How to configure trunk on Cisco Catalyst Switch

Dynamic is dangerous ? If some malicious switch comes with dynamic mode then it will automatically sync with it ?

This what I listen from YouTube lesson .

Hello Abdul

DTP is a protocol that is used for convenience. When you use it ports can negotiate to function as either access or trunks based on what they perceive at the other end of the link. The danger here occurs when a malicious user is connected to an access port of a switch that is configured to operate with DTP. The user can “trick” the switch into thinking the computer is a switch, and it can create a trunk between the switch and the computer. This will give the computer access to other VLANs that it is not allowed to have.

For this reason, it is always a good idea to disable DTP on the ports of switches. DTP should not be confused with VTP which is a different protocol.

I hope this has been helpful!


So Administrative Mode Should only be set as 802.1q for switches and operational mode should be set as manually : switchport mode trunk ? & Switchport no negotiate ?

and access ports should manually configured

with this threats can be minimized in the network ?

do we really need dynamic desirable or dynamic auto in real life networks ? or it’s just in lab environment ? if yes where its used ?

Hello Abdul

It is considered best practice to disable DTP on a trunk using the switchport nonegotiate command. This will ensure that the interface will only enter the mode that you manually configure, either trunk or access. This way, you can avoid any security issues.

The only situation in which DTP would be useful is if you constantly rearrange your network topology, connecting and disconnected switches and hosts. If this is the case, you would connect a PC to a port on the switch, and it will automatically become an access port, or if you connect one switch to another, it will automatically become a trunk. This way you can avoid the need to constantly manually configure ports.

But it is rare to have a production network where this is the case, so outside of a lab environment, DTP in the vast majority of cases can be more harmful than good.

I hope this has been helpful!


Can you help me to understand this configuration?

Switch#show running-config | section interface GigabitEthernet0/1
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk

Why the switch allow me to configure a port in trunk mode and in access mode at the same time??

In this example, vlan 10 is configured on access mode, but the native vlan is doing the same thing, in fact when vlan 10 is configured as native vlan, it is be able to receive all NON-Tagged traffic as a normal access port. Am I Right? Why the switch allow to configure both?

Thank you as always

Hello Giovanni

Actually, this interface is configured as a trunk. It is the switchport mode command that tells you the mode of the interface. You can have either switchport mode trunk, or switchport mode access. You will never have both trunk and access configured on the same interface, because when you issue this command, it overwrites the previous configuration.

When you have switchport mode trunk, as you have in this case, the switchport access vlan 10 command is ignored.

But because you have the switchport trunk native vlan 10 command, any untagged frames arriving at this port will go to VLAN 10. So the interface behaves as if it is an access port on VLAN 10 simply because the native VLAN is set up that way.

So to summarize:

  • this interface is indeed a trunk and not an access port
  • the switchport access VLAN 10 command is ignored
  • the native VLAN of 10 makes the interface act as if it is an access port on VLAN 10, although it is not.

I hope this has been helpful!



Thank you
Another question.
I have occasionally configured, on Dell Switches, a port in general mode.

In Dell, the behavior of trunk and general modes are like the following scheme.



They told me that General mode is not a Dell proprietary protocol, but it exists also in other manufacturers.

Can you tell me more information about this mode…I saw talking about it in Cisco community too, but I can’t understand why is needed ( on not Dell switches)…


Hello Giovanni

General mode is indeed available on switches of other vendors as well, including the Cisco small business series of switches. General mode causes ports to function differently for egress and ingress traffic.

  • For egress, general mode allows a switch to send untagged frames out of an interface, that come from multiple VLANs.
  • For ingress, all untagged frames must go to the configured native VLAN. This is because, regardless of which VLAN these frames originated from, there is no way to distinguish to which VLAN they belong since they have no tags. By definition, the configured native VLAN is the VLAN on which all incoming untagged frames must be placed.

This means that untagged frames originating from multiple VLANs on SW1 will all end up on the configured native VLAN of the port on SW2.

Now to be honest, after doing some additional research, I find no obvious benefit to the general mode for an interface. There may be an obscure use case where it is beneficial, but I haven’t found anything myself. Cisco IOS doesn’t support it, but the small office devices do.

I hope this has been helpful!


1 Like

Thanks for your reply, I saw that in Dell switches the native vlan not work properly between switches of other manufactures, so I think that General mode is developed as a workaround of this problem.

1 Like

Hello Rene i want to know what diffrent between trk1-2 in hp and cisco trunk for example when i want to trunk a uplink in hp aruba switch i do this comannd trunk port2 trk3 trunk and tagged in vlan20 tagged trk3

 vlan 20
   name "IT"
   tagged Trk1-Trk3
   no ip address

and i want to know how to tagged a port in a vlan in cisco switch can you answer me please?
or at cisco system we do this command

switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,20

Hello Mohamad

I am not familiar with the CLI of HP/Aruba, however I did some research and found the following.

