VLAN, Trunk, Router-on-a-Stick, and Firewall Rule Lab
Key Takeaways
- A VLAN design is incomplete until trunks, access ports, gateways, DHCP scopes, and security rules all agree.
- IEEE 802.1Q trunks carry multiple tagged VLANs between switches, routers, firewalls, and access points.
- Router-on-a-stick uses subinterfaces with matching 802.1Q tags to route between VLANs over one physical link.
- Firewall policy should be written as source, destination, service, action, and logging, evaluated top-down.
- PBQ (performance-based question) troubleshooting compares symptoms against VLAN membership, trunk allowed lists, native VLAN, gateways, and rule order.
VLAN and Firewall Design Lab
This lab combines Layer 2 segmentation, Layer 3 gateways, and security policy. In a PBQ you may place switchports into VLANs, mark a trunk, choose subinterfaces, and build firewall rules that allow only required traffic. CompTIA exam objectives 2.3 (VLANs and trunking) and 4.x (security) both surface here, so a single scenario can test multiple objectives at once.
A VLAN (Virtual Local Area Network) is a Layer 2 broadcast domain defined in switch software. Devices in different VLANs cannot talk without a Layer 3 device (router or firewall) routing between them.
Scenario
A small office has one router or firewall connected to a switch. The switch also connects to access points, phones, users, and servers.
| VLAN | Name | Subnet | Gateway | Purpose |
|---|---|---|---|---|
| 10 | Users | 172.20.10.0/24 | 172.20.10.1 | Employee workstations |
| 20 | Voice | 172.20.20.0/24 | 172.20.20.1 | IP phones |
| 30 | Servers | 172.20.30.0/24 | 172.20.30.1 | File, print, application servers |
| 40 | Guest | 172.20.40.0/24 | 172.20.40.1 | Internet-only wireless guests |
| 99 | Management | 172.20.99.0/24 | 172.20.99.1 | Switches, APs, firewall management |
Switch Port Plan
| Port type | Example ports | Required setting |
|---|---|---|
| User access | 1-20 | Access VLAN 10 |
| Phone plus PC | 21-28 | Data VLAN 10, voice VLAN 20 |
| Server access | 29-34 | Access VLAN 30 |
| AP uplink | 35-38 | Trunk allowing VLANs 10, 40, 99 |
| Router/firewall uplink | 48 | 802.1Q trunk allowing 10, 20, 30, 40, 99 |
An access port carries one untagged data VLAN (a phone-plus-PC port adds a tagged voice VLAN). A trunk port carries multiple tagged VLANs. The frame format adds a 4-byte 802.1Q tag containing a 12-bit VLAN ID (1-4094). A trunk allowed list that omits VLAN 40 explains why the guest SSID broadcasts but clients cannot reach the guest gateway.
Router-on-a-Stick Map
| Subinterface | Encapsulation | IP address |
|---|---|---|
| g0/0.10 | 802.1Q VLAN 10 | 172.20.10.1/24 |
| g0/0.20 | 802.1Q VLAN 20 | 172.20.20.1/24 |
| g0/0.30 | 802.1Q VLAN 30 | 172.20.30.1/24 |
| g0/0.40 | 802.1Q VLAN 40 | 172.20.40.1/24 |
| g0/0.99 | 802.1Q VLAN 99 | 172.20.99.1/24 |
If the physical interface is up but one VLAN cannot route, focus on that VLAN's tag, the trunk allowed list, the subinterface IP, and the host default gateway. The native VLAN (the VLAN sent untagged on the trunk) must match on both ends; otherwise the switches report a native VLAN mismatch and untagged frames leak from one VLAN into another across the trunk.
Firewall Rule Table
Most firewalls and access control lists evaluate rules top-down and stop at the first match. Order is therefore part of the answer.
| Order | Source | Destination | Service | Action | Log |
|---|---|---|---|---|---|
| 1 | Users | Servers | SMB, HTTPS, DNS as required | Allow | Yes |
| 2 | Voice | Call manager / voice gateway | SIP, RTP, DHCP, DNS, NTP | Allow | Yes |
| 3 | Guest | Internet | HTTP, HTTPS, DNS | Allow | Yes |
| 4 | Guest | Internal RFC1918 | Any | Deny | Yes |
| 5 | Management | Network devices | SSH, HTTPS, SNMP, syslog | Allow | Yes |
| 6 | Any | Any | Any | Deny (implicit) | Yes |
A broad deny above an allow breaks a service; a broad allow above a deny defeats segmentation. The final implicit deny should log so you can audit what was dropped.
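To make the top-down, first-match behaviour concrete, here is an added evaluator for the rule table above (example code, not part of the lab). It assumes the call manager lives in the Servers VLAN, "network devices" live in the Management VLAN, and "Internet" means any globally routable address; it also shows how a catch-all Guest allow placed above rule 4 defeats the guest segmentation.

```python
import ipaddress

# Constructed address map for the rule table's zones. Assumptions: the call manager
# sits in the Servers VLAN, "network devices" live in the Management VLAN, and
# "Internet" means any globally routable address.
ZONES = {
    "Users": ["172.20.10.0/24"], "Voice": ["172.20.20.0/24"],
    "Servers": ["172.20.30.0/24"], "Guest": ["172.20.40.0/24"],
    "Management": ["172.20.99.0/24"], "Network devices": ["172.20.99.0/24"],
    "Internal RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

def in_zone(ip, zone):
    addr = ipaddress.ip_address(ip)
    if zone == "Any":
        return True
    if zone == "Internet":
        return addr.is_global
    return any(addr in ipaddress.ip_network(n) for n in ZONES[zone])

# The lab's rule table in order: (source, destination, services, action).
RULES = [
    ("Users", "Servers", {"SMB", "HTTPS", "DNS"}, "Allow"),
    ("Voice", "Servers", {"SIP", "RTP", "DHCP", "DNS", "NTP"}, "Allow"),
    ("Guest", "Internet", {"HTTP", "HTTPS", "DNS"}, "Allow"),
    ("Guest", "Internal RFC1918", {"Any"}, "Deny"),
    ("Management", "Network devices", {"SSH", "HTTPS", "SNMP", "syslog"}, "Allow"),
    ("Any", "Any", {"Any"}, "Deny"),  # the implicit deny, written out so it logs
]

def evaluate(rules, src, dst, service):
    """Top-down, first match wins. Returns (rule number, action)."""
    for number, (s, d, services, action) in enumerate(rules, start=1):
        if in_zone(src, s) and in_zone(dst, d) and ("Any" in services or service in services):
            return number, action
    return len(rules) + 1, "Deny"  # platform implicit deny if no written rule matched

def broad_allow_above_deny(rules):
    """PBQ trap: a catch-all Guest allow inserted above the guest-to-internal deny."""
    return rules[:3] + [("Guest", "Any", {"Any"}, "Allow")] + rules[3:]

if __name__ == "__main__":
    flows = [("172.20.10.5", "172.20.30.5", "SMB"),   # users to file server
             ("172.20.40.7", "8.8.8.8", "HTTPS"),     # guest to the internet
             ("172.20.40.7", "172.20.30.5", "SMB")]   # guest to the file server
    for src, dst, svc in flows:
        print(f"{src} -> {dst} {svc}: table {evaluate(RULES, src, dst, svc)}, "
              f"misordered {evaluate(broad_allow_above_deny(RULES), src, dst, svc)}")
```

The third flow is the troubleshooting-matrix symptom "guest can browse but also reaches a file server": with the table as written it stops at rule 4 (Deny), while the misordered table matches the broad allow first.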
Troubleshooting Matrix
| Symptom | Likely check |
|---|---|
| User gets an APIPA (169.254.x.x) address | DHCP scope, DHCP relay, access VLAN, trunk path |
| Guest can browse but also reaches a file server | Guest-to-internal deny missing or ordered too low |
| Voice phones boot but cannot register | Voice VLAN, DHCP option 150, call manager reachability |
| AP management unreachable | AP mgmt VLAN tag, trunk allowed list, mgmt gateway |
| Only one VLAN works across a trunk | Native VLAN or allowed-VLAN mismatch, missing subinterface |
An APIPA address (169.254.0.0/16) means the client found no DHCP server, which points strongly at a missing DHCP relay (IP helper) or a broken trunk path rather than at a crashed DHCP server.
DHCP Relay Detail
DHCP discovery is a broadcast that does not cross a router by default. When the DHCP server sits in VLAN 30 but clients are in VLAN 10, configure an IP helper-address on the VLAN 10 gateway pointing to the server. Without it, VLAN 10 clients self-assign APIPA while VLAN 30 clients (same broadcast domain as the server) lease normally.
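The Switch Port Plan, Router-on-a-Stick Map, Troubleshooting Matrix and DHCP Relay Detail above all describe the same checklist: trunk tag, routed subinterface, host gateway, and DHCP relay must agree for each VLAN. The following added audit script (not part of the lab) walks that checklist for every VLAN in the table; it assumes port 48 is the trunk that matters for routing, a `{vlan: gateway}` map for the g0/0.x subinterfaces, and that every VLAN other than the server VLAN (30) needs an ip helper-address.

```python
import ipaddress

# Constructed model of the lab topology: VLAN subnets from the VLAN table, the
# router subinterface map, and the DHCP server placed in VLAN 30 as described
# in the DHCP Relay Detail section.
VLANS = {10: "172.20.10.0/24", 20: "172.20.20.0/24", 30: "172.20.30.0/24",
         40: "172.20.40.0/24", 99: "172.20.99.0/24"}
SUBINTERFACES = {10: "172.20.10.1", 20: "172.20.20.1", 30: "172.20.30.1",
                 40: "172.20.40.1", 99: "172.20.99.1"}  # g0/0.<vlan>, 802.1Q tag <vlan>
DHCP_SERVER_VLAN = 30

def audit_vlan(vlan, trunk_allowed, subinterfaces, host_gateway, helper_addresses):
    """Walk the PBQ checklist for one VLAN: trunk tag, subinterface, gateway, DHCP relay.
    trunk_allowed    - set of VLAN IDs allowed on the router uplink trunk (port 48)
    subinterfaces    - {vlan: gateway IP} configured on the router
    host_gateway     - default gateway configured on a client in this VLAN
    helper_addresses - set of VLAN IDs whose gateway carries an ip helper-address
    Returns a list of findings; an empty list means the VLAN should route and lease.
    """
    net = ipaddress.ip_network(VLANS[vlan])
    findings = []
    if vlan not in trunk_allowed:
        findings.append(f"VLAN {vlan} missing from the trunk allowed list: tagged frames never reach the router")
    sub = subinterfaces.get(vlan)
    if sub is None:
        findings.append(f"VLAN {vlan} has no g0/0.{vlan} subinterface: nothing routes it")
    elif ipaddress.ip_address(sub) not in net:
        findings.append(f"g0/0.{vlan} address {sub} is outside {net}")
    gw = ipaddress.ip_address(host_gateway)
    if gw not in net:
        findings.append(f"host gateway {host_gateway} is from the wrong subnet ({net})")
    elif sub is not None and gw != ipaddress.ip_address(sub):
        findings.append(f"host gateway {host_gateway} does not match subinterface {sub}")
    if vlan != DHCP_SERVER_VLAN and vlan not in helper_addresses:
        findings.append(f"no ip helper-address on the VLAN {vlan} gateway: clients will self-assign 169.254.x.x")
    return findings

def audit_design(trunk_allowed, subinterfaces, host_gateways, helper_addresses):
    """Audit every VLAN in the table; returns {vlan: [findings]}."""
    return {v: audit_vlan(v, trunk_allowed, subinterfaces, host_gateways[v], helper_addresses)
            for v in VLANS}

# A correct design next to one that hits three PBQ traps: VLAN 40 dropped from the
# trunk, a VLAN 10 host pointed at the VLAN 30 gateway, and relay forgotten on VLAN 10.
GOOD = dict(trunk_allowed={10, 20, 30, 40, 99}, subinterfaces=SUBINTERFACES,
            host_gateways=dict(SUBINTERFACES), helper_addresses={10, 20, 40, 99})
BROKEN = dict(trunk_allowed={10, 20, 30, 99}, subinterfaces=SUBINTERFACES,
              host_gateways={**SUBINTERFACES, 10: "172.20.30.1"}, helper_addresses={20, 40, 99})

if __name__ == "__main__":
    for vlan, findings in audit_design(**BROKEN).items():
        print(vlan, findings or "ok")
```

Running the BROKEN design reproduces two matrix rows at once: VLAN 10 shows the APIPA symptom and the wrong-subnet gateway, and VLAN 40 shows the guest SSID that broadcasts but cannot reach its gateway.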
Common PBQ Traps
- Marking the router uplink as an access port instead of a trunk.
- Allowing the guest VLAN to reach internal RFC1918 networks.
- Forgetting DHCP relay when the server is in a different VLAN.
- Setting a host gateway to an address from the wrong subnet.
- Allowing a VLAN on the trunk but never creating the matching routed subinterface.
- Writing firewall rules without a final deny, or without logging where auditing is required.
A router-on-a-stick design must route VLAN 30. Which interface component is required?
VLAN 10 users receive 169.254.x.x APIPA addresses while VLAN 30 users (same broadcast domain as the DHCP server) lease normally. What is the most likely fix?
Guest wireless clients can reach internal file servers. Which firewall rule is most directly missing or misordered?
Which items must align for a VLAN to route across a trunk to a router or firewall? Select three.