Network Switch – MAC Learning, VLANs, STP, Port Security & Inter-VLAN Routing

1. What Is a Network Switch?

A network switch is an intelligent Layer 2 (and optionally Layer 3) device that interconnects devices within a LAN (Local Area Network). Unlike a hub — which blindly copies every incoming frame out every port, creating collisions — a switch learns which device is connected to each port and forwards frames only to the correct destination port.

  Hub (Layer 1) — collision domain spans ALL ports:
  PC-A sends frame to PC-B.
  Hub copies frame to PC-B, PC-C, PC-D, and Server simultaneously.
  If PC-C sends at the same time as PC-A: COLLISION -- both frames destroyed.
  All devices share one collision domain and one broadcast domain.

  Switch (Layer 2) — separate collision domain per port:
  PC-A sends frame to PC-B.
  Switch checks CAM table: PC-B is on Gi0/2.
  Switch sends frame ONLY out Gi0/2. PC-C and PC-D see nothing.
  PC-C can transmit simultaneously -- no collision (full-duplex per port).
  All ports = separate collision domains. One broadcast domain per VLAN.

Related pages: CAM Table | MAC Addresses | Access & Trunk Ports | VLANs | Trunking (802.1Q) | Root Bridge Election (STP) | Spanning Tree | show mac address-table | show vlan | show interfaces | EtherChannel | Routers | VLAN Configuration Lab | Inter-VLAN Routing Lab | Layer 2 Troubleshooting Lab

2. Switch vs Hub vs Router — OSI Layer Comparison

Hub
  OSI layer:         Layer 1 (Physical)
  Forwarding basis:  None; repeats every signal out every port
  Collision domain:  One (all ports)
  Broadcast domain:  One (all ports)
  Intelligence:      None; pure signal repeater

Switch (L2)
  OSI layer:         Layer 2 (Data Link)
  Forwarding basis:  MAC addresses (CAM table)
  Collision domain:  One per port (full-duplex)
  Broadcast domain:  One per VLAN
  Intelligence:      Learns MAC-to-port mappings; forwards or floods

Switch (L3)
  OSI layer:         Layers 2 and 3
  Forwarding basis:  MAC addresses AND IP addresses
  Collision domain:  One per port
  Broadcast domain:  One per VLAN; routes between VLANs
  Intelligence:      Full L2 switching plus hardware-based IP routing. See Layer 3 Switch Routing.

Router
  OSI layer:         Layer 3 (Network)
  Forwarding basis:  IP addresses (routing table)
  Collision domain:  One per interface
  Broadcast domain:  One per interface (breaks broadcast domains)
  Intelligence:      Routing table; inter-network forwarding; NAT, ACLs

3. Types of Switches

Unmanaged
  Description:   Plug-and-play; no configuration interface. Fixed functionality.
  Configurable:  No
  Typical use:   Small offices, home networks, simple device connectivity where VLANs and security are not needed

Managed
  Description:   Full CLI/GUI/SNMP access. Supports VLANs, STP, QoS, port security, SNMP monitoring, ACLs.
  Configurable:  Yes
  Typical use:   Enterprise networks requiring segmentation, security, redundancy, and monitoring

Smart / Partially Managed
  Description:   Web GUI only; limited feature set compared to fully managed. Typically supports basic VLANs and QoS.
  Configurable:  Limited
  Typical use:   Small-medium businesses needing basic VLAN support without enterprise complexity

Layer 2 (L2)
  Description:   Forwards frames based on MAC addresses only. No IP routing.
  Configurable:  Yes (managed)
  Typical use:   Access layer; connecting end devices (PCs, phones, printers) to the network

Layer 3 (L3)
  Description:   Performs both MAC-based switching AND IP-based routing (inter-VLAN routing) in hardware ASICs. Much faster than router-on-a-stick.
  Configurable:  Yes
  Typical use:   Distribution and core layers; inter-VLAN routing without a separate router (Cisco Catalyst 3850, 9300)

Stackable
  Description:   Multiple physical chassis interconnected via a high-speed stacking bus and managed as a single logical device. Add/remove stack members without downtime.
  Configurable:  Yes
  Typical use:   Enterprise access layer needing scalability; add switches as the port count grows; one management IP for the entire stack

Modular / Chassis
  Description:   Chassis-based with field-replaceable line cards (port modules), supervisor engines, and power supplies. Highly resilient.
  Configurable:  Yes
  Typical use:   Core and data centre; large port density, redundant supervisors (Cisco Catalyst 6500, 9400)

PoE Switch
  Description:   Delivers 802.3af/at/bt power over Ethernet to connected devices alongside data.
  Configurable:  Yes
  Typical use:   Powering IP phones, wireless APs, IP cameras, and other PoE devices without separate power supplies

4. MAC Address Learning and Frame Forwarding

The switch's entire intelligence rests on its CAM table (Content Addressable Memory table, also called the MAC address table). Every frame received triggers two actions: learn the source MAC and look up the destination MAC.

  Frame forwarding decision logic:

  Frame arrives on Gi0/1. Source MAC = 0011.AAAA.AAAA, Dest MAC = 0022.BBBB.BBBB

  Step 1 -- LEARN SOURCE MAC:
  Record: 0011.AAAA.AAAA is reachable via Gi0/1
  (Resets aging timer to 300 sec for this entry)

  Step 2 -- LOOK UP DESTINATION MAC:
  Case A: Destination MAC in CAM table:
    0022.BBBB.BBBB -> Gi0/3
    Forward frame out Gi0/3 ONLY (unicast forwarding)

  Case B: Destination MAC NOT in CAM table (unknown unicast):
    Flood frame out ALL ports in same VLAN except ingress Gi0/1
    (PC-B's reply will populate its entry)

  Case C: Destination is broadcast (FF:FF:FF:FF:FF:FF):
    Flood frame out ALL ports in same VLAN except ingress
    (ARP requests, DHCP Discover use broadcast)

  Case D: Destination is multicast:
    Flood to all ports in VLAN (unless IGMP Snooping active)
    With IGMP Snooping: send only to ports with interested receivers

See CAM Table and show mac address-table for full MAC learning and CAM table details.
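
The learn/look-up logic above as runnable code, an example added for this page rather than code from the original: a tiny switch model with the four destination cases, the 300-second aging timer, and a CAM table that is deliberately capped at four entries so the overflow case is visible. Port names, MAC addresses and the attacker burst are all constructed for the demo.

```python
# Added example for this page (not from the original): a minimal model of the
# CAM-table learn/look-up logic described above, including aging and what
# happens when the table is full. Port names, MACs and the tiny table
# capacity (4 entries, so the overflow is visible) are constructed for the demo.
from __future__ import annotations

BROADCAST = "ff:ff:ff:ff:ff:ff"
AGING_SECONDS = 300            # Cisco IOS default MAC aging time


def is_multicast(mac: str) -> bool:
    # I/G bit: least-significant bit of the first octet
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    """Access-port-only switch: self.ports maps port name -> VLAN."""

    def __init__(self, ports: dict[str, int], capacity: int) -> None:
        self.ports = ports
        self.capacity = capacity
        # CAM key (vlan, mac) -> (port, time last seen)
        self.cam: dict[tuple[int, str], tuple[str, float]] = {}

    def _age_out(self, now: float) -> None:
        for key, (_, seen) in list(self.cam.items()):
            if now - seen > AGING_SECONDS:
                del self.cam[key]

    def receive(self, port: str, src: str, dst: str, now: float) -> list[str]:
        """Frame arrives on `port`; return the list of egress ports."""
        vlan = self.ports[port]
        self._age_out(now)
        # Step 1: learn the source MAC (refresh the timer, or insert if there is room).
        key = (vlan, src)
        if key in self.cam or len(self.cam) < self.capacity:
            self.cam[key] = (port, now)
        # else: table full, source not learned; every later frame TO this MAC is flooded.
        # Step 2: look up the destination MAC.
        others = [p for p, v in self.ports.items() if v == vlan and p != port]
        if dst == BROADCAST or is_multicast(dst):        # Cases C, D (no IGMP snooping)
            return others
        entry = self.cam.get((vlan, dst))
        if entry is None:                               # Case B: unknown unicast
            return others
        if entry[0] == port:                            # destination sits on the ingress port
            return []
        return [entry[0]]                               # Case A: known unicast


def cam_overflow_demo() -> dict:
    """Two hosts talk normally; then an attacker on Gi0/3 floods fake source MACs."""
    sw = Switch({"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 10, "Gi0/4": 20}, capacity=4)
    pc_a, pc_b = "00:11:aa:aa:aa:aa", "00:22:bb:bb:bb:bb"
    sw.receive("Gi0/1", pc_a, pc_b, now=0)              # unknown unicast: flooded
    sw.receive("Gi0/2", pc_b, pc_a, now=1)              # reply populates B's entry
    normal = sw.receive("Gi0/1", pc_a, pc_b, now=2)     # known unicast -> ["Gi0/2"]

    def attacker_burst(t: float) -> None:
        for i in range(50):                              # constructed fake sources
            sw.receive("Gi0/3", f"de:ad:be:ef:00:{i:02x}", pc_b, now=t)

    attacker_burst(3)            # fills the free slots
    attacker_burst(320)          # A and B have aged out; the attacker refills the table
    flooded = sw.receive("Gi0/1", pc_a, pc_b, now=321)  # B unknown, A cannot be learned
    return {
        "normal": normal,
        "after_overflow": flooded,           # now includes the attacker's port Gi0/3
        "cam_entries": sorted(mac for _, mac in sw.cam),
    }
```

Running cam_overflow_demo() shows the point of a MAC-flooding attack: once the table is full of attacker entries and the real hosts have aged out, the switch fails open and floods PC-A's unicast traffic to every port in the VLAN, including the attacker's. Real CAM tables hold thousands of entries, but a tool generating random sources fills them in seconds; port security's per-port maximum (Section 9) is the control that stops one port from consuming the table.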

Frame Switching Methods

Store-and-Forward
  How it works:    Receives the entire frame into a buffer, checks the FCS (CRC), THEN forwards
  Latency:         Higher (the entire frame must arrive first)
  Error checking:  Full; corrupted frames are dropped before forwarding
  When used:       Default on most modern Cisco switches; required for QoS classification and for ports of different speeds

Cut-Through
  How it works:    Makes the forwarding decision as soon as the destination MAC (first 6 bytes) has been read, before the rest of the frame arrives
  Latency:         Lowest; forwarding starts after roughly the 14-byte Ethernet header, independent of frame size
  Error checking:  None; the FCS has not arrived yet, so corrupted frames propagate
  When used:       Low-latency environments (HFT, storage networks); only when ingress and egress ports run at the same speed

Fragment-Free
  How it works:    Reads the first 64 bytes (minimum Ethernet frame) before forwarding; catches collision fragments
  Latency:         Moderate
  Error checking:  Partial; catches runts (collision fragments under 64 B) but not CRC errors in longer frames
  When used:       Compromise between store-and-forward and cut-through; reduces collision fragment propagation

5. VLANs — Virtual LANs

VLANs logically partition a single physical switch into multiple independent broadcast domains. Devices in different VLANs cannot communicate at Layer 2 even if physically connected to the same switch — a router or Layer 3 switch is required for inter-VLAN communication.

  Without VLANs (one switch, all devices same broadcast domain):
  Finance-PC, HR-PC, IT-PC, Server all share one broadcast domain.
  Finance ARP request floods to HR-PC, IT-PC, and Server -- inefficient
  and a security concern (an HR host can capture Finance broadcasts and
  any Finance frames the switch floods as unknown unicast).

  With VLANs (logical segmentation):
  VLAN 10 (Finance): Finance-PC-1, Finance-PC-2
  VLAN 20 (HR):      HR-PC-1, HR-PC-2
  VLAN 30 (IT):      IT-PC-1, IT-Server

  Finance ARP request floods ONLY to Finance-PC-1 and Finance-PC-2.
  HR-PC never sees Finance broadcasts.
  To route between Finance and HR: must go through a router or L3 switch.

VLAN Configuration — Cisco IOS

! ── Create VLANs ──────────────────────────────────────────────────────────
Switch(config)# vlan 10
Switch(config-vlan)# name Finance
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name HR
Switch(config-vlan)# exit

! ── Assign access port to VLAN ────────────────────────────────────────────
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# spanning-tree portfast       ! For end-device ports
Switch(config-if)# spanning-tree bpduguard enable

! ── Configure trunk port (between switches) ───────────────────────────────
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# switchport trunk encapsulation dot1q   ! Older IOS that still offers ISL: must come BEFORE "mode trunk"
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30 ! Prune every other VLAN from the trunk
Switch(config-if)# switchport trunk native vlan 99        ! Change from default VLAN 1; VLAN 99 must exist and match on both ends

! ── Verify ────────────────────────────────────────────────────────────────
Switch# show vlan brief
VLAN Name                   Status    Ports
---- ---------------------- --------- ----------------------------------
1    default                active    Gi0/2, Gi0/3, Gi0/4
10   Finance                active    Gi0/1
20   HR                     active    Gi0/5, Gi0/6
30   IT                     active    Gi0/7, Gi0/8
1002 fddi-default           act/unsup
...

Switch# show interfaces trunk
Port   Mode   Encap    Status     Native vlan
Gi0/24 on     802.1q   trunking   99

Port   Vlans allowed on trunk
Gi0/24 10,20,30

Port   Vlans allowed and active in management domain
Gi0/24 10,20,30

See show vlan for detailed output annotation, Access & Trunk Ports for the full port configuration reference, and VLANs for the conceptual overview. Hands-on practice: VLAN Configuration Lab | Assigning VLANs to Switch Ports Lab.

802.1Q VLAN Tagging

  802.1Q adds a 4-byte tag to the Ethernet frame header:

  Normal Ethernet frame:
  | Dest MAC (6B) | Src MAC (6B) | EtherType (2B) | Data | FCS |

  802.1Q tagged frame:
  | Dest MAC (6B) | Src MAC (6B) | 802.1Q Tag (4B) | EtherType (2B) | Data | FCS |
                                  ^^^^^^^^^^^^^^^^^
                                  | TPID (2B) = 0x8100 | PCP (3b) | DEI (1b) | VLAN ID (12b) |

  TPID 0x8100 = identifies this as an 802.1Q frame
  PCP (Priority Code Point) = 3 bits for QoS (0-7)
  VLAN ID (VID) = 12 bits = VLAN 0-4095 (0 and 4095 reserved; usable 1-4094)

  Native VLAN: frames belonging to the native VLAN cross the trunk UNTAGGED.
  If the two ends disagree on the native VLAN, each side drops the other's
  untagged frames into a different VLAN (traffic leaks between VLANs).
  If an attacker's access port sits in the trunk's native VLAN, a double-tagged
  frame (outer tag = native VLAN, inner tag = victim VLAN) has its outer tag
  stripped when it leaves the trunk and is placed in the victim VLAN by the
  next switch: VLAN hopping. A second variant (switch spoofing) uses DTP to
  negotiate a trunk from an access port.
  Best practice: set the native VLAN to an unused VLAN (e.g., 99) on BOTH ends
  of every trunk, put no access port in that VLAN, and disable DTP on
  end-device ports (switchport mode access + switchport nonegotiate).

See Trunking (802.1Q) for full 802.1Q trunk configuration detail.
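
The tag layout and the native-VLAN rule above, traced at the byte level. This is an example written for this page, not vendor code: it packs and parses the 4-byte 802.1Q tag with struct and then pushes a double-tagged frame through a two-switch model (access port on SW1, trunk to SW2) built from the rules in this section. The MAC addresses are constructed, and the access-port behaviour (a tag equal to the access VLAN is stripped and accepted) is the assumption the classic double-tagging attack relies on.

```python
# Added example for this page (not vendor code): build and parse 802.1Q tags
# with struct, then push a double-tagged frame through a two-switch model to
# show why the native VLAN matters for VLAN hopping. MACs and the two-switch
# behaviour are my simplification of the rules described on this page.
import struct
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, vids: List[int], payload: bytes, pcp: int = 0) -> bytes:
    """Ethernet header + zero or more 802.1Q tags (outermost first) + EtherType + data."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF)) for vid in vids)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def outer_vid(frame: bytes) -> Optional[int]:
    """VLAN ID of the outermost tag, or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


# --- switch behaviour, modelled from the rules on this page -----------------
def access_ingress(frame: bytes, access_vlan: int) -> Optional[Tuple[int, bytes]]:
    """Untagged -> access VLAN. A tag equal to the access VLAN is stripped and
    accepted (assumption behind the classic attack); any other tag is dropped."""
    vid = outer_vid(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, pop_tag(frame)
    return None


def trunk_egress(vlan: int, frame: bytes, native: int) -> bytes:
    """Native-VLAN frames leave untagged; everything else gets a tag."""
    return frame if vlan == native else push_tag(frame, vlan)


def trunk_ingress(frame: bytes, native: int) -> Tuple[int, bytes]:
    """Untagged frames arriving on a trunk are placed in the native VLAN."""
    vid = outer_vid(frame)
    return (native, frame) if vid is None else (vid, pop_tag(frame))


def vlan_hop(attacker_vlan: int, outer: int, inner: int, native: int) -> Optional[int]:
    """Attacker on an SW1 access port in `attacker_vlan` sends an [outer][inner]
    double-tagged frame. Returns the VLAN the frame lands in on SW2, or None if
    it was dropped on the way."""
    frame = build_frame("00:22:bb:bb:bb:bb", "00:11:aa:aa:aa:aa", [outer, inner], b"constructed")
    accepted = access_ingress(frame, attacker_vlan)      # SW1 access port
    if accepted is None:
        return None
    vlan, frame = accepted
    on_wire = trunk_egress(vlan, frame, native)          # SW1 -> SW2 trunk
    vlan_at_sw2, _ = trunk_ingress(on_wire, native)      # SW2 trunk port
    return vlan_at_sw2
```

vlan_hop(1, 1, 20, native=1) returns 20: SW1 strips the outer tag, sends the frame untagged because VLAN 1 is native, and SW2 reads the surviving inner tag and delivers it to VLAN 20. With the native VLAN moved to 99, the same frame is re-tagged with VLAN 1 on the trunk and stays in the attacker's own VLAN (returns 1), and an outer tag of 99 is dropped at the access port (returns None). The attack is one-way only: replies never come back, which is why it is used for blind injection rather than sessions.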

6. Inter-VLAN Routing — Layer 3 Switch vs Router-on-a-Stick

Devices in different VLANs cannot communicate at Layer 2. To route between VLANs, two approaches exist: router-on-a-stick (single router interface with sub-interfaces) or a Layer 3 switch with SVIs (Switched Virtual Interfaces).

Method 1: Router-on-a-Stick

  Topology: Switch --trunk--> Router Gi0/0
  Router Gi0/0 has sub-interfaces for each VLAN.

! Switch side -- configure trunk to router:
Switch(config)# interface Gi0/24
Switch(config-if)# switchport mode trunk

! Router side -- sub-interfaces:
Router(config)# interface GigabitEthernet0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0

Router(config)# interface GigabitEthernet0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0

Router(config)# interface GigabitEthernet0/0.30
Router(config-subif)# encapsulation dot1Q 30
Router(config-subif)# ip address 192.168.30.1 255.255.255.0

Router(config)# interface GigabitEthernet0/0
Router(config-if)# no shutdown   ! Bring up parent interface

! Default gateways: VLAN 10 hosts use 192.168.10.1, etc.
! Limitation: all inter-VLAN traffic passes through router -- single link bottleneck

Method 2: Layer 3 Switch with SVIs (Preferred)

! Enable IP routing on L3 switch:
L3Switch(config)# ip routing

! Create SVIs (one per VLAN -- acts as default gateway).
! The VLAN must exist in the VLAN database (vlan 10) and have at least one
! port up in it, otherwise the SVI stays down/down:
L3Switch(config)# interface vlan 10
L3Switch(config-if)# ip address 192.168.10.1 255.255.255.0
L3Switch(config-if)# no shutdown
L3Switch(config-if)# description Gateway-for-VLAN10

L3Switch(config)# interface vlan 20
L3Switch(config-if)# ip address 192.168.20.1 255.255.255.0
L3Switch(config-if)# no shutdown

! Traffic between VLAN 10 and VLAN 20 routes in hardware ASIC --
! no external router needed, wire-speed performance.

! Verify SVIs:
L3Switch# show interfaces vlan 10
Vlan10 is up, line protocol is up
  Internet address is 192.168.10.1/24

L3Switch# show ip route
C    192.168.10.0/24 is directly connected, Vlan10
C    192.168.20.0/24 is directly connected, Vlan20

See Inter-VLAN Routing Lab for hands-on practice with both methods.

7. Spanning Tree Protocol (STP)

STP (IEEE 802.1D) prevents Layer 2 loops in networks with redundant switch links. Without STP, a broadcast frame would loop indefinitely between switches, consuming all bandwidth within seconds.

  Triangle topology without STP:
  SW1 -- SW2 -- SW3 -- SW1
  PC-A sends broadcast -> SW1 forwards to SW2 and SW3
  SW2 forwards to SW3 (arrives again at SW3), SW3 forwards back to SW1...
  Frames multiply exponentially -- BROADCAST STORM -- network fails.

  STP solution:
  1. Elect a ROOT BRIDGE (lowest Bridge ID)
  2. Calculate shortest path to root from each switch
  3. Block redundant ports (Alternate/Blocking state)
  4. Only Root Ports and Designated Ports forward traffic

  Result: Loop-free tree with blocked port as standby backup.

! Verify STP root and port roles (output from SW3, a NON-root switch):
SW3# show spanning-tree vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    24586
             Address     0011.1111.1111
             Cost        4
             Port        1 (GigabitEthernet0/1)
  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     0033.3333.3333
  ...
Interface           Role Sts Cost  Prio.Nbr Type
Gi0/1               Root FWD 4     128.1    P2p
Gi0/2               Altn BLK 4     128.2    P2p   <-- blocked to prevent loop
Gi0/3               Desg FWD 4     128.3    P2p

! On the root bridge itself every port is Designated; it has no Root or Altn port.
! Configure the root bridge deliberately on the switch you want as root
! (recommended over relying on the lowest-MAC tiebreaker, which lets any
! switch with a lower BID, including a rogue one, take over the tree):
SW1(config)# spanning-tree vlan 10 root primary     ! priority 24576 (shown as 24586 with sys-id-ext 10)
SW1(config)# spanning-tree vlan 20 root secondary   ! priority 28672

See Root Bridge Election, STP Port Roles, Spanning Tree Protocol, and PVST+ for detailed STP coverage. PortFast & BPDU Guard should be configured on all access ports.
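
The four STP steps above as an algorithm, in an example added for this page (not from the original and not vendor code). Bridge IDs are (priority, MAC) tuples compared the way 802.1D compares them; on Cisco the priority field also carries the VLAN as sys-id-ext, which is identical for every bridge in that VLAN, so comparing the configured priority gives the same result. The switch names, MACs, ports and link costs are constructed, and the second scenario shows what happens when a rogue switch announcing priority 0 is plugged into an access switch.

```python
# Added example for this page (not from the original or any vendor): the four
# STP steps above as code. Switch names, MACs, ports and costs are constructed.
import heapq
from typing import Dict, List, Tuple

Switches = Dict[str, Tuple[int, str]]                    # name -> (priority, mac) = Bridge ID
Links = List[Tuple[str, str, str, str, int]]              # (a, port_a, b, port_b, cost)


def spanning_tree(switches: Switches, links: Links) -> dict:
    # Step 1: root bridge = lowest Bridge ID (priority, then MAC).
    root = min(switches, key=lambda s: switches[s])

    adj: Dict[str, list] = {s: [] for s in switches}
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pa, pb, cost))
        adj[b].append((a, pb, pa, cost))

    # Step 2: cheapest path to the root (Dijkstra). Equal-cost ties are broken
    # the 802.1D way: lowest sender BID, then lowest sender port, then own port.
    heap = [(0, (0, ""), "", "", root)]
    best: Dict[str, Tuple[int, str]] = {}               # node -> (root path cost, root port)
    while heap:
        cost, _sender_bid, _sender_port, my_port, node = heapq.heappop(heap)
        if node in best:
            continue
        best[node] = (cost, my_port)
        for nbr, my_p, nbr_p, link_cost in adj[node]:
            if nbr not in best:
                heapq.heappush(heap, (cost + link_cost, switches[node], my_p, nbr_p, nbr))

    # Steps 3 and 4: one Designated port per link (the end closer to the root,
    # lower BID on a tie). The far end is a Root port if this link is its best
    # path to the root, otherwise Alternate (blocked).
    roles: Dict[Tuple[str, str], str] = {}
    for a, pa, b, pb, _ in links:
        a_key = (best[a][0], switches[a])
        b_key = (best[b][0], switches[b])
        desg, other, desg_port, other_port = (a, b, pa, pb) if a_key < b_key else (b, a, pb, pa)
        roles[(desg, desg_port)] = "Desg"
        roles[(other, other_port)] = "Root" if best[other][1] == other_port else "Altn"
    return {"root": root, "cost": {s: best[s][0] for s in switches}, "roles": roles}


TRIANGLE: Switches = {                                    # default priority 32768 everywhere
    "SW1": (32768, "0011.1111.1111"),
    "SW2": (32768, "0022.2222.2222"),
    "SW3": (32768, "0033.3333.3333"),
}
TRIANGLE_LINKS: Links = [                                 # cost 4 = classic STP cost for 1 Gb/s
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 4),
    ("SW1", "Gi0/2", "SW3", "Gi0/1", 4),
    ("SW2", "Gi0/2", "SW3", "Gi0/2", 4),
]


def rogue_root_takeover() -> dict:
    """A switch plugged into SW3 Gi0/3 announcing priority 0 becomes the root:
    SW1 and SW2 re-root through it, so their inter-switch traffic transits the rogue."""
    switches = dict(TRIANGLE, ROGUE=(0, "dead.beef.0000"))
    links = TRIANGLE_LINKS + [("SW3", "Gi0/3", "ROGUE", "Gi0/1", 4)]
    return spanning_tree(switches, links)
```

spanning_tree(TRIANGLE, TRIANGLE_LINKS) elects SW1 (lowest MAC at equal priority) and blocks SW3 Gi0/2, the same picture as the show spanning-tree output above. rogue_root_takeover() is the case BPDU Guard on access ports and Root Guard on non-root-facing uplinks exist for: with nothing stopping the BPDU, the rogue wins the election outright and the SW1 to SW2 link is the one that ends up blocked.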

8. Switch Port Types and Configuration

Access Port
  Description:    Carries traffic for exactly one VLAN. Frames are NOT tagged (untagged). The connected device is unaware of VLANs.
  Configuration:  switchport mode access
                  switchport access vlan [id]
  Use case:       PC, printer, IP phone, server connected to a specific VLAN

Trunk Port
  Description:    Carries traffic for multiple VLANs. Frames are 802.1Q tagged with the VLAN ID (except native VLAN frames).
  Configuration:  switchport mode trunk
                  switchport trunk allowed vlan [list]
  Use case:       Switch-to-switch links, switch-to-router (router-on-a-stick), switch-to-AP (multiple SSIDs as VLANs)

Routed Port (L3)
  Description:    Behaves like a router interface on an L3 switch. Has an IP address; does not do Layer 2 switching.
  Configuration:  no switchport
                  ip address [addr] [mask]
  Use case:       Uplink from a distribution L3 switch to a core router or firewall

SVI (Switched Virtual Interface)
  Description:    Virtual interface for a VLAN on an L3 switch. Acts as the default gateway for that VLAN.
  Configuration:  interface vlan [id]
                  ip address [addr] [mask]
  Use case:       Inter-VLAN routing gateway; VLAN management access

See Access & Trunk Ports for the complete port configuration guide.

9. Port Security

Port security restricts which MAC addresses can communicate through a switch port. It limits the maximum number of MACs and can lock a port to specific known MACs — preventing rogue device connections.

! Configure port security on an access port:
Switch(config)# interface GigabitEthernet0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security                   ! Enable port security
Switch(config-if)# switchport port-security maximum 1         ! Allow only 1 MAC
Switch(config-if)# switchport port-security violation shutdown ! Err-disable on violation
Switch(config-if)# switchport port-security mac-address sticky ! Auto-learn & lock MAC

! Violation modes:
! shutdown  -- err-disables port (default); manual recovery needed
! restrict  -- drops violating frames + syslog; port stays UP
! protect   -- drops violating frames silently; NO syslog

! Verify port security:
Switch# show port-security interface GigabitEthernet0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Sticky MAC Addresses       : 1
Security Violation Count   : 0

! Recover an err-disabled port:
Switch(config)# interface GigabitEthernet0/5
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

See Port Security Overview, Sticky MAC, Violation Modes, and Port Security & Sticky MAC Lab.
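
The violation modes above and the "replaced PC" situation from the quiz at the end of this page, as a port-security model written for this page (not from the original and not Cisco code). One port object tracks sticky-learned MACs, the err-disabled flag and the violation counter; the syslog strings are an approximation of the IOS messages, and the MAC addresses are constructed.

```python
# Added example for this page (not from the original or from Cisco): a model of
# one port-security port with sticky learning and the three violation modes,
# replayed over the "PC replaced" scenario. Syslog text approximates the IOS
# messages; the MACs are constructed.
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecurePort:
    name: str = "GigabitEthernet0/5"
    maximum: int = 1
    violation: str = "shutdown"                # shutdown | restrict | protect
    secure_macs: Set[str] = field(default_factory=set)   # sticky-learned MACs
    err_disabled: bool = False
    violation_count: int = 0
    syslog: List[str] = field(default_factory=list)

    def ingress(self, src_mac: str) -> str:
        """Handle one frame; returns 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)      # sticky: written to running-config
            return "forward"
        # A new source MAC beyond `maximum` is a violation.
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violation_count += 1
            self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}")
            return "err-disabled"
        if self.violation == "restrict":
            self.violation_count += 1
            self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: caused by MAC address {src_mac} on port {self.name}")
            return "drop"
        return "drop"                          # protect: silent, no counter, no log

    def bounce(self) -> None:
        """shutdown / no shutdown: clears err-disabled but keeps the sticky MACs."""
        self.err_disabled = False

    def clear_sticky(self, mac: str) -> None:
        """no switchport port-security mac-address sticky <mac>"""
        self.secure_macs.discard(mac)


def replaced_pc(violation: str) -> dict:
    """PC-A (learned sticky) is swapped for PC-B without touching the config."""
    mac_a, mac_b = "0011.aaaa.aaaa", "0022.bbbb.bbbb"
    port = SecurePort(violation=violation)
    first = port.ingress(mac_a)                # learned and forwarded
    second = port.ingress(mac_b)               # violation
    after_bounce_only = None
    if port.err_disabled:
        port.bounce()                          # "no shutdown" alone...
        after_bounce_only = port.ingress(mac_b)   # ...MAC A is still locked: violates again
    port.clear_sticky(mac_a)                   # remove the stale sticky entry first
    if port.err_disabled:
        port.bounce()                          # then bounce the port
    fixed = port.ingress(mac_b)
    return {"first": first, "second": second, "after_bounce_only": after_bounce_only,
            "after_fix": fixed, "violations": port.violation_count,
            "syslog_lines": len(port.syslog), "secure_macs": sorted(port.secure_macs)}


def mac_flood_blocked(n_fake: int = 200) -> int:
    """An attacker spraying fake source MACs cannot fill the CAM through a
    maximum-1 port: in restrict mode each extra MAC is dropped and counted."""
    port = SecurePort(violation="restrict")
    for i in range(n_fake):
        port.ingress(f"dead.beef.{i:04x}")
    return len(port.secure_macs)
```

replaced_pc("shutdown") reproduces the trap in the recovery procedure: bouncing the interface alone re-triggers the violation because the old sticky entry is still in the running-config, and the port only forwards PC-B after that entry is removed. The restrict and protect runs show the difference that matters for monitoring: restrict keeps the port up but counts and logs every violation, protect drops the same frames and tells nobody.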

10. Layer 2 Security Features

Port Security
  Prevents:      Rogue device connections; MAC flooding (CAM overflow) attacks
  How it works:  Limits MACs per port; a violation triggers an action (shutdown/restrict/protect)
  Key command:   switchport port-security

DHCP Snooping
  Prevents:      Rogue DHCP servers handing clients bogus addresses, gateways or DNS (spoofing); its per-port rate limit also blunts DHCP starvation
  How it works:  Ports are trusted (uplinks, real DHCP servers) or untrusted (end-device ports). DHCP Offer/Ack are accepted only from trusted ports. Builds a binding table (MAC-IP-port-VLAN).
  Key command:   ip dhcp snooping
                 ip dhcp snooping vlan [id]

Dynamic ARP Inspection (DAI)
  Prevents:      ARP spoofing / ARP poisoning (man-in-the-middle)
  How it works:  Validates ARP packets on untrusted ports against the DHCP snooping binding table (or ARP ACLs for static-IP hosts). Discards ARP whose MAC-IP pair is not in the table. Requires DHCP Snooping to be configured first.
  Key command:   ip arp inspection vlan [id]

802.1X Port Authentication
  Prevents:      Unauthenticated device access to the network
  How it works:  Port stays blocked until the device authenticates via RADIUS (EAP); only EAPOL frames pass before authentication succeeds. See AAA Authentication Methods.
  Key command:   dot1x system-auth-control

PortFast + BPDU Guard
  Prevents:      Rogue switch connected to an access port; STP topology changes triggered by end-device ports
  How it works:  PortFast skips the STP listening/learning states on access ports. BPDU Guard err-disables the port if any BPDU is received.
  Key command:   spanning-tree portfast
                 spanning-tree bpduguard enable

Storm Control
  Prevents:      Broadcast/multicast/unknown-unicast storms degrading the network
  How it works:  Monitors the traffic rate per port; drops traffic or shuts the port down when the threshold (% of bandwidth or pps) is exceeded
  Key command:   storm-control broadcast level [%]

DHCP Snooping and DAI Configuration

! ── DHCP Snooping ─────────────────────────────────────────────────────────
Switch(config)# ip dhcp snooping                 ! Global enable first
Switch(config)# ip dhcp snooping vlan 10,20,30   ! Then per VLAN

! Mark uplink/server ports as trusted. Offer/Ack arriving on an UNTRUSTED
! port are dropped, so forgetting this breaks DHCP for every client:
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# ip dhcp snooping trust

! All other (access) ports are untrusted by default; a per-port DHCP rate
! limit can be added with "ip dhcp snooping limit rate <pps>".
! Caveat: by default the switch inserts DHCP option 82 into client packets it
! forwards; if the upstream relay or server discards such packets, turn the
! insertion off with "no ip dhcp snooping information option".
! Verify:
Switch# show ip dhcp snooping
DHCP snooping is configured on the following VLANs: 10,20,30
Interface           Trusted   Rate limit (pps)
Gi0/24              yes       unlimited
Gi0/1               no        15

Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease    Type      VLAN  Interface
00:11:AA:BB:CC:01   192.168.10.50    86400    dhcp-sn   10    Gi0/1

! ── Dynamic ARP Inspection ────────────────────────────────────────────────
! Relies on the DHCP snooping binding table above. Hosts with static IPs have
! no binding and their ARP is dropped unless an ARP ACL permits them
! (arp access-list + ip arp inspection filter):
Switch(config)# ip arp inspection vlan 10,20,30
! Uplink ports must also be trusted for ARP inspection:
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# ip arp inspection trust

See DHCP Snooping, Dynamic ARP Inspection, and DHCP Snooping & DAI Lab.
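
The binding-table check that DAI performs, as an example written for this page (not from the original and not Cisco code). It feeds the binding row from the show ip dhcp snooping binding output above into an inspector, adds an ARP ACL entry for a static-IP host and a trusted uplink, and runs constructed ARP packets through it, including the spoofed-gateway reply that ARP poisoning relies on. The optional src-mac validation (ip arp inspection validate src-mac) is modelled as switched on; all addresses and port names are made up.

```python
# Added example for this page (not from the original or from Cisco): the DHCP
# snooping binding table feeding Dynamic ARP Inspection, run over constructed
# ARP packets on untrusted and trusted ports, with "validate src-mac" on and an
# ARP ACL for a static-IP host. MACs, IPs and port names are made up.
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class Binding:                     # one row of `show ip dhcp snooping binding`
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    eth_src: str                   # Ethernet source address
    sender_mac: str                # ARP sender hardware address (the claim being made)
    sender_ip: str                 # ARP sender protocol address (the claim being made)
    opcode: int


class ArpInspector:
    def __init__(self, bindings: Iterable[Binding], trusted_ports: Iterable[str],
                 arp_acl: Dict[Tuple[int, str], str], validate_src_mac: bool = True):
        self.bindings = {(b.vlan, b.ip, b.mac.lower()) for b in bindings}
        self.trusted: Set[str] = set(trusted_ports)
        self.arp_acl = {(v, ip): mac.lower() for (v, ip), mac in arp_acl.items()}  # static hosts
        self.validate_src_mac = validate_src_mac

    def inspect(self, pkt: ArpPacket) -> Tuple[str, str]:
        """Return ('permit' | 'deny', reason). Requests and replies are checked alike."""
        if pkt.ingress_port in self.trusted:
            return "permit", "trusted port, not inspected"
        if self.validate_src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return "deny", "src-mac check: Ethernet source != ARP sender MAC"
        acl_mac = self.arp_acl.get((pkt.vlan, pkt.sender_ip))
        if acl_mac is not None:                       # ARP ACL is consulted before the bindings
            if acl_mac == pkt.sender_mac.lower():
                return "permit", "ARP ACL"
            return "deny", "ARP ACL: IP is bound to a different MAC"
        if (pkt.vlan, pkt.sender_ip, pkt.sender_mac.lower()) in self.bindings:
            return "permit", "DHCP snooping binding"
        return "deny", "no DHCP snooping binding for sender IP/MAC"


def demo() -> Dict[str, str]:
    dai = ArpInspector(
        bindings=[Binding("00:11:aa:bb:cc:01", "192.168.10.50", 10, "Gi0/1")],
        trusted_ports={"Gi0/24"},
        arp_acl={(10, "192.168.10.200"): "00:33:cc:cc:cc:01"},   # static-IP server on Gi0/8
    )
    gw_mac, attacker = "00:aa:00:00:00:01", "00:66:66:66:66:66"
    packets = {
        "legit_client": ArpPacket("Gi0/1", 10, "00:11:aa:bb:cc:01", "00:11:aa:bb:cc:01", "192.168.10.50", ARP_REQUEST),
        "gateway_reply_on_uplink": ArpPacket("Gi0/24", 10, gw_mac, gw_mac, "192.168.10.1", ARP_REPLY),
        "spoofed_gateway": ArpPacket("Gi0/7", 10, attacker, attacker, "192.168.10.1", ARP_REPLY),
        "forged_eth_src": ArpPacket("Gi0/7", 10, gw_mac, attacker, "192.168.10.1", ARP_REPLY),
        "static_server": ArpPacket("Gi0/8", 10, "00:33:cc:cc:cc:01", "00:33:cc:cc:cc:01", "192.168.10.200", ARP_REQUEST),
        "static_ip_hijack": ArpPacket("Gi0/7", 10, attacker, attacker, "192.168.10.200", ARP_REPLY),
    }
    return {name: dai.inspect(pkt)[0] for name, pkt in packets.items()}
```

demo() permits the DHCP client and the static server, passes the real gateway's reply because it arrives on the trusted uplink, and denies both attacker replies claiming 192.168.10.1: there is simply no binding or ACL row pairing the gateway IP with the attacker's MAC. The uninspected trusted port is also the weak spot: a trusted port must face only infrastructure, since anything behind it can claim any IP. DAI additionally rate-limits ARP on untrusted ports (15 pps by default) and err-disables a port that exceeds it, which is not modelled here.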

11. EtherChannel (Link Aggregation)

EtherChannel bundles multiple physical links between two switches into one logical link, providing higher bandwidth and redundancy. If one physical link fails, traffic continues on the remaining links with no STP reconvergence.

  Without EtherChannel (two links between switches):
  SW1 Gi0/1 --- Gi0/1 SW2   (STP blocks one link -- only 1G effective)
  SW1 Gi0/2 --- Gi0/2 SW2   (blocked by STP)

  With EtherChannel (two links bundled):
  SW1 Gi0/1 ---|         |--- Gi0/1 SW2
  SW1 Gi0/2 ---| Port-Ch |--- Gi0/2 SW2   2G effective bandwidth
               |  (Po1)  |               both links active, load-balanced
! Configure LACP EtherChannel (recommended -- IEEE standard):
Switch(config)# interface range GigabitEthernet0/1 - 2
Switch(config-if-range)# channel-group 1 mode active    ! LACP active
Switch(config-if-range)# channel-protocol lacp

! Configure the Port-Channel interface:
Switch(config)# interface Port-channel1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30

! Alternative: PAgP (Cisco proprietary):
Switch(config-if-range)# channel-group 1 mode desirable ! PAgP

! Verify:
Switch# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        U - in use      S - Layer2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-------------------------------------------
1      Po1(SU)         LACP      Gi0/1(P)   Gi0/2(P)

See EtherChannel Load Balancing for hashing algorithms and load distribution details.

12. Switch Management

! ── Management VLAN and IP address ───────────────────────────────────────
Switch(config)# vlan 99
Switch(config-vlan)# name Management
Switch(config)# interface vlan 99
Switch(config-if)# ip address 10.0.0.10 255.255.255.0
Switch(config-if)# no shutdown
Switch(config)# ip default-gateway 10.0.0.1

! ── SSH access (secure -- replace Telnet) ──────────────────────────────
! Create the local account BEFORE the VTY lines are switched to "login local",
! or the next session is locked out of remote access.
Switch(config)# hostname SW-Core-01
Switch(config)# ip domain-name netstuts.com
Switch(config)# username admin privilege 15 secret AdminP@ss   ! use a strong, unique secret
Switch(config)# crypto key generate rsa modulus 2048
Switch(config)# ip ssh version 2
Switch(config)# line vty 0 15
Switch(config-line)# transport input ssh    ! SSH only; Telnet is rejected
Switch(config-line)# login local

! ── SNMP for monitoring ────────────────────────────────────────────────
! The community string is a password: never use the defaults public/private,
! grant read-only access unless write is genuinely required (rw allows full
! configuration changes over the network), and prefer SNMPv3 with
! authentication and privacy where the platform supports it.
Switch(config)# snmp-server community Mon1tor-R0 ro
Switch(config)# snmp-server host 10.0.0.100 version 2c Mon1tor-R0

! ── Console password ──────────────────────────────────────────────────
Switch(config)# line console 0
Switch(config-line)# password ConsoleP@ss
Switch(config-line)# login
Switch(config-line)# exec-timeout 5 0   ! Auto-logout after 5 minutes

See SSH Configuration for the full SSH setup guide, SNMP for monitoring configuration, and show running-config to verify the management configuration.

13. Switch Troubleshooting — Commands and Scenarios

PC cannot ping gateway (same VLAN)
  Likely cause:  Port not in the correct VLAN; port in the wrong mode (trunk instead of access)
  Diagnose:      show interfaces Gi0/x switchport
                 show vlan brief
  Fix:           Verify switchport access vlan [id]; confirm switchport mode access

VLANs not passing between switches
  Likely cause:  Trunk not configured; VLAN not in the allowed list; native VLAN mismatch
  Diagnose:      show interfaces trunk
  Fix:           Verify trunk mode on both ends; check the allowed VLAN list; align the native VLAN on both switches. See Layer 2 Troubleshooting Lab.

Broadcast storm / MAC flapping
  Likely cause:  Layer 2 loop: STP not blocking a redundant port; unmanaged switch connected without STP
  Diagnose:      show spanning-tree
                 show logging | include MACFLAP
  Fix:           Verify STP is running; check all ports for an unexpected FWD state; enable STP on any unmanaged connections

Port in err-disabled state
  Likely cause:  Port security violation; BPDU Guard triggered; link flap or UDLD-detected unidirectional link
  Diagnose:      show interfaces status err-disabled
                 show port-security interface Gi0/x
  Fix:           Investigate the cause; remove the offending device; shutdown then no shutdown; or configure errdisable recovery

DHCP not working on a VLAN
  Likely cause:  No DHCP server for the VLAN; DHCP Snooping blocking; missing ip helper-address on the L3 SVI
  Diagnose:      show ip dhcp snooping
                 show ip dhcp snooping binding
  Fix:           Check DHCP snooping trust on uplinks; add ip helper-address on the VLAN SVI if the DHCP server is on a different subnet

Essential Troubleshooting Commands

Switch# show mac address-table                ! CAM table entries and ports
Switch# show interfaces status                ! All ports: speed, duplex, VLAN, status
Switch# show interfaces GigabitEthernet0/1   ! Detailed counters: errors, CRC, drops
Switch# show vlan brief                       ! VLAN IDs, names, assigned ports
Switch# show interfaces trunk                 ! Trunk ports, allowed VLANs, native VLAN
Switch# show interfaces GigabitEthernet0/1 switchport  ! Port mode, VLAN assignment
Switch# show spanning-tree vlan 10            ! STP roles and states per VLAN
Switch# show port-security interface Gi0/1   ! Port security config and violations
Switch# show ip dhcp snooping binding         ! DHCP snooping binding table
Switch# show ip arp inspection vlan 10        ! DAI statistics
Switch# show etherchannel summary             ! EtherChannel port-channel status
Switch# show version                          ! IOS version, platform, uptime

See show interfaces, show vlan, show mac address-table, and ping for detailed command references. For complex layer 2 issues see Layer 2 Troubleshooting Lab.

14. Key Points & Exam Tips

  • Switches operate at Layer 2 (MAC addresses). Layer 3 switches also perform IP routing. Hubs are Layer 1 (no intelligence). Routers are Layer 3 (IP addresses).
  • MAC learning: Switch records source MAC + ingress port on every frame. Destination lookup: found = unicast forward; not found = flood (unknown unicast). Aging default = 300 seconds. See CAM Table.
  • Store-and-forward = full error checking, higher latency. Cut-through = lowest latency, no error checking. Default on modern Cisco switches = store-and-forward.
  • Access port = one VLAN, untagged frames, end devices. Trunk port = multiple VLANs, 802.1Q tagged, between switches or to routers/APs.
  • Native VLAN on trunk ports sends frames untagged. Both sides must match or traffic leaks between VLANs; an attacker whose access port is in the native VLAN can double-tag frames into another VLAN (VLAN hopping). Best practice: change from VLAN 1 to an unused VLAN on both ends, keep access ports out of it, and disable DTP on end-device ports.
  • Inter-VLAN routing: router-on-a-stick (router with sub-interfaces, single trunk) or L3 switch with SVIs and ip routing (faster, no external router needed).
  • STP prevents Layer 2 loops. Root Bridge = lowest BID. Root Port = best path to root. Designated Port = best for a segment. Blocked ports prevent loops. All root bridge ports = Designated. See Root Bridge Election.
  • Port security violation modes: shutdown (err-disables, logs), restrict (drops + logs, port UP), protect (drops silently, no log).
  • DHCP Snooping prevents rogue DHCP servers. Trusted ports (uplinks/servers) vs untrusted (access). Builds binding table used by DAI. DAI prevents ARP spoofing.
  • EtherChannel bundles links for bandwidth + redundancy. LACP (IEEE, mode active/passive) or PAgP (Cisco, mode desirable/auto). STP treats bundle as one port.
  • Management: use SSH (not Telnet) on VTY lines; configure a management VLAN SVI; monitor with SNMP. Verify with show running-config.

Related pages: CAM Table | Access & Trunk Ports | Root Bridge Election | STP Port Roles | Spanning Tree | PVST+ | show mac address-table | show vlan | show interfaces | EtherChannel | PortFast & BPDU Guard | Port Security | DHCP Snooping | Dynamic ARP Inspection | VLAN Configuration Lab | Inter-VLAN Routing Lab | Port Security Lab | DHCP Snooping & DAI Lab | Layer 2 Troubleshooting Lab

15. Network Switch Quiz

1. A network engineer connects three switches in a triangle (SW1-SW2, SW2-SW3, SW1-SW3), all links Gigabit. No configuration is applied. PC-A on SW1 sends a broadcast. What happens on the network, and what feature prevents this from becoming catastrophic?

Correct answer is C. A triangle topology with three interconnected switches and no loop prevention is a textbook broadcast storm scenario. When PC-A sends a broadcast (e.g., an ARP request), SW1 floods it out both links — toward SW2 and toward SW3. SW2 receives it and floods toward SW3. SW3 receives copies from both SW1 and SW2 and floods back toward SW1 from both directions. SW1 receives the looped copies and floods again. The frame multiplies exponentially — within seconds, all available bandwidth is consumed by looping broadcast frames. MAC tables flip rapidly as the same source MAC appears on different ports (MAC flapping). The network becomes completely unusable. Spanning Tree Protocol (STP) specifically solves this: it runs BPDUs between switches to elect a Root Bridge, calculate shortest paths, and then block one port in each loop. In the triangle, one port is placed in Blocking state, mathematically eliminating all loops while keeping the link available as a standby that activates on primary path failure. Storm control (option D) is a rate-limiting feature but does not eliminate loops — it just throttles storm traffic temporarily; the loop itself remains.

2. An administrator configures two access ports on SW-Floor1: Gi0/1 for PC-A assigned to VLAN 10 (Finance), and Gi0/2 for PC-B assigned to VLAN 20 (HR). Both PCs have IP addresses in 192.168.10.0/24. PC-A cannot ping PC-B. What is the correct explanation?

Correct answer is B. VLANs create logically isolated Layer 2 broadcast domains. Even though PC-A and PC-B are on the same physical switch, they are in different VLANs — VLAN 10 and VLAN 20. The switch does not forward frames between VLANs at Layer 2; frames in VLAN 10 stay in VLAN 10 and frames in VLAN 20 stay in VLAN 20. This is the purpose of VLANs: logical isolation. To communicate between VLANs, a router (router-on-a-stick) or a Layer 3 switch with SVIs and ip routing is required. The IP addressing is also wrong: PC-B in VLAN 20 should use an IP address in the VLAN 20 subnet (192.168.20.0/24), not the VLAN 10 subnet. Use ping and show vlan brief to verify.

3. A switch port on SW-Distribution is connected to an end-user PC. An administrator wants to block rogue switch connections on this port and ensure the PC's traffic starts forwarding immediately without waiting for STP convergence. Which two features should be enabled?

Correct answer is A. These two features are designed to work together on access ports: PortFast moves the port immediately from blocking to forwarding, bypassing the 30-second STP listening/learning delay — essential for end devices like PCs and IP phones that would time out waiting for a DHCP response during STP convergence. BPDU Guard complements PortFast: if any switch BPDU is received on the port, the port is immediately err-disabled. Since legitimate end devices never send BPDUs, any received BPDU indicates either a rogue switch or misconfiguration, and the err-disable response protects the STP topology. Root Guard (option B) is for uplinks toward other switches to prevent them from claiming the root bridge role. See PortFast & BPDU Guard.

4. A managed switch has store-and-forward switching enabled (default). What is the operational tradeoff compared to cut-through switching?

Correct answer is D. In store-and-forward, the switch receives the complete frame into its buffer, verifies the FCS (Frame Check Sequence/CRC), and only then forwards it. This means corrupted frames are detected and discarded, protecting downstream devices from errors. The cost is latency: the switch must wait for the entire frame to arrive. Cut-through begins forwarding as soon as it has read the destination MAC address (the first 6 bytes of the Ethernet header), so the decision is made after roughly the 14-byte header and latency no longer depends on frame size. However, it cannot perform FCS checking and may forward corrupted frames. Store-and-forward is the default on Cisco switches and is required when connecting ports of different speeds (e.g., 100 Mbps access to 1 Gbps uplink) because the entire frame must be buffered during speed adaptation.

5. DHCP Snooping is enabled on VLAN 10. A PC connects to Gi0/5 and cannot obtain an IP address from the legitimate DHCP server. The DHCP server is connected to the core router uplink on Gi0/24. What is the most likely cause?

Correct answer is C. DHCP Snooping operates on a trust model: by default, ALL ports are untrusted. On untrusted ports, only client-originated DHCP messages (Discover, Request) are allowed through; server-originated messages (Offer, ACK) are dropped. This prevents rogue DHCP servers on access ports. The problem: the uplink port Gi0/24 (carrying traffic from the legitimate DHCP server) is also untrusted by default. When the DHCP server sends an Offer or ACK in response to the PC's Discover, those packets arrive on Gi0/24, are identified as server responses, and are dropped. The PC never receives the Offer. Fix: mark all uplinks and ports facing legitimate DHCP servers as trusted with ip dhcp snooping trust.

6. An engineer configures EtherChannel between SW1 and SW2 using channel-group 1 mode active on both switches. The Port-Channel1 interface shows as down. What is the most likely cause?

Correct answer is B. LACP (IEEE 802.3ad) with mode active on both ends is perfectly valid — both sides actively negotiate the bundle. The most common reason an EtherChannel fails to form is a configuration mismatch between member ports. LACP requires that all ports in a channel group have identical settings: speed and duplex, switchport mode (access vs trunk), and the access VLAN (for access ports) or the allowed and native VLANs (for trunk ports). If Gi0/1 is configured as a trunk with native VLAN 1 and allowed VLANs 10,20 but Gi0/2 has a different native VLAN or different allowed VLANs, LACP will not bundle them. Check with show etherchannel summary and show interfaces Gi0/1 switchport.

7. A Layer 3 switch has three VLANs with SVIs configured and ip routing enabled. A PC in VLAN 10 (192.168.10.0/24) needs to reach a server in VLAN 20 (192.168.20.0/24). The PC's default gateway is 192.168.10.1 (the VLAN 10 SVI). Traffic still fails. What should be verified?

Correct answer is A. For Layer 3 switch inter-VLAN routing to work, two things must be true for each VLAN: (1) an SVI (interface vlan X) must exist and be up/up with an IP address in the VLAN's subnet; (2) devices in that VLAN must have their default gateway set to the SVI IP. The PC's gateway (192.168.10.1) is correct. But if the VLAN 20 SVI doesn't exist, or is in shutdown state, or the server has the wrong default gateway (or no default gateway), traffic from the L3 switch to the server will fail. Use ping from the L3 switch to verify both SVIs are reachable, and verify with show interfaces vlan 20.

8. An administrator enables port security on Gi0/5 with maximum 1 and violation shutdown. The PC that normally connects (MAC A) is replaced with a new PC (MAC B). The port goes err-disabled. After identifying the issue, what are the correct recovery steps?

Correct answer is D. The problem has two parts: (1) the port is err-disabled and must be recovered; (2) the sticky MAC entry for MAC A is still locked in the config — even after recovery, MAC B will trigger another violation if MAC A's entry isn't removed. The correct procedure: remove the old sticky entry with no switchport port-security mac-address sticky <MAC A> (or clear port-security sticky interface Gi0/5); then cycle the interface with shutdown / no shutdown to clear the err-disabled state; allow MAC B to connect and be learned; save with write memory. Simply running no shutdown (option A) doesn't work while the old MAC is still locked and the new device is still connected. See Sticky MAC and Violation Modes.

9. After enabling Dynamic ARP Inspection (DAI) on VLAN 10, hosts connected to access ports can communicate within VLAN 10, but no host can reach devices in other subnets (gateway, internet). What is wrong?

Correct answer is C. DAI (Dynamic ARP Inspection) validates ARP packets against the DHCP snooping binding table. Like DHCP Snooping, DAI has trusted and untrusted ports. Untrusted ports: ARP packets are validated — the MAC-IP binding in the ARP packet must match an entry in the DHCP snooping binding table. If no match: ARP packet is DROPPED. Trusted ports: ARP packets pass without inspection. The problem: the uplink port Gi0/24 is untrusted. ARP replies arriving from upstream routers, servers, or other subnets come in on Gi0/24. These devices got their IP addresses through means other than DHCP (static IPs, DHCP on other switches) so their bindings may not be in this switch's DHCP snooping table. DAI drops their ARP replies as "invalid." Hosts on the switch send ARP requests but never receive replies → no ARP resolution → no connectivity. Fix: mark all uplinks and ports facing statically-addressed devices as DAI-trusted: ip arp inspection trust. Also: for statically-addressed devices on access ports, use ARP ACLs to create manual bindings that DAI validates against.
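The fixes for questions 5 and 9 together, as an added configuration example (not taken from the page or from any vendor document): DHCP Snooping and DAI enabled on VLAN 10, the uplink Gi0/24 trusted for both features, the access port Gi0/5 left untrusted, and an ARP ACL supplying a manual binding for a statically addressed host. The host address 192.168.10.50 and MAC 0011.2233.4455 are constructed sample values; the port and VLAN numbers are the ones used in the questions.

```cisco
! Enable DHCP Snooping globally and scope it to VLAN 10
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Uplink toward the core router / DHCP server: trusted for both features,
! so server-originated Offer/ACK and ARP replies from upstream are not dropped
interface GigabitEthernet0/24
 description Uplink to core router (DHCP server behind it)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Client access port stays untrusted (the default); rate-limit DHCP so a
! misbehaving client cannot flood the snooping process
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! DAI on VLAN 10 validates ARP on untrusted ports against the snooping binding table
ip arp inspection vlan 10
!
! A statically addressed host on an access port has no DHCP binding, so DAI would
! drop its ARP; an ARP ACL gives DAI a manual binding to validate against
! (IP and MAC below are constructed sample values)
arp access-list STATIC-HOSTS
 permit ip host 192.168.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Verification: trust state per port, learned bindings, and DAI drop counters
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection interfaces
show ip arp inspection vlan 10
```

If hosts in VLAN 10 still lose gateway reachability after this, show ip arp inspection vlan 10 shows the drop counters climbing, which points at a remaining untrusted port that carries replies from non-DHCP devices.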

10. A Catalyst 2960 (Layer 2 only) switch has VLAN 10 with PCs and VLAN 20 with servers. The PCs need to access servers in VLAN 20. The network has a Cisco ISR router connected to the switch. No Layer 3 switch is available. What is the correct solution?

Correct answer is B. This is the classic router-on-a-stick scenario — the correct inter-VLAN routing solution when only a Layer 2 switch and a router are available. Configuration steps: (1) On the 2960 switch, configure Gi0/24 (connecting to the router) as a trunk port: switchport mode trunk, allowing VLANs 10 and 20. (2) On the ISR router, configure one physical interface (e.g., Gi0/0) with two sub-interfaces: interface Gi0/0.10 → encapsulation dot1Q 10 → ip address 192.168.10.1/24, and interface Gi0/0.20 → encapsulation dot1Q 20 → ip address 192.168.20.1/24. (3) Configure VLAN 10 PCs with default gateway 192.168.10.1 and VLAN 20 servers with default gateway 192.168.20.1. When a PC in VLAN 10 needs to reach a server in VLAN 20, its frame travels up the trunk tagged as VLAN 10, arrives at the router's Gi0/0.10 sub-interface, the router routes the packet to the VLAN 20 subnet, and sends it back down the trunk tagged as VLAN 20 to the server. The 2960 does support SVI interfaces (option D) but only for management purposes — it cannot route between VLANs because it lacks IP routing hardware. ip routing is not available on Layer 2-only switches. See Inter-VLAN Routing Lab.
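Both sides of the router-on-a-stick setup from question 10, as an added configuration example (not taken from the page or from a vendor document). It assumes the switch's Gi0/24 connects to the router's Gi0/0, and uses the VLAN numbers and subnets from the question; the VLAN names are constructed.

```cisco
! --- Catalyst 2960 (Layer 2 only) ---
vlan 10
 name PCS
vlan 20
 name SERVERS
!
! Trunk toward the router; the 2960 only supports 802.1Q, so no encapsulation
! command is needed. Prune the trunk to the two VLANs that must be routed.
interface GigabitEthernet0/24
 description Trunk to ISR Gi0/0
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! --- ISR router ---
! Physical interface carries no IP address; it only needs to be up
interface GigabitEthernet0/0
 no ip address
 no shutdown
!
! One sub-interface per VLAN; the dot1Q tag must match the VLAN ID on the trunk
! and the address becomes that VLAN's default gateway
interface GigabitEthernet0/0.10
 description VLAN 10 - PCs
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 description VLAN 20 - servers
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
! Verification
show interfaces trunk          ! switch: Gi0/24 trunking, VLANs 10,20 allowed and active
show ip interface brief        ! router: both sub-interfaces up/up with their addresses
show ip route                  ! router: connected routes for 192.168.10.0/24 and 192.168.20.0/24
```

Neither sub-interface is marked native, so untagged frames arriving on Gi0/0 are not routed; if the native VLAN on the trunk must be routed, that one sub-interface needs encapsulation dot1Q <id> native.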