In the CLI of HP/Aruba, you are able to define trunk groups. These are groups of interfaces that can then be used to configure those interfaces with tagged and untagged VLANs. For example, you can create the following trunk group and call it Trk1 like so:

trunk b23-b24 Trk1 Trunk

You can then reference Trk1 within the VLAN configuration and state that that particular VLAN should be tagged on all ports within the Trk1 group. This can be done like so:

vlan 20
    tagged Trk1

This means that VLAN 20 will be tagged on interfaces b23 and b24 since they belong to the Trk1 group.

Now Cisco doesn’t have this hierarchical configuration method. You must apply the allowed VLANs on the interface itself rather than referencing the interfaces via trunk groups under the VLAN configuration.

For this reason, you would use the commands you have stated above. For each interface, you must state if it will process tagged frames (trunk mode) and if so, which VLAN tags will be allowed on the port (trunk allowed vlan command).

I hope this has been helpful!


1 Like

The trunking lesson says "Technically the interfaces between the two switches can also be in access mode right now because I only have a single vlan.

This only works in lab when the access port between both switches is assigned to the host vlan on both switches or am I missing something?

Hi Rene,
I am, using WS-C2960S-24PD-L switch.
I got % Unrecognized command error message when I was going to config a trunk at interface Gi1/0/14.

CW2960#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
CW2960(config)#interface gi1/0/14
CW2960(config-if)#switchport trunk encapsulation ?
% Unrecognized command
CW2960(config-if)#switchport trunk encapsulation ▒

I would appreciate very much if you would explain the reason why?
Thank you.

Hello Charles

Cisco devices have traditionally supported two encapsulation methods: ISL and dot1q. Newer switches no longer support ISL, so there is only one encapsulation method available. For this reason, the switchport trunk encapsulation command was removed. This is the reason you don’t have that option in your device.

Is everything else working correctly in your topology or are you facing other difficulties as well? Let us know…

I hope this has beenhelpful!


Switch A - vlan 50 and vlan 1
Switch B - vlan 50 and vlan 1
PCA is in vlan 50 on Switch A
PCB is in vlan 50 on switch B.
Both switches are connected by an access link.
They are only able to communicate if the access link is assigned to vlan 50
I was testing to see if it actually worked in EVE-NG
I would create a trunk link as best practice though if I were on a LAN without assigning it to a
specific vlan since trunk links have access to all vlans.
This works fine as long as you specify the access vlan as 50 on both switches for the access link G0/0 between them with - Switch(config-if)# switchport access vlan 50

Found the answer I was looking for in a post by
wilder7bc Brian C in
Introduction to VLANs

1 Like

Hello Donald

What Rene is saying in the lesson is that for this particular topology that has only one VLAN being sent over the trunk (i.e. VLAN 50), you can technically achieve the same thing either using trunk ports or access ports.

You can either make both ports on both switches access ports on VLAN 50, or make them both trunk ports and allow VLAN 50 on both of them. The result is that frames belonging to VLAN 50 will traverse the link in both cases.

Now if you want to pass more than one VLAN across the link, this can only be achieved using a trunk link.

I hope this has been helpful!


Kindly tell me someone what is work of Dynamic auto and dynamic desirable mode for making trunk port.


One might wonder what the “Limited connectivity” means. This is probably explained by Wendell Odom in his official CCNA textbook (the OCG, or Official Cert Guide). On page 18 of Vol 1.'s Chapter “Appendix P: LAN Troubleshooting,” he says the following:

“A different incorrect trunking configuration results in one switch with an operational state of “trunk,” while the other switch has an operational state of “static access.” When this combination of events happens, the interface works a little. The status on each end will be up/up or connected. Traffic in the native VLAN will actually cross the link successfully. However, traffic in all the rest of the VLANs will not cross the link.”

This is an interesting setup though. For example, if switch SWT’s interface is configured as a trunk, and switch SWA’s interface is configured as an access link, then these are the possibilities:

a) When traffic goes from SWA to SWT: only traffic in the native VLAN will cross the link. That’s because SWA will send only untagged (native VLAN) traffic.

b) When traffic goes from SWT to SWA (and there’s no switchport trunk allowed vlan command configured on SWT): all tagged traffic from SWT is going to get untagged by SWA and received by the hosts in SWA’s native VLAN. This means that hosts on SWA that shouldn’t get broadcast traffic from the VLANs that reside on SWT are going to get the traffic. These hosts on SWA are going to be all hosts in SWA’s native VLAN. So every single broadcast traffic on SWT (from every single VLAN that exists on SWT: which means all VLANs from 1 to 4094) is going to be received by the hosts in SWA’s native VLAN.

I’m sure someone can correct me if I made a mistake.


Hello Ajeet

Take a look at this lesson which talks about trunking and the various options that you can configure for your ports, including dynamic auto and dynamic desirable:

You may also find this lesson concerning DTP helpful as well:

@molnarattila1221 kindly shared with you Cisco’s official description as well, which is also very helpful. If you have more questions about this topic, feel free to ask!

I hope this has been helpful!


1 Like