Employers know that CCNP-certified job applicants have a real-world knowledge of networking.  They also know that Cisco awards big discounts to companies that hire Cisco-certified staff. 

After watching Jeremy Cioara's new CCNP 642-813 SWITCH training, you'll be a master-level consultant on Cisco switched networks. You'll also have brighter career prospects and be an important step closer to CCNP certification.

Jeremy covers everything you ever wanted to know about switching in this update to his existing BCMSN course.  In no time, you'll be designing your network for maximum uptime and preparing it for advanced services like WiFi, VoIP and Video over IP. 

Jeremy's training maps to Cisco CCNP certification exam 642-813.
1. Welcome to Cisco Switch: Watch Me First! (17 min)
2. The Switches Domain: Core Concepts and Design (42 min)
3. VLANs: Configuration and Verification (13 min)
4. VLANs: In-Depth Trunking (35 min)
5. VLANs: VLAN Trunking Protocol (33 min)
6. STP: Foundation Per-VLAN Spanning Tree Concepts, Part 1 (23 min)
7. STP: Foundation Per-VLAN Spanning Tree Concepts, Part 2 (34 min)
8. STP: Rapid Spanning Tree Concepts and Configuration (24 min)
9. EtherChannel: Aggregating Redundant Links (24 min)
10. L3 Switching: InterVLAN Routing Extraordinaire (28 min)
11. L3 Switching: Understanding CEF Optimization (16 min)
12. Redundancy in the Campus: HSRP, VRRP, and GLBP Part 1 (43 min)
13. Redundancy in the Campus: HSRP, VRRP, and GLBP Part 2 (23 min)
14. Campus Security: Basic Port Security and 802.1x (32 min)
15. Campus Security: VLAN and Spoofing Attacks (31 min)
16. Campus Security: STP Attacks and Other Security Considerations (15 min)
17. Campus VoIP: Overview, Considerations, and AutoQoS (44 min)
18. Wireless LAN: Foundation Concepts and Design Part 1 (26 min)
19. Wireless LAN: Foundation Concepts and Design Part 2 (22 min)
20. Wireless LAN: Frequencies and 802.11 Standards (34 min)
21. Wireless LAN: Understanding the Hardware (30 min)
22. The Switches Domain: Additional Life-Saving Technology (22 min)
23. Monitoring: Your Pulse on the Network (45 min)
24. Campus Security: VACLs (14 min)

VLANs: In-Depth Trunking


So I'm going to continue on in our VLAN subseries here, as we talk about in-depth trunking. I don't know why that just sounded funny to me. Sounded like something you would do on the weekend. I'm going to go trunking this weekend. Trunking is the process of connecting your switches together, and allowing them to send VLAN information between each other. We'll start off by talking about a review of that concept, as in how it actually happens. And then we'll get a little bit more in depth than in the CCNA days and explore an ISL, an 802.1Q frame, and see what is better about one or the other, and why 802.1Q is currently the standard. Then we'll look at native VLANs. You've probably seen on the Cisco switch at some point, native VLAN mismatch. We'll talk about what that is, and why we would use native VLANs today. Then of course, we'll go into the live interface and set up a trunk between our two switches. Let's get going.

To make sure we're all on the same page, let's do a little bit of review about the foundations of trunking. The fact is this: Computers have no idea what VLAN they belong to. We just finished talking about VLANs, but this is not a computer thing. You don't go to each PC and say you are part of VLAN 3. Rather, you go to the switch and you say that port belongs to VLAN 3. So whenever a device, let's add another computer here, let's say a device over here on VLAN 3 sends a broadcast. It comes into the situation, and inside of the switch it says okay, let me put a little tag on this packet, this frame, to say this belongs to VLAN 3. But before that broadcast ever gets sent out, it strips the tag off. So that when this computer gets it, it just sees that it's another frame. It doesn't realize, oh, that was originally tagged as belonging to VLAN 3. Because if the tag was left on, the computer would drop it. It would say that's not a good packet because there's this little, you know, tag that I don't know what that is.

So when you think about trunking, trunking is just a port that leaves the tag on. Think of it this way. If you go in the trunk of your car, well, maybe yours isn't as bad as mine, if you were to go in the trunk of my car, you know what you'd find? Everything. Burgers from like two years ago that I got stuffed into some corner and I forgot about them. Blankets, emergency kits, some tow cables, some battery charging cables, all just stuff is in my trunk. Can never fit anything in there, because everything is in there. And that's what this trunk does, is it passes everything, all VLAN traffic crosses that trunk, and it crosses it without removing the tag. So when this blue computer in VLAN 3 sends a broadcast, it comes out this port untagged, but moves across the trunk with the tag still on it. So that when switch B gets it, it's able to look and go oh, that belongs to VLAN 3. Let's go ahead and remove the tag and just send it out to this blue computer down here, because it's part of the same VLAN.

Trunking, I think I mentioned this before, trunking is a Cisco term. No other vendor calls those links trunks. Everybody else seems to call them tagged ports. Which, in my opinion, is a little more accurate, because that's the only thing that happens is the tags are not removed when it's sent across. Now, trunking is solely a layer 2 feature. This is not anything dealing with inter-VLAN routing, there's no layer 3 tags that are put in place. This is all done down at the data link layer.


So now we know what a trunk is, let's talk about the two ways that we can set them up. The two tagging flavors, spelled with an o-u for my friends out there in Great Britain. First one is ISL. ISL is Cisco's way of tagging a packet, or, more accurately said, encapsulating a packet before it's sent across the trunk. Now, the way the history goes is that Cisco was one of the first vendors to the game with VLANs, and they were the first to implement VLAN technology in their switches, before there was really a good industry standard language. There was 802.1Q back then, but it just wasn't that good. So Cisco created their own, called ISL, and anytime you create something that's your own it is proprietary, that only works between Cisco switches.

Now, the difference between ISL and dot 1Q is that ISL encapsulates the entire frame before it goes out of the trunk. So imagine this. You've got a VLAN 3 packet or broadcast that came in, and the Cisco switch realizes, oh, I go across the trunk. So it creates a brand new header, puts it on the front. A brand new trailer, puts it on the very end. And sends the frame unchanged, outside of the new stuff that it just added to the front and added to the end, across the trunk link to the other side.

Now, let's compare that to the 802.1Q, which nowadays is known as a tagging solution, rather than an encapsulation solution. The frame comes in, the switch says, oh, you're in VLAN 3 and you've got to go across the trunk. So instead of putting on a brand new header it just, swish, inserts a little shim. That's what I call it, anyway. A little tag, right behind the source MAC address field in the header. We'll look at this a little bit more in a bit. And then just recalculates the CRC on the end of the packet to reflect that new tag that it put in there.

Because of how 802.1Q tags the packet, it is now considered the better method. Meaning back in the day when it was first developed, it wasn't good, it was a lot of overhead, it didn't support that many features. But nowadays it's been revised, or revised to where it is just way better than ISL. And because of that, Cisco said okay, ISL has done its job, let's get it out of here. And they are phasing it out of all their switches. As a matter of fact, if you buy a brand new 2950 switch, you don't even have the option to do ISL anymore. It just does dot 1Q. Some of the bigger switches, like 3500 or 3750 or 6500, those kind of switches, still support both languages, so it can kind of bridge in the legacy technology.

Let me dig a little deeper into the standards and show you just how much better 802.1Q is. Take a look at this. We've got ISL encapsulation, right? And as I mentioned before, we've got our ethernet frame over here where that was the original one, it is totally unchanged, layer 2, layer 3, all this stuff is just as it was sent originally from the PC. As it's going across the switch link, or trunk link, between two switches like this, right before it's sent, the switch will slap on this 26 byte header. Now, the VLAN tag is only 16 bits. Really small, two bytes of information, right? Of 26 bytes. And if you were to look inside of here, you would see in a packet trace a ton of junk in that header, followed by a little two byte VLAN tag, and then another ton of junk right behind it.

When ISL was developed, Cisco had a lot of other intentions for it. They have junk that includes like the source MAC address of the switch, destination MAC address of the other switch, there's some CDP stuff in there, there's some BPDU stuff, you know, the language that switches use to negotiate spanning tree protocol is in there. They just had a lot of intentions for ISL, and they were like this thing is going to really be able to do a lot. But eventually, ISL evolved to just a tagging language, and we don't need all that junk. But it's still on there. It follows it up with a brand new 4 byte CRC. That's in addition to the normal CRC that's on the end of this frame. A lot of people call it the frame check sequence, but that's unchanged, it just gets encapsulated.

Now let's look down here. Oh, so much better. 802.1Q just slides in a little 4 byte shim. This is what I was talking about. By the way, if you haven't heard of a shim, they're great things. You get them from Home Depot. They're just a little chunk of wood like this, you buy them in packs of like 20 shims. And those things are great, you know, your refrigerator, that kind of rocks back and forth, you just slide a shim under it, and it fixes it. That's why I call these things shims, you just slide these shims everywhere. I've got like 20 of them just sitting around my house, random places. Filing cabinets, my car has a shim under it, there's all kind of stuff. So when you're talking about shims, that's what I mean, is it kind of slides a little shim into the existing frame.

It doesn't add a new header, doesn't add a new trailer. What it does is it slides in a little 4 byte tag. Now, you might be thinking well, I thought the VLAN tag was just 2 bytes. It is. Inside of there is the VLAN information, there's your 2 bytes, there's also a 3 bit PRI value. Priority value. Now, a lot of people call that the class of service field, or COS. That's used for quality of service markings across the trunk, and that is a very valuable field that we need. There's some other stuff in there, too, it's not really junk, I would say, but, you know, it ends up comprising 4 bytes total. There's some stuff in there that allows it to support token ring VLANs and things like that. But it does not add any new headers, it just, right after the original destination and source MAC address, whoosh, there's the shim. And that is inserted as it goes across the trunk, and removed as soon as it gets to the other side, before it's sent out to the actual clients receiving those frames.


Okay. So you get your trunks set up with 802.1Q, it's the better tagging language, and all of a sudden you get these messages. They're coming across your Cisco switch, and they're saying native VLAN mismatch detected on port dat, dat, dat. Native V... it just keeps happening, native VLAN mismatch, native VLAN mismatch. You won't have to be in Cisco long, give it a few months, of just working with switches, before you're guaranteed to eventually see a message that says native VLAN mismatch. So what is the deal with the native VLAN? What does this mean? Well, this is a concept that they created for 802.1Q. You won't run into this problem with ISL, because there is no such thing as the native VLAN over there.

Native VLANs are good if you use them correctly. Here's the idea behind the native VLAN, the way it was originally designed. Over on the left we've got a couple computers in VLAN 15, and a computer in VLAN 1. Over on the right we've got a switch with a couple of computers in VLAN 15, and a computer in VLAN 1. And because we're talking technology of 10 years ago or so, in the middle here we have these two switches connected through a hub. That's what this mystical device in the middle is. Now, this was a reality back then. I know you're thinking, well, we don't use hubs nowadays, or I would never use one. But this was a common reality that we had to deal with, is that switches were trunked through a hub, and maybe there were some devices on that hub.

Well, these computers are sending in packets, just like they always do, that's what computers do. And they're being received on the trunk links of these switches. Well, trunk links, by definition, should only send tagged packets. That's what they do, when they put their little shims in before they send it. So what's a trunk link to do when it receives an untagged packet, that's these guys, on a trunk link? That's what the native VLAN is for. It is a configuration that you can apply to a trunk port that says if I do happen to receive an untagged packet on this link, then I will assign it automatically to VLAN, blah, and that's the native VLAN. Now, when you plug in switches together and they have mismatched native VLANs, one maybe is native VLAN 10 and the other is native VLAN 1, that's where you get that message. It's going to say native VLAN mismatch on dat, dat, dat, dat. So that's what the native VLAN is for.
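
An added example, not part of the course transcript: a Python sketch of the 802.1Q tag insert and strip described above, plus the native VLAN rule for untagged frames. It uses the IEEE 802.1Q layout (a 2-byte 0x8100 tag identifier, then 3-bit priority, 1-bit CFI and 12-bit VLAN ID); the function names and the sample frame are constructed for illustration.

```python
import struct
import zlib

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def fcs(body):
    """Ethernet frame check sequence: CRC-32 of the frame, sent low byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload):
    """Build an untagged Ethernet frame with a valid FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def add_tag(frame, vlan, pri=0):
    """Insert the 4-byte tag after the source MAC and recompute the FCS."""
    if not 1 <= vlan <= 4094 or not 0 <= pri <= 7:
        raise ValueError("VLAN ID is 12 bits (1-4094), priority is 3 bits")
    tci = (pri << 13) | vlan  # 3-bit PRI, 1-bit CFI (left 0), 12-bit VLAN ID
    body = frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:-4]
    return body + fcs(body)


def strip_tag(frame):
    """Return (vlan, pri, untagged_frame); vlan is None if there was no tag."""
    if len(frame) < 18 or frame[-4:] != fcs(frame[:-4]):
        raise ValueError("short frame or bad FCS")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    body = frame[:12] + frame[16:-4]
    return tci & 0x0FFF, tci >> 13, body + fcs(body)


def trunk_send(frame, vlan, native_vlan, pri=0):
    """Trunk egress: native VLAN traffic leaves untagged, everything else tagged."""
    return frame if vlan == native_vlan else add_tag(frame, vlan, pri)


def trunk_receive(frame, native_vlan):
    """Trunk ingress: an untagged frame is assigned to the native VLAN."""
    vlan, _pri, inner = strip_tag(frame)
    return (native_vlan if vlan is None else vlan), inner


# Constructed sample: a broadcast from a locally administered MAC, 46-byte payload.
FRAME = build_frame(b"\xff" * 6, bytes.fromhex("020000000001"), 0x0800, bytes(46))


def demo_mismatch():
    """Switch A uses native VLAN 10, switch B uses native VLAN 1."""
    on_wire = trunk_send(FRAME, vlan=10, native_vlan=10)   # leaves A untagged
    vlan_at_b, _ = trunk_receive(on_wire, native_vlan=1)   # B files it in VLAN 1
    return vlan_at_b


if __name__ == "__main__":
    tagged = add_tag(FRAME, 3, pri=5)
    print("tag bytes:", tagged[12:16].hex())
    print("VLAN 10 frame arrives at B in VLAN", demo_mismatch())
```

With mismatched native VLANs the frame that left VLAN 10 is delivered into VLAN 1 on the far side, which is why the mismatch message deserves attention rather than dismissal.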


Now, I know you might be thinking, well, okay, I get what a native VLAN does now, it just takes untagged packets and puts them in a VLAN, so if it was in VLAN 1, then these guys would be assigned to the same VLAN as these guys, even though they're connected to a hub in the middle of the trunk link. But Jeremy, why on earth would I put a hub in our networks nowadays? The answer is you wouldn't. But this concept has been brilliantly applied to voice over IP.

Here's the world. We've got the switch now able to connect to a phone, right? And the phone has a switch port in the back of it that connects it to a computer. This is a common configuration in the voice over IP world, because it keeps you from having to run two ethernet drops to every single cubicle in your environment. I mean, you only have one for the computer, why would I want to rewire my company to have a second for the phone. But the problem is, you don't ever want your phone and your PC on the same VLAN. That's not only a huge performance concern, because if people start doing heavy file transfers or something like that, in the middle of a phone call, it could end up degrading the service. But also, it is a problem with security. There's already programs out there that allow you to sniff voice packets and convert them to wave files, so you want to separate these two devices on to separate VLANs. Maybe put VLAN 10, and VLAN 20.

But how is that possible? Well, the way it works is you run kind of a small version of a trunk from that switch to the phone. Of course, you're using Cisco IP phones, because they're the best, and that phone has the ability to understand and send tagged packets. So you're sitting there on the phone, right? Imagine yourself, you're talking into the phone saying hi, mom, how are you doing. And the phone automatically, as your voice (that's the voice, aaah) enters that handset and sends it on to the wire, it is tagging each one of those voice packets with VLAN 10. So since this switch port is configured as the trunk, it's saying oh, great. I'll go ahead and put those packets, that are tagged into VLAN 10, into VLAN 10, and send them on their way with appropriate quality of service.

Now, what about the computer, is it tagging its packets? No way. Computers can't tag packets. They don't even know what a tag is. So it's just sending packets untagged. Ah. So the trunk port is now receiving untagged packets. Hm. That sure sounds like this setup up here. Where we had a hub in the middle, and these computers were sending untagged packets, and it would make them a member of the native VLAN. And that's how it applies today. We use the native VLAN in this kind of situation. The computer doesn't know it's part of VLAN 20. We just set the native VLAN on the trunk to be VLAN 20, so whenever the computer sends packets that are untagged, it's received by the switch and it assigns them to the appropriate VLAN for the data computers. Isn't that cool? I love that. That's one of my favorite voice over IP topics. It really is an excellent way to separate devices even though they're plugged into the same switch port.

All right, let's get into the real meat of trunking, and then we'll get into the config. Cisco and just about every other vendor use a protocol that negotiates trunk links called the dynamic trunking protocol, or DTP. This allows you to have multiple switches connected together that will be able to recognize each other and say oh, you're a switch. Well, let's just get a trunk going on. And they'll auto-negotiate a trunk between them. Now, DTP goes against every fiber of my being. First off, because I have a rule with switches. Anything that's auto-negotiated, you "auto" not use it. Because it causes problems. For example, if you dealt with Cisco switches, or any vendor switches for awhile, you probably know about auto-negotiate speed and duplex. There's a lot of problems that happen with that. And the same thing with this, auto-negotiating trunks is just a bad idea. It's confusing, number one. But number two, it provides huge security worries and problems in a network environment.


Let me explain. There's five different modes that you can set a port into as it deals with trunking. If you set it to access mode, you will have a diagram that looks something like this. If I were to set a port to an access port, then whatever device that's plugged into it is considered an access layer device.


It is not a trunk, it can only access a single VLAN. So if I assign that port to VLAN 50, then that device is on VLAN 50. Now, what if somebody took that off and plugged in a switch? Well, no problem. Because it's on VLAN 50. Every port on that switch is part of VLAN 50. It is not a trunk, and there is no way for it to become a trunk, even if the other side wanted to.


The danger, in my opinion, is that every single switch, when you pull it out of the box, fresh from Cisco, is in a mode known as dynamic desirable. What that means is that this port is not a trunk, necessarily, and it's not an access port, necessarily, but it will negotiate with whatever you plug into the other side and either become an access port, if you plug in a PC, or become a trunk if you plug in a switch. Yikes. Every port is dynamic desirable out of the box, which Cisco's intentions were good, that allows it to just work when you pull it out of the box. If you plug it into another switch, it's a trunk. If you plug it into a PC it's an access port.

But here's the problem. What if somebody in their cubicle decides to pull out a Cisco switch, and they're like hey, let's just plug it in and see what happens. Well, if they plug it into their cubicle wall, it then becomes a trunk link, allowing them to assign whatever ports they have on that switch to whatever VLAN your organization has. So that totally undermines all securities that VLANs provide. They can just add themselves to the server VLAN and have direct access to the servers without any sort of access list or firewall between them. That is an enormous security violation.

So let me first off show you this. I want to show you how you can determine what mode the port is in on a switch. I'm sitting on a switch right here, I'm going to get into privileged mode and I'll do a show CDP neighbors, and you can see I've got this switch which is connected to a whole bunch of Catalyst 2950 switches. Now, you might be saying well, Jeremy, do you need that many switches for this? No. I just wanted to hook them all up because it's kind of fun, and I had to upgrade the IOS on them anyway, so why not. So if I wanted to view what mode, we'll say, this port is in on my switch, which is connected to another switch, I can type in show interface, fast ethernet 0/21, and you follow that up with a command switchport. Not many people know about that little modifier there. And when you hit enter, you'll see the administrative mode that it's in, that's what you've set it to as an administrator, which by default is dynamic desirable, and then operational mode will tell you what it's negotiated with the other side. Right now I've got it connected to another switch, so it negotiated a trunk port. That's the danger.

So you can see that if we hardcode them as access ports, they will only belong to one VLAN, and that is what I highly recommend you do for every switch port that connects to a PC or a router or anything that's not going to be a trunk. If we leave it as the default, it will be set to dynamic desirable. Which means it will dynamically change modes, and it desires to be a trunk. Now, what if it's set to dynamic auto? What that means is it will automatically change between a trunk port or an access port, but it's not going to try to be a trunk. Meaning it's not going to send any DTP packets saying please make me a trunk. So what that means is if you, excuse me, have both sides set to auto, on a switch, they will not become a trunk together. And that to me is why this is just confusing. Dynamic desirable means that they desire to be a trunk, and they will be a trunk if they detect another switch attached. But if they're auto on both sides, then that means neither one is going to send a packet saying I'd like to be a trunk, so they'll both stay as access ports.

So what does that mean if one side is auto and the other side is desirable? Well, if that's the case, it will become a trunk. Because this side will say I'd like to be a trunk, and since this is set to auto, it will say oh, well, I'm in auto, so I'll be a... holy cow, I just threw my pen across the room. It says I will be auto with you. Or I will be a trunk with you. So it will negotiate a trunk with the other side, and that will end up being a trunk.

So what's the trunk mode, then, right? Well, with all of these different modes, trunk is where it will be a trunk, it is set: I am trunking, I am set to on, if a computer plugs in I will not be able to communicate with it because I am a trunk, and I am set to on. And here's the big difference: I am sending DTP packets. Meaning I am a trunk, and I'm set to on, and I will tell the other side I want to be a trunk, so if it's set to auto, if it's set to desirable, if it's set to trunk, it doesn't matter, we will become a trunk. So if you set it to trunk mode and the other side is any one of those, it will become a trunk.

The last one is non-negotiate. Non-negotiate is where you've set it to be a trunk, and it will not send out DTP packets. In my opinion, that is the most efficient mode that you want to put it in, because you want... remember, auto, not use it, don't use auto-negotiate, auto equals bad. I would recommend you set these to be trunk non-negotiate. That means that you know exactly where your other switches are attached. That means if you've got a switch, and you do a show CDP neighbors, I'm going to hit the up arrow, you can see this is a switch, this is a switch, this... you can go down that list, and determine exactly what your switch ports are. You hardcode them to be trunk ports and then you set them to non-negotiate, so you don't waste any overhead by sending out these DTP packets. Likewise, the other reason I prefer, and I should also mention Cisco prefers, the non-negotiate mode, is if somebody were to mistakenly (and let me go choop, choop) plug in a computer into that trunk port, the switch is not going to send DTP packets to the computer.


Because, guess what, DTP can be spoofed. The dynamic trunking protocol, you can engineer a packet, if you were a malicious intruder and you plug into a port that's set to trunk mode, all you need to do is open your packet sniffer, Ethereal or something like that, and see that DTP packets are being sent. And you go aha, DTP packets are being sent, let me go out and set mine to mirror these DTP packets, and your computer can start trying to emulate those, and negotiate a trunk with the other side. And it's only a matter of time before somebody hacks into the network. So non-negotiate is the most secure, and the most, I guess you could say, solid way to do this, because you know exactly what ports are set to trunking, and only those ports will negotiate a trunk.

Difficulty of trunks is mainly in the concepts. Because they're really not too bad to configure. Let's set up a trunk. I'm going to do my show CDP neighbors, again, just to show you the different devices that I have. The first one I want to set it up on is a 3550. Because you'll see the config is slightly different than the 2950 that I'm sitting on right now. The reason why is because the 3550 supports both ISL and 802.1Q. So let me just telnet over to the 3550, and I can see the 3550 is connected to me, this switch that I was on right here, on its fast ethernet 0/15. So let's get in there. Fast ethernet 0/15. What I'm going to do is type in switch port, trunk, encapsulation, and then you get to choose what kind of encapsulation would you like to use. And you can see that I have dot 1Q and ISL at my disposal. You can also negotiate the encapsulation with the other side, but again, you "auto" not do that. So I'm going to type in dot 1Q, which is the 802.1Q standard.

Once I do that, I can then type in switch port, mode, and then follow that up with trunk. As soon as I do that, it is now hard coded to be a trunk unconditionally. Now, remember, that will start sending the DTP packets, it will still try to negotiate it with the other side, if it is in an auto sort of mode. But the trunk is hard-coded and the good news about that is if I plug in a PC it's not going to work. This means that it is dedicated to go to a switch. You can also see some of the other ones, like an access port, that's how you set it to be an access port. Dynamic, which dynamically negotiates, that's our dynamic desirable, or dynamic auto that we can set up on our switch, with the other side. And then we have the trunk. So those are all of our options, except for the non-negotiate, I haven't set that yet.

Now, you can see I'm hesitating on actually typing that command in, and the reason why is I'm actually telnetted to the 3550, so I don't want to set it from that side, because I'll lose my telnet connection. But I do want to set up the trunk on this side. I am on the 2950 switch, which is connected to that 3550 on fast ethernet 0/24. Now that I showed you the one minor difference between those two, let's get into that interface. And let me first off show you, I'll type in switchport trunk, and hit the question mark. Notice there is no encapsulation command. Like I typed in right there. Switchport trunk encapsulation. Because the 2950 only supports 802.1Q. So when I want to enable the trunking on this switch, I just type in switchport mode trunk, enter. That's all I have to do if I don't want to do the non-negotiate. You can see that the other side went down, and went up. It will bounce the interface when you configure the trunking mode. Now, the other side is set to the default, which is dynamic desirable. So this did negotiate a trunk with the other side because the switch port mode trunk still sends the DTP packets.

The one mode that I haven't showed you yet is the non-negotiate. And the way we do that is we type in switch port, and it's just a command right after that, non-negotiate. Which says this will not engage in the negotiation protocol in this interface. Enter. At that point, it stops sending the DTP packets to the other side. So if you have one of the auto modes configured on the other side, it's not going to work, it's not going to be able to negotiate a trunk relationship. So my point in saying this is if you choose to do non-negotiate, you have to do it everywhere on all your switch connections.

Native VLAN, let's talk about that. I'm going to type in switch port trunk, and you can see one of my options is native. Native will set the native VLAN that this interface will belong to. So when it's in trunking mode, it says when I'm receiving an untagged packet on this port, I will assign it to, blah. Go ahead and type your VLAN right there, and that will hard code the native VLAN for this interface, if it were to receive untagged packets. So let's see, I've got... so the encapsulation I showed you. The mode, setting switchport mode trunk. I showed you the switchport non-negotiate.

Oh, one more. Now, this one is a bonus for you. A lot of times you will be in environments that you set up trunks between your switches, but you don't want all the VLANs to flow between them. Now, on other vendor switches, like I said, there is no concept of trunking. You actually have to set tagged ports. For instance, I just set up an HP switch this last weekend, and I had to go in there into the interface and say I want to tag VLAN 10, I want to tag VLAN 20, I want to tag VLAN 30. I had to set a tag on that port for every single VLAN that I wanted to send across it. Now, for me that was kind of annoying because there was, I think there was, 10 or 12 different VLANs I had to do that for, on all these different switches. Tag this, tag that, tag this, hit the up arrow, change my argument. The trunk would have been handy because I could just say trunk them all, send them all across.

But on the flip side, setting tags is kind of good because you only set the tags for VLANs that you want to flow between switches. For example, I have no switch here. Let me draw one up. If I had a switch up here, and the switch down here, and the switch up here maybe had VLANs 10, 20 and 30, and the switch down here only had VLAN 30, well then, there's no use in me sending or tagging VLANs 10 and 20 across that trunk port, because there are no VLANs down at the bottom. This kind of leads into a discussion of VLAN pruning, but if you wanted to manually remove certain VLANs from crossing the trunk, then what I could do is I could just type in switch port trunk, and follow it up with allowed. And I could say the allowed VLANs to cross that trunk, and you can just type in, you know, using these arguments, what VLANs you want to send across. And it all depends on your environment. You want to send them all, go ahead and send them all. If you want to send them all except, you can use that except keyword. If I don't want to send any, then add them in individually, you can use none, and then you see where it says word, you can just type in a list like I just want to send VLANs 10, 20, 30, across that trunk link, and it filters those out. That is in an environment where you manually control what VLANs cross what links. Again, that would be the way that I would recommend doing it, versus using a concept called VLAN pruning, which we're going to talk about in just a few moments. Actually, I think we'll talk about that in the next video, because I've been talking for a little while.


So that is your way of pruning out manually what VLANs will cross the link. Okay, last thing I'll mention is how we can verify what we've just done. I'm going to jump back out to privilege mode. Whoops, I accidentally entered that command. By the way, this is a huge


gotcha. I've been in environments where I've typed a command, I'm like oh, no, and I want to exit out. If you hit control-Z, it will execute whatever command you had typed in before the control-Z. Which has devastated me in more than one case. So I'm back in privilege mode. If I want to verify this, first off


the easy way is just to do a show run interface, and what you want to see. And I can see from the running configure, there's my interface, and exactly the commands I've typed under it, to configure the trunk. Now, I can also type in that command, show interface, and focus on the interface that I want to see, and type in switch port after it. And that will show me what mode


it's in. You can see administrative mode, trunk. Operational mode, trunk. So it is hard-coded to trunk over to the other side. Now, I will mention that the other side is set to dynamic, it is it is one of those ones that negotiates the trunk. Which I've


set this side to non-negotiate. So that leads the question of why is it a trunk? I thought non-negotiate wouldn't negotiate, and they both had to be that way. Well, before I had the opportunity to type in non-negotiate, I did type in switchport mode trunk. Which sent those DTP packets through the


other side, and the other side said oh, you want to be a trunk, click, and I switched over. Now, if I were to reboot the other switch, it would come up and not negotiate, meaning it would fail, and end up becoming an access port. And this trunk would fail, which leads to a big point of make sure you do that non-negotiate on both sides, if you want to do it. The last command isn't as


handy, in my opinion. It is show interface, and you can type in fast ethernet 0/24, followed by trunk. And you'll be able to see right there what VLANs are allowed on that trunk, that's what we filtered it out. And what encapsulation it's using, what your native VLAN is. The reason I would say that's not as handy


for me is I usually like the show run interface, output to show me this. It's a little bit more concise and easy for me to quickly see. All right, a lot of good stuff about trunking. Let's hit the high points. We saw a trunk is simply a port between two


switches that leaves the VLAN tag on rather than stripping it before it sends it out. The access ports are the ones that strip it, so that the computers don't get confused that there's still a tag in their frame. We saw the two different flavors of tagging,


ISL and 802.1Q. ISL being deprecated, it's going away, Cisco is removing that from all future IOS trains. It's the older one that is in no way anywhere near as efficient as 802.1Q. Just look at the size. 26 bytes versus 4. We then looked at native VLANs, and native VLANs are the concept of receiving an untagged packet on a trunked port. It's used if you have a hub in between them, which who


has that. But it's primarily used for dual VLAN, or multi VLAN access ports, which is typically used in IP telephony. Last thing we did was walk through the configuration line-by-line and set up a trunk port between two switches. I hope this has been informative
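Added example, not part of the video or its transcript: a small Python audit of the two ends of a trunk link for the points made above (DTP turned off on one side while the peer is still dynamic, and a trunk with no allowed-VLAN list). The two configurations are constructed samples, and the function names are this example's own.

```python
import re

# Constructed sample configs for the two ends of one link (not from the video).
SW1 = """interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
"""
SW2 = """interface FastEthernet0/24
 switchport mode dynamic desirable
"""
ALLOWED = "switchport trunk allowed vlan "

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def port_facts(cmds):
    """Summarise trunk-related settings; an unset mode is treated as dynamic."""
    facts = {"mode": "dynamic", "nonegotiate": False, "allowed": "all"}
    for cmd in cmds:
        m = re.fullmatch(r"switchport mode (access|trunk|dynamic \w+)", cmd)
        if m:
            facts["mode"] = m.group(1).split()[0]
        elif cmd == "switchport nonegotiate":
            facts["nonegotiate"] = True
        elif cmd.startswith(ALLOWED):
            facts["allowed"] = cmd[len(ALLOWED):]
    return facts

def audit_link(local, remote):
    """Return findings for the local end, given the facts for both ends."""
    findings = []
    if local["mode"] == "trunk":
        if local["nonegotiate"] and remote["mode"] == "dynamic":
            findings.append("peer is dynamic but DTP is off here: "
                            "trunk fails once the peer has to renegotiate")
        if not local["nonegotiate"]:
            findings.append("DTP still running on a hard-coded trunk")
        if local["allowed"] == "all":
            findings.append("no allowed-VLAN list: every VLAN crosses this trunk")
    elif local["mode"] == "dynamic":
        findings.append("port negotiates trunking via DTP; hard-code the mode")
    return findings
```
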

Intermediate 11 hrs 24 videos


Jeremy Cioara
Nugget trainer since 2003