VLANs & Trunking (802.1Q)
Virtual LANs separate broadcast domains at Layer 2. Trunking allows multiple VLANs to traverse a single physical link.
1. The 802.1Q Frame Format
802.1Q inserts a 4-byte tag into the original Ethernet frame, between the Source MAC and the EtherType/Length field.
Tag Fields Breakdown
| Field | Size | Description |
|---|---|---|
| TPID | 16 bits | Tag Protocol Identifier. Always 0x8100. Identifies the frame as tagged. |
| PCP (Priority) | 3 bits | Class of Service (CoS). Used for Layer 2 QoS (0-7). Voice is usually 5. |
| DEI | 1 bit | Drop Eligible Indicator. Can be dropped during congestion. |
| VID (VLAN ID) | 12 bits | Identifies the VLAN (1-4094). |
Because the tag adds 4 bytes, the maximum frame size increases from 1518 to 1522 bytes. Switches process this automatically, but some very old NICs might drop them as "Baby Giants".
2. The Native VLAN
Every 802.1Q trunk has exactly one Native VLAN. Frames belonging to this VLAN are sent untagged.
- Default: VLAN 1.
- Rule: Both ends of the trunk MUST agree on the Native VLAN.
- Mismatch Risk: If Switch A uses VLAN 1 as Native and Switch B uses VLAN 10, frames that Switch A sends untagged (its VLAN 1) are placed into VLAN 10 by Switch B, so traffic "hops" VLANs (VLAN 1 -> VLAN 10), causing connectivity issues and potential security leaks.
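Added example (not part of the original notes) that works through sections 1 and 2 in code: it builds and decodes the 4-byte tag laid out in the table above, and shows how an untagged frame is assigned to the receiving trunk's native VLAN, which is the mechanism behind the mismatch described in the last bullet. The sample frame bytes are constructed for the demo.

```python
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier for an 802.1Q tag
VID_MASK = 0x0FFF            # low 12 bits of the TCI carry the VLAN ID

def build_tag(vid, pcp=0, dei=0):
    """Return the 4-byte tag: TPID (16) | PCP (3) | DEI (1) | VID (12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 0-7, DEI is 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)

def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert the tag after the 12 address bytes (dst MAC + src MAC)."""
    return frame[:12] + build_tag(vid, pcp, dei) + frame[12:]

def parse_frame(frame, native_vid=1):
    """Decode a frame arriving on a trunk whose native VLAN is native_vid.

    Untagged frames are assigned to the native VLAN; that is exactly how a
    native VLAN mismatch moves traffic from one VLAN into another.
    """
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tagged = ethertype == TPID_8021Q
    if tagged:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & VID_MASK
        payload = frame[18:]
    else:
        pcp, dei, vid = 0, 0, native_vid
        payload = frame[14:]
    return {"dst": dst, "src": src, "tagged": tagged, "vid": vid, "pcp": pcp,
            "dei": dei, "ethertype": ethertype, "payload": payload}

# Constructed sample: broadcast ARP frame (EtherType 0x0806) with a 28-byte dummy payload.
SAMPLE = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)

def native_mismatch_demo():
    """Switch A (native VLAN 1) sends VLAN 1 untagged; Switch B (native VLAN 10) decodes it."""
    return parse_frame(SAMPLE, native_vid=10)["vid"]   # returns 10, not 1
```

Tagging SAMPLE with `tag_frame(SAMPLE, 100, pcp=5)` grows it by exactly 4 bytes, which is why the maximum frame size moves from 1518 to 1522.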
3. DTP (Dynamic Trunking Protocol)
DTP is a Cisco-proprietary protocol that negotiates trunking automatically. It is generally recommended to disable DTP and hardcode trunks for security (VLAN Hopping prevention).
| Mode | Description |
|---|---|
| Dynamic Auto | "I'll trunk if you ask me." (Default on many switches). |
| Dynamic Desirable | "I actively want to trunk. Please trunk with me." |
| Trunk | Hardcoded trunk. Sends DTP frames to negotiate. |
| Access | Hardcoded access. Never trunks. |
Recommendation: Use switchport mode trunk + switchport nonegotiate.
4. VTP (VLAN Trunking Protocol)
Used to sync the VLAN database (vlan.dat) across switches. Dangerous if misconfigured.
- Server: Creates/Deletes VLANs. Syncs to clients.
- Client: Cannot create VLANs. Syncs from server.
- Transparent: Does not sync. Forwards VTP advertisements. Creates local VLANs only.
If you plug a VTP Server/Client into the network with a higher Revision Number than the existing domain, it will overwrite the VLAN database of ALL other switches, potentially deleting all your VLANs instantly. Always set VTP to Transparent, or reset the Revision Number (by changing the VTP domain name), before adding an old switch.