VLAN, STP, Trunk, Native VLAN, and ACL Issues
Key Takeaways
- VLAN faults are usually a wrong access VLAN, a VLAN missing from a trunk's allowed list, a native VLAN mismatch, or bad SSID-to-VLAN mapping.
- 802.1Q tags frames with a 12-bit VLAN ID (1-4094); the native VLAN is the single untagged VLAN on a trunk and must match both ends.
- STP blocks redundant ports to break loops; BPDU guard err-disables an edge port that unexpectedly receives a BPDU.
- ACLs can make a healthy route look broken because the packet is dropped after the forwarding decision.
- Layer 2 troubleshooting checks both switch configuration and the actual path a frame takes hop by hop.
VLAN, STP, Trunks, and ACLs
Switching problems create selective failures, and that selectivity is the clue. One desk jack cannot reach printers, one VLAN never gets DHCP, a server works on one switch but not another, or a guest SSID drops users into the wrong subnet. These narrow symptoms point at VLAN assignment, trunking, Spanning Tree Protocol (STP), or filtering rather than a whole-site outage.
VLAN Assignment Problems
A Virtual LAN (VLAN) is a Layer 2 broadcast domain identified by a 12-bit ID from 1 to 4094 (VLAN 1 is the default; 0 and 4095 are reserved). An access port carries exactly one VLAN untagged toward the endpoint.
| Symptom | Likely issue |
|---|---|
| Device gets an address from the wrong subnet | Access port in wrong VLAN or bad SSID-to-VLAN mapping |
| New VLAN works on one switch, not another | VLAN not created, not active, or not trunked across the path |
| Phone works but attached PC does not | Voice VLAN configured, data VLAN missing on the port |
| DHCP fails only on one VLAN | VLAN path, relay, scope, or ACL on that VLAN |
| Works in one jack but not another | Port VLAN, port security, cabling, or config drift |
Verify the actual port the device lands on. Documentation goes stale and patch panels rarely map cleanly to the expected switch port. Confirm with show interface status and show vlan brief before changing anything. A common trap: a phone passes a tagged voice VLAN and an untagged data VLAN on one port, so if only the data VLAN is missing from the port config the phone registers fine but the daisy-chained PC gets no address. Treat "phone works, PC does not" as a port-VLAN clue, not a cabling fault.
Trunk and Native VLAN Issues
A trunk carries multiple VLANs between switches, routers, firewalls, hypervisors, or access points using IEEE 802.1Q tagging, which inserts a 4-byte tag holding the VLAN ID. The native VLAN is the one VLAN sent untagged across a trunk; both ends must agree on its number or untagged frames land in the wrong VLAN.
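The tag format and the native VLAN rule above are easier to see on real bytes. The following Python is an added example, not part of these notes or any vendor's code: it builds and parses Ethernet frames with an 802.1Q tag, shows how a trunk port classifies an arriving frame (tagged frames take the VLAN in the tag, untagged frames take the port's native VLAN), and reproduces the mismatch case where one side sends VLAN 10 untagged and the other side files it under its own native VLAN 20. The MAC addresses, VLAN numbers, and allowed lists are constructed for the demonstration.

```python
import struct
from typing import Optional, Set

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
ETH_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)
TAG_LEN = 4           # TPID (2) + TCI (2): 3-bit PCP, 1-bit DEI, 12-bit VID


def build_frame(dst: str, src: str, vlan: Optional[int] = None, pcp: int = 0,
                ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Construct an Ethernet frame, inserting an 802.1Q tag when a VLAN is given."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN ID (None if untagged or priority-tagged), PCP, inner EtherType, payload."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "pcp": None}
    offset = ETH_HDR_LEN
    if ethertype == TPID_8021Q:
        if len(frame) < ETH_HDR_LEN + TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[ETH_HDR_LEN:ETH_HDR_LEN + TAG_LEN])
        vid = tci & 0x0FFF
        if vid == 4095:
            raise ValueError("VLAN ID 4095 is reserved")
        info["pcp"] = tci >> 13
        info["vlan"] = vid if vid != 0 else None   # VID 0 carries priority only, no VLAN
        offset += TAG_LEN
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def egress_on_trunk(dst: str, src: str, vlan: int, native_vlan: int) -> bytes:
    """A switch tags a frame onto a trunk unless it belongs to that trunk's native VLAN."""
    return build_frame(dst, src, None if vlan == native_vlan else vlan)


def classify_ingress(frame: bytes, native_vlan: int, allowed: Set[int]) -> Optional[int]:
    """VLAN the receiving trunk port assigns to the frame, or None if the VLAN is not allowed."""
    tag = parse_frame(frame)["vlan"]
    vlan = native_vlan if tag is None else tag
    return vlan if vlan in allowed else None


def demo_native_mismatch() -> Optional[int]:
    # Constructed scenario: switch A uses native VLAN 10, switch B uses native VLAN 20.
    # A sends VLAN 10 traffic untagged; B has no way to know and files it under VLAN 20.
    frame = egress_on_trunk("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", vlan=10, native_vlan=10)
    return classify_ingress(frame, native_vlan=20, allowed={10, 20, 30})


if __name__ == "__main__":
    print("untagged VLAN 10 frame lands in VLAN", demo_native_mismatch())
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", vlan=30, pcp=5)
    print("tagged frame:", parse_frame(tagged))
```

Tagged VLANs keep working in this model because the tag travels with the frame; only the untagged traffic is misfiled, which is exactly why a native VLAN mismatch is a selective failure rather than a dead link.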
| Trunk check | Why it matters |
|---|---|
| Both sides trunking where required | A static-access side drops or mis-handles tagged frames |
| Allowed VLAN list includes the needed VLAN | A pruned VLAN is blocked across that link |
| Native VLAN matches on both ends | Untagged traffic lands in the wrong VLAN if mismatched |
| VLAN exists and is active | Some platforms will not forward an absent/inactive VLAN |
| AP/hypervisor tagging matches the switch | Virtual or wireless clients map to the wrong VLAN |
A native VLAN mismatch is dangerous precisely because it does not break every flow; tagged VLANs keep working while untagged management or voice traffic crosses into the wrong domain, which can also raise security alerts. Cisco logs this as a CDP/native-VLAN mismatch.
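The VLAN assignment table and the trunk checklist above are the same checks applied to two kinds of ports, so one script can walk both. This Python is an added example, not part of these notes or of any switch vendor's tooling: it models each port's configuration as you would read it from show interface status, show vlan brief and the trunk status output, then reports every reason a VLAN would fail to cross the path, including the "phone works, PC does not" case where the voice VLAN is present but the data VLAN is wrong. Switch names, port names, VLAN numbers and allowed lists are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Port:
    switch: str
    name: str
    mode: str                     # "access" or "trunk"
    access_vlan: int = 1          # data VLAN on an access port
    voice_vlan: Optional[int] = None
    native_vlan: int = 1          # untagged VLAN on a trunk
    allowed: frozenset = frozenset(range(1, 4095))   # trunk allowed list; default is all

    def __str__(self) -> str:
        return f"{self.switch} {self.name}"


def check_access_port(port: Port, data_vlan: int, voice_vlan: Optional[int] = None) -> List[str]:
    """Compare what the real port carries with what the desk needs."""
    findings = []
    if port.mode != "access":
        return [f"{port}: mode is {port.mode}, expected access"]
    if port.access_vlan != data_vlan:
        note = f" (voice VLAN {port.voice_vlan} present: phone works, PC does not)" if port.voice_vlan else ""
        findings.append(f"{port}: data VLAN is {port.access_vlan}, expected {data_vlan}{note}")
    if voice_vlan is not None and port.voice_vlan != voice_vlan:
        findings.append(f"{port}: voice VLAN is {port.voice_vlan}, expected {voice_vlan}")
    return findings


def check_trunk_path(vlan: int, links: List[Tuple[Port, Port]],
                     vlan_state: Dict[str, Dict[int, str]]) -> List[str]:
    """Walk each inter-switch link and report anything that stops `vlan` crossing it.
    vlan_state maps switch name -> {vlan id: "active" | "suspend"}, as show vlan brief reports."""
    findings, checked = [], set()
    for a, b in links:
        for side in (a, b):
            if side.switch not in checked:          # VLAN must exist and be active on every switch
                checked.add(side.switch)
                state = vlan_state.get(side.switch, {}).get(vlan)
                if state != "active":
                    findings.append(f"{side.switch}: VLAN {vlan} is {state or 'not created'}")
            if side.mode != "trunk":
                findings.append(f"{side}: not trunking (mode {side.mode})")
            elif vlan not in side.allowed:
                findings.append(f"{side}: VLAN {vlan} not in allowed list")
        if a.mode == "trunk" and b.mode == "trunk" and a.native_vlan != b.native_vlan:
            findings.append(f"{a} <-> {b}: native VLAN mismatch ({a.native_vlan} vs {b.native_vlan})")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    # Constructed scenario: VLAN 30 is new on SW1 but was never created on SW2,
    # SW2's downlink prunes it, and the two ends disagree on the native VLAN.
    sw1_uplink = Port("SW1", "Gi1/0/48", "trunk", native_vlan=1)
    sw2_downlink = Port("SW2", "Gi1/0/1", "trunk", native_vlan=99, allowed=frozenset({1, 10, 20}))
    vlan_state = {
        "SW1": {1: "active", 10: "active", 20: "active", 30: "active"},
        "SW2": {1: "active", 10: "active", 20: "active"},
    }
    path_findings = check_trunk_path(30, [(sw1_uplink, sw2_downlink)], vlan_state)
    # Desk port: voice VLAN 20 is there, but the data VLAN was left at the default of 1.
    desk = Port("SW1", "Gi1/0/7", "access", access_vlan=1, voice_vlan=20)
    desk_findings = check_access_port(desk, data_vlan=10, voice_vlan=20)
    return path_findings, desk_findings


if __name__ == "__main__":
    for line in demo()[0] + demo()[1]:
        print(line)
```

The order of the checks mirrors the troubleshooting sequence in the notes: existence and state of the VLAN on each switch, then trunking mode, then the allowed list, then native VLAN agreement across the link.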
STP Issues
Spanning Tree Protocol prevents Layer 2 loops by electing a root bridge (lowest bridge ID) and blocking redundant links. Blocking is normal and protective.
| STP clue | Meaning |
|---|---|
| A redundant port is blocking | STP is preventing a loop on that path |
| Root bridge changed unexpectedly | A lower-priority switch joined; traffic paths shift |
| Port err-disabled after a BPDU on an edge | BPDU guard shut it down for protection |
| Loop guard / root guard triggered | Protection feature saw an unexpected topology |
| Broadcast storm, MAC table instability | A loop exists where STP is missing or disabled |
Never "fix" a blocked link by disabling STP. Find why the role or topology changed first; PortFast plus BPDU guard belong on edge ports facing endpoints, not on inter-switch links.
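To make "blocking is normal" and "the root bridge changed unexpectedly" concrete, the following Python is an added example, not part of these notes or of any vendor's STP implementation. It elects the root by lowest bridge ID (priority, then MAC), assigns root, designated and blocking roles on a small triangle of switches using the standard tie-breakers (lowest root path cost, then lowest bridge ID), and then shows what happens when a switch with a lower priority is plugged in: the root moves and a different port blocks. A small edge-port model shows BPDU guard err-disabling the port versus PortFast alone falling back to normal STP. All switch names, MACs, priorities and path costs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # configurable part of the bridge ID (default 32768, steps of 4096)
    mac: str

    @property
    def bridge_id(self) -> Tuple[int, int]:
        # Bridge ID compares priority first, then MAC; the lowest value is the root
        return (self.priority, int(self.mac.replace(":", ""), 16))


def elect_root(bridges: List[Bridge]) -> Bridge:
    return min(bridges, key=lambda b: b.bridge_id)


def port_roles(bridges: List[Bridge], links: List[Tuple[str, str, int]]):
    """Return (root name, {(bridge, neighbour): role}). links are (bridge, bridge, path cost)."""
    by_name = {b.name: b for b in bridges}
    root = elect_root(bridges)
    # Root path cost: relax every link until stable (topologies here are tiny)
    rpc = {b.name: float("inf") for b in bridges}
    rpc[root.name] = 0
    for _ in range(len(bridges)):
        for a, b, cost in links:
            rpc[a] = min(rpc[a], rpc[b] + cost)
            rpc[b] = min(rpc[b], rpc[a] + cost)
    bid = lambda name: by_name[name].bridge_id
    # Root port: the neighbour offering the lowest root path cost (tie: lowest neighbour bridge ID)
    root_port: Dict[str, Tuple] = {}
    for a, b, cost in links:
        for me, nbr in ((a, b), (b, a)):
            if me == root.name:
                continue
            candidate = (rpc[nbr] + cost, bid(nbr), nbr)
            if me not in root_port or candidate < root_port[me]:
                root_port[me] = candidate
    roles = {}
    for a, b, cost in links:
        # Designated end of each segment: lowest root path cost, then lowest bridge ID
        designated = a if (rpc[a], bid(a)) < (rpc[b], bid(b)) else b
        for me, nbr in ((a, b), (b, a)):
            if me == designated:
                roles[(me, nbr)] = "designated"
            elif root_port[me][2] == nbr:
                roles[(me, nbr)] = "root"
            else:
                roles[(me, nbr)] = "blocking"   # redundant path: this is the loop being prevented
    return root.name, roles


@dataclass
class EdgePort:
    name: str
    portfast: bool = True
    bpdu_guard: bool = True
    state: str = "forwarding"


def receive_bpdu(port: EdgePort) -> str:
    """What an endpoint-facing port does when a BPDU arrives on it."""
    if port.bpdu_guard:
        port.state = "err-disabled"     # stays down until errdisable recovery or a manual shut/no shut
    else:
        port.portfast = False           # PortFast alone: the port drops back to normal STP timers
        port.state = "listening"
    return port.state


def demo():
    core = [Bridge("SW1", 32768, "00:00:00:00:00:01"),
            Bridge("SW2", 32768, "00:00:00:00:00:02"),
            Bridge("SW3", 32768, "00:00:00:00:00:03")]
    links = [("SW1", "SW2", 4), ("SW1", "SW3", 4), ("SW2", "SW3", 4)]
    before = port_roles(core, links)
    # A lab switch with priority 4096 is plugged into SW3: it wins the election and paths shift
    rogue = Bridge("LAB", 4096, "00:00:00:00:00:ff")
    after = port_roles(core + [rogue], links + [("LAB", "SW3", 4)])
    return before, after


if __name__ == "__main__":
    for root, roles in demo():
        print("root:", root, {k: v for k, v in roles.items() if v == "blocking"})
    print(receive_bpdu(EdgePort("Gi1/0/12")))
```

With equal priorities the lowest MAC wins, which is why an unplanned root is so common: set the intended root's priority explicitly rather than relying on the MAC tie-breaker.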
ACL Filtering
An Access Control List (ACL) lives on routers, Layer 3 switches, firewalls, and wireless controllers. Because the drop happens after the forwarding decision, a perfectly good route can look broken. ACLs are evaluated top-down with an implicit deny any at the end, so rule order matters.
| ACL symptom | Likely clue |
|---|---|
| Ping works but the app port fails | ICMP permitted, TCP/UDP port denied |
| One subnet reaches a server, another cannot | Source network missing from a permit rule |
| Return traffic fails | Stateless ACL lacks the reverse-direction rule |
| New VLAN cannot reach DNS or the DHCP relay | Infrastructure services not permitted |
| Logs show deny hits | Policy is dropping traffic by design |
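Every row of that table comes from the same two facts: first match top-down wins, and anything unmatched hits the implicit deny. The following Python is an added example, not part of these notes or of any router's ACL engine: it evaluates a small stateless ACL against constructed packets and reproduces the symptoms above (ping permitted but the application port denied, a second subnet missing from the permit, DNS never permitted for the new VLAN, and a reply dropped because the reverse direction has no rule), while counting hits per rule the way a hit-counter column would. The addresses, ports and ACL rules are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (matches any protocol), "icmp", "tcp", "udp"
    src: str                     # CIDR or "any"
    dst: str
    dport: Optional[int] = None  # destination port; None = any port
    hits: int = 0                # what a hit-counter column would show


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in _net(rule.src) or ip_address(pkt.dst) not in _net(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match top-down wins; falling off the end is the implicit deny any (index None)."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            rule.hits += 1
            return rule.action, index
    return "deny", None


def session_allowed(request_acl: List[Rule], reply_acl: List[Rule], client: str,
                    server: str, port: int, client_port: int = 51000) -> Tuple[bool, str, str]:
    """A stateless ACL sees the reply as a brand-new packet, so it needs its own permit."""
    request, _ = evaluate(request_acl, Packet("tcp", client, server, port))
    reply, _ = evaluate(reply_acl, Packet("tcp", server, client, client_port))
    return request == "permit" and reply == "permit", request, reply


# Constructed example: one ACL inbound on the VLAN 30 gateway, another inbound on the
# server VLAN gateway that the replies must pass on their way back.
VLAN30_IN = [
    Rule("permit", "icmp", "10.30.0.0/24", "any"),
    Rule("permit", "tcp", "10.30.0.0/24", "10.0.0.10/32", 443),
    # no rule for UDP 53 (DNS) or UDP 67 (DHCP relay): the implicit deny handles them
]
SERVER_VLAN_IN = [
    Rule("permit", "tcp", "10.0.0.0/24", "10.0.0.0/24"),   # nothing back toward 10.30.0.0/24
]


def demo() -> dict:
    return {
        "ping": evaluate(VLAN30_IN, Packet("icmp", "10.30.0.5", "10.0.0.10"))[0],
        "https": evaluate(VLAN30_IN, Packet("tcp", "10.30.0.5", "10.0.0.10", 443))[0],
        "alt-https": evaluate(VLAN30_IN, Packet("tcp", "10.30.0.5", "10.0.0.10", 8443))[0],
        "dns": evaluate(VLAN30_IN, Packet("udp", "10.30.0.5", "10.0.0.53", 53))[0],
        "other-subnet": evaluate(VLAN30_IN, Packet("tcp", "10.40.0.5", "10.0.0.10", 443))[0],
        "session": session_allowed(VLAN30_IN, SERVER_VLAN_IN, "10.30.0.5", "10.0.0.10", 443)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13} {verdict}")
    for rule in VLAN30_IN:
        print(f"{rule.action} {rule.proto} {rule.src} -> {rule.dst} ({rule.hits} matches)")
```

The hit counters are the quickest confirmation in practice: a deny rule whose counter climbs while the application is tested is the policy working as written, not a routing fault.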
Practical Troubleshooting Flow
- Identify source port, VLAN, IP subnet, and the destination.
- Verify the access VLAN or SSID-to-VLAN mapping on the real port.
- Check trunk allowed VLANs and native VLAN on every hop.
- Review STP role, state, and protection events (show spanning-tree).
- Test the gateway and the routed path.
- Read ACLs and hit-counters for denied traffic.
Exam Focus
For N10-009: a wrong subnet right after plugging in is usually VLAN assignment; a VLAN that works locally but not across switches is a trunk or allowed-VLAN issue; a blocked redundant link is normal STP; and a selective service failure on an otherwise routable path is frequently an ACL, not a route.
A new VLAN works on one access switch but cannot reach the distribution switch. Other VLANs on the same trunk work fine. What should be checked first?
An access port connected to an unmanaged switch goes err-disabled immediately after receiving BPDUs. Which protection feature is most likely involved?
Which items should be verified when troubleshooting an 802.1Q trunk carrying multiple VLANs? Select three.