A university puts student devices on VLAN 200 and a file server on VLAN 300. Students report they cannot access the file server. What is most likely needed?
A. The file server's VLAN ID must be changed to 200 to match the student VLAN
B. A router or Layer 3 switch must be configured to route traffic between VLAN 200 and VLAN 300
C. The trunk port connecting the switches must be reconfigured as an access port
D. Students' devices must have statically assigned IP addresses within the VLAN 300 subnet
VLANs are separate Layer 2 broadcast domains — devices in different VLANs cannot communicate at Layer 2 even if they share the same physical switch. Just as traffic between two physically separate networks requires a router, traffic between VLANs requires inter-VLAN routing: a router or Layer 3 switch must have an interface in both VLANs and forward packets between them. Changing VLAN IDs (option A) would break other things; trunk ports carry multiple VLANs but do not route between them; IP addressing alone (option D) does not enable routing.
Question 2 Multiple Choice
A network administrator says 'We put our accounting department on its own VLAN to keep their financial data secure from other users.' What is the most significant gap in this security model?
A. VLANs are only available on expensive enterprise switches, making cost-effective implementations impractical
B. VLAN segmentation is a Layer 2 control — a determined attacker with switch access could use VLAN-hopping techniques, and any inter-VLAN traffic is fully visible at the router where policy enforcement is needed anyway
C. VLANs cannot be used for security because 802.1Q tags can be stripped in transit by any device
D. The accounting VLAN will have degraded performance because all traffic must traverse extra switches
VLANs provide Layer 2 isolation but not true security. VLAN-hopping attacks (exploiting misconfigured trunk ports) can let an attacker reach other VLANs. More fundamentally, any traffic that crosses between the accounting VLAN and other systems must pass through a router, which must apply access control lists and firewall rules to enforce security policy. Real security requires Layer 3 controls, not just VLAN assignment. VLANs are a segmentation and performance tool that complements security — they are not themselves a security boundary.
Question 3 True / False
A trunk port connecting two managed switches carries traffic mainly for the VLAN assigned to that port.
T. True
F. False
Answer: False
This describes an *access* port, not a trunk port. An access port belongs to exactly one VLAN and connects to end devices. A *trunk* port carries traffic for multiple VLANs simultaneously between switches, using 802.1Q VLAN tagging — each frame gets a header inserted that identifies its VLAN ID, allowing the receiving switch to correctly forward or filter it. Trunk ports are what make it possible to span a single VLAN across multiple physical switches and carry many VLANs over one physical link.
Question 4 True / False
Two computers assigned to the same VLAN but connected to different physical switches can communicate at Layer 2, provided a trunk port links the switches.
T. True
F. False
Answer: True
VLANs are logical, not physical. The trunk port carries 802.1Q-tagged frames for all configured VLANs. When a frame arrives at the second switch with the VLAN tag of the shared VLAN, the switch forwards it to ports belonging to that VLAN. This allows a single logical broadcast domain to span an entire campus network. The VLAN ID in the tag maintains isolation — frames tagged for VLAN 10 are never forwarded to ports assigned to VLAN 20.
Question 5 Short Answer
Why do VLANs reduce broadcast traffic in large networks, and why does this matter for performance?
Model answer: A broadcast frame (such as an ARP request) is forwarded to every port in the same broadcast domain. Without VLANs, a single large switch places all ports in one broadcast domain — every broadcast reaches every device, which must process and discard it. VLANs partition the switch into smaller broadcast domains, so a broadcast from a device on VLAN 10 reaches only other VLAN 10 devices. In large networks with hundreds of devices, unconstrained broadcasts consume significant bandwidth and CPU time on every endpoint. VLANs limit this blast radius, reducing unnecessary traffic and processing overhead.
Broadcast reduction was one of the original motivations for VLANs. Protocols like ARP, DHCP, and NetBIOS generate substantial broadcast traffic; containing them to logically relevant groups (one VLAN per subnet) is essential for network scalability at enterprise scale.