This chapter covers Ethernet switching and VLANs, two foundational technologies for modern local area networks. Expect approximately 15-20% of N10-009 exam questions to touch on switching concepts, MAC address tables, VLAN configuration, and trunking. Mastering these topics is essential for understanding how switches forward frames, segment broadcast domains, and enable efficient network communication. We will explore the internal mechanics of switching, VLAN operation, and verification commands you must know for the exam.
Imagine a large office mailroom with 100 employees. The mailroom (switch) receives letters (frames) from employees (hosts). Each employee has a unique desk number (MAC address). The mailroom maintains a directory (MAC address table) that maps desk numbers to the hallway (port) where that employee sits. When a letter arrives addressed to a specific desk, the mailroom checks the directory: if the desk is known, the letter is delivered only to that hallway (unicast forwarding). If the desk is unknown, the mailroom broadcasts a notice to all hallways asking, 'Who is at desk 42?' (flooding). The employee at that desk replies, and the mailroom updates its directory. The mailroom never sends a letter to the hallway the letter came from (no forwarding on source port). If two employees try to speak at once, the mailroom asks them to wait (CSMA/CD, but in modern switching this is rare because full-duplex eliminates collisions). This is exactly how an Ethernet switch learns MAC addresses and forwards frames selectively, unlike a hub that shouts every letter to every hallway.
What is Ethernet Switching?
Ethernet switching is the process of forwarding Ethernet frames based on MAC addresses. Unlike a hub that repeats every frame out all ports, a switch learns which MAC addresses are reachable via each port and forwards frames only to the appropriate port. This reduces collision domains and increases network efficiency. The switch operates at Layer 2 (Data Link Layer) of the OSI model.
MAC Address Table
The MAC address table (also called CAM table – Content Addressable Memory) is the core data structure. It maps MAC addresses to switch port numbers. Default aging time is 300 seconds (5 minutes) on most Cisco switches. When a frame arrives, the switch:
Learns the source MAC address and associates it with the ingress port.
Looks up the destination MAC address in the table.
If found (known unicast), forwards the frame only to the corresponding port.
If not found (unknown unicast), floods the frame to all ports except the ingress port.
If the destination is broadcast (FF-FF-FF-FF-FF-FF) or multicast, it floods (except for ports that are pruned via IGMP snooping).
Switching Methods
The N10-009 exam tests three switching methods:
Store-and-forward: The switch receives the entire frame, checks the FCS (Frame Check Sequence) for errors, then forwards. This introduces latency but ensures error-free forwarding. Used in most modern enterprise switches.
Cut-through: The switch forwards the frame as soon as it reads the destination MAC address (after the first 6 bytes). Latency is minimal, but corrupted frames may be forwarded. Subtypes: fast-forward (immediately after the destination MAC) and fragment-free (reads the first 64 bytes to detect collisions).
Fragment-free: A compromise – reads the first 64 bytes (the minimum Ethernet frame size) to check for runts before forwarding.
VLANs – Virtual Local Area Networks
A VLAN (IEEE 802.1Q) logically segments a switch into multiple isolated broadcast domains. By default, all ports belong to VLAN 1. VLANs allow you to group users by function (e.g., VLAN 10 for HR, VLAN 20 for Engineering) regardless of physical location. Traffic between VLANs requires a Layer 3 device (router or Layer 3 switch).
VLAN Ranges
Normal VLANs: 1-1005. VLANs 1 and 1002-1005 are reserved (FDDI, Token Ring). VLAN 1 is the default and cannot be deleted.
Extended VLANs: 1006-4094. On some platforms, these require global configuration mode.
VLAN 0 and 4095: Reserved for implementation use.
802.1Q Trunking
Trunking allows multiple VLANs to traverse a single link. The switch inserts a 4-byte tag into the Ethernet frame between the source MAC and EtherType fields. The tag includes:
TPID (Tag Protocol Identifier): 0x8100 (16 bits)
TCI (Tag Control Information): Priority (3 bits for CoS), Drop Eligible Indicator (1 bit), VLAN ID (12 bits – supports up to 4094 VLANs)
The native VLAN (default VLAN 1) is untagged on a trunk – the switch assumes frames without a tag belong to the native VLAN. Mismatched native VLANs can cause security issues.
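The tag layout and the native-VLAN rule above can be exercised directly. The following Python is an added example, not code from this guide or from any switch vendor: it parses the 4-byte tag out of a raw frame, tags or leaves frames untagged on trunk egress, classifies frames on trunk ingress, and then shows what a native VLAN mismatch does to untagged traffic. The sample frame bytes, MAC addresses and VLAN numbers are constructed.

```python
"""Parse the 4-byte 802.1Q tag and classify a frame's VLAN on trunk ingress.

Added example (not from the guide); frame bytes and VLAN numbers are constructed.
"""
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q-tagged frame


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, tag fields (if tagged) and EtherType of an Ethernet frame.

    Layout: dst(6) src(6) [TPID(2) TCI(2)] EtherType(2) payload...
    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits), big-endian.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    info = {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "tagged": False}
    (first_type,) = struct.unpack("!H", frame[12:14])
    type_offset = 12
    if first_type == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        info.update(tagged=True, tpid=first_type,
                    pcp=(tci >> 13) & 0x7,   # priority code point (CoS)
                    dei=(tci >> 12) & 0x1,   # drop eligible indicator
                    vid=tci & 0x0FFF)        # VLAN ID; 0 and 4095 are reserved
        type_offset = 16
    (info["ethertype"],) = struct.unpack("!H", frame[type_offset:type_offset + 2])
    return info


def tag_for_trunk(untagged: bytes, vlan: int, native_vlan: int, pcp: int = 0) -> bytes:
    """Trunk egress: insert the tag after the source MAC unless the VLAN is native."""
    if vlan == native_vlan:
        return untagged                       # native VLAN leaves the trunk untagged
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp & 0x7) << 13 | vlan
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]


def ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """Trunk ingress: a tagged frame goes to its VID; an untagged frame (or one
    carrying VID 0, a priority-only tag) is assumed to belong to the native VLAN."""
    info = parse_frame(frame)
    if info["tagged"] and info["vid"] != 0:
        return info["vid"]
    return native_vlan


def trunk_hop(untagged: bytes, vlan: int, native_a: int, native_b: int) -> int:
    """Send a frame of `vlan` from switch A (native_a) to switch B (native_b)
    over a trunk and return the VLAN switch B files it under. With mismatched
    native VLANs, A's native-VLAN traffic lands in B's native VLAN instead."""
    return ingress_vlan(tag_for_trunk(untagged, vlan, native_a), native_b)


# Constructed sample: broadcast frame from 00:11:22:33:44:55, EtherType 0x0806 (ARP)
SAMPLE_UNTAGGED = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)

if __name__ == "__main__":
    print(parse_frame(tag_for_trunk(SAMPLE_UNTAGGED, 10, 99, pcp=5)))
    print("native 99 -> native 1 mismatch files VLAN 99 traffic into VLAN",
          trunk_hop(SAMPLE_UNTAGGED, 99, 99, 1))
```

The last call is the mismatch case from the text: switch A sends its native VLAN 99 untagged, switch B (native VLAN 1) has no tag to go on and classifies the frame as VLAN 1. Tagged VLANs survive the hop regardless of the native setting, which is why the symptom shows up on control traffic rather than on ordinary user VLANs.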
VTP – VLAN Trunking Protocol
VTP (Cisco proprietary) propagates VLAN information across a domain. Modes:
Server: Can create, modify, and delete VLANs; advertises changes.
Client: Receives and applies changes; cannot modify locally.
Transparent: Forwards VTP advertisements but does not apply them; can manage VLANs locally.
VTP is rarely used in modern networks due to risk of accidental propagation (e.g., a switch with a higher revision number can overwrite VLAN databases). The exam expects you to know these modes.
DTP – Dynamic Trunking Protocol
DTP negotiates trunking between Cisco switches. Modes:
Dynamic desirable: Actively tries to form a trunk.
Dynamic auto: Waits for the other side to initiate.
Trunk: Forces trunking.
Access: Forces access mode (no trunking).
Security best practice: disable DTP on access ports with switchport nonegotiate.
STP – Spanning Tree Protocol
STP (IEEE 802.1D) prevents loops in redundant topologies. Switches exchange BPDUs (Bridge Protocol Data Units) to elect a root bridge, determine root ports, designated ports, and block redundant paths. Port states: Blocking (20 sec), Listening (15 sec), Learning (15 sec), Forwarding. Timers: Hello (2 sec), Forward Delay (15 sec), Max Age (20 sec).
RSTP (802.1w) speeds convergence to seconds. The exam may ask about port roles: Root, Designated, Alternate, Backup.
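To see how the election in the paragraph above actually resolves, here is an added worked example in Python (not code from the guide): it picks the root bridge by lowest bridge ID (priority, then MAC), computes each switch's root path cost, and assigns Root, Designated and Alternate roles on a small triangle of switches. The topology, MAC addresses and link costs are constructed; the core switch uses priority 4096 as this guide recommends later on. Parallel links between the same pair of switches (the Backup role) are deliberately not modelled.

```python
"""Work the 802.1D election: root bridge, root path cost, and port roles.

Added example, not from the guide. The three-switch triangle, its MACs and link
costs are constructed; the core switch uses priority 4096 as the guide suggests.
"""
import heapq


def bridge_id(priority: int, mac: str):
    """Bridge ID ordering: lower priority wins, then lower MAC."""
    return (priority, mac.lower())


def convergence_seconds(direct_failure: bool, max_age=20, forward_delay=15) -> int:
    """802.1D: listening + learning after a directly detected failure (30 s);
    Max Age is added first when the failure is only noticed by BPDUs stopping (50 s)."""
    return (0 if direct_failure else max_age) + 2 * forward_delay


def elect(bridges: dict, links: list):
    """bridges: {name: (priority, mac)}; links: [(a, b, cost)], one link per pair.
    Returns (root, {name: root path cost}, {(bridge, neighbor): role})."""
    ids = {n: bridge_id(*v) for n, v in bridges.items()}
    root = min(ids, key=ids.get)                 # lowest bridge ID wins
    adj = {n: [] for n in bridges}
    for a, b, c in links:
        adj[a].append((b, c))
        adj[b].append((a, c))
    # Root path cost = cheapest sum of link costs to the root (Dijkstra)
    cost = {n: float("inf") for n in bridges}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > cost[n]:
            continue
        for m, c in adj[n]:
            if d + c < cost[m]:
                cost[m] = d + c
                heapq.heappush(heap, (cost[m], m))
    roles = {}
    for n in bridges:
        if n == root:                              # every root-bridge port is designated
            roles.update({(n, m): "designated" for m, _ in adj[n]})
            continue
        # Root port: the neighbor on the cheapest path; ties go to the lower sender ID
        root_port = min((ids[m], m) for m, c in adj[n] if cost[m] + c == cost[n])[1]
        for m, c in adj[n]:
            if m == root_port:
                roles[(n, m)] = "root"
            elif (cost[n], ids[n]) < (cost[m], ids[m]):
                roles[(n, m)] = "designated"       # this end sends the best BPDU on the segment
            else:
                roles[(n, m)] = "alternate"        # blocked: this is the port that breaks the loop
    return root, cost, roles


# Constructed topology: Core (priority 4096) and two access switches in a triangle
BRIDGES = {"Core": (4096, "00:00:00:00:00:01"),
           "SW-A": (32768, "00:00:00:00:00:02"),
           "SW-B": (32768, "00:00:00:00:00:03")}
LINKS = [("Core", "SW-A", 4), ("Core", "SW-B", 4), ("SW-A", "SW-B", 4)]

if __name__ == "__main__":
    root, cost, roles = elect(BRIDGES, LINKS)
    print("root bridge:", root)
    for (n, m), role in sorted(roles.items()):
        print(f"{n} port toward {m}: {role} (root path cost {cost[n]})")
```

On this triangle both access switches reach the root at cost 4, so the SW-A/SW-B link is decided by bridge ID: SW-A (lower MAC) becomes designated and SW-B's end is the alternate port that stays blocked. The convergence helper reproduces the 30-50 second figure quoted for 802.1D: Forward Delay twice (15 + 15) for a directly detected failure, plus Max Age (20) when the failure is only inferred from missing BPDUs.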
Port Security
Port security limits the number of MAC addresses allowed on a switch port. Default: 1 MAC. Violation modes:
Shutdown: Port goes err-disabled (default).
Restrict: Drops offending frames, increments counter.
Protect: Drops offending frames silently.
Sticky MAC learning: dynamically learned MACs are saved to the running config.
Configuration and Verification Commands
! Create VLAN
Switch(config)# vlan 10
Switch(config-vlan)# name HR
! Assign port to VLAN (and disable DTP on the access port)
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport nonegotiate
! Configure trunk (interface name is a placeholder)
Switch(config)# interface gi0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 10,20,30
! Verify
Switch# show vlan brief
Switch# show interfaces trunk
Switch# show mac-address-table
Switch# show spanning-tree
Switch# show port-security interface fa0/1
Interaction with Related Technologies
Router on a stick: A router with a single trunk link to a switch performs inter-VLAN routing using subinterfaces.
Layer 3 switching: Switches with routing capabilities (e.g., Cisco Catalyst 3560) can route between VLANs using SVIs (Switch Virtual Interfaces).
DHCP snooping: Filters DHCP messages on untrusted ports (access ports) to prevent rogue DHCP servers.
Dynamic ARP Inspection (DAI): Validates ARP packets against the DHCP snooping binding table.
Exam Focus on Switching Methods
Know the three switching methods and their trade-offs. Store-and-forward is the most reliable but slowest; cut-through is fastest but may forward errors. Fragment-free is a middle ground. The exam may ask which method is best for latency-sensitive applications (cut-through).
VLAN Trunking Protocol (VTP) – Legacy but Tested
VTP revision numbers increase with each change. If a switch with a higher revision number connects to the domain, it can overwrite the VLAN database. This is a common exam scenario: 'Why did VLANs disappear after adding a new switch?' Answer: The new switch had a higher VTP revision number.
Common Misconfiguration: Native VLAN Mismatch
If two switches have different native VLANs on a trunk, control traffic (CDP, VTP, STP BPDUs) may be misdirected, and the trunk may not form. The command show interfaces trunk will show 'Native VLAN mismatch'.
Summary of Key Values
MAC address table aging: 300 seconds (default)
STP Hello: 2 seconds
STP Forward Delay: 15 seconds
STP Max Age: 20 seconds
VLAN ID range: 1-4094 (0, 4095 reserved)
802.1Q tag size: 4 bytes
Default native VLAN: 1
Port security default max MAC: 1
Bullet Points for Exam
Switches use MAC address tables to forward frames selectively.
Unknown unicast frames are flooded.
Broadcast frames are always flooded (except if VLAN is pruned).
VLANs isolate broadcast domains.
Trunks carry multiple VLANs using 802.1Q tags.
Native VLAN is untagged.
STP prevents loops; RSTP is faster.
Port security can shut down a port on violation.
VTP is dangerous; best practice is to use transparent mode or disable.
DTP should be disabled on access ports.
Advanced: Private VLANs
Private VLANs (PVLANs) further isolate ports within a VLAN. Promiscuous ports can communicate with all; isolated ports can only talk to promiscuous ports; community ports can talk to each other and to promiscuous ports. The exam may ask about isolated ports.
Troubleshooting
show mac-address-table – check learned MACs.
show vlan – verify VLAN exists.
show interfaces trunk – verify trunk status and allowed VLANs.
show spanning-tree – check blocking ports.
debug spanning-tree events – live STP changes.
Recap
Ethernet switching and VLANs are the backbone of modern LANs. Understand the frame-forwarding logic, VLAN segmentation, trunking, and loop prevention. Practice configuration and verification commands. The N10-009 exam will test you on these concepts with scenario-based questions.
Frame Arrives at Switch Port
An Ethernet frame enters a switch port. The switch examines the source MAC address and records it in the MAC address table along with the ingress port number. If the MAC is already present, the switch may refresh the aging timer (default 300 seconds). The switch then looks up the destination MAC address. If it is a broadcast (FF:FF:FF:FF:FF:FF) or multicast, the switch will flood the frame to all ports except the ingress port. If it is a unicast, the switch proceeds to the next step.
MAC Address Table Lookup
The switch searches its MAC address table for the destination MAC address. If a matching entry is found (known unicast), the switch determines the egress port from that entry. If no match is found (unknown unicast), the switch must flood the frame to all ports except the ingress port. This flooding ensures the frame reaches its destination if the destination device is on the same VLAN but the switch hasn't learned its location yet. Flooding consumes bandwidth and is a security concern.
Forward or Flood Decision
Based on the lookup, the switch decides whether to forward the frame only to the egress port (unicast) or to flood it. If the destination port is the same as the ingress port, the switch drops the frame (no forwarding on source port). If the egress port is a trunk, the switch may insert an 802.1Q tag if the frame's VLAN is not the native VLAN. The switch also checks for any access control lists (ACLs) or port security violations before forwarding.
Frame Transmission on Egress Port
The switch transmits the frame out the egress port. For access ports, the frame is sent untagged. For trunk ports, the frame is tagged with the appropriate VLAN ID (unless it is native VLAN traffic, which remains untagged). The switch may also apply QoS markings (CoS) based on the port configuration. The transmission may be delayed if the egress port is congested (output queue). The switch uses the store-and-forward, cut-through, or fragment-free method depending on configuration.
STP Loop Prevention Check
Before forwarding, the switch ensures that the egress port is in the forwarding state per Spanning Tree Protocol. If STP has placed the port in blocking, listening, or learning state, the frame is not forwarded. STP BPDUs are processed separately and may cause the switch to change port states. This step is critical in redundant topologies to prevent broadcast storms and MAC table instability.
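The five steps above (and the MAC-table rules listed earlier under "MAC Address Table") can be put together as one small VLAN-aware switch model. The following Python is an added example, not code from this guide: it learns source MACs per VLAN with a 300-second aging timer, relearns a MAC that shows up on a different port, floods unknown unicast and group addresses to every other port in the VLAN, drops a frame whose destination sits behind the ingress port, tags frames on trunk egress except for the native VLAN, and refuses to learn or forward through ports that STP has not put into forwarding. Port names, MAC addresses and VLAN numbers are constructed; IGMP snooping and ACLs are not modelled.

```python
"""Simulate a switch's per-frame learn / lookup / forward-or-flood decision.

Added example, not code from the guide: VLAN-aware MAC table with aging,
trunk tagging on egress and an STP port-state gate. Names are constructed.
"""
from dataclasses import dataclass

DEFAULT_AGING = 300  # seconds, the default aging time cited in the guide
BROADCAST = "FF:FF:FF:FF:FF:FF"


@dataclass
class Port:
    name: str
    mode: str = "access"              # "access" or "trunk"
    vlan: int = 1                     # access VLAN, or native VLAN on a trunk
    allowed: frozenset = frozenset()  # trunk allowed-VLAN list; empty = all
    stp_state: str = "forwarding"     # blocking | listening | learning | forwarding


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, ports, aging=DEFAULT_AGING):
        self.ports = {p.name: p for p in ports}
        self.table = {}          # (vlan, mac) -> (port name, last-seen timestamp)
        self.aging = aging

    def _expire(self, now):
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.aging]
        for k in stale:
            del self.table[k]

    def _carries(self, port, vlan):
        if port.mode == "access":
            return port.vlan == vlan
        return not port.allowed or vlan in port.allowed

    def _egress(self, port, vlan):
        """Trunks tag every VLAN except their native VLAN; access ports never tag."""
        tag = vlan if (port.mode == "trunk" and vlan != port.vlan) else None
        return (port.name, tag)

    def receive(self, in_port, src, dst, now, tag_vid=None):
        """Process one frame; return [(egress port, tag VID or None), ...]."""
        self._expire(now)
        port = self.ports[in_port]
        if port.stp_state in ("blocking", "listening"):
            return []                            # STP: neither learn nor forward
        # Ingress VLAN: the access VLAN, or the tag VID on a trunk (untagged = native)
        vlan = port.vlan if port.mode == "access" or tag_vid is None else tag_vid
        if not self._carries(port, vlan):
            return []                            # VLAN not in the trunk's allowed list
        # Learn: (re)associate the source MAC with the ingress port and refresh the timer
        self.table[(vlan, src)] = (in_port, now)
        if port.stp_state == "learning":
            return []                            # learning state: populate table only
        candidates = [p for p in self.ports.values()
                      if p.name != in_port and p.stp_state == "forwarding"
                      and self._carries(p, vlan)]
        if not is_group_address(dst):
            entry = self.table.get((vlan, dst))
            if entry is not None:                # known unicast
                out_name, _ = entry
                if out_name == in_port:
                    return []                    # destination is behind the ingress port
                out = self.ports[out_name]
                if out.stp_state == "forwarding" and self._carries(out, vlan):
                    return [self._egress(out, vlan)]
                return []
        # Unknown unicast, broadcast or multicast: flood everything except the ingress port
        return sorted(self._egress(p, vlan) for p in candidates)


def build_demo_switch() -> Switch:
    """Constructed: two access ports in VLAN 10, one in VLAN 20, one trunk (native 99)."""
    return Switch([Port("fa0/1", vlan=10), Port("fa0/2", vlan=10), Port("fa0/3", vlan=20),
                   Port("gi0/1", "trunk", 99, frozenset({10, 20}))])


if __name__ == "__main__":
    sw = build_demo_switch()
    a, b = "00:00:00:00:00:0A", "00:00:00:00:00:0B"
    print("unknown unicast:", sw.receive("fa0/1", a, b, now=0))   # floods fa0/2 and trunk
    print("reply, now known:", sw.receive("fa0/2", b, a, now=1))  # only fa0/1
    print("broadcast:", sw.receive("fa0/1", a, BROADCAST, now=2))
```

Running the demo shows the flood going only to the other VLAN 10 ports (tagged on the trunk, untagged on the access port), then collapsing to a single egress port once the reply has populated the table. Two edge cases from the exam list are easy to try against this model: sending a frame from a MAC on a different port moves the table entry, and advancing `now` past 300 seconds empties it so the next frame floods again.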
In a typical enterprise campus network, Ethernet switching and VLANs are deployed to segment departments, improve security, and reduce broadcast traffic. For example, a university may have separate VLANs for students, faculty, and administration. Each VLAN is assigned a unique IP subnet (e.g., 10.1.1.0/24 for students, 10.1.2.0/24 for faculty). Access switches are configured with port security to allow only one MAC address per port, preventing unauthorized devices from connecting. Trunk links between access switches and distribution switches carry multiple VLANs using 802.1Q tagging. The native VLAN is changed from the default VLAN 1 to an unused VLAN (e.g., VLAN 999) to prevent VLAN hopping attacks. STP is configured with Rapid Spanning Tree (RSTP) for fast convergence, and root bridges are manually elected by setting the priority lower (e.g., 4096) on the core switch.
A common issue in production is a native VLAN mismatch on a trunk. For example, if Switch A has native VLAN 99 and Switch B has native VLAN 1, the trunk may still come up, but control traffic (CDP, STP BPDUs) will be misdirected, potentially causing a loop or connectivity loss. The solution is to ensure consistent native VLAN configuration on both ends.
Another scenario is a VTP disaster: an engineer connects a new switch with a higher VTP revision number to the network, and within seconds, all VLANs are deleted from the domain. This is why best practice is to set VTP to transparent mode or disable it entirely. In cloud environments, virtual switches (e.g., VMware vSwitch or AWS VPC) implement similar VLAN concepts but with software-defined networking. For instance, a VMware vSwitch can be configured with VLAN tagging (VST mode) to isolate virtual machines. Misconfiguration can lead to VM-to-VM communication failures if port groups are not assigned correctly.
Performance considerations: The MAC address table size varies by switch model – enterprise switches may support 32,000 to 128,000 entries. Exceeding this limit can cause flooding of all unknown unicast traffic, degrading performance. Monitoring CAM table utilization is important. Also, STP convergence time can be an issue in large networks; using RSTP or MSTP (Multiple Spanning Tree) helps. For high availability, link aggregation (LACP) is used to bundle multiple physical links into one logical trunk, increasing bandwidth and providing redundancy.
The N10-009 exam (Objective 2.1 – Given a scenario, configure and deploy Ethernet switching and VLANs) tests your ability to configure switches, troubleshoot issues, and understand frame forwarding. Expect multiple-choice questions that present a scenario and ask for the correct command or concept. The most common wrong answers include:
1. Confusing hub and switch behavior – Candidates often think a switch floods all frames like a hub. Remember: switches flood only unknown unicast and broadcast frames.
2. Mixing up VLAN ranges – Some think VLANs 1002-1005 are extended VLANs; they are actually reserved (FDDI/Token Ring). Normal VLANs are 1-1005.
3. Assuming all trunk ports tag the native VLAN – The native VLAN is untagged on a trunk. A common trick question: 'Which VLAN is untagged on a trunk?' Answer: the native VLAN.
4. Forgetting STP port states – The exam may ask how long a port stays in the listening state (15 seconds). Many confuse forward delay (15 sec) with max age (20 sec).
5. Port security violation modes – Shutdown is the default; protect drops silently; restrict logs. The exam may ask which mode sends a syslog message (restrict).
Key numbers to memorize:
MAC address table aging: 300 seconds
STP hello: 2 seconds
STP forward delay: 15 seconds
STP max age: 20 seconds
802.1Q tag size: 4 bytes
Default native VLAN: 1
VLAN ID maximum: 4094
Port security default max MAC: 1
DTP modes: dynamic desirable, dynamic auto, trunk, access
VTP modes: server, client, transparent
Edge cases the exam loves:
A switch receives a frame with source MAC already in table but on a different port – the switch updates the table (relearns).
Two switches connected with redundant links – STP blocks one; if the root bridge fails, convergence takes 30-50 seconds with 802.1D.
A trunk port with allowed VLAN list – if a VLAN is not allowed, frames from that VLAN are dropped.
Private VLAN isolated ports – cannot communicate with each other.
How to eliminate wrong answers: Understand the underlying mechanism. For example, if a question asks 'What happens when a switch receives a frame with a destination MAC not in the table?', the answer is 'flood the frame to all ports except the ingress port.' Wrong answers might include 'drop the frame' or 'forward to the default gateway' – these are incorrect because switches do not drop unknown unicasts (they flood).
Study the output of show mac-address-table, show vlan brief, and show interfaces trunk – the exam may present output and ask for interpretation. For instance, if show interfaces trunk shows 'Native VLAN mismatch', the correct action is to correct the native VLAN on one side.
Switches learn MAC addresses by reading the source MAC of incoming frames and storing it in the MAC address table with a 300-second aging timer.
Unknown unicast frames are flooded to all ports except the ingress port; broadcast frames are always flooded.
VLANs create separate broadcast domains; communication between VLANs requires a Layer 3 device.
802.1Q trunk tags add a 4-byte header with VLAN ID (12 bits, up to 4094).
Native VLAN is untagged on a trunk; mismatched native VLANs cause control plane issues.
STP prevents loops with BPDUs; default timers: Hello 2s, Forward Delay 15s, Max Age 20s.
RSTP (802.1w) provides faster convergence (seconds vs 30-50s).
Port security default violation mode is shutdown (err-disabled).
VTP is dangerous; use transparent mode or disable it.
DTP should be disabled on access ports with 'switchport nonegotiate'.
These come up on the exam all the time. Here's how to tell them apart.
Store-and-Forward Switching
Receives entire frame before forwarding
Checks FCS for errors, discards corrupt frames
Higher latency (depends on frame size)
More reliable – no error propagation
Used in most enterprise switches
Cut-Through Switching
Forwards as soon as destination MAC is read (first 6 bytes)
Does not check FCS – may forward errors
Lowest latency (few microseconds)
Less reliable – corrupt frames consume bandwidth
Used in latency-sensitive environments (HPC, trading)
Mistake
Switches forward all frames to all ports like hubs.
Correct
Switches selectively forward frames based on MAC address table. Only unknown unicast and broadcast frames are flooded. Known unicast frames are sent only to the destination port.
Mistake
VLAN 1 is the default and can be deleted.
Correct
VLAN 1 is the default VLAN and cannot be deleted. It exists on all switches and is used for management and control traffic (CDP, VTP, STP).
Mistake
All VLANs are tagged on a trunk port.
Correct
The native VLAN is untagged on a trunk. Only non-native VLANs are tagged with 802.1Q. Mismatched native VLANs can cause issues.
Mistake
Port security violation 'shutdown' mode only shuts down the port temporarily.
Correct
Shutdown mode places the port in err-disabled state, requiring manual intervention (shutdown/no shutdown) or automatic recovery (errdisable recovery).
Mistake
STP blocks all redundant links permanently.
Correct
STP blocks redundant links only until a topology change occurs. If the primary link fails, STP transitions a blocked port to forwarding state after convergence (listening + learning = 30 seconds).
A hub operates at Layer 1 and repeats all electrical signals out all ports, creating a single collision domain. A switch operates at Layer 2, uses MAC addresses to forward frames selectively, and each port is its own collision domain. Switches improve performance and security by isolating traffic.
When a switch receives a frame, it reads the source MAC address and records it in the MAC address table along with the ingress port. If the MAC is already in the table, the switch refreshes the aging timer (default 300 seconds). This process is called 'learning'.
VLANs logically segment a switch into multiple isolated broadcast domains. This reduces broadcast traffic, improves security by separating sensitive traffic, and allows grouping of users regardless of physical location. Devices in different VLANs cannot communicate without a router or Layer 3 switch.
A trunk port carries traffic for multiple VLANs over a single link. It uses 802.1Q tagging to identify which VLAN a frame belongs to. The switch inserts a 4-byte tag containing the VLAN ID into the frame. The native VLAN is sent untagged. Trunks are used between switches and to routers (router-on-a-stick).
The native VLAN is the VLAN that is not tagged on a trunk. By default, it is VLAN 1. It is used for control traffic (CDP, VTP, STP BPDUs). If the native VLAN mismatches on two ends of a trunk, control traffic may be misdirected, causing STP issues or VLAN hopping. Best practice is to change the native VLAN to an unused VLAN.
Spanning Tree Protocol (STP) prevents loops in redundant network topologies. Switches exchange BPDUs to elect a root bridge, then determine root ports, designated ports, and block redundant paths. Ports transition through blocking (20s), listening (15s), learning (15s), and forwarding. RSTP provides faster convergence.
Use global config: 'vlan 10' then 'name HR'. To assign a port: interface config: 'switchport mode access', 'switchport access vlan 10'. Verify with 'show vlan brief'.