Why VLANs exist — the three reasons
How VLANs work — the basics
Without VLANs, every device connected to a switch is in the same network — they can all talk to each other and they all receive each other's broadcast traffic. As networks grow, this becomes a performance and security problem.
A managed switch lets you assign each port to a VLAN. Ports 1–8 might be VLAN 10 (Staff), ports 9–16 might be VLAN 20 (Servers), and ports 17–24 might be VLAN 30 (Guest Wi-Fi). Devices on VLAN 10 can only send traffic to other devices on VLAN 10. Traffic between VLANs has to be routed — it must leave the switch, pass through a router or Layer 3 switch, and return.
Access ports vs trunk ports
This is one of the most tested VLAN concepts on Network+. The two port types serve completely different purposes and the exam regularly asks you to identify which one should be used in a given scenario.
| Port Type | Carries | Connects to | Frame tagging |
|---|---|---|---|
| Access port | One VLAN only | End devices — PCs, printers, phones, APs | Untagged — the device doesn't know about VLANs |
| Trunk port | Multiple VLANs | Other switches, routers, or Layer 3 switches | Tagged with 802.1Q — each frame carries its VLAN ID |
If the scenario describes a connection to an end user device (PC, laptop, printer, IP phone, wireless AP) → access port.
If the scenario describes a connection between two switches, or between a switch and a router → trunk port.
The end device on an access port has no idea VLANs exist — it just sees a normal network connection. The switch handles the VLAN assignment silently.
802.1Q tagging
802.1Q is the IEEE standard that makes VLANs work across trunk links. When a frame crosses a trunk port, the switch inserts a 4-byte 802.1Q tag into the Ethernet frame header. This tag contains the VLAN ID (0–4094), allowing the receiving switch to know which VLAN the frame belongs to and forward it to the correct ports.
```
Standard Ethernet frame:
[ Dest MAC ] [ Src MAC ] [ EtherType ] [ Payload ] [ FCS ]

802.1Q tagged frame (trunk link):
[ Dest MAC ] [ Src MAC ] [ 802.1Q Tag (4 bytes) ] [ EtherType ] [ Payload ] [ FCS ]
                          ↳ TPID (0x8100)
                          ↳ PCP (priority bits)
                          ↳ VLAN ID (12 bits = 0–4094)
```
The native VLAN is the one VLAN on a trunk port whose traffic is sent untagged. By default this is VLAN 1. If a switch receives an untagged frame on a trunk port, it assigns it to the native VLAN.
Security note: A known attack called VLAN hopping can exploit mismatched native VLANs between switches. Best practice is to change the native VLAN to an unused VLAN ID and not assign any user devices to VLAN 1.
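To make the tag layout and native-VLAN behaviour concrete, here is an added example (not from the original article) that builds Ethernet frames with and without an 802.1Q tag, parses them the way a trunk port would (untagged frames fall into the native VLAN), and flags any frame that ends up in the default VLAN 1. The MAC addresses and payload bytes are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; if vlan_id is given, insert a 4-byte
    802.1Q tag between the source MAC and the EtherType. The FCS is omitted
    because NICs add and strip it in hardware."""
    frame = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)   # PCP(3) | DEI(1) | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload

def parse_frame(frame, native_vlan=1):
    """Classify a frame as a trunk port would: tagged frames yield their VID,
    untagged frames are assigned the trunk's native VLAN."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return {"vlan": tci & 0x0FFF, "pcp": tci >> 13, "tagged": True,
                "ethertype": inner_type, "payload": frame[18:]}
    return {"vlan": native_vlan, "pcp": 0, "tagged": False,
            "ethertype": ethertype, "payload": frame[14:]}

def audit_trunk(frames, native_vlan=1):
    """Return one warning per frame that lands in VLAN 1 (the default native
    VLAN), which the best practice above says should carry no user traffic."""
    warnings = []
    for i, frame in enumerate(frames):
        info = parse_frame(frame, native_vlan)
        if info["vlan"] == 1:
            how = "tagged VID 1" if info["tagged"] else "untagged, native VLAN 1"
            warnings.append(f"frame {i}: {how}")
    return warnings

# Constructed sample frames (MACs and payload are made-up values)
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 19          # placeholder IPv4 header bytes
TAGGED_VLAN20 = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vlan_id=20, pcp=5)
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)

if __name__ == "__main__":
    print(parse_frame(TAGGED_VLAN20))             # vlan 20, pcp 5, tagged
    print(parse_frame(UNTAGGED, native_vlan=99))  # vlan 99, untagged
    print(audit_trunk([TAGGED_VLAN20, UNTAGGED])) # untagged frame lands in VLAN 1
```

Changing `native_vlan` to an unused ID, as the security note recommends, makes the audit come back clean for the untagged frame.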
Inter-VLAN routing
Devices on different VLANs cannot communicate directly — that's the whole point of VLANs. But sometimes you need them to. Inter-VLAN routing is how traffic moves between VLANs, and there are three common ways to implement it:
| Method | How it works | When to use |
|---|---|---|
| Router on a stick | One physical router port configured as a trunk — router uses sub-interfaces, one per VLAN | Small networks, when a dedicated Layer 3 switch isn't available |
| Layer 3 switch (SVI) | Switch performs routing in hardware using Switch Virtual Interfaces — one SVI per VLAN | Most enterprise networks — faster and more scalable than router-on-a-stick |
| Separate router interfaces | Each VLAN gets its own dedicated physical router interface | Very small networks only — doesn't scale, wastes router ports |
"Router on a stick" is the classic Network+ inter-VLAN routing scenario. The setup: one trunk link connects a switch to a router. The router has sub-interfaces (e.g. Gi0/0.10 for VLAN 10, Gi0/0.20 for VLAN 20), each configured with an IP address that becomes the default gateway for devices in that VLAN.
The name comes from the fact that all inter-VLAN traffic flows through a single physical link — the "stick."
Exam scenarios