
VLANs


10 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard

🟢 Easy (3)

1. What is a VLAN and what problem does it solve?

Answer: A VLAN (Virtual LAN) partitions one physical switch into separate Layer 2 broadcast domains. Hosts in different VLANs cannot exchange frames at Layer 2 (a Layer 3 device has to route between them), which contains broadcast traffic and lets you segment users, servers and management traffic for security, performance and tidiness.

Remember: "VLAN = Virtual LAN." It segments a physical switch into multiple broadcast domains. VLAN 1 is the default (avoid for security).

2. What does an 802.1Q tag contain and how large is it?

Answer: An 802.1Q tag is 4 bytes inserted into the Ethernet header between the source MAC address and the EtherType. It consists of a 16-bit TPID (0x8100) followed by a 16-bit TCI: a 3-bit Priority Code Point (PCP), a 1-bit Drop Eligible Indicator (DEI) and a 12-bit VLAN ID. VIDs 0 and 4095 are reserved, so 1-4094 are usable.

Remember: "802.1Q tag = 4-byte header inserted into the Ethernet frame." It carries the VLAN ID (12 bits = up to 4094 usable VLANs).

3. What is the difference between an access port and a trunk port?

Answer: An access port belongs to one VLAN and sends/receives untagged frames, so the attached end device is VLAN-unaware. A trunk port carries multiple VLANs over one link, marking each frame with an 802.1Q tag (except frames in the native VLAN, which cross untagged); trunks connect switches, routers, hypervisors and other VLAN-aware hosts.

Remember: "Trunk port carries multiple VLANs (tagged). Access port carries one VLAN (untagged)."

Gotcha: Misconfigured trunk ports (wrong mode, mismatched native VLAN, or a VLAN missing from the allowed list) are a top cause of VLAN connectivity problems between switches.
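Added example, not part of the deck: a small 802.1Q encoder/decoder in Python that lays out the tag exactly as the card describes (TPID, then PCP/DEI/VID in the TCI) and walks a stack of tags, so it also handles QinQ (0x88A8 outer tag) and the two-tag shape used in double-tagging. The MAC addresses and ARP payload are constructed sample data, not captured traffic.

```python
import struct

TPID_8021Q = 0x8100   # customer tag (C-TAG), the ordinary 802.1Q TPID
TPID_8021AD = 0x88A8  # service tag (S-TAG) used by QinQ (802.1ad)
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, tags, ethertype, payload).

    tags is a list of dicts (outermost first) with keys tpid, pcp, dei, vid:
    an untagged frame yields [], a normal 802.1Q frame one entry, and a
    double-tagged (QinQ or VLAN-hopping) frame two entries.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off = 12
    tags = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame truncated inside the header")
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype not in TAG_TPIDS:
            break                       # real EtherType reached, tag stack ends
        if off + 4 > len(frame):
            raise ValueError("frame truncated inside an 802.1Q tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,           # 3-bit Priority Code Point
            "dei": (tci >> 12) & 1,     # 1-bit Drop Eligible Indicator
            "vid": tci & 0x0FFF,        # 12-bit VLAN ID
        })
        off += 4                        # each tag is exactly 4 bytes
    return dst, src, tags, ethertype, frame[off + 2:]


def build_frame(dst, src, ethertype, payload, vids=(), pcp=0, dei=0, tpid=TPID_8021Q):
    """Build an Ethernet frame, inserting one 4-byte tag per VID (outermost first)."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    header = bytes(dst) + bytes(src)
    for vid in vids:
        if not 1 <= vid <= 4094:
            # 0 means "priority-tagged, no VLAN" and 4095 is reserved
            raise ValueError("VLAN ID must be 1-4094, got %d" % vid)
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
        header += struct.pack("!HH", tpid, tci)
    return header + struct.pack("!H", ethertype) + bytes(payload)


def vlan_ids(frame):
    """Convenience: just the VID stack of a frame, outermost first."""
    return [t["vid"] for t in parse_frame(frame)[2]]


# Constructed sample addresses/payload for a stand-alone run (not captured traffic).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
ARP = 0x0806
PAYLOAD = b"\x00" * 28  # an ARP body is 28 bytes; contents irrelevant here

if __name__ == "__main__":
    untagged = build_frame(DST, SRC, ARP, PAYLOAD)
    tagged = build_frame(DST, SRC, ARP, PAYLOAD, vids=[100], pcp=5)
    double = build_frame(DST, SRC, ARP, PAYLOAD, vids=[1, 200])  # double-tag shape
    for name, f in (("untagged", untagged), ("tagged", tagged), ("double", double)):
        print(name, len(f), "bytes, VIDs:", vlan_ids(f))
```

The tagged frame is exactly 4 bytes longer than the untagged one, which is the MTU caveat in the hard section: a 1500-byte IP packet becomes a 1522-byte frame on the wire once the tag and FCS are counted.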

🟡 Medium (4)

1. What is the native VLAN and why is a mismatch dangerous?

Answer: The native VLAN is the one VLAN whose frames cross a trunk untagged (Cisco default: VLAN 1); a trunk port assigns any untagged frame it receives to its native VLAN. If the two ends of a trunk use different native VLANs, frames one switch sends untagged as, say, VLAN 10 arrive on the other switch and are placed in VLAN 1, so the two VLANs are silently bridged and hosts see inexplicable connectivity problems. The same "untagged means native" rule is what double-tagging VLAN hopping abuses, so the native VLAN should match on both ends, be moved off VLAN 1, and preferably be tagged.

2. How do you create a VLAN interface on Linux using iproute2?

Answer: Load the tagging module if needed (`modprobe 8021q`; recent kernels autoload it on first use), then run `ip link add link eth0 name eth0.100 type vlan id 100`, assign an address with `ip addr add 10.100.0.5/24 dev eth0.100`, and bring it up with `ip link set eth0.100 up`. Confirm with `ip -d link show eth0.100`, which prints the VLAN protocol and ID. The parent eth0 needs no address of its own but must be up, and the switch port it plugs into must trunk VLAN 100.

3. How does inter-VLAN routing work and what are the two common approaches?

Answer: VLANs are separate Layer 2 domains, so a Layer 3 device must route between them. Router-on-a-stick: one router port on a trunk, with an 802.1Q sub-interface (and IP address) per VLAN; simple, but every inter-VLAN packet crosses that single link twice. Layer 3 switch: an SVI (Switched Virtual Interface) per VLAN acts as that VLAN's gateway and forwarding happens in hardware at line rate. In both designs the ACLs on those routed interfaces are where inter-VLAN access control is actually enforced.

Remember: "Inter-VLAN routing requires a Layer 3 device." Either a router (router-on-a-stick) or a Layer 3 switch with SVIs.

4. A host on VLAN 100 can reach other hosts on the same switch but not hosts on VLAN 100 on a different switch. What is the most likely cause?

Answer: The trunk between the switches is not carrying VLAN 100: either the VLAN is missing from the trunk's allowed list or it does not exist on the second switch. Verify with `show interfaces trunk` (check both the allowed and the active columns) and `show vlan brief`, then add it with `switchport trunk allowed vlan add 100`. Mind the keyword: `switchport trunk allowed vlan 100` without `add` replaces the whole allowed list and knocks every other VLAN off the trunk.

🔴 Hard (3)

1. A Linux VLAN interface (eth0.100) is up and has an IP assigned, but no traffic passes. List four things to check.

Answer: (1) The parent interface eth0 is up and has carrier (`ip link show eth0` should show `state UP` and `LOWER_UP`). (2) The 8021q module is loaded (`lsmod | grep 8021q`) and the sub-interface really carries VID 100 (`ip -d link show eth0.100`). (3) The switch port is in trunk mode with VLAN 100 in its allowed list; if 100 happens to be the trunk's native VLAN, the switch sends it untagged and eth0.100 will never see it. (4) MTU: the VLAN device's MTU cannot exceed its parent's, and the 4-byte tag rides on top of that, so if the NIC or something in the path cannot pass 1522-byte frames, full-size packets are dropped while small pings still succeed.
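Added example, not from the deck: a host-side checker in Python that runs the four checks above against the kernel's own interfaces (`/proc/net/vlan/config` for the VID and parent, `/sys/class/net/<dev>/` for operstate, carrier, MTU and counters). The `read` callback is injectable so the same logic runs on a constructed snapshot of those files; the `SAMPLE` dict is made-up data describing a host whose switch port is not delivering VLAN 100, and the interface names and function names are this example's own.

```python
import os


def _fs_reader(root="/"):
    """Reader over the real kernel interfaces under root (/proc and /sys)."""
    def read(rel):
        try:
            with open(os.path.join(root, rel)) as fh:
                return fh.read().strip()
        except OSError:          # missing file, or EINVAL from carrier on a down link
            return None
    return read


def vlan_config(read):
    """Parse /proc/net/vlan/config into {vlan_dev: (vid, parent_dev)}.

    8021q writes a header line, a Name-Type line, then one
    '<vlan dev>| <vid>  | <parent>' line per VLAN interface.
    """
    text = read("proc/net/vlan/config")
    if text is None:
        return None                         # file absent: 8021q not loaded
    result = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[1].isdigit():
            result[parts[0]] = (int(parts[1]), parts[2])
    return result


def check_vlan_iface(vlan_dev, expected_vid=None, read=None):
    """Return a list of findings; an empty list means the host-side checks passed."""
    read = read or _fs_reader()
    findings = []
    cfg = vlan_config(read)
    if cfg is None:
        findings.append("8021q module not loaded: /proc/net/vlan/config missing (try modprobe 8021q)")
        return findings
    if vlan_dev not in cfg:
        findings.append("%s is not a VLAN interface known to 8021q (ip -d link show %s)" % (vlan_dev, vlan_dev))
        return findings
    vid, parent = cfg[vlan_dev]
    if expected_vid is not None and vid != expected_vid:
        findings.append("%s carries VID %d, expected %d" % (vlan_dev, vid, expected_vid))

    # (1) parent link must be administratively up and have carrier
    if read("sys/class/net/%s/operstate" % parent) != "up":
        findings.append("parent %s is not up (ip link set %s up)" % (parent, parent))
    if read("sys/class/net/%s/carrier" % parent) != "1":
        findings.append("parent %s has no carrier: check cable and switch port" % parent)

    # (2) the VLAN interface itself must be up
    if read("sys/class/net/%s/operstate" % vlan_dev) != "up":
        findings.append("%s is not up" % vlan_dev)

    # (4) MTU: the VLAN device cannot exceed its parent; the 4-byte tag is added on top
    mtu_p = read("sys/class/net/%s/mtu" % parent)
    mtu_v = read("sys/class/net/%s/mtu" % vlan_dev)
    if mtu_p and mtu_v and int(mtu_v) > int(mtu_p):
        findings.append("%s MTU %s exceeds parent MTU %s" % (vlan_dev, mtu_v, mtu_p))

    # (3) the switch side cannot be read from the host, but a silent VLAN interface
    #     on a busy parent strongly suggests the trunk is not delivering that VID
    rx_p = read("sys/class/net/%s/statistics/rx_packets" % parent)
    rx_v = read("sys/class/net/%s/statistics/rx_packets" % vlan_dev)
    if rx_p and rx_v and int(rx_p) > 0 and int(rx_v) == 0:
        findings.append("%s received 0 frames while %s received %s: check trunk mode / allowed VLAN %d on the switch port"
                        % (vlan_dev, parent, rx_p, vid))
    return findings


# Constructed snapshot (not a real host): eth0 is up and busy, eth0.100 exists
# with the right VID and MTU, but has never received a frame.
SAMPLE = {
    "proc/net/vlan/config": (
        "VLAN Dev name\t | VLAN ID\n"
        "Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD\n"
        "eth0.100       | 100  | eth0"
    ),
    "sys/class/net/eth0/operstate": "up",
    "sys/class/net/eth0/carrier": "1",
    "sys/class/net/eth0/mtu": "1500",
    "sys/class/net/eth0/statistics/rx_packets": "48213",
    "sys/class/net/eth0.100/operstate": "up",
    "sys/class/net/eth0.100/mtu": "1500",
    "sys/class/net/eth0.100/statistics/rx_packets": "0",
}


def sample_reader(rel):
    return SAMPLE.get(rel)


if __name__ == "__main__":
    for finding in check_vlan_iface("eth0.100", expected_vid=100, read=sample_reader):
        print("-", finding)
```

Run it as root on a real host by calling `check_vlan_iface("eth0.100", expected_vid=100)` with the default reader; on the constructed snapshot the only finding is the zero receive counter, which points at the switch port rather than at the host.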

2. How does Multus CNI enable VLAN access for Kubernetes pods?

Answer: Multus is a meta-CNI that attaches additional network interfaces to a pod. A NetworkAttachmentDefinition can reference a macvlan, ipvlan or host-device plugin whose master is a VLAN sub-interface on the node (e.g., eth0.200), giving the pod a second NIC directly on that VLAN while its primary interface stays on the cluster overlay. The node must already have that sub-interface (and its uplink must trunk the VLAN), and traffic on the secondary interface bypasses the cluster network and its NetworkPolicy enforcement, so access control for it has to live on the VLAN itself.

3. What is a VLAN hopping attack and how do you prevent it?

Answer: VLAN hopping lets a host inject frames into a VLAN it is not a member of without passing through a router. Two variants: switch spoofing, where the attacker's port negotiates itself into a trunk via DTP (Dynamic Trunking Protocol) and can then tag frames for any VLAN; and double tagging, where an attacker on the native VLAN sends a frame with two 802.1Q tags, the first switch strips the outer (native) tag before forwarding across the trunk, and the second switch honours the inner tag. Prevent it by: putting every user-facing port explicitly in access mode (`switchport mode access`) and disabling DTP (`switchport nonegotiate`), setting trunks' native VLAN to an unused VLAN that no access port belongs to, tagging the native VLAN on trunks (`vlan dot1q tag native`) so stripped outer tags cannot expose an inner one, pruning each trunk's allowed VLAN list to what it needs, and shutting down unused ports in an unused VLAN.