Switch learns source MAC → ingress port on every frame. Lookups on destination MAC decide unicast forwarding vs flooding.
Collision domain = per switch port (full duplex ends collisions). Broadcast domain = per VLAN.
vlan 10
name USERS
interface gi0/1
switchport mode access
switchport access vlan 10
interface gi0/24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20,30
switchport trunk native vlan 99
switchport trunk allowed vlan remove 40
show vlan brief
show interfaces trunk
show interfaces switchport
| Port Role | Function |
|---|---|
| Root Port | Best path back to the root bridge — one per non-root switch |
| Designated Port | Best port on each segment — forwards traffic for that link |
| Blocking Port | Redundant path — receives BPDUs, doesn't forward data |
| Alternate (RSTP) | Backup to root port, moves to forwarding fast on failure |
| STP State | Behavior |
|---|---|
| Blocking | No forwarding, listens for BPDUs only |
| Listening | Preparing to forward, no MAC learning yet |
| Learning | Building MAC table, still not forwarding |
| Forwarding | Fully operational — sending/receiving data |
| Disabled | Administratively shut down |
Lowest Bridge ID (Priority + MAC) wins the root bridge election. All other switches calculate the lowest path cost back to it.
spanning-tree portfast
spanning-tree bpduguard enable
interface range gi0/1-2
channel-group 1 mode active
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation restrict
1. Ingress: the switch checks the source MAC address in the frame header against its MAC address table.
2. MAC learning: if the source MAC isn't known yet, the switch adds an entry: MAC → VLAN → ingress port, with an aging timer (default 300s on most Cisco platforms).
3. Lookup: the switch checks the destination MAC against the table within the frame's VLAN context.
4. Forwarding decision: known destination → switched out that single port only (the frame never leaves other segments). Unknown, broadcast, or multicast → flooded to every port in the same VLAN except the source port.
5. 802.1Q: if the frame exits via a trunk port, the switch adds the 802.1Q VLAN tag (unless it's the native VLAN, which stays untagged).
6. Topology control: before any of this matters topologically, STP has already put redundant links into blocking state, so frames never get flooded in a circular loop and broadcast storms are prevented.

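The per-frame procedure above (ingress, learning, VLAN-scoped lookup, flood-vs-unicast, trunk tagging) as a small simulation. This is an added example, not Cisco code; the port names, the frame dict layout and the aging check on lookup are assumptions.

```python
# Added example (not Cisco code): a minimal VLAN-aware learning switch
# modelling the ingress -> learn -> lookup -> forward -> tag steps above.
# Assumed: port names, frame dict layout, aging check done on lookup.
import time

BROADCAST = "ff:ff:ff:ff:ff:ff"
AGING_SECS = 300  # default MAC aging timer on most Cisco platforms

class Switch:
    def __init__(self, access, trunks, native_vlan=99):
        self.access = access      # {port: access VLAN}
        self.trunks = trunks      # {trunk port: set of allowed VLANs}
        self.native = native_vlan
        self.table = {}           # (vlan, mac) -> (port, learned_at)

    def _ports_in_vlan(self, vlan):
        acc = [p for p, v in self.access.items() if v == vlan]
        trk = [p for p, allowed in self.trunks.items() if vlan in allowed]
        return acc + trk

    def _egress(self, port, vlan, frame):
        # Step 5: tag on trunk egress, except for the native VLAN
        if port in self.trunks and vlan != self.native:
            return {**frame, "tag": vlan}
        return {k: v for k, v in frame.items() if k != "tag"}

    def receive(self, port, frame, now=None):
        now = time.time() if now is None else now
        # Step 1: ingress; VLAN context from access config or 802.1Q tag
        if port in self.access:
            vlan = self.access[port]
        else:
            vlan = frame.get("tag", self.native)
            if vlan not in self.trunks[port]:
                return {}  # VLAN not allowed on this trunk: dropped
        # Step 2: learn (or refresh) source MAC -> VLAN -> ingress port
        self.table[(vlan, frame["src"])] = (port, now)
        # Step 3: lookup destination within the VLAN, expiring stale entries
        dst = frame["dst"]
        entry = self.table.get((vlan, dst))
        if entry and now - entry[1] > AGING_SECS:
            del self.table[(vlan, dst)]
            entry = None
        is_group = dst == BROADCAST or int(dst.split(":")[0], 16) & 1
        # Step 4: known unicast -> one port; else flood the VLAN minus ingress
        if entry and not is_group:
            out_ports = [entry[0]]
        else:
            out_ports = [p for p in self._ports_in_vlan(vlan) if p != port]
        return {p: self._egress(p, vlan, frame) for p in out_ports}
```

The returned dict maps each egress port to the frame as it would leave that port, so a frame crossing the trunk carries `"tag"` while the same frame on an access port does not.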

| Symptom | Likely Cause |
|---|---|
| Broadcast storm / network flood | STP loop, misconfigured or disabled STP, bad cable creating a physical loop |
| VLAN traffic leaking across | Native VLAN mismatch on trunk ends |
| Devices can't reach each other, same VLAN | VLAN not allowed on trunk, port in wrong VLAN |
| MAC flapping between ports | Physical loop, duplicate MAC, misconfigured EtherChannel |
| Port goes err-disabled | BPDU guard triggered, port-security violation (shutdown mode) |
| Check | Command |
|---|---|
| MAC table | show mac address-table |
| STP topology | show spanning-tree |
| Trunk status/allowed VLANs | show interfaces trunk |
| EtherChannel state | show etherchannel summary |
| Err-disabled ports | show interfaces status err-disabled |