Skip to main content
Your first session is free. Claim mine
PacketMentor logo
Open menu
Home
Training
Cisco Mentorship
CCNACCNP
Short Courses
Python for Network EngineersAI for Network OperationsDevNet Associate PrepInterview Sprint
Custom Training
Corporate Training
All training →
CCNA Library (74)
Browse all CCNA topics →
Network (13)
OSI Model & TCP/IPIPv4 AddressingTCP vs UDPSubnettingIPv6 BasicsARP — Address Resolution ProtocolICMP — Internet Control Message ProtocolTCP 3-Way HandshakeCabling & Media StandardsMTU & FragmentationWAN Connection TypesHierarchical Network DesignNetwork Virtualization & Containers
Device Operations (5)
Cisco IOS Device ManagementPower over Ethernet (PoE)Cisco IOS File SystemPassword Recovery & Configuration RegisterNetwork Troubleshooting Methodology
Network Access (12)
MAC Address TableVLANsTrunks & 802.1Q TaggingSpanning Tree Protocol (STP)EtherChannel (Link Aggregation)Switching OperationCDP & LLDP — Neighbor DiscoveryBPDU Guard & Root GuardCatalyst Boot ProcessVTP — VLAN Trunking ProtocolRapid STP & MSTPPrivate VLANs (PVLAN)
Wireless (6)
Wireless LAN BasicsWLAN Architectures — Autonomous, Centralized (WLC), Cloud, EmbeddedWi-Fi Security — WEP, WPA, WPA2, WPA3Wi-Fi 6, 6E, and 7 FeaturesWireless RF FundamentalsAccess Point Operating Modes
IP Connectivity (10)
Inter-VLAN RoutingStatic RoutingDefault RoutingRouting Decision ProcessFHRP — HSRP, VRRP & GLBPLayer-3 Switch & SVI RoutingOSPF Single-AreaRoute SummarizationIPv6 SLAAC & DHCPv6IPv6 Transition Mechanisms
IP Services (11)
HSRP vs VRRP vs GLBP — FHRP ComparedDHCP — Dynamic Host Configuration ProtocolNAT & PATDNS — Domain Name SystemNTP — Network Time ProtocolSyslogQoS BasicsSNMP — Simple Network Management ProtocolIGMP & IGMP SnoopingNTP Authentication & SecurityDHCP Relay & IP Helper
Security (10)
Access Control Lists (ACLs)Port SecurityDHCP SnoopingAAA · RADIUS & TACACS+802.1X — Port-Based Network Access ControlVPN Basics — IPsec & SSLDynamic ARP Inspection (DAI)IP Source Guard (IPSG)Encryption FundamentalsCybersecurity Threats & Mitigation
Automation (7)
REST APIs for Network EngineersAnsible for Network EngineersJSON, YAML & XML for Network EngineersNETCONF & YANGPython for Network EngineersSDN & Controller-Based NetworkingAI & ML in Network Operations
CCNP Library (15)
Browse all CCNP topics → SPAN, RSPAN & ERSPAN — Port MirroringGRE TunnelsEIGRPOSPF Multi-AreaIPv6 Routing — Static & OSPFv3BGP BasicsTCP Connection StatesCisco AnyConnect / Remote Access VPNCisco ISE BasicsNetFlow & Flow-Based MonitoringgRPC & gNMI — Streaming TelemetrySD-WAN ConceptsMPLS BasicsCisco DNA Center / Catalyst CenterVRF Basics — Virtual Routing and Forwarding
LabsPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All posts
ccnaswitchingtroubleshootingvlanstrunks

'My Trunk Won't Pass VLAN 20' — A 6-Step Debug Workflow (CCNA)

Step-by-step troubleshooting for the classic CCNA-lab moment when you've configured the trunk but VLAN 20 traffic isn't reaching the other switch.

You configured a trunk between two switches. VLAN 10 hosts ping each other across it just fine. VLAN 20 hosts cannot. Same trunk. Same switches. What’s going on?

This is one of the most common debug moments in CCNA-level labs. It catches everyone the first time. Here’s the systematic workflow we use in the CCNA Career Track — it finds the cause in under 5 minutes 95% of the time.

Step 1 — confirm the trunk is actually a trunk

Run on both ends:

SW1# show interfaces Gi1/0/24 switchport | include Mode
Administrative Mode: trunk
Operational Mode: trunk

Both must say Mode: trunk. If either says static access or dynamic auto, the trunk failed to negotiate. Common cause: you set one side to mode trunk but left the other as default (which is dynamic auto) on a platform where both sides need to actively initiate.

Fix: set both ends explicitly:

SW1(config)# interface Gi1/0/24
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport nonegotiate

The nonegotiate disables DTP — explicit beats implicit. Configure the same on SW2’s matching port.

