200-301 Question #413: Real Exam Question with Answer & Explanation

The correct answer is D: configure it as a different VLAN ID on each end of the link. To secure the native VLAN, it should be configured as a different, unused VLAN ID on each end of the trunk link, and preferably not VLAN 1, which is the default native VLAN on many switches. This prevents double-tagging attacks and isolates untagged traffic.

Submitted by tarun92 · Mar 5, 2026

Question

How is the native VLAN secured in a network?

Options

  • A. separate from other VLANs within the administrative domain
  • B. give it a value in the private VLAN range
  • C. assign it as VLAN 1
  • D. configure it as a different VLAN ID on each end of the link

Explanation

To secure the native VLAN, it should be configured as a different, unused VLAN ID on each end of the trunk link, and preferably not VLAN 1, which is the default native VLAN on many switches. This prevents double-tagging attacks and isolates untagged traffic.

Common mistakes.

  • A. While separating it is good, merely being separate doesn't define the specific security mechanism for the native VLAN itself.
  • B. Giving it a value in the private VLAN range relates to Private VLAN (PVLAN) technology, which is a different security feature, not the primary method for securing the native VLAN.
  • C. Assigning it as VLAN 1 is the default and often insecure configuration, as VLAN 1 is a well-known VLAN that attackers frequently target.

Concept tested. Native VLAN security best practices

Reference. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_011.html

Topics

#Native VLAN #VLAN security #Trunking
