OPERATOR REFERENCE · LAYER 2

Layer 2 Field Reference
Switching, VLANs, Trunks & STP

MAC table → VLANs → trunking → loop prevention → EtherChannel → port security
[Diagram: access port (VLAN 10) → 802.1Q trunk, switch ↔ switch, kept loop-free by STP → root bridge]
01 Switching Fundamentals

MAC Address Table (CAM)

The switch learns source MAC → ingress port (scoped to the VLAN) from every frame it receives. The lookup on the destination MAC decides whether the frame goes out one known port or is flooded.

Forwarding Logic

  • Known unicast → out that one port
  • Unknown unicast → flood all ports in VLAN
  • Broadcast/multicast → flood all ports in VLAN

Domains

Collision domain = per switch port (full duplex ends collisions). Broadcast domain = per VLAN.

02 Ethernet Frame (802.1Q Tagged)
Field            Size        Role
Preamble + SFD   8 B         sync (not counted in the frame length)
Dest MAC         6 B         addressing
Src MAC          6 B         addressing
802.1Q Tag       4 B         VLAN tag (trunk only): TPID 0x8100 + TCI (3-bit PCP, 1-bit DEI, 12-bit VLAN ID)
EtherType        2 B         protocol type/length
Payload          46–1500 B   data
FCS              4 B         CRC-32 over Dst MAC through payload (a CRC, not an additive checksum)

Untagged frames on an access port omit the 4-byte 802.1Q field entirely. On a trunk every VLAN is tagged except the native VLAN, which is sent untagged unless `vlan dot1q tag native` is configured.
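The field layout above, as an added example that is not part of the original reference: a builder and parser for Ethernet II frames that inserts or strips the 802.1Q tag, splits the TCI into PCP/DEI/VID, pads runt frames to the 64-byte minimum and verifies the FCS. The MAC addresses and ARP-style payload in the sample are constructed; the CRC-32 byte order is the one seen in captures that retain the FCS.

```python
import struct
import zlib
from typing import Optional

TPID_8021Q = 0x8100        # TPID that marks a single 802.1Q tag in an Ethernet II frame
MIN_FRAME_NO_FCS = 60      # 64-byte minimum frame on the wire, minus the 4-byte FCS


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fcs(body: bytes) -> bytes:
    # FCS = CRC-32 over Dst MAC .. end of payload, sent least-significant byte
    # first; "<I" reproduces the byte order seen in captures that keep the FCS.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame; the 802.1Q tag is inserted only when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    body = (hdr + struct.pack("!H", ethertype) + payload).ljust(MIN_FRAME_NO_FCS, b"\x00")
    return body + fcs(body)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into fields, pull out the 802.1Q tag if present, verify the FCS."""
    if len(frame) < MIN_FRAME_NO_FCS + 4:
        raise ValueError("runt frame")
    body, trailer = frame[:-4], frame[-4:]
    off = 12                                   # after Dst MAC + Src MAC
    (ethertype,) = struct.unpack_from("!H", body, off)
    vlan = None
    if ethertype == TPID_8021Q:                # tagged: 4 extra bytes before the EtherType
        (tci,) = struct.unpack_from("!H", body, off + 2)
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        off += 4
        (ethertype,) = struct.unpack_from("!H", body, off)
    return {
        "dst": mac_str(body[0:6]),
        "src": mac_str(body[6:12]),
        "vlan": vlan,                          # None on an untagged (access-port) frame
        "ethertype": ethertype,
        "payload": body[off + 2:],             # includes any padding
        "fcs_ok": trailer == fcs(body),
    }


if __name__ == "__main__":
    # Constructed sample: broadcast ARP-style frame from a made-up source MAC
    DST = bytes.fromhex("ffffffffffff")
    SRC = bytes.fromhex("0011223344aa")
    tagged = build_frame(DST, SRC, 0x0806, b"\x00\x01\x08\x00", vid=10, pcp=3)
    print(parse_frame(tagged))
    corrupted = bytearray(tagged)
    corrupted[20] ^= 0xFF                      # flip a payload byte: FCS must now fail
    print(parse_frame(bytes(corrupted))["fcs_ok"])
```

The parser strips one tag only. Feed it a double-tagged frame (outer tag = the trunk's native VLAN, inner tag = the victim VLAN) and `ethertype` comes back as 0x8100 with the inner tag still in `payload`, which is exactly what a double-tagging VLAN-hopping attempt looks like on the wire and why the native VLAN should be tagged or left unused.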
03 VLANs & Trunking

Create & Assign VLAN

  vlan 10
   name USERS
  interface gi0/1
   switchport mode access
   switchport access vlan 10

Configure a Trunk

  interface gi0/24
   switchport trunk encapsulation dot1q
   switchport mode trunk
   switchport nonegotiate
   switchport trunk allowed vlan 10,20,30
The `encapsulation dot1q` line is only accepted on platforms that also support ISL; newer switches reject it and trunk 802.1Q only. Set every port's mode explicitly: a port left in `dynamic auto` or `dynamic desirable` can be negotiated into a trunk over DTP by whatever is plugged in, and `switchport nonegotiate` stops DTP on the static trunk.

Native VLAN

  switchport trunk native vlan 99
⚠ A native VLAN mismatch between the two ends of a trunk delivers untagged frames from one VLAN into a different VLAN on the far side (IOS logs %CDP-4-NATIVE_VLAN_MISMATCH when CDP is running). Use an otherwise unused VLAN as native, never assign it to an access port, and tag it where supported with `vlan dot1q tag native`: an untagged native VLAN that is also an access VLAN is the precondition for double-tagging VLAN hopping.

Prune Unused VLANs

  switchport trunk allowed vlan remove 40
Restricting allowed VLANs on trunks limits broadcast/flood scope and keeps a VLAN off switches that have no ports in it, so a compromised host on one switch cannot reach VLANs that never needed to be there.

Verify

  show vlan brief
  show interfaces trunk
  show interfaces switchport
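Checking `show interfaces trunk` by eye on two switches is how native VLAN mismatches survive. As an added example that is not part of the original reference, the script below parses that output for both ends of one trunk and flags the faults listed on this page: native VLAN 1, a trunk formed by DTP, an unpruned allowed list, and native or allowed-list mismatches between the ends. The two output samples are constructed for switch names SW-A and SW-B that are assumptions; the column layout follows IOS.

```python
# Constructed 'show interfaces trunk' output for the two ends of one trunk.
SW_A = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/24      10,20,30

Port        Vlans allowed and active in management domain
Gi0/24      10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      10,20,30
"""

SW_B = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/24      desirable        802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/24      1-4094

Port        Vlans allowed and active in management domain
Gi0/24      1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      1,10,20,30
"""


def expand_vlan_list(spec: str) -> set:
    """'1,10-12' -> {1, 10, 11, 12}; 'none' -> empty set."""
    vlans = set()
    if spec.lower() == "none":
        return vlans
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_interfaces_trunk(text: str) -> dict:
    """Return {port: {mode, status, native, allowed}} from IOS 'show interfaces trunk'."""
    trunks, section = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Port":                       # a header line names the section
            if "Native vlan" in line:
                section = "status"
            elif "Vlans allowed on trunk" in line:
                section = "allowed"
            else:
                section = None                       # the other two sections are ignored
            continue
        if section == "status" and len(parts) == 5:
            trunks[parts[0]] = {"mode": parts[1], "status": parts[3],
                                "native": int(parts[4]), "allowed": set()}
        elif section == "allowed" and len(parts) == 2 and parts[0] in trunks:
            trunks[parts[0]]["allowed"] = expand_vlan_list(parts[1])
    return trunks


def audit_trunk(switch: str, port: str, t: dict) -> list:
    """Checks that need only one end of the link."""
    findings = []
    if t["native"] == 1:
        findings.append(f"{switch} {port}: native VLAN is 1, the default access VLAN")
    if t["mode"] not in ("on", "nonegotiate"):
        findings.append(f"{switch} {port}: trunk negotiated by DTP (mode {t['mode']})")
    if len(t["allowed"]) >= 4094:
        findings.append(f"{switch} {port}: all VLANs allowed, nothing pruned")
    return findings


def audit_link(a_name: str, a: dict, a_port: str, b_name: str, b: dict, b_port: str) -> list:
    """Cross-check the two ends of one trunk against each other."""
    ta, tb = a[a_port], b[b_port]
    findings = audit_trunk(a_name, a_port, ta) + audit_trunk(b_name, b_port, tb)
    if ta["native"] != tb["native"]:
        findings.append(f"native VLAN mismatch: {a_name} {a_port}={ta['native']} "
                        f"vs {b_name} {b_port}={tb['native']}")
    one_sided = ta["allowed"] ^ tb["allowed"]
    if one_sided:
        findings.append(f"{len(one_sided)} VLAN(s) allowed on one end only "
                        f"(frames in them are dropped at the other end)")
    return findings


if __name__ == "__main__":
    ends = (parse_show_interfaces_trunk(SW_A), parse_show_interfaces_trunk(SW_B))
    for finding in audit_link("SW-A", ends[0], "Gi0/24", "SW-B", ends[1], "Gi0/24"):
        print("-", finding)
```

Run against the samples it reports five findings, all on SW-B: native VLAN 1, a DTP-negotiated (`desirable`) trunk, an unpruned allowed list, the native mismatch with SW-A's 99, and 4091 VLANs allowed on one end only. Paste real output in place of the samples; only the first and second sections are read.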

VTP Modes

  • Server — creates/edits VLANs, propagates
  • Client — accepts updates, can't edit
  • Transparent — local only, forwards updates
⚠ Any server in the domain with a higher configuration revision number overwrites the VLAN database of every other switch, including one brought in from another site. Use `vtp mode transparent` and a VTP password unless VTP is deliberately in use.
04 Spanning Tree Protocol (Loop Prevention)
Port Role          Function
Root Port          Best path back to the root bridge; one per non-root switch
Designated Port    Best port on each segment; forwards traffic for that link (every port on the root bridge is designated)
Blocking Port      Redundant path; receives BPDUs, doesn't forward data or learn MACs
Alternate (RSTP)   Backup to the root port; moves to forwarding quickly on failure

STP State    Behavior
Blocking     No forwarding, listens for BPDUs only (20 s max age before a lost root is declared)
Listening    Preparing to forward, no MAC learning yet (15 s forward delay)
Learning     Building MAC table, still not forwarding (15 s forward delay)
Forwarding   Fully operational; sending/receiving data
Disabled     Administratively shut down

Root Bridge Election

Lowest Bridge ID wins: priority first (default 32768, set in steps of 4096; on PVST+/RPVST+ the VLAN ID is added as the extended system ID), then lowest MAC as the tie-breaker. Every other switch picks the lowest-cost path back to the root; equal costs are broken by the sending bridge ID, then the sending port ID. Pin the root with `spanning-tree vlan 10 root primary` (or an explicit priority) and put `spanning-tree guard root` on ports that must never lead toward the root, so a rogue or mis-set switch with a lower priority cannot take over the election and pull traffic through itself.

PortFast

  spanning-tree portfast
Skips listening/learning so an end host forwards immediately. Use it only on edge ports facing hosts: a PortFast port that ends up connected to another switch can create a transient loop before STP reacts, which is why it is paired with BPDU guard.

BPDU Guard

  spanning-tree bpduguard enable
  spanning-tree portfast bpduguard default   (global: every PortFast port)
⚠ err-disables the port if a BPDU is received; protects against rogue switches plugged into access ports. Recovery is manual (`shutdown` / `no shutdown`) unless `errdisable recovery cause bpduguard` is configured.
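The election and port-role rules above, as an added example that is not part of the original reference: a small model of STP that elects the root from (priority, MAC), computes each switch's root path cost with the BPDU tie-breaking order (cost, sender bridge ID, sender port, receiving port), and assigns designated, root and alternate roles per link. The three-switch triangle is constructed; switch names, MACs and integer port IDs are assumptions standing in for IOS interface names with the default port priority.

```python
import heapq

# Constructed topology: three switches in a triangle, so one link must block.
# Bridge ID = (priority, MAC); port IDs are small ints standing in for the
# IOS port number with the default port priority of 128.
SWITCHES = {
    "SW1": {"priority": 4096,  "mac": "00:00:00:00:00:01"},
    "SW2": {"priority": 32768, "mac": "00:00:00:00:00:02"},
    "SW3": {"priority": 32768, "mac": "00:00:00:00:00:03"},
}
# (switch, port, switch, port, cost); 4 is the 802.1D short path cost of 1 Gb/s
LINKS = [
    ("SW1", 1, "SW2", 1, 4),
    ("SW1", 2, "SW3", 1, 4),
    ("SW2", 2, "SW3", 2, 4),
]


def bridge_id(switches: dict, name: str) -> tuple:
    """Lowest (priority, MAC) wins; tuple comparison orders them the way STP does."""
    return (switches[name]["priority"], switches[name]["mac"])


def stp_roles(switches: dict, links: list):
    """Return (root bridge, root path cost per switch, role per (switch, port))."""
    root = min(switches, key=lambda n: bridge_id(switches, n))
    adj = {n: [] for n in switches}
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pa, pb, cost))
        adj[b].append((a, pb, pa, cost))
    # best[n] is the best BPDU n has heard: (root path cost, sender BID,
    # sender port, receiving port), compared left to right like real STP.
    best = {root: (0, bridge_id(switches, root), 0, 0)}
    pq = [(best[root], root)]
    while pq:                                   # Dijkstra over link cost
        cand, n = heapq.heappop(pq)
        if cand != best[n]:
            continue
        for nb, n_port, nb_port, cost in adj[n]:
            offer = (cand[0] + cost, bridge_id(switches, n), n_port, nb_port)
            if nb not in best or offer < best[nb]:
                best[nb] = offer
                heapq.heappush(pq, (offer, nb))
    roles = {}
    for a, pa, b, pb, _ in links:
        # the end that would send the better BPDU onto the segment is designated
        ends = sorted(((best[x][0], bridge_id(switches, x), px), x, px)
                      for x, px in ((a, pa), (b, pb)))
        desig, dport = ends[0][1], ends[0][2]
        other, oport = ends[1][1], ends[1][2]
        roles[(desig, dport)] = "designated"
        # the other end is the root port only if its best BPDU arrived over this link
        via_this_link = best[other][1:] == (bridge_id(switches, desig), dport, oport)
        roles[(other, oport)] = "root" if via_this_link else "alternate (blocking)"
    return root, {n: best[n][0] for n in switches}, roles


if __name__ == "__main__":
    root, costs, roles = stp_roles(SWITCHES, LINKS)
    print("root:", root, "costs:", costs)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} port {port}: {role}")
    # a rogue switch announcing priority 0 wins the election and re-routes traffic
    rogue = dict(SWITCHES, SW3={"priority": 0, "mac": "00:00:00:00:00:03"})
    print("rogue root:", stp_roles(rogue, LINKS)[0])
```

With SW1 at priority 4096 it is root, SW2 and SW3 each reach it at cost 4, and on the SW2–SW3 link SW2 wins the designated role on bridge ID so SW3 port 2 blocks. Rerunning with SW3 at priority 0 makes SW3 root and turns SW2's port toward SW1 into the blocked one: SW1–SW2 traffic now transits the rogue, which is what root guard on the downstream-facing ports prevents.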
05 EtherChannel & Port Security

EtherChannel / LAG

  interface range gi0/1-2
   channel-group 1 mode active
  • LACP (802.3ad, now 802.1AX) — active / passive, multivendor standard; at least one end must be active, passive/passive never bundles
  • PAgP — Cisco proprietary, desirable / auto; same rule, auto/auto never bundles
  • `mode on` forces the bundle with no protocol; if the far end disagrees you get the MAC flapping and loops listed under Faults, so prefer LACP
  • Load balances by src/dst MAC, IP, or port hash: bundles bandwidth, not a single faster link, and one flow always rides one member

Port Security

  switchport port-security
  switchport port-security maximum 2
  switchport port-security mac-address sticky
  switchport port-security violation restrict
Violation modes: protect (drop frames from unknown MACs, no log, no counter), restrict (drop + syslog/SNMP trap + violation counter), shutdown (the default: err-disables the port, which also cuts off the legitimate host until `shutdown` / `no shutdown` or `errdisable recovery cause psecure-violation`). Port security is only accepted on a statically configured access or trunk port, not one left in dynamic mode. Sticky addresses land in the running config and survive a reload only after `write memory`. Verify with `show port-security interface gi0/1`.
06 How a Switch Learns & Forwards
1. Frame arrives on a port (ingress)
   Switch checks the source MAC address in the frame header against its MAC address table.

2. Table miss → learn (MAC learning)
   If the source MAC isn't known yet, the switch adds an entry: MAC → VLAN → ingress port, with an aging timer (default 300 s on most Cisco platforms). If the MAC is already known on a different port the entry moves; when this keeps happening IOS logs %SW_MATM-4-MACFLAP_NOTIF, the "MAC flapping" symptom under Faults.

3. Destination MAC lookup (lookup)
   Switch checks the destination MAC against the table within the frame's VLAN context.

4. Forward or flood (forwarding decision)
   Known destination → switched out that single port only (the frame never leaves other segments; a destination learned on the ingress port itself is dropped). Unknown unicast, broadcast, or multicast → flooded to every port in the same VLAN except the source port.

5. Trunk re-tagging, if crossing a trunk (802.1Q)
   If the frame exits via a trunk port, the switch adds the 802.1Q tag for its VLAN, unless it is the native VLAN, which stays untagged.

6. Loop check via STP (topology control)
   STP runs ahead of all of this: redundant links are already in blocking state, so a flooded frame cannot circulate and broadcast storms are prevented. Flooding is also why an attacker who fills the table with bogus source MACs can turn a switch into a hub for the VLAN; the port-security maximum caps how many addresses one port may learn.
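The six steps above, together with the MAC table rules in section 01 and the port-security violation modes in section 05, as one added example that is not part of the original reference: a model switch that scopes its table by VLAN, ages entries, logs MAC moves, enforces a per-port MAC limit in protect/restrict/shutdown mode before learning, filters a destination that sits on the ingress port, floods everything else within the VLAN, and tags on trunk egress except for the native VLAN. The port layout, MAC addresses and timings in `build_switch` are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac: str) -> bool:
    """Broadcast/multicast destination: I/G bit (low bit of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Port:
    name: str
    mode: str = "access"                   # "access" or "trunk"
    vlan: int = 1                          # access VLAN
    native: int = 1                        # trunk native VLAN, untagged both ways
    allowed: set = field(default_factory=set)        # trunk allowed VLANs
    secure_max: Optional[int] = None       # port-security maximum; None = off
    violation: str = "shutdown"            # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)    # sticky-learned addresses
    violations: int = 0
    err_disabled: bool = False

    def carries(self, vlan: int) -> bool:
        return vlan == self.vlan if self.mode == "access" else vlan in self.allowed


class Switch:
    def __init__(self, aging: float = 300.0):
        # cam: (vlan, mac) -> [port name, last seen]; the VLAN is part of the key
        self.ports, self.cam, self.aging, self.log = {}, {}, aging, []

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def _ingress_vlan(self, port: Port, tag: Optional[int]) -> Optional[int]:
        if port.mode == "access":          # untagged (or own-VLAN tagged) frames only
            return port.vlan if tag in (None, port.vlan) else None
        vlan = port.native if tag is None else tag
        return vlan if vlan in port.allowed else None

    def _port_security(self, port: Port, src: str) -> Optional[str]:
        """Drop reason if src exceeds the port's MAC limit, else None."""
        if port.secure_max is None or src in port.secure_macs:
            return None
        if len(port.secure_macs) < port.secure_max:
            port.secure_macs.add(src)      # sticky learn
            return None
        port.violations += 1
        if port.violation == "shutdown":   # whole port goes down, legitimate host included
            port.err_disabled = True
            self.log.append(f"{port.name} err-disabled (psecure-violation) by {src}")
        elif port.violation == "restrict":
            self.log.append(f"{port.name} port-security violation by {src}")
        return f"port-security {port.violation}"   # protect: silent drop

    def receive(self, pname: str, src: str, dst: str, tag: Optional[int] = None,
                now: float = 0.0) -> dict:
        port = self.ports[pname]
        if port.err_disabled:
            return {"action": "drop", "reason": "err-disabled", "out": []}
        vlan = self._ingress_vlan(port, tag)
        if vlan is None:
            return {"action": "drop", "reason": "vlan not allowed on port", "out": []}
        reason = self._port_security(port, src)
        if reason:
            return {"action": "drop", "reason": reason, "out": []}
        # age out stale entries, then learn (or refresh) src on the ingress port
        self.cam = {k: v for k, v in self.cam.items() if now - v[1] < self.aging}
        prev = self.cam.get((vlan, src))
        if prev and prev[0] != pname:
            self.log.append(f"MAC {src} VLAN {vlan} moved {prev[0]} -> {pname}")
        self.cam[(vlan, src)] = [pname, now]
        # destination lookup inside the VLAN: known unicast -> one port, else flood
        entry = None if is_group(dst) else self.cam.get((vlan, dst))
        if entry and entry[0] == pname:
            return {"action": "filter", "reason": "dst on ingress port", "out": [], "vlan": vlan}
        if entry:
            action, targets = "forward", [self.ports[entry[0]]]
        else:
            action, targets = "flood", [p for p in self.ports.values()
                                        if p.name != pname and p.carries(vlan) and not p.err_disabled]
        # trunk egress gets an 802.1Q tag unless the VLAN is that trunk's native VLAN
        out = [(p.name, None if p.mode == "access" or vlan == p.native else vlan) for p in targets]
        return {"action": action, "reason": "", "out": out, "vlan": vlan}


def build_switch() -> Switch:
    """Constructed sample: VLAN 10 hosts on Gi0/1-2, VLAN 20 on Gi0/3, trunk on Gi0/24."""
    sw = Switch()
    sw.add_port(Port("Gi0/1", vlan=10, secure_max=1, violation="restrict"))
    sw.add_port(Port("Gi0/2", vlan=10))
    sw.add_port(Port("Gi0/3", vlan=20, secure_max=1))          # default violation: shutdown
    sw.add_port(Port("Gi0/24", mode="trunk", native=99, allowed={10, 20, 99}))
    return sw
```

Driving `build_switch()` with a few frames shows each rule in turn: the first frame from Gi0/1 floods to Gi0/2 untagged and to Gi0/24 tagged 10 but never to the VLAN 20 port; the reply is forwarded to Gi0/1 alone; an untagged frame arriving on the trunk lands in VLAN 99, where no access port exists, so it goes nowhere; a second MAC on the restrict port is dropped and counted while the first host keeps working, whereas the same thing on the shutdown port err-disables it and the legitimate host is cut off too; and a MAC that reappears behind the trunk produces the move log line that, repeated, is the flapping symptom.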
07 Common Layer 2 Faults
Symptom                                     Likely Cause
Broadcast storm / network flood             STP loop, misconfigured or disabled STP, bad cable creating a physical loop
VLAN traffic leaking across                 Native VLAN mismatch on trunk ends
Devices can't reach each other, same VLAN   VLAN not allowed on trunk, port in wrong VLAN
MAC flapping between ports                  Physical loop, duplicate MAC, misconfigured EtherChannel
Port goes err-disabled                      BPDU guard triggered, port-security violation (shutdown mode)

Check                        Command
MAC table                    show mac address-table
STP topology                 show spanning-tree
Trunk status/allowed VLANs   show interfaces trunk
EtherChannel state           show etherchannel summary
Err-disabled ports           show interfaces status err-disabled
Why a port was err-disabled  show errdisable recovery
Port-security state          show port-security