Step 2 — check the allowed-VLAN list

Even on a fully working trunk, only VLANs in the allowed list cross it.

SW1# show interfaces Gi1/0/24 trunk
Port      Mode       Encapsulation  Status     Native vlan
Gi1/0/24  on         802.1q         trunking   1

Port      Vlans allowed on trunk
Gi1/0/24  1-10

That’s the bug right there. 1-10 does not include VLAN 20. Even though VLAN 20 exists on the switch, the trunk is silently dropping it.

Fix: add VLAN 20 to the allowed list.

SW1(config-if)# switchport trunk allowed vlan add 20

The word add is important — without it, you overwrite the list and may lose VLAN 10.

Verify:

SW1# show interfaces Gi1/0/24 trunk
Port      Vlans allowed on trunk
Gi1/0/24  1-10,20

Step 3 — confirm VLAN 20 exists in the VLAN database

A subtle one. The VLAN must exist as a database entry, not just be referenced on an access port.

SW1# show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, ...
10   USERS                            active    Gi1/0/3, Gi1/0/4
99   MGMT                             active    Gi1/0/23

VLAN 20 is missing. The trunk is allowing it but the switch doesn’t know what VLAN 20 is. Frames tagged with 20 get accepted at the trunk but then dropped because there’s no internal VLAN data structure.

Fix: create VLAN 20 in the database — on both switches.

SW1(config)# vlan 20
SW1(config-vlan)# name SERVERS
SW1(config-vlan)# exit

On SW2 too. Now show vlan brief shows VLAN 20.

Step 4 — check VTP isn’t pruning it

If you’re running VTP (older Cisco environments), the protocol can auto-prune VLANs from trunks where it thinks they’re not needed.

SW1# show vtp status
VTP Operating Mode: Server
VTP Pruning Mode: Enabled

If pruning is enabled and VLAN 20 has no active access ports on the other end, VTP might decide to skip flooding VLAN 20 over the trunk. Strange but it happens.

Fix: either disable VTP pruning (no vtp pruning) or add an access port in VLAN 20 on the receiving switch (gives VTP the signal that VLAN 20 is “wanted”).

In 2026 most environments disable VTP entirely or use VTP v3 in transparent mode. See the VTP library topic for the full picture.

Step 5 — native VLAN mismatch

Less common but devastating when it happens. The native VLAN on a trunk is the one that travels untagged. If SW1’s native VLAN is 1 and SW2’s is 99, every untagged frame gets interpreted as the wrong VLAN.

SW1# show interfaces Gi1/0/24 trunk | include Native
Port      Native vlan
Gi1/0/24  1

SW2# show interfaces Gi1/0/24 trunk | include Native
Port      Native vlan
Gi1/0/24  99

CDP / DTP will log this mismatch — check show log for messages like:

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on interface ...

Fix: make both ends agree. Best practice: don’t use VLAN 1 as native (it’s also the management VLAN by default in old labs — security risk). Use an explicit unused VLAN like 999.

SW1(config-if)# switchport trunk native vlan 999
SW2(config-if)# switchport trunk native vlan 999

Make sure VLAN 999 exists in the database on both.

Step 6 — confirm the physical layer

The least sexy step but the most common cause when steps 1–5 check out: bad cable, wrong patch, or a switchport that’s err-disabled and looks “up” in some quick views.

SW1# show interfaces Gi1/0/24 status
Port    Name   Status      Vlan   Duplex   Speed Type
Gi1/0/24        connected   trunk  a-full   1000  10/100/1000BaseTX

connected is what you want. notconnect, disabled, or err-disabled mean trouble. Recheck the cable, the patch, and the port-security configuration on user-facing ports (port security can err-disable trunks if it gets misapplied).

The 6-step workflow as a checklist

When VLAN traffic mysteriously isn’t crossing a trunk:

  1. Trunk mode confirmed both ends?
  2. VLAN in allowed list?
  3. VLAN exists in database?
  4. VTP pruning interfering?
  5. Native VLAN matches?
  6. Physical layer healthy?

This catches 95% of cases. The remaining 5% are spanning-tree blocking the trunk for that VLAN (rare), a port-channel misconfiguration (more common), or the destination host actually being in the wrong VLAN to begin with (don’t laugh — common with student labs).

How to get faster at this

The fastest way is doing it 50 times in our weekly 1:1 labs until you stop having to think about the checklist. The slower way is reading more articles like this one. Both work — but only one closes the gap from “I read about VLANs” to “I troubleshoot VLAN issues by reflex in front of a network outage.”

Free first session is on the house if you want to try the format.

More from the library

Get posts like this by email.

One short, opinionated tutorial per week. Unsubscribe in one click.

We respect your inbox. One email per week, max. Unsubscribe any time.

Start typing — or browse popular topics below.

↑↓ navigate open Searches topics · labs · programs · pages