CCNA Cisco Switching VLAN: Study Guide

Q: What's the difference between access ports and trunk ports?

Access ports belong to a single VLAN and do not tag frames. They are suitable for end devices like computers and printers. Trunk ports carry tagged frames for multiple VLANs and connect switches or switches to routers. An access port configured for VLAN 10 only processes traffic from that VLAN. A trunk port simultaneously carries traffic from many VLANs with VLAN tags. Use switchport mode access to configure access ports and specify the VLAN. Use switchport mode trunk for trunk ports. Trunk ports require encapsulation specification (802.1Q or ISL) and must have matching native VLANs on both ends. Mismatched native VLANs prevent VLAN hopping vulnerabilities but also break connectivity. The CCNA exam heavily tests identifying which port type should be used in different scenarios.

Q: How do I determine which switch becomes the root bridge in Spanning Tree Protocol?

The root bridge is elected based on the lowest bridge priority value. Priority ranges from 0 to 65535 in increments of 4096, with a default of 32768. If all switches have default priority, the switch with the lowest MAC address becomes root. Force a specific switch to be root by lowering its priority. Use the spanning-tree vlan priority command. For example, spanning-tree vlan 1 priority 0 guarantees that switch becomes the root for VLAN 1. The root bridge is critical because all path cost calculations reference it. This directly determines which ports block and which forward. Practice calculating root bridge selection by examining multiple switch topologies and bridge priorities. Understanding this concept is essential for predicting STP behavior on the CCNA exam.

Q: What is the native VLAN and why does it matter on trunk ports?

The native VLAN is the untagged VLAN on a trunk port. Both switches on a trunk must configure matching native VLANs to prevent connectivity issues and security vulnerabilities. By default, native VLAN is VLAN 1, but change it with switchport trunk native vlan. When traffic from the native VLAN is sent on a trunk, it is not tagged. The receiving switch interprets untagged frames as belonging to its configured native VLAN. If native VLANs mismatch, untagged traffic destined for one VLAN is interpreted as belonging to the other, breaking connectivity. VLAN hopping attacks exploit native VLAN mismatches by injecting tagged frames that get untagged and retagged into a sensitive VLAN. Always verify that native VLANs match on both ends of a trunk. Consider setting native VLAN to an unused VLAN number as a security best practice. The CCNA exam tests your understanding of native VLAN configuration and troubleshooting.

Q: How does inter-VLAN routing work, and when should I use router-on-a-stick versus a multilayer switch?

Inter-VLAN routing requires a Layer 3 device to forward packets between VLANs because VLANs are separate broadcast domains. Router-on-a-stick uses a single physical link configured with multiple subinterfaces. Each subinterface represents a VLAN with its own IP address serving as the default gateway. Router-on-a-stick works but creates a bottleneck. All inter-VLAN traffic crosses a single link, limiting throughput. A multilayer switch (Layer 3 switch) performs routing internally, offering superior throughput and lower latency. For small networks with light inter-VLAN traffic, router-on-a-stick is cost-effective. For larger networks or high-traffic environments, multilayer switches are preferable. The CCNA exam expects you to configure both scenarios. Router-on-a-stick requires trunk configuration and subinterface encapsulation. Multilayer switches need SVIs created with interface vlan commands and IP routing enabled with ip routing.

By FluentFlash Research Team·Updated 2026-04-30

CCNA cisco switching and VLAN technology is one of the most critical exam topics. These concepts cover essential networking infrastructure that every network administrator needs to master.

VLANs (Virtual Local Area Networks) enable you to segment physical networks into logical groups. This improves security, reduces congestion, and simplifies network management. Devices in different VLANs cannot communicate without a Layer 3 device like a router.

Understanding switching fundamentals prepares you for real-world network configuration. You will learn spanning tree protocol, VLAN trunking, inter-VLAN routing, and security features. These hands-on skills combine perfectly with flashcard-based learning and active recall practice.

This guide helps you master the VLAN and switching concepts tested on the CCNA exam. You will build the knowledge to configure secure, scalable networks and pass your certification test.

