
VLANs

Definitive CCNA-level VLAN guide — broadcast domains, access vs trunk ports, 802.1Q tagging, native VLAN, voice VLANs, VTP, VLAN design, the 6-step trunk debug, security pitfalls, and 7 worked exam scenarios.

TL;DR
  • A VLAN lets one physical switch pretend to be several separate switches — every VLAN is its own broadcast domain.
  • Access ports belong to one VLAN. Trunk ports carry many VLANs with 802.1Q tags (4 bytes inserted into each frame).
  • Devices in different VLANs cannot talk without a router (or L3 switch SVI) — even if they're on the same physical switch.
  • VLAN 1 is the default + management VLAN — never put real users in it, and never leave it as the native VLAN on trunks.
[Figure: Two switches · two VLANs · one trunk. SW1 and SW2 are joined by a trunk carrying VLANs 10 and 20; PC1 and PC3 sit in VLAN 10, PC2 and PC4 in VLAN 20. PC1 ↔ PC3 (same VLAN) talks via the trunk; PC1 ↔ PC2 (different VLAN) is blocked.]
Two physical switches, two logical VLANs. The trunk between them tags each frame so SW2 knows which VLAN it belongs to.

Mental model

A VLAN is a way to pretend one physical switch is several separate switches.

That’s the whole concept. Everything else — trunks, tagging, native VLANs, VTP, voice VLANs — is plumbing to make that pretense work consistently across more than one physical switch.

When you put a port in VLAN 10, that port behaves as if it were wired to the same VLAN-10 broadcast domain as every other VLAN-10 port across every switch in your network. A port in VLAN 20 is a completely different broadcast domain — as if you’d unplugged the cable between them.

Three facts that follow from this and that the CCNA exam tests endlessly:

  1. Each VLAN = one broadcast domain. Broadcasts from VLAN 10 never reach VLAN 20.
  2. Each VLAN = one IP subnet. You can’t put 192.168.10.0/24 hosts on both VLAN 10 and VLAN 20 and expect them to talk.
  3. VLANs only carry traffic between themselves through a router or L3 switch. No exceptions in a pure Layer-2 network.

Why VLANs exist

Before VLANs, every broadcast domain needed its own physical switch. To separate “users” from “servers” from “phones,” you bought three switches and three sets of cables. Expensive, inflexible, hard to change.

VLANs let you take one switch (or, with trunking, a campus full of switches) and logically split it into as many broadcast domains as you want. Common uses:

  • User vs server segmentation — broadcast storms on the user VLAN don’t melt the server VLAN.
  • Security boundaries — guest Wi-Fi traffic isolated from corporate Wi-Fi.
  • Voice prioritization — IP phones live on a dedicated VLAN with QoS marking applied uniformly.
  • Department / tenant segregation — HR can’t see Finance broadcasts.
  • Multi-tenant data centers — each customer in their own VLAN(s).
  • IoT containment — security cameras and badge readers locked in a separate VLAN with strict ACLs.

Topology

In a typical CCNA topology:

  • PC1 and PC3 are both in VLAN 10 but on different physical switches (SW1 and SW2). They can ping each other — frames cross the trunk between SW1 and SW2 with an 802.1Q tag identifying VLAN 10.
  • PC1 (VLAN 10) and PC2 (VLAN 20) are connected to the same physical switch but in different VLANs. They cannot ping each other — to the network they’re on different switches.

The trunk between SW1 and SW2 carries both VLAN 10 and VLAN 20 simultaneously. Each frame on the trunk has a 4-byte 802.1Q tag identifying which VLAN it belongs to.

Access ports vs trunk ports

Every switch port operates in exactly one of two main modes:

| Port mode | Belongs to | Frames on the wire | Used for |
|---|---|---|---|
| Access | One VLAN | Untagged | End devices (PCs, printers, APs, phones via voice VLAN) |
| Trunk | Many VLANs | Tagged with 802.1Q (except native VLAN) | Switch-to-switch links, switch-to-router for sub-interfaces, switch-to-hypervisor |

When a frame enters an access port in VLAN 10, the switch tags it internally with VLAN 10. When that frame exits another access port in VLAN 10, the switch strips the tag back off. The end device never sees the tag.

When a frame enters a trunk port, the switch reads the existing tag to know which VLAN it belongs to. When the frame exits a trunk port, the switch leaves the tag in place — so the next switch knows the VLAN, too. Exception: traffic in the native VLAN travels untagged across the trunk (more on this below).

Configure an access port

SW1(config)# interface GigabitEthernet0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10
SW1(config-if)# spanning-tree portfast
SW1(config-if)# spanning-tree bpduguard enable

The last two lines aren’t required for VLAN function but are best practice on every host-facing access port. PortFast skips STP’s state machine for host ports (no risk of a host generating BPDUs); BPDU Guard err-disables the port if a BPDU does arrive (someone plugged in a rogue switch).

Configure a trunk port

SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport nonegotiate
SW1(config-if)# switchport trunk allowed vlan 10,20,30,99
SW1(config-if)# switchport trunk native vlan 999
  • encapsulation dot1q — only needed on platforms that historically supported ISL (Cisco proprietary, dead). Modern Catalysts skip this line; older 3750-era still needs it.
  • mode trunk — explicitly trunk, not auto-negotiate.
  • nonegotiate — disable DTP (Dynamic Trunking Protocol). DTP is a security risk (can be exploited to trunk-attach a rogue switch) and explicit beats implicit.
  • allowed vlan — list which VLANs cross this trunk. Default is all VLANs (1–4094), which is rarely what you want.
  • native vlan 999 — frames in VLAN 999 travel untagged. Critical to set this to an unused VLAN (not VLAN 1, ever).

802.1Q tagging — what’s actually on the wire

A standard Ethernet frame:

| Dest MAC (6) | Src MAC (6) | Type (2) | Payload | FCS (4) |

The same frame with 802.1Q tagging:

| Dest MAC (6) | Src MAC (6) | TPID (2)=0x8100 | TCI (2) | Type (2) | Payload | FCS (4) |

A 4-byte tag is inserted after the source MAC:

  • TPID (2 bytes) — Tag Protocol Identifier, always 0x8100 for 802.1Q.
  • TCI (2 bytes) — Tag Control Information, which contains:
    • PCP (3 bits) — Priority Code Point (CoS / Class of Service, 0–7, used by QoS)
    • DEI (1 bit) — Drop Eligible Indicator
    • VID (12 bits) — VLAN ID (0–4095, but 0 and 4095 reserved, so practically 1–4094)

12 bits of VLAN ID = 4,094 usable VLANs. That’s why CCNA tests “VLAN ID range 1–4094.”

The maximum frame size effectively grows by 4 bytes. Modern switches handle this transparently. Older gear may need a higher MTU on trunk ports (called “jumbo frames” or “baby giants”) — usually system mtu 1504 or higher.

The native VLAN — the #1 trunk gotcha

On a trunk, exactly one VLAN is the native VLAN — its frames travel untagged. By default this is VLAN 1.

Why does this exist? Historical compatibility with hubs and unmanaged switches that don’t understand tags. If a tagged frame in VLAN 1 hit a dumb device, the dumb device would see a weird 4-byte payload and drop it. Untagged native frames just look like normal Ethernet.

In modern networks the native VLAN is a vulnerability and a source of bugs:

  • Security: an attacker can perform a double-tagging attack — wrap a frame in two 802.1Q tags. The first tag (matching the trunk’s native VLAN) is stripped by the first switch; the inner tag survives and the frame lands in the wrong VLAN.
  • Bugs: if SW1 has native VLAN 1 and SW2 has native VLAN 99, untagged frames from one side land in the wrong VLAN on the other.

Best practice in 2026: set the native VLAN to an explicit unused VLAN (e.g., 999) on both ends of every trunk, and tag the native VLAN explicitly with vlan dot1q tag native so nothing travels untagged.

SW1(config)# vlan 999
SW1(config-vlan)# name UNUSED-NATIVE

SW1(config)# vlan dot1q tag native

SW1(config-if)# switchport trunk native vlan 999

When configured this way, all traffic on the trunk is tagged, including the native VLAN. No untagged frame surprises.
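The tag layout above and the native-VLAN behaviour just described, as an added model (not code from the page or from PacketMentor): the parser decodes the 0x8100 TPID and the PCP/DEI/VID fields of the TCI, and `hop()` follows a frame from an access port on SW1 across the trunk into SW2, showing why both moving the native VLAN to an unused ID and `vlan dot1q tag native` keep a double-tagged frame from landing in another VLAN. MAC addresses and payloads are constructed, and the switch logic is a simplified model of IOS defaults, not IOS code.

```python
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier

def strip_outer_tag(frame):
    """If an 802.1Q tag follows the source MAC, return ((pcp, dei, vid), frame
    with that tag removed); otherwise (None, frame) for an untagged frame."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    tag = ((tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF)  # PCP, DEI, VID
    return tag, frame[:12] + frame[16:]

def tag_stack(frame):
    """Return every VID in the frame's tag stack, outermost first."""
    vids = []
    tag, frame = strip_outer_tag(frame)
    while tag:
        vids.append(tag[2])
        tag, frame = strip_outer_tag(frame)
    return vids

def build_frame(dst, src, vids, ethertype=0x0800, payload=b"", pcp=0):
    """Constructed sample frame: one 802.1Q tag per VID in `vids`, outermost first."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload

def access_ingress(frame, access_vlan):
    """Access port: untagged frames join access_vlan; a tag equal to the access
    VLAN is stripped and accepted; any other tag is dropped (returns None)."""
    tag, body = strip_outer_tag(frame)
    if tag is None:
        return access_vlan, frame
    return (access_vlan, body) if tag[2] == access_vlan else None

def trunk_egress(vid, body, native, tag_native):
    """Trunk egress: insert the tag for `vid`, except that the native VLAN leaves
    untagged unless `vlan dot1q tag native` is configured."""
    if vid == native and not tag_native:
        return body
    return body[:12] + struct.pack("!HH", TPID, vid) + body[12:]

def trunk_ingress(wire, native, allowed, tag_native):
    """Trunk ingress on the peer: classify by the outer tag, or by the native
    VLAN if untagged (dropped when the native VLAN is tagged); then enforce the
    allowed list. Returns (vid, body) or None if dropped."""
    tag, body = strip_outer_tag(wire)
    if tag is None:
        if tag_native:
            return None
        vid = native
    else:
        vid = tag[2]
    return (vid, body) if vid in allowed else None

def hop(frame, access_vlan, native, allowed, tag_native=False):
    """Access port on SW1 -> trunk -> SW2. Returns the VLAN the frame lands in
    on SW2, or None if it is dropped along the way."""
    hit = access_ingress(frame, access_vlan)
    if hit is None:
        return None
    vid, body = hit
    wire = trunk_egress(vid, body, native, tag_native)
    peer = trunk_ingress(wire, native, allowed, tag_native)
    return peer[0] if peer else None
```

With the defaults (access VLAN 1, native VLAN 1, native untagged) a frame tagged 1 then 20 lands in VLAN 20 on SW2; with native VLAN 999 or with the native VLAN tagged it stays in VLAN 1.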

Voice VLANs

IP phones plug into an access port but need to be in a different VLAN from the PC daisy-chained behind them. Cisco’s solution is the voice VLAN — a special concept where one port is in two VLANs:

  • Data VLAN — for the PC behind the phone, untagged.
  • Voice VLAN — for the phone itself, 802.1Q tagged with CoS 5 (high priority).
SW1(config)# interface Gi1/0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10        ! data VLAN
SW1(config-if)# switchport voice vlan 110         ! voice VLAN
SW1(config-if)# mls qos trust cos                 ! preserve phone's QoS markings

The phone gets its VLAN assignment via CDP / LLDP-MED from the switch and tags voice traffic accordingly. PC behind the phone runs untagged on VLAN 10.

This is technically not a “real” trunk port — it’s an access port with one extra VLAN exception. CCNA exam calls this out specifically.

Allowed-VLAN list on trunks

By default a trunk allows all VLANs (1–4094). In most production networks you want to restrict this:

SW1(config-if)# switchport trunk allowed vlan 10,20,30,99,999

Why restrict?

  • Smaller broadcast scope — VLAN 30’s broadcast only reaches switches where VLAN 30 exists.
  • Smaller failure domain — STP topology changes only ripple through VLANs that actually need to be present.
  • Security — even if a VLAN exists in the database, it cannot cross trunks where it’s not in the allowed list.
  • Easier troubleshooting — show interfaces trunk shows you exactly what’s supposed to be there.

Adding to the list later:

SW1(config-if)# switchport trunk allowed vlan add 40

Crucial: the word add. Without it, you overwrite the list and may lose 10, 20, 30 in the process. Common production outage.

VTP — VLAN Trunking Protocol

VTP synchronizes the VLAN database across switches. Set up VLAN 50 on one switch; VTP propagates it to every other switch in the same VTP domain.

| VTP mode | What it does |
|---|---|
| Server | Can add/edit/delete VLANs; advertises changes |
| Client | Receives advertisements; can’t change VLANs locally |
| Transparent | Manages its own VLANs locally; just forwards advertisements through |

VTP sounds useful but has a notorious failure mode: a switch with a higher VTP revision number wipes the VLAN database of every other switch when added to the domain. Catastrophic outages have resulted from plugging in a lab switch that had been used in a domain with a higher revision number.

2026 best practice: disable VTP, or run VTP v3 in transparent mode. Most modern shops manage VLANs via configuration management (Ansible / NetBox) instead of VTP.

See VTP for the full picture.

VLAN design — how to actually choose VLAN IDs

A clean VLAN design saves operations pain forever. Some conventions that work in real enterprises:

| VLAN ID range | Use |
|---|---|
| 1 | Never use — Cisco default + management. Quarantine. |
| 2–9 | Reserved for special purposes (management VLAN, native VLAN — pick separate IDs from data) |
| 10–99 | User VLANs (10 = USERS, 20 = SALES, 30 = ENG, etc.) |
| 100–199 | Voice VLANs (110 = USER-VOICE, 120 = SALES-VOICE) |
| 200–299 | Server / DC VLANs |
| 300–399 | Guest, BYOD, untrusted |
| 400–499 | DMZ, public-facing |
| 999 | Native VLAN on trunks (unused for any host) |
| 1002–1005 | Never use — reserved by Cisco for FDDI/Token Ring (legacy) |

The pattern doesn’t matter as much as picking one and sticking to it. A new engineer should be able to look at VLAN 120 and immediately know “it’s voice for the Sales department” without checking docs.

Name every VLAN — name USERS, name SALES-VOICE. CCNA exam loves to test that you remember to do this.

Verification commands

SW1# show vlan brief
SW1# show vlan id 10
SW1# show interfaces trunk
SW1# show interfaces Gi1/0/1 switchport
SW1# show interfaces status vlan 10
SW1# show mac address-table vlan 10
SW1# show spanning-tree vlan 10

show vlan brief confirms each VLAN exists and which ports belong. show interfaces trunk confirms which trunks are formed and which VLANs they carry. show interfaces Gi1/0/1 switchport shows the full operational state of a single port — mode, access VLAN, voice VLAN, allowed VLANs if trunk, native VLAN, etc. This is the daily-driver troubleshooting command.

The 6-step trunk debug workflow

When a host in VLAN X can’t reach another host in VLAN X across a trunk:

  1. Is the trunk actually a trunk? show interfaces Gi0/24 switchport | include Mode on both ends. Both must say Operational Mode: trunk. If one says dynamic auto or static access, fix it.

  2. Is VLAN X in the trunk’s allowed list? show interfaces trunk — check the “Vlans allowed” column.

  3. Does VLAN X exist in the VLAN database on both switches? show vlan brief — VLAN X must appear as active.

  4. Is VTP pruning it? show vtp status — if pruning is enabled and there’s no active access port in VLAN X downstream, VTP may skip it. Add a placeholder port or disable pruning.

  5. Native VLAN matches? show interfaces trunk | include Native on both ends. Mismatch = CDP errors in the log + frames landing in wrong VLAN.

  6. Physical layer? show interfaces Gi0/24 status should say connected. If notconnect or err-disabled, fix the cable / port-security / BPDU Guard config first.

This catches 95% of cases. The blog post trunk-not-passing-vlan walks each step in detail.
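Steps 1, 2, 3 and 5 of the workflow as a script, added here and not part of the page: it parses constructed `show interfaces trunk` output from both ends of the SW1–SW2 trunk together with each switch’s set of active VLANs (from `show vlan brief`) and reports every mismatch for one VLAN. The column layout follows IOS; the `Gi0/24` port name, the VLAN lists and the native VLANs are constructed values.

```python
# Constructed 'show interfaces trunk' output from both ends of the SW1-SW2 trunk.
SW1_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/24      1,20,30
"""
SW2_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/24      10,20,30-32
"""
# Active VLAN IDs from each switch's 'show vlan brief' (constructed).
SW1_VLANS = {1, 10, 20, 30}
SW2_VLANS = {1, 20, 30}

def expand_vlan_list(spec):
    """Expand IOS allowed-list syntax ('10,20,30-32', 'all', 'none') into a set of IDs."""
    spec = spec.strip().lower()
    if spec in ("all", "none"):
        return set(range(1, 4095)) if spec == "all" else set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_interfaces_trunk(text):
    """Return {port: {"mode", "status", "native", "allowed"}} from the first two
    tables of 'show interfaces trunk'; any later tables are skipped."""
    ports, table = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # table header: decide which table follows
            table = "status" if "Native" in line else "allowed" if "allowed on trunk" in line else None
            continue
        if table == "status" and len(fields) >= 5:
            ports[fields[0]] = {"mode": fields[1], "status": fields[3],
                                "native": int(fields[4]), "allowed": set()}
        elif table == "allowed" and fields[0] in ports:
            ports[fields[0]]["allowed"] = expand_vlan_list(fields[1])
    return ports

def audit_trunk(vlan, ends):
    """Steps 1, 2, 3 and 5 of the trunk debug. `ends` is [(switch, port_entry, vlan_db), ...]
    with port_entry from parse_show_interfaces_trunk() (None if absent) and vlan_db a set."""
    findings, natives = [], {}
    for name, port, db in ends:
        if port is None or port["status"] != "trunking":   # step 1: is it a trunk?
            findings.append(f"{name}: port is not trunking")
            continue
        if vlan not in port["allowed"]:                     # step 2: allowed list
            findings.append(f"{name}: VLAN {vlan} missing from allowed list")
        if vlan not in db:                                  # step 3: VLAN database
            findings.append(f"{name}: VLAN {vlan} not in VLAN database")
        natives[name] = port["native"]
    if len(set(natives.values())) > 1:                      # step 5: native VLAN match
        findings.append("native VLAN mismatch: " + ", ".join(f"{n}={v}" for n, v in natives.items()))
    return findings

def check_sw1_sw2(vlan):
    """Run the audit for `vlan` over the constructed SW1/SW2 output above."""
    ends = [("SW1", SW1_TRUNK, SW1_VLANS), ("SW2", SW2_TRUNK, SW2_VLANS)]
    return audit_trunk(vlan, [(n, parse_show_interfaces_trunk(t).get("Gi0/24"), db) for n, t, db in ends])
```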

Security pitfalls

1. VLAN hopping via double-tagging

Attacker on VLAN 1 (which is also the trunk’s native VLAN) sends a frame with two 802.1Q tags. First switch strips the outer tag (since it matches the native VLAN — untagged). Inner tag says “I’m in VLAN 20.” Frame is now in VLAN 20 illegally.

Mitigation: never use VLAN 1 as a host VLAN OR as a native VLAN. Tag the native VLAN explicitly (vlan dot1q tag native).

2. DTP (Dynamic Trunking Protocol) abuse

DTP is the protocol that auto-negotiates whether a port becomes a trunk. An attacker can send DTP frames and convince a switch port to become a trunk — gaining access to all VLANs.

Mitigation: switchport nonegotiate on every port. Explicitly configure access or trunk; never auto.

3. Rogue switch attaches via PortFast

If a user-facing port has PortFast (skip STP) and an attacker plugs in a malicious switch, that switch joins the network as a forwarding peer and can sniff VLAN traffic.

Mitigation: BPDU Guard on every PortFast port. If a BPDU arrives, the port goes err-disabled.

4. Private VLANs vs regular VLANs

For environments where you need many hosts in one subnet but isolated from each other (hotel Wi-Fi, multi-tenant), use Private VLANs instead of regular VLANs. See Private VLANs.

Worked exam scenarios


Scenario 1. SW1 has VLAN 10 with ports Gi0/1, Gi0/2 in it. SW1’s trunk to SW2 has allowed-vlan 1,20,30. PC on Gi0/1 (VLAN 10) wants to ping a PC in VLAN 10 on SW2. Will it work?

Answer: No. VLAN 10 is not in the trunk’s allowed list. Frames are silently dropped at the trunk. Fix: switchport trunk allowed vlan add 10 on SW1’s trunk.


Scenario 2. Two switches have trunks between them. SW1 native VLAN = 1. SW2 native VLAN = 99. CDP is enabled. What happens?

Answer: CDP logs a %CDP-4-NATIVE_VLAN_MISMATCH error on both. Untagged frames from SW1 land in VLAN 99 on SW2; untagged frames from SW2 land in VLAN 1 on SW1. Possible silent VLAN leak. Fix: align native VLAN on both ends to the same unused VLAN ID.


Scenario 3. A user complains their VoIP phone works but their PC behind the phone gets no IP. The port has switchport access vlan 10 and switchport voice vlan 110. The data VLAN’s DHCP server is configured. What’s broken?

Answer: Most likely cause: VLAN 10 isn’t on the trunk uplink to the DHCP server’s network. The phone has its own VLAN 110 trunked correctly. Check show interfaces trunk for VLAN 10. (Also check DHCP relay / ip helper-address on the VLAN 10 SVI.)


Scenario 4. SW1, SW2, SW3 are in a triangle. All three trunks have allowed VLAN list 10,20. VLAN 20 has 0 active hosts. Why might show spanning-tree vlan 20 still be running?

Answer: STP runs for every VLAN that exists in the database and is allowed on a trunk, regardless of host count. To skip STP for VLAN 20 you’d need to either remove it from the allowed list or enable VTP pruning (or both).


Scenario 5. You configure a new VLAN 50 on SW1 only. PC on SW2 in VLAN 50 (assigned to Gi0/3 with switchport access vlan 50) can’t reach a PC on SW1 in VLAN 50. Why?

Answer: VLAN 50 doesn’t exist in SW2’s VLAN database. The port command switchport access vlan 50 puts the port in VLAN 50 logically, but without a corresponding vlan 50 entry in the database, SW2 may show “VLAN does not exist” or silently drop traffic. Run vlan 50 then name USERS-50 on SW2.


Scenario 6. A switch reboots and all VLAN configuration is gone. Why?

Answer: The VLAN database lives in vlan.dat in flash, separate from running-config and startup-config. If you only saved running-config with copy run start but didn’t save the VLAN database (which on most platforms saves automatically), the VLANs vanish on reboot. Modern IOS handles this transparently, but VTP-transparent and certain backup/restore patterns can lose vlan.dat.


Scenario 7. Why can’t a host in VLAN 10 ping a host in VLAN 20 on the same switch, even though both are in subnet 192.168.10.0/24?

Answer: Same subnet doesn’t matter. Different VLAN = different broadcast domain = different L2 world. The host in VLAN 10 ARPs for the target IP; the ARP request never reaches VLAN 20. The host gets no reply. This is the most common conceptual mistake in CCNA — VLAN ≠ subnet, but each VLAN must have its own unique subnet.

Common mistakes

  1. VLAN exists on SW1 but not on SW2. Frames get tagged VLAN 10 on the trunk, arrive at SW2, but SW2 doesn’t know what VLAN 10 is — frames get dropped silently. Always create the same VLAN database on both ends.

  2. Forgetting to allow the VLAN on the trunk. Default is all VLANs allowed, but if someone previously restricted, the new VLAN won’t pass. Use switchport trunk allowed vlan add ..., not switchport trunk allowed vlan ... (which overwrites).

  3. Native VLAN mismatch. SW1 says native is VLAN 1, SW2 says native is VLAN 99 — Spanning Tree complains via CDP, and untagged frames potentially leak between VLANs. Set both sides to the same unused VLAN.

  4. Putting real devices in VLAN 1. VLAN 1 is the default management VLAN. Putting users or servers in VLAN 1 is a security anti-pattern. Use unused VLAN IDs starting at 10, 20, etc.

  5. VLAN ≠ subnet, but they should align. Each VLAN is its own broadcast domain → each VLAN gets its own IP subnet. Two devices in different VLANs cannot talk without a router (or L3 switch SVI), even if you assigned them the same IP subnet.

  6. PortFast on a switch-to-switch link. If anything other than a host plugs in, you’ve created a 1-second loop window. Pair with BPDU Guard always.

  7. VTP misuse. Lab switch with high revision number wipes production VLANs. Disable VTP or run v3 transparent in 2026.

  8. DTP left enabled on access ports. Default mode on many platforms is dynamic auto which can be exploited into trunking. Always switchport mode access + switchport nonegotiate.

  9. Overwriting the allowed list with vlan instead of vlan add. Outage in one command.

  10. Not tagging the native VLAN. Modern security best practice is vlan dot1q tag native so no frame travels untagged on a trunk.

Lab to try tonight

  1. Two-switch basic VLAN — Drop two switches and four PCs in Packet Tracer. Create VLAN 10 and VLAN 20 on both switches. Assign PC1 + PC3 to VLAN 10; PC2 + PC4 to VLAN 20. Trunk between switches with native VLAN 999. Verify PC1↔PC3 (same VLAN cross-switch) works and PC1↔PC2 (different VLAN, same switch) does not.

  2. Add inter-VLAN routing — Add a router on a stick (or L3 switch SVI). Configure VLAN 10 gateway + VLAN 20 gateway. Verify PC1↔PC2 now works through the router.

  3. Break the trunk on purpose — Change native VLAN on one side. Watch show interfaces trunk and check log messages for CDP mismatch. Restore.

  4. Allowed-list trap — Start with allowed list 10,20. Try switchport trunk allowed vlan 30. Observe — 10 and 20 are now gone. Restore with switchport trunk allowed vlan add syntax.

  5. Voice VLAN — Add a Cisco IP phone in Packet Tracer between the PC and switch. Configure access VLAN 10 + voice VLAN 110. Verify the phone gets a VLAN-110 IP from a separate DHCP pool and the PC behind it gets VLAN-10 IP.

  6. Security drills — Plug a second switch into a PortFast access port. Watch BPDU Guard err-disable the port instantly. Re-enable with shutdown / no shutdown after fixing.

  7. Bonus: VLAN database survival — Reboot a switch with write erase first; confirm vlan.dat survives (it lives in flash, not NVRAM, on modern switches).

Cheat strip

| Concept | Plain English |
|---|---|
| VLAN | One physical switch pretending to be N switches |
| Access port | Belongs to one VLAN, untagged on the wire |
| Trunk port | Carries many VLANs, frames tagged with 802.1Q (except native) |
| 802.1Q tag | 4-byte header inserted after src MAC. VID is 12 bits = 4094 usable VLAN IDs |
| Native VLAN | The one VLAN whose frames travel untagged on a trunk. Default is VLAN 1 — never leave this default |
| vlan dot1q tag native | Tag native VLAN too. Best practice in 2026 |
| Voice VLAN | Access port + extra tagged voice VLAN. Phone tags voice; PC behind phone is untagged data |
| VLAN 1 | Default + management. Never put hosts in it |
| VLANs 1002-1005 | Reserved by Cisco for FDDI/Token Ring (legacy). Don’t use |
| VLAN database | Lives in flash:vlan.dat, separate from startup-config |
| Inter-VLAN routing | Needs a router or L3 switch SVI — pure L2 cannot cross VLANs |
| Allowed list | switchport trunk allowed vlan ... controls which VLANs cross a given trunk. Use add to extend |
| VTP | VLAN synchronization protocol. Risky — prefer transparent mode or disable |
| DTP | Dynamic Trunking Protocol — auto-negotiates trunks. Disable with switchport nonegotiate |
| Trunk gotchas | Allowed list, native VLAN, DB exists on both ends, VTP pruning, physical layer |
| VLAN hopping | Double-tagging attack. Mitigate by tagging native + not using VLAN 1 |
| PortFast + BPDU Guard | Mandatory pair on host access ports |