VLAN Interview Questions & Answers

A VLAN (Virtual Local Area Network) is a way to segment a physical switch into separate logical broadcast domains. Each VLAN behaves like its own independent switch — a broadcast in VLAN 10 is never seen by VLAN 20 — yet they share the same physical hardware. This gives organization and security and lets you group users by role rather than by which switch they plug into.

👉 Interview tip: Lead with "a VLAN = one broadcast domain"; that single phrase signals you understand the L2 mechanism, not just the buzzword.

A VLAN segments a network at Layer 2 (a broadcast domain), while a subnet segments at Layer 3 (an IP address range). They are different things at different layers, but in well-designed networks they map 1:1 — VLAN 10 = 10.0.10.0/24, for example. That 1:1 mapping is convention, not a rule the protocol enforces.

👉 Interview tip: Say "VLAN is the L2 broadcast domain, subnet is the L3 address space; we keep them 1:1 for sanity." The follow-up is often "what happens if two subnets share one VLAN?" — answer: they can ARP each other and bypass your L3 controls.

Tagging marks each frame so the far switch knows which VLAN it belongs to. The switch inserts a 4-byte 802.1Q tag right after the source MAC (see the cheat-sheet above).

Q-tag structure: TPID (16 bits, 0x8100) + PCP/Priority (3 bits, 802.1p CoS) + DEI/CFI (1 bit) + VLAN ID (12 bits) = 4 bytes. The DEI bit marks frames as drop-eligible first under congestion in carrier networks; the 12-bit VID is why the usable VLAN range stops at 4094.

This lets many VLANs (e.g. voice and data) share one physical trunk while staying separate. Because the frame grows by 4 bytes, switches use a "baby giant" / jumbo MTU allowance so tagged frames aren't dropped as oversized.

👉 Interview tip: Name all four fields and the "4 bytes after the source MAC" — that precision separates a fresher from someone who's read the standard.

The flow is: create the VLAN, assign access ports, then trunk the uplinks. On Cisco IOS:

vlan 10
 name SALES
!
interface gi0/1                ! port to a PC
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface gi0/24               ! uplink to another switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate        ! turn off DTP

Verify with show vlan brief, show interfaces trunk and show interfaces gi0/1 switchport.

👉 Interview tip: Always mention switchport mode access + nonegotiate on user ports — hard-setting the mode is a security answer, not just a config one.

• Broadcast Control: Reduces the size of broadcast domains, improving network performance.
• Security: Sensitive data can be isolated on its own VLAN (e.g., HR dept).
• Flexibility: Users can be grouped by department rather than physical switch location.
• Cost: Reduces the need for expensive physical routers and cabling changes.

👉 Interview tip: The crisp one-liner is "smaller broadcast domains + segmentation for security + logical grouping independent of location."

Use no vlan [ID]. The gotcha: VLAN data lives in vlan.dat in flash, not the running-config — so erase startup-config alone does NOT remove VLANs. To fully wipe them you also delete flash:vlan.dat and reload.

Second gotcha: deleting a VLAN does not move its access ports anywhere — those ports go inactive (the VLAN they reference no longer exists), silently dropping host traffic until you reassign them.

👉 Interview tip: Mentioning vlan.dat and "orphaned ports go inactive" shows real lab scars, not book knowledge.

• Access Port: Carries exactly one VLAN, untagged, to an end device (PC, printer, AP).
• Trunk Port: Carries multiple VLANs, tagged (802.1Q), to another switch or router — except the native VLAN, which is untagged.

👉 Interview tip: The single crispest line: "Access = one untagged VLAN to a host; trunk = many tagged VLANs between switches." Picking the wrong one is the most common misconfig there is.

By default, hosts in different VLANs cannot communicate — a switch never forwards a frame between VLANs. Inter-VLAN routing uses a Layer 3 device (router or L3 switch) with an interface in each VLAN to route packets between them. The two designs are router-on-a-stick and SVIs on an L3 switch (covered in detail below).