Key Takeaways

•VLANs create logical network segments within physical infrastructure, improving security and manageability by creating separate broadcast domains
•Trunk ports carry multiple VLAN traffic using IEEE 802.1Q or ISL encapsulation and require matching native VLANs on both ends to prevent connectivity issues
•Inter-VLAN routing is necessary for communication between VLANs and can be achieved via router-on-a-stick or multilayer switches, each with different performance characteristics
•Spanning Tree Protocol prevents network loops in redundant topologies by electing a root bridge and blocking redundant paths while maintaining backup connectivity
•Switch security features including port security, storm control, and BPDU guard protect network infrastructure from unauthorized access and attacks
•Mastering VLAN configuration commands, troubleshooting methodology, and understanding port roles in STP are essential for passing the CCNA exam and deploying production networks

Understanding VLANs and Network Segmentation

Virtual Local Area Networks are logical subdivisions of a physical network. VLANs operate independently even though devices share the same physical switch infrastructure.

How VLANs Work

VLANs use VLAN ID tagging to mark frames with a logical group number. Switches process traffic based on these logical groupings, not just physical port assignments. Each VLAN creates a separate broadcast domain, meaning devices in different VLANs cannot communicate without a router or multilayer switch.

Key Benefits of VLANs

Improved security by isolating sensitive departments
Reduced broadcast traffic congestion
Simplified network management and flexibility
Easy device assignment regardless of physical location

VLAN Assignment Methods

Static VLANs assign ports manually to specific VLAN numbers. This is the most common approach for the CCNA exam. Dynamic VLANs use protocols like VMPS to automatically assign ports based on MAC addresses or usernames.

VLAN Numbering Rules

VLANs 1-1005 store in the VLAN database on the switch. VLANs 1006-4094 store only in the running configuration. VLAN 1 is the default VLAN and cannot be deleted. This distinction matters for the CCNA exam.

Access Ports vs. Trunk Ports

Access ports belong to a single VLAN and carry only traffic for that VLAN. Use these for end devices like computers and printers. Trunk ports carry traffic for multiple VLANs simultaneously. Use these for switch-to-switch connections. Understanding when to use each port type is crucial for exam success and real networking.

VLAN Trunking Protocol and Configuration

VLAN trunks are connections between switches that carry traffic for multiple VLANs. Trunking protocols add special headers to identify which VLAN each frame belongs to.

Trunking Protocols

IEEE 802.1Q is the industry standard protocol. It is widely supported across vendors and adds a 4-byte VLAN tag to each frame. ISL (Inter-Switch Link) is Cisco proprietary and encapsulates the entire frame, adding more overhead than 802.1Q. The CCNA exam focuses heavily on 802.1Q.

Native VLAN Concept

The native VLAN is the untagged VLAN on a trunk port. Both switches must configure matching native VLANs, or connectivity breaks. By default, native VLAN is VLAN 1, but you can change it. Mismatched native VLANs cause VLAN hopping vulnerabilities and dropped frames.

Essential Trunk Configuration Commands

switchport mode trunk (enables trunking)
switchport trunk encapsulation dot1q (specifies 802.1Q)
switchport trunk allowed vlan (defines which VLANs traverse the trunk)
switchport trunk native vlan (sets the untagged VLAN)

Dynamic Trunking Protocol (DTP)

DTP automatically negotiates trunk formation between switches. The modes are on (always forms trunks), off (never forms trunks), desirable (attempts to form), and auto (passively accepts). DTP mismatches cause trunks to fail. The CCNA exam tests troubleshooting trunks that fail due to DTP or encapsulation conflicts.

Practice configuring multiple VLAN scenarios on switch simulators. This helps you internalize trunk configuration and troubleshoot real issues.

Inter-VLAN Routing and Communication

Devices in different VLANs cannot communicate by default because each VLAN is a separate broadcast domain. Inter-VLAN routing enables communication between VLANs using a Layer 3 device.

Router-on-a-Stick Method

This approach uses a single physical link between the switch and router. The link is configured as a trunk carrying multiple VLAN subinterfaces. Each subinterface represents a different VLAN with its own IP address serving as the default gateway.

