
VLAN Implementation for CompTIA Network+ N10-009

VLAN implementation is a core Network+ N10-009 topic spanning both networking concepts and implementation domains. You must understand how VLANs are created, how access and trunk ports work, how inter-VLAN routing is achieved, and common VLAN security concerns. Network+ tests the conceptual understanding of VLAN design and operation, not CLI syntax — though understanding the configuration intent helps answer scenario questions.


VLAN Design and Access Ports

VLANs logically segment a physical switch into multiple broadcast domains using IEEE 802.1Q tagging. Each VLAN is a separate Layer 2 network — devices in different VLANs cannot communicate without a router or Layer 3 switch. Common VLAN designs: Data VLAN (user workstations), Voice VLAN (VoIP phones — separate for QoS), Management VLAN (switch and router management traffic), Native VLAN (untagged traffic on trunk ports).

Access ports connect end devices (PCs, printers, phones) and carry traffic for a single VLAN. The port is untagged — the device doesn't know it's on a VLAN. When a frame arrives on an access port, the switch adds the 802.1Q VLAN tag internally. When forwarding to an access port, the tag is stripped.

Voice VLANs: IP phones often connect to a switch port with both data and voice VLANs — the phone is on the voice VLAN while a connected PC uses the data VLAN through the phone's built-in switch. The switch port uses auxiliary VLAN configuration to support both simultaneously.

Trunk Ports and 802.1Q Tagging

Trunk ports carry multiple VLANs between switches, between switches and routers, or between switches and servers. Frames on a trunk port include an 802.1Q tag (4 bytes added to the Ethernet header) containing the VLAN ID (12-bit field — supports VLANs 1–4094). The receiving device uses the VLAN tag to identify which VLAN the frame belongs to.

Native VLAN on trunk ports: frames from the native VLAN are sent untagged on the trunk. If a switch receives an untagged frame on a trunk, it assigns it to the native VLAN. Default native VLAN is VLAN 1 — change it as a security best practice. Both ends of a trunk must agree on the native VLAN, or native VLAN mismatch causes connectivity and security issues.

Inter-VLAN Routing

Since VLANs are separate broadcast domains, routing between them requires Layer 3. Three methods:

  • Router-on-a-stick: a single router interface with 802.1Q subinterfaces, one per VLAN. The trunk port connects to the router, which routes between VLANs. Simple, but the single trunk link is a bottleneck.
  • Layer 3 switch with SVIs: a multilayer switch creates a virtual interface (SVI — Switch Virtual Interface) for each VLAN and routes between them at wire speed. Most common in modern enterprise networks.
  • Separate router interface per VLAN: one physical interface per VLAN on the router — limited by the number of interfaces, not scalable.
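The following is an added illustration, not part of the original study guide: a small Python model of a multilayer switch that forwards at Layer 2 inside a VLAN and only crosses VLAN boundaries through an SVI. The class name, the two-VLAN topology and all addresses (10.0.10.0/24 for VLAN 10, 10.0.20.0/24 for VLAN 20) are constructed for the example; the same decision logic applies to router-on-a-stick, where the gateway is a subinterface instead of an SVI.

```python
import ipaddress
from typing import Dict, Optional, Tuple


class MultilayerSwitch:
    """Toy Layer 3 switch: Layer 2 forwarding within a VLAN, Layer 3 routing between SVIs.

    Hosts are tracked as ip -> (vlan_id, interface); each SVI is the default gateway of its VLAN.
    Hypothetical model written for this example, not a vendor API.
    """

    def __init__(self, ip_routing: bool):
        self.ip_routing = ip_routing   # False models a plain Layer 2 switch with no routing
        self.svis: Dict[int, ipaddress.IPv4Interface] = {}
        self.hosts: Dict[ipaddress.IPv4Address, Tuple[int, ipaddress.IPv4Interface]] = {}

    def add_svi(self, vlan_id: int, cidr: str) -> None:
        """Create the switch virtual interface for a VLAN, e.g. add_svi(10, '10.0.10.1/24')."""
        self.svis[vlan_id] = ipaddress.IPv4Interface(cidr)

    def attach_host(self, cidr: str, vlan_id: int) -> None:
        """Place a host (address/prefix) on an access port that belongs to vlan_id."""
        iface = ipaddress.IPv4Interface(cidr)
        self.hosts[iface.ip] = (vlan_id, iface)

    def deliver(self, src_ip: str, dst_ip: str) -> str:
        """Path an IP packet takes: 'L2', 'routed vlanX->vlanY', or 'dropped'."""
        src_vlan, src_if = self.hosts[ipaddress.IPv4Address(src_ip)]
        dst = ipaddress.IPv4Address(dst_ip)
        if dst in src_if.network:
            # Same subnet: the host ARPs for dst directly, so the frame stays in the
            # sender's broadcast domain and only reaches hosts in the same VLAN.
            dst_entry: Optional[Tuple[int, ipaddress.IPv4Interface]] = self.hosts.get(dst)
            return "L2" if dst_entry and dst_entry[0] == src_vlan else "dropped"
        # Different subnet: the host forwards to its default gateway, the SVI of its own VLAN.
        if not self.ip_routing or src_vlan not in self.svis:
            return "dropped"        # no Layer 3 hop exists; the broadcast domains stay isolated
        for vlan_id, svi in self.svis.items():
            if dst in svi.network:
                dst_entry = self.hosts.get(dst)
                if dst_entry and dst_entry[0] == vlan_id:
                    return f"routed vlan{src_vlan}->vlan{vlan_id}"
                return "dropped"    # right subnet, but no such host on that VLAN
        return "dropped"            # no connected subnet matches (no default route in this model)


def build_campus(ip_routing: bool) -> MultilayerSwitch:
    """Constructed topology: data VLAN 10 and voice VLAN 20, plus one host plugged into the wrong VLAN."""
    sw = MultilayerSwitch(ip_routing)
    sw.add_svi(10, "10.0.10.1/24")
    sw.add_svi(20, "10.0.20.1/24")
    sw.attach_host("10.0.10.50/24", 10)
    sw.attach_host("10.0.10.51/24", 10)
    sw.attach_host("10.0.20.50/24", 20)
    sw.attach_host("10.0.10.99/24", 20)   # addressed for VLAN 10 but on a VLAN 20 access port
    return sw


if __name__ == "__main__":
    l2_only, l3 = build_campus(ip_routing=False), build_campus(ip_routing=True)
    print("same VLAN, no routing:", l2_only.deliver("10.0.10.50", "10.0.10.51"))
    print("cross VLAN, no routing:", l2_only.deliver("10.0.10.50", "10.0.20.50"))
    print("cross VLAN, SVIs:", l3.deliver("10.0.10.50", "10.0.20.50"))
    print("same subnet, wrong VLAN:", l3.deliver("10.0.10.50", "10.0.10.99"))
```

The misplaced host (10.0.10.99 on a VLAN 20 port) shows the point the exam trap is built on: sharing a subnet address range does not put two devices in the same broadcast domain; VLAN membership does, and a Layer 3 hop is the only way across.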

VLAN management: VLANs can be configured locally on each switch or distributed via VTP (VLAN Trunking Protocol) in Cisco environments. VTP allows VLAN database synchronization across multiple switches — VTP server pushes VLAN information to VTP clients. VTP transparent mode does not participate in VTP but forwards VTP messages.

Key exam facts — Network+

  • Access ports: single VLAN, untagged — for end devices
  • Trunk ports: multiple VLANs, 802.1Q tagged — between switches/routers
  • Native VLAN: untagged VLAN on trunk — change from default VLAN 1
  • Inter-VLAN routing: router-on-a-stick (subinterfaces) or Layer 3 switch (SVIs)
  • VLANs separate broadcast domains — devices in different VLANs cannot communicate without routing
  • Voice VLAN: separate VLAN for VoIP phones — enables QoS differentiation
  • 802.1Q tag = 4 bytes; 12-bit VLAN ID field supports VLANs 1–4094

Common exam traps

VLANs provide routing between networks

VLANs create separate Layer 2 segments — routing between VLANs requires a router or Layer 3 switch. VLANs segment at Layer 2; routing happens at Layer 3.

Native VLAN traffic is always secure

Traffic on the native VLAN is sent untagged on trunk ports — VLAN hopping attacks exploit native VLAN mismatches to inject traffic into other VLANs. Always change the native VLAN from VLAN 1 and ensure it is consistent across trunk links.

Practice questions — VLAN Implementation

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A network administrator connects two switches with a link that must carry traffic for VLANs 10, 20, and 30. How should the inter-switch link be configured?

A. As three separate access ports, one per VLAN
B. As a trunk port with 802.1Q tagging
C. As an access port on VLAN 1
D. Using a crossover cable with no special configuration

Explanation: A trunk port with 802.1Q tagging allows a single physical link to carry traffic for multiple VLANs simultaneously. Each frame is tagged with its VLAN ID. Three separate access ports would require three physical cables — impractical and wasteful. An access port on VLAN 1 would only carry one VLAN.

Frequently asked questions — VLAN Implementation

What is a native VLAN mismatch and how does it cause problems?

A native VLAN mismatch occurs when the two ends of a trunk link are configured with different native VLANs. Frames sent untagged by Switch A (native VLAN 10) arrive at Switch B and are placed into Switch B's native VLAN (VLAN 1). This cross-VLAN frame delivery breaks connectivity and creates a security vulnerability where traffic from one VLAN can leak into another.
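The 802.1Q tag described in the trunk port section and the native VLAN mismatch described in this answer, as an added Python example that is not part of the original study guide. It builds and parses the 4-byte tag (TPID 0x8100 followed by the TCI with its 12-bit VID), models what an access port and a trunk port do on ingress and egress, and then sends one frame across a trunk whose two ends disagree on the native VLAN. The Port class, the helper names and the MAC addresses are constructed for the example; the tag layout and the 1–4094 usable range are from the standard.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100      # 802.1Q Tag Protocol Identifier, sits where the EtherType normally is
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses (locally administered, not from any real device)
HOST_A_MAC = bytes.fromhex("0200000000aa")
HOST_B_MAC = bytes.fromhex("0200000000bb")


def is_valid_vlan_id(vid: int) -> bool:
    """The 12-bit VID field can hold 0-4095, but 0 and 4095 are reserved: usable VLANs are 1-4094."""
    return 1 <= vid <= 4094


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; when vlan_id is given, a 4-byte 802.1Q tag is inserted after the source MAC."""
    tag = b""
    if vlan_id is not None:
        if not is_valid_vlan_id(vlan_id):
            raise ValueError(f"VLAN ID {vlan_id} outside 1-4094")
        tci = (pcp << 13) | vlan_id               # TCI: 3-bit PCP | 1-bit DEI (0 here) | 12-bit VID
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header; 'vlan' is None when the frame carries no 802.1Q tag."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, body_start = None, 14
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        vlan_id = tci & 0x0FFF                    # low 12 bits of the TCI are the VID
        (ethertype,) = struct.unpack("!H", frame[16:18])
        body_start = 18
    return {"dst": dst, "src": src, "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[body_start:]}


class Port:
    """Switch port: 'access' (one untagged VLAN) or 'trunk' (tagged VLANs, native VLAN untagged)."""
    def __init__(self, mode: str, vlan: int = 1, native: int = 1):
        self.mode, self.vlan, self.native = mode, vlan, native


def ingress_vlan(port: Port, frame: bytes) -> Optional[int]:
    """VLAN the switch assigns to a frame arriving on `port` (None = frame discarded)."""
    tagged_vlan = parse_frame(frame)["vlan"]
    if port.mode == "access":
        # Access ports expect untagged frames; a tagged frame is discarded in this simplified model.
        return None if tagged_vlan is not None else port.vlan
    # Trunk: the tag names the VLAN; an untagged frame is assumed to belong to the native VLAN.
    return tagged_vlan if tagged_vlan is not None else port.native


def egress_frame(port: Port, vlan_id: int, frame: bytes) -> Optional[bytes]:
    """Wire format of a frame the switch holds in `vlan_id` when it leaves through `port`."""
    p = parse_frame(frame)
    untagged = build_frame(p["dst"], p["src"], p["ethertype"], p["payload"])
    if port.mode == "access":
        return untagged if vlan_id == port.vlan else None   # tag stripped; other VLANs never exit here
    if vlan_id == port.native:
        return untagged                                     # native VLAN crosses the trunk untagged
    return build_frame(p["dst"], p["src"], p["ethertype"], p["payload"], vlan_id=vlan_id)


def trunk_crossing(native_a: int, native_b: int, vlan_id: int) -> Optional[int]:
    """VLAN that switch B assigns to a frame switch A sends across the trunk in vlan_id."""
    a_trunk, b_trunk = Port("trunk", native=native_a), Port("trunk", native=native_b)
    frame = build_frame(HOST_B_MAC, HOST_A_MAC, ETHERTYPE_IPV4, b"constructed payload")
    wire = egress_frame(a_trunk, vlan_id, frame)
    return ingress_vlan(b_trunk, wire)


if __name__ == "__main__":
    print("matching natives, VLAN 10 ->", trunk_crossing(10, 10, 10))       # 10
    print("mismatch A=10 B=1, VLAN 10 ->", trunk_crossing(10, 1, 10))       # 1: leaked into VLAN 1
    print("tagged VLAN 20 unaffected ->", trunk_crossing(10, 1, 20))        # 20
```

Only the native VLAN is exposed to the mismatch: VLAN 20 carries its tag across the trunk and is classified correctly at both ends, while the untagged VLAN 10 frame is silently re-homed into Switch B's VLAN 1. That is why the guide recommends moving the native VLAN off VLAN 1 and keeping it identical on both ends of every trunk; a quick check in practice is to compare the native VLAN reported by each switch for the same link.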
