
CCNA VLAN Types: Access Ports, Trunk Ports, Voice VLANs & Native VLAN

VLANs are one of the most heavily tested topics on the CCNA 200-301 exam. Virtual LANs partition a single physical switch into multiple logical Layer 2 networks, separating broadcast domains, improving security, and enabling traffic segmentation. The exam tests access ports, trunk ports, the native VLAN, voice VLANs, and the default VLAN — along with common misconfigurations. This guide covers all of these with the exam-critical details.


What VLANs do and why they matter

A broadcast domain is a group of devices that receive each other's broadcast frames. On a flat network with no VLANs, every switch port is in the same broadcast domain — every broadcast reaches every device. As networks grow, this creates performance problems and security risks.

VLANs solve this by logically grouping ports into separate broadcast domains on the same physical switch. Ports in VLAN 10 only receive broadcasts from other VLAN 10 ports. Traffic between VLANs requires a router or Layer 3 switch — the VLAN boundary acts exactly like a router interface boundary.

Common VLAN designs: data VLAN for user workstations, voice VLAN for IP phones, management VLAN for switch management, native VLAN for untagged trunk traffic. Separating these prevents voice traffic from competing with data traffic, and keeps management access separate from user traffic.

Access ports and trunk ports

An access port belongs to exactly one VLAN and carries untagged frames. End devices (PCs, printers, IP phones in data mode) connect to access ports. The switch assigns all frames arriving on that port to the configured VLAN without adding any VLAN tag. When the switch sends frames out an access port, it strips the VLAN tag before forwarding.

A trunk port carries traffic from multiple VLANs simultaneously. Frames are tagged with an 802.1Q tag — a 4-byte header inserted into the Ethernet frame that identifies the VLAN (the 12-bit VLAN ID). Trunk ports connect switches to other switches, switches to routers (for router-on-a-stick), and switches to Layer 3 switches for inter-VLAN routing.

802.1Q trunk configuration on Cisco: `switchport mode trunk` sets the port to trunk mode. `switchport trunk allowed vlan` controls which VLANs are permitted on the trunk. Restricting allowed VLANs is a best practice — there's no reason for every VLAN to traverse every trunk.

DTP (Dynamic Trunking Protocol) is a Cisco proprietary protocol that can automatically negotiate trunk formation between switches. For security, disable DTP on ports connecting to end devices: `switchport nonegotiate` or `switchport mode access` prevents a rogue device from negotiating a trunk.

Native VLAN

The native VLAN is the VLAN assigned to untagged frames arriving on a trunk port. By default, the native VLAN is VLAN 1 on Cisco switches. If a switch receives an untagged frame on a trunk port, it assigns it to the native VLAN. When a switch sends frames from the native VLAN out a trunk port, it sends them untagged.

Native VLAN mismatch is a common misconfiguration: if one end of a trunk is configured with native VLAN 1 and the other end uses native VLAN 10, traffic gets placed in the wrong VLAN. CDP warnings about native VLAN mismatch appear in `show interfaces trunk` output and Syslog.

Security best practice: change the native VLAN from the default VLAN 1 to an unused VLAN, and avoid using that VLAN for any real traffic. This prevents VLAN hopping attacks where a crafted double-tagged frame can be forwarded into another VLAN via the native VLAN.
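Putting the access-port, trunk, DTP and native-VLAN recommendations from the two sections above into one Cisco IOS configuration. This is an added example, not configuration from the page; the VLAN numbers, interface names and descriptions are assumptions chosen for illustration.

```cisco
! Added example (not from the page). VLAN numbers, interface names
! and descriptions are illustrative assumptions.
vlan 10
 name DATA
vlan 99
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
! Weak (default) trunk: DTP negotiates the trunk, native VLAN stays 1,
! every VLAN is allowed. Shown for contrast only.
interface GigabitEthernet1/0/23
 switchport mode dynamic desirable
!
! Access port for an end device: one VLAN, untagged frames, no DTP.
interface GigabitEthernet1/0/1
 description User PC
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Hardened trunk: explicit trunk mode, DTP off, native VLAN moved from
! VLAN 1 to an unused VLAN that carries no real traffic, and only the
! VLANs that need to cross this link. On platforms that also support
! ISL, add "switchport trunk encapsulation dot1q" before "mode trunk".
interface GigabitEthernet1/0/24
 description Uplink to distribution switch
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,99
 switchport nonegotiate
```

Verify with `show interfaces trunk`, which lists each trunk's native VLAN and allowed VLANs so the two ends of a link can be compared, and `show interfaces GigabitEthernet1/0/1 switchport`, which shows the operational mode and whether trunk negotiation is off.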

Voice VLAN and the default VLAN

IP phones require special treatment: they need to be in a separate VLAN for QoS (voice traffic must be prioritized over data) and they connect to the same switch port as a PC (the phone has a built-in 3-port switch). Cisco switch ports solve this with a voice VLAN configuration.

When you configure `switchport voice vlan 10` on an access port, the port carries two VLANs: the access VLAN (for the PC connected through the phone) and the voice VLAN (for the phone itself). The phone tags its own voice traffic with VLAN 10; the PC's traffic remains untagged (access VLAN). The switch handles both simultaneously on one physical port.

The default VLAN is VLAN 1, which exists on all Cisco switches and cannot be deleted. All switch ports are in VLAN 1 by default. Best practice is to move all active devices off VLAN 1 and disable unused ports, leaving VLAN 1 as an empty administrative VLAN — this reduces attack surface.

VLAN normal range is 1–1005; extended range is 1006–4094. Extended VLANs are stored in the VLAN database in flash (vlan.dat) and require VTP version 3 or VTP transparent mode to use.
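The voice-VLAN port and the VLAN 1 cleanup described in this section, as an added Cisco IOS example that is not from the page. The VLAN numbers, interface names and the management address are assumptions chosen for illustration.

```cisco
! Added example (not from the page). VLAN numbers, interface names and
! the management address are illustrative assumptions.
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 99
 name MGMT
vlan 998
 name UNUSED-PARKING
!
! One physical port, two VLANs: the PC behind the phone sends untagged
! frames that land in access VLAN 10; the phone tags its own frames
! with voice VLAN 20 and the switch accepts them on the same port.
interface GigabitEthernet1/0/2
 description IP phone with PC daisy-chained
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
!
! Management on a non-default VLAN: leave VLAN 1 with no address and
! its SVI shut, and manage the switch through VLAN 99 instead.
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 description Switch management
 ip address 10.99.0.2 255.255.255.0
 no shutdown
!
! Unused ports: park them in a VLAN nothing else uses and shut them
! down, so VLAN 1 ends up with no active devices.
interface range GigabitEthernet1/0/3 - 12
 description Unused
 switchport mode access
 switchport access vlan 998
 shutdown
```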

Access port vs trunk port

Characteristic   | Access Port                            | Trunk Port
-----------------|----------------------------------------|--------------------------------------
VLANs carried    | One                                    | Multiple
Frame tagging    | Untagged (strip/add on ingress/egress) | 802.1Q tagged (except native VLAN)
Connected device | End host (PC, printer, phone)          | Switch, router, Layer 3 switch
Cisco command    | switchport mode access                 | switchport mode trunk
VLAN config      | switchport access vlan <id>            | switchport trunk allowed vlan <list>

Key exam facts — CCNA

  • Access port: one VLAN, untagged frames, for end devices
  • Trunk port: multiple VLANs, 802.1Q tagged (native VLAN is untagged)
  • Native VLAN default is VLAN 1 — change it to a non-default VLAN for security
  • Native VLAN mismatch on a trunk causes frames to land in the wrong VLAN
  • Voice VLAN: access port carries both data VLAN (untagged) and voice VLAN (tagged by IP phone)
  • VLAN 1 is the default VLAN — cannot be deleted; best practice is to move traffic off it

Common exam traps

Trunk ports only carry traffic for VLANs in the allowed list if they are tagged

The native VLAN traverses trunk ports untagged. All other VLANs must be tagged. If a VLAN is not in the allowed list, its traffic is dropped on that trunk regardless of tagging.

VLAN 1 should be used as the management VLAN

VLAN 1 is the default and is widely known. Using a different, non-default VLAN for management makes the management interface less obvious to attackers and reduces the risk of management traffic being mixed with user data.

A voice VLAN requires a separate physical port for the IP phone

The voice VLAN feature on a Cisco switch allows a single port to carry both the PC's data traffic (in the access VLAN, untagged) and the IP phone's voice traffic (in the voice VLAN, tagged by the phone) simultaneously.

Practice questions — VLAN Types

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1. Which port type carries traffic from multiple VLANs and uses 802.1Q tagging?

A. Access port
B. Trunk port
C. Voice port
D. PortFast port

Explanation: A trunk port carries multiple VLANs simultaneously using 802.1Q tags embedded in Ethernet frames to identify the VLAN. Access ports carry a single VLAN and use untagged frames.

Q2. A switch trunk port has native VLAN 1 on one end and native VLAN 100 on the other. What is the result?

A. The trunk does not form
B. Untagged frames from VLAN 1 on one side land in VLAN 100 on the other side
C. Both switches use VLAN 1 automatically
D. All frames are dropped until the mismatch is resolved

Explanation: A native VLAN mismatch causes untagged frames from the native VLAN on one side to be placed into the native VLAN of the other side. This can cause traffic to appear in unexpected VLANs. The trunk itself still forms, but traffic is mis-forwarded.

Q3. An IP phone is connected to a switch port configured with `switchport access vlan 10` and `switchport voice vlan 20`. Which VLAN carries the PC traffic connected through the phone?

A. VLAN 1 (default)
B. VLAN 10
C. VLAN 20
D. Both VLAN 10 and 20

Explanation: The access VLAN (VLAN 10) carries PC traffic arriving untagged through the phone's built-in switch. The voice VLAN (VLAN 20) carries the phone's own voice traffic, which the phone tags with VLAN 20.

Q4. Which Cisco command prevents a switch port from automatically negotiating a trunk with a connected device?

A. `switchport mode trunk`
B. `switchport nonegotiate`
C. `switchport trunk allowed vlan none`
D. `no switchport`

Explanation: `switchport nonegotiate` disables DTP (Dynamic Trunking Protocol), preventing the port from negotiating a trunk. This is a security best practice for access ports connecting to end devices.

Q5. What is the VLAN normal range on Cisco switches?

A. 1–512
B. 1–1005
C. 1–4094
D. 100–1000

Explanation: The normal VLAN range is 1–1005. VLANs 1006–4094 are the extended range, which requires VTP transparent mode or VTP version 3. VLAN 1 is the default and cannot be deleted.

Frequently asked questions — VLAN Types

What is the difference between an access port and a trunk port?

An access port belongs to one VLAN and carries untagged frames — used for end devices. A trunk port carries multiple VLANs simultaneously using 802.1Q tags — used for switch-to-switch and switch-to-router connections. The native VLAN on a trunk is the only VLAN that is untagged.

What is the native VLAN and why does it matter?

The native VLAN is the VLAN assigned to untagged frames received on a trunk port. By default it's VLAN 1. Mismatched native VLANs between trunk ends cause frames to land in the wrong VLAN. For security, change the native VLAN to an unused VLAN to prevent VLAN hopping attacks.

How does a voice VLAN work on a Cisco switch?

When you configure a voice VLAN on an access port, the port carries two VLANs: the access VLAN for the PC (untagged frames) and the voice VLAN for the IP phone (frames tagged by the phone with the voice VLAN ID). The switch handles QoS prioritization of the voice VLAN traffic automatically.

Can VLAN 1 be deleted on a Cisco switch?

No, VLAN 1 is the default VLAN and cannot be deleted on Cisco switches. Best practice is to move all active devices off VLAN 1 and use a different VLAN for data and management — this reduces VLAN 1 to an empty default VLAN with no active traffic.

What is DTP and should it be disabled?

DTP (Dynamic Trunking Protocol) is a Cisco protocol that allows switch ports to automatically negotiate whether to form a trunk. On ports connecting to end devices, DTP should be disabled with `switchport nonegotiate` and `switchport mode access` to prevent rogue devices from negotiating a trunk and potentially accessing all VLANs.
