Network Access Study Guide

CCNA 200-301 Exam Domain 2 (20% of exam)

1. VLANs (Virtual LANs)

A VLAN (Virtual Local Area Network) is a logical grouping of devices that can communicate as if they were on the same physical network, regardless of their actual physical location. VLANs segment a single physical switch into multiple broadcast domains.

Key Concept: Each VLAN is its own broadcast domain. Broadcasts sent in one VLAN do not reach devices in other VLANs. Traffic between VLANs requires a Layer 3 device (router or Layer 3 switch).

Benefits of VLANs

VLAN Ranges

Range     VLAN Numbers  Purpose                              Notes
Normal    1-1005        Standard user VLANs                  Stored in vlan.dat (flash memory)
Extended  1006-4094     Additional VLANs for large networks  Requires VTP transparent mode or VTPv3
Reserved  1002-1005     Token Ring/FDDI VLANs                Cannot be deleted or modified

VLAN 1 is the default VLAN and cannot be deleted. All ports belong to VLAN 1 by default. For security, you should not use VLAN 1 for user traffic.

VLAN Configuration Commands

! Create a VLAN
Switch(config)# vlan 10
Switch(config-vlan)# name SALES

! Assign a port to a VLAN (access port)
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10

! Verify VLANs
Switch# show vlan brief
Switch# show vlan id 10
Switch# show interfaces switchport

Types of VLAN Ports

Port Type    Description                             VLAN Membership
Access Port  Connects to end devices (PCs, printers) Single VLAN only
Trunk Port   Connects switches or routers            Multiple VLANs (tagged)
Voice VLAN   Special access port for IP phones       Data VLAN + Voice VLAN

Voice VLAN Configuration

! Configure port for IP phone with PC behind it
Switch(config)# interface fastethernet 0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10    ! Data VLAN for PC
Switch(config-if)# switchport voice vlan 50     ! Voice VLAN for phone

Key Points for VLANs

  • VLANs create separate broadcast domains
  • VLAN 1 is the default and should not be used for user traffic
  • Normal VLANs: 1-1005; Extended: 1006-4094
  • Access ports carry one VLAN; trunk ports carry multiple VLANs
  • Voice VLANs allow IP phones and PCs on the same port

2. VLAN Trunking

A trunk is a point-to-point link that carries traffic for multiple VLANs between switches, or between a switch and a router. Trunk links use tagging to identify which VLAN each frame belongs to.

802.1Q Tagging

IEEE 802.1Q is the industry standard for VLAN tagging. It inserts a 4-byte tag into the Ethernet frame header.

802.1Q Frame Format:

+----------+----------+------+------+------+----------+-----+
| Dest MAC | Src MAC  | TPID | TCI  | Type | Payload  | FCS |
| 6 bytes  | 6 bytes  |  2   |  2   |  2   | 46-1500  |  4  |
+----------+----------+------+------+------+----------+-----+
                      |<-- 802.1Q Tag -->|

TPID (Tag Protocol ID): 0x8100 (indicates 802.1Q tagged frame)
TCI (Tag Control Information):
  - Priority (PCP): 3 bits - QoS priority (0-7)
  - DEI: 1 bit - Drop Eligible Indicator
  - VLAN ID (VID): 12 bits - VLAN number (0-4095)

Native VLAN: Frames on the native VLAN are NOT tagged on 802.1Q trunks. By default, the native VLAN is VLAN 1. Both sides of a trunk must have the same native VLAN configured.
Native VLAN mismatch between switches causes traffic to be forwarded to the wrong VLAN. This is both a security risk and an operational problem. Always ensure native VLANs match on both ends of a trunk.
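The tag layout and the native VLAN rule above can be checked in code. The following Python is an added example written for this guide (not code from the original page or from Cisco): it builds Ethernet II frames with and without an 802.1Q tag, decodes the TPID/PCP/DEI/VID fields, and shows how the same untagged frame lands in different VLANs on two trunk ends whose native VLANs do not match. The MAC addresses and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100      # Tag Protocol ID that marks an 802.1Q tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet II frame, inserting a 4-byte 802.1Q tag when vid is given.

    Constructed helper for this example. The FCS is omitted because NICs strip it
    before software sees the frame.
    """
    header = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vid is not None:
        if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
            raise ValueError("PCP is 3 bits, DEI is 1 bit, VID is 12 bits")
        tci = (pcp << 13) | (dei << 12) | vid          # TCI = PCP | DEI | VID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode the Ethernet header; tag fields are filled in only for tagged frames."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "pcp": None, "dei": None, "vid": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:                         # a tag is present: read the TCI
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        ethertype = struct.unpack("!H", frame[16:18])[0]  # real EtherType follows the tag
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def vlan_on_ingress(frame, native_vlan=1):
    """VLAN a trunk port assigns to a received frame.

    Untagged frames (and priority-tagged frames carrying VID 0) are placed in the
    receiving port's native VLAN. If the two ends of a trunk disagree on the
    native VLAN, untagged traffic silently crosses into the other VLAN.
    """
    info = parse_frame(frame)
    if not info["tagged"] or info["vid"] == 0:
        return native_vlan
    return info["vid"]


if __name__ == "__main__":
    payload = b"\x45" + b"\x00" * 19      # constructed dummy payload, not a real IPv4 packet
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                         ETHERTYPE_IPV4, payload, vid=10, pcp=5)
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                           ETHERTYPE_IPV4, payload)
    print(parse_frame(tagged))
    # The same untagged frame, received by two trunk ends with different native VLANs:
    print("side A (native 1)   ->", vlan_on_ingress(untagged, native_vlan=1))
    print("side B (native 999) ->", vlan_on_ingress(untagged, native_vlan=999))
```

The last two lines are the native VLAN mismatch from the note above in miniature: side A sends VLAN 1 traffic untagged, and side B files it under VLAN 999.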

Trunk Configuration Commands

! Configure a trunk port
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport trunk encapsulation dot1q    ! Required on some switches
Switch(config-if)# switchport mode trunk

! Change native VLAN (security best practice)
Switch(config-if)# switchport trunk native vlan 999

! Limit which VLANs can traverse the trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport trunk allowed vlan add 40
Switch(config-if)# switchport trunk allowed vlan remove 30

! Verify trunk configuration
Switch# show interfaces trunk
Switch# show interfaces gi0/1 switchport

Allowed VLANs on Trunk

By default, all VLANs (1-4094) are allowed on a trunk. For security and efficiency, you should limit this to only the VLANs that need to traverse the link.

Command                      Effect
allowed vlan 10,20,30        Replace allowed list with only these VLANs
allowed vlan add 40          Add VLAN 40 to existing allowed list
allowed vlan remove 20       Remove VLAN 20 from allowed list
allowed vlan all             Reset to allow all VLANs (default)
allowed vlan except 100-200  Allow all VLANs except 100-200

The "show interfaces trunk" command shows: trunking ports, their mode, native VLAN, allowed VLANs, and active VLANs. Active VLANs are VLANs that exist AND are allowed on the trunk.

3. Dynamic Trunking Protocol (DTP)

DTP is a Cisco proprietary protocol that automatically negotiates trunk links between switches. While convenient, it's generally recommended to disable DTP and manually configure trunk/access modes.

DTP Modes

Mode               Behavior                                             Sends DTP  Command
Dynamic Auto       Passively waits; becomes trunk if neighbor requests  Yes        switchport mode dynamic auto
Dynamic Desirable  Actively tries to form trunk                         Yes        switchport mode dynamic desirable
Trunk              Always trunk, still sends DTP by default             Yes*       switchport mode trunk
Access             Always access, still sends DTP by default            Yes*       switchport mode access

* Until "switchport nonegotiate" is configured on the interface (see Disabling DTP below).

DTP Negotiation Results

DTP Mode Combinations:

+------------------+----------+----------+--------+--------+
|                  | Desirable| Auto     | Trunk  | Access |
+------------------+----------+----------+--------+--------+
| Desirable        | Trunk    | Trunk    | Trunk  | Access |
| Auto             | Trunk    | Access   | Trunk  | Access |
| Trunk            | Trunk    | Trunk    | Trunk  | !!!    |
| Access           | Access   | Access   | !!!    | Access |
+------------------+----------+----------+--------+--------+
!!! = Limited connectivity / Misconfiguration

DTP is a security risk! An attacker can potentially negotiate a trunk with a switch, gaining access to multiple VLANs (VLAN hopping attack). Always disable DTP on access ports.

Disabling DTP (Best Practice)

! On access ports - disable DTP
Switch(config-if)# switchport mode access
Switch(config-if)# switchport nonegotiate

! On trunk ports - disable DTP negotiation
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate

! Verify DTP is disabled
Switch# show interfaces gi0/1 switchport
! Look for: Negotiation of Trunking: Off
The "switchport nonegotiate" command disables DTP on an interface. This is a security best practice for all ports, whether configured as access or trunk.
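A practical way to apply the trunking and DTP guidance from the last two sections is to audit a saved running-config for ports that still negotiate, trunks left on native VLAN 1 or allowing every VLAN, and access ports left in VLAN 1. The following Python is an added example for this guide, not a Cisco tool and not code from the original page; the running-config it reads is a constructed sample, and the parser only recognises the "switchport ..." commands shown on this page.

```python
from collections import defaultdict

# Constructed sample running-config for the example (not from a real device).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description Uplink to CORE
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Uplink to DIST
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/1
 description User PC
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description Printer
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
"""


def parse_interfaces(config_text):
    """Map each 'interface X' block to the list of its indented commands."""
    blocks = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None        # '!' or any other non-indented line ends the block
    return blocks


def audit_switchports(config_text):
    """Return {interface: [finding, ...]} for the Layer 2 weaknesses described above."""
    findings = defaultdict(list)
    for name, cmds in parse_interfaces(config_text).items():
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
        if mode in (None, "dynamic"):
            findings[name].append("no fixed mode: port is in dynamic mode and can form a trunk via DTP")
        if "switchport nonegotiate" not in cmds:
            findings[name].append("DTP still enabled (missing 'switchport nonegotiate')")
        if mode == "trunk":
            native = next((c.split()[-1] for c in cmds
                           if c.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                findings[name].append("trunk uses native VLAN 1 (default)")
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                findings[name].append("trunk allows all VLANs (no allowed-VLAN list)")
        elif mode == "access":
            if not any(c.startswith("switchport access vlan ") for c in cmds):
                findings[name].append("access port left in VLAN 1 (default)")
    return dict(findings)


if __name__ == "__main__":
    for interface, problems in audit_switchports(SAMPLE_CONFIG).items():
        print(interface)
        for problem in problems:
            print("  -", problem)
```

In the sample, GigabitEthernet0/2 and FastEthernet0/3 produce no findings because they follow every rule on this page; GigabitEthernet0/1 is a trunk with all three trunk weaknesses, and FastEthernet0/2 has no "switchport mode" line at all, so it would still negotiate.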

4. Inter-VLAN Routing

Since VLANs are separate broadcast domains, a Layer 3 device is required to route traffic between them. There are three main methods for inter-VLAN routing.

Method 1: Legacy Inter-VLAN Routing

Uses separate physical router interfaces for each VLAN. Rarely used due to limited scalability.

Legacy Inter-VLAN Routing:

            +-------------+
            |   Router    |
            | Fa0/0 Fa0/1 |
            +---+-----+---+
                |     |
        VLAN 10 |     | VLAN 20
            +---+-----+---+
            |   Switch    |
            +-------------+

Method 2: Router-on-a-Stick (ROAS)

Uses a single physical router interface with subinterfaces, one per VLAN. The switch port is configured as a trunk.

Router-on-a-Stick:

            +----------+
            |  Router  |
            |  Gi0/0   | (Trunk)
            |   .10    | - Subinterface for VLAN 10
            |   .20    | - Subinterface for VLAN 20
            +----+-----+
                 |
            +----+----+
            | Switch  | (Trunk port)
            +---------+
             |   |   |
            PC1 PC2 PC3
            V10 V10 V20

ROAS Configuration

! Router Configuration
Router(config)# interface gigabitethernet 0/0
Router(config-if)# no shutdown

! Create subinterface for VLAN 10
Router(config)# interface gigabitethernet 0/0.10
Router(config-subif)# encapsulation dot1q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0

! Create subinterface for VLAN 20
Router(config)# interface gigabitethernet 0/0.20
Router(config-subif)# encapsulation dot1q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0

! For native VLAN (no tag)
Router(config)# interface gigabitethernet 0/0.99
Router(config-subif)# encapsulation dot1q 99 native
Router(config-subif)# ip address 192.168.99.1 255.255.255.0

! Switch trunk configuration
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99

Method 3: Layer 3 Switch (SVI)

Uses Switch Virtual Interfaces (SVIs) on a Layer 3 switch. Most efficient method for enterprise networks.

! Enable IP routing on L3 switch
Switch(config)# ip routing

! Create SVI for VLAN 10
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown

! Create SVI for VLAN 20
Switch(config)# interface vlan 20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# no shutdown

! Verify SVIs
Switch# show ip interface brief
Switch# show interfaces vlan 10

SVI Requirements: For an SVI to be "up/up", the VLAN must exist, have at least one access port in that VLAN that is up, OR a trunk port carrying that VLAN that is up.

Comparison of Inter-VLAN Routing Methods

Feature      Legacy                            ROAS                    L3 Switch/SVI
Scalability  Poor (limited by physical ports)  Moderate                Excellent
Performance  Limited by links                  Limited by single link  Hardware-based, fast
Cost         High (needs many ports)           Low                     Higher initial, better long-term
Use Case     Legacy, rarely used               Small networks, labs    Enterprise networks

Know how to configure both ROAS subinterfaces and L3 switch SVIs. Remember: subinterface numbers don't have to match VLAN numbers, but it's a best practice for clarity.

5. Spanning Tree Protocol (STP)

STP prevents Layer 2 loops in redundant switched networks by blocking redundant paths. Without STP, broadcast storms, MAC table instability, and duplicate frames would crash the network.

Why We Need STP

Without STP - Layer 2 Loop:

+----------+                    +----------+
| Switch A |--------------------| Switch B |
+----+-----+                    +-----+----+
     |                                |
     +--------------------------------+  (redundant link)

A broadcast from any device would:
  1. Go to Switch A
  2. Forward out all ports (including to B)
  3. Switch B forwards back to A
  4. Infinite loop = Broadcast Storm!

STP Port States (802.1D)

State       Duration                Learns MAC  Forwards Data  Sends/Receives BPDU
Blocking    20 sec (Max Age)        No          No             Receives only
Listening   15 sec (Forward Delay)  No          No             Yes
Learning    15 sec (Forward Delay)  Yes         No             Yes
Forwarding  Stable state            Yes         Yes            Yes
Disabled    Admin disabled          No          No             No

STP Convergence Time: With 802.1D, it takes 30-50 seconds for a port to go from blocking to forwarding. This is why RSTP was developed - for faster convergence.

STP Port Roles

Role                      Description                                          State
Root Port (RP)            Best path to root bridge (one per non-root switch)   Forwarding
Designated Port (DP)      Best port on each segment toward root                Forwarding
Non-Designated / Blocked  Redundant ports that could cause loops               Blocking

Root Bridge Election

The switch with the lowest Bridge ID becomes the root bridge. All its ports become designated ports in forwarding state.

Bridge ID (8 bytes):

+----------------+------------------+
| Bridge Priority|   MAC Address    |
|   (2 bytes)    |    (6 bytes)     |
+----------------+------------------+

Priority: 0-65535 (default 32768)
Increments of 4096 due to Extended System ID

Extended Bridge ID:

+--------+----------+------------------+
|Priority| VLAN ID  |   MAC Address    |
| 4 bits | 12 bits  |    (6 bytes)     |
+--------+----------+------------------+

Example: Priority 32768 + VLAN 10 = 32778

STP Path Cost

Link Speed  IEEE Cost (Revised)  Legacy Cost
10 Mbps     2,000,000            100
100 Mbps    200,000              19
1 Gbps      20,000               4
10 Gbps     2,000                2

STP Decision Process

When determining which ports to block, STP uses this order of tiebreakers:

  1. Lowest Root Bridge ID - Elects the root bridge
  2. Lowest Root Path Cost - Determines root port
  3. Lowest Sender Bridge ID - Tiebreaker for designated port
  4. Lowest Sender Port ID - Final tiebreaker
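The Bridge ID layout, the revised IEEE path cost table and the four-step decision process above can be exercised together on a small topology. The Python below is an added example written for this guide (not code from the original page or from Cisco): it computes extended Bridge IDs (priority + VLAN, then MAC), elects the root, derives each switch's root path cost from the link speeds, and assigns root, designated and blocked roles using exactly the tiebreaker order listed. The three-switch topology, its MAC addresses and port numbers are constructed; port IDs are modelled as (port priority, port number) with the default priority of 128.

```python
from dataclasses import dataclass, field

# Revised IEEE costs from the path cost table (link speed in Mbps -> cost)
IEEE_COST = {10: 2_000_000, 100: 200_000, 1_000: 20_000, 10_000: 2_000}
DEFAULT_PORT_PRIORITY = 128


def bridge_id(priority, vlan, mac):
    """Extended Bridge ID as a comparable tuple: (priority + VLAN ID, MAC address)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 (0-61440)")
    return (priority + vlan, mac.lower())


@dataclass
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    speed_mbps: int

    def cost(self):
        return IEEE_COST[self.speed_mbps]


@dataclass
class Topology:
    vlan: int
    switches: dict = field(default_factory=dict)        # name -> Bridge ID
    links: list = field(default_factory=list)
    port_priority: dict = field(default_factory=dict)   # (switch, port) -> priority

    def add_switch(self, name, mac, priority=32768):
        self.switches[name] = bridge_id(priority, self.vlan, mac)

    def add_link(self, a, a_port, b, b_port, speed_mbps):
        self.links.append(Link(a, a_port, b, b_port, speed_mbps))

    def port_id(self, switch, port):
        return (self.port_priority.get((switch, port), DEFAULT_PORT_PRIORITY), port)


def run_stp(topo):
    """Return (root, root_path_cost, roles); roles maps (switch, port) -> 'root'/'designated'/'blocked'."""
    bid = topo.switches
    root = min(bid, key=bid.get)                        # 1. lowest Bridge ID wins the election
    rpc = {n: float("inf") for n in bid}
    rpc[root] = 0
    for _ in range(len(bid)):                           # relax link costs until root path costs settle
        for l in topo.links:
            rpc[l.b] = min(rpc[l.b], rpc[l.a] + l.cost())
            rpc[l.a] = min(rpc[l.a], rpc[l.b] + l.cost())
    roles = {}
    for n in bid:                                       # 2-4. root port: lowest (cost, sender BID, sender port ID)
        if n == root:
            continue
        best = None
        for l in topo.links:
            for me, my_port, nb, nb_port in ((l.a, l.a_port, l.b, l.b_port), (l.b, l.b_port, l.a, l.a_port)):
                if me != n:
                    continue
                key = (rpc[nb] + l.cost(), bid[nb], topo.port_id(nb, nb_port))
                if best is None or key < best[0]:
                    best = (key, my_port)
        roles[(n, best[1])] = "root"
    for l in topo.links:                                # designated port: the better side of each segment
        side_a = (rpc[l.a], bid[l.a], topo.port_id(l.a, l.a_port))
        side_b = (rpc[l.b], bid[l.b], topo.port_id(l.b, l.b_port))
        if side_a < side_b:
            winner, loser = (l.a, l.a_port), (l.b, l.b_port)
        else:
            winner, loser = (l.b, l.b_port), (l.a, l.a_port)
        roles[winner] = "designated"
        roles.setdefault(loser, "blocked")              # a root port keeps its role; anything else blocks
    return root, rpc, roles


def example_topology():
    """Constructed lab: SW1 is made root; the SW1-SW3 link is slower than the path via SW2."""
    t = Topology(vlan=10)
    t.add_switch("SW1", "00:00:00:00:00:11", priority=4096)
    t.add_switch("SW2", "00:00:00:00:00:22")
    t.add_switch("SW3", "00:00:00:00:00:33")
    t.add_link("SW1", 1, "SW2", 1, 1_000)
    t.add_link("SW2", 2, "SW3", 2, 1_000)
    t.add_link("SW1", 2, "SW3", 1, 100)
    return t


if __name__ == "__main__":
    root, rpc, roles = run_stp(example_topology())
    print("root bridge:", root, "root path costs:", rpc)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} port {port}: {role}")
```

SW3 reaches the root for 40,000 through SW2 (two 1 Gbps hops) versus 200,000 over its direct 100 Mbps link, so its port 2 becomes the root port and its port 1 is blocked.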

STP Configuration

! Set switch as root bridge (lowers priority)
Switch(config)# spanning-tree vlan 10 root primary
Switch(config)# spanning-tree vlan 10 root secondary

! Manually set priority (must be multiple of 4096)
Switch(config)# spanning-tree vlan 10 priority 4096

! Modify port cost
Switch(config-if)# spanning-tree cost 10

! Modify port priority (for port ID tiebreaker)
Switch(config-if)# spanning-tree port-priority 64

! Verification commands
Switch# show spanning-tree
Switch# show spanning-tree vlan 10
Switch# show spanning-tree interface gi0/1

PortFast and BPDU Guard

! PortFast - Skip listening/learning on access ports
Switch(config-if)# spanning-tree portfast

! Enable PortFast globally for all access ports
Switch(config)# spanning-tree portfast default

! BPDU Guard - Shut down port if BPDU received
Switch(config-if)# spanning-tree bpduguard enable

! Enable BPDU Guard globally on PortFast ports
Switch(config)# spanning-tree portfast bpduguard default

PortFast should ONLY be used on access ports connecting to end devices (PCs, printers). Never enable PortFast on ports connected to other switches - this could cause temporary loops.

Key STP Points

  • Root bridge has all ports as designated (forwarding)
  • Non-root switches have one root port each
  • Each segment has one designated port
  • Lower priority number = more likely to be root
  • PortFast + BPDU Guard = best practice for access ports

6. Rapid Spanning Tree Protocol (RSTP)

RSTP (802.1w) is an evolution of STP that provides faster convergence - typically under 1 second compared to 30-50 seconds for 802.1D STP.

RSTP Port States

STP State   RSTP State  Is Port Active?
Disabled    Discarding  No
Blocking    Discarding  No
Listening   Discarding  No
Learning    Learning    No (building MAC table)
Forwarding  Forwarding  Yes

RSTP Port Roles

Role             Description
Root Port        Same as STP - best path to root
Designated Port  Same as STP - best port on segment
Alternate Port   Backup to root port (blocked, can quickly take over)
Backup Port      Backup to designated port on same switch (rare)

RSTP Fast Convergence: RSTP achieves fast convergence through the Alternate and Backup port roles. These ports are pre-calculated and can immediately take over if the primary path fails.

RSTP Link Types

Link Type       Description                            Fast Transition?
Point-to-Point  Full-duplex link (switch-to-switch)    Yes
Shared          Half-duplex link (hub connection)      No
Edge            Connected to end device (like PortFast) Yes (immediate)

RSTP Configuration

! Enable Rapid PVST+ (Cisco's per-VLAN RSTP)
Switch(config)# spanning-tree mode rapid-pvst

! Configure edge port (equivalent to PortFast)
Switch(config-if)# spanning-tree portfast edge

! Configure point-to-point link type
Switch(config-if)# spanning-tree link-type point-to-point

! Verify RSTP
Switch# show spanning-tree

STP Versions Comparison

Feature        STP (802.1D)      RSTP (802.1w)      MSTP (802.1s)
Convergence    30-50 seconds     ~1 second          ~1 second
VLAN Support   One tree for all  One tree for all*  Multiple VLANs per instance
Cisco Version  PVST+             Rapid PVST+        MST
Resources      Low               Medium             Efficient

*Note: Cisco's Rapid PVST+ runs a separate RSTP instance per VLAN, combining RSTP speed with per-VLAN flexibility.

The default STP mode on Cisco switches is PVST+ (per-VLAN STP). For better convergence, use "spanning-tree mode rapid-pvst" to enable Rapid PVST+.

7. EtherChannel

EtherChannel bundles multiple physical links into a single logical link, providing increased bandwidth and redundancy. STP sees the EtherChannel as a single link, so no ports are blocked.

EtherChannel Bundle:

+----------+                          +----------+
| Switch A |==========================| Switch B |
|          |       Logical Link       |          |
|   Po1    |==========================|   Po1    |
+----------+    (4 physical links)    +----------+
                Combined bandwidth

Example: 4 x 1Gbps = 4Gbps logical bandwidth
If one link fails, others continue (3Gbps)

EtherChannel Protocols

Protocol  Standard           Modes            Notes
LACP      IEEE 802.3ad       Active, Passive  Industry standard, preferred
PAgP      Cisco proprietary  Desirable, Auto  Cisco devices only
Static    None (manual)      On               No negotiation, both sides must be "on"

Mode Compatibility

LACP Modes:
+----------+----------+----------+
|          | Active   | Passive  |
+----------+----------+----------+
| Active   | Yes      | Yes      |
| Passive  | Yes      | No       |
+----------+----------+----------+

PAgP Modes:
+----------+----------+----------+
|          |Desirable | Auto     |
+----------+----------+----------+
|Desirable | Yes      | Yes      |
| Auto     | Yes      | No       |
+----------+----------+----------+

Static Mode:
+----------+----------+
|          | On       |
+----------+----------+
| On       | Yes      |
+----------+----------+

EtherChannel Configuration

! LACP EtherChannel (recommended)
Switch(config)# interface range gigabitethernet 0/1-4
Switch(config-if-range)# channel-group 1 mode active
Switch(config-if-range)# exit

! Configure the port-channel interface
Switch(config)# interface port-channel 1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30

! PAgP EtherChannel
Switch(config-if-range)# channel-group 1 mode desirable

! Static EtherChannel (no negotiation)
Switch(config-if-range)# channel-group 1 mode on

! Verification
Switch# show etherchannel summary
Switch# show etherchannel port-channel
Switch# show interfaces port-channel 1

EtherChannel Requirements

All interfaces in an EtherChannel must have matching configurations: speed, duplex, VLAN mode (access/trunk), allowed VLANs, native VLAN, and STP settings. Mismatches will prevent the channel from forming.

Load Balancing

EtherChannel distributes traffic across member links using a hash of frame attributes.

! View current load-balance method
Switch# show etherchannel load-balance

! Configure load-balance method
Switch(config)# port-channel load-balance src-dst-mac

! Common methods:
!   src-mac     - Source MAC address
!   dst-mac     - Destination MAC address
!   src-dst-mac - Source and destination MAC
!   src-ip      - Source IP address
!   dst-ip      - Destination IP address
!   src-dst-ip  - Source and destination IP (best for L3)
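Why the choice of load-balance method matters is easier to see with numbers. The Python below is an added example for this guide, not Cisco's ASIC algorithm and not code from the original page: it models the widely documented Catalyst behaviour of XORing the selected address fields, taking the low 3 bits as one of 8 hash buckets, and dealing the buckets across the member links. The flows (one server talking to eight clients) and their addresses are constructed sample data.

```python
HASH_BUCKETS = 8      # modelled on the 8 hash buckets Catalyst EtherChannel documentation describes

METHOD_FIELDS = {     # which frame attributes each load-balance keyword hashes
    "src-mac": ("src_mac",),
    "dst-mac": ("dst_mac",),
    "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",),
    "dst-ip": ("dst_ip",),
    "src-dst-ip": ("src_ip", "dst_ip"),
}


def _to_int(field_name, value):
    """Turn a MAC ('aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff') or dotted IPv4 into an int."""
    if field_name.endswith("_mac"):
        return int(value.replace(":", "").replace(".", ""), 16)
    octets = [int(x) for x in value.split(".")]
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def select_link(flow, method, link_count):
    """Member link index (0..link_count-1) a flow is pinned to under the given method."""
    h = 0
    for name in METHOD_FIELDS[method]:
        h ^= _to_int(name, flow[name])
    bucket = h & (HASH_BUCKETS - 1)          # low 3 bits -> bucket 0..7
    return bucket % link_count               # buckets dealt round-robin over the links


def distribution(flows, method, link_count):
    """How many of the flows land on each member link."""
    counts = [0] * link_count
    for flow in flows:
        counts[select_link(flow, method, link_count)] += 1
    return counts


def demo_flows():
    """Constructed sample: one server (source) sending to eight different clients."""
    return [
        {"src_mac": "00:00:0c:00:00:01", "dst_mac": f"00:00:0c:00:01:0{i}",
         "src_ip": "10.0.0.1", "dst_ip": f"10.0.1.{i}"}
        for i in range(8)
    ]


if __name__ == "__main__":
    flows = demo_flows()
    for method in ("src-mac", "src-dst-mac", "src-dst-ip"):
        print(f"{method:12s} over 4 links ->", distribution(flows, method, 4))
    print("src-dst-mac over 3 links ->", distribution(flows, "src-dst-mac", 3))
```

Two things the numbers show: with src-mac every flow from that one server shares a single member link (the other three carry nothing), while src-dst-mac or src-dst-ip spreads the same flows evenly; and with three links the eight buckets cannot be dealt evenly (3/3/2), which is why bundles of 2, 4 or 8 links balance best. A given flow always hashes to the same link, so frames within a flow are never reordered.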

Layer 3 EtherChannel

! Create L3 EtherChannel (routed ports)
Switch(config)# interface range gigabitethernet 0/1-2
Switch(config-if-range)# no switchport
Switch(config-if-range)# channel-group 1 mode active
Switch(config)# interface port-channel 1
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.0.0.1 255.255.255.252

The "show etherchannel summary" command is your go-to for quick EtherChannel status. Look for the flags: P = bundled in port-channel, I = stand-alone, D = down.

8. Wireless Fundamentals

Wireless LANs (WLANs) use radio frequencies to connect devices without cables. Understanding wireless standards, architectures, and security is essential for CCNA.

Wireless Standards (802.11)

Standard  Frequency        Max Speed  Wi-Fi Alliance Name
802.11b   2.4 GHz          11 Mbps    Wi-Fi 1
802.11a   5 GHz            54 Mbps    Wi-Fi 2
802.11g   2.4 GHz          54 Mbps    Wi-Fi 3
802.11n   2.4 / 5 GHz      600 Mbps   Wi-Fi 4
802.11ac  5 GHz            6.9 Gbps   Wi-Fi 5
802.11ax  2.4 / 5 / 6 GHz  9.6 Gbps   Wi-Fi 6/6E

Wireless Frequency Bands

2.4 GHz Band:
  Channels: 1-14 (varies by country)
  Channel Width: 20 MHz (or 40 MHz with bonding)
  Non-overlapping channels: 1, 6, 11 (in US)

  |--1--|--2--|--3--|--4--|--5--|--6--|--7--|--8--|--9--|--10-|--11-|
  |=====|                       |=====|                       |=====|
    Ch1                           Ch6                           Ch11

5 GHz Band:
  - More channels available (UNII bands)
  - Less interference from other devices
  - Shorter range than 2.4 GHz
  - Channels: 36, 40, 44, 48, 52, 56, 60, 64, 100, 104...

2.4 GHz vs 5 GHz: 2.4 GHz has better range and wall penetration but more interference. 5 GHz has more bandwidth and less interference but shorter range. Wi-Fi 6E adds the 6 GHz band for even more capacity.
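The 1/6/11 rule follows from the channel centre frequencies: 2.4 GHz channels are 5 MHz apart but each signal occupies about 22 MHz (the 802.11b spectral mask), so neighbouring channels overlap. The Python below is an added example for this guide, not code from the original page or from any vendor: it computes centre frequencies, decides whether two channels overlap, picks the largest non-overlapping set for a regulatory channel range, and flags neighbouring APs whose channels collide. The AP names and channel assignments are constructed sample data; the 22 MHz width is an assumption stated in the code.

```python
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22   # assumed occupied width per channel (802.11b DSSS mask)


def center_freq_mhz(channel):
    """Centre frequency of a 2.4 GHz channel: channels 1-13 are 5 MHz apart, 14 is separate."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"channel {channel} is not a 2.4 GHz channel")


def channels_overlap(a, b, width=CHANNEL_WIDTH_MHZ):
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(center_freq_mhz(a) - center_freq_mhz(b)) < width


def non_overlapping_plan(channels, width=CHANNEL_WIDTH_MHZ):
    """Greedy lowest-first selection of channels that do not overlap each other."""
    chosen = []
    for ch in sorted(channels):
        if all(not channels_overlap(ch, c, width) for c in chosen):
            chosen.append(ch)
    return chosen


def find_conflicts(ap_channels):
    """Given {ap_name: channel} for APs that can hear each other, list overlapping pairs."""
    return sorted((a, b) for (a, ch_a), (b, ch_b) in combinations(sorted(ap_channels.items()), 2)
                  if channels_overlap(ch_a, ch_b))


if __name__ == "__main__":
    print("US (1-11):      ", non_overlapping_plan(range(1, 12)))
    print("EU (1-13):      ", non_overlapping_plan(range(1, 14)))
    print("EU, 20 MHz mask:", non_overlapping_plan(range(1, 14), width=20))
    site = {"AP-1": 1, "AP-2": 3, "AP-3": 6, "AP-4": 11}      # constructed survey
    print("conflicting APs:", find_conflicts(site))
```

With the 22 MHz mask the plan is 1, 6, 11 for both the US and European channel ranges; narrowing the assumed width to 20 MHz is what allows the 1/5/9/13 plan sometimes used in Europe, which shows that the "non-overlapping" set depends on the width you assume, not only on the channel list.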

Wireless Architectures

Autonomous AP Architecture

Lightweight AP with WLC (Controller-Based)

Controller-Based Architecture:

          [WLC - Wireless LAN Controller]
                         |
             +-----------+-----------+
             |           |           |
           [LAP]       [LAP]       [LAP]
          (CAPWAP)    (CAPWAP)    (CAPWAP)
             |           |           |
          Clients     Clients     Clients

CAPWAP = Control And Provisioning of Wireless Access Points
  - UDP ports 5246 (control) and 5247 (data)
  - AP configuration stored on WLC
  - Real-time management and control

Cloud-Based (e.g., Cisco Meraki)

AP Modes

Mode         Description
Local        Default mode; serves clients and scans channels between beacons
FlexConnect  For remote sites; can switch traffic locally even if WLC connection is lost
Monitor      Dedicated to scanning for rogues and intrusion detection
Sniffer      Captures wireless frames and sends to analyzer
Bridge       Point-to-point or point-to-multipoint outdoor bridging
SE-Connect   Spectrum analysis mode

Wireless Security

Security Method  Encryption  Authentication      Status
WEP              RC4 (weak)  Open or Shared Key  Deprecated - Do not use
WPA              TKIP        PSK or 802.1X       Legacy - Avoid if possible
WPA2             AES-CCMP    PSK or 802.1X       Current standard
WPA3             AES-GCMP    SAE or 802.1X       Latest - Enhanced security

Authentication Methods

Personal (PSK): Pre-Shared Key. All users share the same password. Simple but less secure for enterprise use.
Enterprise (802.1X): Each user has unique credentials. Uses RADIUS server for authentication. Recommended for businesses.
802.1X Authentication Flow:

[Wireless Client] -----> [AP/WLC] -----> [RADIUS Server]
  (Supplicant)         (Authenticator)     (Auth Server)
       |                     |                   |
       |---EAP Request------>|                   |
       |                     |---RADIUS Access-->|
       |                     |<--RADIUS Accept---|
       |<--EAP Success-------|                   |
       |                     |                   |
  [Connected with unique encryption keys]

Wireless Key Points

  • Use non-overlapping channels (1, 6, 11) for 2.4 GHz
  • 5 GHz offers more bandwidth, less interference
  • WPA2-Enterprise (802.1X) is best for business
  • WPA3 provides enhanced security with SAE
  • CAPWAP uses UDP 5246 (control) and 5247 (data)
  • FlexConnect allows local switching at remote sites
Know the Wi-Fi generations (Wi-Fi 4 = 802.11n, Wi-Fi 5 = 802.11ac, Wi-Fi 6 = 802.11ax) and their frequencies. Also understand the difference between WPA2-Personal (PSK) and WPA2-Enterprise (802.1X).