Quick answer: VLANs segment a physical network into multiple logical broadcast domains, improving security and reducing congestion. 802.1Q trunking allows multiple VLANs to traverse a single link by tagging frames. The native VLAN carries untagged traffic by default, and VTP simplifies VLAN management but can cause network-wide issues if misconfigured. Inter-VLAN routing requires a Layer 3 device, such as a router or Layer 3 switch. This guide covers configuration examples and 12 practice questions to solidify your CCNA exam readiness.
What Are VLANs and Why Do You Need Them?
VLANs (Virtual Local Area Networks) logically divide a switch into separate broadcast domains without requiring additional physical hardware. By default, all ports on a switch belong to VLAN 1, creating a single flat network. This causes unnecessary broadcast traffic and security risks—any device can communicate directly with any other.
With VLANs, you group users by function (e.g., VLAN 10 for Engineering, VLAN 20 for Sales) or security level. Broadcasts stay within their VLAN, and inter-VLAN traffic must pass through a router or Layer 3 switch, which is also the point where an access list can control what crosses the boundary. This reduces network load and contains potential threats. For the CCNA exam, you must know that VLANs operate at Layer 2 and are identified by a 12-bit VLAN ID. VLAN 1 is the default VLAN on every port and cannot be deleted, VLANs 1002–1005 are reserved for legacy FDDI and Token Ring, and 1006–4094 are the extended range (which VTP versions 1 and 2 do not propagate).
Example: If each of 200 devices in one broadcast domain sends one broadcast per second (ARP, DHCP discovery and similar), every NIC on the segment has to receive and process 200 broadcasts per second. Splitting the hosts into four VLANs of 50 each cuts that to 50 per host, a 75% reduction, and it also limits how far a host that abuses broadcast protocols can reach.
802.1Q Trunking: The Standard for VLAN Tagging
When you need to carry multiple VLANs between switches, a trunk port is required. The IEEE 802.1Q standard inserts a 4-byte tag into the Ethernet header immediately after the source MAC address, so a tagged frame can reach 1522 bytes. The tag is a 16-bit Tag Protocol Identifier (TPID, 0x8100) followed by 16 bits of Tag Control Information: a 3-bit Priority Code Point (PCP) for QoS, a 1-bit Drop Eligible Indicator (DEI, formerly CFI), and the 12-bit VLAN ID. The ID field can encode 0–4095, but 0 (a priority-only tag with no VLAN) and 4095 are reserved, which leaves 1–4094 usable.
Key points for the exam:
- 802.1Q is the only trunking protocol you need to know—ISL is legacy and not on the current exam.
- The native VLAN (default VLAN 1) carries untagged traffic. Frames from the native VLAN are sent without a tag, and switches assume they belong to that VLAN.
- Both ends of a trunk must agree on the native VLAN; mismatches cause connectivity issues.
- Trunk ports are configured with `switchport mode trunk` on Cisco switches. On platforms that also support ISL (Catalyst 3560/3750, for example) you must set `switchport trunk encapsulation dot1q` first or the mode command is rejected; 2960-class switches only speak 802.1Q and do not accept the encapsulation command.
Configuration example:
Switch(config)# interface gigabitEthernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 10,20,30
This sets the trunk to allow only VLANs 10, 20, and 30, with VLAN 99 as the native VLAN. Two hardening additions are worth knowing: `switchport nonegotiate` stops DTP from advertising the trunk (DTP is on by default and lets a connected host negotiate a trunk for itself), and the global `vlan dot1q tag native`, on platforms that support it, makes the switch tag native-VLAN frames as well so that nothing crosses the trunk untagged.
Native VLAN: Common Misconfigurations and Best Practices
The native VLAN is often misunderstood. On an 802.1Q trunk, the native VLAN is the VLAN to which untagged frames belong. If a switch receives an untagged frame on a trunk port, it assumes it belongs to the native VLAN configured on that port.
Critical pitfalls:
- Native VLAN mismatch: If Switch A has native VLAN 99 and Switch B has native VLAN 1, untagged frames leave A as VLAN 99 traffic and arrive at B as VLAN 1 traffic, silently bridging the two VLANs. CDP reports the condition (`%CDP-4-NATIVE_VLAN_MISMATCH`), and PVST+ will usually block the port with a PVID inconsistency rather than let it run that way.
- Security risk: the double-tagging VLAN hopping attack depends on the native VLAN. An attacker whose access port is in the native VLAN sends a frame with two 802.1Q tags; the first switch removes the outer tag because that VLAN travels untagged on the trunk, and the next switch reads the inner tag and delivers the frame into a VLAN the attacker is not a member of. The attack is one-way (no reply comes back), but that is enough to reach a target. Always change the native VLAN from the default (VLAN 1) to an unused VLAN that has no access ports, and, where supported, tag the native VLAN with `vlan dot1q tag native`.
- VLAN 1 best practice: Avoid using VLAN 1 for user traffic. It is the default access VLAN on every port, it carries control protocols such as CDP, VTP, DTP and PAgP by default, and it cannot be deleted, only removed from a trunk's allowed list (control traffic still crosses).
Verification command:
Switch# show interfaces trunk
This displays the mode, encapsulation, native VLAN and allowed VLANs per trunk. For a single port, `show interfaces gigabitEthernet0/1 switchport` shows the same details plus whether DTP negotiation is still on.
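The tag layout above and the double-tagging hop from the pitfalls list are easier to see with bytes in hand. The following Python is an added example, not code from the page or from Courseiva: it builds and parses 802.1Q tags, then models the two switch decisions that make the attack work (native-VLAN frames leave a trunk untagged; a receiving trunk classifies by the outermost tag). The MAC addresses are constructed, and the access-port behaviour (a tag equal to the port's own VLAN is accepted and removed) is a simplifying assumption of the model.

```python
import struct

TPID_8021Q = 0x8100        # Tag Protocol Identifier that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (not real hosts)
MAC_ATTACKER = bytes.fromhex("0200000000aa")
MAC_BCAST = b"\xff" * 6


def build_tag(vlan_id, pcp=0, dei=0):
    """Return the 4-byte 802.1Q tag: TPID, then PCP(3) | DEI(1) | VID(12)."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID is a 12-bit field")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vlan_id
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst, src, payload, vlan_ids=(), ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; each ID in vlan_ids becomes a tag, outermost first."""
    tags = b"".join(build_tag(v) for v in vlan_ids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VLAN IDs outermost-first, ethertype, payload offset)."""
    vids, off = [], 12                        # tags start right after the two MACs
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return vids, ethertype, off + 2


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """A switch sends a frame that belongs to `vlan` out an 802.1Q trunk.
    Native-VLAN frames go untagged unless 'vlan dot1q tag native' is set."""
    if vlan == native_vlan and not tag_native:
        return frame
    return frame[:12] + build_tag(vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """The receiving switch classifies by the outermost tag, or by the native
    VLAN if there is none. Returns (vlan, frame with that tag removed)."""
    vids, _, _ = parse_tags(frame)
    if vids:
        return vids[0], strip_outer_tag(frame)
    return native_vlan, frame


def double_tag_attack(access_vlan, native_vlan, target_vlan, tag_native=False):
    """Model of the double-tagging hop: an attacker on an access port in
    `access_vlan` sends a frame carrying tags [access_vlan, target_vlan].
    Returns the VLAN the far-side switch delivers the frame into."""
    frame = build_frame(MAC_BCAST, MAC_ATTACKER, b"hop",
                        vlan_ids=(access_vlan, target_vlan))
    # Access-port ingress (model assumption): a tag equal to the port's own
    # VLAN is accepted and removed; any other tag would be dropped.
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] != access_vlan:
        return None
    inner = strip_outer_tag(frame) if vids else frame
    on_trunk = trunk_egress(inner, access_vlan, native_vlan, tag_native)
    delivered_vlan, _ = trunk_ingress(on_trunk, native_vlan)
    return delivered_vlan


if __name__ == "__main__":
    print("native 1, attacker in VLAN 1   ->", double_tag_attack(1, 1, 20))
    print("native 99, attacker in VLAN 1  ->", double_tag_attack(1, 99, 20))
    print("native 1 but tagged, attacker 1 ->", double_tag_attack(1, 1, 20, tag_native=True))
```

With the default native VLAN 1 and the attacker on a VLAN 1 access port, the frame lands in VLAN 20. Moving the native VLAN to an unused 99, or tagging the native VLAN, makes the first switch put a VLAN 1 tag on the wire, so the far switch never sees the inner tag and the frame stays in VLAN 1.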
VTP: Simplify VLAN Management—But Tread Carefully
VLAN Trunking Protocol (VTP) propagates VLAN information across trunk links, reducing manual configuration. VTP versions 1 and 2 have three modes: Server, Client, and Transparent. Version 3 adds Off, in which the switch neither applies nor forwards advertisements.
| VTP Mode | Can Create/Delete VLANs | Propagates VLANs | Stores VLAN Database |
|---|---|---|---|
| Server | Yes | Yes | In NVRAM |
| Client | No | Yes | No (learns from server) |
| Transparent | Yes | No | In NVRAM (local only) |
Exam essentials:
- VTP summary advertisements are sent every 5 minutes (300 seconds) and immediately when the VLAN database changes.
- A higher configuration revision number overrides lower ones. A server or client that hears an advertisement for its own domain, with a matching password and a higher revision, replaces its whole VLAN database, so cabling in a used switch with a high revision number can delete every VLAN in production. The revision resets to 0 when you change the VTP domain name or move the switch to transparent mode; do one of those before connecting a switch of unknown history.
- VTP version 3 adds support for extended VLANs (1006–4094) and private VLANs, and only a designated primary server may change the database.
- Best practice: Use VTP transparent mode or disable VTP entirely (`vtp mode transparent`, or `vtp mode off` with VTP version 3) to prevent accidental VLAN deletions.
Configuration example (Server mode):
Switch(config)# vtp domain CourseivaLab
Switch(config)# vtp mode server
Switch(config)# vtp password MySecret
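The revision-number takeover is the part of VTP people get burned by, so here is a small model of it in Python. This is an added example, not code from the page or from Courseiva: it implements the acceptance rules a server or client applies to an advertisement (same domain, matching password, strictly higher revision) and runs the "reused lab switch" scenario with and without the precautions above. The switch names, VLAN names and the simplified password digest are assumptions of the model; real VTP carries an MD5 over the domain, password and database.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str                      # "server", "client", "transparent" or "off" (v3)
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def digest(self):
        # Simplified stand-in for the VTP MD5: enough to model "wrong password is ignored".
        return hashlib.md5(f"{self.domain}\0{self.password}".encode()).hexdigest()

    def _change(self, fn):
        if self.mode not in ("server", "transparent"):
            raise PermissionError(f"{self.name}: {self.mode} mode cannot edit VLANs")
        fn()
        if self.mode == "server":  # transparent edits are local and never bump the revision
            self.revision += 1

    def add_vlan(self, vid, name):
        self._change(lambda: self.vlans.__setitem__(vid, name))

    def delete_vlan(self, vid):
        self._change(lambda: self.vlans.pop(vid))

    def set_domain(self, domain):
        # Changing to a different domain name resets the revision, as does transparent mode.
        if domain != self.domain:
            self.domain, self.revision = domain, 0

    def advertisement(self):
        return {"domain": self.domain, "rev": self.revision,
                "digest": self.digest(), "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply an advertisement the way a server or client would. Returns True if applied."""
        if self.mode in ("transparent", "off"):
            return False           # transparent forwards on other trunks but never applies
        if adv["domain"] != self.domain or adv["digest"] != self.digest():
            return False           # domain or password mismatch
        if adv["rev"] <= self.revision:
            return False           # only a strictly higher revision wins
        self.vlans, self.revision = dict(adv["vlans"]), adv["rev"]
        return True


def rogue_switch_scenario(rogue_mode="server", rogue_password="MySecret", reset_domain=False):
    """A production server with VLANs 10/20/30 meets a reused lab switch whose
    database was edited twenty times. Returns the production VLAN IDs afterwards."""
    prod = VtpSwitch("core", "CourseivaLab", "server", password="MySecret")
    for vid, name in ((10, "Engineering"), (20, "Sales"), (30, "Guest")):
        prod.add_vlan(vid, name)                        # prod.revision is now 3

    lab = VtpSwitch("lab-sw", "CourseivaLab", rogue_mode, password=rogue_password)
    for vid in range(100, 110):                         # ten adds ...
        lab.add_vlan(vid, f"lab{vid}")
    for vid in range(100, 110):                         # ... then ten deletes: revision 20, only VLAN 1 left
        lab.delete_vlan(vid)
    if reset_domain:                                    # the safe step before cabling it in
        lab.set_domain("scratch")
        lab.set_domain("CourseivaLab")

    prod.receive(lab.advertisement())                   # lab switch is connected on a trunk
    return sorted(prod.vlans)


if __name__ == "__main__":
    print("server, same password :", rogue_switch_scenario())
    print("transparent lab switch:", rogue_switch_scenario(rogue_mode="transparent"))
    print("wrong password        :", rogue_switch_scenario(rogue_password="wrong"))
    print("domain reset first    :", rogue_switch_scenario(reset_domain=True))
```

The first case wipes VLANs 10, 20 and 30 from the production server because the lab switch's revision 20 beats revision 3 and its database contains only VLAN 1. Each of the other three cases leaves production intact, which is exactly why the text recommends transparent mode, a VTP password, and resetting the revision before connecting unknown hardware.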
Inter-VLAN Routing: Connecting VLANs
VLANs are isolated at Layer 2. To allow communication between VLANs, you need a Layer 3 device. There are two common methods:
- Router-on-a-stick (ROAS): A router with a single physical interface connects to a switch trunk port. Subinterfaces are created for each VLAN, each with a different IP address in the VLAN's subnet.
- Layer 3 switch: Configure a Switch Virtual Interface (SVI) for each VLAN, and enable IP routing.
ROAS configuration example:
Router(config)# interface gigabitEthernet0/0
Router(config-if)# no shutdown
Router(config)# interface gigabitEthernet0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0
Router(config)# interface gigabitEthernet0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0
The switch port connected to the router must be a trunk whose allowed list includes every routed VLAN, and the physical interface must be up, since subinterfaces inherit its state. If the trunk's native VLAN also needs a gateway, configure one subinterface with `encapsulation dot1Q <id> native` so that untagged frames map to it.
Layer 3 switch example:
Switch(config)# ip routing
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config)# interface vlan 20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
SVIs are virtual interfaces that route between VLANs internally. An SVI only comes up once its VLAN exists in the VLAN database and at least one port in that VLAN (or a trunk carrying it) is up, so check `show ip interface brief` after configuring. Remember that routing undoes the Layer 2 isolation: if two VLANs are separated for security, put an ACL on the SVI or subinterface, otherwise every host in VLAN 10 can reach every host in VLAN 20.
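The decision a ROAS router makes for each frame (which subinterface the tag selects, which subinterface owns the destination subnet, whether the frame goes back out tagged or untagged) is summarised in the following Python model. It is an added example, not code from the page or from Courseiva, and it uses the page's 192.168.10.0/24 and 192.168.20.0/24 subnets plus an assumed native subinterface for VLAN 99; the `denied` set stands in for an inter-VLAN ACL and is also an assumption of the model.

```python
import ipaddress


class RouterOnAStick:
    """Model of a router-on-a-stick: one trunk, one subinterface per VLAN."""

    def __init__(self):
        self.subifs = {}          # vlan id -> ip_interface (gateway address and subnet)
        self.native_vlan = None   # subinterface configured 'encapsulation dot1Q <id> native'
        self.denied = set()       # (src vlan, dst vlan) pairs an inter-VLAN ACL would block

    def add_subif(self, vlan, gateway_cidr, native=False):
        """Equivalent of: encapsulation dot1Q <vlan> [native] + ip address <gw> <mask>."""
        self.subifs[vlan] = ipaddress.ip_interface(gateway_cidr)
        if native:
            self.native_vlan = vlan

    def route(self, ingress_tag, dst):
        """Classify a frame arriving on the trunk and decide where it goes.
        ingress_tag is the 802.1Q VID, or None for an untagged frame.
        Returns ("forward", egress_tag) where None means 'send untagged',
        or ("drop", reason)."""
        vlan = self.native_vlan if ingress_tag is None else ingress_tag
        if vlan not in self.subifs:
            return "drop", f"no subinterface for VLAN {vlan}"
        dst_ip = ipaddress.ip_address(dst)
        for egress_vlan, iface in self.subifs.items():
            if dst_ip in iface.network:
                if egress_vlan == vlan:
                    return "drop", "same subnet: the switch delivers this at Layer 2"
                if (vlan, egress_vlan) in self.denied:
                    return "drop", f"ACL denies VLAN {vlan} -> VLAN {egress_vlan}"
                egress_tag = None if egress_vlan == self.native_vlan else egress_vlan
                return "forward", egress_tag
        return "drop", "no route (this model has no default route)"


def demo_router():
    """Assumed topology: VLANs 10 and 20 from the page, VLAN 99 as trunk native."""
    r = RouterOnAStick()
    r.add_subif(10, "192.168.10.1/24")
    r.add_subif(20, "192.168.20.1/24")
    r.add_subif(99, "192.168.99.1/24", native=True)   # matches 'switchport trunk native vlan 99'
    r.denied.add((20, 10))                              # Sales may not reach Engineering
    return r


if __name__ == "__main__":
    r = demo_router()
    for tag, dst in ((10, "192.168.20.7"), (10, "192.168.99.9"), (None, "192.168.10.9"),
                     (20, "192.168.10.5"), (30, "192.168.10.5"), (10, "192.168.10.5")):
        print(f"tag={tag!s:>4} dst={dst:<14} ->", r.route(tag, dst))
```

The cases worth noticing: a frame for the native subinterface is forwarded untagged (`egress_tag` is `None`), an untagged frame is routed as VLAN 99 only because a subinterface was marked native, a tag for a VLAN with no subinterface is dropped, and without the `denied` entry VLAN 20 would reach VLAN 10 freely.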
12 CCNA VLANs Practice Questions
Test your understanding with these questions. Answers and explanations follow.
1. Which VLAN is the default native VLAN on a Cisco switch?
A. VLAN 0
B. VLAN 1
C. VLAN 1002
D. VLAN 4094
2. What is the purpose of the 802.1Q tag in a trunk link?
A. Encrypts the frame
B. Identifies the source MAC address
C. Carries the VLAN ID
D. Sets the MTU size
3. A switch trunk port receives an untagged frame. To which VLAN does it belong?
A. VLAN 1
B. The native VLAN configured on the port
C. The lowest allowed VLAN
D. It is dropped
4. Which VTP mode allows a switch to create VLANs locally but not propagate them?
A. Server
B. Client
C. Transparent
D. Off
5. How many bits are used for the VLAN ID in an 802.1Q tag?
A. 8
B. 12
C. 16
D. 32
6. What command configures a switch port as a trunk?
A. `switchport mode access`
B. `switchport mode trunk`
C. `switchport trunk enable`
D. `trunk mode on`
7. Which device is required for inter-VLAN routing?
A. A Layer 2 switch only
B. A hub
C. A router or Layer 3 switch
D. A bridge
8. In router-on-a-stick, how are subinterfaces associated with VLANs?
A. Using the `vlan` command
B. Using the `encapsulation dot1Q` command
C. Using the `ip vlan` command
D. Automatically via CDP
9. What is a common security risk of using VLAN 1 as the native VLAN?
A. It cannot carry data traffic
B. It is susceptible to VLAN hopping attacks
C. It requires a separate trunk
D. It reduces bandwidth by 50%
10. Which command displays the native VLAN on a trunk link?
A. `show vlan brief`
B. `show interfaces trunk`
C. `show running-config`
D. `show vtp status`
11. What happens if two switches have mismatched native VLANs on a trunk?
A. The trunk fails to form
B. Control traffic is misclassified, and data may be dropped
C. All VLANs are allowed
D. The native VLAN automatically changes
12. A Layer 3 switch is configured with SVIs for VLANs 10 and 20. What command enables routing between them?
A. `ip routing`
B. `routing enable`
C. `vlan routing`
D. `interface vlan 10`
Answers and Explanations
1. B – VLAN 1 is the default native VLAN on all Cisco switches.
2. C – The 802.1Q tag carries the 12-bit VLAN ID to identify which VLAN the frame belongs to.
3. B – Untagged frames are assigned to the native VLAN configured on the trunk port.
4. C – Transparent mode allows local VLAN creation but does not propagate changes.
5. B – The VLAN ID field is 12 bits, allowing values 0–4095 (though 0 and 4095 are reserved).
6. B – `switchport mode trunk` sets the interface as a trunk.
7. C – Only a Layer 3 device (router or Layer 3 switch) can route between VLANs.
8. B – `encapsulation dot1Q vlan-id` binds the subinterface to a specific VLAN.
9. B – VLAN 1 is both the default native VLAN and the default access VLAN, so an attacker on an unconfigured port is already in the native VLAN, which is the precondition for the double-tagging VLAN hopping attack.
10. B – `show interfaces trunk` displays native VLAN and allowed VLANs per trunk.
11. B – With mismatched native VLANs, untagged frames are classified into different VLANs on each side, so control traffic (e.g., CDP, DTP) and data are misdelivered; CDP logs a mismatch and PVST+ may block the port, which drops data.
12. A – `ip routing` globally enables Layer 3 forwarding on the switch.
Key Takeaways for CCNA Success
Mastering VLANs and 802.1Q trunking is non-negotiable for the CCNA exam. Focus on these core concepts:
- VLANs isolate broadcast domains at Layer 2.
- 802.1Q tags frames on trunk links; the native VLAN carries untagged traffic.
- VTP can simplify management but introduces risk—use transparent mode or disable it.
- Inter-VLAN routing requires a Layer 3 device; know both ROAS and SVI configurations.
- Always verify trunk settings with `show interfaces trunk`.
Practice these concepts in a lab environment—GNS3, Packet Tracer, or real gear—to build muscle memory. For more hands-on practice, check out Courseiva's full set of CCNA practice questions and labs. You've got this.