This chapter covers Virtual LANs (VLANs) and the IEEE 802.1Q trunking standard, a core topic for the CompTIA Network+ N10-009 exam under Objective 1.6 (Explain the concepts and purposes of routing and switching). VLANs are fundamental to modern network design, enabling logical segmentation of broadcast domains without additional hardware. Expect 3-5 exam questions on VLAN concepts, 802.1Q tagging, trunking, and VLAN membership types. Mastery of this topic is essential for understanding switching, routing, and network troubleshooting.
Imagine a large office building with multiple departments: Sales, Engineering, and HR. Each department occupies different desks but shares the same physical floor and network cabling. To separate their network traffic, you issue color-coded security badges: Sales gets blue, Engineering gets red, HR gets green. When someone enters a meeting room, they tap their badge, and the room's network port is dynamically assigned to that department's VLAN. The badge color is like an IEEE 802.1Q tag inserted into every frame. The network switches act as door guards: they look at the tag color and only forward frames to ports authorized for that color. If an Engineering employee sends a broadcast, it only reaches other red-badge ports, not blue or green. Without VLANs, all departments would share the same broadcast domain, causing congestion and security risks. The tag (color) is stripped when the frame exits a trunk link to an access port, just like removing a badge when leaving the building. This allows multiple logical networks to share the same physical infrastructure, improving security and performance.
What is a VLAN and Why Does It Exist?
A Virtual LAN (VLAN) is a logical grouping of devices within the same broadcast domain, regardless of their physical location on the network. VLANs solve the problem of flat Layer 2 networks where all devices share the same broadcast domain, leading to excessive broadcast traffic, security risks, and inefficient use of bandwidth. By segmenting a switch into multiple VLANs, you create separate broadcast domains that do not forward broadcasts to each other. This improves performance (less broadcast overhead), enhances security (devices in different VLANs cannot communicate directly without a router), and simplifies management (moves, adds, and changes are easier).
How VLANs Work Internally
VLANs operate at Layer 2 (Data Link Layer) of the OSI model. Each VLAN is identified by a 12-bit VLAN ID (VID) ranging from 1 to 4094, per the IEEE 802.1Q standard. VLANs 0 and 4095 are reserved; VLAN 1 is the default VLAN on most switches. Frames within a VLAN are switched only among ports that belong to that VLAN. When a frame needs to traverse a trunk link (a link carrying multiple VLANs), an 802.1Q tag is inserted into the Ethernet frame. The tag is 4 bytes long and contains:
Tag Protocol Identifier (TPID): 2 bytes, fixed value 0x8100 to indicate an 802.1Q frame.
Tag Control Information (TCI): 2 bytes, which includes:
Priority Code Point (PCP): 3 bits for Class of Service (CoS), values 0-7.
Drop Eligible Indicator (DEI): 1 bit, used for congestion management.
VLAN ID (VID): 12 bits, identifying the VLAN (1-4094).
The tag is inserted between the source MAC address and the EtherType/Length field, so the original EtherType/Length field is shifted 4 bytes later in the frame and now follows the tag. Because the frame contents change, the Frame Check Sequence (FCS) is recalculated. On the receiving end, the tag is removed if the frame exits an access port, or preserved if it exits a trunk port.
VLAN Membership Types
Ports can be assigned to VLANs in two primary ways:
Static VLAN: The port is manually assigned to a VLAN. This is common and easy to manage.
Dynamic VLAN: The port is assigned based on the MAC address of the connected device using a VMPS (VLAN Membership Policy Server). This is rare on N10-009.
Trunking and 802.1Q
A trunk port is a switch port configured to carry traffic for multiple VLANs. Trunk ports use 802.1Q tagging to identify which VLAN a frame belongs to. Key points:
Native VLAN: Frames on the native VLAN are sent untagged on a trunk. By default, the native VLAN is VLAN 1. Mismatched native VLANs on the two ends of a trunk cause untagged frames to be classified into the wrong VLAN on the receiving side, which can lead to VLAN hopping and other security issues.
Allowed VLAN list: By default, all VLANs are allowed on a trunk. Administrators can restrict which VLANs are allowed using the `switchport trunk allowed vlan` command.
DTP (Dynamic Trunking Protocol): Cisco-proprietary protocol that negotiates trunking between switches. Not required for 802.1Q but commonly used. Exam tip: DTP can be a security risk if left on; best practice is to set `switchport mode trunk` and `switchport nonegotiate`.
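The tag layout from the previous section and the native VLAN behaviour described above can both be seen in a small byte-level model. The following Python block is an added example, not code from the original chapter; it builds a constructed Ethernet frame, inserts and parses a 4-byte 802.1Q tag (TPID 0x8100, then PCP/DEI/VID in the TCI), and then models one trunk link where each end may have its own native VLAN, so that a native VLAN mismatch can be observed as a frame landing in the wrong VLAN. The MAC addresses, payload and helper names (`trunk_egress`, `trunk_ingress`, `transit`) are assumptions made for the example; the FCS is omitted.

```python
"""Byte-level model of 802.1Q tagging and native-VLAN handling on a trunk.

Added example (not from the original chapter). Frames are constructed
sample data; the FCS is left out because a real NIC recomputes it anyway.
"""
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks a tagged frame

# Constructed sample frame: broadcast destination, locally administered
# source MAC, IPv4 EtherType, short payload.
SAMPLE_FRAME = (
    b"\xff" * 6                          # destination MAC
    + b"\x02\x00\x00\x00\x00\x01"        # source MAC
    + struct.pack("!H", 0x0800)          # EtherType (IPv4)
    + b"constructed payload"
)


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094; 0 and 4095 are reserved")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits (0-7), DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid   # 3 + 1 + 12 bits = 16-bit TCI
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return tag fields for a tagged frame, or vid=None if untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"vid": None, "pcp": None, "dei": None, "ethertype": ethertype}
    tci = struct.unpack("!H", frame[14:16])[0]
    return {
        "vid": tci & 0x0FFF,                    # low 12 bits
        "pcp": tci >> 13,                       # high 3 bits
        "dei": (tci >> 12) & 1,                 # single bit below PCP
        "ethertype": struct.unpack("!H", frame[16:18])[0],  # shifted by 4
    }


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as a switch does when a frame exits an access port."""
    return frame[:12] + frame[16:]


def trunk_egress(frame: bytes, vid: int, native_vlan: int) -> bytes:
    """A trunk sends native-VLAN frames untagged and tags everything else."""
    return frame if vid == native_vlan else tag_frame(frame, vid)


def trunk_ingress(frame: bytes, native_vlan: int):
    """The receiving trunk classifies untagged frames into ITS native VLAN."""
    info = parse_frame(frame)
    if info["vid"] is None:
        return native_vlan, frame
    return info["vid"], strip_tag(frame)


def transit(vid: int, sender_native: int, receiver_native: int) -> int:
    """Send SAMPLE_FRAME in `vid` across one trunk; return the VLAN the far
    end assigns it to.  Equal native VLANs preserve membership; a mismatch
    silently moves native-VLAN traffic into the receiver's native VLAN."""
    on_wire = trunk_egress(SAMPLE_FRAME, vid, sender_native)
    classified, _ = trunk_ingress(on_wire, receiver_native)
    return classified


if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, 10, pcp=5, dei=1)
    print("tag bytes:", tagged[12:16].hex(), parse_frame(tagged))
    print("matched native 99, VLAN 99 arrives in:", transit(99, 99, 99))
    print("sender native 99, receiver native 1, VLAN 99 arrives in:", transit(99, 99, 1))
```

Running the block shows the tag as the four bytes `8100b00a` (0x8100, then PCP 5, DEI 1, VID 10) and, in the mismatch case, a frame that left switch A in VLAN 99 being counted as VLAN 1 traffic on switch B, which is exactly the misclassification the exam expects you to recognise.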
VLAN Configuration Examples (Cisco IOS)
To create a VLAN and assign ports:
! Create VLAN 10
Switch(config)# vlan 10
Switch(config-vlan)# name Sales
! Assign interface to VLAN 10 as access port
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! Configure trunk port
Switch(config)# interface gigabitethernet0/24
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Verification Commands
show vlan brief – Displays VLAN IDs, names, and ports assigned.
show interfaces trunk – Shows trunk ports, native VLAN, and allowed VLANs.
show interfaces switchport – Detailed per-port VLAN and trunk status.
VLAN Trunking Protocol (VTP)
VTP is a Cisco-proprietary protocol that propagates VLAN information across a switched network. VTP has three modes: Server, Client, and Transparent. N10-009 expects you to know that VTP is not required and can cause issues if misconfigured (e.g., VTP domain mismatch or revision number conflicts). VTP pruning reduces unnecessary broadcast traffic on trunks.
VLANs and Routing
VLANs are Layer 2 constructs. For devices in different VLANs to communicate, a Layer 3 device (router or Layer 3 switch) is required. This is called inter-VLAN routing. Common methods:
Router-on-a-stick: One physical router interface connected to a trunk port, with subinterfaces each assigned a VLAN.
Layer 3 switch: Uses switched virtual interfaces (SVIs) – a virtual interface per VLAN that can route traffic.
VLAN Security Considerations
VLAN Hopping: An attack where a device sends frames with 802.1Q tags to access a VLAN it shouldn't. Mitigation: disable DTP, set native VLAN to an unused VLAN, and use dedicated trunk ports.
Private VLANs: Isolate ports within the same VLAN (e.g., in a DMZ). Not heavily tested on N10-009.
Voice VLAN: A separate VLAN for VoIP traffic, often configured with QoS trust.
Key Defaults and Values
Default VLAN: VLAN 1 (cannot be deleted).
Default native VLAN: 1.
Maximum VLANs per switch: Typically 4094 (limited by 12-bit VID).
802.1Q tag size: 4 bytes.
DTP modes: Dynamic desirable, dynamic auto, trunk, access.
Create VLANs on Switch
On a Cisco switch, use the global configuration command `vlan <vlan-id>` to create a VLAN. Optionally assign a name with `name <name>`. The VLAN is now stored in the running-config and, if VTP is used, propagated to other switches. Without VTP, you must create the VLAN on each switch. The VLAN ID must be between 1 and 4094 (excluding reserved). The switch automatically creates VLAN 1. After creation, the VLAN is inactive until at least one access port is assigned to it.
Assign Access Ports to VLAN
On each switch port that connects to end devices (PCs, printers), set the port mode to access using `switchport mode access`. Then assign it to a VLAN with `switchport access vlan <vlan-id>`. The port becomes a member of that VLAN, and all untagged frames received on that port are classified into that VLAN. The switch will only forward frames from that VLAN to other ports in the same VLAN. The port's PVID (Port VLAN ID) is set to the assigned VLAN.
Configure Trunk Ports
On links between switches (or to routers), configure trunk ports. Set the interface to trunk mode with `switchport mode trunk`. Optionally set the native VLAN with `switchport trunk native vlan <vlan-id>` (best practice: use an unused VLAN). Restrict allowed VLANs with `switchport trunk allowed vlan <vlan-list>`. The trunk port will tag frames with the 802.1Q header for all VLANs except the native VLAN. Both ends must match in trunking mode and native VLAN to avoid errors.
Verify VLAN Configuration
Use `show vlan brief` to list all VLANs and their associated ports. Use `show interfaces trunk` to confirm trunk ports, native VLAN, and allowed VLANs. Use `show interfaces switchport` for detailed per-port status. Verify that access ports show the correct VLAN and that trunk ports show 'trunk' mode. If VLANs are missing, check if they were created on all switches. If trunk is not operational, check for mismatched native VLANs or DTP negotiation issues.
Implement Inter-VLAN Routing
To allow communication between VLANs, configure a router or Layer 3 switch. For router-on-a-stick, create subinterfaces on the router: `interface gigabitethernet0/0.10`, `encapsulation dot1Q 10`, `ip address 192.168.10.1 255.255.255.0`. For a Layer 3 switch, create an SVI: `interface vlan 10`, `ip address 192.168.10.1 255.255.255.0`, `no shutdown`. Enable IP routing globally with `ip routing`. Ensure the router or SVI is on a trunk port to the switch.
In enterprise networks, VLANs are ubiquitous. Consider a medium-sized company with 500 employees across three departments: Engineering (200 users), Sales (150 users), and HR (50 users). Each department is assigned a separate VLAN: VLAN 10 (Engineering), VLAN 20 (Sales), VLAN 30 (HR). The network uses a collapsed core design with two distribution switches and multiple access switches on each floor. Each access switch port is statically assigned to the appropriate VLAN based on the connected user's department. Trunk links connect access switches to distribution switches using 802.1Q. The native VLAN is set to an unused VLAN (e.g., VLAN 999) to prevent VLAN hopping attacks. DTP is disabled on all trunk ports (`switchport nonegotiate`). Inter-VLAN routing is handled by a pair of Layer 3 switches in the core, using SVIs. A separate voice VLAN (VLAN 100) is configured for VoIP phones; phones are placed in a dedicated VLAN to simplify QoS and security policies.
Another scenario: A university campus with separate VLANs for students, faculty, and administrative staff. Wireless networks are also mapped to VLANs via SSID-to-VLAN mapping on the wireless LAN controller. The network team uses 802.1X authentication to dynamically assign VLANs based on user credentials. This reduces the need for static VLAN assignments and simplifies moves.
Common misconfigurations include: forgetting to create the VLAN on all switches (causing the trunk to block traffic for that VLAN), mismatched native VLANs (causing frames to be misclassified), and leaving DTP enabled (allowing an attacker to negotiate a trunk and perform VLAN hopping). Performance-wise, VLANs have negligible overhead; the 4-byte 802.1Q tag is minimal. However, excessive VLANs (thousands) can increase MAC address table size and CPU load on switches. Best practice is to use a consistent VLAN numbering scheme (e.g., department number + floor) and document all VLANs.
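The verification step above says to confirm native VLANs and allowed lists with `show interfaces trunk`, and this paragraph lists the mismatches that most often break a trunk. The following Python block is an added example, not part of the original chapter or any vendor tool: it parses two constructed `show interfaces trunk` outputs (written to resemble Cisco IOS output, with a deliberate native VLAN mismatch and a VLAN missing from one allowed list) and reports the trunk inconsistencies a network engineer would check by eye. The function names, the switch names and the sample outputs are assumptions made for the example.

```python
"""Consistency check over `show interfaces trunk` from both ends of a link.

Added example (not from the original chapter). SWITCH_A and SWITCH_B are
constructed outputs in the style of Cisco IOS; they are not captured from
real devices. Both contain deliberate problems for the checker to find.
"""

SWITCH_A = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/24      on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/24      10,20,30

Port        Vlans allowed and active in management domain
Gi0/24      10,20,30
"""

SWITCH_B = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/24      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/24      10,20

Port        Vlans allowed and active in management domain
Gi0/24      10,20
"""


def expand_vlan_list(text: str) -> set:
    """'10,20-30' -> {10, 20, 21, ..., 30}; 'none' -> empty set."""
    vlans = set()
    if text.strip().lower() == "none":
        return vlans
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_show_trunk(output: str) -> dict:
    """Return {port: {"mode", "status", "native", "allowed"}} from the output.

    Each table starts with a header line beginning with 'Port'; the header
    text tells us which column set the following rows belong to."""
    ports = {}
    section = ""
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            section = line
            continue
        fields = line.split()
        entry = ports.setdefault(fields[0], {})
        if "Native vlan" in section:
            entry["mode"] = fields[1]
            entry["status"] = fields[3]
            entry["native"] = int(fields[4])
        elif "allowed on trunk" in section:
            entry["allowed"] = expand_vlan_list(fields[1])
    return ports


def check_trunk_pair(out_a: str, out_b: str, port_a: str, port_b: str,
                     required_vlans=()) -> list:
    """Findings for one trunk link; an empty list means the ends agree."""
    ta = parse_show_trunk(out_a)[port_a]
    tb = parse_show_trunk(out_b)[port_b]
    findings = []
    if ta["native"] != tb["native"]:
        findings.append(
            f"native VLAN mismatch: {ta['native']} on {port_a} vs {tb['native']} on {port_b}")
    for side, t in (("A", ta), ("B", tb)):
        if t["native"] == 1:
            findings.append(f"side {side} still uses the default native VLAN 1")
    if ta["allowed"] != tb["allowed"]:
        findings.append(
            f"allowed VLAN lists differ; only on one side: {sorted(ta['allowed'] ^ tb['allowed'])}")
    for vid in required_vlans:
        if vid not in (ta["allowed"] & tb["allowed"]):
            findings.append(f"VLAN {vid} is not allowed on both ends of the trunk")
    return findings


if __name__ == "__main__":
    for finding in check_trunk_pair(SWITCH_A, SWITCH_B, "Gi0/24", "Gi0/24",
                                    required_vlans=(10, 30)):
        print("FINDING:", finding)
```

Run as a script, the checker reports the native VLAN mismatch (99 vs 1), that switch B still uses native VLAN 1, that VLAN 30 appears in only one allowed list, and that VLAN 30 therefore is not carried end to end, which is the "PCs in VLAN 30 cannot talk across the link" symptom the exam scenarios describe. Feeding it the same output for both ends returns no findings.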
The N10-009 exam tests VLAN concepts under Objective 1.6 (Explain the concepts and purposes of routing and switching). Specifically, you must understand:
The purpose of VLANs (broadcast domain segmentation, security, flexibility).
The difference between access and trunk ports.
IEEE 802.1Q tagging: frame format, tag insertion, native VLAN.
VLAN membership types (static vs. dynamic).
Inter-VLAN routing basics (router-on-a-stick, Layer 3 switch).
VLAN security: VLAN hopping and mitigation (disable DTP, change native VLAN).
Common wrong answers:
1. 'VLANs separate collision domains.' Wrong – VLANs separate broadcast domains; collision domains are separated by switches (full-duplex) or routers.
2. 'The native VLAN is always VLAN 1.' Wrong – it defaults to VLAN 1 but can be changed.
3. '802.1Q adds 8 bytes to the frame.' Wrong – it adds 4 bytes (the tag).
4. 'Trunk ports can only carry one VLAN.' Wrong – trunk ports carry multiple VLANs; access ports carry one.
Exam trap: A question may describe a scenario where two switches are connected and PCs in VLAN 10 cannot communicate across the link. The likely cause is that VLAN 10 is not allowed on the trunk, or the native VLAN mismatch causes frames to be dropped. Another trap: 'Which IEEE standard defines VLAN tagging?' Answer: 802.1Q (not 802.1D, 802.1w, or 802.1x).
Key numbers: VLAN ID range 1-4094 (0, 4095 reserved). 802.1Q tag size 4 bytes. Default native VLAN 1. Maximum VLANs per switch 4094 (practical limit lower). DTP modes: dynamic desirable, dynamic auto, trunk, access.
To eliminate wrong answers, focus on the fundamental mechanism: VLANs are Layer 2 broadcast domain separators. Any answer that confuses broadcast/collision domains, tag size, or trunk vs. access is incorrect.
VLANs segment broadcast domains at Layer 2, improving performance and security.
IEEE 802.1Q is the standard for VLAN tagging, adding a 4-byte tag with a 12-bit VLAN ID (1-4094).
Access ports belong to one VLAN and send untagged frames; trunk ports carry multiple VLANs and send tagged frames.
The native VLAN on a trunk sends untagged frames; default is VLAN 1; change it to an unused VLAN for security.
Inter-VLAN routing requires a Layer 3 device (router-on-a-stick with subinterfaces or Layer 3 switch with SVIs).
VLAN hopping attacks can be mitigated by disabling DTP and setting the native VLAN to an unused ID.
Common verification commands: `show vlan brief`, `show interfaces trunk`, `show interfaces switchport`.
VLAN 1 is the default VLAN and cannot be deleted; best practice is to use VLAN 1 only for management if necessary.
Dynamic VLAN assignment uses VMPS (VLAN Membership Policy Server) based on MAC address, but static assignment is more common.
VTP (VLAN Trunking Protocol) is Cisco-proprietary and can propagate VLANs; use with caution to avoid revision number issues.
These come up on the exam all the time. Here's how to tell them apart.
Access Ports
Belongs to a single VLAN (access VLAN).
Sends and receives untagged frames.
Used to connect end devices (PCs, printers).
Does not use 802.1Q tagging.
Configuration: `switchport mode access` and `switchport access vlan <vlan-id>`.
Trunk Ports
Carries multiple VLANs simultaneously.
Sends tagged frames for all VLANs except native VLAN.
Used to connect switches, routers, or servers.
Uses 802.1Q tagging to identify VLAN membership.
Configuration: `switchport mode trunk` and optional allowed VLAN list.
Mistake
VLANs separate collision domains.
Correct
VLANs separate broadcast domains, not collision domains. Collision domains are eliminated by switches in full-duplex mode; each switch port is its own collision domain. VLANs control the propagation of broadcasts.
Mistake
The native VLAN cannot be changed from VLAN 1.
Correct
The native VLAN is configurable. On Cisco switches, use `switchport trunk native vlan <vlan-id>`. It is a security best practice to change it to an unused VLAN to prevent VLAN hopping.
Mistake
802.1Q adds 8 bytes to the Ethernet frame.
Correct
802.1Q adds exactly 4 bytes: a 2-byte TPID (0x8100) and a 2-byte TCI (including the 12-bit VLAN ID). The original EtherType field is shifted, not removed.
Mistake
A trunk port can carry only one VLAN.
Correct
A trunk port carries multiple VLANs (by default all VLANs). An access port carries only one VLAN (the access VLAN). Trunk ports are used for inter-switch links.
Mistake
VLANs can communicate without a router.
Correct
VLANs are isolated at Layer 2. Devices in different VLANs cannot communicate directly; they require a Layer 3 device (router or Layer 3 switch) for inter-VLAN routing.
An access port belongs to a single VLAN and sends/receives untagged frames. It is used to connect end devices like PCs. A trunk port carries multiple VLANs and uses 802.1Q tagging to identify each frame's VLAN. Trunk ports are used to connect switches or routers. On the exam, remember that access ports do not tag frames, while trunk ports do (except for the native VLAN).
The native VLAN is the VLAN that carries untagged traffic on a trunk port. By default, it is VLAN 1. Frames belonging to the native VLAN are sent without an 802.1Q tag. If the native VLAN mismatches on two ends of a trunk, frames may be misclassified, causing connectivity issues or security vulnerabilities (VLAN hopping). Best practice is to change the native VLAN to an unused VLAN.
The IEEE 802.1Q standard supports up to 4094 VLANs (VLAN IDs 1-4094, with 0 and 4095 reserved). However, the actual number is limited by the switch hardware and software. On the exam, the answer is 4094, but note that some switches may support fewer due to platform limitations.
No. VLANs create separate broadcast domains at Layer 2. Without a Layer 3 device (router or Layer 3 switch), devices in different VLANs cannot communicate. Inter-VLAN routing is required, typically using a router-on-a-stick or a Layer 3 switch with SVIs (Switched Virtual Interfaces).
VLAN hopping is an attack where an attacker sends frames with an 802.1Q tag to gain access to a VLAN they shouldn't. It can be prevented by: disabling DTP on trunk ports (`switchport nonegotiate`), changing the native VLAN to an unused VLAN, and using dedicated trunk ports (not allowing dynamic trunking).
The `show vlan brief` command displays a list of all VLANs on the switch, including VLAN ID, name, status, and the ports assigned to each VLAN. It is used to verify VLAN creation and port assignments. Note that trunk ports are not listed as members of VLANs; only access ports appear.
The 802.1Q tag is inserted into an Ethernet frame to identify which VLAN the frame belongs to. It allows multiple VLANs to traverse a single trunk link. The tag is 4 bytes and includes the VLAN ID (12 bits), priority (3 bits), and drop eligible indicator (1 bit).