Without VLANs, every device on a switch is in the same broadcast domain. A single broadcast from a printer reaches every workstation, every IP phone, and every server on the floor. VLANs let you carve a single physical switch into multiple logical networks. Devices in VLAN 10 cannot see broadcasts from VLAN 20 unless a router carries the traffic between them. This is fundamental to how modern networks are designed, and the CCNA exam tests both the concept and the configuration with questions about trunk links, native VLANs, and inter-VLAN routing.
A VLAN is a logical grouping of switch ports that share a broadcast domain. Ports assigned to the same VLAN act as if they are on the same physical switch, even if they span multiple physical switches. Ports in different VLANs cannot exchange frames directly. Only a Layer 3 device, a router or a multilayer switch, can carry traffic between VLANs.
Access ports carry traffic for a single VLAN. When a PC is plugged into an access port, frames arrive and leave untagged. The switch handles the VLAN assignment internally. The connected device has no idea it is on a VLAN. This is the normal configuration for workstations, printers, and IP phones.
VLANs are configured locally on each switch and must be created consistently across all switches in the network. The VLAN Trunking Protocol (VTP) can automate this propagation in Cisco environments, but it can also accidentally wipe VLAN databases if a switch with a higher revision number is added to the network. Many engineers use VTP transparent mode or simply configure VLANs manually.
A trunk link carries traffic for multiple VLANs between switches. When a switch sends a frame across a trunk, it inserts a 4-byte 802.1Q tag into the Ethernet frame that identifies which VLAN the frame belongs to. The receiving switch reads the tag, removes it, and forwards the frame out the correct access port for that VLAN.
The native VLAN is the one VLAN on a trunk that is not tagged. Frames arriving untagged on a trunk port are assumed to belong to the native VLAN. The default native VLAN is VLAN 1 on Cisco switches, and it must match on both ends of the trunk. A native VLAN mismatch causes CDP warnings and can result in traffic being placed in the wrong VLAN, which is a security risk.
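To make the tagging rules concrete, here is an added Python model of a trunk (example code written for this page, not from any switch vendor): it inserts and strips the 4-byte 802.1Q tag and shows that a native VLAN mismatch silently moves untagged frames into another VLAN while tagged frames are unaffected. The sample frame and the function names are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks a frame as 802.1Q tagged

def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the destination and source MACs."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    # Tag Control Information: 3-bit priority (PCP), 1-bit DEI (0), 12-bit VLAN ID
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes):
    """Return (vlan_id, frame_without_tag); vlan_id is None for an untagged frame."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0xFFF, frame[:12] + frame[16:]
    return None, frame

def send_on_trunk(frame: bytes, vlan_id: int, native_vlan: int) -> bytes:
    """Sending switch: the native VLAN leaves untagged, every other VLAN is tagged."""
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)

def receive_on_trunk(wire: bytes, native_vlan: int):
    """Receiving switch: an untagged frame is assumed to belong to the native VLAN."""
    vid, frame = untag_frame(wire)
    return (native_vlan if vid is None else vid), frame

# Constructed sample frame: broadcast dst MAC, src MAC, EtherType IPv4, short payload.
SAMPLE = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"hello"

def deliver(vlan_id: int, native_a: int, native_b: int) -> int:
    """VLAN that switch B assigns to a frame switch A sent from vlan_id over the trunk."""
    vid, _ = receive_on_trunk(send_on_trunk(SAMPLE, vlan_id, native_a), native_b)
    return vid

if __name__ == "__main__":
    print("tag overhead:", len(tag_frame(SAMPLE, 10)) - len(SAMPLE), "bytes")
    print("matched native (1/1): VLAN 1 frame lands in VLAN", deliver(1, 1, 1))
    print("mismatched native (1/99): VLAN 1 frame lands in VLAN", deliver(1, 1, 99))
    print("tagged VLAN 10 frame unaffected by the mismatch, lands in VLAN", deliver(10, 1, 99))
```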
The allowed VLANs list on a trunk controls which VLANs are permitted to traverse that link. By default, all active VLANs are allowed. Restricting this list improves security and reduces unnecessary broadcast traffic crossing trunk links that connect to areas where those VLANs have no presence.
Since VLANs are separate broadcast domains, a Layer 3 device is needed to move traffic between them. Router-on-a-stick uses a single router interface with subinterfaces, one per VLAN, each tagged for its VLAN. Traffic from VLAN 10 that needs to reach VLAN 20 goes up to the router on one subinterface and comes back down on another. It works, but the single physical trunk link becomes a bottleneck for all inter-VLAN traffic.
A multilayer switch (Layer 3 switch) is the better solution for campus networks. Each VLAN gets a Switched Virtual Interface (SVI), which is a virtual Layer 3 interface on the switch itself. The switch routes between VLANs internally at wire speed without the traffic having to leave the chassis.
Access port vs trunk port: end device (PC, printer, phone) = access port, one VLAN, no tagging. Switch-to-switch or switch-to-router link carrying multiple VLANs = trunk port, 802.1Q tagging.
Native VLAN mismatch: both ends must use the same native VLAN or traffic gets placed in the wrong VLAN. Check with 'show interfaces trunk'.
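The check above can be automated when you have 'show interfaces trunk' output from both ends of a link. The following Python is an added example (not part of this page or of any Cisco tool): it parses the native-VLAN and allowed-VLAN tables, flags a native VLAN mismatch, flags allowed lists that differ, and flags a trunk still on the allow-all default. The two switch outputs are constructed samples in the layout of the real command.

```python
ALL_VLANS = set(range(1, 4095))  # what the IOS default allowed list '1-4094' expands to

def expand_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '1,10-12,99' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk_output(text: str) -> dict:
    """Read the native-VLAN and 'Vlans allowed on trunk' tables of 'show interfaces trunk'."""
    ports, section = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # a header row tells us which table follows
            section = "native" if "Native" in line else ("allowed" if "allowed on trunk" in line else None)
        elif section == "native" and len(fields) == 5:
            ports.setdefault(fields[0], {})["native"] = int(fields[4])
        elif section == "allowed" and len(fields) == 2:
            ports.setdefault(fields[0], {})["allowed"] = expand_vlan_list(fields[1])
    return ports

def check_trunk(a: dict, a_port: str, b: dict, b_port: str) -> list:
    """Compare both ends of one trunk; an empty list means the ends agree."""
    pa, pb = a[a_port], b[b_port]
    findings = []
    if pa["native"] != pb["native"]:
        findings.append(f"native VLAN mismatch: {pa['native']} vs {pb['native']}")
    if pa["allowed"] != pb["allowed"]:
        findings.append(f"allowed lists differ: {len(pa['allowed'] ^ pb['allowed'])} VLANs on one side only")
    if ALL_VLANS in (pa["allowed"], pb["allowed"]):
        findings.append("trunk allows all VLANs; restrict the list to the VLANs that must cross")
    return findings

# Constructed sample output in the layout of the first two tables of 'show interfaces trunk'.
SWITCH_A = """\
Port        Mode         Encapsulation  Status    Native vlan
Gi0/1       on           802.1q         trunking  1

Port        Vlans allowed on trunk
Gi0/1       1-4094
"""
SWITCH_B = """\
Port        Mode         Encapsulation  Status    Native vlan
Gi0/1       on           802.1q         trunking  99

Port        Vlans allowed on trunk
Gi0/1       10,20,99
"""
```

Running check_trunk(parse_trunk_output(SWITCH_A), "Gi0/1", parse_trunk_output(SWITCH_B), "Gi0/1") reports all three problems for the sample pair.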
| Attribute | Access port | Trunk port |
|---|---|---|
| VLANs carried | One | Multiple |
| Frame tagging | None (untagged) | 802.1Q tagged (native VLAN untagged) |
| Connected to | End hosts (PCs, phones) | Other switches, routers |
| Native VLAN applies? | No | Yes (untagged frames use native VLAN) |
Misconception: Devices in different VLANs on the same switch can communicate without a router.
Reality: VLANs are isolated Layer 2 broadcast domains. Communication between VLANs requires a Layer 3 device, either a router or a Layer 3 switch. No amount of switch configuration allows cross-VLAN Layer 2 forwarding.
Misconception: The native VLAN must always be VLAN 1.
Reality: The native VLAN can be changed to any VLAN. Best practice is to change it from the default VLAN 1 and use a dedicated, unused VLAN as the native VLAN. The critical requirement is that it matches on both ends of the trunk.
Misconception: 802.1Q tagging adds significant overhead to every frame.
Reality: The 802.1Q tag adds exactly 4 bytes to the Ethernet frame. This is negligible overhead and has no meaningful performance impact.
These questions are representative of what you will see on the CCNA and Network+ exams. The correct answer and explanation are shown immediately below each question.
A network administrator wants devices in VLAN 10 to communicate with devices in VLAN 20 on the same switch. What is required?
Explanation: VLANs are isolated Layer 2 broadcast domains. Communication between VLANs requires a Layer 3 routing function — either a router (with subinterfaces, 'router-on-a-stick') or a multilayer switch with SVIs. No switch-only configuration allows inter-VLAN forwarding.
A trunk link between two Cisco switches shows CDP warning messages about a native VLAN mismatch. Switch A uses VLAN 1 and Switch B uses VLAN 99 as native. What is the impact?
Explanation: A native VLAN mismatch causes untagged frames from one switch to be interpreted as belonging to a different VLAN on the other switch. A frame sent as native VLAN 1 on Switch A arrives untagged; Switch B places it in VLAN 99. This misroutes traffic and creates a security risk. The trunk link itself stays up but traffic is misdelivered.
Which command verifies which VLANs are allowed and active on a trunk link on a Cisco switch?
Explanation: 'show interfaces trunk' displays trunking interfaces, the encapsulation type (802.1Q), allowed VLANs, VLANs in spanning tree forwarding, and VLANs active in management domain. 'show vlan brief' shows VLANs and their assigned access ports but does not display trunk information.
A host connected to a switch access port sends a frame. How does the switch handle VLAN tagging for this frame?
Explanation: Access ports connect to end hosts that have no VLAN awareness. The host sends untagged frames. The switch handles VLAN internally — when forwarding out a trunk port, the switch adds the 802.1Q tag for the source VLAN. When receiving a tagged frame from a trunk and forwarding to an access port, the switch removes the tag.
What is the purpose of router-on-a-stick inter-VLAN routing?
Explanation: Router-on-a-stick uses a single physical interface on a router connected to a trunk port. The router interface is divided into subinterfaces — one per VLAN — each configured with an IP address for that VLAN's gateway and tagged with the VLAN ID. Traffic arriving from VLAN 10 on one subinterface is routed out through another subinterface toward VLAN 20.
A VLAN (Virtual Local Area Network) is a logical grouping of switch ports that share a broadcast domain, regardless of physical location. VLANs are used to separate traffic between departments (HR vs Engineering), isolate sensitive devices, reduce broadcast domain size, and improve security. Devices in different VLANs cannot communicate at Layer 2 — a router or Layer 3 switch is required.
An access port carries traffic for exactly one VLAN and connects to end hosts (PCs, printers, IP phones). Frames are untagged going to and from end hosts. A trunk port carries traffic for multiple VLANs between switches or to a router. Frames are tagged with 802.1Q VLAN identifiers on trunk links, except for the native VLAN which remains untagged.
The native VLAN is the single VLAN on a trunk whose frames travel untagged. When a switch receives an untagged frame on a trunk port, it assigns the frame to the native VLAN. If the two switches have different native VLANs configured, untagged frames will be placed in the wrong VLAN on the receiving switch, causing traffic misdelivery and a potential security hole (VLAN hopping). Cisco default native VLAN is 1; best practice is to change it to an unused VLAN.
Router-on-a-stick uses a physical router with one trunk link and multiple subinterfaces (one per VLAN). It's simple to implement but the single physical link becomes a bottleneck for all inter-VLAN traffic. An SVI (Switched Virtual Interface) on a Layer 3 switch is a virtual interface representing a VLAN. The switch routes between SVIs internally at hardware speed, making it far more scalable and performant for campus networks.
Both exams test VLAN concepts and configuration. CCNA covers access port configuration, trunk port configuration (802.1Q, native VLAN), inter-VLAN routing (router-on-a-stick and SVIs), VTP modes, and troubleshooting. Expect questions about identifying why two hosts can't communicate (missing VLAN, wrong access port assignment, native VLAN mismatch) and inter-VLAN routing configuration.