native. Native will set
00:29:15 - the native VLAN that this interface will belong to. So whenever
00:29:19 - it says when it's in trunking mode, it says when I'm receiving
00:29:23 - an untagged packet on this port, I will assign it to, blah. go
00:29:28 - ahead and type your VLAN right there, and that will hard code
00:29:31 - the native VLAN for this interface, if it were to receive untagged
00:29:35 - packets. So let's see, I've got so the encapsulation I showed
00:29:40 - you. The mode, setting switchport mode trunk. I showed you the
00:29:46 - switchport non-negotiate. Oh, one more. Now, this one is a bonus
00:29:51 - for you. A lot of times you will be in environments that you
00:29:57 - set up trunks between your switches, but you don't want all the
00:30:00 - VLANs to flow between them. Now, on other vendor switches, like
00:30:05 - I said, there is no concept of trunking. You actually have to
00:30:09 - set tagged ports. For instance, I just set up an HP switch this
00:30:13 - last weekend, and I had to go in there into the interface and
00:30:16 - say I want to tag VLAN 10, I want to tag VLAN 20, I want to tag
00:30:20 - VLAN 30. I had to set a tag on that port for every single VLAN
00:30:25 - that I wanted to send across it. Now, for me that was kind of
00:30:29 - annoying because there was I think there was 10 or 12 different
00:30:33 - VLANs I had to do that for, on all these different switches.
00:30:35 - Tag this, tag that, tag this, hit the up arrow, change my argument.
00:30:39 - The trunk would have been handy because I could just say trunk
00:30:41 - them all, send them all across. But on the flip side, setting
00:30:46 - tags is kind of good because you only set the tags for VLANs
00:30:50 - that you want to flow between switches. For example
00:30:55 - I have no switch here. Let me draw one up. If I had a switch
00:31:00 - up here, and the switch down here, and the switch up here maybe
00:31:03 - had VLANs 10, 20 and 30, and the switch down here only had VLAN
00:31:08 - 30, well then, there's no use in me sending or tagging VLANs
00:31:12 - 10 and 20 across that trunk port, because there is no VLANs down
00:31:16 - at the bottom. This kind of leads into a discussion of VLAN pruning,
00:31:19 - but if you wanted to manually remove certain VLANs from crossing
00:31:25 - the trunk, then what I could do is I could just type in switch
00:31:28 - port trunk, and follow it up with allowed. And I could say the
00:31:33 - allowed VLANs to cross that trunk, and you can just type in,
00:31:37 - you know, using these arguments, what VLANs you want to send
00:31:40 - across. And it all depends on your environment. You want to send
00:31:43 - them all, go ahead and send them all. If you want to send them
00:31:45 - all except you can use that except keyword. If I don't want to
00:31:48 - send any, then add them in individually, you can use none, and
00:31:52 - then you see where it says word, you can just type in a list
00:31:55 - like I just want to send VLANs 10, 20, 30, across that trunk
00:31:59 - link, and it filters those out. That is in an environment where
00:32:03 - you manually control what VLANs cross what links. Again, that
00:32:08 - would be the way that I would recommend doing it, versus using
00:32:11 - a concept called VLAN pruning, which we're going to talk about
00:32:14 - in just a few moments. Actually, I think we'll talk about that
00:32:17 - in the next video, because I've been talking for a little while.
00:32:20 - So that is your way of pruning out manually what VLANs will cross
00:32:25 - the link. Okay,
00:32:27 - last thing I'll mention is how we can verify what we've just
00:32:31 - done. I'm going to jump back out to privilege mode. Whoops, I
00:32:36 - accidentally entered that command. By the way, this is a huge
00:32:39 - gotcha. I've been in environments where I've typed a command,
00:32:41 - I'm like oh, no, and I want to exit out. If you hit control-Z,
00:32:44 - it will execute whatever command you had typed in before the
00:32:48 - control-Z. Which has devastated me in more than one case. So
00:32:53 - I'm back in privilege mode. If I want to verify this, first off
00:32:56 - the easy way is just to do a show run interface, and what you
00:33:00 - want to see. And I can see from the running configure, there's
00:33:04 - my interface, and exactly the commands I've typed under it, to
00:33:07 - configure the trunk. Now, I can also type in that command, show
00:33:12 - interface, and focus on the interface that I want to see, and
00:33:16 - type in switch port after it. And that will show me what mode
00:33:19 - it's in. You can see administrative mode, trunk. Operational
00:33:23 - mode, trunk. So it is hard-coded to trunk over to the other side.
00:33:28 - Now, I will mention that the other side is set to dynamic, it
00:33:32 - is it is one of those ones that negotiates the trunk. Which I've
00:33:36 - set this side to non-negotiate.
00:33:38 - So that leads the question of why is it a trunk? I thought non-negotiate
00:33:43 - wouldn't negotiate, and they both had to be that way. Well, before
00:33:47 - I had the opportunity to type in non-negotiate, I did type in
00:33:51 - switchport mode trunk. Which sent those DTP packets through the
00:33:55 - other side, and the other side said oh, you want to be a trunk,
00:33:58 - click, and I switched over. Now, if I were to reboot the other
00:34:01 - switch, it would come up and not negotiate, meaning it would
00:34:05 - fail, and end up becoming an access port. And this trunk would
00:34:09 - fail, which leads to a big point of make sure you do that non-negotiate
00:34:13 - on both sides, if you want to do it. The last command isn't as
00:34:17 - handy, in my opinion. It is show interface, and you can type
00:34:22 - in fast ethernet 0/24, followed by trunk. And you'll be able
00:34:26 - to see right there what VLANs are allowed on that trunk, that's
00:34:29 - what we filtered it out. And what encapsulation it's using, what
00:34:33 - your native VLAN is. The reason I would say that's not as handy
00:34:36 - for me is I usually like the show run interface, output to show
00:34:40 - me this. It's a little bit more concise and easy for me to quickly
00:34:43 - see. All right, a lot of good stuff about trunking. Let's hit
00:34:49 - the high points. We saw a trunk is simply a port between two
00:34:54 - switches that leaves the VLAN tag on rather than stripping it
00:34:58 - before it sends it out. The access ports are the ones that strip
00:35:01 - it, so that the computers don't get confused that there's still
00:35:04 - a tag in their frame. We saw the two different flavors of tagging,
00:35:09 - ISL and 802.1Q.
00:35:12 - ISL being deprecated, it's going away, Cisco is removing that
00:35:16 - from all future IOS trains. It's the older one that is in no
00:35:19 - way anywhere near as efficient as 802.1Q. Just look at the size.
00:35:24 - 26 bytes versus 4. We then looked at native VLANs, and native
00:35:30 - VLANs are the concept of receiving an untagged packet on a trunked
00:35:35 - port. It's used if you have a hub in between them, which who
00:35:38 - has that. But it's primarily used for dual VLAN, or multi VLAN
00:35:43 - access ports, which is typically used in IP telephony. Last thing
00:35:48 - we did was walk through the configuration line-by-line and set
00:35:51 - up a trunk port between two switches. I hope this has been informative
00:35:55 - for you, and I'd like to thank you for viewing.

