Switching Concepts You Must Master (CCNA / CCNP)
Table of Contents
- VLANs — Virtual Local Area Networks
- Trunking — 802.1Q & VTP
- Spanning Tree Protocol (STP / RSTP / MSTP)
- STP Tuning & Protection Features
- EtherChannel — PAgP & LACP
- Inter-VLAN Routing — Router-on-a-Stick & Layer 3 Switch
- Port Security & DHCP Snooping
- Switch Stacking & VSS / StackWise
- CAM Table, ARP, & MAC Address Learning
- Exam Tips & Quick-Reference
Switching is the foundation of every enterprise network. Without a solid understanding of how Layer 2 works — how frames are forwarded, how loops are prevented, how VLANs segment traffic, and how redundancy is achieved without packet storms — you cannot design, troubleshoot, or operate any real-world network. Both the CCNA (200-301) and CCNP ENCOR (350-401) exams test switching deeply, and it regularly appears in interview questions and day-to-day network operations.
This guide covers every switching concept you need to master — with plain-English explanations, architecture context, and production-ready Cisco IOS commands for each topic.
1. VLANs — Virtual Local Area Networks
A VLAN (Virtual LAN) is a logical grouping of switch ports into separate broadcast domains, regardless of physical location. Without VLANs, every device on a switch receives every broadcast — a disaster at scale. VLANs solve this by dividing the switch into multiple isolated Layer 2 networks, each with its own broadcast domain.
Access Port
Belongs to exactly one VLAN. Sends and expects untagged frames to and from end devices (PCs, printers, servers). The switch associates every frame received on the port with that VLAN internally; no 802.1Q tag ever reaches the endpoint.
Trunk Port
Carries frames from multiple VLANs simultaneously using 802.1Q tags. Used between switches, between a switch and a router, or to a server with a VLAN-aware NIC.
Native VLAN
The VLAN whose frames cross a trunk untagged. Default is VLAN 1. Must match on both ends of a trunk: if one side uses native VLAN 1 and the other native VLAN 99, an untagged frame that left VLAN 1 on the first switch is classified into VLAN 99 on the second, so traffic crosses a VLAN boundary without any routing. CDP reports the mismatch, but the frames are misdelivered either way. Use an otherwise unused VLAN as the native VLAN on every trunk and never place user ports in it.
Voice VLAN
Allows a single access port to carry both data and VoIP traffic. The IP phone receives a tagged VLAN for voice; the PC behind the phone uses the untagged data VLAN.
Essential VLAN Commands
! Create VLANs
Switch(config)# vlan 100
Switch(config-vlan)# name SALES
Switch(config)# vlan 110
Switch(config-vlan)# name ENGINEERING
! Configure access port
Switch(config)# interface Gi0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 100
! Configure trunk port
Switch(config)# interface Gi0/24
! 'encapsulation dot1q' is only accepted on platforms that also support ISL;
! on ISL-less switches (2960, 9000 series) the command does not exist and can be omitted
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
! Only the VLANs that need this link. Native VLAN 99 is deliberately NOT in the list,
! so untagged frames that arrive on the trunk are dropped instead of being forwarded
Switch(config-if)# switchport trunk allowed vlan 100,110
Switch(config-if)# switchport trunk native vlan 99
! Verify (check the native VLAN and allowed list on BOTH ends)
Switch# show vlan brief
Switch# show interfaces trunk
2. Trunking — 802.1Q & VTP
802.1Q is the IEEE standard for VLAN tagging on trunk links. It inserts a 4-byte tag into the Ethernet frame immediately after the source MAC address: a 2-byte Tag Protocol Identifier (0x8100) followed by a 2-byte Tag Control Information field holding a 3-bit Priority Code Point (PCP) for QoS marking, a 1-bit Drop Eligible Indicator, and a 12-bit VLAN ID. The 12 bits give 4096 values, of which 0 and 4095 are reserved, leaving VLANs 1–4094. A frame can carry more than one tag (Q-in-Q), and a switch only ever looks at the outermost one.
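The tag layout above, and the native VLAN mismatch described in section 1, are easiest to see with bytes in hand. The following is an added example, not code from the original page: a small Python model of how a trunk port tags and classifies frames. The port behaviours are assumptions stated in the comments (in particular, that an access port accepts a frame tagged with its own access VLAN and strips that tag, which is what the double-tagging trick relies on), and all frames are constructed inline.

```python
"""Added example (not from the page): building, parsing and classifying 802.1Q frames."""
import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """4-byte tag: TPID 0x8100, then TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7:
        raise ValueError("VID must be 0-4095 and PCP 0-7")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag right after the 12-byte dst/src MAC header (what a trunk does on egress)."""
    return frame[:12] + build_tag(vid, pcp) + frame[12:]


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, the stacked tags (outermost first) and the payload EtherType."""
    off, tags = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "tags": tags,
            "ethertype": struct.unpack("!H", frame[off:off + 2])[0]}


def trunk_ingress(frame: bytes, native_vlan: int, allowed: set) -> tuple:
    """Frame arriving on a trunk: untagged -> native VLAN; tagged -> outermost VID (tag removed).
    Returns (vlan, frame) or (None, None) when the VLAN is not allowed on the trunk."""
    info = parse_frame(frame)
    if info["tags"]:
        vid, inner = info["tags"][0]["vid"], strip_outer_tag(frame)
    else:
        vid, inner = native_vlan, frame
    return (vid, inner) if vid in allowed else (None, None)


def trunk_egress(frame: bytes, vlan: int, native_vlan: int) -> bytes:
    """Native-VLAN frames leave untagged; every other VLAN is tagged."""
    return frame if vlan == native_vlan else tag_frame(frame, vlan)


def access_ingress(frame: bytes, access_vlan: int) -> tuple:
    """Access port (assumed behaviour): untagged frames belong to the access VLAN; a frame tagged
    with the port's own VLAN is accepted and has that tag removed; any other tag is dropped."""
    info = parse_frame(frame)
    if not info["tags"]:
        return access_vlan, frame
    if info["tags"][0]["vid"] == access_vlan:
        return access_vlan, strip_outer_tag(frame)
    return None, None


# Constructed broadcast frame from host 00:11:22:33:44:55 with a dummy IPv4 payload
RAW = mac("ff:ff:ff:ff:ff:ff") + mac("00:11:22:33:44:55") + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" * 20


def native_mismatch_demo() -> int:
    """Switch A (native 1) sends a VLAN 1 frame untagged; switch B (native 99) files it under VLAN 99."""
    on_wire = trunk_egress(RAW, vlan=1, native_vlan=1)
    vlan_at_b, _ = trunk_ingress(on_wire, native_vlan=99, allowed={1, 99, 100, 110})
    return vlan_at_b


def double_tag_demo() -> int:
    """Host on a VLAN 1 access port, trunk native VLAN also 1: switch A consumes the outer tag,
    the frame crosses the trunk untagged, and switch B reads the inner tag (VLAN 110)."""
    crafted = tag_frame(tag_frame(RAW, 110), 1)
    vlan_a, frame = access_ingress(crafted, access_vlan=1)
    on_wire = trunk_egress(frame, vlan_a, native_vlan=1)
    vlan_at_b, _ = trunk_ingress(on_wire, native_vlan=1, allowed={1, 100, 110})
    return vlan_at_b


def hardened_double_tag_demo() -> int:
    """Same crafted frame, but the trunk's native VLAN is an unused VLAN 99: the frame leaves
    tagged as VLAN 1 and switch B keeps it in VLAN 1."""
    crafted = tag_frame(tag_frame(RAW, 110), 1)
    vlan_a, frame = access_ingress(crafted, access_vlan=1)
    on_wire = trunk_egress(frame, vlan_a, native_vlan=99)
    vlan_at_b, _ = trunk_ingress(on_wire, native_vlan=99, allowed={1, 100, 110})
    return vlan_at_b
```

The three demo functions return the VLAN the frame ends up in on the far switch. The hardened case is exactly what the configuration in section 1 does (native VLAN 99, no user ports in it); tagging the native VLAN as well (vlan dot1q tag native on Cisco) closes the same hole from the other direction.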
VTP — VLAN Trunking Protocol
VTP is a Cisco proprietary protocol that propagates VLAN database changes from a VTP Server to all VTP Clients in the same VTP domain, reducing the manual effort of VLAN provisioning across large campus networks. It is carried only over trunk links. VTP is a double-edged sword: any server or client in the domain accepts a VLAN database whose configuration revision number is higher than its own, so a misconfigured switch with a higher revision can instantly overwrite the VLAN database on every switch in the domain. A VTP domain password (an MD5 digest in the advertisement) stops a switch that merely learned the domain name from being accepted.
| VTP Mode | Creates VLANs? | Forwards Ads? | Saves to NVRAM? |
|---|---|---|---|
| Server | ✔ Yes | ✔ Yes | ✔ Yes |
| Client | ✘ No | ✔ Yes | ✘ No (VTPv1/v2) |
| Transparent | ✔ Yes (local only) | ▶ Forwards only | ✔ Yes |
| Off (VTPv3) | ✔ Yes (local only) | ✘ No | ✔ Yes |
⚠ VTP Danger Zone: Always set access-layer switches to VTP Transparent or Off mode in production, and configure a VTP domain password. Never add a switch with an unknown VTP revision number to a live network without first resetting its revision to 0: changing the domain name and changing it back, or putting the switch into Transparent mode, resets the counter. VTPv3 reduces the risk further because only the explicitly promoted primary server may change the database; a secondary server that was never promoted cannot overwrite anything.
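To make the revision-number rule concrete, here is an added example (not the page's code and not Cisco's implementation) that models only the part of VTP v1/v2 that matters for the danger zone above: domain name match and "higher revision wins". The password digest, pruning and the forwarding done by transparent switches are left out, and the switch names and VLANs are constructed.

```python
"""Added example (not from the page): a toy model of VTP v1/v2 revision-number handling."""
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str                                   # "server", "client", "transparent" or "off"
    revision: int = 0
    vlans: dict = field(default_factory=dict)   # VLAN ID -> name

    def summary_advert(self) -> dict:
        """What a server or client sends on its trunks: domain, revision and the VLAN database."""
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, advert: dict) -> str:
        """VTP v1/v2 rule: a server or client in the same domain replaces its whole VLAN
        database whenever the advertised revision is higher than its own. Nothing else is
        checked, which is why a stale lab switch can wipe a production domain."""
        if self.mode in ("transparent", "off"):
            return "ignored (keeps local database)"
        if advert["domain"] != self.domain:
            return "ignored (different domain)"
        if advert["revision"] <= self.revision:
            return "ignored (not newer)"
        self.vlans = dict(advert["vlans"])
        self.revision = advert["revision"]
        return "overwritten"

    def add_vlan(self, vid: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError("VTP clients cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1                  # every server-side change bumps the revision

    def reset_revision(self) -> None:
        """Model of 'vtp domain <other>' then 'vtp domain <original>' (or a switch to
        transparent mode): the configuration revision goes back to 0."""
        self.revision = 0


PROD_VLANS = {1: "default", 100: "SALES", 110: "ENGINEERING"}   # constructed production database


def takeover_demo() -> dict:
    """A lab switch carrying the production domain name, revision 30 and only VLAN 1 is
    cabled into a domain whose switches sit at revision 12."""
    core = VtpSwitch("core", "CORP", "server", 12, dict(PROD_VLANS))
    access = VtpSwitch("access", "CORP", "client", 12, dict(PROD_VLANS))
    edge = VtpSwitch("edge", "CORP", "transparent", 12, dict(PROD_VLANS))
    lab = VtpSwitch("lab", "CORP", "server", 30, {1: "default"})
    verdicts = {sw.name: sw.receive(lab.summary_advert()) for sw in (core, access, edge)}
    return {"verdicts": verdicts, "core_vlans": sorted(core.vlans), "edge_vlans": sorted(edge.vlans)}


def safe_join_demo() -> dict:
    """Same lab switch, revision reset before it is connected: it learns the production
    database instead of overwriting it."""
    core = VtpSwitch("core", "CORP", "server", 12, dict(PROD_VLANS))
    lab = VtpSwitch("lab", "CORP", "server", 30, {1: "default"})
    lab.reset_revision()
    core_verdict = core.receive(lab.summary_advert())
    lab_verdict = lab.receive(core.summary_advert())
    return {"core": core_verdict, "lab": lab_verdict,
            "lab_vlans": sorted(lab.vlans), "lab_revision": lab.revision}
```

In takeover_demo the server and the client both lose VLANs 100 and 110 in one advertisement, while the transparent switch keeps its database, which is the reason for the Transparent/Off advice above.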
3. Spanning Tree Protocol (STP / RSTP / MSTP)
Spanning Tree Protocol (STP, IEEE 802.1D) prevents Layer 2 loops in networks with redundant switch paths. Ethernet frames carry no TTL, so without STP a single broadcast frame would circulate endlessly between switches, saturating links and burying every host in duplicate traffic within seconds (a broadcast storm). STP creates a loop-free logical topology by selectively blocking redundant ports while keeping at least one active path between every pair of switches.
STP Election Process — 4 Steps
- Step 1: Elect the Root Bridge: the switch with the lowest Bridge ID (priority first, then MAC address). Every switch starts by claiming to be root; a superior BPDU wins.
- Step 2: Each non-root switch elects one Root Port: the port with the lowest root path cost (cost is added on the port that receives the BPDU). Ties are broken by lowest sender Bridge ID, then lowest sender port priority, then lowest sender port number.
- Step 3: Each segment elects one Designated Port: the port on the switch with the lowest root path cost to that segment (tie: lowest Bridge ID). Every port on the Root Bridge is Designated.
- Step 4: Every remaining port is Non-Designated and goes to Blocking, which removes the loops.
STP Port States & Timers
| State | Forwards Data? | Learns MACs? | Duration (802.1D) |
|---|---|---|---|
| Blocking | No | No | Up to 20 sec (Max Age) |
| Listening | No | No | 15 sec (Forward Delay) |
| Learning | No | Yes | 15 sec (Forward Delay) |
| Forwarding | Yes | Yes | Indefinite |
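The four election steps are mechanical enough to code, and doing so shows why a single low-priority switch on an edge port can take over the whole tree. The following is an added example, not code from the original page: it runs the election on a constructed four-switch topology using the 802.1D short-method port costs. It assumes both ends of a link run at the same speed (so the cost is symmetric) and ignores timers and convergence.

```python
"""Added example (not from the page): 802.1D election on a small constructed topology."""
import heapq

# 802.1D short-method port costs (the same numbers as the quick-reference table at the end)
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Constructed lab: name -> (priority, MAC). Bridge ID compares priority first, then MAC.
SWITCHES = {
    "Core1": (24576, "0000.0000.0001"),
    "Core2": (28672, "0000.0000.0002"),
    "Access1": (32768, "0000.0000.0003"),
    "Access2": (32768, "0000.0000.0004"),
}
# (switch, port, switch, port, speed in Mb/s); both ends assumed to run at the same speed
LINKS = [
    ("Core1", "Gi0/1", "Core2", "Gi0/1", 10000),
    ("Core1", "Gi0/2", "Access1", "Gi0/24", 1000),
    ("Core2", "Gi0/2", "Access1", "Gi0/23", 1000),
    ("Core2", "Gi0/3", "Access2", "Gi0/24", 1000),
    ("Access1", "Gi0/1", "Access2", "Gi0/1", 1000),
]


def elect(switches: dict, links: list) -> dict:
    """Run the four election steps; return root, root path costs and a role per port."""
    # Step 1: lowest Bridge ID (priority, then MAC) is the Root Bridge.
    root = min(switches, key=lambda s: switches[s])
    adj = {s: [] for s in switches}
    for a, pa, b, pb, speed in links:
        adj[a].append((b, pa, pb, PORT_COST[speed]))
        adj[b].append((a, pb, pa, PORT_COST[speed]))
    # Step 2: each non-root switch takes the port with the lowest root path cost.
    # Ties: lowest sender Bridge ID, then lowest sender port ID (Dijkstra keyed the same way).
    rpc = {root: 0}     # switch -> root path cost
    rp = {}             # switch -> (own root port, upstream switch, upstream port)
    heap, seen = [(0, switches[root], "", root)], set()
    while heap:
        cost, _, _, sw = heapq.heappop(heap)
        if sw in seen:
            continue
        seen.add(sw)
        for nb, my_port, nb_port, c in adj[sw]:
            if nb == root:
                continue
            cand = (cost + c, switches[sw], my_port)
            cur = rp.get(nb)
            if cur is None or cand < (rpc[nb], switches[cur[1]], cur[2]):
                rpc[nb] = cost + c
                rp[nb] = (nb_port, sw, my_port)
                heapq.heappush(heap, (cost + c, switches[sw], my_port, nb))
    # Step 3: on each segment the end with the lower (root path cost, Bridge ID) is Designated.
    # Step 4: a port that is neither Root Port nor Designated blocks.
    roles = {}
    for a, pa, b, pb, _ in links:
        designated = (a, pa) if (rpc[a], switches[a]) < (rpc[b], switches[b]) else (b, pb)
        for sw, port in ((a, pa), (b, pb)):
            if sw != root and rp[sw][0] == port:
                roles[(sw, port)] = "root"
            elif (sw, port) == designated:
                roles[(sw, port)] = "designated"
            else:
                roles[(sw, port)] = "blocking"
    return {"root": root, "root_path_cost": rpc, "roles": roles}


def rogue_root_demo() -> str:
    """A priority-0 switch plugged into an Access1 edge port wins the election outright,
    which is the scenario Root Guard and BPDU Guard exist to prevent."""
    with_rogue = dict(SWITCHES, Rogue=(0, "0000.0000.00ff"))
    return elect(with_rogue, LINKS + [("Access1", "Gi0/5", "Rogue", "Gi0/1", 1000)])["root"]


if __name__ == "__main__":
    result = elect(SWITCHES, LINKS)
    print("Root bridge:", result["root"])
    for (sw, port), role in sorted(result["roles"].items()):
        print(f"{sw:8} {port:7} cost={result['root_path_cost'][sw]:<3} {role}")
    print("Root with a priority-0 rogue attached to Access1:", rogue_root_demo())
```

With the constructed topology Core1 is root, Access1 blocks its link to Core2 (Gi0/23), and Access2 blocks its cross-link to Access1; adding the rogue switch moves the root to the access layer and every path in the building changes, which is why section 4 pairs access ports with BPDU Guard and distribution downlinks with Root Guard.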
RSTP (802.1w) — Rapid Spanning Tree
RSTP replaces the 30–50 second convergence of 802.1D with sub-second convergence by introducing a negotiation mechanism (Proposal/Agreement) between adjacent switches on point-to-point links. RSTP merges the 802.1D Disabled, Blocking, and Listening states into a single Discarding state (Learning and Forwarding remain) and adds two port roles: Alternate (a backup Root Port) and Backup (a backup Designated Port on the same segment). RSTP is backward-compatible with 802.1D: a port that receives legacy BPDUs falls back to 802.1D behaviour on that link. Recent Catalyst platforms run Rapid-PVST+ by default; older models default to PVST+, so confirm the mode with show spanning-tree summary.
STP Configuration Commands
! Make this switch Root Bridge for VLAN 10: sets priority to 24576, or to 4096 below the
! current root's priority if that root is already lower (root secondary uses 28672)
Switch(config)# spanning-tree vlan 10 root primary
! Or set priority manually
Switch(config)# spanning-tree vlan 10 priority 4096
! Enable RSTP (Rapid-PVST+ on Cisco)
Switch(config)# spanning-tree mode rapid-pvst
! Adjust port cost and priority
Switch(config-if)# spanning-tree vlan 10 cost 4
Switch(config-if)# spanning-tree vlan 10 port-priority 64
! Verify
Switch# show spanning-tree vlan 10
Switch# show spanning-tree summary
4. STP Tuning & Protection Features
Raw STP gets loops under control, but production networks require additional features to make STP fast, stable, and secure against misconfigurations or attacks.
✌ PortFast
Skips Listening and Learning: the port goes directly to Forwarding, so a host gets link immediately instead of waiting 30 seconds. Only enable it on access ports connected to end devices, never on switch-to-switch links. The global form (spanning-tree portfast default) applies it to every non-trunk port.
spanning-tree portfast
BPDU Guard
Places a PortFast port into err-disabled state if a BPDU is received, preventing a rogue switch (or a host sending crafted BPDUs) from joining the topology and potentially becoming Root Bridge. Enable it on every PortFast port at once with spanning-tree portfast bpduguard default, and decide deliberately whether errdisable recovery cause bpduguard should bring such ports back automatically.
spanning-tree bpduguard enable
BPDU Filter
Stops sending and receiving BPDUs on a port, which quietly removes the port from STP. Enabled globally (spanning-tree portfast bpdufilter default) it affects only PortFast ports: they send a handful of BPDUs at link-up and then stop, and if a BPDU ever arrives the port loses PortFast and filtering and falls back to normal STP. Enabled on an interface it suppresses BPDUs unconditionally and also defeats BPDU Guard on that port. Use carefully: filtering BPDUs on an inter-switch link creates loops. Prefer BPDU Guard on access ports.
spanning-tree bpdufilter enable
☠ Root Guard
Prevents an unexpected switch from becoming Root Bridge. If a superior BPDU is received on a Root Guard port, that port is placed in root-inconsistent state and blocked.
spanning-tree guard root
Loop Guard
Protects against unidirectional link failures. If BPDUs stop arriving on a Root or Alternate port (a port that should be receiving BPDUs, not originating them), Loop Guard puts it in loop-inconsistent state instead of letting it transition to Forwarding and open a loop. Loop Guard is for Root/Alternate ports and Root Guard for Designated ports; the two cannot be enabled on the same port.
spanning-tree guard loop
⚡ UplinkFast / BackboneFast
UplinkFast provides fast failover when a Root Port fails (legacy 802.1D only). BackboneFast speeds recovery from indirect failures. Both are built into RSTP natively — no separate configuration needed on modern switches.
spanning-tree uplinkfast (legacy only)
5. EtherChannel — PAgP & LACP
EtherChannel bundles multiple physical Ethernet links into a single logical interface, providing both bandwidth aggregation and link redundancy. STP sees the EtherChannel as one interface — eliminating the blocking that would otherwise occur on redundant links between the same two switches.
PAgP — Port Aggregation Protocol
Cisco proprietary. Modes: Auto (passive, waits for the other side) and Desirable (active, initiates). Both sides cannot be Auto; at least one must be Desirable. Mode on disables negotiation entirely and must be set on both ends, with no protection against miscabling.
LACP — Link Aggregation Control Protocol
IEEE standard, originally 802.3ad and now maintained as 802.1AX. Modes: Passive (waits) and Active (initiates). Preferred over PAgP for multi-vendor environments. Both sides cannot be Passive; Active on both ends is the usual choice. PAgP and LACP do not interoperate, so a PAgP end and an LACP end never bundle.
EtherChannel Configuration (LACP)
! Layer 2 EtherChannel using LACP
Switch(config)# interface range Gi0/1-2
Switch(config-if-range)# switchport mode trunk
Switch(config-if-range)# switchport trunk allowed vlan 100,110
Switch(config-if-range)# channel-group 1 mode active
Switch(config-if-range)# exit
Switch(config)# interface port-channel 1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 100,110
! Layer 3 EtherChannel (routed)
Switch(config)# interface range Gi0/3-4
Switch(config-if-range)# no switchport
Switch(config-if-range)# channel-group 2 mode active
Switch(config)# interface port-channel 2
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.1.1.1 255.255.255.0
! Verify
Switch# show etherchannel summary
Switch# show etherchannel port-channel
⚠ Common EtherChannel Failure: All member interfaces must have identical configuration: same speed, duplex, allowed VLAN list, native VLAN, trunk/access mode and, for a routed bundle, no switchport on every member. A mismatch either keeps the EtherChannel from forming or leaves the odd port suspended. In show etherchannel summary, P means bundled in the port-channel, I stand-alone (no protocol agreement with the peer), s suspended, and D down; a healthy bundle shows SU on the port-channel and P on every member. Remember that the load-balancing hash pins each flow to one member link, so a 2×1G bundle never gives a single flow more than 1 Gbps.
6. Inter-VLAN Routing — Router-on-a-Stick & Layer 3 Switch
VLANs are isolated broadcast domains — devices in different VLANs cannot communicate without a Layer 3 device performing routing. Two approaches are commonly deployed:
Method 1 — Router-on-a-Stick (ROAS)
A single physical router interface is divided into multiple sub-interfaces, each assigned a VLAN tag and acting as the default gateway for that VLAN. A trunk link carries all VLAN traffic between the router and switch. Cost-effective for small deployments but creates a bandwidth bottleneck at the single uplink.
! Router sub-interface configuration
Router(config)# interface Gi0/0.100
Router(config-subif)# encapsulation dot1q 100
Router(config-subif)# ip address 192.168.100.1 255.255.255.0
Router(config)# interface Gi0/0.110
Router(config-subif)# encapsulation dot1q 110
Router(config-subif)# ip address 192.168.110.1 255.255.255.0
! Enable the physical interface
Router(config)# interface Gi0/0
Router(config-if)# no shutdown
Method 2 — Layer 3 Switch (SVI)
A multilayer switch creates Switched Virtual Interfaces (SVIs) — one per VLAN — acting as the Layer 3 gateway. Routing happens in hardware using the switch's FIB (Forwarding Information Base), delivering wire-speed inter-VLAN routing with far higher throughput than ROAS. This is the preferred method in campus and data center designs.
! Enable IP routing on Layer 3 switch
Switch(config)# ip routing
! Create SVIs for each VLAN
Switch(config)# interface vlan 100
Switch(config-if)# ip address 192.168.100.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config)# interface vlan 110
Switch(config-if)# ip address 192.168.110.1 255.255.255.0
Switch(config-if)# no shutdown
! Routed uplink to WAN/core router
Switch(config)# interface Gi0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.0.0.2 255.255.255.252
! Add default route
Switch(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.1
7. Port Security & DHCP Snooping
Port Security
Port Security limits which source MAC addresses may send frames into an access port, so an unauthorized device (or an unmanaged switch or hub hung off the port) cannot simply join the network. Addresses can be configured statically, learned dynamically, or learned "sticky" (dynamically learned, then written into the running configuration). Three violation modes control what happens when a MAC beyond the allowed set appears:
- Shutdown (default): Port is placed into err-disabled state, a syslog message and SNMP trap are generated, and the violation counter increments. The most secure option; recovery needs shutdown / no shutdown or an errdisable recovery timer.
- Restrict: Drops frames from unauthorized MACs, logs, sends a trap, and increments the violation counter; the port stays up.
- Protect: Silently drops frames from unauthorized MACs; no logging, no counter, so nobody learns that an attack is under way.
Port Security matches only on the source MAC, which any host can forge, so treat it as protection against accidents and CAM-table flooding, not as device authentication.
! Enable port security with sticky MAC learning
Switch(config)# interface Gi0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Two addresses: for example an IP phone plus the PC behind it
Switch(config-if)# switchport port-security maximum 2
! Sticky MACs are written into running-config as they are learned; save with
! copy running-config startup-config or they are lost at reload
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict
! Auto-recovery from err-disable (matters for ports left in the default shutdown mode)
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
! Verify
Switch# show port-security interface Gi0/1
Switch# show port-security address
DHCP Snooping
DHCP Snooping protects against rogue DHCP servers by classifying switch ports as Trusted (uplinks toward legitimate DHCP servers or relays) or Untrusted (all access ports). DHCP server messages (OFFER, ACK, NAK) arriving on untrusted ports are dropped. On untrusted ports the switch also checks that the frame's source MAC matches the DHCP client hardware address (chaddr), drops RELEASE or DECLINE messages from a port that does not own the lease, and can rate-limit DHCP packets; exceeding the limit err-disables the port, which stops DHCP starvation attacks. The snooping binding table (MAC, IP, VLAN, port, lease time) is built from the ACKs the trusted server sends and is the foundation for Dynamic ARP Inspection (DAI) and IP Source Guard. One caveat: Cisco inserts DHCP option 82 into snooped requests by default, and a relay or server that does not expect it may drop them; turn it off with no ip dhcp snooping information option unless you need it.
! Enable DHCP snooping globally, then per VLAN (both are required)
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 100,110
! Trust uplink ports (toward DHCP server/router); every other port stays untrusted
Switch(config)# interface Gi0/24
Switch(config-if)# ip dhcp snooping trust
! Rate-limit DHCP on untrusted ports (packets per second); exceeding it err-disables the port
Switch(config)# interface Gi0/1
Switch(config-if)# ip dhcp snooping limit rate 15
! Verify
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
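The checks listed above are a small state machine, and the following added example (not code from the page and not Cisco's implementation) runs them over constructed traffic: a legitimate lease, a rogue OFFER on an access port, a forged chaddr, a RELEASE sent from the wrong port, a DISCOVER burst that trips the rate limit, and finally two ARP packets checked against the resulting binding table the way DAI does. Packets are plain dictionaries rather than parsed bytes; the message names, ports and addresses are assumptions made for the demo.

```python
"""Added example (not from the page): toy DHCP snooping and DAI engine over constructed traffic."""
from collections import defaultdict

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}     # may only arrive on trusted ports


class DhcpSnooping:
    def __init__(self, trusted_ports, vlan, rate_limit=15):
        self.trusted = set(trusted_ports)
        self.vlan = vlan
        self.rate_limit = rate_limit      # DHCP packets per second allowed on an untrusted port
        self.bindings = {}                # client MAC -> {"ip", "port", "vlan"}
        self.pending = {}                 # client MAC -> untrusted port its DISCOVER/REQUEST used
        self.errdisabled = set()
        self._counts = defaultdict(int)   # (port, second) -> DHCP packets seen

    def process(self, pkt) -> str:
        """Return 'forward' or 'drop: <reason>' for one DHCP packet."""
        port = pkt["port"]
        if port in self.errdisabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            if pkt["op"] == "ACK":        # only a trusted server's ACK creates a binding
                client_port = self.pending.pop(pkt["chaddr"], None)
                if client_port:
                    self.bindings[pkt["chaddr"]] = {"ip": pkt["yiaddr"],
                                                    "port": client_port, "vlan": self.vlan}
            return "forward"
        # everything below applies to untrusted (access) ports only
        self._counts[(port, pkt["t"])] += 1
        if self._counts[(port, pkt["t"])] > self.rate_limit:
            self.errdisabled.add(port)
            return "drop: rate limit exceeded, port err-disabled"
        if pkt["op"] in SERVER_MESSAGES:
            return "drop: server message on untrusted port (rogue DHCP server)"
        if pkt["src_mac"] != pkt["chaddr"]:
            return "drop: source MAC does not match chaddr"
        if pkt["op"] in ("RELEASE", "DECLINE"):
            binding = self.bindings.get(pkt["chaddr"])
            if not binding or binding["port"] != port:
                return "drop: RELEASE/DECLINE from a port that does not own the binding"
            del self.bindings[pkt["chaddr"]]
            return "forward"
        self.pending[pkt["chaddr"]] = port    # DISCOVER / REQUEST / INFORM
        return "forward"

    def arp_inspect(self, port, sender_mac, sender_ip) -> str:
        """Dynamic ARP Inspection: on untrusted ports the sender MAC/IP pair must match a binding."""
        if port in self.trusted:
            return "forward"
        binding = self.bindings.get(sender_mac)
        if binding and binding["ip"] == sender_ip and binding["port"] == port:
            return "forward"
        return "drop: ARP sender not in DHCP snooping binding table"


def dhcp(port, op, src_mac, chaddr=None, yiaddr=None, t=0):
    """One constructed DHCP packet; chaddr defaults to the source MAC, as a real client sends it."""
    return {"port": port, "op": op, "src_mac": src_mac,
            "chaddr": chaddr or src_mac, "yiaddr": yiaddr, "t": t}


def run_demo() -> tuple:
    snoop = DhcpSnooping(trusted_ports={"Gi0/24"}, vlan=100)
    client, server, rogue = "aa:aa:aa:aa:aa:01", "00:00:5e:00:53:01", "cc:cc:cc:cc:cc:01"
    traffic = [
        dhcp("Gi0/1", "DISCOVER", client),
        dhcp("Gi0/2", "OFFER", rogue, chaddr=client, yiaddr="192.168.100.200"),   # rogue server
        dhcp("Gi0/24", "OFFER", server, chaddr=client, yiaddr="192.168.100.10"),
        dhcp("Gi0/1", "REQUEST", client),
        dhcp("Gi0/24", "ACK", server, chaddr=client, yiaddr="192.168.100.10"),
        dhcp("Gi0/3", "DISCOVER", "bb:bb:bb:bb:bb:01", chaddr="bb:bb:bb:bb:bb:99"),  # forged chaddr
        dhcp("Gi0/2", "RELEASE", client),                               # releasing someone else's lease
    ] + [dhcp("Gi0/3", "DISCOVER", f"bb:bb:bb:bb:bb:{i:02x}", t=5) for i in range(16)]  # starvation burst
    verdicts = [snoop.process(p) for p in traffic]
    arp = [snoop.arp_inspect("Gi0/1", client, "192.168.100.10"),   # legitimate host
           snoop.arp_inspect("Gi0/2", rogue, "192.168.100.1")]     # rogue claims the gateway IP
    return verdicts, arp, snoop.bindings, snoop.errdisabled
```

run_demo returns the per-packet verdicts, the two DAI decisions, the binding table and the set of err-disabled ports; the rate-limit burst shows why a limit of 15 on a port with one PC is generous but a port feeding a hub or a VM host may need more.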
8. Switch Stacking & VSS / StackWise
Enterprise networks use switch stacking or virtual switching systems to create highly available, simplified switching infrastructure.
Cisco StackWise / StackWise-480
Connects up to 8 physical Catalyst switches with dedicated stacking cables into a single logical switch managed through one IP address and one configuration file. All members share a single control plane: the active switch runs the stack, and a standby switch takes over on failure. Used on the Catalyst 3850 and 9300 (StackWise-480) and the 9200 (StackWise-160) series.
⚙ Cisco VSS — Virtual Switching System
Combines two physical Cisco Catalyst 6500/4500 chassis into a single logical switch. The VSL (Virtual Switch Link) connects the two chassis. From the network's perspective it is one switch, which removes STP blocking between the distribution and access layers and lets every access uplink stay active via MEC (Multi-chassis EtherChannel). Used in large campus core/distribution designs; on the Catalyst 9000 series the same design is delivered by StackWise Virtual.
9. CAM Table, ARP & MAC Address Learning
Understanding how a switch actually makes forwarding decisions is foundational knowledge that underpins every other switching topic. A switch learns the source MAC address of every frame it receives and records it, together with the ingress port and VLAN, in the CAM (MAC address) table; an entry that is not refreshed ages out after 300 seconds by default. A frame is forwarded out the port recorded for its destination MAC, filtered if that port is the one it arrived on, and flooded out every other port in the VLAN if the destination is unknown, broadcast, or multicast. Because the table is finite, a host that sprays thousands of forged source addresses can fill it, after which the switch floods legitimate unicast traffic like a hub; limiting addresses per port with Port Security is the standard defence. ARP sits one layer up: hosts resolve an IP address to a MAC with a broadcast ARP request, the CAM table decides where the unicast reply goes, and DAI uses the DHCP snooping binding table to discard forged replies.
CAM Table Commands
Switch# show mac address-table
Switch# show mac address-table vlan 100
Switch# show mac address-table dynamic
Switch# show mac address-table count
Switch# clear mac address-table dynamic
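The learning, flooding and aging rules above, and the Port Security violation modes from section 7, fit in one small model. This is an added example, not code from the page: a toy switch with a deliberately tiny CAM table (capacity 8, so the overflow is visible) that is run twice over the same constructed traffic, once unprotected and once with Port Security on the attacker's port. Port names, MAC addresses and the log message wording are assumptions.

```python
"""Added example (not from the page): toy switch with CAM learning, aging and Port Security."""

BCAST = "ff:ff:ff:ff:ff:ff"


class ToySwitch:
    AGING = 300     # Cisco default MAC aging time in seconds

    def __init__(self, ports, cam_capacity=8192):
        self.ports = list(ports)
        self.capacity = cam_capacity    # real tables hold thousands; the demo shrinks it to 8
        self.cam = {}                   # (vlan, mac) -> {"port": str, "seen": int}
        self.psec = {}                  # port -> port-security state
        self.errdisabled = set()
        self.log = []

    def enable_port_security(self, port, maximum=1, violation="shutdown", sticky=False):
        self.psec[port] = {"max": maximum, "mode": violation, "sticky": sticky,
                           "secure": set(), "violations": 0}

    def _violation(self, port, mac):
        cfg = self.psec[port]
        cfg["violations"] += 1
        if cfg["mode"] == "shutdown":             # default: err-disable, log, trap
            self.errdisabled.add(port)
            self.log.append(f"{port}: err-disabled (psecure-violation) by {mac}")
            return "err-disabled"
        if cfg["mode"] == "restrict":             # drop, log, count; port stays up
            self.log.append(f"{port}: violation by {mac}")
            return "dropped (logged)"
        return "dropped (silent)"                 # protect: drop and say nothing

    def _age(self, now):
        for key in [k for k, v in self.cam.items() if now - v["seen"] > self.AGING]:
            del self.cam[key]

    def receive(self, port, vlan, src, dst, now):
        """Forwarding decision for a frame entering `port` at time `now` (seconds)."""
        if port in self.errdisabled:
            return "dropped (port err-disabled)"
        self._age(now)
        cfg = self.psec.get(port)
        if cfg and src not in cfg["secure"]:      # secure MACs do not age out by default
            if len(cfg["secure"]) >= cfg["max"]:
                return self._violation(port, src)
            cfg["secure"].add(src)
        key = (vlan, src)
        if key in self.cam or len(self.cam) < self.capacity:
            self.cam[key] = {"port": port, "seen": now}     # learn or refresh the source MAC
        else:
            self.log.append(f"CAM full: {src} on {port} not learned")
        entry = self.cam.get((vlan, dst))
        if dst == BCAST or entry is None:         # broadcast or unknown unicast: flood
            return "flood to " + ",".join(p for p in self.ports if p != port)
        if entry["port"] == port:
            return "filtered (destination on ingress port)"
        return f"forward to {entry['port']}"

    def sticky_lines(self, port):
        """The lines 'mac-address sticky' writes into running-config as MACs are learned."""
        cfg = self.psec[port]
        return [f"switchport port-security mac-address sticky {m}"
                for m in sorted(cfg["secure"])] if cfg["sticky"] else []


def _run(sw, attacker_frames=50):
    """Constructed traffic: two hosts, then an attacker on Gi0/3 spraying source MACs."""
    h1, h2 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    sw.receive("Gi0/1", 100, h1, BCAST, now=0)
    sw.receive("Gi0/2", 100, h2, h1, now=1)
    for i in range(attacker_frames):
        sw.receive("Gi0/3", 100, f"de:ad:be:ef:00:{i:02x}", BCAST, now=350)
    sw.receive("Gi0/1", 100, h1, BCAST, now=355)            # h1 tries to refresh its entry
    return sw.receive("Gi0/2", 100, h2, h1, now=360)         # where does h2 -> h1 go now?


def demo() -> dict:
    ports = ["Gi0/1", "Gi0/2", "Gi0/3", "Gi0/24"]
    plain = ToySwitch(ports, cam_capacity=8)
    hardened = ToySwitch(ports, cam_capacity=8)
    hardened.enable_port_security("Gi0/1", maximum=1, sticky=True)
    hardened.enable_port_security("Gi0/2", maximum=1, violation="shutdown")
    hardened.enable_port_security("Gi0/3", maximum=2, violation="restrict")
    out = {"unprotected": _run(plain), "protected": _run(hardened),
           "violations_on_gi0_3": hardened.psec["Gi0/3"]["violations"],
           "sticky_config": hardened.sticky_lines("Gi0/1")}
    # a second MAC on the shutdown-mode port err-disables it, and the real host is cut off too
    out["shutdown_mode"] = hardened.receive("Gi0/2", 100, "aa:aa:aa:aa:aa:03", BCAST, now=361)
    out["after_shutdown"] = hardened.receive("Gi0/2", 100, "aa:aa:aa:aa:aa:02", BCAST, now=362)
    return out
```

On the unprotected switch the attacker's 50 addresses fill the table, the legitimate host cannot be re-learned after its entry ages out, and the unicast from Gi0/2 to Gi0/1 is flooded to every port including the attacker's. With maximum 2 and violation restrict on Gi0/3 the attacker gets two entries, the remaining 48 frames are dropped and logged, and the same unicast is delivered only to Gi0/1.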
10. Exam Tips & Quick-Reference
| Topic | Key Number / Fact | Exam Trap |
|---|---|---|
| STP Timers (802.1D) | Hello=2s, Forward Delay=15s, Max Age=20s → 50 sec convergence | Don't confuse 802.1D (slow) with RSTP 802.1w (fast) |
| STP Bridge Priority | Must be a multiple of 4096. Default = 32768 | Lower priority = preferred Root Bridge (not higher) |
| STP Port Cost | 10G=2, 1G=4, 100M=19, 10M=100 | Lower cost = preferred path (not higher) |
| VLAN Range | Normal: 1–1005; Extended: 1006–4094 | VTP v1/v2 does NOT propagate extended VLANs; the switch must be in Transparent mode to create them |
| EtherChannel Max Links | Up to 8 active (LACP) + 8 standby | PAgP supports max 8 active, no standby |
| PortFast + BPDU Guard | Always pair them on access ports | PortFast alone on a switch-to-switch port creates a loop |
| Native VLAN | Must match on both ends of an 802.1Q trunk | Mismatch = CDP warning + traffic misdelivered to wrong VLAN |
| DTP (Dynamic Trunking) | Auto + Auto = Access. Desirable + Auto = Trunk | Always disable DTP in production: switchport nonegotiate |
Master Checklist — Before Your CCNA/CCNP Exam
☑ Explain how a switch builds its CAM table
☑ Configure VLANs, access, and trunk ports from scratch
☑ Trace STP election step-by-step for any topology
☑ Identify which port is Root Port vs Designated vs Blocking
☑ Configure PortFast + BPDU Guard on access ports
☑ Build a LACP EtherChannel between two switches
☑ Configure inter-VLAN routing using SVIs on a L3 switch
☑ Enable port security with sticky MAC + violation restrict
☑ Configure DHCP snooping with trusted/untrusted ports
☑ Explain the difference between VTP Server, Client, Transparent