👉 Interview tip: Tie it back to fundamentals — "different VLAN = different subnet, so it must be routed, not switched."

• ISL (Inter-Switch Link): Cisco-proprietary. Encapsulates the entire original frame in a 26-byte header + 4-byte trailer. No native-VLAN concept (everything is encapsulated). Obsolete — not supported on modern Cisco switches.
• 802.1Q (Dot1Q): The IEEE standard. Inserts a 4-byte tag into the existing frame and leaves the native VLAN untagged. The only one you'll deploy today.

👉 Interview tip: The keyword contrast is "ISL encapsulates vs 802.1Q inserts a tag" — and only 802.1Q has a native (untagged) VLAN.

VLAN ID range: 1–4094 usable (12-bit field). VLAN 0 is reserved for priority-tagged frames (802.1p), VLAN 4095 is reserved by the standard.

• Reserved: 0 (priority-tagged frames), 4095 (standard-reserved)
• Default VLAN: 1 (Cisco — cannot be deleted; other vendors allow it)
• Normal Range: 2 - 1001 (Stored in vlan.dat on Cisco)
• Reserved (Token Ring legacy): 1002 - 1005
• Extended Range: 1006 - 4094 (Stored in running-config; needs VTP Transparent on VTPv1/v2; VTPv3 supports extended even in Server mode)

👉 Interview tip: Connect the "4094" to the 12-bit VID field — and add that QinQ exists precisely to scale past that ceiling for service providers.

On an 802.1Q trunk, frames in the native VLAN are sent untagged (default VLAN 1 on Cisco). Both ends must agree on which VLAN is native.

If they disagree, untagged frames are placed into different VLANs on each side — causing VLAN leakage (traffic crossing into the wrong VLAN, a security hole) plus CDP/STP "native VLAN mismatch" warnings. Best practice: set the native VLAN to an unused ID (not VLAN 1) and explicitly tag it with vlan dot1q tag native.

👉 Interview tip: "Untagged on the trunk, must match both ends, never leave it VLAN 1" — that hits accuracy and security in one breath.

A single access port can carry two VLANs: the PC's data VLAN (untagged) and the IP phone's voice VLAN (tagged). Config: switchport access vlan 10 + switchport voice vlan 20. The phone has a small built-in switch; the PC plugs into the back of the phone and its untagged data traffic passes through.

The switch tells the phone which voice VLAN to tag with via CDP or LLDP-MED. This separates voice for QoS and security without running a second cable.

👉 Interview tip: "Voice tagged, data untagged, on the same access port — phone learns the voice VLAN via CDP/LLDP-MED."

VTP (VLAN Trunking Protocol) syncs the VLAN database across a domain. Modes:

• Server — can add/modify/delete VLANs; propagates them.
• Client — receives and applies, can't edit.
• Transparent — keeps its own VLANs, forwards VTP but doesn't sync.
• Off — VTP disabled entirely.

The danger: VTP trusts whichever switch has the highest configuration revision number. Plug in an old lab switch (same domain name, higher revision) and its database overwrites the entire production domain — wiping every VLAN. To reset a switch's revision to 0 before adding it: change the VTP domain name and change it back, or use Transparent mode.

Fix: Run VTP Transparent or Off in most modern shops, or VTPv3 (primary-server model eliminates the accidental overwrite).

👉 Interview tip: The line that lands: "highest revision wins, so a re-introduced switch can nuke your VLANs — that's why we run transparent or VTPv3."

DTP (Dynamic Trunking Protocol) auto-negotiates whether a link becomes a trunk or an access port (dynamic auto / dynamic desirable). The risk is the switch-spoofing attack: an attacker's PC sends DTP frames and negotiates a trunk on what should be an access port, then sees every VLAN.

Mitigation: hard-set the mode (switchport mode access or trunk) and add switchport nonegotiate on every link. Never leave ports on the dynamic default in production.

