Understanding VLANs and Trunk Ports: A CCNA Configuration Guide

Published on February 8, 2026 | By IT Cert Bound

Introduction: Why VLANs Matter

Virtual Local Area Networks, universally known as VLANs, are one of the most fundamental and frequently tested concepts on the Cisco CCNA 200-301 exam. If you have ever worked in a real enterprise network, you have encountered VLANs. They are everywhere, from small office setups to sprawling campus networks, and understanding them deeply is not optional for any aspiring network engineer.

At their core, VLANs solve a critical problem: how do you logically segment a single physical network into multiple isolated broadcast domains without buying separate hardware for each group? Before VLANs existed, if you wanted to separate the accounting department's traffic from the engineering department's traffic, you needed entirely separate switches and cabling. VLANs eliminate that requirement by allowing a single physical switch to behave as if it were multiple independent switches.

This guide walks you through everything you need to know about VLANs and trunk ports for the CCNA exam, from the conceptual foundations through hands-on Cisco IOS configuration, and into the troubleshooting commands that will save you on both the exam and the job.

What Are VLANs and Why Do They Exist?

A VLAN is a logical grouping of switch ports that creates a separate broadcast domain at Layer 2 of the OSI model. Devices in one VLAN cannot communicate directly with devices in another VLAN without the intervention of a Layer 3 device such as a router or a Layer 3 switch. This separation happens entirely in software and switch configuration, not in physical cabling.

The Three Pillars of VLAN Benefits

VLANs provide three major advantages that every CCNA candidate must understand:

Security. By isolating sensitive traffic into its own VLAN, you prevent unauthorized users on other VLANs from seeing or accessing that traffic. For example, placing all management interfaces on a dedicated management VLAN means that regular user traffic never shares a broadcast domain with switch and router management sessions. If an attacker compromises a workstation on the user VLAN, they cannot directly sniff management traffic or attempt to access switch consoles at Layer 2.

Performance. Every device in a broadcast domain receives every broadcast frame sent by any other device in that domain. In a flat, unsegmented network with hundreds or thousands of hosts, broadcast traffic can consume a significant portion of available bandwidth. ARP requests, DHCP discoveries, NetBIOS announcements, and other broadcast protocols multiply rapidly as the network grows. VLANs shrink broadcast domains to manageable sizes, reducing unnecessary traffic and improving overall network performance.

Management. VLANs allow network administrators to group users by function, department, project, or security requirement regardless of their physical location. An accountant on the third floor and an accountant working remotely through a VPN can both be placed in the Accounting VLAN. When the accountant moves to a different desk, the administrator simply reassigns the new switch port to the Accounting VLAN instead of re-cabling to a different physical switch.

Key Concept: Broadcast Domains

A broadcast domain is the set of all devices that will receive a Layer 2 broadcast frame sent by any member of that set. Without VLANs, all ports on a switch belong to a single broadcast domain. Each VLAN you create establishes a new, independent broadcast domain. Traffic does not cross VLAN boundaries at Layer 2.

How VLANs Work at Layer 2

VLANs operate at Layer 2, the Data Link layer, of the OSI model. When a switch receives a frame on a port assigned to VLAN 10, it will only forward that frame out of other ports that also belong to VLAN 10. The switch maintains a separate MAC address table per VLAN, which means it tracks which MAC addresses have been learned on which ports within each VLAN independently.

Consider a switch with 24 ports. Ports 1 through 12 are assigned to VLAN 10 (Sales), and ports 13 through 24 are assigned to VLAN 20 (Engineering). When a device on port 3 sends a broadcast ARP request, the switch floods that frame out of ports 1, 2, and 4 through 12 only. Ports 13 through 24 never see that broadcast because they belong to a different VLAN. From the perspective of the devices, it is as if two completely separate switches exist, even though all 24 ports are on the same physical chassis.

By default, all ports on a Cisco switch belong to VLAN 1, which is known as the default VLAN. While you can use VLAN 1, Cisco best practices strongly recommend creating new VLANs and migrating user traffic off of VLAN 1 for security reasons. VLAN 1 has special properties that make it harder to secure, including the fact that certain control plane protocols like CDP and VTP use VLAN 1 by default.

Switch (Single Physical Chassis)
+--------------------------------------------------+
|  VLAN 10 (Sales)          VLAN 20 (Engineering)  |
|  +----------------+       +--------------------+ |
|  | Port 1 - PC-A  |       | Port 13 - PC-X     | |
|  | Port 2 - PC-B  |       | Port 14 - PC-Y     | |
|  | Port 3 - PC-C  |       | Port 15 - PC-Z     | |
|  | ...            |       | ...                | |
|  | Port 12        |       | Port 24            | |
|  +----------------+       +--------------------+ |
|                                                  |
|  Broadcasts in VLAN 10 stay in VLAN 10.          |
|  Broadcasts in VLAN 20 stay in VLAN 20.          |
+--------------------------------------------------+

Access Ports vs. Trunk Ports

Cisco switches use two fundamental port types for VLAN operations: access ports and trunk ports. Understanding the difference between these two port types is essential for the CCNA exam and for real-world network configuration.

Access Ports

  • Belong to exactly one VLAN
  • Connect to end devices (PCs, printers, phones)
  • Frames sent and received are untagged
  • The switch adds/removes VLAN info internally
  • End devices are unaware they are in a VLAN

Trunk Ports

  • Carry traffic for multiple VLANs simultaneously
  • Connect switches to switches, or switches to routers
  • Frames are tagged with a VLAN ID (802.1Q)
  • Use a native VLAN for untagged traffic
  • Essential for multi-switch VLAN environments

An access port is the simpler of the two. It is assigned to a single VLAN, and any device connected to that port becomes a member of that VLAN. The connected device, whether it is a laptop, a printer, or a server, has no idea that VLANs exist. It sends and receives normal Ethernet frames. The switch handles all VLAN assignment internally.

A trunk port, on the other hand, is designed to carry frames from multiple VLANs across a single physical link. Trunks are used between switches, between a switch and a router, and between a switch and a virtualization host that needs access to multiple VLANs. Without trunk ports, you would need a separate physical cable between switches for every VLAN you create, which defeats much of the purpose of VLANs in the first place.
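The forwarding rules in the last few sections (one MAC table per VLAN, flooding that never leaves the ingress VLAN, untagged access ports, and a trunk that tags everything except its native VLAN) are easy to read but worth seeing in motion. The following Python model is an added example, not code from the article: the port names, MAC addresses and the class names are constructed for the demo, and it reuses the 24-port layout from the earlier diagram with port 24 repurposed as the trunk configured later in the guide. Frames are plain objects, not real bytes.

```python
"""Toy model of a VLAN-aware Layer 2 switch.

Added example, not code from the article. It models the behaviour described
above: one MAC address table per VLAN, flooding confined to the ingress VLAN,
access ports that carry untagged frames for a single VLAN, and trunk ports that
tag every VLAN except the native one. Frames are plain dataclasses, not bytes.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Port:
    name: str
    mode: str                          # "access" or "trunk"
    access_vlan: int = 1               # access ports only
    native_vlan: int = 1               # trunk ports only
    allowed: frozenset = frozenset()   # trunk only; empty means all VLANs


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None          # None = untagged on the wire


class VlanSwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table: Dict[int, Dict[str, str]] = {}   # vlan -> {mac: port}

    def _ingress_vlan(self, port, frame):
        """VLAN a received frame belongs to, or None if the switch drops it."""
        if port.mode == "access":
            # an access port only carries its own VLAN, untagged
            return None if frame.vid is not None else port.access_vlan
        # trunk: untagged frames land in the native VLAN, tagged ones keep their VID
        vid = port.native_vlan if frame.vid is None else frame.vid
        if port.allowed and vid not in port.allowed:
            return None
        return vid

    def _egress_frame(self, port, vlan, frame):
        """Frame as it appears on the wire leaving 'port', or None if not a member."""
        if port.mode == "access":
            if port.access_vlan != vlan:
                return None
            return Frame(frame.src, frame.dst, None)         # always untagged
        if port.allowed and vlan not in port.allowed:
            return None
        tag = None if vlan == port.native_vlan else vlan     # native VLAN goes untagged
        return Frame(frame.src, frame.dst, tag)

    def receive(self, in_port, frame):
        """Process one frame; return {out_port_name: frame_on_wire}."""
        port = self.ports[in_port]
        vlan = self._ingress_vlan(port, frame)
        if vlan is None:
            return {}
        table = self.mac_table.setdefault(vlan, {})
        table[frame.src] = in_port                           # learn per VLAN
        known = table.get(frame.dst)
        if known == in_port:
            targets = []                                     # destination is on the ingress segment
        elif known is not None:
            targets = [known]                                # known unicast
        else:
            targets = [n for n in self.ports if n != in_port]  # flood, filtered per VLAN below
        out = {}
        for name in targets:
            wire = self._egress_frame(self.ports[name], vlan, frame)
            if wire is not None:
                out[name] = wire
        return out


def build_demo_switch():
    """24-port switch from the text: 1-12 in VLAN 10, 13-23 in VLAN 20, 24 as a trunk."""
    ports = [Port(f"Gi0/{i}", "access", access_vlan=10) for i in range(1, 13)]
    ports += [Port(f"Gi0/{i}", "access", access_vlan=20) for i in range(13, 24)]
    ports.append(Port("Gi0/24", "trunk", native_vlan=99, allowed=frozenset({10, 20, 99})))
    return VlanSwitch(ports)


PC_A = "00:11:22:33:44:01"      # constructed MAC addresses
PC_X = "00:11:22:33:44:13"
BCAST = "ff:ff:ff:ff:ff:ff"

if __name__ == "__main__":
    sw = build_demo_switch()
    flood = sw.receive("Gi0/3", Frame(PC_A, BCAST))
    print(sorted(flood))             # Gi0/1, Gi0/2, Gi0/4..Gi0/12 and the trunk Gi0/24
    print(flood["Gi0/24"])           # leaves the trunk tagged with VID 10
```

Running it shows the broadcast from port 3 reaching only the other VLAN 10 access ports plus the trunk (tagged 10), a tagged reply arriving on the trunk being delivered to port 3 alone once PC-A's MAC is learned, and an untagged frame on the trunk landing in native VLAN 99 where no access port exists, so it goes nowhere.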

802.1Q Tagging Explained

IEEE 802.1Q is the industry standard protocol for VLAN tagging on trunk links. When a frame travels across a trunk port, the switch inserts a 4-byte 802.1Q tag into the Ethernet frame header between the Source MAC Address field and the EtherType/Length field. This tag identifies which VLAN the frame belongs to so the receiving switch can forward it to the correct ports.

Anatomy of the 802.1Q Tag

Field                            Size     Purpose
Tag Protocol Identifier (TPID)   16 bits  Set to 0x8100 to identify the frame as 802.1Q tagged
Priority Code Point (PCP)        3 bits   Used for Class of Service (CoS) for QoS prioritization
Drop Eligible Indicator (DEI)    1 bit    Indicates whether the frame can be dropped during congestion
VLAN Identifier (VID)            12 bits  Identifies the VLAN (0-4095; usable range 1-4094)

The 12-bit VLAN Identifier field gives us a theoretical range of 4,096 VLANs (0 through 4095). However, VLAN 0 and VLAN 4095 are reserved, giving a practical range of 1 through 4094. Cisco further divides these into the normal range (1-1005) and the extended range (1006-4094). The normal range VLANs can be used with VTP, while the extended range requires VTP version 3 or VTP transparent mode.

Important: Frame Size Change

Because the 802.1Q tag adds 4 bytes to the frame, a standard 1518-byte maximum Ethernet frame becomes 1522 bytes on a trunk link. This is sometimes referred to as a "baby giant" frame. All modern switches handle this seamlessly, but it is worth knowing for the exam and for troubleshooting MTU-related issues in complex environments.

The Native VLAN: Concept and Security Implications

The native VLAN is a unique concept specific to 802.1Q trunk ports. It designates which VLAN's traffic is sent across the trunk link without an 802.1Q tag. By default, the native VLAN is VLAN 1 on all Cisco switches. When a trunk port receives an untagged frame, it assigns that frame to the native VLAN. When a trunk port sends a frame that belongs to the native VLAN, it strips the 802.1Q tag and sends it untagged.

The native VLAN must match on both ends of a trunk link. If Switch A has its native VLAN set to VLAN 1 and Switch B has its native VLAN set to VLAN 99 on the same trunk link, frames will be misplaced between VLANs. Cisco switches will detect this mismatch and generate CDP error messages, but the misconfiguration can still cause connectivity problems and security vulnerabilities.

Security Warning: VLAN Hopping

The native VLAN is at the center of a well-known attack called VLAN hopping. In a double-tagging attack, an attacker crafts a frame with two 802.1Q tags. The outer tag matches the native VLAN, and the inner tag specifies the target VLAN. The first switch strips the outer tag (because it matches the native VLAN) and forwards the frame, still carrying the inner tag, across the trunk. The second switch reads the inner tag and delivers the frame to the target VLAN. To mitigate this attack:

  • Change the native VLAN to an unused VLAN (not VLAN 1)
  • Tag the native VLAN on trunk ports with switchport trunk native vlan tag
  • Never assign user traffic to the native VLAN
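The tag layout in the table above, the 1518-to-1522 byte size change, and the two-tag frame shape described in the VLAN hopping warning can all be checked with a few lines of code. The following Python decoder is an added example, not code from the article: it reads an Ethernet frame the way a receiving switch does, pulls out every 802.1Q tag, classifies the VID into the reserved, normal and extended ranges from the text, and reports frames carrying more than one tag so a capture or monitoring tool can flag them. The sample frames at the bottom are constructed; the MAC addresses and payload are filler.

```python
"""Decode the 802.1Q tag(s) in a raw Ethernet frame.

Added example, not code from the article. It walks the header the way a
receiving switch does: after the 12 address bytes, each 0x8100 EtherType
introduces a 4-byte tag (TPID, PCP, DEI, VID). More than one tag is reported as
double-tagged so a monitoring tool can flag the frame shape the VLAN hopping
section describes. The sample frames at the bottom are constructed.
"""
import struct

TPID_8021Q = 0x8100
MAX_UNTAGGED_FRAME = 1518          # bytes, including the FCS


def max_frame_size(tag_count: int) -> int:
    """1518 untagged, 1522 ("baby giant") with one tag, 4 more bytes per extra tag."""
    return MAX_UNTAGGED_FRAME + 4 * tag_count


def classify_vid(vid: int) -> str:
    """Reserved / Cisco normal range / Cisco extended range, per the text above."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    if vid in (0, 4095):
        return "reserved"
    return "normal" if vid <= 1005 else "extended"


def build_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Encode one 802.1Q tag: TPID, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))


def parse_frame(raw: bytes) -> dict:
    """Split an Ethernet frame into addresses, a list of tags, EtherType and payload."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, offset, tags = raw[0:6], raw[6:12], 12, []
    # keep consuming tags while the next EtherType slot holds the 802.1Q TPID
    while struct.unpack("!H", raw[offset:offset + 2])[0] == TPID_8021Q:
        if len(raw) < offset + 6:                 # need the tag plus a following EtherType
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", raw[offset + 2:offset + 4])[0]
        tags.append({"tpid": TPID_8021Q, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    ethertype = struct.unpack("!H", raw[offset:offset + 2])[0]
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": raw[offset + 2:],
            "double_tagged": len(tags) > 1}


# Constructed sample frames (broadcast ARP with a zero-filled body).
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")
ARP, FILL = b"\x08\x06", bytes(46)
UNTAGGED = DST + SRC + ARP + FILL
SALES_FRAME = DST + SRC + build_tag(10, pcp=5) + ARP + FILL          # VLAN 10, CoS 5
STACKED = DST + SRC + build_tag(99) + build_tag(20) + ARP + FILL     # two tags: the shape to flag

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("sales", SALES_FRAME), ("stacked", STACKED)):
        info = parse_frame(frame)
        print(name, [t["vid"] for t in info["tags"]], "double_tagged:", info["double_tagged"])
```

A packet capture taken on a trunk should show exactly one tag per frame; any frame that decodes with `double_tagged` set is worth an alert, and a VID that classifies as `reserved` or falls outside the trunk's allowed list points at a misconfiguration or a crafted frame.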

Step-by-Step VLAN Configuration with Cisco IOS

Now that you understand the concepts, it is time to configure VLANs on a Cisco switch. These commands are critical for the CCNA exam, particularly for simulation and simlet questions where you must type commands directly.

Step 1: Create the VLANs

First, you must create the VLANs in the switch's VLAN database. Until a VLAN is created, you cannot assign ports to it.

Switch> enable
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name Sales
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name Engineering
Switch(config-vlan)# exit
Switch(config)# vlan 99
Switch(config-vlan)# name Management
Switch(config-vlan)# exit

Step 2: Assign Ports to VLANs (Access Ports)

Next, configure individual switch ports as access ports and assign them to the appropriate VLAN. You can configure ports individually or in ranges.

! Assign a single port to VLAN 10
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit
! Assign a range of ports to VLAN 20
Switch(config)# interface range GigabitEthernet0/5 - 10
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 20
Switch(config-if-range)# exit
! Assign the management VLAN interface an IP address
Switch(config)# interface vlan 99
Switch(config-if)# ip address 192.168.99.2 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway 192.168.99.1

CCNA Exam Tip

Always issue switchport mode access before switchport access vlan. While some switches will auto-negotiate the port mode, explicitly setting it to access prevents the port from being tricked into becoming a trunk through a DTP negotiation attack. This is also a Cisco security best practice that may appear in exam scenarios.

Step 3: Verify VLAN Configuration

Switch# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/11, Gi0/12, Gi0/13, Gi0/14
                                                Gi0/15, Gi0/16, Gi0/17, Gi0/18
                                                Gi0/19, Gi0/20, Gi0/21, Gi0/22
                                                Gi0/23, Gi0/24
10   Sales                            active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
20   Engineering                      active    Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10
99   Management                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Trunk Port Configuration with Cisco IOS

When you have VLANs configured on multiple switches, you need trunk ports to carry VLAN traffic between them. Here is the complete process for configuring and securing a trunk link.

Basic Trunk Configuration

Switch(config)# interface GigabitEthernet0/24
! Set the encapsulation before the mode: switches that also support ISL reject
! "switchport mode trunk" while the encapsulation is still "auto"
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 10,20,99
Switch(config-if)# exit

Let us break down each command:

  • switchport trunk encapsulation dot1q selects IEEE 802.1Q as the tagging protocol for the trunk
  • switchport mode trunk places the port into trunk mode statically, rather than leaving the decision to DTP negotiation
  • switchport trunk native vlan 99 moves the native VLAN off the default of VLAN 1 to VLAN 99, so only VLAN 99 frames cross the trunk untagged
  • switchport trunk allowed vlan 10,20,99 prunes the trunk to those three VLANs; a trunk allows every VLAN by default

Securing the Trunk

For production networks and for exam scenarios focused on security, you should also disable DTP negotiation on trunk ports to prevent unauthorized devices from establishing trunk links.

Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# switchport nonegotiate
Switch(config-if)# exit

Verifying Trunk Configuration

Switch# show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/24      10,20,99

Port        Vlans allowed and active in management domain
Gi0/24      10,20,99

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      10,20,99

CCNA Exam Tip

The show interfaces trunk command is your single most important troubleshooting tool for trunk issues. It shows four key pieces of information: the trunking mode and status, the native VLAN, the allowed VLANs, and which VLANs are actually active and forwarding. If a VLAN does not appear in the "allowed and active" section, traffic for that VLAN will not cross the trunk.

Inter-VLAN Routing Concepts

Because VLANs create separate broadcast domains, devices in different VLANs cannot communicate with each other at Layer 2. To enable communication between VLANs, you need a Layer 3 device to route traffic between them. The CCNA exam covers two primary methods for inter-VLAN routing.

Method 1: Router-on-a-Stick (ROAS)

Router-on-a-stick uses a single physical router interface connected to the switch via a trunk link. The router interface is divided into logical subinterfaces, each assigned to a different VLAN and configured with the default gateway IP address for that VLAN.

! Router configuration for Router-on-a-Stick
Router(config)# interface GigabitEthernet0/0
Router(config-if)# no shutdown
Router(config-if)# exit
! Subinterface for VLAN 10 (Sales)
Router(config)# interface GigabitEthernet0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0
Router(config-subif)# exit
! Subinterface for VLAN 20 (Engineering)
Router(config)# interface GigabitEthernet0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0
Router(config-subif)# exit
! Subinterface for VLAN 99 (Management) - native VLAN
Router(config)# interface GigabitEthernet0/0.99
Router(config-subif)# encapsulation dot1Q 99 native
Router(config-subif)# ip address 192.168.99.1 255.255.255.0
Router(config-subif)# exit

The encapsulation dot1Q [vlan-id] command on each subinterface tells the router which VLAN tag to expect and apply for traffic on that subinterface. Notice the native keyword on the VLAN 99 subinterface, which tells the router that VLAN 99 is the native VLAN and its traffic will be untagged on the trunk.

Method 2: Switch Virtual Interfaces (SVIs)

A more modern and higher-performance approach uses a Layer 3 switch with Switch Virtual Interfaces. An SVI is a virtual interface on the switch itself that acts as the default gateway for a VLAN. Because the routing happens in hardware ASICs on the switch rather than on an external router, SVIs provide significantly better throughput.

! Enable IP routing on the Layer 3 switch
L3Switch(config)# ip routing
! Create SVI for VLAN 10
L3Switch(config)# interface vlan 10
L3Switch(config-if)# ip address 192.168.10.1 255.255.255.0
L3Switch(config-if)# no shutdown
L3Switch(config-if)# exit
! Create SVI for VLAN 20
L3Switch(config)# interface vlan 20
L3Switch(config-if)# ip address 192.168.20.1 255.255.255.0
L3Switch(config-if)# no shutdown
L3Switch(config-if)# exit

SVI vs. Router-on-a-Stick: When to Use Each

Router-on-a-stick is suitable for small networks with limited inter-VLAN traffic. It uses equipment many organizations already have, but the single trunk link to the router can become a bottleneck.

SVIs on a Layer 3 switch are the preferred solution for enterprise networks. Routing is performed in hardware at wire speed, there is no single-link bottleneck, and the configuration is simpler to manage. The CCNA exam expects you to know both methods.

Common VLAN Troubleshooting Commands

Troubleshooting VLAN issues is a critical skill tested on the CCNA exam. The following commands should be committed to memory, as you will use them in simulation questions and in every real network you ever manage.

show vlan brief

This command displays all VLANs configured on the switch, their status, and which ports are assigned to each VLAN. It is your first stop when a device cannot communicate, because it immediately tells you whether the port is in the correct VLAN.

Switch# show vlan brief

Look for: Is the VLAN created? Is the correct port assigned to it? Is the VLAN in an active state? Note that trunk ports do not appear in this output, which is a common source of confusion.

show interfaces trunk

This command shows all active trunk ports, their encapsulation type, the native VLAN, allowed VLANs, and VLANs that are active and forwarding. If VLAN traffic is not crossing between switches, this command will almost always reveal the problem.

Switch# show interfaces trunk

show interfaces switchport

When applied to a specific interface, this command reveals whether the port is in access or trunk mode, the assigned access VLAN, the native VLAN if trunking, and the administrative and operational mode of the interface.

Switch# show interfaces GigabitEthernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Sales)
Trunking Native Mode VLAN: 1 (default)
...

Additional Useful Commands

Command                                  Purpose
show vlan id 10                          Display detailed information about a specific VLAN
show mac address-table vlan 10           Show MAC addresses learned on ports in VLAN 10
show running-config interface Gi0/1      View the full configuration of a specific interface
show interfaces status                   Quick overview of all ports with VLAN assignment and status
show ip interface brief                  Verify SVI interfaces are up/up for inter-VLAN routing

Common Pitfall

If you assign a port to a VLAN that does not exist on the switch, the port will be inactive and will not forward traffic. The VLAN must be created in the VLAN database first using the vlan [id] command in global configuration mode. The show vlan brief output will show the port listed under the nonexistent VLAN, but the VLAN will not appear in the VLAN list, indicating the problem.

CCNA Exam Tips for VLAN Questions

VLANs and trunking are heavily tested on the CCNA 200-301 exam under the "Network Access" domain, which accounts for approximately 20% of the total exam score. Here are the key areas to focus your study on.

Tip 1: Know the Default Behaviors

All ports start in VLAN 1. The native VLAN defaults to VLAN 1. DTP is enabled by default. A trunk allows all VLANs by default. Many exam questions test whether you know what happens when you do not explicitly configure something.

Tip 2: Native VLAN Mismatches

The exam frequently presents scenarios where a trunk is configured but traffic for one VLAN is not working. Check for native VLAN mismatches. Both ends of a trunk must agree on the native VLAN. CDP will report a native VLAN mismatch, but the trunk will still form.

Tip 3: Allowed VLAN Lists

If a VLAN is not in the trunk's allowed list, its traffic will not cross that trunk. The command switchport trunk allowed vlan add 30 adds VLAN 30 to the existing list without removing other VLANs. Forgetting the add keyword replaces the entire allowed list, which is a common mistake in both real life and on the exam.

Tip 4: VLAN Must Exist on Both Switches

A VLAN must be created on every switch where it is needed. If Switch A has VLAN 10 but Switch B does not, traffic tagged as VLAN 10 that arrives at Switch B will be dropped. Use show vlan brief on each switch to verify.
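Tips 1 through 4, together with the "Securing the Trunk" section earlier, describe mistakes that are all visible in the running configuration, which means they can be checked mechanically before a trunk is ever brought up. The following Python audit is an added example, not code from the article or a Cisco tool: it parses a small subset of running-config syntax (hostname, vlan, interface blocks with switchport commands), flags default behaviours left in place on one switch, and compares both ends of a trunk for native VLAN, allowed-list and missing-VLAN problems. The two switch configurations embedded at the bottom are constructed for the demo; SW-A mirrors the configuration built in this guide and SW-B deliberately contains the mistakes the tips warn about.

```python
"""Audit VLAN and trunk configuration for the mistakes in Tips 1-4 and in
"Securing the Trunk". Added example, not code from the article; the configs
at the bottom are constructed and SW-B is intentionally wrong."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ALL_VLANS = frozenset(range(1, 4095))      # a trunk allows every VLAN by default (Tip 1)


@dataclass
class Interface:
    name: str
    mode: Optional[str] = None             # None = not set, DTP decides (Tip 1)
    access_vlan: int = 1                   # default VLAN 1 (Tip 1)
    native_vlan: int = 1                   # default native VLAN 1 (Tip 1)
    allowed: Optional[Set[int]] = None     # None = all VLANs allowed
    nonegotiate: bool = False


@dataclass
class SwitchConfig:
    hostname: str = "Switch"
    vlans: Set[int] = field(default_factory=lambda: {1})
    interfaces: Dict[str, Interface] = field(default_factory=dict)


def parse_vlan_list(spec: str) -> Set[int]:
    """'10,20,30-32' -> {10, 20, 30, 31, 32}"""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_config(text: str) -> SwitchConfig:
    cfg, cur = SwitchConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            cur = None                     # any top-level line ends an interface block
        if not line or line.startswith("!"):
            continue
        if line.startswith("hostname "):
            cfg.hostname = line.split(None, 1)[1]
        elif line.startswith("vlan ") and line[5:].isdigit():
            cfg.vlans.add(int(line[5:]))
        elif line.startswith("interface "):
            cur = Interface(line.split(None, 1)[1])
            cfg.interfaces[cur.name] = cur
        elif cur is not None and line.startswith("switchport "):
            w = line.split()
            if w[1] == "mode":
                cur.mode = w[2]
            elif w[1:3] == ["access", "vlan"]:
                cur.access_vlan = int(w[3])
            elif w[1:4] == ["trunk", "native", "vlan"]:
                cur.native_vlan = int(w[4])
            elif w[1:4] == ["trunk", "allowed", "vlan"]:
                if w[4] == "add":          # 'add' extends the list; an all-VLAN list stays all (Tip 3)
                    if cur.allowed is not None:
                        cur.allowed |= parse_vlan_list(w[5])
                else:                      # without 'add' the whole list is replaced (Tip 3)
                    cur.allowed = parse_vlan_list(w[4])
            elif w[1] == "nonegotiate":
                cur.nonegotiate = True
    return cfg


def audit_switch(cfg: SwitchConfig):
    """Per-switch findings: defaults left in place and ports in VLANs that do not exist."""
    f = []
    for i in cfg.interfaces.values():
        tag = f"{cfg.hostname} {i.name}"
        if i.mode is None:
            f.append(f"{tag}: no explicit switchport mode, DTP can negotiate a trunk")
        if i.mode != "trunk" and i.access_vlan not in cfg.vlans:
            f.append(f"{tag}: access VLAN {i.access_vlan} not in the VLAN database")
        if i.mode == "trunk":
            if i.native_vlan == 1:
                f.append(f"{tag}: trunk still uses native VLAN 1")
            if not i.nonegotiate:
                f.append(f"{tag}: trunk without switchport nonegotiate")
            if i.allowed is None:
                f.append(f"{tag}: trunk allows all VLANs (no allowed list)")
    return f


def audit_trunk_link(a: SwitchConfig, a_if: str, b: SwitchConfig, b_if: str):
    """Both-ends findings: native VLAN (Tip 2), allowed lists (Tip 3), missing VLANs (Tip 4)."""
    ia, ib = a.interfaces[a_if], b.interfaces[b_if]
    f = []
    if ia.native_vlan != ib.native_vlan:
        f.append(f"native VLAN mismatch: {a.hostname} {ia.native_vlan} vs {b.hostname} {ib.native_vlan}")
    allow_a = ia.allowed if ia.allowed is not None else ALL_VLANS
    allow_b = ib.allowed if ib.allowed is not None else ALL_VLANS
    for v in sorted(a.vlans | b.vlans):            # only VLANs that exist somewhere matter
        if (v in allow_a) != (v in allow_b):
            side = a.hostname if v in allow_a else b.hostname
            f.append(f"VLAN {v} allowed only on the {side} side of the trunk")
        elif v in allow_a:
            for sw in (a, b):
                if v not in sw.vlans:
                    f.append(f"VLAN {v} allowed on the trunk but not created on {sw.hostname}")
    return f


SW_A = """\
hostname SW-A
vlan 10
 name Sales
vlan 20
 name Engineering
vlan 99
 name Management
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
"""

SW_B = """\
hostname SW-B
vlan 10
 name Sales
vlan 99
 name Management
interface GigabitEthernet0/5
 switchport access vlan 30
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""
```

Feeding both configs through `parse_config` and then `audit_switch` and `audit_trunk_link(a, "GigabitEthernet0/24", b, "GigabitEthernet0/24")` reports nothing for SW-A, five findings for SW-B (no explicit mode and a nonexistent VLAN 30 on Gi0/5; native VLAN 1, no nonegotiate and an unpruned allowed list on Gi0/24), and three link-level findings: the native VLAN mismatch, VLAN 1 allowed on only the SW-B side, and VLAN 20 allowed on the trunk but never created on SW-B. The same parser also shows the Tip 3 trap: a second `switchport trunk allowed vlan 30` without `add` leaves only VLAN 30 on the trunk.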

Tip 5: Subinterface Numbers Are Arbitrary

On a router-on-a-stick configuration, the subinterface number (e.g., Gi0/0.10) does not have to match the VLAN number. It is the encapsulation dot1Q command that binds the subinterface to a specific VLAN. However, best practice is to match them for readability, and most exam scenarios follow this convention.

Tip 6: The Physical Interface Must Be Up

For router-on-a-stick, the physical interface (e.g., Gi0/0) must be in the no shutdown state, even though you configure IP addresses only on the subinterfaces. If the physical interface is administratively down, all subinterfaces will also be down.

Quick Command Reference for VLAN Exam Questions

Create VLAN: vlan 10 + name Sales

Access port: switchport mode access + switchport access vlan 10

Trunk port: switchport mode trunk + switchport trunk allowed vlan 10,20,99

Native VLAN: switchport trunk native vlan 99

Disable DTP: switchport nonegotiate

ROAS subinterface: encapsulation dot1Q 10 + IP address

SVI: interface vlan 10 + IP address + ip routing

Verify: show vlan brief, show interfaces trunk, show interfaces switchport

Wrapping Up

VLANs and trunk ports form the backbone of modern switched networks, and they represent one of the most significant topic areas on the CCNA 200-301 exam. The concepts themselves are straightforward once you internalize the fundamental principle: VLANs segment broadcast domains at Layer 2, access ports connect end devices to a single VLAN, and trunk ports carry multiple VLANs between infrastructure devices using 802.1Q tagging.

Where most students struggle is not with the theory but with the practical details. Remembering that the native VLAN must match on both ends of a trunk, knowing that you need to use the add keyword when modifying an allowed VLAN list, understanding that a VLAN must exist in the database before ports can be assigned to it, and being comfortable with the verification commands are all skills that separate candidates who pass from candidates who do not.

Practice these configurations in a lab environment, whether that is physical hardware, Cisco Packet Tracer, GNS3, or the Network Simulator right here on this site. The muscle memory you build by typing these commands repeatedly will serve you well on exam day and throughout your networking career.

For a deeper dive into the Network Access domain, check out our full Network Access Study Guide, and test your knowledge with our Practice Questions.