Example configuration: Router(config-subif)# encapsulation dot1q 10 assigns VLAN 10 to that subinterface. This method is cost-effective for small networks but creates a bandwidth bottleneck since all inter-VLAN traffic crosses a single link.

Multilayer Switch Approach

Multilayer switches (Layer 3 switches) route traffic between VLANs internally at Layer 3. They contain both switching ASICs for Layer 2 and routing engines for Layer 3 operations. This approach provides superior performance and eliminates the bandwidth bottleneck.

SVI Configuration

Multilayer switches use Switched Virtual Interfaces (SVIs) to represent the Layer 3 presence of a VLAN. Create SVIs with the interface vlan command and enable IP routing globally with ip routing. SVIs are logical interfaces, while physical interfaces operate at Layer 2.

Choosing Between Methods

Use router-on-a-stick for small networks with light inter-VLAN traffic. Use multilayer switches for larger networks or high-traffic environments. The CCNA exam expects you to configure both scenarios and understand the trade-offs. Practice both methods on simulators to reinforce your understanding.

Spanning Tree Protocol and Preventing Network Loops

Spanning Tree Protocol (STP) prevents logical loops in redundant network topologies. When multiple switches connect in a mesh for redundancy, frames can circulate indefinitely and destabilize the network. STP automatically detects and blocks redundant paths.

How STP Works

STP uses Bridge Protocol Data Units (BPDUs) to communicate topology information. The protocol elects a root bridge based on bridge priority and MAC address. Each switch then calculates its root port (lowest cost to reach root) and designated ports (ports that forward on each segment). All other ports are blocked to prevent loops.

STP Port States

Disabled: Administratively shut down
Blocking: Does not forward frames, listens for BPDUs (20 seconds)
Listening: Hears BPDUs and prepares to forward (15 seconds)
Learning: Learns MAC addresses but doesn't forward data (15 seconds)
Forwarding: Actively forwards data frames and BPDUs

Total convergence time is typically 30-50 seconds (20 + 15 + 15). Only listening and learning states last their full duration.

Improvements to STP

Rapid Spanning Tree Protocol (RSTP) improves convergence to just a few seconds by introducing new port roles. Multiple Spanning Tree Protocol (MSTP) enables different spanning trees for different VLAN groups, providing better load balancing.

Exam Preparation Tips

Practice calculating path costs and identifying the root bridge in various topologies. Use network simulators to observe STP convergence in real-time. Understand how topology changes affect the spanning tree and port state transitions.

Switch Security, Port Security, and VLAN Best Practices

Switch security protects network infrastructure from unauthorized access and attacks. Understanding these features is essential for production network deployment.

Port Security Configuration

Port security limits the MAC addresses allowed on a specific port. Use the switchport port-security command to enable the feature. Specify allowed MAC addresses with switchport port-security mac-address. Set the maximum number of addresses with switchport port-security maximum.

Violation modes determine what happens when a port security limit is exceeded:

Shutdown (default): Disables the port completely
Restrict: Drops packets without logging
Protect: Only drops packets, logs nothing

Sticky MAC addresses combine static and dynamic learning. They remember learned addresses even after a reboot.

Additional Security Features

Access Control Lists (ACLs) protect sensitive VLANs by controlling traffic flow between network segments. Storm control prevents broadcast storms by limiting bandwidth percentage used by broadcast traffic. BPDU guard blocks ports that receive BPDUs, preventing unauthorized switch insertion.

VLAN Best Practices

Avoid using VLAN 1 for production traffic
Use proper VLAN numbering schemes for organization
Configure management VLANs for administrative access
Implement VLAN pruning to prevent unnecessary VLAN flooding
Ensure native VLANs match on all trunk ports
Use BPDU guard and root guard on access port edges

Understanding how these security features interact with spanning tree and VLAN operations ensures comprehensive network protection. Configure these features on practice switches and test how they respond to violations.

Start Studying CCNA Cisco Switching and VLANs

Ace your CCNA exam by mastering switching and VLAN concepts with intelligent, spaced-repetition flashcards. Our study tool helps you retain complex networking configurations, protocol behaviors, and troubleshooting scenarios through active recall practice.