👉 Interview tip: "DTP auto-trunking enables switch-spoofing — hard-set mode + nonegotiate everywhere."

Two ways to do inter-VLAN routing:

• SVI (Switch Virtual Interface): an L3 switch holds an IP per VLAN on interface vlan10/20. Hardware-forwarded at line rate via ASIC — the modern default.
• Router-on-a-Stick (ROAS): one trunk to a router with a subinterface per VLAN (encapsulation dot1q 10). Software-forwarded on the router CPU and bottlenecked by the single uplink — fine for a lab, not for scale.

👉 Interview tip: "SVI = ASIC line-rate; ROAS = one trunk through a CPU. SVI for anything real." Bonus: an SVI only comes up if the VLAN exists AND at least one access port in it is up.

Native-VLAN traffic (VLAN 1 by default) is untagged and always passes, regardless of the allowed list — the allowed list only filters tagged VLANs. Change the native VLAN to an unused ID and explicitly tag it with vlan dot1q tag native, and confirm switchport trunk native vlan matches on both ends.

👉 Interview tip: "The allowed list doesn't filter the native VLAN — it's untagged, so it rides the trunk anyway."

The attacker sends a frame with two 802.1Q tags: the outer tag matches the trunk's native VLAN and gets stripped on the first hop; the inner tag then delivers the frame into the target VLAN. It's a one-way attack but it crosses VLAN boundaries.

Mitigations: (1) don't use VLAN 1 as native; (2) make the native VLAN an unused ID and vlan dot1q tag native; (3) set user ports to access mode and disable DTP. The second attack variant — switch-spoofing via DTP — is closed by the same access-mode + nonegotiate hardening.

👉 Interview tip: "Double-tagging abuses the native VLAN; tag the native and never use VLAN 1 native — that's the fix."

VTP pruning stops a switch from flooding broadcast/unknown-unicast for a VLAN onto a trunk when the neighbor has no active ports in that VLAN. It dynamically prunes unneeded VLANs from trunks, saving bandwidth in large domains.

Caveat: it only works in VTP Server/Client mode (not Transparent), VLAN 1 is never pruned, and many shops avoid it because they avoid VTP itself. The static alternative is to manually scope each trunk with switchport trunk allowed vlan.

👉 Interview tip: "Pruning = don't flood a VLAN onto a trunk where nobody's listening; the manual equivalent is a tight allowed-vlan list."

The commands every L2 interviewer expects:

show vlan brief                 ! VLANs and their access ports
show interfaces trunk           ! trunked ports, native, allowed, pruned
show interfaces gi0/1 switchport! mode, access/native VLAN, neg state
show mac address-table          ! which MAC is learned on which port/VLAN
show interfaces status          ! up/down, speed, VLAN, errdisable

show interfaces trunk is the one to reach for first — it shows the native VLAN, the allowed list, and which VLANs are actually forwarding, so it catches native mismatches, missing-from-allowed, and STP-pruned VLANs at a glance.

👉 Interview tip: Name show interfaces trunk and show interfaces switchport — those two solve most "VLAN won't pass" tickets.

Layer 2 has no TTL, so a single physical loop turns a broadcast into a broadcast storm that melts the network (plus MAC-table instability and duplicate frames). STP (802.1D) builds a loop-free logical tree by electing a root bridge and blocking redundant links — the links stay physically cabled for redundancy but logically idle until needed.

👉 Interview tip: "L2 has no TTL → loops storm forever → STP blocks redundant paths to leave one loop-free tree."

Switches exchange BPDUs and the lowest Bridge ID (BID) wins. The BID is:

BID = Bridge Priority (4 bits) + Sys-ID-Extension (12 bits = the VLAN) + MAC address (6 bytes)

1. Lowest priority wins first. Default 32768; settable only in multiples of 4096 because the priority field is 4 bits and the sys-id-ext (VLAN) fills the rest.
2. Tie-break = lowest MAC address. Equal priority means the oldest switch (lowest MAC) silently becomes root — a classic gotcha where a tiny access switch ends up root.

