VLAN implementation is a core Network+ N10-009 topic spanning both networking concepts and implementation domains. You must understand how VLANs are created, how access and trunk ports work, how inter-VLAN routing is achieved, and common VLAN security concerns. Network+ tests the conceptual understanding of VLAN design and operation, not CLI syntax — though understanding the configuration intent helps answer scenario questions.
VLANs logically segment a physical switch into multiple broadcast domains using IEEE 802.1Q tagging. Each VLAN is a separate Layer 2 network — devices in different VLANs cannot communicate without a router or Layer 3 switch. Common VLAN designs: Data VLAN (user workstations), Voice VLAN (VoIP phones — separate for QoS), Management VLAN (switch and router management traffic), Native VLAN (untagged traffic on trunk ports).
Access ports connect end devices (PCs, printers, phones) and carry traffic for a single VLAN. The port is untagged — the device doesn't know it's on a VLAN. When a frame arrives on an access port, the switch adds the 802.1Q VLAN tag internally. When forwarding to an access port, the tag is stripped.
Voice VLANs: IP phones often connect to a switch port with both data and voice VLANs — the phone is on the voice VLAN while a connected PC uses the data VLAN through the phone's built-in switch. The switch port uses auxiliary VLAN configuration to support both simultaneously.
Trunk ports carry multiple VLANs between switches, between switches and routers, or between switches and servers. Frames on a trunk port include an 802.1Q tag (4 bytes added to the Ethernet header) containing the VLAN ID (12-bit field — supports VLANs 1–4094). The receiving device uses the VLAN tag to identify which VLAN the frame belongs to.
Native VLAN on trunk ports: frames from the native VLAN are sent untagged on the trunk. If a switch receives an untagged frame on a trunk, it assigns it to the native VLAN. Default native VLAN is VLAN 1 — change it as a security best practice. Both ends of a trunk must agree on the native VLAN, or native VLAN mismatch causes connectivity and security issues.
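The tag layout and the native VLAN rule above, as an added example that is not part of the original study guide: it builds and decodes the 4-byte 802.1Q tag (TPID 0x8100, then a 16-bit TCI holding the 3-bit PCP, 1-bit DEI and 12-bit VLAN ID) and models how a receiving trunk assigns untagged frames to its native VLAN, including the mismatch case where one side's native VLAN 10 lands in the other side's VLAN 1. The MAC addresses and frames are constructed; the function names are this example's own.

```python
# Added example: decode 802.1Q tags and model how a trunk port assigns VLANs.
# Frames below are constructed for illustration; MAC addresses are placeholders.
import struct
from typing import Optional

TPID_8021Q = 0x8100                    # EtherType value announcing an 802.1Q tag
DST = bytes.fromhex("ffffffffffff")    # constructed broadcast destination MAC
SRC = bytes.fromhex("020000000001")    # constructed locally administered source MAC

def build_frame(ethertype: int, payload: bytes, vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame, inserting the 4-byte 802.1Q tag when vlan_id is given."""
    if vlan_id is None:                # untagged: as sent by an access port or for the native VLAN
        return DST + SRC + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094 (12-bit field; 0 and 4095 are reserved)")
    tci = (pcp << 13) | vlan_id        # TCI = PCP(3 bits) | DEI(1 bit, 0 here) | VID(12 bits)
    return DST + SRC + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_tag(frame: bytes) -> dict:
    """Return the tag fields of a frame, or tagged=False when no 802.1Q tag is present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid_or_type,) = struct.unpack("!H", frame[12:14])
    if tpid_or_type != TPID_8021Q:
        return {"tagged": False, "vlan_id": None, "pcp": None, "ethertype": tpid_or_type}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"tagged": True, "vlan_id": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": ethertype}

def classify_on_trunk(frame: bytes, native_vlan: int, allowed: set) -> Optional[int]:
    """VLAN the receiving trunk assigns: the tag's VID if tagged, else the port's
    native VLAN. Returns None when that VLAN is not allowed on the trunk (frame dropped)."""
    info = parse_tag(frame)
    vid = info["vlan_id"] if info["tagged"] else native_vlan
    return vid if vid in allowed else None

def native_vlan_mismatch(native_a: int, native_b: int) -> bool:
    """True when the two ends of a trunk disagree on the native VLAN."""
    return native_a != native_b

if __name__ == "__main__":
    tagged = build_frame(0x0800, b"ip", vlan_id=20, pcp=5)
    print(parse_tag(tagged))
    # Switch A (native VLAN 10) sends VLAN 10 frames untagged; Switch B (native
    # VLAN 1) has no tag to go on and places them in VLAN 1: the mismatch in the text.
    untagged = build_frame(0x0800, b"ip")
    print(classify_on_trunk(untagged, native_vlan=1, allowed={1, 10, 20, 30}))
    print(native_vlan_mismatch(10, 1))
```

Changing both trunk ends to the same unused native VLAN, as the text recommends, makes `native_vlan_mismatch` return False and keeps untagged frames from crossing into a VLAN that carries user traffic.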
Since VLANs are separate broadcast domains, routing between them requires Layer 3. Three methods: (1) Router-on-a-stick: a single router interface with 802.1Q subinterfaces, one per VLAN. The trunk port connects to the router which routes between VLANs. Simple but the single trunk link is a bottleneck. (2) Layer 3 switch with SVIs: a multilayer switch creates a virtual interface (SVI — Switch Virtual Interface) for each VLAN and routes between them at wire speed. Most common in modern enterprise. (3) Separate router interface per VLAN: one physical interface per VLAN on the router — limited by the number of interfaces, not scalable.
VLAN management: VLANs can be configured locally on each switch or distributed via VTP (VLAN Trunking Protocol) in Cisco environments. VTP allows VLAN database synchronization across multiple switches — VTP server pushes VLAN information to VTP clients. VTP transparent mode does not participate in VTP but forwards VTP messages.
Misconception: VLANs provide routing between networks.
Correction: VLANs create separate Layer 2 segments; routing between VLANs requires a router or Layer 3 switch. VLANs segment at Layer 2, and routing happens at Layer 3.
Misconception: Native VLAN traffic is always secure.
Correction: Traffic on the native VLAN is sent untagged on trunk ports, and VLAN hopping attacks exploit native VLAN mismatches to inject traffic into other VLANs. Always change the native VLAN from VLAN 1 and ensure it is consistent across trunk links.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
A network administrator connects two switches with a link that must carry traffic for VLANs 10, 20, and 30. How should the inter-switch link be configured?
Explanation: A trunk port with 802.1Q tagging allows a single physical link to carry traffic for multiple VLANs simultaneously. Each frame is tagged with its VLAN ID. Three separate access ports would require three physical cables — impractical and wasteful. An access port on VLAN 1 would only carry one VLAN.
A native VLAN mismatch occurs when the two ends of a trunk port are configured with different native VLANs. Frames sent untagged by Switch A (native VLAN 10) arrive at Switch B and are placed into Switch B's native VLAN (VLAN 1). This cross-VLAN frame delivery breaks connectivity and creates a security vulnerability where traffic from one VLAN can leak into another.