Switching & VLANs
1. Switch Operation & MAC Address Learning
How a Switch Forwards Frames
- Learn: when a frame arrives, the switch records the source MAC address and the ingress port in its MAC address table (CAM table). Learning is driven only by the source address of whatever arrives, nothing authenticates it, and the table has a fixed capacity; this is what MAC-flooding attacks abuse and why port security exists.
- Flood: if the destination MAC is unknown (unknown unicast), or is a broadcast or, without IGMP snooping, a multicast address, the switch floods the frame out all ports in that VLAN except the ingress port.
- Forward: if the destination MAC is known, the switch forwards the frame only out the port on which that MAC was learned.
- Filter: if the source and destination MACs were learned on the same port (for example, two hosts behind a hub), the frame is dropped rather than sent back out the port it came in on.
Duplex & Speed
- Half-duplex: can only send or receive at one time (hubs, legacy); collisions are possible and handled by CSMA/CD.
- Full-duplex: can send and receive simultaneously; standard for modern switched links; eliminates collisions.
Cisco Switch Port Security
Limits the number of source MAC addresses allowed on a port (default maximum is 1), which blunts MAC-flooding and rogue-device attacks on access ports. Secure MACs can be configured statically, learned dynamically, or learned "sticky" (written into the running configuration so they survive a reload). Violation modes: Shutdown (default; puts the port into the err-disabled state until an administrator resets it or errdisable recovery re-enables it), Restrict (drops offending frames, increments the violation counter, logs a syslog message and sends an SNMP trap), Protect (drops offending frames silently, with no counter and no notification). In Restrict and Protect mode, frames from the already-secured MACs continue to be forwarded.
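The learn / flood / forward / filter logic above, together with the three port-security violation modes, modelled in Python. This is an added example written for this page, not code from the page or from Cisco; the port names, MAC addresses and the LearningSwitch / PortSecurity classes are constructed for illustration, and the MAC-flooding attempt in demo() is a constructed scenario.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """The only Ethernet header fields a Layer 2 switch needs to look at."""
    src: str
    dst: str


@dataclass
class PortSecurity:
    """Cisco-style port security configuration and state for one port (constructed model)."""
    maximum: int = 1            # maximum secure MACs (IOS default is 1)
    mode: str = "shutdown"      # violation mode: shutdown (default), restrict, protect
    secure_macs: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False


class LearningSwitch:
    """Transparent bridge implementing learn / flood / forward / filter."""

    def __init__(self, ports, security=None):
        self.ports = list(ports)
        self.mac_table = {}             # CAM table: MAC address -> port
        self.security = security or {}  # port -> PortSecurity (optional)
        self.syslog = []                # messages a real switch would log or trap

    def _port_security_allows(self, frame, ingress):
        ps = self.security.get(ingress)
        if ps is None:
            return True                 # port security not configured here
        if ps.err_disabled:
            return False                # shut down: nothing passes until reset
        if frame.src in ps.secure_macs:
            return True
        if len(ps.secure_macs) < ps.maximum:
            ps.secure_macs.add(frame.src)   # dynamically learn a secure MAC
            return True
        if ps.mode == "protect":
            return False                # silent drop: no counter, no log
        ps.violations += 1              # restrict and shutdown both count and log
        self.syslog.append(f"{ingress}: violation #{ps.violations} by {frame.src}")
        if ps.mode == "shutdown":
            ps.err_disabled = True      # port goes err-disabled
        return False

    def receive(self, frame, ingress):
        """Process one frame; return the list of ports it is sent out of."""
        if not self._port_security_allows(frame, ingress):
            return []
        self.mac_table[frame.src] = ingress                      # 1. learn
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            return [p for p in self.ports if p != ingress]       # 2. flood
        egress = self.mac_table[frame.dst]
        if egress == ingress:
            return []                                            # 4. filter
        return [egress]                                          # 3. forward


def demo():
    """Exercise the four forwarding cases, then a MAC-flooding attempt (constructed)."""
    a, b, c, h = ("02:00:00:00:00:0a", "02:00:00:00:00:0b",
                  "02:00:00:00:00:0c", "02:00:00:00:00:0d")
    sw = LearningSwitch(
        ["Fa0/1", "Fa0/2", "Fa0/3"],
        security={"Fa0/3": PortSecurity(maximum=1, mode="shutdown")},
    )
    out = {}
    out["flood"] = sw.receive(Frame(a, b), "Fa0/1")      # b unknown: out every other port
    out["forward"] = sw.receive(Frame(b, a), "Fa0/2")    # a learned on Fa0/1: only that port
    # c shares Fa0/2 with b via a hub: frame c -> b arrives on the port b lives on
    out["filter"] = sw.receive(Frame(c, b), "Fa0/2")
    # legitimate host h on the secured port Fa0/3 becomes its one secure MAC
    out["secure_ok"] = sw.receive(Frame(h, a), "Fa0/3")
    # attacker on Fa0/3 sprays random source MACs to overflow the CAM table
    attacker = [f"02:de:ad:00:00:{i:02x}" for i in range(5)]
    out["attack"] = [sw.receive(Frame(m, BROADCAST), "Fa0/3") for m in attacker]
    out["after_attack"] = sw.receive(Frame(h, a), "Fa0/3")  # h is now locked out too
    out["cam_size"] = len(sw.mac_table)                     # attacker MACs never learned
    out["err_disabled"] = sw.security["Fa0/3"].err_disabled
    out["violations"] = sw.security["Fa0/3"].violations
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value}")
```

Note the trade-off the modes expose: Shutdown stops the attack after the first offending frame but also takes the legitimate host offline (a denial-of-service lever for anyone who can plug into that port), while Restrict keeps the secured MAC working and still leaves an audit trail.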
2. VLANs & Trunking
VLANs (Virtual Local Area Networks)
VLANs logically segment a network into separate broadcast domains without requiring physical separation. Benefits: security, performance, simplified management.
- Access port: carries traffic for a single VLAN, untagged; connects end devices.
- Trunk port: carries traffic for multiple VLANs using 802.1Q tagging; connects switches to switches or to routers.
- Native VLAN: the VLAN whose frames traverse a trunk untagged (default VLAN 1). Best practice: change it to an otherwise unused VLAN, set it identically on both ends of the trunk (a mismatch silently leaks untagged frames between two different VLANs), and keep no access ports in it. The reason is that an untagged frame's VLAN is implicit: a host in the native VLAN can send a double-tagged frame whose outer (native) tag is stripped at the first trunk, leaving the inner tag to place it in a VLAN it should not reach (VLAN hopping).
802.1Q Trunking
IEEE 802.1Q inserts a 4-byte tag into the Ethernet frame between the source MAC and EtherType fields: a 16-bit Tag Protocol Identifier (TPID, 0x8100) followed by 16 bits of Tag Control Information, made up of a 3-bit priority code point (PCP), a 1-bit drop eligible indicator (DEI) and a 12-bit VLAN ID (VID). The VID field has 4,096 values, but 0 (priority-tagged, no VLAN) and 4,095 are reserved, leaving 4,094 usable VLANs. Tags can be stacked (802.1ad/QinQ uses TPID 0x88A8 for the outer service tag), so anything parsing frames has to keep consuming tags until it reaches a non-tag EtherType.
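An added example, not code from the original page: a small Python parser and encoder for the 802.1Q tag layout described above, plus a deliberately simplified model of how a trunk treats the native VLAN. The frame bytes, the function names and the two-switch scenario in double_tag_outcome() are constructed here; the double-tag case is included because it is the reason the native VLAN should be an unused one.

```python
import struct

TPID_8021Q = 0x8100      # customer tag (C-tag)
TPID_8021AD = 0x88A8     # service tag (S-tag, QinQ); also valid as an outer tag
TPIDS = {TPID_8021Q, TPID_8021AD}
ETHERTYPE_IPV4 = 0x0800


def parse_frame(raw: bytes) -> dict:
    """Split an Ethernet frame into dst, src, stacked 802.1Q tags, EtherType and payload.

    Tags are returned outermost first, so a double-tagged frame shows two entries.
    """
    if len(raw) < 14:
        raise ValueError("too short for an Ethernet header")
    offset, tags = 12, []
    while True:
        if len(raw) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", raw, offset)
        if ethertype not in TPIDS:
            break                                   # reached the real EtherType
        if len(raw) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", raw, offset + 2)   # Tag Control Information
        tags.append({"tpid": ethertype,
                     "pcp": tci >> 13,              # 3-bit priority code point
                     "dei": (tci >> 12) & 1,        # drop eligible indicator
                     "vid": tci & 0x0FFF})          # 12-bit VLAN ID
        offset += 4
    return {"dst": raw[:6].hex(":"), "src": raw[6:12].hex(":"),
            "tags": tags, "ethertype": ethertype, "payload": raw[offset + 2:]}


def push_tag(raw: bytes, vid: int, pcp: int = 0, dei: int = 0,
             tpid: int = TPID_8021Q) -> bytes:
    """Insert a 4-byte tag between the source MAC and whatever follows it."""
    if not 1 <= vid <= 4094:                        # 0 = priority-only, 4095 = reserved
        raise ValueError("VID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 1) << 12) | vid
    return raw[:12] + struct.pack("!HH", tpid, tci) + raw[12:]


def pop_tag(raw: bytes) -> bytes:
    """Remove the outermost tag (the frame must carry one)."""
    if struct.unpack_from("!H", raw, 12)[0] not in TPIDS:
        raise ValueError("frame is not tagged")
    return raw[:12] + raw[16:]


def trunk_ingress(raw: bytes, native_vid: int) -> bytes:
    """Receiving side of an 802.1Q trunk: an untagged frame belongs to the native VLAN."""
    return raw if parse_frame(raw)["tags"] else push_tag(raw, native_vid)


def trunk_egress(raw: bytes, native_vid: int) -> bytes:
    """Sending side of an 802.1Q trunk: frames in the native VLAN leave untagged."""
    tags = parse_frame(raw)["tags"]
    return pop_tag(raw) if tags and tags[0]["vid"] == native_vid else raw


def double_tag_outcome(native_vid: int, outer_vid: int = 1, inner_vid: int = 20) -> int:
    """VLAN the far-end switch assigns to a double-tagged frame after one trunk hop.

    Constructed scenario: a host in VLAN outer_vid sends a frame carrying an outer tag
    of outer_vid and an inner tag of inner_vid across a trunk whose native VLAN is
    native_vid. Access-port handling on the first switch is left out of the model.
    """
    untagged = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
                + struct.pack("!H", ETHERTYPE_IPV4) + b"constructed payload")
    crafted = push_tag(push_tag(untagged, inner_vid), outer_vid)   # inner first, then outer
    on_wire = trunk_egress(crafted, native_vid)      # first switch's trunk port
    delivered = trunk_ingress(on_wire, native_vid)   # second switch's trunk port
    return parse_frame(delivered)["tags"][0]["vid"]


if __name__ == "__main__":
    print("native VLAN 1  ->", double_tag_outcome(native_vid=1))
    print("native VLAN 999 ->", double_tag_outcome(native_vid=999))
```

With the native VLAN left at 1, the first trunk strips the attacker's outer tag and the second switch reads the inner tag, so the frame ends up in VLAN 20; with the native VLAN moved to an unused ID, the outer tag survives the trunk and the frame stays in VLAN 1. The parser loops over stacked tags for the same reason: a monitoring tool that only reads the first tag would report the wrong VLAN for exactly these frames.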
Inter-VLAN Routing
- Router on a Stick: a single physical router interface split into sub-interfaces, one per VLAN, with a trunk link between the switch and the router; simple, but every inter-VLAN packet crosses that one link twice, so it is the bottleneck.
- Layer 3 Switch (SVI): a switch with IP routing capability; Switch Virtual Interfaces (SVIs), one per VLAN, route between VLANs in hardware at wire speed, with no external trunk needed.