To force a switch to be root: spanning-tree vlan 10 root primary (a macro that lowers priority to 24576, or below the current root) — or set it explicitly with spanning-tree vlan 10 priority 0 (the lowest possible). Pair the intended backup with root secondary (28672).

👉 Interview tip: Recite the BID layout, then "priority then MAC; force it with root primary or priority 0."

The original 8-byte BID was 2-byte priority + 6-byte MAC. Cisco PVST+ runs one STP instance per VLAN but a switch has only a few MAC addresses to share — so the priority field was split into a 4-bit priority + a 12-bit sys-id-extension that carries the VLAN number. That way a single MAC + the VLAN ID makes a unique BID per VLAN, and each VLAN can elect its own root. It's also why priority only changes in steps of 4096.

👉 Interview tip: "Sys-id-ext = the VLAN baked into the BID, so one MAC serves a separate root election per VLAN — hence priority in steps of 4096."

Roles (who the port is): Root Port — the one best path toward the root (one per non-root switch); Designated Port — the forwarding port on each segment (every segment has exactly one, and all root-bridge ports are designated); Non-designated / Blocking (Alternate & Backup in RSTP terms) — kept loop-free in standby.

States (what the port is doing) in classic STP: Blocking → Listening → Learning → Forwarding (plus Disabled). It takes ~50 seconds to converge: 20s max-age + 15s listening + 15s learning. Root-port selection cost ladder: lowest root path cost → lowest sender BID → lowest sender port ID.

👉 Interview tip: Separate the two ideas cleanly — "role = root/designated/blocking; state = the 4-step listening/learning transition." Mixing them is the #1 tell of a shaky candidate.

• PortFast — on access/edge ports facing hosts. Skips listening/learning and goes straight to forwarding, so a PC gets a link in ~1s instead of 30s. Never on a switch-to-switch link (it would create a transient loop).
• BPDU Guard — pairs with PortFast on host ports. If such a port ever receives a BPDU (someone plugged a switch into a wall jack), it goes err-disabled immediately — protecting the topology. Recover with errdisable recovery or a shut/no-shut.
• Root Guard — on ports facing downstream switches you never want to become root. If the port hears a superior BPDU, it goes root-inconsistent (blocks) until the superior BPDUs stop — keeping the root where you designed it.

Memory hook: PortFast + BPDU Guard face down to hosts; Root Guard faces out to the network. (Loop Guard / BPDU Filter are the adjacent extras.)

👉 Interview tip: "BPDU Guard err-disables on ANY BPDU; Root Guard blocks only on a SUPERIOR BPDU" — getting that distinction right is the whole question.

RSTP collapses the states to Discarding / Learning / Forwarding and converges in well under a second instead of ~50s. The mechanisms:

• Proposal/Agreement handshake on point-to-point links replaces the timer-based wait — neighbors negotiate forwarding directly.
• Alternate and Backup port roles are pre-computed, so a failed root port is replaced instantly.
• Edge ports (built-in PortFast) forward immediately.
• Every switch generates its own BPDUs as keepalives rather than only relaying the root's.

Rapid-PVST+ is Cisco's per-VLAN RSTP and the sane default today.

👉 Interview tip: "Proposal/agreement on P2P links + pre-computed alternate ports = sub-second, no 50s timers."

PVST+/Rapid-PVST+ run one STP instance per VLAN — flexible per-VLAN load balancing, but one BPDU stream per VLAN doesn't scale much past ~100 VLANs (CPU and BPDU overhead). MST (802.1s) maps many VLANs onto a small number of instances (e.g. odd VLANs to MSTI 1, even to MSTI 2), drastically cutting overhead while still letting you load-balance traffic across uplinks.

Caveat: all switches must share the same MST region (name, revision, and VLAN-to-instance map) or they fall back to a single boundary instance.