VLANs: VLAN Trunking Protocol

STP: Foundation Per-VLAN Spanning Tree Concepts, Part 1

STP: Foundation Per-VLAN Spanning Tree Concepts, Part 2

STP: Rapid Spanning Tree Concepts and Configuration

EtherChannel: Aggregating Redundant Links

L3 Switching: InterVLAN Routing Extraordinaire

L3 Switching: Understanding CEF Optimization

Redundancy in the Campus: HSRP, VRRP, and GLBP Part 1

Redundancy in the Campus: HSRP, VRRP, and GLBP Part 2

Campus Security: Basic Port Security and 802.1x

Campus Security: VLAN and Spoofing Attacks

Campus Security: STP Attacks and Other Security Considerations

Campus VoIP: Overview, Considerations, and AutoQoS

Wireless LAN: Foundation Concepts and Design Part 1

Wireless LAN: Foundation Concepts and Design Part 2

Wireless LAN: Frequencies and 802.11 Standards

Wireless LAN: Understanding the Hardware

The Switches Domain: Additional Life-Saving Technology

Monitoring: Your Pulse on the Network

Campus Security: VACLs

Please help us improve by sharing your feedback on training courses and videos. For customer service questions, please contact our support team. The views expressed in comments reflect those of the author and not of CBT Nuggets. We reserve the right to remove comments that do not adhere to our community standards.

comments powered by Disqus

Course Features

Speed Control

Play videos at a faster or slower pace.


Pick up where you left off watching a video.


Jot down information to refer back to at a later time.

Closed Captions

Follow what the trainers are saying with ease.

Premium Features

Transcender® Practice Exams

These practice tests help you review your knowledge and prepare you for exams.

Offline Training

Our mobile apps offer the ability to download videos and train anytime, anywhere offline.

Accountability Coaching

Develop and maintain a study plan with assistance from coaches.
Jeremy Cioara

Jeremy Cioara

CBT Nuggets Trainer

Cisco CCNA, CCDA, CCNA Security, CCNA Voice, CCNP, CCSP, CCVP, CCDP, CCIE R&S; Amazon Web Services CSA; Microsoft MCP, MCSE, Novell CNA, CNE; CompTIA A+, Network+, iNet+

Area Of Expertise:
Cisco network administration and development. Author or coauthor of numerous books, including: CCNA Voice 640-461 Official Cert Guide; CCNA Voice Official Exam Certification Guide (640-460 IIUC); CCENT Exam Prep (Exam 640-822); CCNA Exam Cram (Exam 640-802) 3rd Edition; and CCNA Voice 640-461 Official Cert Guide.

Stay Connected

Get the latest updates on the subjects you choose.

  © 2015 CBT Nuggets. All rights reserved. Licensing Agreement | Billing Agreement | Privacy Policy | RSS