VLAN Reference
Free reference guide: VLAN Reference
About VLAN Reference
This VLAN Reference is a comprehensive, searchable guide to Virtual LAN configuration on Cisco switches, organized into six categories: Basic Config, Trunking, VTP, Inter-VLAN Routing, Pruning, and Security. Each entry includes the exact IOS command syntax along with practical configuration examples you can adapt directly to your network environment, from creating VLANs and assigning access ports to configuring 802.1Q trunk links and native VLANs.
The reference covers critical networking concepts including IEEE 802.1Q tag structure (12-bit VLAN ID supporting IDs 1 through 4094, 3-bit 802.1p priority), DTP negotiation modes (dynamic auto, dynamic desirable, nonegotiate), VTP server/client/transparent modes for centralized VLAN database management, and inter-VLAN routing methods such as Router-on-a-Stick with sub-interfaces and Layer 3 SVI-based routing with the ip routing command.
Layer 2 security features are thoroughly documented, including port security with sticky MAC learning and violation modes, DHCP snooping to prevent rogue DHCP servers, Dynamic ARP Inspection against ARP spoofing, storm control thresholds, private VLANs for intra-VLAN isolation, and VLAN ACLs (VACLs) for traffic filtering within a VLAN. This makes the reference valuable for network engineers preparing for CCNA/CCNP exams or managing production enterprise switch infrastructure.
Key Features
- Complete VLAN lifecycle commands: vlan creation, naming, port assignment (access/voice), and deletion with IOS syntax
- 802.1Q trunking configuration including trunk allowed VLAN lists, native VLAN security hardening, and DTP negotiation control
- VTP server, client, and transparent mode setup with domain, password, and version configuration examples
- Inter-VLAN routing methods: Router-on-a-Stick sub-interface encapsulation and L3 switch SVI with ip routing
- VTP pruning and manual trunk pruning to eliminate unnecessary broadcast traffic across trunk links
- Port security with sticky MAC, maximum MAC limit, and violation actions (shutdown, restrict, protect)
- DHCP snooping, Dynamic ARP Inspection, and storm control configuration for Layer 2 attack mitigation
- Private VLAN (primary/isolated/community) and VACL (vlan access-map) for granular intra-VLAN traffic control
Frequently Asked Questions
What is the difference between an access port and a trunk port?
An access port belongs to a single VLAN and carries untagged traffic for that VLAN only, typically connecting end devices like PCs or printers. A trunk port carries traffic for multiple VLANs simultaneously using 802.1Q tags, and is used for switch-to-switch or switch-to-router links. Configure access ports with "switchport mode access" and "switchport access vlan X", and trunks with "switchport mode trunk".
Why should I change the native VLAN from the default VLAN 1?
The native VLAN is the VLAN whose frames cross a trunk link untagged. Leaving it as VLAN 1 (the default, which every port also belongs to until it is reassigned) creates a security risk known as VLAN hopping: a frame entering on a port in the native VLAN is forwarded across the trunk without an outer tag, so a double-tagged 802.1Q frame built by an attacker still carries its inner tag and can reach VLANs they should not access. Best practice is to set the native VLAN to an unused VLAN (e.g., VLAN 99) with "switchport trunk native vlan 99" and ensure no user traffic is assigned to it.
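The tag layout described in the overview (12-bit VLAN ID, 3-bit 802.1p priority) and the double-tagged frames discussed in this answer can both be checked from a packet capture. The parser below is an added example, not code from the VLAN Reference itself: it peels 802.1Q tags off a raw Ethernet frame and reports what a monitoring probe on a trunk would want to flag. The two hex frames are constructed sample input, and the names TAG_TPIDS, parse_frame, audit_frame and native_vid are chosen here for illustration (treating the 802.1ad 0x88A8 TPID like 0x8100 is an assumption of this example).

```python
import struct
from dataclasses import dataclass
from typing import List

# TPIDs that introduce a VLAN tag: 0x8100 is the IEEE 802.1Q customer tag, 0x88A8 the
# 802.1ad service tag used for QinQ (assumption of this example: both are parsed alike).
TAG_TPIDS = {0x8100, 0x88A8}


@dataclass
class VlanTag:
    tpid: int
    pcp: int  # 3-bit 802.1p priority, TCI bits 15-13
    dei: int  # 1-bit drop eligible indicator, TCI bit 12
    vid: int  # 12-bit VLAN ID, TCI bits 11-0 (1-4094 usable; 0 and 4095 are reserved)


@dataclass
class ParsedFrame:
    dst: str
    src: str
    tags: List[VlanTag]  # outermost tag first
    ethertype: int       # EtherType of the encapsulated payload
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the Ethernet header, peeling off every VLAN tag in the order it appears."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType field")
        (etype,) = struct.unpack("!H", frame[offset:offset + 2])
        if etype not in TAG_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append(VlanTag(tpid=etype,
                            pcp=(tci >> 13) & 0x7,
                            dei=(tci >> 12) & 0x1,
                            vid=tci & 0x0FFF))
        offset += 4  # skip TPID + TCI and inspect the next EtherType
    return ParsedFrame(dst, src, tags, etype, frame[offset + 2:])


def audit_frame(parsed: ParsedFrame, native_vid: int) -> List[str]:
    """Findings a trunk-side probe would raise for one frame (hypothetical checks)."""
    findings = []
    if len(parsed.tags) >= 2:
        findings.append(f"double-tagged frame ({len(parsed.tags)} tags)")
    if parsed.tags and parsed.tags[0].vid == native_vid:
        findings.append(f"outer tag carries native VLAN {native_vid}")
    for tag in parsed.tags:
        if tag.vid in (0, 4095):
            findings.append(f"reserved VID {tag.vid} in tag")
    return findings


# Constructed sample frames: broadcast dst, made-up src, IPv4 EtherType, 20 dummy payload bytes.
_PAYLOAD = "4500001400010000400100000a0000010a000002"
# One 802.1Q tag with PCP 5, DEI 0, VID 10 -> TCI 0xA00A.
SINGLE_TAGGED_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "8100" "a00a" "0800" + _PAYLOAD)
# Two 802.1Q tags: outer VID 1 (the default native VLAN), inner VID 20.
DOUBLE_TAGGED_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "8100" "0001" "8100" "0014" "0800" + _PAYLOAD)


if __name__ == "__main__":
    for label, raw in (("single", SINGLE_TAGGED_FRAME), ("double", DOUBLE_TAGGED_FRAME)):
        f = parse_frame(raw)
        print(label, [(t.pcp, t.vid) for t in f.tags], hex(f.ethertype), audit_frame(f, native_vid=1))
```

Run with the native VLAN moved to 99, the same double-tagged frame still shows up as double-tagged but no longer matches the native VLAN, which is exactly why the FAQ recommends moving the native VLAN off VLAN 1 and keeping user ports out of it.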
What are the differences between VTP server, client, and transparent modes?
VTP server mode can create, modify, and delete VLANs and propagates changes to the entire VTP domain. Client mode receives and applies VLAN updates from servers but cannot make local VLAN changes. Transparent mode does not participate in VTP synchronization but forwards VTP advertisements; it manages VLANs locally. In most modern networks, transparent mode or VTP version 3 with primary server election is preferred for safety, because in VTP versions 1 and 2 any switch advertising a higher configuration revision number can overwrite the VLAN database of the whole domain.
When should I use Router-on-a-Stick vs. SVI for inter-VLAN routing?
Router-on-a-Stick uses a router with sub-interfaces (e.g., GigabitEthernet0/0.10 with encapsulation dot1q 10) connected to a trunk port on the switch. It is suitable for small networks but creates a bandwidth bottleneck since all inter-VLAN traffic traverses a single physical link. SVI-based routing on a Layer 3 switch (interface vlan 10 with ip address and ip routing enabled) provides wire-speed routing and is preferred for enterprise networks.
How does port security with sticky MAC addresses work?
Sticky MAC learning dynamically learns the MAC addresses connected to a port and saves them to the running configuration, so they persist after a reload if you write the config. Configure with "switchport port-security mac-address sticky" and set a maximum MAC count. When the limit is exceeded, the violation action determines the response: shutdown disables the port, restrict drops violating frames and logs them, and protect silently drops violating frames.
What is DHCP snooping and why is it important?
DHCP snooping is a Layer 2 security feature that creates a trusted/untrusted port model. Only ports marked as "ip dhcp snooping trust" (typically uplinks to legitimate DHCP servers) can send DHCP server responses. All other ports are untrusted and can only send DHCP client requests. This prevents rogue DHCP servers from distributing incorrect IP configurations or performing man-in-the-middle attacks. It also builds a binding table used by Dynamic ARP Inspection.
What are private VLANs and when should I use them?
Private VLANs provide isolation between ports within the same VLAN. A primary VLAN contains secondary VLANs that can be isolated (ports cannot communicate with each other) or community (ports within the same community can communicate). Use cases include ISP environments where multiple customers share a subnet but must be isolated, or DMZ segments where servers should not communicate laterally. Configure with "private-vlan primary" and "private-vlan isolated/community".
How does VTP pruning differ from manually pruning trunk allowed VLANs?
VTP pruning is an automatic mechanism that prevents trunk links from carrying traffic for VLANs that have no active ports on the receiving switch, reducing unnecessary broadcast traffic. It is enabled globally with "vtp pruning". Manual pruning uses "switchport trunk allowed vlan" to statically define which VLANs a trunk carries. Manual pruning gives more control and is preferred in networks not using VTP, while VTP pruning adapts automatically as ports change VLAN assignments.
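Several of the answers above (access versus trunk ports, native VLAN hardening, port security, DHCP snooping trust and manual trunk pruning) describe settings that can be verified mechanically from a switch's running-config. The audit script below is an added example and not part of the VLAN Reference: it splits an IOS-style configuration into global and per-interface commands and reports the gaps the FAQ warns about. The SAMPLE_CONFIG text is constructed, and parse_ios_config, audit_config and the wording of the findings are names and choices made here for illustration; interfaces with "no switchport" and SVI/loopback interfaces are skipped, which is an assumption of this example.

```python
from typing import Dict, List, Tuple


def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS running-config into global commands and per-interface command lists.

    Interface sections start with 'interface <name>'; their commands are indented by one
    space and a section ends at a '!' line or at the next unindented command.
    """
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def _value(cmds: List[str], prefix: str, default: str) -> str:
    """Argument of the first command starting with prefix, or default if absent."""
    for c in cmds:
        if c.startswith(prefix + " "):
            return c[len(prefix):].strip()
    return default


def audit_config(text: str) -> List[str]:
    global_cmds, interfaces = parse_ios_config(text)
    findings: List[str] = []
    ports = {n: c for n, c in interfaces.items()
             if "no switchport" not in c and not n.startswith(("Vlan", "Loopback"))}

    # Pass 1: trunk hygiene; also collect native VLANs so edge ports can be checked against them.
    native_vids = set()
    for name, cmds in ports.items():
        if "switchport mode trunk" not in cmds:
            continue
        native = _value(cmds, "switchport trunk native vlan", "1")
        native_vids.add(native)
        if native == "1":
            findings.append(f"{name}: trunk uses native VLAN 1")
        if "switchport nonegotiate" not in cmds:
            findings.append(f"{name}: trunk still negotiates DTP (add 'switchport nonegotiate')")
        if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
            findings.append(f"{name}: trunk carries all VLANs (no 'switchport trunk allowed vlan')")

    # Pass 2: every other enabled switchport is treated as an edge port.
    for name, cmds in ports.items():
        if "switchport mode trunk" in cmds or "shutdown" in cmds:
            continue
        if "switchport mode access" not in cmds:
            findings.append(f"{name}: no explicit 'switchport mode access' (DTP may negotiate a trunk)")
        if "switchport port-security" not in cmds:
            findings.append(f"{name}: no port security configured")
        vid = _value(cmds, "switchport access vlan", "1")
        if vid in native_vids:
            findings.append(f"{name}: access VLAN {vid} is also a trunk native VLAN")
        if "ip dhcp snooping trust" in cmds:
            findings.append(f"{name}: edge port is trusted for DHCP snooping")

    # Global Layer 2 protections.
    if "ip dhcp snooping" not in global_cmds:
        findings.append("global: DHCP snooping not enabled (no 'ip dhcp snooping')")
    if not any(c.startswith("ip arp inspection vlan ") for c in global_cmds):
        findings.append("global: Dynamic ARP Inspection not enabled (no 'ip arp inspection vlan')")
    return findings


# Constructed sample running-config: one hardened trunk, one legacy trunk, one hardened
# access port and one port left at defaults in the trunk's native VLAN.
SAMPLE_CONFIG = """\
hostname SW1
!
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
interface GigabitEthernet0/4
 switchport access vlan 99
!
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample the hardened ports Gi0/1 and Gi0/3 produce nothing, while Gi0/2 is flagged for native VLAN 1, DTP negotiation and an unrestricted allowed list, Gi0/4 for its dynamic mode, missing port security and membership in the trunk's native VLAN, and the global section for missing Dynamic ARP Inspection.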