Access Port Assigned to Wrong VLAN — Users in Wrong Segment
Presenting Symptom
Users in a specific department cannot communicate with other devices in the same VLAN, but they can reach devices in other VLANs.
Network Context
A small branch office with a single Cisco Catalyst 2960 switch (IOS 15.0) connecting 50 users across multiple departments. The switch is configured with several VLANs (10, 20, 30) and a trunk link to a router-on-a-stick for inter-VLAN routing. The problem occurs for users connected to port FastEthernet 0/10, which should be in VLAN 10 (Engineering) but is actually in VLAN 20 (Marketing).
Diagnostic Steps
Check the access VLAN assigned to the port
show interfaces fastEthernet 0/10 switchport
Name: Fa0/10
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20 (Marketing)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
The output shows the port is in access mode and assigned to VLAN 20. If the expected VLAN is 10, this indicates a misconfiguration.
Verify the VLAN configuration on the switch
show vlan brief
The output shows VLAN 10 exists and is active, but port Fa0/10 is not listed under VLAN 10. Instead, it is listed under VLAN 20, where it would not appear if the port were correctly assigned. This confirms the port is in the wrong VLAN.
Check the MAC address table for the port
show mac address-table interface fastEthernet 0/10
The MAC address of the connected device is learned in VLAN 20, confirming the device is in the wrong VLAN.
Verify the trunk configuration and native VLAN
show interfaces trunk
The trunk is correctly configured and allows VLANs 10, 20, and 30. This rules out trunk issues as the cause.
Root Cause
The access port FastEthernet 0/10 is statically assigned to VLAN 20 instead of VLAN 10. This misconfiguration causes the connected device to be placed in the wrong broadcast domain, preventing communication with other devices in VLAN 10.
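Resolution
Reassign FastEthernet 0/10 from VLAN 20 to VLAN 10 as its access VLAN, then confirm the change as described under Verification.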
Verification
Run 'show interfaces fastEthernet 0/10 switchport' and verify that 'Access Mode VLAN' shows '10 (Engineering)'. Also run 'show vlan brief' to confirm Fa0/10 appears under VLAN 10. Finally, test connectivity by pinging a device in VLAN 10 from the connected host.
Prevention
1. Use VLAN management best practices: document VLAN assignments and use consistent naming conventions.
2. Implement port security or 802.1X to dynamically assign VLANs based on user identity.
3. Regularly audit switch configurations using scripts or network management tools to detect mismatches.
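An added example, not part of the original page: a Python audit for prevention item 3 that parses 'show interfaces switchport' output and compares each port's Access Mode VLAN with the documented assignment. The sample output, the EXPECTED record and the function names are constructed for illustration.

```python
import re

# Constructed sample of "show interfaces switchport" output, trimmed to the fields read.
SAMPLE_OUTPUT = """\
Name: Fa0/9
Administrative Mode: static access
Access Mode VLAN: 10 (Engineering)
Name: Fa0/10
Administrative Mode: static access
Access Mode VLAN: 20 (Marketing)
Name: Gi0/1
Administrative Mode: trunk
Access Mode VLAN: 1 (default)
"""

# Hypothetical record of the documented access VLAN for each port.
EXPECTED = {"Fa0/9": 10, "Fa0/10": 10, "Fa0/11": 30, "Gi0/1": 10}

def parse_switchport(text):
    """Map each port name to its fields from 'show interfaces switchport'."""
    ports, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Name":
            current = ports.setdefault(value.strip(), {})
        elif sep and current is not None:
            current[key.strip()] = value.strip()
    return ports

def audit(text, expected):
    """Return (port, documented_vlan, problem) for every port that deviates."""
    ports, findings = parse_switchport(text), []
    for port, want in sorted(expected.items()):
        fields = ports.get(port)
        if fields is None:
            findings.append((port, want, "not in output"))
            continue
        if fields.get("Administrative Mode") != "static access":
            findings.append((port, want, "not an access port"))
            continue
        match = re.match(r"(\d+)", fields.get("Access Mode VLAN", ""))
        actual = int(match.group(1)) if match else None
        if actual != want:
            findings.append((port, want, f"access VLAN is {actual}"))
    return findings

if __name__ == "__main__":
    for port, want, problem in audit(SAMPLE_OUTPUT, EXPECTED):
        print(f"{port}: documented VLAN {want}, {problem}")
```

Fa0/10 is reported because its access VLAN is 20 while the documented VLAN is 10, which is the mismatch diagnosed in this scenario.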
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario appears as a troubleshooting question where you must identify why a host cannot communicate within its VLAN. The exam tests your ability to interpret 'show interfaces switchport' and 'show vlan brief' output. Key fact: An access port can only belong to one VLAN, and misassignment isolates the host from its intended VLAN.
Exam Tips
Memorize the 'show interfaces switchport' command and focus on the 'Access Mode VLAN' field.
Remember that 'show vlan brief' shows which ports are assigned to each VLAN; if a port is missing from the expected VLAN, it's likely misconfigured.
Be aware that the native VLAN on a trunk can also cause issues if mismatched, but in this scenario the problem is purely access VLAN assignment.
Commands Used in This Scenario
show interfaces switchport
Displays the administrative and operational status of a switch port, including VLAN membership, trunking mode, and access VLAN, used to verify VLAN configuration and port security settings.
show mac address-table
Displays the MAC address table (also known as CAM table) on a switch, showing which MAC addresses are learned on which VLAN and port, used to verify Layer 2 forwarding and detect issues like MAC flooding or incorrect port assignments.
show vlan brief
Displays a summary of all VLANs configured on the switch, including VLAN ID, name, status, and ports, used to quickly verify VLAN configuration and port assignments.