VLAN, STP, Trunk, Native VLAN, and ACL Issues
Key Takeaways
- VLAN problems commonly involve wrong access VLANs, missing VLANs on trunks, native VLAN mismatch, or incorrect tagging.
- STP prevents Layer 2 loops, but blocked ports, root bridge changes, and protection features can affect connectivity.
- Trunk troubleshooting should verify allowed VLAN lists, encapsulation, native VLAN, and both ends of the link.
- ACL issues can look like routing or application failures because traffic is intentionally filtered.
- Layer 2 troubleshooting requires checking both switch configuration and the actual path a frame takes.
VLAN, STP, Trunks, and ACLs
Switching problems often create selective failures. One desk jack cannot reach printers. One VLAN cannot get DHCP. A server works on one switch but not another. A guest SSID bridges users into the wrong subnet. These clues point toward VLAN, trunk, spanning tree, or filtering issues.
VLAN Assignment Problems
| Symptom | Likely issue |
|---|---|
| Device receives address from wrong subnet | Access port in wrong VLAN or wrong SSID-to-VLAN mapping |
| New VLAN works on one switch but not another | VLAN not created, not allowed, or not trunked across path |
| Voice phone works but attached PC does not | Data VLAN, voice VLAN, or port configuration issue |
| DHCP fails only on one VLAN | VLAN path, relay, scope, or ACL issue |
| Device works in one jack but not another | Port VLAN, port security, cabling, or switch configuration difference |
Always verify the port where the device actually connects. Documentation may be stale, and patch panels may not map to the expected switch port.
Trunk and Native VLAN Issues
Trunks carry multiple VLANs between switches, routers, firewalls, hypervisors, or access points. A trunk must agree on tagging behavior and allow the required VLANs.
| Trunk check | Why it matters |
|---|---|
| Both sides configured as trunk where required | Prevents one side from treating tagged frames incorrectly |
| Allowed VLAN list includes the needed VLAN | Missing VLAN blocks that subnet across the link |
| Native VLAN matches | Untagged traffic may land in the wrong VLAN if mismatched |
| VLAN exists and is active | Some platforms do not forward inactive or missing VLANs |
| AP or hypervisor tagging matches switch | Wireless or virtual networks can map clients to wrong VLANs |
A native VLAN mismatch may not break every flow, which is what makes it dangerous: tagged VLANs keep working while untagged frames are placed into a different VLAN on each side of the link, producing confusing, partial reachability.
STP Issues
Spanning Tree Protocol prevents Layer 2 loops by blocking redundant paths. STP is protective, but a port's STP role and state must be checked during troubleshooting because a blocked port is an expected outcome, not a fault by itself.
| STP clue | Meaning |
|---|---|
| Port blocking | STP is preventing a loop on that path |
| Root bridge changed unexpectedly | Traffic path may shift and create congestion or suboptimal forwarding |
| BPDU guard err-disabled a port | Edge port received a BPDU and was shut down for protection |
| Loop guard or root guard triggered | Protection feature detected unexpected topology behavior |
| Broadcast storm | Loop prevention may be missing, disabled, or overwhelmed |
Do not simply disable STP to "fix" a blocked link. Find why the topology or port role changed.
ACL Filtering
Access control lists can be placed on routers, Layer 3 switches, firewalls, wireless controllers, and sometimes switch ports. An ACL can make a healthy route look broken because the packet is dropped after a forwarding decision.
| ACL symptom | Likely clue |
|---|---|
| Ping works but application port fails | ICMP permitted, TCP or UDP port denied |
| One subnet reaches server but another cannot | Source network missing from permit rule |
| Return traffic fails | Stateless ACL missing reverse direction rule |
| New VLAN cannot reach DNS or DHCP relay | Infrastructure services not permitted |
| Logs show deny entries | Policy is dropping traffic intentionally |
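The ACL symptoms in the table can be reproduced by evaluating sample flows against a stateless ACL. This is an added example, not part of the original page; the ACL, addresses and ports are constructed for illustration.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

# Constructed ACL applied inbound on the interface facing the user VLANs.
# Tuples: (seq, action, proto, source net, destination net, dst port or None).
# As on a real device, anything not matched falls through to an implicit deny.
ACL = [
    (10, "permit", "icmp", net("10.10.0.0/16"), net("10.0.0.10/32"), None),
    (20, "permit", "tcp", net("10.10.20.0/24"), net("10.0.0.10/32"), 443),
    (30, "permit", "udp", net("10.10.0.0/16"), net("10.0.0.53/32"), 53),
]

def evaluate(acl, proto, src, dst, dport=None, log=None):
    """First-match evaluation; returns (seq, action), or (None, "deny") if nothing matches.
    If `log` is a list, a deny entry is appended the way an ACL log would show it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, p, snet, dnet, port in acl:
        if p != "ip" and p != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        if action == "deny" and log is not None:
            log.append(f"deny seq {seq} {proto} {src} -> {dst}:{dport}")
        return seq, action
    if log is not None:
        log.append(f"implicit deny {proto} {src} -> {dst}:{dport}")
    return None, "deny"

def diagnose(acl, src, dst, dport):
    """Run the ping-then-port test a troubleshooter would and name the symptom."""
    icmp = evaluate(acl, "icmp", src, dst)[1]
    tcp = evaluate(acl, "tcp", src, dst, dport)[1]
    if icmp == "permit" and tcp == "deny":
        return "ping works but application port fails"
    if icmp == "deny" and tcp == "deny":
        return "source network not permitted"
    return "permitted"

if __name__ == "__main__":
    print(diagnose(ACL, "10.10.20.5", "10.0.0.10", 3389))
    # The same stateless ACL applied to the reply direction has no reverse
    # rule, so the server's return traffic is dropped as well.
    print(evaluate(ACL, "tcp", "10.0.0.10", "10.10.20.5", 51000))
```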
Practical Troubleshooting Flow
| Step | Action |
|---|---|
| 1 | Identify source port, VLAN, IP subnet, and destination |
| 2 | Verify access VLAN or SSID-to-VLAN mapping |
| 3 | Check trunk allowed VLANs and native VLAN on every hop |
| 4 | Review STP role, state, and protection events |
| 5 | Test gateway and routed path |
| 6 | Review ACLs and logs for denied traffic |
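Step 3 of the flow, together with the trunk checks in the table above, can be automated once each link's configuration is known. This is an added example, not part of the original page; the switch names, ports, VLAN databases and trunk settings are constructed, and the `TrunkEnd` structure is a stand-in for whatever a real inventory or `show` output provides.

```python
from dataclasses import dataclass, field

@dataclass
class TrunkEnd:
    """One end of a switch-to-switch link (constructed sample data)."""
    switch: str
    port: str
    mode: str                                   # "trunk" or "access"
    allowed: set = field(default_factory=set)   # VLANs allowed on the trunk
    native: int = 1                             # untagged (native) VLAN

# VLAN database per switch (constructed): VLAN 30 was never created on dist1.
VLAN_DB = {
    "access1": {1, 10, 20, 30},
    "dist1": {1, 10, 20},
    "core1": {1, 10, 20, 30},
}

# Links from the access switch toward the core, listed hop by hop.
PATH = [
    (TrunkEnd("access1", "Gi0/24", "trunk", {1, 10, 20, 30}, native=1),
     TrunkEnd("dist1", "Gi1/0/1", "trunk", {1, 10, 20}, native=99)),
    (TrunkEnd("dist1", "Gi1/0/24", "trunk", {1, 10, 20, 30}, native=1),
     TrunkEnd("core1", "Te1/1", "trunk", {1, 10, 20, 30}, native=1)),
]

def check_vlan_path(vlan, path, vlan_db):
    """Return findings explaining why `vlan` may not cross every hop in `path`."""
    findings = []
    for a, b in path:
        link = f"{a.switch}:{a.port} <-> {b.switch}:{b.port}"
        for end in (a, b):
            if end.mode != "trunk":
                findings.append(f"{link}: {end.switch}:{end.port} is not a trunk")
            elif vlan not in end.allowed:
                findings.append(f"{link}: VLAN {vlan} not allowed on {end.switch}:{end.port}")
            msg = f"VLAN {vlan} does not exist on {end.switch}"
            if vlan not in vlan_db.get(end.switch, set()) and msg not in findings:
                findings.append(msg)
        # Native VLAN is checked per link: both ends must agree on the untagged VLAN.
        if a.mode == b.mode == "trunk" and a.native != b.native:
            findings.append(f"{link}: native VLAN mismatch ({a.native} vs {b.native})")
    return findings

if __name__ == "__main__":
    for finding in check_vlan_path(30, PATH, VLAN_DB) or ["VLAN 30 path looks clean"]:
        print(finding)
```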
Exam Focus
For N10-009, a wrong subnet after plugging in usually points to VLAN assignment. A VLAN that works locally but not across switches points to a trunk or allowed VLAN issue. A blocked redundant link may be normal STP behavior. A selective service failure can be an ACL rather than a route problem.
A new VLAN works on one access switch but cannot reach the distribution switch. Other VLANs on the same trunk work. What should be checked first?
A port connected to an unmanaged switch is err-disabled after receiving BPDUs. Which protection feature is most likely involved?
Which items should be verified when troubleshooting a trunk carrying multiple VLANs? Select three.