VLANs & Trunking N10-009

Slide 1 of 10  |  N10-009 Obj 2.3  |  Layer 2
VLANs & Trunking:
Logical Separation on Physical Hardware
One switch. Multiple broadcast domains. Zero extra hardware.
HR and Engineering share the same physical switch. HR complains they are seeing Engineering's broadcast traffic. VLANs fix this by creating logical segmentation without touching a single cable.
10 slides | N10-009 Obj 2.3 | Layer 2 switching concepts and configuration
Slide 2 of 10
The Problem: Broadcast Domains
Without VLANs, every device on a switch is in the same broadcast domain.
No VLANs — one flat network
All ports in VLAN 1
Fa0/1: HR-PC1
Fa0/2: HR-PC2
Fa0/3: ENG-PC1
Fa0/4: ENG-PC2
Every broadcast (ARP, DHCP) hits every port. HR can see Engineering's traffic noise.
With VLANs — segmented
Two broadcast domains
Fa0/1: VLAN 10 — HR
Fa0/2: VLAN 10 — HR
Fa0/3: VLAN 20 — ENG
Fa0/4: VLAN 20 — ENG
Broadcasts stay inside each VLAN. HR and Engineering are isolated at Layer 2.
[Figure: left, no VLANs (one flat network on one switch); right, with VLANs (the same switch carrying VLAN 10 and VLAN 20 as separate broadcast domains)]
Key concept: A VLAN is a logical broadcast domain. Devices in different VLANs cannot communicate directly — they need a Layer 3 device (router or L3 switch) to route between them.
Slide 3 of 10
Access Ports vs Trunk Ports
Two port types with completely different jobs.
Access Port
Connects end devices
An access port belongs to exactly one VLAN. Frames entering and leaving the port are untagged; the end device (PC, printer, phone) has no awareness of VLANs. The switch simply associates every frame received on that port with the port's VLAN, and adds an 802.1Q tag only if it later forwards the frame out a trunk. A broadcast from the device is flooded to that VLAN's ports only.
Trunk Port
Carries multiple VLANs
A trunk port carries traffic for multiple VLANs simultaneously. Frames are tagged with the 802.1Q tag so the receiving device knows which VLAN they belong to. Trunks are used between switches, and between switches and routers or L3 switches.
Switch A
Fa0/1Access — VLAN 10 (HR)
Fa0/2Access — VLAN 20 (ENG)
Gi0/1Trunk — VLAN 10, 20
⟷ Trunk
Switch B
Fa0/3Access — VLAN 10 (HR)
Fa0/4Access — VLAN 20 (ENG)
Gi0/1Trunk — VLAN 10, 20
[Figure: access port, PC to SW-A, untagged frame; trunk port, SW-A to SW-B, 802.1Q-tagged frames [10] and [20]. Untagged on access ports, tagged with the VLAN ID on trunks.]
Exam tip: Access ports assign devices to a VLAN. Trunk ports extend VLANs across network devices. A misconfigured access port on the wrong VLAN is one of the most common switch troubleshooting issues.
Slide 4 of 10
802.1Q — The 4-Byte Tag
How does a switch know which VLAN a frame belongs to on a trunk link?
Dst MAC
6 bytes
Src MAC
6 bytes
802.1Q Tag
4 bytes
EtherType
2 bytes
Payload
46–1500 bytes
FCS
4 bytes
TPID — 0x8100
Tag Protocol ID
2-byte identifier that signals this is an 802.1Q-tagged frame. Receiving devices look for this value.
PCP — 3 bits
Priority Code Point
Quality of Service bits (0-7). Voice VLAN traffic is marked high priority here to reduce jitter. The PCP is followed by a 1-bit DEI (Drop Eligible Indicator, formerly CFI, almost always 0 on Ethernet) and then the 12-bit VID: 16 + 3 + 1 + 12 = 32 bits, the 4-byte tag.
VID — 12 bits
VLAN Identifier
12 bits = 4096 possible VLAN IDs (0 and 4095 reserved). Valid range: 1–4094. This is the core VLAN number.
[Figure: PC in VLAN 10 on an access port (untagged); SW-A inserts tag [10] on the trunk link; SW-B strips the tag and delivers the untagged frame to its VLAN 10 access port]
When HR-PC1 sends a frame to HR-PC3 on a different switch: the originating switch inserts the 802.1Q tag (VLAN 10) before sending it across the trunk. The receiving switch reads the tag, strips it, and delivers the untagged frame to the correct access port in VLAN 10.
The 4-byte tag is inserted between the Source MAC and EtherType fields, so a maximum-size frame grows from 1518 to 1522 bytes. Devices that do not understand 802.1Q may log these as oversized ("baby giant") frames or drop them, which is why a trunk must terminate on an 802.1Q-aware port at both ends.
Slide 5 of 10
Native VLAN & Voice VLAN
Two special VLAN assignments with distinct purposes.
Native VLAN
Untagged traffic on a trunk
The native VLAN is the one VLAN on a trunk link whose traffic travels untagged; the default is VLAN 1. Each switch places untagged frames arriving on the trunk into its own native VLAN, so if the two sides disagree, frames sent untagged from VLAN X on one switch arrive in VLAN Y on the other. That is the native VLAN mismatch: CDP flags it, and the two VLANs are effectively bridged together. Best practice: set the native VLAN on both ends to an unused VLAN (not 1, and not one that carries user traffic) to limit VLAN hopping attacks.
Voice VLAN
QoS separation for VoIP
An access port can carry both a data VLAN and a voice VLAN simultaneously. The IP phone connects to the switch port; the PC connects to the phone's built-in switch. Voice frames are 802.1Q-tagged with the voice VLAN ID and CoS (Class of Service) priority set to 5 to minimize jitter.
Security: VLAN Hopping Attack
An attacker whose access port sits in the trunk's native VLAN can send double-tagged frames: an outer tag matching the native VLAN (stripped by the first switch, which then forwards the frame untagged across the trunk) and an inner tag for a target VLAN, which the second switch honours as if it were a normal tagged frame. This "hops" the attacker into a VLAN they should not reach. The attack is one-way (replies do not come back) and works only when the attacker's port is in the native VLAN, so the mitigations follow directly: change the native VLAN to an unused ID, never put user devices in it, and disable DTP on user-facing ports (switchport mode access plus switchport nonegotiate) so an attacker cannot negotiate a trunk of their own and tag into any VLAN.
Exam tip: Native VLAN mismatch is a trunk misconfiguration that causes CDP/LLDP warnings and unexpected traffic delivery. Confirm with show interfaces trunk — the native VLAN column must match on both sides.
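The tag layout from the previous slide and the double-tagging attack described above, worked as an added example (not code from the deck). It builds frames with struct, parses the TPID/PCP/DEI/VID fields, then runs a simplified two-switch model: an access port that accepts a tag equal to its own VLAN and strips it, a trunk that sends the native VLAN untagged, and a receiving trunk that reads only the outer tag. The MACs, payload and VLAN numbers are constructed, and the switch behaviour is a model of what the attack relies on, not a vendor implementation.

```python
# Added example (not from the N10-009 deck): build and parse 802.1Q tags, then
# simulate how trunk native-VLAN handling lets a double-tagged frame "hop" VLANs.
# Switch behaviour is a simplified model of a dot1q trunk, not a vendor implementation.
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_tag(vid, pcp=0, dei=0):
    """4-byte 802.1Q tag: TPID 0x8100, then TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094; 0 and 4095 are reserved")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)


def build_frame(dst, src, tags, ethertype, payload):
    """Ethernet header with the given (vid, pcp, dei) tags inserted between Src MAC and
    EtherType. FCS omitted: the NIC/ASIC computes it, so a 1518-byte frame becomes 1522."""
    return dst + src + b"".join(build_tag(*t) for t in tags) + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Peel every 0x8100 tag after the MACs; report tags, the real EtherType and the payload."""
    off, tags = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": struct.unpack("!H", frame[off:off + 2])[0], "payload": frame[off + 2:]}


def access_ingress(frame, access_vlan):
    """Access port on switch A. Untagged -> classified into the port's VLAN. A frame that
    already carries a tag equal to the port's VLAN is accepted with that tag stripped; any
    other tag is dropped (None). This is the modelling assumption the classic double-tagging
    write-ups rely on: the outer tag 'disappears' at the first switch."""
    p = parse_frame(frame)
    if not p["tags"]:
        return access_vlan, frame
    if p["tags"][0]["vid"] == access_vlan:
        return access_vlan, frame[:12] + frame[16:]
    return None


def trunk_egress(vlan, frame, native_vlan):
    """Switch A forwards out its trunk: the native VLAN goes untagged (frame left as-is,
    inner tag included); every other VLAN gets a fresh outer tag."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + build_tag(vlan) + frame[12:]


def trunk_ingress(frame, native_vlan):
    """Switch B receives on its trunk and looks at ONE tag only: tagged -> that VID, tag
    stripped; untagged -> native VLAN. Returns (vlan, frame as it will be delivered)."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return native_vlan, frame


def deliver(frame, attacker_access_vlan, native_vlan):
    """Attacker access port (switch A) -> trunk -> switch B. Returns the VLAN switch B
    forwards the frame into, or None if switch A dropped it at the access port."""
    accepted = access_ingress(frame, attacker_access_vlan)
    if accepted is None:
        return None
    vlan, f = accepted
    vlan_b, _ = trunk_ingress(trunk_egress(vlan, f, native_vlan), native_vlan)
    return vlan_b


# Constructed sample frames (addresses and payload are made up for the demo).
ATTACKER_MAC = bytes.fromhex("0200deadbeef")
BROADCAST = b"\xff" * 6
PAYLOAD = b"\x45" + b"\x00" * 19

# Outer tag = VLAN 1 (default native), inner tag = VLAN 20 (Engineering, the target).
DOUBLE_TAGGED = build_frame(BROADCAST, ATTACKER_MAC, [(1, 0, 0), (20, 0, 0)], ETHERTYPE_IPV4, PAYLOAD)
# A normal untagged HR frame for comparison.
PLAIN = build_frame(BROADCAST, ATTACKER_MAC, [], ETHERTYPE_IPV4, PAYLOAD)

if __name__ == "__main__":
    print("default native VLAN 1, attacker in VLAN 1 ->", deliver(DOUBLE_TAGGED, 1, 1))   # 20: hopped
    print("native moved to unused VLAN 99           ->", deliver(DOUBLE_TAGGED, 1, 99))  # 1: contained
    print("legit HR frame, native 99                ->", deliver(PLAIN, 10, 99))        # 10
```

Run it as a script to see the three cases: with the default native VLAN 1 and the attacker in VLAN 1 the frame lands in VLAN 20; after moving the native VLAN to 99 the same frame is tagged 1 on the trunk and stays in VLAN 1. Calling deliver with the attacker's port in VLAN 99 and a frame whose outer tag is 99 hops again, which is why user devices must never sit in the native VLAN.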
Slide 6 of 10
Creating VLANs — Config & Database
VLANs must exist in the switch database before you can assign ports to them.
Create VLAN + Assign Access Port
SW1# conf t
SW1(config)# vlan 10
SW1(config-vlan)# name HR
SW1(config-vlan)# exit
SW1(config)# vlan 20
SW1(config-vlan)# name Engineering
SW1(config-vlan)# exit
SW1(config)# interface fa0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 10
Configure Trunk Port
SW1(config)# vlan 99
SW1(config-vlan)# name NATIVE-UNUSED
SW1(config-vlan)# exit
SW1(config)# interface gi0/1
SW1(config-if)# switchport trunk encapsulation dot1q
SW1(config-if)# switchport mode trunk
SW1(config-if)# switchport nonegotiate
SW1(config-if)# switchport trunk allowed vlan 10,20
SW1(config-if)# switchport trunk native vlan 99
Notes: switchport trunk encapsulation dot1q is only accepted on switches that also support ISL; on 2960-class switches 802.1Q is the only option and the command does not exist. switchport nonegotiate turns DTP off on the link, so the far end must be configured as a trunk explicitly as well. The native VLAN 99 is created but deliberately left out of the allowed list, so it carries no user data.
 
Verify:
SW1# show vlan brief
SW1# show interfaces trunk
VLAN database: On Cisco switches, normal-range VLANs 1–1005 are stored in flash:vlan.dat, separate from the running-config. Extended-range VLANs (1006–4094) can only be created in VTP transparent mode (or with VTP version 3) and, under VTP version 1 or 2, live in the running-config instead. Deleting vlan.dat wipes all normal-range VLANs at the next reload, and ports assigned to the missing VLANs go inactive.
Slide 7 of 10
Inter-VLAN Routing — Layer 3 Required
Devices in different VLANs cannot talk without routing. Two ways to provide it.
Router-on-a-Stick (ROAS)
One physical link, multiple sub-interfaces
A single trunk link runs from the switch to a router. The router creates logical sub-interfaces (one per VLAN), each configured with an IP address that becomes the default gateway for that VLAN. The router routes between VLANs in software. Simple to configure but the single uplink can become a bottleneck.
SVI — Layer 3 Switch
Switched Virtual Interface
A Layer 3 switch creates an SVI (a virtual interface) for each VLAN. Each SVI gets an IP address and acts as the default gateway for that VLAN. Routing happens in hardware (ASICs) — much faster than ROAS. This is the enterprise standard. Requires ip routing enabled on the switch.
[Figure: VLAN 10 PC and VLAN 20 PC on the switch; one trunk carrying [10] and [20] to the router; ROAS sub-interfaces gi0/0.10 and gi0/0.20 route between the two VLANs]
Router-on-a-Stick config (router side)
R1(config)# interface gi0/0
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface gi0/0.10
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address 10.10.10.1 255.255.255.0
R1(config-subif)# interface gi0/0.20
R1(config-subif)# encapsulation dot1q 20
R1(config-subif)# ip address 10.10.20.1 255.255.255.0
The physical interface carries no IP address of its own; it only needs to be up. The switch port facing R1 must be a trunk that allows VLANs 10 and 20. If the trunk's native VLAN also needs a gateway, that sub-interface uses encapsulation dot1q <id> native so the router knows its frames arrive untagged.
SVI config (L3 switch)
SW1(config)# ip routing
SW1(config)# interface vlan 10
SW1(config-if)# ip address 10.10.10.1 255.255.255.0
SW1(config-if)# no shutdown
SW1(config)# interface vlan 20
SW1(config-if)# ip address 10.10.20.1 255.255.255.0
SW1(config-if)# no shutdown
Slide 8 of 10
VTP — VLAN Trunking Protocol
Cisco-proprietary protocol to propagate VLAN database changes across a domain.
Server Mode
Creates and propagates
Can create, modify, and delete VLANs. Sends VTP advertisements to all switches in the domain. Changes here replicate everywhere. Default mode on Cisco switches.
Client Mode
Receives and forwards
Cannot create or delete VLANs locally. Synchronizes its VLAN database from VTP advertisements received from a server. Forwards advertisements to other switches.
Transparent Mode
Local only — forwards
Does not participate in VTP synchronization. Maintains its own VLAN database independently. Forwards VTP advertisements from other switches without applying them. Safest for extended VLANs.
VTP Risk — The Revision Number Bomb
VTP uses a configuration revision number to decide which database is authoritative: the highest revision wins, whether it arrives from a server or a client. Connect a previously used switch in the same VTP domain (and with the same password, if one is set) whose revision is higher than yours, and its VLAN list replaces everyone's; ports in VLANs that no longer exist go inactive and the network drops. Always reset the revision to 0 before connecting a used switch: set it to transparent mode or change its VTP domain name, then confirm with show vtp status.
Modern practice: Many engineers avoid VTP entirely (transparent mode everywhere) and manage VLANs manually or via automation. VTP versions 1 and 2 already support an MD5 password; what version 3 adds is a primary server concept (only the one switch promoted as primary server can change the database) and a hidden password option, which removes most of the revision bomb risk.
Slide 9 of 10
Troubleshooting VLANs & Trunks
Two commands answer almost every VLAN troubleshooting question.
show vlan brief — verify VLAN assignment
SW1# show vlan brief
 
VLAN Name Status Ports
---- ------------ --------- -------------------
1 default active Fa0/5, Fa0/6
10 HR active Fa0/1, Fa0/2
20 Engineering active Fa0/3, Fa0/4
1002 fddi-default act/unsup
Fa0/5 and Fa0/6 still on VLAN 1 — unassigned ports default here
show interfaces trunk — verify trunk state
SW1# show interfaces trunk
 
Port Mode Encapsulation Status Native vlan
Gi0/1 on 802.1q trunking 99
 
Port VLANs allowed on trunk
Gi0/1 10,20
 
Port VLANs in spanning tree forwarding state
Gi0/1 10,20
Symptom
Device cannot communicate
Access port assigned to wrong VLAN. Check show vlan brief — confirm the port is listed under the correct VLAN.
Symptom
VLAN traffic not crossing switches
VLAN not in the allowed list on the trunk. Run show interfaces trunk and add the VLAN with switchport trunk allowed vlan add X.
Symptom
Native VLAN mismatch warning
CDP reports mismatched native VLANs on a trunk. Both sides must use the same native VLAN ID. Check both switches and align them.
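An added example (not from the deck) that parses show interfaces trunk from both ends of a trunk and reports the two findings above: a native VLAN mismatch and a VLAN missing from one side's allowed list. The two outputs are constructed to mimic the deck's SW1 and a second switch whose trunk was left at defaults; the column layout follows Catalyst IOS output, and the parser is tolerant of spacing.

```python
# Added example (not from the N10-009 deck): parse `show interfaces trunk` from both ends of
# a trunk and flag a native VLAN mismatch and VLANs missing from the allowed list.
# Both outputs below are constructed for the demo, modelled on Catalyst IOS formatting.

SW1_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       10,20

Port        Vlans allowed and active in management domain
Gi0/1       10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20
"""

# Second switch: trunk left at defaults, native VLAN 1, and VLAN 20 never added.
SW2_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10

Port        Vlans allowed and active in management domain
Gi0/1       10

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10
"""


def expand_vlan_list(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}; 'none' -> empty set."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_interfaces_trunk(text):
    """Return {port: {"mode", "encapsulation", "status", "native", "allowed"}}."""
    trunks = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            header = line.lower()
            if "native vlan" in header:
                section = "status"
            elif "allowed on trunk" in header:
                section = "allowed"
            else:
                section = None  # management-domain and STP tables are not checked here
            continue
        fields = line.split()
        if section == "status" and len(fields) == 5:
            port, mode, encap, status, native = fields
            trunks[port] = {"mode": mode, "encapsulation": encap, "status": status,
                            "native": int(native), "allowed": set()}
        elif section == "allowed" and len(fields) == 2 and fields[0] in trunks:
            trunks[fields[0]]["allowed"] = expand_vlan_list(fields[1])
    return trunks


def check_trunk(local, local_port, remote, remote_port, required_vlans):
    """Compare the two ends of one trunk. Returns a list of human-readable findings."""
    a, b = local[local_port], remote[remote_port]
    findings = []
    if a["status"] != "trunking" or b["status"] != "trunking":
        findings.append(f"link is not trunking on both ends ({a['status']}/{b['status']})")
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {local_port}={a['native']} vs {remote_port}={b['native']}")
    for vid in sorted(required_vlans):
        if vid not in a["allowed"]:
            findings.append(f"VLAN {vid} not allowed on {local_port}; fix: switchport trunk allowed vlan add {vid}")
        if vid not in b["allowed"]:
            findings.append(f"VLAN {vid} not allowed on {remote_port}; fix: switchport trunk allowed vlan add {vid}")
    return findings


if __name__ == "__main__":
    sw1 = parse_show_interfaces_trunk(SW1_OUTPUT)
    sw2 = parse_show_interfaces_trunk(SW2_OUTPUT)
    for finding in check_trunk(sw1, "Gi0/1", sw2, "Gi0/1", {10, 20}):
        print("FINDING:", finding)
```

Against the constructed outputs the script reports two findings: native VLAN 99 versus 1, and VLAN 20 missing from the second switch's allowed list. Feeding it the real output of both switches is a quick way to confirm the "native VLAN column must match on both sides" rule from the exam tip before touching any configuration.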
Slide 10 of 10  |  N10-009 Obj 2.3
VLANs: Logical Walls on Physical Wire
HR stopped seeing Engineering's broadcasts. You created VLAN 10 (HR) and VLAN 20 (Engineering), assigned the right access ports, and configured a trunk between the switches. For inter-VLAN routing, you set up SVIs on the L3 switch — ip routing enabled, one IP per VLAN acting as the default gateway. The physical switch never changed. Only the software configuration did.
1 VLANs create separate broadcast domains on the same physical switch — no extra hardware needed.
2 Access ports belong to one VLAN (untagged). Trunk ports carry multiple VLANs using 802.1Q 4-byte tags.
3 Inter-VLAN routing requires Layer 3: router-on-a-stick (sub-interfaces) or an L3 switch with SVIs and ip routing.
4 Native VLAN travels untagged on trunks. Mismatch = CDP warning + misdelivered traffic. Change from default VLAN 1.
5 Troubleshoot with show vlan brief (port assignments) and show interfaces trunk (trunk state, native VLAN, allowed VLANs).