VLAN, Trunk, Router-on-a-Stick, and Firewall Rule Lab

Key Takeaways

A VLAN design is incomplete until trunks, access ports, gateways, DHCP scopes, and security rules agree.
802.1Q trunks carry multiple VLANs between switches, routers, firewalls, and access points.
Router-on-a-stick uses subinterfaces with VLAN tags to route between VLANs.
Firewall policy should be written as source, destination, service, action, and logging requirements.
PBQ troubleshooting should compare symptoms against VLAN membership, trunk allowed lists, native VLANs, gateways, and rules.

Last updated: April 2026

VLAN and Firewall Design Lab

This lab combines Layer 2 segmentation, Layer 3 gateways, and security policy. In a performance-based question, you may have to place switchports into VLANs, mark a trunk, choose subinterfaces, and build firewall rules that allow only required traffic.

Scenario

A small office has one router or firewall connected to a switch. The switch also connects to access points, phones, users, and servers.

VLAN	Name	Subnet	Default gateway	Purpose
10	Users	172.20.10.0/24	172.20.10.1	Employee workstations
20	Voice	172.20.20.0/24	172.20.20.1	IP phones
30	Servers	172.20.30.0/24	172.20.30.1	File, print, and application servers
40	Guest	172.20.40.0/24	172.20.40.1	Internet-only wireless guests
99	Management	172.20.99.0/24	172.20.99.1	Switches, APs, and firewall management

Switch Port Plan

Port type	Example ports	Required setting
User access	1-20	Access VLAN 10
Phone plus PC	21-28	Data VLAN 10 and voice VLAN 20
Server access	29-34	Access VLAN 30
AP uplink	35-38	Trunk allowing VLANs 10, 40, and 99 if AP management is tagged
Router or firewall uplink	48	802.1Q trunk allowing VLANs 10, 20, 30, 40, and 99

Access ports carry one data VLAN. Trunks carry multiple VLANs with tags. A trunk allowed list that omits VLAN 40 would explain why the guest SSID broadcasts but clients cannot reach the guest gateway.

Router-on-a-Stick Map

Subinterface	Encapsulation	IP address
g0/0.10	802.1Q VLAN 10	172.20.10.1/24
g0/0.20	802.1Q VLAN 20	172.20.20.1/24
g0/0.30	802.1Q VLAN 30	172.20.30.1/24
g0/0.40	802.1Q VLAN 40	172.20.40.1/24
g0/0.99	802.1Q VLAN 99	172.20.99.1/24

If the physical interface is up but a specific VLAN cannot route, focus on that VLAN tag, the trunk allowed list, the subinterface IP address, and the host default gateway.

Firewall Rule Table

Order	Source	Destination	Service	Action	Log
1	Users	Servers	SMB, HTTPS, DNS as required	Allow	Yes
2	Voice	Call manager or voice gateway	SIP, RTP, DHCP, DNS, NTP as required	Allow	Yes
3	Guest	Internet	HTTP, HTTPS, DNS	Allow	Yes
4	Guest	Internal RFC1918 networks	Any	Deny	Yes
5	Management	Network devices	SSH, HTTPS, SNMP, syslog as required	Allow	Yes
6	Any	Any	Any	Deny	Yes

Rules are evaluated in order on many firewalls and ACL systems. A broad deny above an allow can break a service. A broad allow above a deny can defeat segmentation.

Troubleshooting Prompts

Symptom	Likely check
User gets an APIPA address	DHCP scope, DHCP relay, access VLAN, trunk path to DHCP server
Guest can browse Internet but can also reach file server	Guest-to-internal deny rule missing or ordered too low
Voice phones boot but cannot register	Voice VLAN, DHCP options, call manager reachability, firewall ports
AP management is unreachable	AP management VLAN tag, trunk allowed list, management gateway
Only one VLAN works across trunk	Native VLAN or allowed VLAN mismatch, missing subinterface

Common PBQ Traps

Marking the router uplink as an access port instead of a trunk.
Allowing the guest VLAN to reach internal networks.
Forgetting DHCP relay when the DHCP server is in a different VLAN.
Configuring the host gateway as an address from the wrong subnet.
Allowing a VLAN on the switch trunk but not creating the matching routed interface.
Creating firewall rules without a final deny or without logging where the scenario asks for auditing.

Test Your Knowledge

A router-on-a-stick design needs to route VLAN 30. Which interface component is required?

A subinterface tagged for VLAN 30 with an IP address in the VLAN 30 subnet

A crossover cable on every workstation

A duplicate default gateway from VLAN 10

A guest SSID using no encryption

Test Your Knowledge

Guest wireless clients can reach internal file servers. Which firewall rule is most directly missing or misordered?

Deny Guest to internal RFC1918 networks

Allow Management to switches using SSH

Allow Voice to the call manager

Allow Users to DNS

Test Your KnowledgeMulti-Select

Which items must align for a VLAN to work across a trunk to a router or firewall? Select three.

Select all that apply

The VLAN is allowed on the trunk

The routed subinterface uses the correct 802.1Q tag

The client default gateway is in the correct subnet

The client uses the same MAC address as the gateway

The VLAN number equals the TCP port number

Up Next

Wireless Deployment and Troubleshooting Lab

Continue learning

CompTIA Network+

1Introduction & Exam Overview

2Domain 1: Networking Concepts (23%)

3Domain 1: Media, Connectors, Transceivers, and Network Architectures

4Domain 1: IP Addressing and Subnetting Mastery

5Domain 2: Network Implementation - Routing

6Domain 2: Network Implementation - Switching

7Domain 2: Network Implementation - Wireless and Physical Implementation

8Domain 2: Network Implementation - Services Implementation

9Domain 3 Part A: Network Operations Documentation and Governance

10Domain 3 Part B: Monitoring, Remote Access, and Resilience

11Domain 4: Logical Security and Secure Access (14%)

12Domain 4: Segmentation, Risk, and Network Attacks (14%)

13Domain 4: Security Controls and Hardening (14%)

14Domain 5: Troubleshooting Methodology and Tools (24%)

15Domain 5: Physical, Interface, and Wireless Troubleshooting (24%)

16Domain 5: Network Services, Switching, Routing, and Performance Troubleshooting (24%)

17Performance-Based Question Labs

18High-Yield Reference and Final Study Plan

19Final Synthesis: Strategy, Remediation, and Readiness