👉 Interview tip: "PVST+ = one instance per VLAN (doesn't scale); MST = group VLANs into a few instances (scales) — but every switch needs identical region config."

Structured approach:

1. Find the flapping link: show spanning-tree vlan X and show spanning-tree detail | include ieee|occurred|from to see TCN (topology-change) counts and which port last changed.
2. Unidirectional link? A fibre with TX/RX mismatched can make a blocking port wrongly forward → loop. Enable UDLD and Loop Guard.
3. Err-disabled port: show interfaces status err-disabled — usually BPDU Guard (a switch on a host port) or port-security. Fix the cause, then recover.
4. Root in the wrong place: verify with show spanning-tree root; apply root primary on the intended core and Root Guard toward access.

👉 Interview tip: Lead with "check the root and TCN counters first," then "UDLD/Loop Guard for unidirectional links" — that's senior-level reasoning.

Storm control caps broadcast/multicast/unknown-unicast traffic on a port to a percentage of bandwidth (or pps); above the threshold the switch drops or err-disables. It's a safety net against the kind of flooding STP is meant to prevent (and against host-side broadcast misbehaviour STP can't see).

interface gi0/1
 storm-control broadcast level 10.00
 storm-control action shutdown

👉 Interview tip: "STP prevents loop-induced storms; storm-control is the rate-limit backstop for everything else." Don't confuse the two — interviewers test whether you treat storm-control as a replacement for STP (it isn't).

EtherChannel bundles up to 8 active physical links into one logical interface (a Port-channel) for more bandwidth and redundancy. STP sees the bundle as a single link, so it never blocks the member ports — you get to use all the bandwidth instead of having STP shut down the redundant paths.

Load-balancing is per-flow (hashing on src/dst MAC or IP or port), not per-packet, so a single conversation rides one member — bundling 4×1G doesn't make one transfer 4G.

👉 Interview tip: "STP treats the channel as one link → all members forward; load-balance is per-flow, so one flow ≠ aggregate speed."

Three ways to form a channel:

• LACP (IEEE 802.3ad, standard, multi-vendor) — modes active / passive.
• PAgP (Cisco-proprietary) — modes desirable / auto.
• Static "on" — mode on, no negotiation protocol at all.

Pairings that form a channel ✔: LACP active–active, active–passive · PAgP desirable–desirable, desirable–auto · static on–on.

Pairings that fail ✘: passive–passive (nobody initiates), auto–auto (nobody initiates), on with anything negotiating (on–active, on–desirable), and LACP on one side, PAgP on the other (different protocols). "on" only ever pairs with "on" — and a one-sided "on" is the most dangerous misconfig because it can forward into a loop before the other side is ready.

👉 Interview tip: Memorise the two "nobody initiates" failures (passive–passive, auto–auto) and "never mix protocols or mix on with negotiation" — that's exactly what they're probing.

Members must be consistent on both sides or the channel stays down / suspended. The switch checks: same speed & duplex, same switchport mode (all access or all trunk), same allowed VLAN list and native VLAN (for trunks), same STP settings, and a compatible channel protocol/mode. A mismatch puts ports into suspended or err-disabled.

Verify with show etherchannel summary (look for flags: P = bundled, s = suspended, I = stand-alone) and show interfaces etherchannel.

👉 Interview tip: "Speed/duplex/mode/trunk-config must match on every member, plus a valid mode pairing — then read the flags in show etherchannel summary."

Plain EtherChannel bundles links to one neighbor switch — so that switch is a single point of failure. Multi-chassis link aggregation lets a downstream device bundle links to two upstream switches that present themselves as one: Cisco vPC (Nexus), StackWise/VSS (Catalyst), generic MLAG on other vendors. The downstream device just runs ordinary LACP; the magic is upstream.

Benefit: full redundancy and all links forwarding (no STP-blocked uplink), which is why it's standard in modern data-center access layers.

