Category Archives: 1.4 Configure and verify trunking

SWITCH 300-115 1.4 Configure and verify trunking

1.4.a VTPv1, VTPv2, VTPv3, VTP pruning

1.4.d Manual pruning

Before I get to manual pruning, VTP version 3 deserves a mention.

VTP version 3 comes with a bit of an upgrade that sets itself apart from earlier versions, to wit:

Version 3 now supports extended range vlans and private vlans.
The vtp database can support other formats, ie, MST.
Precautions against database hijacking, ie, inserting a switch with a higher revision number
   can’t whack the existing database because only the primary vtp domain server may make
Hidden and secret passwords are available, not just plain text
Version 3 can be configured per port instead of only globally as in earlier versions.

Version 3  offers optimized resource handling and more efficient information transfer, whatever that means. (Sounds like marketing)

Let’s look at vtp version 3.

From enable mode make the vtp server the primary vtp server. See below:
Then continue as for the earlier versions, except for the password. Hidden and secret are now
SW1(config)#vtp password ccie secret
VTP secret has to be 32 characters in length
SW1(config)#vtp password ccie hidden
Setting device VTP password
As discussed earlier in the VTP section, VTP pruning in my estimation is about the only good thing to come from the whole VTP mess.
Manual pruning is what it says; manual. If you are not using VTP pruning to limit unnecessary broadcasts then you will want to prune vlans that are not in use, by hand.

SWITCH 300-115 1.4 Configure and verify trunking

1.4.d Manual pruning

from switch flg pg 66

On trunk links, it is recommended to manually prune the VLANs that are not used.
You can use VTP pruning if VTP is in use, but manual pruning (using a switch-
port trunk allowed VLAN) is a secure way of allowing only those VLANs that are
expected and allowed on the link. In addition to this, it is also a good practice to
have an unused VLAN as a native VLAN on the trunk links to prevent DTP spoof-

SWITCH 300-115 1.4 Configure and verify trunking

1.4.c Native VLAN

from switch flg pg 50

When configuring an 802.1Q trunk, a matching native VLAN must be defined on each
end of the trunk link. A trunk link is inherently associated with tagging each frame with
a VID. The purpose of the native VLAN is to enable frames that are not tagged with a
VID to traverse the trunk link.

SWITCH 300-115 1.4 Configure and verify trunking

1.4.b dot1Q

There is no RFC for 802.1q as it was developed by the IEEE, but the standard is available at  There have been many iterations through the years and I warn you it is not easy reading.

There is however this nice slide show (only 77 slides) that can be found here. This might be a little friendlier:

To give Cisco its due, dot1q originally came along as a response to ISL, or better yet, as a mechanism to put ISL to bed. The greatest difference between dot1q and ISL is that ISL encapsulates the frame between an ISL header and  an ISL FCS footer or trailer after the original frame FCS, whereas dot1q inserts a 4 byte field  to identify the vlan within the frame, sandwiched between the source mac and ether type fields. Happy New Year 2018 Quotes Both methods create a longer frame as a result and dot1q also has the extra overhead caused by the recalculation of the FCS field due to the frame manipulation, however, it is ultimately a difference of 30 bytes with ISL compared to 4 bytes for dot1q. And, of course, ISL is Cisco proprietary

802.1q is referred to as internal tagging, or just tagging. The 4-byte 8021.Q tag is comprised of 2 bytes of Tag Protocol Identifier and always has a value of 0x8100 to indicate 802.1q. The other 2 bytes are used as a Tag Control Information field. The TCI information contains a 3-bit Priority Code Point field used to implement Class of Service  functions in the IEEE 802.1p standard, followed by a 1-bit Canonical Format Indicator, 0 indicates ethernet and 1 indicates token ring. The next 12-bits are the  VLAN Identifier  field used to indicate the source VLAN of the frame.

The VID can have values from 0 to 4095, but VLANs 0 and 4095  are reserved for system use and not available.


The above diagram is a nice reference illustrating the tag’s placement in the frame.

Also, I recently performed a capture with my switches to further illustrate this placement using Wireshark.