Vlan Trunking

Scenario:

Two switches are connected together and need to carry traffic for multiple VLANs across the single uplink between them. This post shows how to configure VLAN trunking for that link and, at the same time, how to follow the best practices for doing so.

Explanation:

If you have managed switches in a network, chances are VLANs are configured to divide the traffic up logically. Even though the VLANs are logically separate, most of the time you will still need a common uplink port to carry the traffic of several VLANs back to a distribution switch. Carrying more than one VLAN over a single physical connection requires VLAN trunking: each frame crossing the link is tagged with the VLAN it belongs to, so the switch at the far end can place it back into the correct VLAN.

Compatibility:

There are two protocols available for VLAN trunking on Cisco switches: ISL encapsulation and 802.1Q encapsulation. ISL (Inter-Switch Link) is Cisco proprietary; 802.1Q is the IEEE standard and interoperates with any vendor's equipment. There are few reasons left to use ISL. Newer Cisco platforms support only 802.1Q, and Cisco has put ISL on the path to retirement, which is one more reason not to build new trunks on something already on the 'to be retired' list.

Implementation:

Most Cisco switches that are connected together with default port configurations will use the Dynamic Trunking Protocol (DTP) to negotiate trunking parameters and bring the link up as a trunk automatically. That is a good reason not to connect two switches together before configuring the switchports, and it is also a security problem: any device that speaks DTP, plugged into a port left at its default, can negotiate a trunk with the switch and then reach every VLAN instead of just the one assigned to that port. Always configure switchports for trunking manually and never rely on negotiation. The command switchport mode trunk tells the port that it should trunk unconditionally, and switchport nonegotiate stops it from sending DTP frames at all. Ports that face end hosts should be hard-set to switchport mode access. Before the mode command is accepted, one parameter has to be set first: the encapsulation type. For 802.1Q the command is switchport trunk encapsulation dot1q. If switchport mode trunk is issued before the encapsulation is configured on a switch that supports both ISL and 802.1Q, IOS rejects the command with an error, because the encapsulation is still at its default of negotiate. Switches that support only 802.1Q do not have the encapsulation command at all; on those, go straight to the mode command.

Tuning:

This section is partially about traffic optimization over trunks and partially about security.

Every trunk has a 'native' VLAN whose frames are sent untagged. By default the native VLAN on a trunk link is VLAN 1, and VLAN 1 is also where the switch's own control-plane protocols live: CDP, VTP, DTP, PAgP and the spanning-tree BPDUs for VLAN 1. As a best practice, VLAN 1 should never be used as the native VLAN on a trunk, and nothing else should be put in VLAN 1 either, so that nothing interferes with that control traffic. There is a second, security-related reason. If the VLAN of an access port is the same as the native VLAN of an uplink trunk, a host on that port can send a double-tagged frame: the first switch strips the outer tag, because it matches the native VLAN, and forwards the frame untagged across the trunk; the next switch reads the inner tag and delivers the frame into a VLAN the host was never given access to. Moving the native VLAN to a VLAN that is used for nothing else, and that is never assigned to an access port, closes that path. The command for carrying the native VLAN traffic over VLAN 999 would be: switchport trunk native vlan 999. Where the platform supports it, the global command vlan dot1q tag native makes the switch tag native-VLAN frames as well, so nothing crosses the trunk untagged; both ends of the trunk must then be configured the same way.

By default, a trunk port carries traffic for every VLAN configured on the switch. This default behaviour is not always desired: each VLAN that crosses an uplink without needing to is one more VLAN reachable from that trunk, and it also costs bandwidth for broadcasts and spanning-tree instances. As another best practice, explicitly list the VLANs the trunk is allowed to carry. Let's say there are 10 VLANs configured on the network, but only VLAN 2 and VLAN 3 should be carried on this trunk. The command for this would be: switchport trunk allowed vlan 2,3. All other VLANs are then blocked on that port. Note that this form replaces the whole list; to adjust an existing list use the add, remove, except, all or none keywords, for example switchport trunk allowed vlan remove 1 to keep VLAN 1 user data off the trunk (the switch still exchanges CDP, VTP and DTP over the link, as those are carried on VLAN 1 regardless of pruning). The command show interfaces trunk lists, for each trunk, the mode, encapsulation, native VLAN and the allowed VLANs, so you can verify what is actually in effect rather than what you think you typed.

Here is a complete configuration of everything discussed previously:

interface GigabitEthernet0/1
 description Uplink to Data Center Distribution
 ! 802.1Q must be selected before the port can be placed in trunk mode
 switchport trunk encapsulation dot1q
 ! move untagged traffic off VLAN 1 to an otherwise unused VLAN
 switchport trunk native vlan 999
 ! carry only the VLANs this uplink actually needs
 switchport trunk allowed vlan 2,3
 ! trunk unconditionally and stop sending DTP frames
 switchport mode trunk
 switchport nonegotiate
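The checks from the Implementation and Tuning sections above can be turned into an audit that runs over a switch's running configuration. The script below is an added example written for this page, not code from the original post or from Cisco. It assumes the text of show running-config in its usual IOS layout (interface stanzas with one-space indented sub-commands, '!' separators) and recognises only the commands discussed above plus switchport nonegotiate. The sample configuration embedded in it is constructed for the example: the hardened uplink from the post, a trunk left at defaults, an access port and a port that was never configured. It goes slightly beyond the post by flagging a static trunk that still has DTP enabled and a trunk that still allows VLAN 1.

```python
"""Audit Cisco IOS trunk ports against the guidance in this post (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of 'show running-config' output: the hardened uplink from
# the post, a trunk left at defaults, an access port and an untouched port.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description Uplink to Data Center Distribution
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,3
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description Uplink configured with defaults only
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/4
 description Never configured
!
"""


@dataclass
class Port:
    name: str
    mode: Optional[str] = None           # trunk / access / dynamic auto / ...
    encapsulation: Optional[str] = None  # dot1q / isl; absent on dot1q-only boxes
    native_vlan: int = 1                 # IOS default
    allowed: str = "all"                 # IOS default: every VLAN on the switch
    nonegotiate: bool = False            # DTP frames are sent unless this is set


def expand_vlan_list(spec: str) -> Set[int]:
    """'2-5,10' -> {2,3,4,5,10}; running-config shows the merged list."""
    if spec == "none":
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config: str) -> List[Port]:
    """Collect the switchport commands of every 'interface' stanza."""
    ports: List[Port] = []
    current: Optional[Port] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports.append(current)
        elif not line.startswith(" "):
            current = None  # '!' or a global command ends the stanza
        elif current is not None:
            cmd = line.strip()
            if cmd.startswith("switchport mode "):
                current.mode = cmd[len("switchport mode "):]
            elif cmd.startswith("switchport trunk encapsulation "):
                current.encapsulation = cmd.rsplit(None, 1)[1]
            elif cmd.startswith("switchport trunk native vlan "):
                current.native_vlan = int(cmd.rsplit(None, 1)[1])
            elif cmd.startswith("switchport trunk allowed vlan "):
                current.allowed = cmd[len("switchport trunk allowed vlan "):]
            elif cmd == "switchport nonegotiate":
                current.nonegotiate = True
    return ports


def audit_port(port: Port) -> List[str]:
    """Findings for one port; an empty list means it follows the post's advice."""
    findings: List[str] = []
    if port.mode != "trunk":
        if port.mode != "access":
            # No explicit mode (or a 'dynamic' one): DTP decides whether the port
            # trunks, and any neighbour that speaks DTP can make it a trunk.
            findings.append("mode left to DTP; set switchport mode trunk or access")
        return findings
    if port.encapsulation == "isl":
        findings.append("ISL encapsulation; use switchport trunk encapsulation dot1q")
    if not port.nonegotiate:
        findings.append("DTP still enabled on a static trunk; add switchport nonegotiate")
    if port.native_vlan == 1:
        findings.append("native VLAN is 1; move it with switchport trunk native vlan")
    if port.allowed == "all":
        findings.append("all VLANs allowed; restrict with switchport trunk allowed vlan")
    elif 1 in expand_vlan_list(port.allowed):
        findings.append("VLAN 1 still allowed; switchport trunk allowed vlan remove 1")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its list of findings."""
    return {p.name: audit_port(p) for p in parse_interfaces(config)}
```

Calling audit_config on the sample returns no findings for GigabitEthernet0/1 and 0/3, three findings for the defaults-only trunk on 0/2 (DTP enabled, native VLAN 1, all VLANs allowed) and one for the untouched port on 0/4, whose mode is still being decided by DTP. Feed it the saved output of show running-config from a real switch to get the same report; the access-port case is what keeps it from complaining about every user-facing port.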

Author Info:

Scott is a Senior Network Engineer at a healthcare company in Nashville, TN. When he is not trying to secure a network or coming up with a design for a new project, he enjoys spending time with his family. You can find out more at: http://www.scottp.net


One Response to “Vlan Trunking”

  1. » Say Goodbye to Vlan1 at XpressLearn - XpressLearn Says:

    [...] native vlan traffic on trunk ports over vlan1, please see this remedy for that [...]