👉 Interview tip: "vPC/VSS/MLAG = an EtherChannel split across two upstream switches that look like one — redundancy without an STP-blocked link."

The switch reads the source MAC of every incoming frame and records "this MAC lives on this port, in this VLAN" in its CAM (MAC address) table, with a default aging timer of 300s. To forward, it looks up the destination MAC:

• Known unicast → sent out the one learned port.
• Unknown unicast / broadcast / multicast → flooded out every port in that VLAN (except the one it came in on).

That flooding behaviour is exactly the attack surface for a CAM/MAC-flooding attack: fill the table with bogus MACs, it overflows, and the switch fails open (floods everything) — letting an attacker sniff. Defence: port-security (limit MACs per port).

👉 Interview tip: "Learn on source MAC, forward on destination MAC, flood on unknown — and that flood-on-overflow is why CAM flooding works, mitigated by port-security."

Port-security caps how many (and optionally which) MAC addresses an access port accepts, defeating CAM flooding and rogue devices. Sticky learning (switchport port-security mac-address sticky) pins the first seen MAC into the config. Violation modes:

• protect — silently drops offending frames.
• restrict — drops + logs/increments a counter (SNMP/syslog).
• shutdown (default) — err-disables the port.

👉 Interview tip: Name all three and that the default is shutdown — interviewers love the "protect is silent, restrict logs, shutdown err-disables" trio.

Private VLANs (PVLANs) partition one subnet/VLAN into sub-domains without burning extra subnets. Structure:

• Primary VLAN — carries traffic from the gateway down to all hosts.
• Isolated (secondary) VLAN — hosts can talk only to the promiscuous port (gateway), not even to each other.
• Community (secondary) VLAN — hosts can talk to each other within the community and to the promiscuous port, but not to other communities/isolated hosts.

Port types: promiscuous (talks to everyone — the router/gateway), isolated, community. Classic use cases: a hotel/hosting/DMZ segment where every server shares a subnet and gateway but must NOT reach its neighbours, all without allocating a /30 per host.

👉 Interview tip: "Isolated = talks only to the gateway; community = talks within its group + gateway; promiscuous = the gateway that talks to all — one subnet, L2 segmentation." Great for backup/DMZ/hosting tiers.

QinQ (IEEE 802.1ad, "provider bridging" / VLAN stacking) wraps the customer's existing 802.1Q tag inside a second, outer "service" tag (S-VLAN). The carrier switches only on the outer tag and treats the customer's inner tag (C-VLAN) as opaque data.

Differences from plain 802.1Q:

• Two stacked tags, not one — so the frame can carry 4094 × 4094 VLAN combinations, smashing the single-tag 4094 ceiling.
• Lets a provider carry many customers' overlapping VLAN numbers across a shared metro/L2VPN without collision — each customer gets a unique outer S-tag.
• The outer TPID is typically 0x88A8 (802.1ad) vs 0x8100 for the inner 802.1Q tag.

👉 Interview tip: "QinQ = a tag inside a tag; the provider switches on the outer S-VLAN, so customers keep their own C-VLANs and we break past the 4094 limit." That's the service-provider answer interviewers want.

Both are per-VLAN L2 security features. DHCP snooping marks switch ports as trusted (toward the real DHCP server) or untrusted (toward hosts) and drops DHCP server replies on untrusted ports — killing rogue-DHCP attacks. It also builds a binding table of IP↔MAC↔port↔VLAN.

Dynamic ARP Inspection (DAI) uses that binding table to drop spoofed ARP replies, defeating ARP poisoning / MITM. IP Source Guard extends it to filter spoofed source IPs. All three are scoped per VLAN — a common follow-up to "how do you secure an access VLAN?"

👉 Interview tip: "DHCP snooping builds the binding table; DAI uses it to stop ARP spoofing — both applied per VLAN on access ports."

