Trunking VLANs

As we know, VLANs (Virtual LANs) divide a switch into multiple logical switches, thereby providing traffic separation and security. VLANs also remove the location constraint: PCs at different locations can be placed in the same VLAN without giving up the isolation between VLANs. This is accomplished by trunking VLANs between the switches.

Let’s examine a scenario. A company wants to network its HR and Finance departments while keeping them isolated from each other: HR PCs should be able to talk to other HR PCs but not to PCs belonging to Finance, and vice versa. This is exactly what VLANs are for.

The switch is configured with two VLANs, one for HR and one for Finance. Depending on the number of PCs in each department, the appropriate number of switch ports is assigned to each VLAN. A PC connected to a port in the HR VLAN can then only talk to other HR PCs, and likewise for Finance. The topology looks as shown below:

(Figure: HR and Finance PCs on one switch, in different VLANs)


The VLAN configuration has two steps:
1. Create the VLANs

Switch(config)#vlan 10      ! Creates vlan 10
Switch(config-vlan)#name HR ! name of the vlan

Switch(config)#vlan 20      ! Creates vlan 20
Switch(config-vlan)#name Finance

2. Associate the ports to VLANs

Switch(config)#int range fa0/1-3   ! associate ports fa0/1,0/2 & 0/3 to VLAN-10
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10

Switch(config)#int range fa0/4-6   ! associate ports fa0/4,0/5 & 0/6 to VLAN-20
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20

The vlan configuration can be verified by running show vlan brief command.

Switch#sh vlan br

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   HR                               active    Fa0/1, Fa0/2, Fa0/3
20   Finance                          active    Fa0/4, Fa0/5, Fa0/6
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

With IP addresses assigned, a PC can ping only the other PCs in its own department, even though all of them are connected to the same switch.


Now, what if the company wants to extend the network to a branch office that has its own HR and Finance departments, and allow each department to communicate with its counterpart in the main office? That, my friend, is why we have something called trunks.

By default a trunk port is a member of all VLANs. In other words, a trunk port carries the traffic of every VLAN, and each frame that crosses it is tagged with the ID of the VLAN it belongs to (802.1Q inserts a 4-byte tag into the Ethernet header), so the VLAN identity survives the hop to the next switch. By connecting the trunk ports of two geographically separated switches we not only forward traffic between them but also keep the VLAN separation intact. In our example, HR PCs in the main office and the branch office can talk to each other but not to Finance PCs in either office, and vice versa.

The topology now looks as follows:


Switch2 (branch office) has exactly the same configuration as Switch1 (main office), and its HR and Finance PCs have IP addresses in the same networks as their counterparts in the main office.

Now we configure port Fa0/7, which connects the two switches, as a trunk port on both sides.

Switch1(config)#int fa0/7
Switch1(config-if)#switchport trunk encapsulation dot1q  ! VLAN tagging mechanism (only on models that also support ISL; 802.1Q-only switches omit this command)
Switch1(config-if)#switchport mode trunk ! Makes the port an unconditional trunk

Switch2(config)#int fa0/7
Switch2(config-if)#switchport trunk encapsulation dot1q
Switch2(config-if)#switchport mode trunk

The trunk link configured can be verified using the show interfaces trunk command.

Switch2#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/7       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/7       1-1005

Port        Vlans allowed and active in management domain
Fa0/7       1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/7       1,10,20

Mode on means the port was configured as an unconditional trunk (switchport mode trunk) rather than negotiated through DTP, and Status trunking confirms that the trunk is up. Note the defaults visible in this output: every VLAN (1-1005) is allowed across the trunk, and the native VLAN, whose frames cross the trunk untagged, is VLAN 1. In a production network you would restrict the allowed VLANs to the ones that actually need to cross the link, move the native VLAN to an otherwise unused VLAN, and disable DTP negotiation on the port, so the trunk carries no more than the VLANs you intend.

Trunk encapsulation can be either 802.1Q or ISL (Inter-Switch Link). ISL is Cisco’s proprietary VLAN tagging mechanism, whereas 802.1Q is the IEEE standard and is supported by all vendors, including Cisco. I’ll talk about them later. For now, just know that 802.1Q is the most widely used trunking encapsulation.

With the trunk port set on both switches, the PCs in the branch office and the main office communicate without any problem, yet still only Finance-to-Finance and HR-to-HR.
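To make the frame-level behaviour concrete, here is a small Python model of the two-switch topology above. It is an added example, not code from the original post: it implements 802.1Q tag insertion and removal and floods each frame within its VLAN, with Fa0/1-3 in VLAN 10, Fa0/4-6 in VLAN 20 and Fa0/7 as the trunk on both switches, exactly as configured above. The Switch and Port classes, the constructed broadcast frame and its source MAC are my own assumptions; there is no MAC learning, which is enough to show both the tag on the trunk and the isolation between the two VLANs.

```python
"""Two-switch 802.1Q trunk model (added example, not from the original post)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100                                 # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
TRUNK_DEFAULT_ALLOWED = frozenset(range(1, 1006))   # the "1-1005" seen in show interfaces trunk


def add_dot1q_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) after the 12-byte dst/src MAC header."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | vlan_id          # 3-bit PCP, 1-bit DEI (0), 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_dot1q_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (vlan_id, untagged frame); vlan_id is None when the frame carried no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


@dataclass
class Port:
    name: str
    mode: str                                   # "access" or "trunk"
    vlan: int = 1                               # access VLAN, or native VLAN on a trunk
    allowed: frozenset = TRUNK_DEFAULT_ALLOWED  # VLANs allowed on a trunk (assumed default)


class Switch:
    """Flooding-only switch: classifies ingress frames into a VLAN and floods within it."""

    def __init__(self, name: str, ports: List[Port]) -> None:
        self.name = name
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.links: Dict[str, Tuple["Switch", str]] = {}  # port -> (neighbour switch, its port)
        self.delivered: List[Tuple[str, int]] = []        # (port, vlan) of frames handed to hosts
        self.sent_on_link: List[Tuple[str, bytes]] = []   # (port, frame as it left on the wire)

    def connect(self, port: str, other: "Switch", other_port: str) -> None:
        self.links[port] = (other, other_port)
        other.links[other_port] = (self, port)

    def receive(self, in_port: str, frame: bytes) -> None:
        port = self.ports[in_port]
        tag, payload = strip_dot1q_tag(frame)
        if port.mode == "access":
            if tag is not None:
                return                          # this model drops tagged frames on access ports
            vlan = port.vlan                    # untagged frame belongs to the port's VLAN
        else:
            vlan = port.vlan if tag is None else tag   # untagged on a trunk = native VLAN
            if vlan not in port.allowed:
                return                          # VLAN pruned from this trunk
        for name, out in self.ports.items():
            if name == in_port:
                continue
            if out.mode == "access":
                if out.vlan != vlan:
                    continue                    # the VLAN boundary: never crosses into another VLAN
                wire = payload                  # access egress is always untagged
            else:
                if vlan not in out.allowed:
                    continue
                # trunk egress keeps the VLAN identity by tagging (native VLAN goes untagged)
                wire = payload if vlan == out.vlan else add_dot1q_tag(payload, vlan)
            if name in self.links:
                self.sent_on_link.append((name, wire))
                nbr, nbr_port = self.links[name]
                nbr.receive(nbr_port, wire)
            else:
                self.delivered.append((name, vlan))


def build_topology() -> Tuple[Switch, Switch]:
    """Switch1 and Switch2 configured as in the post: Fa0/1-3 HR, Fa0/4-6 Finance, Fa0/7 trunk."""
    def ports() -> List[Port]:
        return ([Port(f"Fa0/{i}", "access", vlan=10) for i in (1, 2, 3)]
                + [Port(f"Fa0/{i}", "access", vlan=20) for i in (4, 5, 6)]
                + [Port("Fa0/7", "trunk", vlan=1)])
    sw1, sw2 = Switch("Switch1", ports()), Switch("Switch2", ports())
    sw1.connect("Fa0/7", sw2, "Fa0/7")
    return sw1, sw2


def broadcast_frame(src_mac: bytes, payload: bytes) -> bytes:
    """Constructed untagged Ethernet II broadcast, as a host sends it on an access port."""
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + payload


def deliveries(sw1: Switch, sw2: Switch, ingress: Switch, port: str) -> Dict[str, List[Tuple[str, int]]]:
    """Inject one broadcast at (ingress, port); report which host-facing ports received it."""
    for sw in (sw1, sw2):
        sw.delivered.clear()
        sw.sent_on_link.clear()
    ingress.receive(port, broadcast_frame(b"\x02\x00\x00\x00\x00\x01", b"hello"))  # constructed MAC
    return {sw.name: sorted(sw.delivered) for sw in (sw1, sw2)}


if __name__ == "__main__":
    s1, s2 = build_topology()
    print(deliveries(s1, s2, s1, "Fa0/1"))                  # HR PC on Switch1 reaches only HR ports
    print("tag on trunk:", strip_dot1q_tag(s1.sent_on_link[0][1])[0])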


Note: Although I explained trunking between a main office and a branch office, this is not usually done in real-world scenarios, since a trunk needs a Layer 2 link between the two switches. Trunking is usually used to connect switches on different floors or in neighbouring buildings.

About Deepak Devanand

Seeker of knowledge