VLANs · 802.1Q Trunking · STP/RSTP · EtherChannel · Wireless LAN · L2 Security
Domain 2 of the CCNA 200-301 exam (~20% of questions). Covers VLANs, 802.1Q trunking, Spanning Tree Protocol, EtherChannel, wireless LAN architecture, and Layer 2 security mechanisms.
| Domain | Weight | Key Topics |
|---|---|---|
| 1. Network Fundamentals | 20% | OSI, TCP/IP, IPv4/IPv6, TCP/UDP, switching, cloud |
| 2. Network Access | 20% | VLANs, STP, wireless, L2 security |
| 3. IP Connectivity | 25% | Routing, OSPF, static routes, FHRP |
| 4. IP Services | 10% | NAT, DHCP, DNS, NTP, SNMP, QoS |
| 5. Security Fundamentals | 15% | ACLs, VPN, AAA, threats, hardening |
| 6. Automation & Programmability | 10% | REST APIs, Python, Ansible, SD-WAN |
Virtual LANs segment broadcast domains on a single physical switch. Logical separation without needing separate hardware. Access ports carry one VLAN (untagged); trunk ports carry multiple VLANs (802.1Q tagged). Native VLAN frames travel untagged on trunk links.
IEEE standard that inserts a 4-byte tag into Ethernet frames to identify the VLAN. Tag fields: TPID (0x8100), PCP (3-bit QoS priority), DEI (drop eligible indicator), VID (12-bit VLAN ID supporting 1–4094 VLANs). Native VLAN frames are sent untagged.
Spanning Tree Protocol prevents L2 loops by blocking redundant paths. Port roles: Root Port (RP) — best path to root; Designated Port (DP) — forwarding port on each segment; Non-Designated — blocked to prevent loops. RSTP adds Alternate and Backup roles.
Bundles 2–8 parallel physical links into one logical link. Provides load balancing and redundancy. STP sees the bundle as a single link — no ports are blocked. Negotiated via LACP (IEEE 802.3ad, open) or PAgP (Cisco proprietary), or configured statically.
Autonomous APs are standalone and self-configured. Lightweight APs rely on a WLC (Wireless LAN Controller) for centralized management via CAPWAP tunnels (UDP 5246/5247). WLC handles roaming, RF management, QoS, and security policy at scale.
Three key mitigations: Port Security — limits MACs per port, shuts on violation; DHCP Snooping — blocks rogue DHCP servers on untrusted ports, builds binding table; DAI (Dynamic ARP Inspection) — validates ARP against snooping table, stops ARP spoofing.
VLANs logically segment a switched network into separate broadcast domains. 802.1Q trunking carries multiple VLANs across a single physical link between switches or between a switch and router.
Without VLANs, all ports on a switch share one broadcast domain — every broadcast reaches every device. VLANs partition this into multiple smaller broadcast domains, reducing unnecessary traffic and improving security. Devices in different VLANs cannot communicate without a Layer 3 device (router or L3 switch).
| VLAN Range | Type | Notes |
|---|---|---|
| 1 | Default VLAN | All ports belong here by default; cannot be deleted |
| 2 – 1001 | Normal Range | Standard VLANs for user configuration |
| 1002 – 1005 | Legacy Reserved | Reserved for FDDI and Token Ring; cannot be used or deleted |
| 1006 – 4094 | Extended Range | Requires VTP transparent mode or VTPv3; stored in running-config |
Assigned to a single VLAN. Frames are sent and received without any 802.1Q tag. Connected to end devices (PCs, printers, IP phones). The switch adds/removes the tag internally.
Config: switchport mode access → switchport access vlan X
Carries multiple VLANs simultaneously. Frames are tagged with 802.1Q headers (except native VLAN frames). Used on switch-to-switch links and switch-to-router links.
Config: switchport mode trunk → switchport trunk allowed vlan X,Y,Z
| Field | Size | Value / Purpose |
|---|---|---|
| TPID (Tag Protocol ID) | 16 bits | 0x8100 — identifies frame as 802.1Q tagged |
| PCP (Priority Code Point) | 3 bits | QoS class of service (0–7); higher = higher priority |
| DEI (Drop Eligible Indicator) | 1 bit | Marks frame as drop-eligible during congestion |
| VID (VLAN Identifier) | 12 bits | VLAN number (0–4095); 0 and 4095 reserved → usable 1–4094 |
The 4-byte 802.1Q tag is inserted into the Ethernet frame between the Source MAC address and the EtherType/Length field. The native VLAN does not receive a tag — frames are forwarded as-is.
Frames belonging to the native VLAN are transmitted untagged on an 802.1Q trunk. Both ends of the trunk must be configured with the same native VLAN — a mismatch causes STP topology issues, CDP warnings, and potential traffic misdelivery. Best practice: change native VLAN away from VLAN 1 and make it unused.
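The tag layout described above, as an added example that is not part of the original page: a small parser that walks the 4-byte tags sitting between the source MAC and the EtherType, treats a tagless frame as native-VLAN traffic, and flags the nested-tag layout that VLAN hopping relies on (useful for a monitoring point on a trunk). The sample frames are constructed here, not captured traffic.

```python
import struct

TPID_8021Q = 0x8100  # TPID from the 802.1Q tag table: marks the next 2 bytes as a TCI


def parse_ethernet(frame: bytes) -> dict:
    """Parse a raw Ethernet frame, peeling every 802.1Q tag found after the source MAC.

    Returns dst/src MAC, the tags found (outer first), the final EtherType and the
    payload. 'native' is True when no tag is present (how native-VLAN frames look on
    a trunk); 'double_tagged' flags the nested-tag layout used by VLAN hopping.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    offset, tags = 12, []
    # Each tag is 4 bytes: 16-bit TPID then 16-bit TCI = PCP(3) | DEI(1) | VID(12).
    while struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        if offset + 6 > len(frame):       # need the 4-byte tag plus a following EtherType
            raise ValueError("truncated frame inside VLAN tag(s)")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {"dst": dst, "src": src, "tags": tags, "native": not tags,
            "double_tagged": len(tags) >= 2, "ethertype": ethertype,
            "payload": frame[offset + 2:]}


def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Build a frame with zero or more 802.1Q tags (outer tag first) for testing."""
    hdr = dst + src
    for vid in vids:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1-4094; 0 and 4095 are reserved")
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not captured traffic): an IPv4 frame on VLAN 10 with
# PCP 5, an untagged (native VLAN) frame, and a double-tagged ARP frame whose
# outer tag is VLAN 1 and inner tag is VLAN 20.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
VLAN10_FRAME = build_frame(DST, SRC, [10], 0x0800, bytes(20), pcp=5)
NATIVE_FRAME = build_frame(DST, SRC, [], 0x0800, bytes(20))
DOUBLE_TAG_FRAME = build_frame(DST, SRC, [1, 20], 0x0806, bytes(28))
```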
Cisco proprietary protocol that auto-negotiates trunk links between switches. Modes: dynamic auto (passive, waits), dynamic desirable (actively negotiates). Best practice: disable DTP with switchport nonegotiate and manually configure trunk/access mode to prevent VLAN hopping attacks.
One physical router interface connected to a trunk port. Multiple subinterfaces are created on the router — one per VLAN — each configured with encapsulation dot1q VLAN_ID. Router performs L3 routing between VLANs. Simple but single point of congestion.
Virtual Layer 3 interface created on a multilayer switch — one SVI per VLAN. The switch performs routing internally between VLANs without needing an external router. More scalable and faster than Router-on-a-Stick. Command: interface vlan X → assign IP → ip routing.
STP (802.1D) and RSTP (802.1w) prevent Layer 2 loops in switched networks. Without STP, redundant links cause broadcast storms that can crash a network within seconds.
Ethernet frames have no TTL (unlike IP packets). If a loop exists, a broadcast frame circulates forever — this is called a broadcast storm. It consumes 100% of bandwidth and CPU, crashing all switches in the loop. STP solves this by logically blocking redundant paths while keeping them as standby failover paths.
Total convergence time: ~30–50 seconds
Bridge ID = 2-byte Priority + VLAN ID + 6-byte MAC
The switch with the lowest Bridge ID becomes the root bridge. Default priority = 32768. If priorities tie, lowest MAC address wins.
All ports on the root bridge are Designated Ports (forwarding).
Best practice: manually set the root bridge priority to ensure predictable topology.
Non-root switches elect a Root Port (RP) — the port with the lowest cumulative path cost to the root bridge.
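The root bridge election and root-path cost computation above, as an added example that is not from the page: Bridge IDs are built from the (priority + VLAN ID) field and the MAC, the lowest wins with MAC as tie-breaker, and cumulative path cost to the root is computed with Dijkstra over constructed 802.1D link costs. The topology, switch names and MACs are assumptions made up for the example.

```python
import heapq
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768  # Cisco accepts 0-61440 in steps of 4096


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                          # 6-byte MAC as "00:1a:2b:00:00:03"
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self, vlan: int) -> int:
        """8-byte Bridge ID: 2-byte (priority + VLAN ID) followed by the 6-byte MAC."""
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be 0-61440 in steps of 4096")
        return ((self.priority + vlan) << 48) | int(self.mac.replace(":", ""), 16)


def elect_root(switches, vlan: int) -> Switch:
    """Lowest Bridge ID wins; equal priorities are broken by the lowest MAC."""
    return min(switches, key=lambda s: s.bridge_id(vlan))


def path_costs(root: str, links) -> dict:
    """Lowest cumulative path cost from every switch to the root (Dijkstra over
    802.1D per-link costs, e.g. 19 for 100 Mb/s, 4 for 1 Gb/s); a switch's root
    port is the port on which this minimum is reached."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best, heap = {root: 0}, [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue
        for nxt, c in graph.get(node, []):
            if cost + c < best.get(nxt, float("inf")):
                best[nxt] = cost + c
                heapq.heappush(heap, (cost + c, nxt))
    return best


# Constructed topology (not from the page): three switches in VLAN 10. SW3's priority
# was lowered manually so that it wins; with defaults, SW2 would win on lowest MAC.
SWITCHES = [Switch("SW1", "00:1a:2b:00:00:03"), Switch("SW2", "00:1a:2b:00:00:01"),
            Switch("SW3", "00:1a:2b:00:00:02", priority=24576)]
LINKS = [("SW1", "SW2", 19), ("SW2", "SW3", 4), ("SW1", "SW3", 19)]
```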
| Role | Location | State | Description |
|---|---|---|---|
| Root Port (RP) | Non-root switch | Forwarding | Best (lowest cost) path to root bridge — one per switch |
| Designated Port (DP) | Every segment | Forwarding | Best port on the segment toward root — all root bridge ports are DP |
| Non-Designated Port | Non-root switch | Blocking | Redundant port that is blocked to prevent loops |
| Disabled | Any | Disabled | Administratively shut down |
Alternate port = instant failover if root port fails (no recalculation needed)
| Feature | STP (802.1D) | RSTP (802.1w) |
|---|---|---|
| Convergence time | 30–50 seconds | <1 second |
| Port states | 5 (Blocking, Listening, Learning, Forwarding, Disabled) | 3 (Discarding, Learning, Forwarding) |
| Port roles | Root, Designated, Non-Designated | Root, Designated, Alternate, Backup |
| BPDU handling | Only root generates BPDUs | Every switch generates BPDUs every Hello time |
| Topology change | Propagated via TCN BPDUs (slow) | Flooded immediately (fast) |
| Backward compatible | — | Yes |
Allows an access port to skip the Listening and Learning states and go directly to Forwarding. Eliminates the 30-second wait when an end device connects. Only safe on ports connected to end hosts — never use on switch-to-switch links.
Enable: spanning-tree portfast
Global: spanning-tree portfast default
If a PortFast-enabled port receives a BPDU (which only switches send), BPDU Guard immediately error-disables the port. Protects against someone accidentally connecting a switch to an access port, which could destabilize the STP topology.
Enable: spanning-tree bpduguard enable
Recovery: shutdown → no shutdown
Bundles 2–8 physical links into one logical Port-Channel interface. STP sees a single logical link — no links are blocked. Provides load balancing across all member links based on a hash (src/dst MAC, IP, or port). If one link fails, traffic shifts to remaining links automatically.
LACP (802.3ad): active (initiates) / passive (responds). Active-Active or Active-Passive = forms. Passive-Passive = does NOT form.
PAgP (Cisco): desirable (initiates) / auto (responds). Desirable-Desirable or Desirable-Auto = forms. Auto-Auto = does NOT form.
Static: on. Simple but no mismatch detection.
Wireless networking requires understanding AP architectures, WLAN standards, and security protocols. Layer 2 security protects the switched network from common attacks like MAC flooding, VLAN hopping, and DHCP spoofing.
| Standard | Frequency | Max Speed | Key Feature |
|---|---|---|---|
| 802.11b | 2.4 GHz | 11 Mbps | Legacy; DSSS modulation |
| 802.11g | 2.4 GHz | 54 Mbps | OFDM; backward compatible with b |
| 802.11n (Wi-Fi 4) | 2.4 / 5 GHz | 600 Mbps | MIMO; channel bonding (40 MHz) |
| 802.11ac (Wi-Fi 5) | 5 GHz | 3.5 Gbps | MU-MIMO; 80/160 MHz channels; beamforming |
| 802.11ax (Wi-Fi 6) | 2.4 / 5 / 6 GHz | 9.6 Gbps | OFDMA; BSS coloring; improved dense environments |
2.4 GHz: longer range, more interference. Non-overlapping channels: 1, 6, and 11 (only 3). 5 GHz: more available channels, less interference, shorter range. WLC manages channel and power assignment automatically in enterprise deployments.
Self-contained AP that is individually configured per device. All wireless intelligence (SSID config, security, RF settings) resides on the AP itself. Suitable for small deployments. Does not scale well — managing 50+ APs individually is impractical.
Lightweight APs are "thin" — they forward all wireless traffic to the WLC (Wireless LAN Controller) via CAPWAP tunnels. WLC centrally manages RF channels, power, security policies, QoS, roaming, and firmware for all APs. Scales easily to hundreds of APs. CCNA exam favors this model for enterprise.
| Standard | Encryption | Authentication | Notes |
|---|---|---|---|
| WEP | RC4 (40/128-bit) | Open/Shared Key | Broken — do not use. Cracked in minutes. |
| WPA | TKIP/RC4 | PSK or 802.1X | Transitional — deprecated. TKIP is weak. |
| WPA2-Personal | CCMP/AES | PSK (passphrase) | Vulnerable to offline dictionary attacks via PMKID |
| WPA2-Enterprise | CCMP/AES | 802.1X/EAP + RADIUS | Per-user credentials; enterprise-grade |
| WPA3-Personal | CCMP/AES | SAE (dragonfly) | Resists offline attacks; forward secrecy |
| WPA3-Enterprise | GCMP-256 | 802.1X/EAP | 192-bit security mode; strongest option |
SAE (Simultaneous Authentication of Equals): WPA3's replacement for PSK. Uses a dragonfly handshake that is resistant to offline dictionary attacks and provides forward secrecy — past sessions cannot be decrypted even if the password is later compromised.
Attacker sends thousands of frames with fake source MACs, filling the switch's CAM table. Once full, the switch cannot learn new entries and begins flooding all frames to all ports — acting like a hub. Attacker can capture all traffic. Mitigated by Port Security.
Two methods: Double Tagging — attacker sends frame with two 802.1Q tags; switch strips outer tag, inner tag lands in victim VLAN; DTP Switch Spoofing — attacker tricks switch into forming a trunk using DTP. Mitigated by disabling DTP (switchport nonegotiate) and changing native VLAN.
DHCP Starvation: Attacker exhausts DHCP pool with fake MAC requests — legitimate clients cannot get IPs. DHCP Spoofing: Rogue DHCP server responds with malicious gateway/DNS — man-in-the-middle attack. Both mitigated by DHCP Snooping.
Attacker sends gratuitous ARP replies associating their MAC with a legitimate IP (often the gateway). Victims update their ARP cache — traffic flows to attacker instead. Enables man-in-the-middle attacks. Mitigated by Dynamic ARP Inspection (DAI).
Limits the number of valid MAC addresses per switch port. Violation modes:
Protect: Drops violating frames silently, no log
Restrict: Drops frames + increments violation counter + syslog
Shutdown (default): Error-disables the port immediately, sends SNMP trap
Sticky MACs: dynamically learned and saved to running-config
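The three violation modes and sticky learning above, as an added example that is not from the page: a simplified model of one access port that learns up to `maximum` MACs, then either drops silently (protect), drops and counts/logs (restrict), or err-disables the port (shutdown), and renders the sticky MACs as the running-config lines they would appear as. The syslog text is a simplified placeholder, not the real IOS message.

```python
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Simplified model of port security on one access port (constructed example)."""
    maximum: int = 1                   # maximum secure MACs (Cisco default is 1)
    violation: str = "shutdown"        # protect | restrict | shutdown (default)
    sticky: bool = False               # save learned MACs to running-config
    secure_macs: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.err_disabled:
            return "drop"
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)            # dynamically learned secure MAC
            return "forward"
        if self.violation == "protect":
            return "drop"                             # silent: no counter, no log
        self.violations += 1                          # restrict and shutdown both count
        self.syslog.append(f"port-security violation from {src_mac}")  # simplified message
        if self.violation == "shutdown":
            self.err_disabled = True                  # port err-disabled, SNMP trap sent
        return "drop"

    def recover(self) -> None:
        """Operator issues 'shutdown' then 'no shutdown' on the err-disabled port."""
        self.err_disabled = False

    def running_config(self) -> list:
        """Interface lines that would appear in running-config for this port."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}"
                      for m in sorted(self.secure_macs)]
        return lines
```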
Switch feature that classifies ports as trusted (uplinks to real DHCP server) or untrusted (access ports to clients). Blocks DHCP OFFER/ACK on untrusted ports. Builds a DHCP snooping binding table (MAC, IP, port, VLAN) used by DAI and IP Source Guard. Enable globally + per VLAN + mark uplinks trusted.
Validates ARP packets by checking them against the DHCP snooping binding table. If the MAC-IP mapping in an ARP reply doesn't match the binding table, the frame is dropped. Operates on untrusted ports. Requires DHCP snooping to be enabled first to populate the binding table.
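The DHCP Snooping and DAI behaviour described in the two paragraphs above, as an added example that is not from the page: a binding table populated from observed leases, a snooping filter that drops server messages on untrusted ports, and an ARP check that permits a reply on an untrusted port only when its sender MAC/IP (and, in this model, ingress port) match a binding. Port names, MACs and addresses are constructed for the example.

```python
from collections import namedtuple

Binding = namedtuple("Binding", "mac ip vlan port")


class SnoopingTable:
    """DHCP snooping binding table: one entry per completed lease, keyed by (MAC, VLAN)."""

    def __init__(self):
        self._entries = {}

    def record_lease(self, client_mac: str, ip: str, vlan: int, port: str) -> None:
        """Called when the switch sees a DHCP ACK reach a client on an untrusted port."""
        self._entries[(client_mac, vlan)] = Binding(client_mac, ip, vlan, port)

    def lookup(self, mac: str, vlan: int):
        return self._entries.get((mac, vlan))


def dhcp_snoop(msg: dict, trusted_ports: set) -> str:
    """DHCP snooping filter: server messages (OFFER/ACK/NAK) are dropped on untrusted ports."""
    if msg["type"] in {"OFFER", "ACK", "NAK"} and msg["port"] not in trusted_ports:
        return "drop"
    return "permit"


def dai_check(arp: dict, table: SnoopingTable, trusted_ports: set) -> str:
    """Dynamic ARP Inspection: on untrusted ports the sender MAC/IP must match a binding.
    This model also requires the ingress port to match the binding's port."""
    if arp["port"] in trusted_ports:
        return "permit"                     # trusted uplinks are not inspected
    b = table.lookup(arp["sender_mac"], arp["vlan"])
    if b is None or b.ip != arp["sender_ip"] or b.port != arp["port"]:
        return "drop"                       # no binding, or IP/port disagrees with it
    return "permit"


# Constructed scenario (not from the page): Gi0/24 is the uplink to the real DHCP
# server; a client on Gi0/1 holds a lease for 10.0.10.50 in VLAN 10.
TRUSTED = {"Gi0/24"}
TABLE = SnoopingTable()
TABLE.record_lease("0011.2233.4455", "10.0.10.50", 10, "Gi0/1")
LEGIT_ARP = {"port": "Gi0/1", "vlan": 10, "sender_mac": "0011.2233.4455", "sender_ip": "10.0.10.50"}
# A host on Gi0/2 answering for the gateway 10.0.10.1 with its own MAC (ARP spoofing).
SPOOFED_ARP = {"port": "Gi0/2", "vlan": 10, "sender_mac": "0011.2233.6666", "sender_ip": "10.0.10.1"}
ROGUE_OFFER = {"type": "OFFER", "port": "Gi0/2", "vlan": 10}   # rogue DHCP server on an access port
REAL_OFFER = {"type": "OFFER", "port": "Gi0/24", "vlan": 10}   # legitimate server behind the uplink
```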
Limits the rate of broadcast, multicast, or unknown unicast frames on a port. If the rate exceeds a configured threshold (as % of bandwidth or pps), frames are dropped or the port is shut down. Prevents broadcast storms from affecting the rest of the network.
Key commands and exam tips for Network Access & Switching:
| Command | Use |
|---|---|
| spanning-tree vlan X root primary | Make this switch the root bridge for VLAN X |
| shutdown / no shutdown or errdisable recovery | Recover an err-disabled port (e.g. after a BPDU Guard or Port Security violation) |
| show vlan brief | See VLANs and their assigned ports |
| show interfaces trunk | See active trunk ports and allowed VLANs |
| switchport access vlan 10 + switchport voice vlan 20 | Data VLAN and voice VLAN on the same access port |
| switchport nonegotiate | On manually configured trunk/access ports, to prevent VLAN hopping |