Part II — Layer 2 Switching

§ 2 Ethernet, VLANs, STP, and Campus L2 Controls

Frame forwarding, VLAN tagging, VTP risks, STP/RSTP/MSTP convergence, LACP bundles, access-layer security, IPv6 first-hop protection, and why modern fabrics moved past STP.

1. § 2.1 — Ethernet Frame and MAC Forwarding

A switch learns from the source MAC on ingress and forwards by looking up the destination MAC inside the same VLAN. Unknown unicast, broadcast, and most multicast traffic is flooded only inside the VLAN boundary.

Structure | Lookup Shape            | Used For                 | Failure Mode
CAM       | Exact match MAC + VLAN  | L2 forwarding table      | Overflow causes unknown-unicast flooding
TCAM      | Ternary 0 / 1 / X match | ACL, QoS, routing policy | Exhaustion blocks new hardware-programmed policy

Minimal C Demo — MAC Learning Simulator

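The following C simulator is added here as an illustration and is not the page's own demo code. It models the (MAC, VLAN) CAM lookup from § 2.1 with a deliberately tiny table so the overflow failure mode from the table above is visible; the host MACs and port numbers are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Tiny CAM table keyed on (MAC, VLAN). CAM_SIZE is deliberately small so the
 * overflow failure mode is visible: a full table learns nothing new, and
 * frames to unlearned hosts keep being flooded inside the VLAN. */
#define CAM_SIZE 4
#define FLOOD   (-1)   /* returned when the frame must be flooded in its VLAN */
typedef struct { uint8_t mac[6]; uint16_t vlan; int port; int used; } CamEntry;
static CamEntry cam[CAM_SIZE];
static unsigned learn_failures;   /* learn attempts dropped because the table was full */
/* Constructed sample hosts (locally administered MACs). */
static const uint8_t H1[6] = {0x02,0,0,0,0,0x01}, H2[6] = {0x02,0,0,0,0,0x02},
                     H3[6] = {0x02,0,0,0,0,0x03}, H4[6] = {0x02,0,0,0,0,0x04};

static CamEntry *cam_find(const uint8_t *mac, uint16_t vlan) {
    for (int i = 0; i < CAM_SIZE; i++)
        if (cam[i].used && cam[i].vlan == vlan && memcmp(cam[i].mac, mac, 6) == 0)
            return &cam[i];
    return NULL;
}
/* Learn the source MAC on ingress: 1 = learned or refreshed, 0 = table full. */
static int cam_learn(const uint8_t *src, uint16_t vlan, int in_port) {
    CamEntry *e = cam_find(src, vlan);
    for (int i = 0; i < CAM_SIZE && !e; i++)
        if (!cam[i].used) e = &cam[i];
    if (!e) { learn_failures++; return 0; }
    memcpy(e->mac, src, 6); e->vlan = vlan; e->port = in_port; e->used = 1;
    return 1;
}
/* Process one frame: learn src, then look up dst within the same VLAN.
 * Returns the egress port, or FLOOD for broadcast and unknown unicast. */
static int switch_frame(const uint8_t *src, const uint8_t *dst, uint16_t vlan, int in_port) {
    static const uint8_t bcast[6] = {0xff,0xff,0xff,0xff,0xff,0xff};
    cam_learn(src, vlan, in_port);
    if (memcmp(dst, bcast, 6) == 0) return FLOOD;
    CamEntry *e = cam_find(dst, vlan);          /* VLAN is part of the key */
    return e ? e->port : FLOOD;
}

int main(void) {
    printf("H1->H2 first frame: %d (FLOOD is -1)\n", switch_frame(H1, H2, 10, 1));
    printf("H2->H1 reply: port %d\n", switch_frame(H2, H1, 10, 2));
    cam_learn(H3, 10, 3);
    printf("learn H4 when full: %d, failures=%u\n", cam_learn(H4, 10, 4), learn_failures);
    return 0;
}
```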

2. § 2.2 — VLAN, 802.1Q, and QinQ

An access port maps untagged host frames into one VLAN. A trunk carries multiple VLANs by inserting a 4-byte 802.1Q tag after the source MAC. QinQ adds a provider S-tag outside the customer C-tag so a service provider can transport overlapping customer VLAN IDs.

VLAN hopping abuses native VLAN behavior or Dynamic Trunking Protocol. The practical mitigations are simple: use an unused native VLAN, avoid VLAN 1 for user traffic, force access mode, and disable negotiation with switchport nonegotiate.

Minimal C Demo — VLAN Tag Inspector

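The following C tag inspector is added as an illustration and is not the page's own demo code. It walks the 802.1Q / 802.1ad tag stack described in § 2.2 (TPID, then TCI = PCP:3 DEI:1 VID:12) over constructed untagged, single-tagged, QinQ, and truncated frames; the MACs and VLAN IDs are made up.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define MAX_TAGS 2
typedef struct { int ntags; uint16_t tpid[MAX_TAGS], vid[MAX_TAGS];
                 uint8_t pcp[MAX_TAGS]; uint16_t ethertype; } TagInfo;
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
/* Walk the tag stack that follows the source MAC: TPID 0x8100 (802.1Q C-tag)
 * or 0x88A8 (802.1ad S-tag), each followed by a 16-bit TCI = PCP:3 DEI:1 VID:12.
 * Returns 0 on success, -1 if the frame is shorter than the headers it claims. */
static int inspect_tags(const uint8_t *f, size_t len, TagInfo *t) {
    size_t off = 12;                        /* skip dst + src MAC */
    t->ntags = 0;
    for (;;) {
        if (off + 2 > len) return -1;
        uint16_t et = be16(f + off);
        if ((et != 0x8100 && et != 0x88A8) || t->ntags == MAX_TAGS) {
            t->ethertype = et;              /* payload EtherType (or a 3rd TPID) */
            return 0;
        }
        if (off + 4 > len) return -1;       /* TPID present but TCI cut off */
        uint16_t tci = be16(f + off + 2);
        t->tpid[t->ntags] = et;
        t->pcp[t->ntags]  = (uint8_t)(tci >> 13);
        t->vid[t->ntags]  = tci & 0x0FFF;
        t->ntags++;
        off += 4;
    }
}
/* Wrappers: tag count (-1 on truncation) and VID of tag i (-1 if absent). */
static int tag_count(const uint8_t *f, size_t len) {
    TagInfo t; return inspect_tags(f, len, &t) < 0 ? -1 : t.ntags;
}
static int tag_vid(const uint8_t *f, size_t len, int i) {
    TagInfo t; return (inspect_tags(f, len, &t) < 0 || i >= t.ntags) ? -1 : t.vid[i];
}
/* Constructed frames: dst 02:..:02, src 02:..:01, then tags, then IPv4 EtherType. */
#define MACS 0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01
static const uint8_t UNTAGGED[] = { MACS, 0x08,0x00, 0x45 };
static const uint8_t SINGLE[]   = { MACS, 0x81,0x00, 0x20,0x0A, 0x08,0x00, 0x45 };  /* PCP 1, VID 10 */
static const uint8_t QINQ[]     = { MACS, 0x88,0xA8, 0x00,0x64, 0x81,0x00, 0x00,0x0A, 0x08,0x00, 0x45 };
static const uint8_t TRUNC[]    = { MACS, 0x81,0x00, 0x20 };   /* tag claimed, TCI missing */

int main(void) {
    printf("untagged: %d tags\n", tag_count(UNTAGGED, sizeof UNTAGGED));
    printf("single:   VID %d\n", tag_vid(SINGLE, sizeof SINGLE, 0));
    printf("QinQ:     S-VID %d, C-VID %d\n", tag_vid(QINQ, sizeof QINQ, 0), tag_vid(QINQ, sizeof QINQ, 1));
    return 0;
}
```

On an access port the inspector should report zero tags; any tagged or double-tagged frame arriving there is worth logging, since that is the shape the native-VLAN issue in the text takes.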

3. § 2.3 — VTP

VTP replicates the VLAN database across a domain, but the revision number is the trap: a switch with the same domain and a higher stale revision can overwrite the production VLAN database. Modern designs usually run transparent or off and let automation own VLAN state.

  • Server creates, modifies, and advertises VLANs.
  • Client accepts and forwards advertisements but cannot locally create VLANs.
  • Transparent keeps local VLANs and forwards VTP frames without synchronizing.
  • VTPv3 adds extended VLAN and private VLAN support plus stronger ownership controls.

4. § 2.4 — STP, RSTP, and MSTP

STP prevents L2 loops by electing the lowest bridge ID as root, selecting one root port per non-root switch, selecting one designated port per segment, and blocking the remaining redundant ports.

RSTP replaces timer-heavy convergence with a proposal/agreement handshake on point-to-point links. Edge ports can go straight to forwarding, but they should run BPDU Guard so accidental switch attachment is err-disabled immediately.

MSTP groups many VLANs into a small set of spanning-tree instances. The region is defined by name, revision, and VLAN-to-instance map; instance 0, the IST, connects the region to external STP domains.

Minimal C Demo — STP Root Election

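The following C election is added as an illustration and is not the page's own demo code. It implements the bridge ID ordering from § 2.4 (priority first, then MAC), elects a root over a constructed three-switch topology, and shows the superior-BPDU check that Root Guard / BPDU Guard exist for; bridge names, priorities, and MACs are made up.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

typedef struct { const char *name; uint16_t priority; uint8_t mac[6]; } Bridge;

/* Bridge ID ordering used by the root election: lower priority wins, and a
 * priority tie is broken by the lower MAC. Returns <0 if a is superior to b,
 * 0 if identical, >0 if b is superior. */
static int bid_cmp(const Bridge *a, const Bridge *b) {
    if (a->priority != b->priority) return a->priority < b->priority ? -1 : 1;
    return memcmp(a->mac, b->mac, 6);
}

/* Elect the root across n bridges; returns the index of the winner. */
static int elect_root(const Bridge *br, int n) {
    int root = 0;
    for (int i = 1; i < n; i++)
        if (bid_cmp(&br[i], &br[root]) < 0) root = i;
    return root;
}

/* Would a newly heard bridge ID displace the current root? This is the
 * superior-BPDU case that Root Guard / BPDU Guard exist to stop on ports
 * that should never originate a better root. */
static int preempts_root(const Bridge *root, const Bridge *newcomer) {
    return bid_cmp(newcomer, root) < 0;
}

/* Constructed topology. 32768 is the usual default priority; core-1 is
 * deliberately lowered to 4096 and has the highest MAC, to show that
 * priority is compared before MAC. */
static const Bridge NET[] = {
    { "access-1", 32768, {0x00,0x11,0x22,0x00,0x00,0x01} },
    { "core-1",    4096, {0x00,0x11,0x22,0x00,0x00,0xFF} },
    { "access-2", 32768, {0x00,0x11,0x22,0x00,0x00,0x02} },
};
/* An unmanaged device announcing priority 0, as heard on an edge port. */
static const Bridge STRAY = { "stray", 0, {0x00,0xAA,0xBB,0xCC,0xDD,0xEE} };

int main(void) {
    int n = (int)(sizeof NET / sizeof NET[0]);
    printf("root: %s\n", NET[elect_root(NET, n)].name);
    printf("access-1 vs access-2 (same priority): %s wins on MAC\n",
           bid_cmp(&NET[0], &NET[2]) < 0 ? NET[0].name : NET[2].name);
    printf("stray would preempt root: %d\n", preempts_root(&NET[elect_root(NET, n)], &STRAY));
    return 0;
}
```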

5. § 2.5 — EtherChannel and LACP

EtherChannel bundles physical links into one logical port-channel. LACP exchanges actor and partner information, verifies matching keys and speed, and then selects active members. Per-flow hashing preserves packet order, which also means one large flow cannot use every member link at once.

  • channel-group 1 mode active initiates LACP.
  • mode passive responds but does not initiate.
  • mode on is static and should match exactly on both sides.
  • port-channel min-links 2 prevents degraded asymmetric operation.

6. § 2.6 — Switchport Security

Access-layer security is a chain. Port security constrains learned MAC addresses; DHCP snooping identifies legitimate leases; Dynamic ARP Inspection validates ARP against those bindings; IP Source Guard filters source IP and MAC on the access port.

Feature         | Stops                                               | Key Command
Port Security   | MAC churn, simple hub attachment, CAM abuse per port | switchport port-security maximum 2
DHCP Snooping   | Rogue DHCP servers                                  | ip dhcp snooping vlan 10
DAI             | ARP spoofing                                        | ip arp inspection vlan 10
IP Source Guard | Source IP spoofing                                  | ip verify source
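The following C model is added as an illustration and is not the page's own code. It shows how the § 2.6 chain fits together: DHCP snooping builds a (port, VLAN, MAC, IP) binding only from ACKs seen on the trusted uplink, and DAI and IP Source Guard then enforce ARP and IP traffic against that same table. Port numbers, VLAN, MACs, and IPs are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define IP(a,b,c,d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MAX_BINDINGS 8
typedef struct { int port; uint16_t vlan; uint8_t mac[6]; uint32_t ip; } Binding;
static Binding table[MAX_BINDINGS];
static int nbind;
static const int TRUSTED_PORT = 24;   /* uplink toward the legitimate DHCP server (constructed) */
/* Constructed client MACs. */
static const uint8_t HOST_A[6] = {0x02,0,0,0,0,0xA1}, HOST_B[6] = {0x02,0,0,0,0,0xB2};

/* DHCP snooping: a DHCP ACK creates a binding only if it arrived on the trusted
 * port; an ACK from an untrusted port is treated as a rogue server and dropped. */
static int snoop_dhcp_ack(int server_port, int client_port, uint16_t vlan,
                          const uint8_t *client_mac, uint32_t leased_ip) {
    if (server_port != TRUSTED_PORT || nbind == MAX_BINDINGS) return 0;
    Binding *b = &table[nbind++];
    b->port = client_port; b->vlan = vlan; b->ip = leased_ip;
    memcpy(b->mac, client_mac, 6);
    return 1;
}
/* Shared lookup: is (port, vlan, mac, ip) exactly what snooping recorded? */
static int binding_ok(int port, uint16_t vlan, const uint8_t *mac, uint32_t ip) {
    for (int i = 0; i < nbind; i++)
        if (table[i].port == port && table[i].vlan == vlan && table[i].ip == ip &&
            memcmp(table[i].mac, mac, 6) == 0) return 1;
    return 0;
}
/* DAI checks the ARP body (sender MAC / sender IP) of packets from untrusted ports. */
static int dai_permit(int port, uint16_t vlan, const uint8_t *sender_mac, uint32_t sender_ip) {
    return port == TRUSTED_PORT || binding_ok(port, vlan, sender_mac, sender_ip);
}
/* IPSG checks the L2 source MAC and L3 source IP of every IP packet on the port. */
static int ipsg_permit(int port, uint16_t vlan, const uint8_t *src_mac, uint32_t src_ip) {
    return port == TRUSTED_PORT || binding_ok(port, vlan, src_mac, src_ip);
}

int main(void) {
    printf("ACK via trusted uplink -> binding: %d\n", snoop_dhcp_ack(24, 3, 10, HOST_A, IP(10,0,10,5)));
    printf("ACK from untrusted port 5 -> binding: %d\n", snoop_dhcp_ack(5, 7, 10, HOST_B, IP(10,0,10,99)));
    printf("ARP from A's port with A's IP: %d\n", dai_permit(3, 10, HOST_A, IP(10,0,10,5)));
    printf("ARP from port 5 claiming A's IP: %d\n", dai_permit(5, 10, HOST_B, IP(10,0,10,5)));
    printf("IP packet from A with a different source IP: %d\n", ipsg_permit(3, 10, HOST_A, IP(10,0,10,6)));
    return 0;
}
```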

7. § 2.7 — IPv6 First-Hop Security

IPv6 hosts learn default gateways from Router Advertisements, so a rogue RA can hijack traffic without DHCP. RA Guard drops RA messages on untrusted access ports; IPv6 Source Guard applies the same binding-table idea to SLAAC and DHCPv6 clients.

8. § 2.8 — TRILL and SPB

STP protects Ethernet by disabling redundant links. TRILL and SPB kept the L2 service model but used IS-IS control planes and shortest-path forwarding so all links could carry traffic. In most modern data centers, VXLAN/EVPN won because overlays scale the L2 service independently from the physical underlay.

9. Interview Prep

  • What does a switch learn from a frame? Source MAC, ingress port, and VLAN; destination MAC is used for lookup, not learning.
  • Why is native VLAN dangerous? Untagged trunk traffic can interact with double-tag attacks and mismatches; move it to an unused VLAN and disable DTP.
  • How does STP elect the root bridge? Lowest bridge ID wins: priority first, then MAC address.
  • Why can a port-channel be imbalanced? The hash maps each flow to one member link, so a small number of large flows may not distribute evenly.
  • How do DHCP snooping, DAI, and IPSG relate? DHCP snooping builds the trusted binding table; DAI and IPSG enforce ARP and IP traffic against it.