30 Essential VLAN Interview Questions & Answers (Most Network Engineers Miss #7)

A VLAN is a logical segmentation construct implemented in switching ASICs to divide a Layer 2 broadcast domain into multiple isolated networks. At the hardware level, VLAN identifiers are used as part of forwarding lookups—frame ingress VLAN assignment determines the CAM population, rewriting operations, and STP instance mapping. VLANs do not inherently route traffic; routing occurs through SVIs or routed interfaces.

Key reasons:

• Segmentation – Reduces scope of broadcast storms and isolates traffic.
• Security – Provides L2 separation of sensitive departments (PCI, Finance, HR).
• Performance – Reduces unnecessary flooding and optimizes CAM table utilization.
• Logical grouping – VLANs allow network engineers to group users without physical constraints.
• Policy enforcement – VLANs connect with ACLs, VRFs, PVLANs, and QoS marking.

VLAN 1 is default. It is important because:

• Many control-plane protocols (CDP, VTP, PAgP) originally ran untagged on VLAN 1.
• Keeping VLAN 1 unused and isolated is a widely accepted security best practice.

The ASIC forwards broadcasts only within the VLAN’s hardware forwarding table entries. STP, MAC learning, ARP, and DHCP broadcasts stay inside the VLAN. No L3 boundary crossing occurs without routing.

A trunk port is a Layer 2 port configured to carry frames for multiple VLANs. Inside the ASIC:

• Each ingress frame is evaluated for 802.1Q tag presence.
• The VLAN ID is extracted and passed into the forwarding pipeline.
• Egress logic applies tagging or untagging based on port mode configuration.

Trunks preserve VLAN separation across multiple switches by encapsulating Layer 2 frames with a VLAN tag.

An access port assigns a single VLAN ID to all ingress traffic. Frames are forwarded untagged. The switch associates the port’s VLAN ID in hardware for CAM population, ensuring that MAC entries include VLAN context.

IEEE 802.1Q tagging inserts a 4-byte header in the Ethernet frame between the source MAC address and the EtherType field. Components:

• TPID (Tag Protocol Identifier) – 0x8100
• PCP (Priority Code Point) – 3 bits (QoS)
• DEI (Drop Eligible Indicator) – 1 bit
• VID (VLAN Identifier) – 12 bits (1–4094)

At ASIC level, the tag is parsed by the ingress MACsec/Ethernet parser, and the VLAN ID becomes an index into the L2 forwarding database.

Most engineers do not know that the switch removes the tag before forwarding the frame out an access port. This is a real interview differentiator.

The VLAN whose frames are sent untagged via a trunk. Cisco defaults this to VLAN 1, but best practice is to use a dedicated, unused VLAN due to security concerns.

It exposes the environment to VLAN hopping attacks, untagged protocol leakage, and possible convergence anomalies.

The list of VLANs permitted across a trunk. They restrict broadcast propagation and reduce STP instance overhead.

VTP (VLAN Trunking Protocol) is a Cisco L2 control protocol that synchronizes VLAN databases across switches. It sends advertisements containing:

• VLAN IDs
• VLAN names
• VLAN status
• Revision number

This protocol has historically led to many enterprise-wide outages when a switch with a higher revision number overwrites VLAN data.

• Server – Stores VLANs in vlan.dat. Generates updates.
• Client – Cannot create VLANs; stores VLANs in RAM only.
• Transparent – Does not learn from VTP; forwards advertisements.
• Off (IOS XE) – Completely disables VTP.

A trivial trunk connection to a test switch with a higher revision can wipe enterprise VLANs. This is a classic CCIE troubleshooting lab scenario.

Occurs via:

• Router-on-a-stick
• Multilayer switches with SVIs

On a Catalyst or Nexus switch:

• SVI MAC is installed in hardware
• ASIC handles L3 lookup based on VLAN + MAC
• ARP tables enable host reachability
• Routing occurs at line rate (except special cases)

An SVI (Switched Virtual Interface) provides L3 termination for a VLAN. It is essentially a VLAN interface that participates in L3 routing.

Hardware flow:

1. Frame ingresses into VLAN X
2. MAC is matched within VLAN X
3. If destination MAC matches SVI MAC → punt to L3 pipeline
4. Routing decision made
5. Frame is rewritten with new MAC and VLAN tag

DTP negotiates trunking using frames sent to multicast MAC 01:00:0c:cc:cc:cc. Attackers can spoof DTP desirable mode and force port mode to trunk — gaining access to multiple VLANs. Therefore, disable DTP on all user-facing ports.

PVLANs break a single primary VLAN into:

• Isolated – Only talk to promiscuous ports
• Community – Talk among each other and to promiscuous
• Promiscuous – Typically router or firewall

ASIC-level handling requires maintaining separate mapping tables for primary/secondary VLANs. Broadcasts are restricted based on community.

Two attack types:

1. Switch Spoofing – Using DTP to trick the switch
2. Double Tagging – Insert two tags (outer native VLAN, inner victim VLAN)

Defense:

• disable DTP
• tag native VLAN
• use unused VLAN for native
• hardcode all ports to access mode

QinQ (802.1ad) stacks two VLAN tags:

• Outer tag (Service Provider VLAN – S-VLAN)
• Inner tag (Customer VLAN – C-VLAN)

Used for Metro Ethernet and large-scale L2 VPN services.

1–4094. IDs 1002–1005 are reserved for legacy technologies (Token Ring, FDDI), though modern switches replicate this for backward compatibility.

VTP pruning restricts VLANs on trunks dynamically based on need. Only VLANs with active ports are forwarded across trunks. Reduces unnecessary broadcasts.

• ISL (Cisco proprietary, adds 30 bytes, obsolete)
• 802.1Q (industry standard, adds 4 bytes)

802.1Q supports native VLAN; ISL does not.

• up/up – VLAN exists and has active ports
• down/down – No ports assigned or VLAN shutdown
• administratively down – Interface manually disabled

SVIs depend on spanning-tree state; blocked VLANs cannot forward traffic.

Voice VLAN allows a switch port to have:

• Data VLAN (untagged)
• Voice VLAN (tagged)

Phones use LLDP-MED or CDP to learn voice VLAN ID. ASIC applies CoS trusting and queue assignment per tag.

Occurs when trunk ends have different native VLAN configurations. Results in:

• Traffic leaks
• STP topology inconsistencies
• Double-tagging vulnerabilities

Avoid:

• VLAN 1 – security risk
• VLAN 1002–1005 – legacy, unnecessary
• VLANs used for management should be isolated

MAC address appears on two ports due to:

• Layer 2 loops
• Misconfigured trunk
• MLAG/vPC failure
• Mismatched links

Deep troubleshooting requires checking CAM table aging times and spanning-tree topology.