VLANs, Access Ports, Trunks, and Native VLAN
Key Takeaways
- A VLAN (Virtual Local Area Network) is a logical Layer 2 broadcast domain; one switch can host many VLANs.
- Access ports carry one untagged data VLAN (plus an optional voice VLAN) and face endpoints.
- Trunk ports carry many VLANs using IEEE 802.1Q tags, with one VLAN sent untagged as the native VLAN.
- The native VLAN must match on both ends of an 802.1Q trunk or untagged traffic can land in the wrong VLAN.
- Switching is pure Layer 2; communication between different VLANs always needs a Layer 3 gateway.
Switching in Domain 2
Switching sits inside Domain 2, Network Implementation, which is 20% of the CompTIA Network+ N10-009 exam (launched June 2024, active through roughly 2027). The exam delivers a maximum of 90 questions in 90 minutes; the passing score is 720 on a 100-900 scale. VLAN, trunk, and native-VLAN logic shows up in both multiple-choice items and performance-based questions (PBQs), so it is worth deep mastery.
The N10-009 domain weights (current as of 2026) are:
| Domain | Weight |
|---|---|
| 1.0 Networking Concepts | 23% |
| 2.0 Network Implementation | 20% |
| 3.0 Network Operations | 19% |
| 4.0 Network Security | 14% |
| 5.0 Network Troubleshooting | 24% |
What a VLAN Actually Does
A VLAN (Virtual Local Area Network) is a logical Layer 2 segment defined in switch software. Every VLAN is its own broadcast domain: an ARP request or DHCP Discover sent in VLAN 10 never reaches VLAN 20 at Layer 2. VLANs are identified by a 12-bit ID, so the usable range is 1-4094 (VLAN 0 and 4095 are reserved). VLAN 1 is the default: every port starts in it and, on Cisco switches, control protocols such as CDP, VTP and DTP ride on it, so it should be avoided for production traffic.
| VLAN concept | Meaning | Common exam clue |
|---|---|---|
| VLAN ID | 1-4094 numeric tag for the segment | VLAN 10 data, 20 voice, 30 servers |
| Broadcast domain | Scope of Layer 2 broadcast/flooding | ARP/DHCP stays inside the VLAN |
| Access port | One untagged data VLAN toward an endpoint | PC, printer, camera |
| Trunk port | Carries many tagged VLANs | switch-to-switch, switch-to-router |
| Allowed VLAN list | VLANs permitted to cross a trunk | only the omitted VLAN fails; the trunk stays up |
| Native VLAN | Untagged VLAN on an 802.1Q trunk | mismatch causes leakage |
Access vs Trunk Ports
An access port belongs to a single data VLAN: frames travel untagged between it and the endpoint, and the switch assigns them to the port's VLAN on ingress. A trunk port carries multiple VLANs by inserting a 4-byte 802.1Q tag after the source MAC address: a 2-byte TPID of 0x8100 followed by a 2-byte TCI holding a 3-bit priority (PCP), a 1-bit drop-eligible indicator (DEI), and the 12-bit VLAN ID. Frames belonging to the native VLAN are the exception and cross the trunk untagged.
| Feature | Access port | Trunk port |
|---|---|---|
| VLANs carried | One data VLAN (+ optional voice) | Many VLANs |
| Tagging | Untagged toward endpoint | 802.1Q tagged except native |
| Typical neighbor | PC, phone, printer, camera, AP | switch, router, firewall, hypervisor |
| Failure symptom | Endpoint in wrong subnet | one or more VLANs fail on uplink |
Worked example: A VoIP phone with a PC daisy-chained behind it uses one physical access port configured with a data VLAN (e.g., 10) for the PC and a voice VLAN (e.g., 20) for the phone. The phone tags its own traffic with VLAN 20 while the PC frames stay untagged in VLAN 10 - this is the one common case where a single access edge port effectively handles two VLANs without being a full trunk.
The Native VLAN
On an 802.1Q trunk, exactly one VLAN is sent untagged - the native VLAN (default VLAN 1). Both ends must agree on which VLAN is native.
| Native VLAN issue | Result |
|---|---|
| Native mismatch (VLAN 1 vs VLAN 99) | Frames sent untagged as VLAN 1 by one switch are classified into VLAN 99 by the other (and vice versa); this is how untagged traffic hops VLANs |
| Production user VLAN as native | An attacker's untagged frames arriving on the trunk land among users; the classic double-tagging VLAN hop also relies on the native VLAN being one the attacker can reach |
| VLAN missing from allowed list | Tagged traffic for that VLAN is dropped, trunk still up |
| One side access, one side trunk | Untagged frames from the access side land in the trunk side's native VLAN, so only the access VLAN can pass, and only if it equals that native VLAN; tagged frames from the trunk side are dropped |
A security best practice the exam rewards: set the native VLAN to an unused, dedicated ID on both ends, and keep that ID off every access port, so no production traffic is ever untagged on the trunk. Where the platform supports it, tagging the native VLAN as well (Cisco IOS: `vlan dot1q tag native`) removes untagged traffic from the trunk entirely.
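The tag layout from the access-vs-trunk discussion and the native-VLAN scenarios in the table above, modelled in memory as an added example (this is not code from the original page). The class and function names and the sample frame bytes are constructed for illustration; the port behaviour follows the common defaults the page describes: an untagged frame on a trunk belongs to the receiving end's native VLAN, and VLANs outside the allowed list are dropped.

```python
"""802.1Q tagging and switchport behaviour, modelled in memory.
Added example, not part of the original page. Names and the sample frame
are constructed for illustration; no packets are sent anywhere."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces a 4-byte 802.1Q tag


def is_valid_vid(vid):
    """The VID field is 12 bits; 0 and 4095 are reserved, so 1-4094 are usable."""
    return 1 <= vid <= 4094


def add_tag(frame, vid, pcp=0, dei=0):
    """Insert the 4-byte tag after the 12-byte dst/src MAC header.
    Tag = TPID (0x8100) + TCI, where TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not is_valid_vid(vid):
        raise ValueError(f"VLAN {vid} is reserved and cannot be tagged")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame):
    """Return (vid, pcp, frame_without_tag); vid is None for an untagged frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


class AccessPort:
    """Edge port: one untagged VLAN toward the endpoint."""
    def __init__(self, vlan):
        self.vlan = vlan

    def egress(self, vid, frame):
        return frame if vid == self.vlan else None  # own VLAN only, always untagged

    def ingress(self, wire_frame):
        vid, _pcp, frame = parse_tag(wire_frame)
        # Untagged frames are classified into the access VLAN; a tag is only
        # accepted if it already names that VLAN.
        return (self.vlan, frame) if vid is None or vid == self.vlan else None


class TrunkPort:
    """Uplink port: many tagged VLANs, one untagged native VLAN."""
    def __init__(self, native_vlan=1, allowed=None):
        self.native_vlan = native_vlan
        self.allowed = allowed  # None means every VLAN is allowed

    def permits(self, vid):
        return self.allowed is None or vid in self.allowed

    def egress(self, vid, frame):
        if not self.permits(vid):
            return None  # pruned from the allowed list: silently dropped
        if vid == self.native_vlan:
            return frame  # native VLAN crosses the trunk untagged
        return add_tag(frame, vid)

    def ingress(self, wire_frame):
        vid, _pcp, frame = parse_tag(wire_frame)
        if vid is None:
            vid = self.native_vlan  # untagged -> THIS end's native VLAN
        return (vid, frame) if self.permits(vid) else None


def carry(tx, rx, vid, frame):
    """Send one frame of VLAN `vid` from port tx to port rx; return the VLAN it
    is classified into on arrival, or None if it is dropped on the way."""
    wire = tx.egress(vid, frame)
    if wire is None:
        return None
    arrived = rx.ingress(wire)
    return None if arrived is None else arrived[0]


# Constructed sample frame (not a capture): broadcast dst MAC, locally
# administered src MAC, EtherType 0x0800 (IPv4), 46 zero payload bytes.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0200deadbeef" "0800") + b"\x00" * 46


def demo():
    """Reproduce the scenarios from the native-VLAN table."""
    matched = (TrunkPort(native_vlan=99), TrunkPort(native_vlan=99))
    mismatched = (TrunkPort(native_vlan=1), TrunkPort(native_vlan=99))
    pruned = (TrunkPort(99, allowed={10, 20, 99}), TrunkPort(99, allowed={10, 20, 99}))
    return {
        "vlan_10_tagged": carry(*matched, 10, SAMPLE_FRAME),      # 10
        "native_matched": carry(*matched, 99, SAMPLE_FRAME),      # 99
        "native_mismatch": carry(*mismatched, 1, SAMPLE_FRAME),   # 99: VLAN 1 leaks into 99
        "vlan_30_not_allowed": carry(*pruned, 30, SAMPLE_FRAME),  # None: dropped, trunk still up
        "access_into_trunk": carry(AccessPort(10), TrunkPort(1), 10, SAMPLE_FRAME),  # 1
    }


if __name__ == "__main__":
    for name, vlan in demo().items():
        print(f"{name:20} -> {vlan}")
```

The `native_mismatch` case is the leak the table warns about: the sending switch has nothing to tag because VLAN 1 is its native VLAN, and the receiving switch has no tag to read, so it files the frame under its own native VLAN 99. The `access_into_trunk` case shows why an access/trunk mismatch only "works" when the access VLAN happens to equal the far end's native VLAN.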
Inter-VLAN Routing
Switching never forwards between VLANs by itself - that is a Layer 3 function. A host in VLAN 10 reaching a host in VLAN 20 must traverse a router, multilayer switch, or firewall.
| Design | How it routes |
|---|---|
| Router-on-a-stick | One physical link as a trunk; router subinterfaces tag each VLAN |
| Multilayer (Layer 3) switch | Switch Virtual Interfaces (SVIs) act as each VLAN's gateway |
| Firewall gateway | Firewall interfaces/subinterfaces route and enforce policy |
If VLANs are configured correctly but cross-VLAN traffic fails, look for a missing or misconfigured default gateway on the host or a missing SVI/subinterface.
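The gateway decision described in this section, with the three failure modes named above (missing default gateway, wrong default gateway, missing SVI or subinterface), as an added example that is not code from the original page. The gateway stands for either a router-on-a-stick or a multilayer switch, since the forwarding decision is the same; the hosts, addresses, VLAN IDs and helper names are constructed for illustration.

```python
"""Inter-VLAN routing through a Layer 3 gateway, modelled with ipaddress.
Added example, not from the original page. Hosts, addresses, VLAN IDs and
helper names are constructed for illustration; nothing is sent on a network."""
import ipaddress


class Host:
    def __init__(self, vlan, cidr, gateway=None):
        self.vlan = vlan
        self.iface = ipaddress.ip_interface(cidr)
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def next_hop(self, dst):
        """A host's only Layer 3 decision: on-subnet -> ARP for dst directly,
        off-subnet -> hand it to the default gateway (None if none is set)."""
        return dst if dst in self.iface.network else self.gateway


class L3Gateway:
    """One routed interface per VLAN: a subinterface on a router-on-a-stick
    or an SVI on a multilayer switch."""
    def __init__(self):
        self.ifaces = {}  # vlan_id -> routed interface address

    def add_interface(self, vlan, cidr):
        self.ifaces[vlan] = ipaddress.ip_interface(cidr)

    def route(self, dst):
        """Connected-route lookup: return the VLAN whose subnet holds dst."""
        for vlan, iface in self.ifaces.items():
            if dst in iface.network:
                return vlan
        return None


def deliver(src, dst_ip, gw):
    """Trace one packet from src toward dst_ip. Returns (outcome, vlan):
    ("local", vlan)          delivered at Layer 2 inside the source VLAN
    ("routed", vlan)         crossed the gateway into the destination VLAN
    ("no_gateway", None)     host has no default gateway for off-subnet traffic
    ("wrong_gateway", None)  gateway address is not the routed interface in this VLAN
    ("no_route", None)       gateway has no SVI/subinterface in the destination subnet"""
    dst = ipaddress.ip_address(dst_ip)
    hop = src.next_hop(dst)
    if hop is None:
        return "no_gateway", None
    if hop == dst:
        return "local", src.vlan
    # Off-subnet: the frame is addressed to the gateway. That only works if the
    # gateway really owns that address on a routed interface in the host's own
    # VLAN; the switch will not carry the frame into another VLAN to find it.
    svi = gw.ifaces.get(src.vlan)
    if svi is None or svi.ip != hop:
        return "wrong_gateway", None
    egress = gw.route(dst)
    if egress is None:
        return "no_route", None
    return "routed", egress


def demo():
    gw = L3Gateway()
    gw.add_interface(10, "10.0.10.1/24")  # VLAN 10 gateway
    gw.add_interface(20, "10.0.20.1/24")  # VLAN 20 gateway
    # VLAN 30 exists at Layer 2 but nobody configured an SVI/subinterface for it.
    pc = Host(10, "10.0.10.50/24", gateway="10.0.10.1")
    no_gw = Host(10, "10.0.10.51/24")                        # missing default gateway
    bad_gw = Host(10, "10.0.10.52/24", gateway="10.0.20.1")  # another VLAN's gateway
    return {
        "same_vlan": deliver(pc, "10.0.10.99", gw),
        "vlan10_to_vlan20": deliver(pc, "10.0.20.7", gw),
        "missing_gateway": deliver(no_gw, "10.0.20.7", gw),
        "wrong_gateway": deliver(bad_gw, "10.0.20.7", gw),
        "missing_svi": deliver(pc, "10.0.30.7", gw),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

Only `same_vlan` succeeds without the gateway; every other case goes through it, and each of the three failures maps to one item on the troubleshooting checklist above.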
PBQ Decision Table
| Requirement | Correct switchport choice |
|---|---|
| User PC, single subnet | Access port, that VLAN |
| IP phone + attached PC | Voice VLAN + data access VLAN |
| Link between two switches | Trunk, allow required VLANs |
| Link to router-on-a-stick | Trunk, allow all routed VLANs |
| Switch management | Management VLAN + correct gateway |
Troubleshooting Logic and Traps
Scope the problem first. If one endpoint lands in the wrong subnet, suspect that port's access VLAN - not DHCP. If one whole VLAN fails across an uplink while others work, suspect the trunk allowed list or native VLAN, not the physical cable.
| Trap | Better reasoning |
|---|---|
| Put every port in trunk mode | Edge ports should be access ports |
| Forget the allowed VLAN list | A trunk can be up while one VLAN is blocked |
| Treat a VLAN as a router | VLANs separate Layer 2; routing needs Layer 3 |
| Ignore native VLAN consistency | Mismatch breaks untagged traffic and risks hopping |
| Fix DHCP before VLAN | Wrong VLAN usually causes the wrong DHCP scope |
Practice Questions
- Which switchport mode is normally used for a workstation connected to a single user VLAN?
- A trunk link is up, but VLAN 30 traffic does not cross it while other VLANs work. What should be checked first?
- Which statements about VLANs are correct? Select two.