Local Area Network (LAN) – Components, Topologies & Design

1. What Is a LAN?

A Local Area Network (LAN) is a network that connects computers, servers, printers, and other devices within a limited geographical area — typically a single building, floor, or campus. Devices on a LAN communicate directly using Layer 2 (MAC addressing) without needing to route through external infrastructure, which is why LANs deliver very high speeds and very low latency compared to wide area connections.

  Typical small office LAN:

  Internet
     │
  ┌──┴──────┐
  │  Router │  ← connects LAN to internet (Layer 3 gateway)
  └──┬──────┘
     │
  ┌──┴────────────┐
  │    Switch     │  ← interconnects all devices at Layer 2
  └──┬──┬──┬──┬──┘
     │  │  │  │
    PC  PC Printer Server

  Add wireless:
  Switch ──── AP ──── laptops, phones (Wi-Fi clients)

LANs are characterised by:

  • Geographic scope: Single building, floor, or campus — typically up to a few hundred metres over copper, or kilometres with fibre
  • Ownership: Privately owned and managed by a single organisation or individual — no carrier involvement
  • Speed: 100 Mbps (Fast Ethernet) to 10 Gbps (10GBASE-T) over copper; up to 100 Gbps over fibre backbone links
  • Latency: Sub-millisecond — devices are physically close and communicate without WAN hops
  • Broadcast domain: All devices on the same LAN (without VLANs) receive each other's broadcast frames

Related pages: Access and Trunk Ports | CAM Table / MAC Address Table | Ethernet Cable Standards | VLANs | Spanning Tree Protocol | OSI Model | WAN Technologies | How DHCP Works

2. LAN vs WAN vs MAN — Network Type Comparison

Type | Full Name | Geographic Scope | Typical Speed | Ownership | Example
LAN | Local Area Network | Room, building, campus | 1–10 Gbps (copper); up to 100 Gbps (fibre) | Private (single org) | Office network, home network, school computer lab
MAN | Metropolitan Area Network | City or metro area | 100 Mbps – 10 Gbps | Often ISP or utility | City government network, university campus spanning multiple buildings km apart
WAN | Wide Area Network | Country, continent, global | Variable — 1 Mbps to 100 Gbps | Carrier/ISP leased | Internet, MPLS connecting branch offices, leased lines
PAN | Personal Area Network | ~10 metres around a person | 1–3 Mbps (Bluetooth) | Personal device | Bluetooth headset to phone, smartwatch to laptop

3. LAN Components

Component | OSI Layer | Role in the LAN | Key Characteristic | Example
Hub | Layer 1 (Physical) | Repeats incoming signal out all other ports — all devices share one collision domain | Half-duplex; collisions are common; obsolete in modern networks | Legacy 10BASE-T hub; still appears in CCNA labs to illustrate collision domains. See: Hub Overview
Switch | Layer 2 (Data Link) | Forwards frames to the correct port based on destination MAC address (learned in the CAM table); each port is its own collision domain | Full-duplex; eliminates collisions; creates one broadcast domain per VLAN; central device of modern LANs | Cisco Catalyst 2960, 3750, 9200. See: Frame Forwarding
Router | Layer 3 (Network) | Connects the LAN to other networks (internet, WAN, other LAN subnets); routes packets between subnets; acts as default gateway | Separates broadcast domains; performs NAT for internet access; each interface = separate broadcast domain | Cisco ISR 1100/4000 series; home broadband router
Access Point (AP) | Layer 1–2 | Bridges wireless clients onto the wired LAN; Wi-Fi clients connect to the AP, which connects to a switch port | 802.11 standards (a/b/g/n/ac/ax); provides wireless extension of the LAN; can be standalone or controller-managed | Cisco Aironet, Meraki MR, Ubiquiti UniFi
Multilayer Switch (MLS) | Layer 2–3 | Switches at Layer 2 AND routes between VLANs at Layer 3 in hardware — combines switch and router functionality | Used at distribution/core layers; performs inter-VLAN routing without a dedicated router (router-on-a-stick alternative) | Cisco Catalyst 3560, 3850, 9300
End Devices | Layer 3–7 | Generate and consume data — the reason the LAN exists | PCs, laptops, IP phones, printers, servers, IoT devices, IP cameras | Windows workstation, file server, VoIP phone

4. LAN Topologies

A topology describes how devices are physically connected or how data logically flows. Modern LANs almost universally use a physical star topology, but understanding all topology types is required for CCNA.

Star Topology

  PC1 ─────────┐
  PC2 ──────── Switch ──── PC3
  PC4 ─────────┘

  All devices connect to a central switch.
  Failure of one link affects only that device.
  Failure of the switch affects ALL devices.
  • Pros: Easy to add/remove devices; single link failure affects only one device; easy troubleshooting; full-duplex operation on each link
  • Cons: Single point of failure at the central switch; requires more cable than bus topology
  • Modern status: Universal standard — every modern LAN uses this topology

Bus Topology

  PC1 ──┬── PC2 ──┬── PC3 ──┬── PC4
        │         │          │
      terminators on each end required
  All devices share one cable backbone.
  • Pros: Simple and inexpensive; minimal cable required
  • Cons: Any cable break takes down the entire network; half-duplex only; collisions; difficult to troubleshoot; does not scale
  • Modern status: Obsolete — used in legacy 10BASE2 coaxial networks; Ethernet's logical data flow is still described as a "logical bus" even though the physical layout is now star

Ring Topology

  PC1 ──▶── PC2
   ▲         │
   │         ▼
  PC4 ──◀── PC3
  Token passes around the ring; only the holder transmits.
  • Pros: No collisions (token-passing); predictable performance
  • Cons: One device failure can disrupt the ring; complex; slow troubleshooting
  • Modern status: Largely obsolete (Token Ring, FDDI); still seen in some industrial and metropolitan fibre rings (SONET/SDH)

Mesh Topology

  Full Mesh (every device connected to every other):
  PC1 ─────── PC2
   │ ╲       ╱ │
   │  ╲     ╱  │
   │   PC3──   │
   │  ╱     ╲  │
   │ ╱       ╲ │
  PC4 ─────── PC5

  Partial Mesh: some (not all) redundant links — common in WAN/core routing
  • Pros: Highest redundancy — multiple paths; failure of any single link does not disrupt connectivity
  • Cons: Very expensive; complex configuration; n(n-1)/2 links needed for full mesh
  • Modern status: Full mesh impractical for large LANs; partial mesh used in core/distribution layer switch interconnects and WAN routing

Physical vs Logical Topology

Type | Definition | Example
Physical topology | How cables and devices are actually physically connected | Star — all cables run to a central switch
Logical topology | How data logically flows through the network | Ethernet uses a logical bus despite its physical star cabling — every device on the same segment can, in principle, "hear" every transmission (CSMA/CD was designed for exactly this)

5. Ethernet — The Dominant LAN Technology

Ethernet (IEEE 802.3) is the Layer 2 protocol used in virtually all modern wired LANs. It defines how frames are structured, how devices share the medium (CSMA/CD — now largely irrelevant with full-duplex switches), and the physical standards for different cable types and speeds.

Ethernet Frame Structure

  Ethernet II Frame:
  ┌──────────┬────────────┬─────────┬─────────────────────────┬─────────┐
  │ Dest MAC │ Source MAC │  Type   │ Payload (46–1500 bytes) │   FCS   │
  │ 6 bytes  │  6 bytes   │ 2 bytes │                         │ 4 bytes │
  └──────────┴────────────┴─────────┴─────────────────────────┴─────────┘

  Destination MAC: Where the frame should go (unicast, multicast, or broadcast FF:FF:FF:FF:FF:FF)
  Source MAC:      Who sent the frame
  EtherType:       What's in the payload (0x0800 = IPv4, 0x0806 = ARP, 0x86DD = IPv6, 0x8100 = 802.1Q VLAN)
  Payload:         The data (IP packet for most traffic)
  FCS:             Frame Check Sequence — CRC-32 error detection; receiver discards corrupted frames
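The frame layout above, as an added example that is not part of the original page: a small Python builder and parser for Ethernet II frames. It handles the optional 802.1Q tag (EtherType 0x8100, VLAN ID in the low 12 bits of the tag), pads short payloads to the 46-byte minimum, and computes and checks the FCS with CRC-32 (zlib.crc32 uses the same polynomial and conventions as the Ethernet FCS, transmitted least-significant byte first). The sample frame is constructed here; all MAC addresses are the ones used in the ARP section of this page.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}
MIN_PAYLOAD = 46          # shorter payloads are padded so the frame reaches 64 bytes


@dataclass
class Frame:
    dst: str
    src: str
    ethertype: int
    vlan: Optional[int]   # 802.1Q VLAN ID when tagged, else None
    payload: bytes
    fcs_ok: bool


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fcs_for(data: bytes) -> bytes:
    # FCS = CRC-32 over Dest MAC .. end of payload, sent least-significant byte first.
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    header = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan is not None:
        # TPID 0x8100 followed by the TCI (PCP/DEI zero, 12-bit VLAN ID)
        header += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    header += struct.pack("!H", ethertype)
    body = payload.ljust(MIN_PAYLOAD, b"\x00")
    return header + body + fcs_for(header + body)


def parse_frame(raw: bytes) -> Frame:
    if len(raw) < 64:
        raise ValueError(f"runt frame: {len(raw)} bytes")
    data, fcs = raw[:-4], raw[-4:]
    fcs_ok = fcs_for(data) == fcs          # receiver discards the frame if this fails
    dst, src = bytes_to_mac(data[0:6]), bytes_to_mac(data[6:12])
    (ethertype,) = struct.unpack("!H", data[12:14])
    offset, vlan = 14, None
    if ethertype == 0x8100:                 # tagged: the real EtherType follows the tag
        (tci,) = struct.unpack("!H", data[14:16])
        vlan = tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", data[16:18])
        offset = 18
    return Frame(dst, src, ethertype, vlan, data[offset:], fcs_ok)


def address_type(mac: str) -> str:
    """Broadcast, multicast (I/G bit set in the first octet) or unicast."""
    if mac == BROADCAST_MAC:
        return "broadcast"
    return "multicast" if int(mac[:2], 16) & 1 else "unicast"


if __name__ == "__main__":
    # Constructed sample: a VLAN-10 tagged ARP frame from PC1 to everyone.
    raw = build_frame(BROADCAST_MAC, "aa:bb:cc:11:22:33", 0x0806, b"\x00\x01\x08\x00", vlan=10)
    f = parse_frame(raw)
    print(f.dst, address_type(f.dst), ETHERTYPE_NAMES.get(f.ethertype), f.vlan, f.fcs_ok)
```

Flipping any byte of the frame and re-parsing shows fcs_ok turn false, which is what a receiving NIC's CRC check does before the frame ever reaches the operating system.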

Ethernet Speed Standards

Standard | Speed | IEEE | Cable Required | Max Distance | Common Use
Fast Ethernet | 100 Mbps | 802.3u | Cat5 or better | 100 m | Legacy end devices; still used for basic IoT sensors
Gigabit Ethernet | 1 Gbps | 802.3ab | Cat5e or better | 100 m | Standard desktop/server connections; access layer uplinks
10 Gigabit | 10 Gbps | 802.3an | Cat6a (100 m) or Cat6 (55 m) | 100 m (Cat6a) | Switch uplinks; server connections; backbone links
25/40/100 Gbps | 25–100 Gbps | 802.3cc/bq/bm | Fibre or Cat8 (short runs) | Up to 10+ km (fibre) | Data-centre spine/leaf, inter-switch backbone

CSMA/CD — Why Switches Made It Obsolete

CSMA/CD (Carrier Sense Multiple Access with Collision Detection) was the access control mechanism for early Ethernet. Devices listened before transmitting, but collisions still occurred when two devices started simultaneously. After detecting a collision, both backed off for a random time and retried.

Modern full-duplex switched Ethernet eliminates CSMA/CD entirely: each switch port has a dedicated collision-free, full-duplex link. CSMA/CD is only relevant in legacy half-duplex scenarios (hubs) and is still tested on CCNA exams as a historical concept.

6. Collision Domains vs Broadcast Domains

Two of the most important Layer 2 concepts for LAN design are collision domains and broadcast domains. Every CCNA candidate must be able to count these from any network diagram.

Concept | Definition | Broken by | Hub | Switch | Router
Collision Domain | Group of devices that share the same network segment and can interfere with each other's transmissions | Switches and routers (each port = new collision domain) | One collision domain for ALL ports | One collision domain per port (eliminates collisions) | One collision domain per interface
Broadcast Domain | Group of devices that receive each other's broadcast frames (dest MAC = FF:FF:FF:FF:FF:FF) | Routers and VLANs only (switches forward broadcasts) | One broadcast domain for ALL ports | One broadcast domain for ALL ports (unless VLANs configured) | One broadcast domain per interface (each interface = new broadcast domain)

  Worked example:
  Network: Hub ──── Switch ──── Router ──── Switch ──── Hub
           (3 PCs)   (4 PCs)              (3 PCs)   (2 PCs)

  Collision domains:
  - Left hub: 1 (all 3 PCs and the hub-to-switch link share it)
  - Left switch: 4 (one per PC port; its hub-facing port belongs to the hub's domain)
  - Router: 1 per interface, so 2 (the two router-to-switch links)
  - Right switch: 3 (one per PC port)
  - Right hub: 1 (both PCs and the hub-to-switch link share it)
  Total collision domains = 1 + 4 + 1 + 1 + 3 + 1 = 11

  Broadcast domains:
  - Everything left of the router: 1
  - Everything right of the router: 1
  Total broadcast domains = 2
  (VLANs would further divide these)
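The counting rules above, as an added example that is not part of the original page: a Python model that computes collision and broadcast domains for any hub/switch/router/PC diagram. Each link starts as its own domain; a hub merges all links attached to it into one collision domain and one broadcast domain, a switch merges its links into one broadcast domain only, and a router merges nothing. The device names and the section6_topology() helper are constructed here to reproduce the diagram above; VLANs are not modelled.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# How each device kind treats the links attached to it. A hub repeats every
# bit out all ports, so all of its links form ONE collision domain and ONE
# broadcast domain. A switch gives every port its own collision domain but
# floods broadcasts out all ports (no VLANs here). A router terminates both
# domains on every interface. A PC is the far end of a single link.
COLLISION_MERGE = {"hub"}
BROADCAST_MERGE = {"hub", "switch"}
KINDS = {"pc", "hub", "switch", "router"}


def _count_components(n_links: int, groups: List[List[int]]) -> int:
    """Union-find over link indices; each group lists links that share one domain."""
    parent = list(range(n_links))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for group in groups:
        for idx in group[1:]:
            parent[find(idx)] = find(group[0])
    return len({find(i) for i in range(n_links)})


def count_domains(devices: Dict[str, str], links: List[Tuple[str, str]]) -> Tuple[int, int]:
    """Return (collision_domains, broadcast_domains) for a LAN with no VLANs."""
    incident: Dict[str, List[int]] = defaultdict(list)
    for idx, (a, b) in enumerate(links):
        for dev in (a, b):
            if devices.get(dev) not in KINDS:
                raise ValueError(f"unknown device {dev!r}")
            incident[dev].append(idx)

    # Every link starts as its own domain; a device of a merging kind joins all
    # links attached to it into one domain.
    def groups(merge_kinds):
        return [incident[d] for d, k in devices.items() if k in merge_kinds and incident[d]]

    return (_count_components(len(links), groups(COLLISION_MERGE)),
            _count_components(len(links), groups(BROADCAST_MERGE)))


def section6_topology():
    """Hub(3 PCs) - Switch(4 PCs) - Router - Switch(3 PCs) - Hub(2 PCs), as drawn above."""
    devices = {"HubL": "hub", "SwL": "switch", "R1": "router", "SwR": "switch", "HubR": "hub"}
    links = [("HubL", "SwL"), ("SwL", "R1"), ("R1", "SwR"), ("SwR", "HubR")]
    for dev, n_pcs in (("HubL", 3), ("SwL", 4), ("SwR", 3), ("HubR", 2)):
        for i in range(n_pcs):
            devices[f"{dev}-PC{i}"] = "pc"
            links.append((dev, f"{dev}-PC{i}"))
    return devices, links


if __name__ == "__main__":
    print(count_domains(*section6_topology()))   # (11, 2)
```

The two merge sets are the whole difference between the concepts: replacing COLLISION_MERGE with BROADCAST_MERGE is exactly the step from "what a hub does" to "what a switch does", and leaving the router out of both sets is why it breaks both domains.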

7. ARP — Address Resolution Protocol

ARP (Address Resolution Protocol) is the mechanism that allows a device to discover the MAC address of another device on the same LAN when it only knows its IP address. Every IP packet requires both a source and destination MAC address at Layer 2 — ARP is how the destination MAC is found. See: ARP & arp -a Command

  PC1 (192.168.1.10) wants to send a packet to PC2 (192.168.1.20).
  PC1 knows the IP but not the MAC of PC2.

  Step 1 — ARP Request (broadcast):
  PC1 sends: "Who has 192.168.1.20? Tell 192.168.1.10"
  Destination MAC: FF:FF:FF:FF:FF:FF (broadcast — ALL devices receive this)
  Source MAC: PC1's MAC (AA:BB:CC:11:22:33)

  Step 2 — ARP Reply (unicast):
  PC2 responds: "192.168.1.20 is at DD:EE:FF:44:55:66"
  Destination MAC: AA:BB:CC:11:22:33 (sent directly to PC1 only)

  Step 3 — PC1 caches the result:
  ARP cache entry: 192.168.1.20 → DD:EE:FF:44:55:66 (TTL ~2 minutes)
  PC1 can now send frames directly to PC2's MAC without ARP-ing again

ARP and routing: ARP only works within the same broadcast domain (same subnet). When PC1 needs to reach a device on a different subnet, it ARPs for the default gateway's MAC address — not the remote device's MAC. The router then routes the packet and ARPs for the next-hop MAC address on the destination subnet.
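The three-step exchange and the gateway rule above, as an added example that is not part of the original page: a Python ARP packet builder/parser (the 28-byte Ethernet/IPv4 body defined in RFC 826) plus a minimal host that decides whether to ARP for the destination itself or for its default gateway, caches replies, and expires them after the cache TTL. The Host class, the 120-second TTL and the gateway address 192.168.1.1 are assumptions; the PC addresses are the ones in the walkthrough above.

```python
import ipaddress
import struct
import time
from typing import Dict, Optional, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(o, 16) for o in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """28-byte RFC 826 ARP body for Ethernet (htype 1) / IPv4 (ptype 0x0800)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)


def parse_arp(pkt: bytes) -> dict:
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": bytes_to_mac(pkt[8:14]),
            "sender_ip": str(ipaddress.IPv4Address(pkt[14:18])),
            "target_mac": bytes_to_mac(pkt[18:24]),
            "target_ip": str(ipaddress.IPv4Address(pkt[24:28]))}


class Host:
    """A host's view of the LAN: its own addressing, default gateway and ARP cache."""

    def __init__(self, mac: str, ip: str, prefix_len: int, gateway: str, cache_ttl: float = 120.0):
        self.mac = mac
        self.ip = ipaddress.IPv4Address(ip)
        self.subnet = ipaddress.IPv4Network(f"{ip}/{prefix_len}", strict=False)
        self.gateway = ipaddress.IPv4Address(gateway)
        self.cache_ttl = cache_ttl                          # ~2 minutes, as in Step 3 above
        self.cache: Dict[str, Tuple[str, float]] = {}       # ip -> (mac, learned_at)

    def next_hop(self, dst_ip: str) -> str:
        """On-link destination: ARP for it. Off-link: ARP for the default gateway instead."""
        dst = ipaddress.IPv4Address(dst_ip)
        return str(dst if dst in self.subnet else self.gateway)

    def lookup(self, ip: str, now: Optional[float] = None) -> Optional[str]:
        now = time.monotonic() if now is None else now
        entry = self.cache.get(ip)
        if entry is not None and now - entry[1] < self.cache_ttl:
            return entry[0]
        self.cache.pop(ip, None)                            # expired: drop it
        return None

    def first_frame_to(self, dst_ip: str, now: Optional[float] = None) -> Tuple[str, bytes]:
        """(destination MAC of the first frame sent, ARP request body or b'' if cached)."""
        hop = self.next_hop(dst_ip)
        cached = self.lookup(hop, now)
        if cached is not None:
            return cached, b""
        return BROADCAST_MAC, build_arp(ARP_REQUEST, self.mac, str(self.ip), ZERO_MAC, hop)

    def handle_reply(self, pkt: bytes, now: Optional[float] = None) -> None:
        reply = parse_arp(pkt)
        if reply["op"] == ARP_REPLY and reply["target_ip"] == str(self.ip):
            learned_at = time.monotonic() if now is None else now
            self.cache[reply["sender_ip"]] = (reply["sender_mac"], learned_at)


if __name__ == "__main__":
    pc1 = Host("aa:bb:cc:11:22:33", "192.168.1.10", 24, "192.168.1.1")
    print(pc1.first_frame_to("192.168.1.20")[0])   # broadcast: ARP for PC2 itself
    print(pc1.next_hop("192.168.2.50"))             # 192.168.1.1: ARP for the gateway
```

The next_hop() test is the same subnet-mask comparison the page describes in quiz answer 2: the host never ARPs for an address outside its own prefix.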

8. Spanning Tree Protocol (STP)

STP (IEEE 802.1D) prevents broadcast storms and frame duplication by automatically detecting and blocking redundant Layer 2 paths in a switched network. Without STP, loops in a switched network cause frames to circulate indefinitely — quickly consuming all bandwidth and crashing the network within seconds. See: Spanning Tree Protocol | PortFast & BPDU Guard Lab

  Without STP — a loop:
  ┌──────────┐        ┌──────────┐
  │ Switch A │────────│ Switch B │
  └──────────┘        └──────────┘
        │                   │
        └───────────────────┘  ← redundant link creates a loop!

  PC sends broadcast → Switch A floods to Switch B via both paths
  Switch B receives broadcast twice → floods back on both paths
  Frames multiply exponentially → broadcast storm → network down

  With STP — one port blocked:
  ┌──────────┐        ┌──────────┐
  │ Switch A │────────│ Switch B │
  └──────────┘        └──────────┘
        │                   │
        └─ ─ ─[BLOCKED]─ ─ ─┘  ← STP blocks one port logically

  If the active path fails → STP unblocks the redundant path → failover

STP Port States

STP State | Forwards Frames? | Learns MACs? | Duration
Blocking | No | No | 20 seconds (max age)
Listening | No | No | 15 seconds
Learning | No | Yes | 15 seconds
Forwarding | Yes | Yes | Normal operation
Disabled | No | No | Admin shutdown

RSTP (802.1w) and MSTP (802.1s) are modern improvements over classic 802.1D STP. RSTP converges in 1–2 seconds vs 30–50 seconds for classic STP. Cisco's PVST+ runs a separate STP instance per VLAN. Most modern Cisco switches default to spanning-tree mode rapid-pvst.
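The port-blocking decision in the two-switch diagram above, as an added example that is not part of the original page: a Python implementation of the 802.1D role computation. It elects the root (lowest bridge ID = priority then MAC), computes each bridge's root path cost over the link costs, picks one root port per non-root bridge (lowest cost, then lowest neighbour bridge ID, neighbour port and own port), makes the end of each link with the lower cost (then lower bridge ID) designated, and blocks everything else. Bridge names, priorities, MACs, port numbers and the cost of 4 per link are constructed for the example; timers and BPDU exchange are not modelled.

```python
import heapq
from collections import defaultdict
from typing import Dict, List, Tuple

# Bridge ID = (priority, MAC); the lowest wins the root election.
BridgeId = Tuple[int, str]
# Link = (bridge_a, port_a, bridge_b, port_b, path_cost)
Link = Tuple[str, int, str, int, int]


def compute_stp(bridges: Dict[str, BridgeId], links: List[Link]):
    """Return (root bridge, root path cost per bridge, role per (bridge, port))."""
    root = min(bridges, key=lambda b: bridges[b])
    adj = defaultdict(list)                       # bridge -> [(nbr, cost, my_port, nbr_port)]
    for a, pa, b, pb, cost in links:
        adj[a].append((b, cost, pa, pb))
        adj[b].append((a, cost, pb, pa))

    # Root path cost: cheapest path from the root over link costs (Dijkstra).
    rpc = {b: float("inf") for b in bridges}
    rpc[root] = 0
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > rpc[u]:
            continue
        for v, cost, _, _ in adj[u]:
            if d + cost < rpc[v]:
                rpc[v] = d + cost
                heapq.heappush(heap, (d + cost, v))

    roles: Dict[Tuple[str, int], str] = {}
    # One root port per non-root bridge: the port that hears the best BPDU.
    for b in bridges:
        if b == root or rpc[b] == float("inf"):
            continue
        _, _, my_port, _ = min(
            adj[b], key=lambda e: (rpc[e[0]] + e[1], bridges[e[0]], e[3], e[2]))
        roles[(b, my_port)] = "root"
    # One designated port per link; the opposite end is blocked unless it is
    # that bridge's root port.
    for a, pa, b, pb, _ in links:
        a_wins = (rpc[a], bridges[a]) < (rpc[b], bridges[b])
        des, des_port, other, other_port = (a, pa, b, pb) if a_wins else (b, pb, a, pa)
        roles[(des, des_port)] = "designated"
        roles.setdefault((other, other_port), "blocked")
    return root, rpc, roles


def blocked_ports(roles: Dict[Tuple[str, int], str]) -> List[Tuple[str, int]]:
    return sorted(port for port, role in roles.items() if role == "blocked")


if __name__ == "__main__":
    # Switch A and Switch B joined by two parallel links, as in the diagram above.
    bridges = {"A": (32768, "00:00:00:00:00:01"), "B": (32768, "00:00:00:00:00:02")}
    links = [("A", 1, "B", 1, 4), ("A", 2, "B", 2, 4)]
    root, rpc, roles = compute_stp(bridges, links)
    print(root, rpc, roles, blocked_ports(roles))   # A is root; (B, 2) is blocked
```

With equal priorities the lower MAC wins, so Switch A becomes root and both of its ports are designated; Switch B keeps port 1 as its root port and blocks port 2. Lowering B's priority (the "spanning-tree vlan N priority" knob on Cisco) moves the root and therefore the blocked port, which is why a rogue switch advertising a low priority is the threat BPDU Guard exists for.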

9. VLANs — Virtual Local Area Networks

A VLAN (Virtual LAN) logically divides a single physical switch (or group of switches) into multiple independent broadcast domains. Devices in different VLANs cannot communicate at Layer 2 — communication between VLANs requires Layer 3 routing (a router or multilayer switch). See: VLANs Overview | Inter-VLAN Routing

  Physical switch with 3 VLANs:

  ┌────────────────────────────────────────┐
  │              Switch                    │
  │  Port 1,2,3  │  Port 4,5,6  │ Port 7,8│
  │  VLAN 10     │  VLAN 20     │ VLAN 30 │
  │  (Sales)     │  (Finance)   │  (IT)   │
  └────────────────────────────────────────┘

  VLAN 10 devices can only communicate with other VLAN 10 devices at L2
  VLAN 20 devices cannot receive broadcasts from VLAN 10
  Inter-VLAN traffic (Sales → Finance) must go through a router/L3 switch
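The three-VLAN switch above, as an added example that is not part of the original page: a Python model of a Layer 2 switch with access ports that learns source MACs into a per-VLAN CAM table and floods broadcasts and unknown unicasts only to ports of the ingress VLAN. The port-to-VLAN map reproduces the diagram (ports 1–3 VLAN 10, 4–6 VLAN 20, 7–8 VLAN 30); MAC addresses are constructed, and trunk ports and inter-VLAN routing are deliberately outside the model.

```python
from typing import Dict, List, Set, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    """Layer 2 switch with access ports only.

    Source MACs are learned into a CAM table keyed by (VLAN, MAC). A frame is
    sent to a single port only when its destination is known in the SAME VLAN;
    otherwise it is flooded, and the flood never leaves the ingress VLAN, which
    is what makes each VLAN its own broadcast domain.
    """

    def __init__(self, access_ports: Dict[int, int]):
        self.port_vlan = dict(access_ports)                  # port -> access VLAN
        self.cam: Dict[Tuple[int, str], int] = {}            # (vlan, mac) -> port

    def forward(self, in_port: int, src: str, dst: str) -> Set[int]:
        """Return the set of egress ports for a frame entering on in_port."""
        vlan = self.port_vlan[in_port]
        self.cam[(vlan, src)] = in_port                      # learn (or refresh) the source
        if dst != BROADCAST_MAC and (vlan, dst) in self.cam:
            out = self.cam[(vlan, dst)]
            return set() if out == in_port else {out}       # known unicast: one port
        # Broadcast, or unknown destination: flood within the VLAN only.
        return {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}

    def broadcast_domains(self) -> int:
        return len(set(self.port_vlan.values()))

    def mac_table(self) -> List[Tuple[int, str, int]]:
        """Rows of (VLAN, MAC, port), the shape of `show mac address-table`."""
        return sorted((v, m, p) for (v, m), p in self.cam.items())


if __name__ == "__main__":
    sw = VlanSwitch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20, 6: 20, 7: 30, 8: 30})
    print(sw.forward(1, "aa:aa:aa:00:00:01", BROADCAST_MAC))   # {2, 3}: VLAN 10 only
    print(sw.forward(4, "bb:bb:bb:00:00:04", BROADCAST_MAC))   # {5, 6}: VLAN 20 only
    # Sales host addressing a Finance MAC directly: the CAM entry lives under
    # VLAN 20, so VLAN 10 treats it as unknown and floods within VLAN 10 only.
    print(sw.forward(1, "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:04"))   # {2, 3}
    print(sw.mac_table())
```

The last forward() call is the whole point of the section: even when a Sales host knows the MAC of a Finance host, the frame never reaches port 4, because a switch consults its CAM table per VLAN. Getting the traffic across requires a router or SVI, not a switch setting.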

VLAN Benefits

Benefit | Explanation | Example
Security | Finance and HR cannot receive broadcasts from the general employee VLAN; reduces attack surface for lateral movement | HR payroll servers on VLAN 30 — inaccessible from VLAN 10 student devices
Broadcast containment | Smaller broadcast domains = fewer devices receive each broadcast = less wasted bandwidth | ARP broadcasts from 500 sales PCs don't reach 200 engineering PCs on a different VLAN
Flexibility | VLAN membership is configured in software — a device can be moved to a different VLAN without changing physical cabling | New employee in Finance gets assigned to VLAN 20 by reconfiguring their switch port
QoS (Quality of Service) | VoIP phones can be placed in a dedicated Voice VLAN with higher priority treatment | VLAN 100 for IP phones — traffic prioritised over regular data VLANs

10. Three-Tier Hierarchical LAN Design

Cisco's three-tier hierarchical model is the standard architecture for designing scalable, resilient enterprise LANs. Each layer has a specific role, and devices are chosen to match those roles.

  ┌─────────────────────────────────────────────────────────────────┐
  │                       CORE LAYER                                │
  │   High-speed backbone; fast packet forwarding only             │
  │   Cisco Catalyst 9500/6800; 10/40/100 Gbps; no user devices    │
  └──────────────────────┬──────────────────────────────────────────┘
                         │ (redundant uplinks)
  ┌──────────────────────┴──────────────────────────────────────────┐
  │                   DISTRIBUTION LAYER                            │
  │   Policy enforcement; inter-VLAN routing; ACLs; QoS; STP root  │
  │   Multilayer switches (Cisco 9300); aggregates access switches  │
  └────────────┬─────────────────────────────────┬──────────────────┘
               │                                 │
  ┌────────────┴──────────┐           ┌──────────┴────────────────┐
  │     ACCESS LAYER      │           │     ACCESS LAYER          │
  │  Connects end devices │           │  Connects end devices     │
  │  Port security; PoE   │           │  Port security; PoE       │
  │  Cisco 2960/9200      │           │  Cisco 2960/9200          │
  │  PCs, phones, APs     │           │  PCs, phones, APs         │
  └───────────────────────┘           └───────────────────────────┘

Layer | Primary Function | Key Features | Design Rule
Core | High-speed backbone — routes traffic between distribution blocks as fast as possible | Maximum throughput; minimal latency; redundant links; no user connections; no policies | Never apply access lists, QoS, or other processing at the core — it must forward at line rate
Distribution | Policy enforcement between core and access; inter-VLAN routing; aggregation point | Multilayer switching; routing (OSPF/EIGRP); ACLs; QoS; HSRP/VRRP for gateway redundancy; STP root bridge | Every access switch uplinks to two distribution switches for redundancy; distribution switches are the Layer 3 boundary for each access block
Access | Connect end-user devices to the network | 802.1Q access/trunk ports; PortFast; BPDU Guard; port security; PoE; VLAN assignment | Access layer = Layer 2 only (no routing); VLAN assignment happens here; 802.1X port authentication for device security

Two-tier (Collapsed Core) model: Smaller organisations often merge the core and distribution layers into a single layer — a single pair of multilayer switches handles both routing and high-speed forwarding. This saves cost while maintaining redundancy.

11. LAN Security Mechanisms

Mechanism | What It Does | Configuration Summary
Port Security | Limits which MAC addresses can connect to a switch port — blocks or shuts down ports where unauthorised devices connect | switchport port-security maximum 1; switchport port-security violation shutdown; switchport port-security. See: Port Security
802.1X Port Authentication | Requires devices to authenticate (via RADIUS) before the switch allows any traffic through the port | Requires RADIUS server; supplicant software on client; dot1x pae authenticator on switch port. See: 802.1X Overview
VLAN Segmentation | Isolates groups of devices — even if one VLAN is compromised, an attacker cannot reach other VLANs without traversing the Layer 3 boundary (firewall/router) | Assign sensitive servers to dedicated VLANs; control inter-VLAN routing with ACLs
DHCP Snooping | Prevents rogue DHCP servers on untrusted ports from handing out malicious IP configuration to clients | ip dhcp snooping; ip dhcp snooping vlan 10; trust only uplink ports
Dynamic ARP Inspection (DAI) | Validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing / ARP poisoning attacks | ip arp inspection vlan 10; works in conjunction with DHCP snooping
BPDU Guard | Disables a switch port if a BPDU (STP packet) is received on an access port — prevents rogue switches from joining the STP topology | spanning-tree portfast bpduguard default; applied on access ports (PortFast ports)
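The port security, DHCP snooping and DAI rows above, as an added example that is not part of the original page (and not Cisco's implementation): a Python model of the per-port checks a switch applies before forwarding, showing how the three mechanisms chain together. DHCP server messages are only accepted on trusted ports; leases completed through a trusted uplink populate a binding table; DAI then drops any ARP on an untrusted port whose sender MAC/IP pair has no binding; and port security limits learned MACs per port and err-disables the port on a violation. Port numbers, MACs, IPs and the PortPolicy fields are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Binding:
    """DHCP snooping binding: built from leases seen through trusted ports."""
    mac: str
    ip: str
    vlan: int
    port: int


@dataclass
class PortPolicy:
    trusted: bool = False        # DHCP snooping / DAI trust (uplinks only)
    max_macs: int = 1            # switchport port-security maximum
    violation: str = "shutdown"  # shutdown | restrict | protect


class AccessPortGuard:
    """Per-port checks applied before forwarding. Each check returns True when
    the frame is allowed and False when it is dropped; decisions go to self.log."""

    def __init__(self, policies: Dict[int, PortPolicy]):
        self.policies = policies
        self.bindings: Set[Binding] = set()
        self.secure_macs: Dict[int, Set[str]] = defaultdict(set)
        self.err_disabled: Set[int] = set()
        self.log: List[str] = []

    def port_security(self, port: int, src_mac: str) -> bool:
        pol = self.policies[port]
        if port in self.err_disabled:
            return False                                       # stays down until cleared
        macs = self.secure_macs[port]
        if src_mac in macs:
            return True
        if len(macs) < pol.max_macs:
            macs.add(src_mac)                                  # sticky-style learning
            return True
        self.log.append(f"port {port}: port-security violation by {src_mac} ({pol.violation})")
        if pol.violation == "shutdown":
            self.err_disabled.add(port)
        return False                                           # restrict/protect: drop only

    def dhcp_server_message(self, port: int, server_ip: str) -> bool:
        """DHCP snooping: OFFER/ACK are only accepted from trusted ports."""
        if self.policies[port].trusted:
            return True
        self.log.append(f"port {port}: dropped DHCP server message from {server_ip} (untrusted)")
        return False

    def record_lease(self, client_port: int, vlan: int, mac: str, ip: str) -> None:
        """A lease completed via a trusted uplink; add it to the binding table."""
        self.bindings.add(Binding(mac, ip, vlan, client_port))

    def arp_inspection(self, port: int, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """DAI: on untrusted ports the ARP sender MAC/IP must match a binding."""
        if self.policies[port].trusted:
            return True
        if Binding(sender_mac, sender_ip, vlan, port) in self.bindings:
            return True
        self.log.append(f"port {port}: DAI dropped ARP {sender_ip} is-at {sender_mac} (no binding)")
        return False


if __name__ == "__main__":
    guard = AccessPortGuard({1: PortPolicy(), 2: PortPolicy(), 24: PortPolicy(trusted=True)})
    guard.record_lease(1, 10, "aa:aa:aa:00:00:01", "10.0.0.11")
    print(guard.arp_inspection(1, 10, "aa:aa:aa:00:00:01", "10.0.0.11"))   # True
    print(guard.arp_inspection(1, 10, "aa:aa:aa:00:00:01", "10.0.0.1"))    # False: no binding
    print(guard.log)
```

The ordering matters operationally: DAI has nothing to validate against until DHCP snooping has seen real leases, so enabling "ip arp inspection" on a VLAN before its binding table is populated drops legitimate ARP; statically addressed hosts need ARP ACLs or a static binding for the same reason.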

12. LAN Performance Factors

Factor | Definition | Impact | How to Measure / Improve
Bandwidth | Maximum theoretical capacity of a link (e.g., 1 Gbps) | Sets the ceiling for data transfer — actual performance is always less | Check interface speed with show interfaces; upgrade link speed or add EtherChannel
Throughput | Actual data successfully delivered per unit time | What users actually experience — affected by errors, retransmissions, overhead, and congestion | Measure with iperf3; improve by reducing errors and congestion
Latency | Time for a packet to travel from source to destination; ping reports the round-trip time (RTT) | Critical for real-time applications — VoIP requires <150 ms one-way; high latency causes voice/video degradation | Measure with ping; LAN latency should be <1 ms; WAN latency varies
Jitter | Variation in latency between consecutive packets | Most damaging for real-time traffic (VoIP, video) — causes choppy audio even if average latency is acceptable | Measure with jitter tools; implement QoS to prioritise real-time traffic
Packet Loss | Percentage of packets that never arrive | TCP retransmits (slowing throughput); UDP applications (VoIP, video) simply lose data | Check interface error counters (show interfaces — input errors, CRC, output drops); identify and fix bad cables or congested links

13. Common LAN Issues and Troubleshooting

Issue | Cause | Symptoms | Diagnostic & Fix
Broadcast storm | Layer 2 loop — frames circulate endlessly; STP not running or disabled | Network suddenly unusable; all links show 100% utilisation; switches may crash or restart | Verify STP is running (show spanning-tree); check for BPDU Guard violations; check physical loops; enable RSTP for faster recovery
Duplex mismatch | One end auto-negotiates to half-duplex while the other is forced full-duplex | High CRC errors and late collisions on the interface; poor throughput (10–100× below expected) | show interfaces — look for input errors, CRC, late collisions; fix by setting both ends to the same duplex and speed, or both to auto
IP address conflict | Two devices assigned the same IP address (static misconfiguration or DHCP scope exhaustion) | Intermittent connectivity; OS warnings "IP address conflict detected"; one or both devices drop off the network | arp -a to check for duplicate MACs for the same IP; review DHCP pool and exclude statically assigned addresses; fix static assignments
Switch port error-disabled | Port security violation, BPDU Guard trigger, or excessive errors caused the port to shut down automatically | Device cannot connect; show interfaces shows "err-disabled" | show interfaces status; identify cause; shutdown then no shutdown to re-enable after fixing the root cause
VLAN mismatch | Device assigned to wrong VLAN, or trunk link missing the required VLAN | Devices in the same physical area cannot ping each other; DHCP fails for affected devices | show vlan brief — verify port VLAN assignment; show interfaces trunk — verify VLANs allowed on trunk; correct access or trunk port configuration
Cable fault | Damaged cable, bad connector, or bent/crushed cable causing signal degradation | Interface shows up/down intermittently; high CRC errors; speed negotiation instability | Replace cable; use cable tester or TDR to identify fault location; check connector crimp quality
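The error-counter reasoning in the performance table above and in the duplex mismatch and cable fault rows (the same distinction quiz answer 8 relies on), as an added example that is not part of the original page: a Python parser that splits show-interfaces-style output per interface, extracts the duplex setting and the input error, CRC and late collision counters, and applies the page's rule: late collisions (or a half-duplex port) point to a duplex mismatch; CRC errors with no late collisions on a full-duplex port point to Layer 1. The sample text is constructed in the style of Cisco IOS output, not captured from a device, and the CRC threshold is an assumed value.

```python
import re
from typing import Dict

# Constructed excerpt in the style of Cisco IOS `show interfaces` (not real
# device output): three access ports with different error profiles.
SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet1/0/5 is up, line protocol is up (connected)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
     4523 input errors, 4521 CRC, 2 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
GigabitEthernet1/0/7 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100/1000BaseTX
     812 input errors, 790 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 3100 collisions, 2 interface resets
     0 babbles, 1450 late collision, 0 deferred
GigabitEthernet1/0/9 is up, line protocol is up (connected)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

HEADER = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)", re.M)
CRC_THRESHOLD = 100   # assumed; tune to the port's traffic volume and clear-counter interval


def _counter(block: str, name: str) -> int:
    m = re.search(rf"(\d+) {name}\b", block)
    return int(m.group(1)) if m else 0


def parse_interfaces(text: str) -> Dict[str, dict]:
    """Split the output per interface and pull the counters the table above uses."""
    result = {}
    headers = list(HEADER.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[m.start():end]
        duplex = re.search(r"(Full|Half)-duplex", block)
        result[m.group(1)] = {
            "status": m.group(2),
            "duplex": duplex.group(1).lower() if duplex else "unknown",
            "input_errors": _counter(block, "input errors"),
            "crc": _counter(block, "CRC"),
            "late_collisions": _counter(block, "late collision"),
        }
    return result


def diagnose(text: str) -> Dict[str, str]:
    """Map each interface to a verdict using the page's error-type rule."""
    verdicts = {}
    for name, c in parse_interfaces(text).items():
        if c["late_collisions"] > 0 or c["duplex"] == "half":
            # Late collisions are the signature of a duplex mismatch: fix both
            # ends to the same speed/duplex, or set both to auto.
            verdicts[name] = "duplex mismatch"
        elif c["crc"] > CRC_THRESHOLD:
            # CRC errors without late collisions on a full-duplex port: the
            # medium is corrupting frames. Replace the cable, re-terminate.
            verdicts[name] = "cable fault"
        else:
            verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    for name, verdict in diagnose(SAMPLE_SHOW_INTERFACES).items():
        print(f"{name}: {verdict}")
```

Running this periodically and alerting on a verdict change is a cheap detection for the cable and negotiation faults that otherwise surface only as user complaints about "slow" links; on a real switch the same counters also come out of SNMP (ifInErrors) without screen-scraping.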

14. Key Points & Exam Tips

  • A LAN connects devices within a limited area (building/campus); privately owned; high speed (1–10 Gbps typical); sub-millisecond latency.
  • Hub = Layer 1, one collision domain for all ports, obsolete. Switch = Layer 2, one collision domain per port, one broadcast domain per VLAN. Router = Layer 3, one broadcast domain per interface.
  • Every switch port is its own collision domain. Routers and VLANs break broadcast domains — switches alone do not.
  • Topology: Star = all cables to central switch (modern standard). Bus = shared backbone (obsolete). Ring = token-passing loop (largely obsolete). Mesh = redundant interconnects (partial mesh at core/distribution).
  • Physical star + logical bus = modern Ethernet. Data appears to flow on a shared bus (CSMA/CD heritage) even though wired as star.
  • Ethernet frame: Dest MAC | Src MAC | EtherType | Payload (46–1500 bytes) | FCS. Broadcast MAC = FF:FF:FF:FF:FF:FF.
  • ARP resolves IP → MAC within a broadcast domain. For remote subnets, devices ARP for the default gateway's MAC — not the remote host's MAC.
  • STP (802.1D) prevents broadcast storms from Layer 2 loops by blocking redundant ports. RSTP (802.1w) converges in 1–2 seconds vs 30–50 for STP.
  • VLANs logically segment the LAN into multiple broadcast domains. Inter-VLAN routing requires Layer 3 (router-on-a-stick or multilayer switch).
  • Three-tier design: Core = fast backbone, no policies. Distribution = routing, ACLs, QoS. Access = end devices, port security, PoE.
  • LAN security: Port security (MAC limits), 802.1X (authentication before access), DHCP snooping (no rogue DHCP), DAI (no ARP spoofing), BPDU Guard (no rogue switches).
  • Performance: Bandwidth (capacity) ≠ Throughput (actual). Latency and jitter critical for VoIP. Packet loss measured with ping and interface error counters.


15. LAN Quiz

1. A network engineer counts collision domains in the following topology: a hub with 4 PCs connected to a switch with 6 ports, connected to a router. The router has two interfaces — one to the switch, one to another switch with 3 ports. How many collision domains exist in total?

Correct answer is C. Counting collision domains: A hub creates exactly 1 collision domain for all connected ports — all 4 PCs share one collision domain. A switch creates 1 collision domain per port — the 6-port switch creates 6 collision domains (one port connects to the hub, which itself is 1 collision domain; the other ports each individually). A router creates 1 collision domain per interface. The 3-port second switch creates 3 collision domains. Total: hub (1) + left switch (6) + router contributes to its interface segments (these are counted as part of the switch port counts) + right switch (3) = approximately 11. The key rule: every switch port = its own collision domain; all ports on a hub = one shared collision domain.

2. PC1 (192.168.1.10) wants to send data to PC2 (192.168.2.50) which is on a different subnet, connected through a router. PC1 has never communicated before. What MAC address does PC1 put in the destination field of its first Ethernet frame?

Correct answer is B. Every Ethernet frame must have a destination MAC address. ARP only works within the same broadcast domain (subnet). When PC1 needs to reach 192.168.2.50 (a different subnet), it determines that this IP is not on its local subnet by comparing it against its subnet mask. PC1 then sends the packet to its default gateway (the router). PC1 first ARPs for the default gateway's IP (e.g., 192.168.1.1) to get its MAC address. The Ethernet frame is then sent with the router's MAC as the destination — but the IP destination remains 192.168.2.50. The router receives the frame, strips the Layer 2 header, looks up 192.168.2.50 in its routing table, then ARPs for PC2's MAC on the 192.168.2.0/24 subnet and forwards the packet with a new Ethernet frame.

3. A network administrator connects two switches with two cables for redundancy but does not configure STP. One minute later, all users lose network access and all switch interfaces show maximum utilisation. What happened and what should be done?

Correct answer is D. This is a classic broadcast storm scenario caused by a Layer 2 loop. When two cables connect the same two switches, a loop forms. Any broadcast frame (ARP, DHCP discover, unknown unicast) that the first switch floods will arrive on the second switch via both cables. The second switch floods it back on both ports, which arrives at the first switch via both paths, which floods again — the frame count doubles with every cycle. Within milliseconds, broadcast frames fill all available bandwidth. Modern Cisco switches run STP by default and would block one port automatically. The fact that the storm occurred means STP was disabled or the port was put in "no spanning-tree" mode. Immediate fix: disconnect one cable to break the loop. Long-term fix: verify show spanning-tree shows STP active and at least one port in blocking state on the redundant link.

4. A new employee in the Finance department connects their laptop to a switch port that has port security configured with maximum 1 MAC address and violation mode shutdown. The port was previously used by a different laptop. The new laptop cannot connect. What most likely happened and how is it resolved?

Correct answer is A. Port security with switchport port-security mac-address sticky (or a manually configured MAC) remembers which MAC address is authorised on that port. When the new laptop connects with a different MAC, it violates the port security policy. With violation mode "shutdown," the port enters err-disabled state — it goes down and stays down until an administrator clears it. Recovery procedure: (1) Identify the issue with show port-security interface Fa0/1 — look for "Security Violation Count." (2) Clear the sticky MAC address: clear port-security sticky interface Fa0/1. (3) Re-enable the port: interface Fa0/1, then shutdown followed by no shutdown. (4) Alternatively, configure errdisable recovery to automate this process.

5. In a three-tier hierarchical LAN design, where should inter-VLAN routing and ACL enforcement be performed, and why should this NOT be done at the core layer?

Correct answer is C. This is a core design principle of the three-tier model. The distribution layer is specifically designed as the policy enforcement point: it performs inter-VLAN routing (connecting VLAN 10/20/30 subnets), applies ACLs to control traffic between VLANs and toward the core, implements QoS marking and queuing, and runs first-hop redundancy protocols (HSRP/VRRP) for gateway redundancy. The core layer's sole job is to move packets between distribution blocks as fast as possible — any packet processing (ACL lookup, NAT, QoS) slows this down. The Cisco design rule: "Never do at the core what can be done at the distribution layer." The access layer is appropriate for port-level security (port security, 802.1X, DHCP snooping) but not for complex routing policies.

6. A switch has 24 access ports, each carrying one end device, plus two trunk ports connecting to distribution switches. How many broadcast domains exist on this switch if all 24 access ports are in VLAN 10 and the trunk ports carry VLANs 10, 20, and 30?

Correct answer is B. Broadcast domains on a switch are defined by VLANs, not by port count. All 24 access ports are in VLAN 10 — they form a single broadcast domain. A broadcast sent by any of the 24 PCs reaches all 24 PCs (and is forwarded out the trunk ports as VLAN 10 tagged frames to the distribution switches). VLANs 20 and 30 are present on the trunk links but have no locally attached devices — they are simply transit VLANs on this switch. Broadcast domains for VLANs 20 and 30 exist at the distribution layer where those VLANs have active ports. Remember: switches do NOT break broadcast domains — only routers and VLANs do. If all 24 ports were in different VLANs, there would be 24 broadcast domains.

7. A user reports their computer shows "Duplicate IP address detected" and has intermittent connectivity. Another user reports the same message starting at the same time. Both users have statically assigned IP addresses. What has happened and what is the systematic fix?

Correct answer is D. Since both users have statically assigned addresses and both are reporting the conflict simultaneously, this is a static IP address management failure — two administrators assigned the same IP address without coordinating. When both devices boot (or reconnect to the network), each sends a gratuitous ARP announcing its IP. Each device sees the other's ARP and generates the "duplicate IP" warning. The switch's ARP table alternates between the two MACs for the same IP, causing intermittent connectivity for both users. Short-term fix: change one device to a different unused IP. Long-term fix: implement an IP Address Management (IPAM) system (Infoblox, SolarWinds IP Address Manager, or even a shared spreadsheet); migrate end devices to DHCP where possible; configure DHCP with reserved scopes to prevent static/dynamic overlap.

8. A network engineer notices that a critical server's interface shows: Input errors: 4,523 — CRC: 4,521 — Late collisions: 0. The server is connected to a Cisco switch port configured for auto/auto (speed and duplex). What is the most likely cause?

Correct answer is A. This is a subtle but important distinction between error types. CRC (FCS) errors mean received frames failed the integrity check — the data was corrupted in transit. Late collisions occur after the first 64 bytes of a frame and are the signature of a duplex mismatch (one end is half-duplex and the other full-duplex). In this case there are almost no late collisions, ruling out duplex mismatch. CRC errors without late collisions in a switched, full-duplex environment point directly to the physical medium: damaged cable, poor connector crimp, cable too long, or EMI interference. The fix: replace the cable and re-terminate the connector. If errors persist, test with a known-good cable and use a cable certifier to verify signal integrity.

9. A rogue switch is connected to an access port by a user. The rogue switch generates BPDUs and begins participating in the STP topology. This could allow the rogue switch to become the STP root bridge, disrupting the entire LAN. Which Cisco feature prevents this scenario?

Correct answer is C. BPDU Guard is the specific STP security feature for this threat. Access ports connect to end devices (PCs, phones) which should never generate BPDUs (STP packets). When BPDU Guard is enabled on a port, if any BPDU is received, the port is immediately placed in err-disabled state — effectively shutting it down. This prevents a rogue switch from: (1) participating in STP topology changes, (2) advertising a lower bridge priority and becoming the root bridge, and (3) manipulating the STP topology to cause network disruptions (a documented attack vector). BPDU Guard is typically enabled globally on all PortFast ports: spanning-tree portfast bpduguard default. PortFast itself skips the STP listening/learning states for fast port bring-up; BPDU Guard is its security companion.

10. An enterprise is upgrading from a flat LAN (all devices in one broadcast domain, single VLAN) to a VLAN-segmented design with separate VLANs for Sales, Finance, and IT. Users in Sales need to access a shared file server in IT. What must be configured to allow this cross-VLAN communication?

Correct answer is B. VLANs create separate broadcast domains — devices in VLAN 10 (Sales) and VLAN 30 (IT) are in completely separate Layer 2 networks. They cannot communicate at Layer 2 regardless of switch configuration. Cross-VLAN communication requires Layer 3 routing. Two common methods: (1) Router-on-a-stick: A physical router connected to a trunk port creates sub-interfaces for each VLAN (e.g., Gi0/0.10 for VLAN 10, Gi0/0.30 for VLAN 30). Traffic from Sales to IT goes up to the router which routes between the sub-interfaces and returns it to IT. (2) Multilayer switch with SVIs (Switched Virtual Interfaces): The distribution switch creates virtual Layer 3 interfaces for each VLAN (interface vlan 10, interface vlan 30) and routes between them in hardware — much faster than router-on-a-stick. Trunk ports only carry tagged frames for multiple VLANs between switches — they do not route between VLANs.
