Skip to main content
VLAN trunking is a method that allows multiple VLANs to traverse a single physical link between switches or between a switch and another network device. It’s defined under the IEEE 802.1Q standard and is foundational in modern LANs, hypervisors, and cloud networking.

Key Concepts

TermDescription
VLAN (Virtual LAN)A logical segmentation of a Layer 2 network
Access PortBelongs to a single VLAN; used for end devices
Trunk PortCarries traffic for multiple VLANs simultaneously
Native VLANThe VLAN used for untagged frames on a trunk (default = VLAN 1)
802.1Q TagA 4-byte header inserted into Ethernet frames to identify the VLAN ID
Allowed VLANsVLANs permitted on a trunk (others are filtered)

Why Trunking?

Without trunking, each VLAN would need its own physical cable between switches. Trunking allows VLAN tagging, enabling multiple VLANs to share one link.
Example: A single fibre uplink between two switches can carry VLANs 10, 20, and 30 using 802.1Q tagging.

Cisco Configuration Examples

Switch to Switch Trunk Link
SwitchA(config)# interface GigabitEthernet0/1
SwitchA(config-if)# switchport mode trunk
SwitchA(config-if)# switchport trunk allowed vlan 10,20,30
SwitchA(config-if)# switchport trunk native vlan 99
SwitchA(config-if)# description Trunk_to_SwitchB
Verification:
SwitchA# show interfaces trunk
SwitchA# show interface GigabitEthernet0/1 switchport
SwitchA# show vlan brief
Explanation:
  • switchport mode trunk enables 802.1Q tagging
  • allowed vlan defines which VLANs are permitted
  • native vlan defines which VLAN is untagged (commonly changed from VLAN 1 for security)

Native VLAN Security

Security Risks and Mitigations
RiskMitigation
VLAN hopping attacksAvoid VLAN 1 for native VLAN
Untagged frames being misinterpretedUse a dedicated, unused VLAN as native (e.g. VLAN 99)
Management traffic exposureIsolate management VLANs from user VLANs

802.1Q Frame Structure

FieldSize (bytes)Description
Destination MAC6Target host address
Source MAC6Sender address
TPID (Tag Protocol ID)20x8100 identifies 802.1Q
TCI (Tag Control Info)2Contains VLAN ID (12 bits) + Priority bits
EtherType2Identifies payload type
Payload46–1500Frame contents
FCS4Frame Check Sequence

Linux VLAN Trunking Configuration

Create VLAN interfaces using ip command
# Create VLAN interfaces
ip link add link eth0 name eth0.10 type vlan id 10
ip link add link eth0 name eth0.20 type vlan id 20

# Bring them up
ip link set eth0.10 up
ip link set eth0.20 up

# Assign IP addresses
ip addr add 192.168.10.1/24 dev eth0.10
ip addr add 192.168.20.1/24 dev eth0.20

Proxmox / Virtualised Lab Example

In homelabs or hypervisors like Proxmox VE, VLAN trunking allows VMs to connect to multiple VLANs through tagged interfaces.

Proxmox Bridge Configuration

Example /etc/network/interfaces: 
auto vmbr0
iface vmbr0 inet static
    address 192.168.99.10/24
    gateway 192.168.99.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
In VM settings:
  • Assign vmbr0 as the network bridge
  • Set VLAN tag under “Hardware → Network Device → VLAN Tag”

VLANs in AWS VPCs (Analogy)

While AWS doesn’t expose VLANs directly, similar isolation concepts exist:
ConceptCisco EquivalentPurpose
VPCVLAN / VRFLogical network isolation
SubnetVLAN segmentIP range within a VPC
Route TableL3 RoutingDetermines inter-subnet connectivity
AWS uses software-defined networking rather than traditional VLANs, but the isolation principles are similar.

Lab Exercise

1

Setup Topology

Use two switches (physical or virtual)
2

Create VLANs

Create VLANs 10, 20, and 99
3

Configure Trunk

Configure GigabitEthernet0/1 as a trunk between them
4

Assign Access Ports

Assign ports:
  • 0/10–0/12 as VLAN 10
  • 0/13–0/15 as VLAN 20
5

Verify Configuration

Use show interfaces trunk and show vlan brief to verify
6

Test Isolation

Test inter-VLAN isolation (ping between VLANs should fail unless routed)

Troubleshooting Commands

# Display VLAN membership
show vlan brief

# List trunked ports and allowed VLANs
show interfaces trunk

# Detailed port mode and VLAN config
show interfaces switchport

# Verify MAC addresses learned per VLAN
show mac address-table

Best Practices

Change Native VLAN

Use a dedicated unused VLAN (not VLAN 1) as native VLAN

Limit Allowed VLANs

Only allow necessary VLANs on trunk ports

Document Configuration

Maintain clear documentation of VLAN assignments

Use Descriptive Names

Add descriptions to all trunk and access ports

Isolate Management

Keep management VLAN separate from user VLANs

Monitor Trunk Utilization

Monitor trunk links for congestion

Further Reading

Build docs developers (and LLMs) love

Get started for freeTalk to us