VLANs, Access Ports, Trunks, and Native VLAN
Key Takeaways
- VLANs create separate Layer 2 broadcast domains on switches.
- Access ports carry traffic for one VLAN and are used for endpoint connections.
- Trunk ports carry multiple VLANs using tags, commonly 802.1Q.
- The native VLAN is carried untagged on an 802.1Q trunk and should be configured consistently.
- VLAN implementation questions often combine switchport mode, allowed VLAN lists, native VLANs, and default gateway settings.
Switching is a major part of Domain 2, Network Implementation, which is 20% of the CompTIA Network+ N10-009 exam. VLANs are one of the most common implementation topics because they affect segmentation, broadcast scope, addressing, gateways, trunks, and troubleshooting.
The current 2026 Network+ domain weights are:
| Domain | Weight |
|---|---|
| Networking Concepts | 23% |
| Network Implementation | 20% |
| Network Operations | 19% |
| Network Security | 14% |
| Network Troubleshooting | 24% |
VLAN Purpose
A VLAN is a logical Layer 2 network. Devices in the same VLAN can communicate at Layer 2 if switch policy allows it. Devices in different VLANs need Layer 3 routing through a router, multilayer switch, or firewall.
| VLAN concept | Meaning | Common clue |
|---|---|---|
| VLAN ID | Numeric identifier for the logical network | VLAN 10 users, VLAN 20 voice, VLAN 30 servers |
| Broadcast domain | Scope of Layer 2 broadcasts | ARP broadcast stays inside the VLAN |
| Access port | Untagged endpoint port assigned to one VLAN | PC, printer, camera, access point management |
| Trunk port | Link carrying multiple VLANs | Switch-to-switch, switch-to-router, switch-to-AP |
| Allowed VLAN list | VLANs permitted across a trunk | Missing VLAN causes only that VLAN to fail |
| Native VLAN | Untagged VLAN on an 802.1Q trunk | Mismatch can cause leakage or management problems |
Access vs Trunk
| Feature | Access port | Trunk port |
|---|---|---|
| Number of VLANs | Usually one data VLAN, sometimes voice plus data | Multiple VLANs |
| Tagging | Frames are normally untagged toward endpoint | Frames are tagged except native VLAN |
| Typical device | Workstation, printer, phone, camera | Switch, router, firewall, hypervisor, AP |
| Misconfiguration symptom | Endpoint lands in wrong subnet | One or more VLANs fail across uplink |
IP phones are a common exception. A switchport may support a data VLAN for the attached PC and a voice VLAN for the phone. The exam may describe this as separate voice and data VLAN handling on the same access edge port.
Native VLAN
On an 802.1Q trunk, the native VLAN is untagged. Both sides of the trunk should agree on the native VLAN.
| Native VLAN issue | Result |
|---|---|
| Native VLAN mismatch | Untagged traffic may be placed into different VLANs on each end |
| Using a production user VLAN as native | Any untagged frame that arrives on the trunk is placed in the user VLAN, which raises risk |
| Missing VLAN from allowed list | Tagged traffic for that VLAN is not forwarded |
| One side access and one side trunk | Unpredictable connectivity or one VLAN only |
Inter-VLAN Routing
Switching alone does not route between VLANs. Hosts in VLAN 10 and VLAN 20 need a Layer 3 gateway.
| Design | Description |
|---|---|
| Router-on-a-stick | Router subinterfaces use 802.1Q tags for each VLAN |
| Multilayer switch | Switch virtual interfaces route between VLANs |
| Firewall gateway | Firewall interfaces or subinterfaces route and enforce policy |
PBQ Guidance
A PBQ may show these requirements:
| Requirement | Switchport choice |
|---|---|
| User PC in VLAN 10 | Access port VLAN 10 |
| IP phone with attached PC | Voice VLAN plus data access VLAN |
| Link between two switches | Trunk allowing required VLANs |
| Link to router-on-a-stick | Trunk allowing routed VLANs |
| Management interface for switch | Management VLAN and correct default gateway |
If only one department is down after a trunk change, compare allowed VLAN lists and native VLAN settings. If a single endpoint receives the wrong DHCP scope, check its access VLAN assignment.
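The trunk comparison described above can be automated. The following is an added example, not part of the original guide: it parses both ends of a link and reports mode, native VLAN, and allowed-list problems. It assumes Cisco IOS-style `switchport` lines and, as a simplification, defaults of access mode, native VLAN 1, and all VLANs allowed; the function names and sample configs are constructed for illustration.

```python
import re

def expand(spec: str) -> set:
    """Expand an allowed-VLAN spec such as '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_port(cfg: str) -> dict:
    """Parse IOS-style switchport lines (assumed syntax) for one interface."""
    # Assumed defaults: access mode, native VLAN 1, every VLAN allowed.
    port = {"mode": "access", "native": 1, "allowed": set(range(1, 4095))}
    for line in map(str.strip, cfg.splitlines()):
        if m := re.fullmatch(r"switchport mode (access|trunk)", line):
            port["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            port["native"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", line):
            port["allowed"] = expand(m.group(1))
    return port

def audit_trunk(a: dict, b: dict, required: set) -> list:
    """Return findings for one link, given both ends and the VLANs it must carry."""
    if a["mode"] != b["mode"]:
        # Trunk-only checks are meaningless when one end is an access port.
        return [f"mode mismatch: {a['mode']} vs {b['mode']}"]
    findings = []
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {a['native']} vs {b['native']}")
    for name, side in (("A", a), ("B", b)):
        missing = sorted(required - side["allowed"])
        if missing:
            findings.append(f"side {name} does not allow VLANs {missing}")
    return findings

# Constructed sample configs for the two ends of one switch-to-switch link.
SIDE_A = """switchport mode trunk
switchport trunk native vlan 99
switchport trunk allowed vlan 10,20,30"""
SIDE_B = """switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan 10,20"""

if __name__ == "__main__":
    for finding in audit_trunk(parse_port(SIDE_A), parse_port(SIDE_B), {10, 20, 30}):
        print(finding)
```

With the sample configs, the link stays up as a trunk on both ends, yet the audit flags the native VLAN disagreement and shows that only VLAN 30 is blocked, matching the "one department down" symptom.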
Common Traps
| Trap | Better reasoning |
|---|---|
| Put every endpoint port in trunk mode | Edge endpoint ports should normally be access ports |
| Forget the allowed VLAN list | A trunk can be up while one VLAN is blocked |
| Treat VLANs as routers | VLANs separate Layer 2; routing needs a Layer 3 gateway |
| Ignore native VLAN consistency | Native VLAN mismatch can break untagged traffic behavior |
| Fix DHCP before checking VLAN assignment | Wrong VLAN often causes wrong DHCP results |
Which switchport mode is normally used for a workstation connected to a single user VLAN?
A trunk link is up, but VLAN 30 traffic does not cross it. What should be checked first?
Which statements about VLANs are correct? Select two.