Create Free Flashcards

Frequently Asked Questions

What's the difference between access ports and trunk ports?

Access ports belong to a single VLAN and do not tag frames. They are suitable for end devices like computers and printers. Trunk ports carry tagged frames for multiple VLANs and connect switches or switches to routers.

An access port configured for VLAN 10 only processes traffic from that VLAN. A trunk port simultaneously carries traffic from many VLANs with VLAN tags. Use switchport mode access to configure access ports and specify the VLAN. Use switchport mode trunk for trunk ports.

Trunk ports require encapsulation specification (802.1Q or ISL) and must have matching native VLANs on both ends. Mismatched native VLANs prevent VLAN hopping vulnerabilities but also break connectivity. The CCNA exam heavily tests identifying which port type should be used in different scenarios.

How do I determine which switch becomes the root bridge in Spanning Tree Protocol?

The root bridge is elected based on the lowest bridge priority value. Priority ranges from 0 to 65535 in increments of 4096, with a default of 32768. If all switches have default priority, the switch with the lowest MAC address becomes root.

Force a specific switch to be root by lowering its priority. Use the spanning-tree vlan priority command. For example, spanning-tree vlan 1 priority 0 guarantees that switch becomes the root for VLAN 1.

The root bridge is critical because all path cost calculations reference it. This directly determines which ports block and which forward. Practice calculating root bridge selection by examining multiple switch topologies and bridge priorities. Understanding this concept is essential for predicting STP behavior on the CCNA exam.

What is the native VLAN and why does it matter on trunk ports?

The native VLAN is the untagged VLAN on a trunk port. Both switches on a trunk must configure matching native VLANs to prevent connectivity issues and security vulnerabilities. By default, native VLAN is VLAN 1, but change it with switchport trunk native vlan.

When traffic from the native VLAN is sent on a trunk, it is not tagged. The receiving switch interprets untagged frames as belonging to its configured native VLAN. If native VLANs mismatch, untagged traffic destined for one VLAN is interpreted as belonging to the other, breaking connectivity.

VLAN hopping attacks exploit native VLAN mismatches by injecting tagged frames that get untagged and retagged into a sensitive VLAN. Always verify that native VLANs match on both ends of a trunk. Consider setting native VLAN to an unused VLAN number as a security best practice. The CCNA exam tests your understanding of native VLAN configuration and troubleshooting.

How does inter-VLAN routing work, and when should I use router-on-a-stick versus a multilayer switch?

Inter-VLAN routing requires a Layer 3 device to forward packets between VLANs because VLANs are separate broadcast domains. Router-on-a-stick uses a single physical link configured with multiple subinterfaces. Each subinterface represents a VLAN with its own IP address serving as the default gateway.

Router-on-a-stick works but creates a bottleneck. All inter-VLAN traffic crosses a single link, limiting throughput. A multilayer switch (Layer 3 switch) performs routing internally, offering superior throughput and lower latency.

For small networks with light inter-VLAN traffic, router-on-a-stick is cost-effective. For larger networks or high-traffic environments, multilayer switches are preferable. The CCNA exam expects you to configure both scenarios. Router-on-a-stick requires trunk configuration and subinterface encapsulation. Multilayer switches need SVIs created with interface vlan commands and IP routing enabled with ip routing.

What are the five Spanning Tree Protocol port states, and how long does each last?

STP port states control how ports transition from blocking to forwarding and prevent loops during convergence. Disabled ports are administratively shut down. Blocking ports do not forward frames and listen for BPDUs, lasting 20 seconds (max age timer). Listening ports hear BPDUs and prepare to forward but don't learn MAC addresses, lasting 15 seconds (forward delay). Learning ports forward BPDUs and learn MAC addresses but don't forward data frames, also lasting 15 seconds. Forwarding ports actively forward data frames and BPDUs.

Total convergence time from blocking to forwarding is typically 30-50 seconds (20 + 15 + 15). RSTP improves this by eliminating listening and learning as separate states, reducing convergence to just seconds. Memorize these states for the CCNA exam. Understand that only listening and learning states count toward the forward delay timing. This knowledge helps you troubleshoot connectivity delays after network topology changes.