Instead of statically pinning a port to a VLAN, 802.1X with a RADIUS server authenticates the device/user at link-up and the RADIUS reply dynamically assigns the VLAN (and ACLs). A laptop lands in the Corp VLAN; an unknown device lands in a Guest/quarantine VLAN — regardless of which jack it uses. This is the backbone of NAC (Network Access Control).

👉 Interview tip: "Port VLAN follows identity, not the cable — RADIUS returns the VLAN at 802.1X auth; failures drop to a restricted/guest VLAN."

Native VLAN traffic (VLAN 1 by default) is untagged and always passes regardless of the allowed list. Change the native VLAN to an unused ID, or explicitly tag the native VLAN with vlan dot1q tag native. Confirm switchport trunk native vlan matches on both ends — mismatched native VLANs trigger CDP errors and silently leak frames.

👉 Interview tip: "The allowed list filters tagged VLANs only; the native rides untagged."

Inter-VLAN routing path issue. Walk the layers: (1) Is the local SVI up on the L3 switch? show ip interface brief. (2) Is the routing protocol learning the other site's subnets? show ip route. (3) Is an ACL on the L3 boundary blocking the destination subnet? (4) Is the inter-site link itself up and carrying the right VLANs? Most common root cause: missing route on the L3 switch back to the user's source subnet (a return-path problem).

👉 Interview tip: "Pings the gateway = local L2/SVI is fine, so the break is L3 forwarding or the return route" — naming that narrows it instantly.

Classic VTP revision-number conflict. A switch with a higher VTP revision number was added to the domain (often a lab switch with stale config), and its higher revision overwrote the production domain's VLAN database. Mitigation: VTPv3 (primary-server model fixes this), or VTP Transparent/Off in production. To clear the revision before adding a switch: change the VTP domain name and change it back — resets revision to 0.

👉 Interview tip: "Highest revision wins — pre-stage by resetting it to 0, and run transparent/v3 to never relive this."

DHCP relay (ip helper-address) not configured on the voice VLAN SVI, or there's no DHCP scope for the voice subnet. The phone works because it learned the voice VLAN via CDP/LLDP-MED and may have cached config; new DHCP-dependent operations fail. Fix: add a scope for the voice VLAN and point ip helper-address at the DHCP server from the voice SVI (option 150 supplies the TFTP/config server for phones).

👉 Interview tip: "Different VLAN = different subnet = needs its own scope + ip helper-address; the phone's CDP-learned VLAN is a red herring."

Three likely causes, in order: (1) VLAN 20 not in the trunk's allowed list — check switchport trunk allowed vlan on both ends. (2) STP blocked the inter-switch link for VLAN 20 — a different per-VLAN topology than other VLANs; show spanning-tree vlan 20. (3) VLAN 20 doesn't exist on Switch-B — VTP transparent/off and the DB wasn't synced, or it was never created.

👉 Interview tip: "Trunk up but one VLAN dead = allowed-list, per-VLAN STP, or the VLAN simply not existing on the far switch."

Read the reason first: show interfaces status err-disabled and the log. The usual suspects: BPDU Guard (someone plugged a switch/loop into a host port), port-security violation (too many MACs / a different MAC), or a storm-control shutdown. Fix the root cause, then re-enable with shut/no-shut or set errdisable recovery cause <reason> for auto-recovery after a timer.

👉 Interview tip: "Don't just bounce the port — show interfaces status err-disabled tells you which feature tripped, then fix that."

Mode mismatch. "on" does no negotiation, while LACP active expects an LACP partner — so they never form a channel, and worse, the "on" side may already be forwarding into a potential loop. show etherchannel summary shows the members as stand-alone (I) or suspended (s). Fix: make both sides the same scheme — either on/on, or active/active (or active/passive). Also confirm matching speed/duplex/trunk config on every member.

👉 Interview tip: "on only pairs with on; LACP needs an LACP partner — never mix static with a negotiating mode." Add that one-sided "on" is the riskiest combo because it can loop.