
VLANs and Trunking Explained for CCNA and Network+

Without VLANs, every device on a switch is in the same broadcast domain. A single broadcast from a printer reaches every workstation, every IP phone, and every server on the floor. VLANs let you carve a single physical switch into multiple logical networks. Devices in VLAN 10 cannot see broadcasts from VLAN 20 unless a router carries the traffic between them. This is fundamental to how modern networks are designed, and the CCNA exam tests both the concept and the configuration with questions about trunk links, native VLANs, and inter-VLAN routing.

8 min read · 3 sections · 7 exam key points · 5 practice questions

VLANs and access ports

A VLAN is a logical grouping of switch ports that share a broadcast domain. Ports assigned to the same VLAN act as if they are on the same physical switch, even if they span multiple physical switches. Ports in different VLANs cannot exchange frames directly. Only a Layer 3 device, a router or a multilayer switch, can carry traffic between VLANs.

Access ports carry traffic for a single VLAN. When a PC is plugged into an access port, frames arrive and leave untagged. The switch handles the VLAN assignment internally. The connected device has no idea it is on a VLAN. This is the normal configuration for workstations, printers, and IP phones.

VLANs are configured locally on each switch and must be created consistently across all switches in the network. The VLAN Trunking Protocol (VTP) can automate this propagation in Cisco environments, but it can also accidentally wipe VLAN databases if a switch with a higher revision number is added to the network. Many engineers use VTP transparent mode or simply configure VLANs manually.

Trunk links and 802.1Q tagging

A trunk link carries traffic for multiple VLANs between switches. When a switch sends a frame across a trunk, it inserts a 4-byte 802.1Q tag into the Ethernet frame that identifies which VLAN the frame belongs to. The receiving switch reads the tag, removes it, and forwards the frame out the correct access port for that VLAN.

The native VLAN is the one VLAN on a trunk that is not tagged. Frames arriving untagged on a trunk port are assumed to belong to the native VLAN. The default native VLAN is VLAN 1 on Cisco switches, and it must match on both ends of the trunk. A native VLAN mismatch causes CDP warnings and can result in traffic being placed in the wrong VLAN, which is a security risk.

The allowed VLANs list on a trunk controls which VLANs are permitted to traverse that link. By default, all active VLANs are allowed. Restricting this list improves security and reduces unnecessary broadcast traffic crossing trunk links that connect to areas where those VLANs have no presence.
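To make the tagging mechanics concrete, here is an added Python model (not code from this page or from any switch vendor) of what a switch does at each end of an 802.1Q trunk: insert or strip the 4-byte tag, send the native VLAN untagged, drop VLANs outside the allowed list, and classify untagged arrivals as the receiver's native VLAN. The frame bytes, MAC addresses, VLAN numbers and allowed list are constructed sample values. Running it shows why a native VLAN mismatch (VLAN 1 on one end, VLAN 99 on the other) silently moves traffic into the wrong VLAN while the trunk stays up.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks the start of an 802.1Q tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame (FCS omitted): dst(6) src(6) EtherType(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the source MAC and the EtherType.
    Tag = TPID 0x8100 followed by TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def is_tagged(frame: bytes) -> bool:
    """True when the two bytes after the source MAC are the 802.1Q TPID."""
    return struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def untag_frame(frame: bytes):
    """Remove the tag; return (vid, untagged frame)."""
    if not is_tagged(frame):
        raise ValueError("frame carries no 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def trunk_egress(frame: bytes, vid: int, native_vlan: int, allowed: set):
    """Sending side: VLANs outside the allowed list never leave; the native
    VLAN leaves untagged; every other VLAN gets a tag. None means dropped."""
    if vid not in allowed:
        return None
    if vid == native_vlan:
        return frame
    return tag_frame(frame, vid)


def trunk_ingress(frame: bytes, native_vlan: int, allowed: set):
    """Receiving side: a tagged frame belongs to the VID in its tag; an untagged
    frame is assumed to belong to the receiver's native VLAN."""
    if is_tagged(frame):
        vid, frame = untag_frame(frame)
    else:
        vid = native_vlan
    if vid not in allowed:
        return None
    return vid, frame


def deliver_over_trunk(frame, vid, tx_native, rx_native, allowed):
    """Egress on one switch, then ingress on its neighbour; None means dropped."""
    on_wire = trunk_egress(frame, vid, tx_native, allowed)
    if on_wire is None:
        return None
    return trunk_ingress(on_wire, rx_native, allowed)


def demo() -> dict:
    # Constructed sample frame: a broadcast ARP request from a host (addresses made up).
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x0a", 0x0806, b"\x00" * 28)
    allowed = {1, 10, 20, 99}
    return {
        # Native VLAN 99 on both ends: VLAN 10 travels tagged and arrives in VLAN 10.
        "matched_vlan10": deliver_over_trunk(frame, 10, 99, 99, allowed)[0],
        # Mismatch (Switch A native 1, Switch B native 99): VLAN 1 leaves A untagged,
        # so B files it under its own native VLAN, 99.
        "mismatch_vlan1_lands_in": deliver_over_trunk(frame, 1, 1, 99, allowed)[0],
        # VLAN 30 is not in the allowed list, so it never crosses the trunk.
        "vlan30_crosses": deliver_over_trunk(frame, 30, 99, 99, allowed) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model deliberately keeps the allowed list identical on both ends; in practice each switch filters with its own list, which is one more thing that must agree across the link.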

Inter-VLAN routing and how to choose the correct answer

Since VLANs are separate broadcast domains, a Layer 3 device is needed to move traffic between them. Router-on-a-stick uses a single router interface with subinterfaces, one per VLAN, each tagged for its VLAN. Traffic from VLAN 10 that needs to reach VLAN 20 goes up to the router on one subinterface and comes back down on another. It works but the physical trunk link becomes a bottleneck for all inter-VLAN traffic.

A multilayer switch (Layer 3 switch) is the better solution for campus networks. Each VLAN gets a Switched Virtual Interface (SVI), which is a virtual Layer 3 interface on the switch itself. The switch routes between VLANs internally at wire speed without the traffic having to leave the chassis.

Access port vs trunk port: end device (PC, printer, phone) = access port, one VLAN, no tagging. Switch-to-switch or switch-to-router link carrying multiple VLANs = trunk port, 802.1Q tagging.

Native VLAN mismatch: both ends must use the same native VLAN or traffic gets placed in the wrong VLAN. Check with 'show interfaces trunk'.
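Since the check above (and the Q3 explanation later on this page) points at 'show interfaces trunk', here is an added Python script, not code from this page or from Cisco, that parses that command's output from both ends of a trunk and reports the misconfigurations this section warns about: a native VLAN mismatch, a native VLAN left at the default VLAN 1, and an allowed list that admits every VLAN or differs between the two ends. The two output samples, the hostnames and the port names are constructed for illustration; the column layout follows the headings the Q3 explanation lists.

```python
ALL_VLANS = set(range(1, 4095))

# Constructed sample output for the two ends of one trunk (hostnames, ports and
# VLAN numbers are made up for illustration).
SHOW_TRUNK_A = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/24      1-4094

Port        Vlans allowed and active in management domain
Gi0/24      1,10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      1,10,20,99
"""

SHOW_TRUNK_B = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       10,20,99

Port        Vlans allowed and active in management domain
Gi0/1       10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20,99
"""


def expand_vlan_list(spec: str) -> set:
    """'1,10-20,99' -> {1, 10, 11, ..., 20, 99}; 'none' -> empty set."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_interfaces_trunk(output: str) -> dict:
    """Return {port: {mode, encapsulation, status, native, allowed}} from the
    first two blocks of 'show interfaces trunk'; the other blocks are skipped."""
    trunks, section = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):          # a column-heading line opens a new block
            header = line.lower()
            if "native vlan" in header:
                section = "summary"
            elif "allowed on trunk" in header:
                section = "allowed"
            else:
                section = None
            continue
        fields = line.split()
        port = fields[0]
        if section == "summary":
            trunks[port] = {"mode": fields[1], "encapsulation": fields[2],
                            "status": fields[3], "native": int(fields[4]),
                            "allowed": set()}
        elif section == "allowed" and port in trunks:
            trunks[port]["allowed"] = expand_vlan_list(fields[1])
    return trunks


def check_trunk_pair(name_a: str, a: dict, name_b: str, b: dict) -> list:
    """Compare both ends of one trunk and return human-readable findings."""
    findings = []
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {name_a} uses {a['native']}, {name_b} uses "
                        f"{b['native']}; untagged frames will land in the wrong VLAN")
    for name, end in ((name_a, a), (name_b, b)):
        if end["native"] == 1:
            findings.append(f"{name}: native VLAN is still the default VLAN 1; use a dedicated unused VLAN")
        if end["allowed"] >= ALL_VLANS:
            findings.append(f"{name}: every VLAN (1-4094) is allowed on the trunk; prune the allowed list")
    if a["allowed"] != b["allowed"]:
        only_a, only_b = a["allowed"] - b["allowed"], b["allowed"] - a["allowed"]
        findings.append(f"allowed VLAN lists differ: {len(only_a)} VLAN(s) only on {name_a}, "
                        f"{len(only_b)} only on {name_b}")
    return findings


def audit_trunk(show_a: str, port_a: str, show_b: str, port_b: str) -> list:
    """Parse both outputs and check the named ports against each other."""
    a = parse_show_interfaces_trunk(show_a)[port_a]
    b = parse_show_interfaces_trunk(show_b)[port_b]
    return check_trunk_pair(f"SwitchA {port_a}", a, f"SwitchB {port_b}", b)


if __name__ == "__main__":
    for finding in audit_trunk(SHOW_TRUNK_A, "Gi0/24", SHOW_TRUNK_B, "Gi0/1"):
        print("-", finding)
```

Paste the real command output in place of the constructed samples; the parser keys on the column headings rather than on fixed column widths, so minor spacing differences between IOS versions do not matter.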

Access port vs trunk port

Attribute             Access port              Trunk port
VLANs carried         One                      Multiple
Frame tagging         None (untagged)          802.1Q tagged (native VLAN untagged)
Connected to          End hosts (PCs, phones)  Other switches, routers
Native VLAN applies?  No                       Yes (untagged frames use native VLAN)

Key exam facts — CCNA / Network+

  • VLAN = logical broadcast domain. Devices in different VLANs need a router to communicate.
  • Access port: one VLAN, no tagging, for end hosts.
  • Trunk port: multiple VLANs, 802.1Q tagging between switches.
  • Native VLAN: the one untagged VLAN on a trunk. Default VLAN 1. Must match on both ends.
  • Router-on-a-stick: single physical link with subinterfaces per VLAN for inter-VLAN routing.
  • SVI (Layer 3 switch): virtual interface per VLAN, routes traffic internally at wire speed.
  • VTP transparent mode: switch stores VLANs locally, forwards VTP messages but does not apply them.

Common exam traps

Devices in different VLANs on the same switch can communicate without a router.

VLANs are isolated Layer 2 broadcast domains. Communication between VLANs requires a Layer 3 device, either a router or a Layer 3 switch. No amount of switch configuration allows cross-VLAN Layer 2 forwarding.

The native VLAN must always be VLAN 1.

The native VLAN can be changed to any VLAN. Best practice is to change it from the default VLAN 1 and use a dedicated, unused VLAN as the native VLAN. The critical requirement is that it matches on both ends of the trunk.

802.1Q tagging adds significant overhead to every frame.

The 802.1Q tag adds exactly 4 bytes to the Ethernet frame. This is negligible overhead and has no meaningful performance impact.

Practice questions — VLANs & Trunking

These questions are representative of what you will see on the CCNA and Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A network administrator wants devices in VLAN 10 to communicate with devices in VLAN 20 on the same switch. What is required?

A. Create a trunk link between the two VLANs on the switch
B. Configure a Layer 3 device such as a router or multilayer switch to route between them
C. Assign all ports to the native VLAN
D. Enable VTP to synchronize VLAN tables across VLANs

Explanation: VLANs are isolated Layer 2 broadcast domains. Communication between VLANs requires a Layer 3 routing function — either a router (with subinterfaces, 'router-on-a-stick') or a multilayer switch with SVIs. No switch-only configuration allows inter-VLAN forwarding.

Q2. A trunk link between two Cisco switches shows CDP warning messages about a native VLAN mismatch. Switch A uses VLAN 1 and Switch B uses VLAN 99 as native. What is the impact?

A. All trunk traffic is blocked until the mismatch is resolved
B. Untagged frames from Switch A will be placed in VLAN 99 by Switch B, causing traffic to reach the wrong VLAN
C. Only VoIP traffic is affected by the native VLAN mismatch
D. The trunk link will automatically negotiate to a common native VLAN

Explanation: A native VLAN mismatch causes untagged frames from one switch to be interpreted as belonging to a different VLAN on the other switch. A frame sent as native VLAN 1 on Switch A arrives untagged; Switch B places it in VLAN 99. This misroutes traffic and creates a security risk. The trunk link itself stays up but traffic is misdelivered.

Q3. Which command verifies which VLANs are allowed and active on a trunk link on a Cisco switch?

A. show vlan brief
B. show interfaces trunk
C. show interfaces status
D. show spanning-tree

Explanation: 'show interfaces trunk' displays trunking interfaces, the encapsulation type (802.1Q), allowed VLANs, VLANs in spanning tree forwarding, and VLANs active in management domain. 'show vlan brief' shows VLANs and their assigned access ports but does not display trunk information.

Q4. A host connected to a switch access port sends a frame. How does the switch handle VLAN tagging for this frame?

A. The switch adds an 802.1Q tag before forwarding to any port
B. The switch adds an 802.1Q tag only when forwarding across a trunk link
C. The switch never adds tags to frames from access ports
D. The host adds the VLAN tag before sending

Explanation: Access ports connect to end hosts that have no VLAN awareness. The host sends untagged frames. The switch handles VLAN internally — when forwarding out a trunk port, the switch adds the 802.1Q tag for the source VLAN. When receiving a tagged frame from a trunk and forwarding to an access port, the switch removes the tag.

Q5. What is the purpose of router-on-a-stick inter-VLAN routing?

A. To allow multiple VLANs to share a single physical trunk link to a router using subinterfaces
B. To eliminate the need for a router by routing directly on the switch
C. To block inter-VLAN traffic at the router
D. To allow access ports to carry multiple VLANs

Explanation: Router-on-a-stick uses a single physical interface on a router connected to a trunk port. The router interface is divided into subinterfaces — one per VLAN — each configured with an IP address for that VLAN's gateway and tagged with the VLAN ID. Traffic arriving from VLAN 10 on one subinterface is routed out through another subinterface toward VLAN 20.

Frequently asked questions — VLANs & Trunking

What is a VLAN and why would I use one?

A VLAN (Virtual Local Area Network) is a logical grouping of switch ports that share a broadcast domain, regardless of physical location. VLANs are used to separate traffic between departments (HR vs Engineering), isolate sensitive devices, reduce broadcast domain size, and improve security. Devices in different VLANs cannot communicate at Layer 2 — a router or Layer 3 switch is required.

What is the difference between an access port and a trunk port?

An access port carries traffic for exactly one VLAN and connects to end hosts (PCs, printers, IP phones). Frames are untagged going to and from end hosts. A trunk port carries traffic for multiple VLANs between switches or to a router. Frames are tagged with 802.1Q VLAN identifiers on trunk links, except for the native VLAN which remains untagged.

What is the native VLAN and why does it need to match on both ends?

The native VLAN is the single VLAN on a trunk whose frames travel untagged. When a switch receives an untagged frame on a trunk port, it assigns the frame to the native VLAN. If the two switches have different native VLANs configured, untagged frames will be placed in the wrong VLAN on the receiving switch, causing traffic misdelivery and a potential security hole (VLAN hopping). The Cisco default native VLAN is 1; best practice is to change it to an unused VLAN.

What is the difference between router-on-a-stick and an SVI for inter-VLAN routing?

Router-on-a-stick uses a physical router with one trunk link and multiple subinterfaces (one per VLAN). It's simple to implement but the single physical link becomes a bottleneck for all inter-VLAN traffic. An SVI (Switched Virtual Interface) on a Layer 3 switch is a virtual interface representing a VLAN. The switch routes between SVIs internally at hardware speed, making it far more scalable and performant for campus networks.

How are VLANs tested on CCNA and Network+?

Both exams test VLAN concepts and configuration. CCNA covers access port configuration, trunk port configuration (802.1Q, native VLAN), inter-VLAN routing (router-on-a-stick and SVIs), VTP modes, and troubleshooting. Expect questions about identifying why two hosts can't communicate (missing VLAN, wrong access port assignment, native VLAN mismatch) and inter-VLAN routing configuration.
