VLANs Explained — Trunks, Access Ports, Native VLANs (CCNA Tutorial)
Free CCNA-level VLAN tutorial for US networking learners. Trunks, access ports, 802.1Q tagging, and native VLAN gotchas — the mental model that makes it click in 15 minutes.
If VLANs feel mushy, it’s because most courses dive into the commands before they explain the idea. Let’s flip that.
The one-line definition
A VLAN is a way to pretend one switch is several switches.
That’s it. Everything else — trunks, tagging, native VLANs — is plumbing to make that pretense work across more than one physical switch.
The four pieces, in order
You only need four concepts. Learn them in this order or you’ll get lost.
1. Access port
An access port belongs to exactly one VLAN. The device plugged in (a laptop, a printer) has no idea VLANs exist. The switch tags traffic on the way in, strips the tag on the way out.
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 10
That port is “in VLAN 10.” Done.
2. Trunk port
A trunk port carries multiple VLANs between switches. Tags stay on the frame as it crosses the link, so the next switch knows which VLAN each frame belongs to.
interface GigabitEthernet0/24
switchport mode trunk
switchport trunk allowed vlan 10,20,30
That port can carry VLANs 10, 20, and 30 to the next switch.
3. The 802.1Q tag
The tag is just 4 bytes of header inserted into the Ethernet frame on a trunk. It says “I belong to VLAN N.” Access ports don’t have tags on the wire — only trunks do.
4. The native VLAN
The native VLAN is the one VLAN on a trunk whose frames travel untagged. By default it’s VLAN 1, and that’s the first foot-gun.
If both ends of a trunk don’t agree on the native VLAN, frames get dropped or — worse — leak between VLANs.
The safe habit: set the native VLAN to something unused on both sides, and never put real devices in VLAN 1.
interface GigabitEthernet0/24
switchport trunk native vlan 999
A 30-second worked example
Two switches, two VLANs (10 and 20), one trunk between them:
PC-A (VLAN 10) ---- [SW1] ====trunk==== [SW2] ---- PC-B (VLAN 10)
PC-C (VLAN 20) ---- [SW1] PC-D (VLAN 20) ---- [SW2]
- PC-A’s frame hits SW1’s access port → SW1 tags it “VLAN 10.”
- It crosses the trunk with the tag intact.
- SW2 sees the tag, sends it out the port assigned to VLAN 10.
- SW2 strips the tag at the access port, hands the plain frame to PC-B.
PC-C → PC-D works the same way, just with VLAN 20 tags.
Why people get tripped up
Three traps, in order of frequency:
- Forgetting to allow the VLAN on the trunk. The VLAN exists; the access ports exist; but the trunk doesn’t carry that VLAN ID, so traffic dies at the first switch.
- Native VLAN mismatch. SW1’s native is VLAN 1, SW2’s is VLAN 99 — silent broken state.
- Forgetting that VLAN ≠ subnet, but they should match. Routers (or SVIs on Layer-3 switches) route between VLANs. Two devices in different VLANs cannot talk without a router, period — even if you put them in the same IP subnet.
What to lab tonight
In Packet Tracer or CML:
- Two switches, four PCs, two VLANs.
- Confirm PC-A can ping PC-B (same VLAN, different switch).
- Confirm PC-A cannot ping PC-C (different VLAN).
- Add a router-on-a-stick or an SVI; confirm PC-A can now ping PC-C.
- Break the trunk on purpose — change the native VLAN on one side. Watch what happens to your CDP/LLDP neighbors and Spanning-Tree messages.
That last step is where the concept actually moves into your bones. Don’t skip it.
Next up: ACLs: The Mental Model That Makes Them Click. If you want it the day it drops, grab the roadmap below.
Get posts like this by email.
One short, opinionated tutorial per week. Unsubscribe in one click.
We respect your inbox. One email per week, max. Unsubscribe any time.