Trunk Port
802.1Q VLAN Trunk
A switch port configured to carry traffic from multiple VLANs simultaneously — each frame is tagged with a 4-byte 802.1Q header identifying its VLAN. Trunk ports interconnect switches, connect switches to routers, and link to hypervisors hosting VMs on multiple VLANs.
Without trunk ports, extending a VLAN across multiple switches would require a dedicated physical cable per VLAN. With 802.1Q trunking, a single cable carries all VLANs: the switch inserts a 4-byte tag between the source MAC address and the EtherType field of each Ethernet frame, encoding the VLAN ID (0–4094). The receiving switch reads the tag, identifies the VLAN, strips the tag, and delivers the frame to the appropriate VLAN. Access ports (for end devices) never see these tags — the switch handles tagging transparently.
Trunk port vs access port
| Property | Access port | Trunk port |
|---|---|---|
| VLANs carried | One | Multiple (all or selected) |
| Frame tagging | Untagged (tag stripped) | 802.1Q tagged |
| Typical connection | End device (PC, phone, camera) | Switch, router, hypervisor |
| Native VLAN | N/A (single VLAN) | Untagged VLAN (default VLAN 1) |
| Device awareness | Device unaware of VLANs | Device must understand 802.1Q |
Trunk port security
Misconfigured trunk ports are a common attack vector. VLAN hopping exploits a trunk port with a poorly set native VLAN — an attacker sends double-tagged frames (tagged with the native VLAN on the outer tag, target VLAN on the inner) that survive one tag strip and reach the target VLAN. Mitigations: set the native VLAN to an unused VLAN ID on all trunks; disable DTP (Dynamic Trunking Protocol) on access ports (switchport nonegotiate); explicitly specify which VLANs are allowed on each trunk (switchport trunk allowed vlan) rather than permitting all. Never leave VLAN 1 as the native VLAN on production trunk links.
Frequently Asked Questions
What is the difference between a trunk port and an access port?
Access ports carry one VLAN — frames are untagged, end devices see normal Ethernet. Trunk ports carry multiple VLANs with 802.1Q tags on each frame. Trunk ports connect switches to switches, routers, or hypervisors; access ports connect to end devices like PCs, printers, and cameras.
What is the native VLAN on a trunk port?
The VLAN whose frames travel untagged across the trunk. Default is VLAN 1. Native VLAN must match on both ends; a mismatch causes VLAN hopping. Best practice: set native VLAN to an unused ID (e.g., 999) on all trunk ports to prevent untagged frame misassignment.
How does router-on-a-stick inter-VLAN routing work?
One physical router port connects to a switch trunk, divided into subinterfaces — one per VLAN, each with a gateway IP. Traffic between VLANs goes up the trunk to the router, gets routed between subinterfaces, and returns down the same trunk. A Layer 3 switch with SVIs does the same in hardware without leaving the switch.