Chapter 3: Layer 2 Switching: VLANs, Trunks, and MAC Learning
Learning Objectives
Configure VLANs, access ports, and 802.1Q trunk ports on AOS-CX, including allowed-VLAN lists and the native VLAN.
Explain how MAC address learning, aging, and table behavior work on a transparent bridge.
Implement voice VLANs and LLDP-MED so an IP phone auto-provisions VLAN, 802.1p, and DSCP without user touch.
Troubleshoot common VLAN and trunk misconfigurations using show commands and structured reasoning.
Pre-Quiz: VLAN Concepts
1. What is the valid VLAN ID range on AOS-CX?
0-4095
1-4094
1-4096
2-4094
2. On AOS-CX, why does vlan access 10 often return an error or appear to do nothing on a fresh interface?
VLAN 10 must first be shut down
The interface defaults to routed (Layer 3) mode and needs no routing first
VLAN 1 must be removed before another VLAN is assigned
DTP has not yet completed negotiation
3. Why is using VLAN 1 for production data discouraged?
VLAN 1 cannot carry tagged traffic
VLAN 1 is the industry default; leaked untagged traffic and control-plane protocols mix with users
VLAN 1 has a smaller MAC table than other VLANs
AOS-CX automatically deletes VLAN 1 at boot
4. Which command sets a trunk port's native VLAN to 99 and forces all native frames to be tagged?
vlan access 99
vlan trunk allowed 99 native
vlan trunk native 99 tag
switchport native dot1q tag 99
Section 1: VLAN Concepts and Configuration
Key Points
A VLAN is a Layer 2 broadcast domain identified by a 12-bit VLAN ID (1-4094); ports in different VLANs are isolated as if on separate switches.
VLAN 1 is the default and cannot be deleted, but should never carry production traffic.
AOS-CX interfaces default to routed mode; you must run no routing before VLAN-membership commands work.
Access ports carry one untagged VLAN; trunk ports carry many tagged VLANs plus one untagged "native" VLAN.
Native VLAN mismatches between switches silently merge traffic between VLANs.
A VLAN (Virtual LAN) is a Layer 2 broadcast domain identified by a 12-bit VLAN ID in the range 1-4094. Two ports in the same VLAN behave as if they were plugged into the same dumb hub; two ports in different VLANs are as isolated as two unconnected switches. The VLAN ID lives in the IEEE 802.1Q tag, a 4-byte header inserted right after the source MAC of an Ethernet frame.
Analogy: VLANs as floors in an office building. Without VLANs, every cubicle on every floor opens onto the same lobby. VLANs give each department its own keycard-controlled floor that shares the elevators (the trunks). The elevator needs a label (the 802.1Q tag) to know which floor to open for each rider.
The Default VLAN
When AOS-CX boots a fresh configuration, exactly one VLAN exists: VLAN 1. Every Layer 2 switch port is implicitly a member of it in access mode. VLAN 1 cannot be deleted, but for security and operational reasons, you should never use it for production traffic:
VLAN 1 is the industry default everywhere, so untagged traffic that leaks through a misconfigured trunk often lands in VLAN 1 unnoticed.
Many control-plane protocols (LLDP, LACP, STP BPDUs) historically used VLAN 1; using it for users mixes user traffic with the control plane.
Creating VLANs
switch(config)# vlan 10
switch(config-vlan-10)# name DATA
switch(config-vlan-10)# description "User Data VLAN"
switch(config-vlan-10)# no shutdown
switch(config)# vlan 100-110
Access vs. Trunk Modes
Mode | Ingress tag handling | Egress tag handling | Use case
Access | Untagged frames into the access VLAN; tagged frames dropped | Frames sent untagged | End-host port (PC, printer)
Trunk | Tagged frames into the tag's VLAN; untagged frames into the native VLAN | Non-native VLANs tagged; native sent untagged unless tag set | Inter-switch links, AP/hypervisor uplinks
A critical AOS-CX detail: most CX platform interfaces default to routed (Layer 3) mode. You must run no routing on the interface before VLAN-membership commands take effect.
switch(config)# interface 1/1/1
switch(config-if)# no shutdown
switch(config-if)# no routing
switch(config-if)# vlan access 10
The Native VLAN
On a trunk, exactly one VLAN can be designated the native VLAN. Frames in the native VLAN are sent untagged across the wire; conversely, any untagged frame received on a trunk is mapped into the native VLAN. The default is VLAN 1.
A native VLAN mismatch causes silent traffic merging: frames that left as untagged from VLAN 1 on switch A arrive at switch B and get classified into switch B's native VLAN. Best practice: either use an unused native VLAN, or force tagging with vlan trunk native <id> tag.
Without the add or remove keyword, a new vlan trunk allowed list replaces the existing list entirely: a classic outage cause when an engineer tries to "just add VLAN 30."
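To make the access/trunk tag-handling rules and the native VLAN mismatch concrete, here is an added Python model (not AOS-CX code and not part of this course) of 802.1Q tagging plus ingress classification and egress tagging on access and trunk ports. Port, ingress, egress and cross_trunk are names assumed for the example; the model also assumes that a trunk whose native VLAN is tagged drops untagged frames.

```python
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100  # EtherType that marks a 4-byte 802.1Q tag

def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 802.1Q tag right after the 12-byte dst/src MAC header."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0xFFF)   # PCP(3) DEI(1) VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame: bytes):
    """Return (VID, frame without the tag); VID is None for untagged frames."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0xFFF, frame[:12] + frame[16:]

@dataclass
class Port:
    mode: str                        # "access" or "trunk"
    access_vlan: int = 1             # vlan access <id>
    allowed: set = field(default_factory=lambda: {1})   # vlan trunk allowed
    native: int = 1                  # vlan trunk native <id>
    native_tag: bool = False         # vlan trunk native <id> tag

def ingress(port: Port, frame: bytes):
    """VLAN a received frame is classified into; None means dropped."""
    vid, _ = strip_tag(frame)
    if port.mode == "access":        # access ports take untagged frames only
        return port.access_vlan if vid is None else None
    if vid is None:                  # untagged on a trunk -> native VLAN
        return None if port.native_tag else port.native  # assumed drop when native is tagged
    return vid if vid in port.allowed else None

def egress(port: Port, vlan: int, payload: bytes):
    """Frame a port transmits for traffic in `vlan`; None if not allowed out."""
    if port.mode == "access":
        return payload if vlan == port.access_vlan else None
    if vlan not in port.allowed:
        return None
    if vlan == port.native and not port.native_tag:
        return payload               # native VLAN leaves the wire untagged
    return tag_frame(payload, vlan)

def cross_trunk(a: Port, b: Port, vlan: int, payload: bytes):
    """VLAN that switch B puts a frame into after switch A sent it in `vlan`."""
    wire = egress(a, vlan, payload)
    return None if wire is None else ingress(b, wire)
```

Running cross_trunk with native 1 on one side and native 20 on the other shows the silent merge; setting native_tag on both sides keeps VLAN 1 and VLAN 20 apart.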
Common Trunking Pitfalls
Symptom | Likely cause | Fix
Hosts in VLAN X cannot reach across switches | VLAN X not in vlan trunk allowed | vlan trunk allowed X add
Sporadic connectivity, traffic in wrong VLAN | Native VLAN mismatch | Align native or vlan trunk native <id> tag
Trunk doesn't come up | Forgot no routing; or peer not in trunk mode | Configure trunk statically on both ends
Replaced switch dropped a VLAN | New vlan trunk allowed overwrote prior list | Always use add/remove
Figure 3.2: Frame tagging across a trunk boundary
sequenceDiagram
participant H1 as "Host A (VLAN 10)"
participant SA as "Switch A"
participant SB as "Switch B"
participant H2 as "Host B (VLAN 10)"
H1->>SA: "Untagged frame ingress on access VLAN 10"
Note over SA: "Lookup egress: trunk to Switch B"
SA->>SB: "Tagged frame (TPID 0x8100, VID=10) on trunk"
Note over SB: "Read tag, classify into VLAN 10"
SB->>H2: "Untagged frame egress on access VLAN 10"
Note over SA,SB: "Native VLAN frames travel UNTAGGED — mismatch silently merges VLANs"
Post-Quiz: 802.1Q Trunking
1. What is the total length of an 802.1Q tag, and which TPID identifies it?
2 bytes; TPID 0x0800
4 bytes; TPID 0x8100
4 bytes; TPID 0x86DD
8 bytes; TPID 0x88A8
2. You run vlan trunk allowed 30 on a trunk that previously allowed VLANs 10, 20, 99. What is the result?
VLANs 10, 20, 30, 99 are all allowed
Only VLAN 30 is allowed; the previous list was replaced
The command is rejected because add is required
VLAN 30 is added but VLAN 99 is removed automatically
3. Why does AOS-CX require both ends of a trunk to be statically configured?
Because LACP only runs on access ports
Because AOS-CX does not implement Cisco's DTP
Because trunks require IP addresses on both ends
Because LLDP-MED disables auto-negotiation
4. Which 802.1Q tag field carries the 802.1p Class of Service used for QoS?
TPID
DEI
VLAN ID
PCP
Pre-Quiz: MAC Address Table
1. What is the default MAC aging time on AOS-CX?
60 seconds
300 seconds
900 seconds
3600 seconds
2. A switch receives a unicast frame whose destination MAC is not in the MAC table (in the matching VLAN). What does the switch do?
Drops the frame
Sends an ARP request
Floods the frame to all ports in the VLAN except the ingress port
Floods the frame to every port on the switch regardless of VLAN
3. The MAC table maps which key to which value?
Source IP -> ingress port
{VLAN, source MAC} -> ingress port
{VLAN, destination MAC} -> egress IP
EtherType -> queue ID
4. Rapid, repeated MAC moves of the same MAC between two ports most likely indicates which problem?
Normal endpoint roaming
A Layer 2 loop, duplicate MAC, or flapping link
An expired SSL certificate
An unconfigured native VLAN
Section 3: MAC Address Table
Key Points
The MAC table maps {VLAN, source MAC} -> ingress port; populated by source-MAC learning.
Default aging is 300 seconds; each frame from a source resets that entry's clock.
Static entries persist forever, override learning, and survive reboot.
Unknown unicast and broadcast are flooded within the VLAN; the switch learns the source MAC of any reply.
Frequent MAC moves indicate a loop, duplicate MAC, or flapping link — investigate with loop-protect and logs.
The MAC address table is what makes a switch a switch and not a hub: instead of flooding every frame to every port, the switch learns where each MAC lives and sends frames only where they need to go.
Analogy: the mailroom. A new mailroom has no list of who sits where. The first time it sees outbound mail from Alice in office 1404, it scribbles "Alice -> 1404" on a sticky note. Now letters addressed to Alice go straight to 1404. If nobody mails from Alice for five minutes, the note is thrown away (aging). If "Alice" appears on a different floor, the note is updated (MAC move). Static entries are permanent nameplates.
Forwarding Decision Ladder
Destination MAC is in the table (same VLAN) -> forward out the matching port.
Destination MAC is broadcast -> flood within VLAN.
Destination MAC is multicast (no IGMP/MLD constraint) -> flood within VLAN.
Destination MAC is unknown unicast -> flood within VLAN, hoping to provoke a reply.
Animated: MAC Learning on a Switch (frames arrive, table populates with source MAC + port)
Each frame's source MAC is learned against its ingress port. After 300s without traffic, the entry ages out.
When the same source MAC appears on a different port within the same VLAN, the switch updates the table. Rapid, repeated moves are a strong signal of:
A Layer 2 loop — the switch is seeing its own frames echoed.
A duplicate MAC — two different devices using the same Ethernet address.
A flapping link — the device alternates between two access paths.
The companion feature loop-protect proactively detects loops by emitting probe frames; if a probe returns, the originating port is err-disabled.
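The forwarding ladder, 300-second aging, static pins and MAC-move detection above, as an added Python simulation (not AOS-CX code and not part of this course). MacTable and its methods are names assumed for the example; the move-window and move-limit thresholds are constructed values, not a documented AOS-CX setting.

```python
from collections import deque

AGING_SECONDS = 300   # AOS-CX default aging time described on this page
MOVE_WINDOW = 10      # constructed thresholds: MOVE_LIMIT or more moves of one
MOVE_LIMIT = 3        # MAC within MOVE_WINDOW seconds is flagged as suspicious

class MacTable:
    """Per-VLAN source-MAC learning with aging, static pins and move tracking."""
    def __init__(self):
        self.entries = {}   # (vlan, mac) -> {"port": p, "seen": t, "static": bool}
        self.moves = {}     # (vlan, mac) -> timestamps of recent MAC moves
        self.alerts = []    # (vlan, mac, reason) raised by move tracking

    def add_static(self, vlan, mac, port):
        self.entries[(vlan, mac)] = {"port": port, "seen": None, "static": True}

    def age(self, now):
        stale = [k for k, e in self.entries.items()
                 if not e["static"] and now - e["seen"] >= AGING_SECONDS]
        for k in stale:
            del self.entries[k]

    def learn(self, vlan, src, port, now):
        key = (vlan, src)
        old = self.entries.get(key)
        if old and old["static"]:
            return                          # a static pin overrides learning
        if old and old["port"] != port:     # MAC move: same MAC, new port
            q = self.moves.setdefault(key, deque())
            q.append(now)
            while now - q[0] > MOVE_WINDOW:
                q.popleft()
            if len(q) >= MOVE_LIMIT:
                self.alerts.append((vlan, src, "loop, duplicate MAC or flapping link"))
        self.entries[key] = {"port": port, "seen": now, "static": False}

    def forward(self, vlan, src, dst, in_port, vlan_ports, now):
        """Egress ports for one frame, after aging and learning its source."""
        self.age(now)
        self.learn(vlan, src, in_port, now)
        group = int(dst.split(":")[0], 16) & 1   # I/G bit: broadcast/multicast
        hit = self.entries.get((vlan, dst))
        if hit and not group:                    # known unicast: one port
            return [] if hit["port"] == in_port else [hit["port"]]
        return [p for p in vlan_ports[vlan] if p != in_port]   # flood in VLAN
```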
Figure 3.3: MAC learning lifecycle
stateDiagram-v2
[*] --> Unknown: "Switch boots / table empty"
Unknown --> Flooding: "Frame to dest MAC X arrives"
Flooding --> Learning: "Reply seen with src MAC X on port P"
Learning --> Active: "Install {VLAN, X} -> port P (dynamic)"
Active --> Active: "Refresh on each frame from X (reset 300s timer)"
Active --> Moved: "Same MAC X seen on port Q (MAC move)"
Moved --> Active: "Update entry to port Q; log move"
Active --> Aged: "No frames from X for 300s"
Aged --> [*]: "Entry purged from table"
Active --> Static: "Admin pins MAC (mac-address-table static)"
Static --> Static: "Survives reboot, never ages"
Useful Show Commands
switch# show mac-address-table
switch# show mac-address-table vlan 10
switch# show mac-address-table port 1/1/5
switch# show mac-address-table address 00:11:22:33:44:55
switch# show mac-address-table count
Post-Quiz: MAC Address Table
1. What is the default MAC aging time on AOS-CX?
60 seconds
300 seconds
900 seconds
3600 seconds
2. A switch receives a unicast frame whose destination MAC is not in the MAC table (in the matching VLAN). What does the switch do?
Drops the frame
Sends an ARP request
Floods the frame to all ports in the VLAN except the ingress port
Floods the frame to every port on the switch regardless of VLAN
3. The MAC table maps which key to which value?
Source IP -> ingress port
{VLAN, source MAC} -> ingress port
{VLAN, destination MAC} -> egress IP
EtherType -> queue ID
4. Rapid, repeated MAC moves of the same MAC between two ports most likely indicates which problem?
Normal endpoint roaming
A Layer 2 loop, duplicate MAC, or flapping link
An expired SSL certificate
An unconfigured native VLAN
Pre-Quiz: Voice VLAN and LLDP-MED
1. Which LLDP-MED TLV tells an IP phone its VLAN, 802.1p priority, and DSCP?
Chassis ID TLV
Network Policy TLV
Inventory TLV
System Capabilities TLV
2. In the standard "phone + PC daisy chain" port design, how is VLAN tagging handled?
Voice and data both untagged on the access VLAN
Voice tagged on the voice VLAN, data untagged on the access VLAN
Voice untagged, data tagged with VLAN 1
Both voice and data tagged with the same VLAN
3. Typical recommended QoS markings for voice RTP traffic are:
Priority 0, DSCP 0
Priority 7, DSCP 56
Priority 5, DSCP 46 (EF)
Priority 3, DSCP 24 (CS3)
4. After plugging in an IP phone, show lldp neighbor-info ... detail shows no Network Policy block. Which fix is most likely needed?
Enable DTP on the access port
Apply lldp med network-policy voice vlan ... priority ... dscp ... on the interface and ensure the voice VLAN is in the trunk's allowed list
Reduce MAC aging to 60 seconds
Set vlan trunk allowed all on every port
Section 4: Voice VLAN and LLDP-MED
Key Points
The standard model is tagged voice + untagged data on the same port; the phone learns its VLAN via LLDP-MED.
Mark a VLAN as voice with the voice keyword inside the VLAN context.
The LLDP-MED Network Policy TLV carries application type, VLAN ID, 802.1p priority, and DSCP.
Common voice settings: priority 5, DSCP 46 (EF) for RTP; priority 3, DSCP 24 (CS3) for signaling.
qos trust dscp tells the switch to honor the phone's DSCP markings and queue voice ahead of data.
LLDP and LLDP-MED Basics
LLDP (IEEE 802.1AB) is a vendor-neutral neighbor-discovery protocol; each device periodically multicasts a frame describing itself. LLDP-MED (ANSI/TIA-1057) extends LLDP for IP phones, adding Network Policy TLVs that let a switch tell a phone which VLAN, 802.1p priority, and DSCP to use.
Analogy: LLDP-MED as the hotel concierge. When a guest (the phone) checks in, the concierge (the switch) hands them a card explaining which floor (VLAN), which entrance (priority), and which elevator key (DSCP) to use. A PC, with no reservation, just uses the lobby (the data VLAN).
Voice VLAN Auto-Configuration
The standard model on a shared phone+PC port: voice tagged, data untagged.
The phone learns voice VLAN 200, priority 5, and DSCP 46 from the switch's Network Policy TLV; it then obtains an address via DHCP and registers with the call manager, sending both on the tagged voice VLAN.
Application Types and QoS Marks
Application | Typical 802.1p | Typical DSCP
voice (RTP) | 5 | 46 (EF)
voice-signaling | 3 | 24 (CS3)
video-conferencing | 4 | 34 (AF41)
streaming-video | 4 | 26 (AF31)
Verifying Phone Discovery
switch# show lldp neighbor-info 1/1/5 detail
...
LLDP-MED Capabilities
Device Type : Endpoint Class III
Network Policy
Application : voice
VLAN ID : 20
Priority : 5
DSCP : 46
If the Network Policy block matches the intended VLAN, priority, and DSCP, the LLDP-MED handshake succeeded. If it's missing, check show lldp configuration, show lldp tlvs-tx, show vlan port, and show running-config interface.
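The Network Policy TLV that carries the application type, VLAN ID, 802.1p priority and DSCP shown in that output, as an added Python encoder/decoder following the ANSI/TIA-1057 field layout (not AOS-CX code and not part of this course). The function names are assumed for the example; the sample values (voice, VLAN 200, priority 5, DSCP 46) are the ones used elsewhere in this section.

```python
import struct

TLV_ORG_SPECIFIC = 127        # IEEE 802.1AB organizationally specific TLV type
TIA_OUI = b"\x00\x12\xbb"     # ANSI/TIA OUI used by every LLDP-MED TLV
MED_NETWORK_POLICY = 2        # LLDP-MED subtype of the Network Policy TLV
APP_TYPES = {1: "voice", 2: "voice-signaling",
             6: "video-conferencing", 7: "streaming-video"}

def encode_network_policy(app_type, vlan_id, priority, dscp,
                          unknown=False, tagged=True) -> bytes:
    """Build the TLV: 2-byte header, OUI, subtype, 4-byte policy word."""
    if not (0 <= vlan_id <= 4094 and 0 <= priority <= 7 and 0 <= dscp <= 63):
        raise ValueError("VLAN, priority or DSCP out of range")
    # App(8) | U(1) | T(1) | X(1, reserved=0) | VLAN(12) | L2 priority(3) | DSCP(6)
    policy = ((app_type << 24) | (int(unknown) << 23) | (int(tagged) << 22)
              | (vlan_id << 9) | (priority << 6) | dscp)
    body = TIA_OUI + bytes([MED_NETWORK_POLICY]) + struct.pack("!I", policy)
    header = (TLV_ORG_SPECIFIC << 9) | len(body)      # type(7) | length(9)
    return struct.pack("!H", header) + body

def decode_network_policy(tlv: bytes) -> dict:
    """Parse one TLV back into the fields a phone would act on."""
    header, = struct.unpack("!H", tlv[:2])
    ttype, length = header >> 9, header & 0x1FF
    body = tlv[2:2 + length]
    if ttype != TLV_ORG_SPECIFIC or body[:3] != TIA_OUI \
            or body[3] != MED_NETWORK_POLICY:
        raise ValueError("not an LLDP-MED Network Policy TLV")
    policy, = struct.unpack("!I", body[4:8])
    app = policy >> 24
    return {"application": APP_TYPES.get(app, app),
            "unknown": bool((policy >> 23) & 1),
            "tagged": bool((policy >> 22) & 1),
            "vlan": (policy >> 9) & 0xFFF,
            "priority": (policy >> 6) & 0x7,
            "dscp": policy & 0x3F}
```

Comparing the decoded fields with the VLAN ID, Priority and DSCP lines of show lldp neighbor-info detail is a direct check that the switch advertised what the interface configuration intended.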
Figure 3.4: LLDP-MED voice VLAN auto-provisioning
sequenceDiagram
participant Phone as "IP Phone"
participant SW as "AOS-CX Switch"
participant DHCP as "DHCP Server"
participant CM as "Call Manager"
Phone->>SW: "Link up + PoE classification"
SW-->>Phone: "PoE class 3/4 power supplied"
SW->>Phone: "LLDP-MED Network Policy TLV (VLAN 200, PCP 5, DSCP 46)"
Note over Phone: "Phone configures voice VLAN tag"
Phone->>SW: "Tagged DHCP DISCOVER on VLAN 200"
SW->>DHCP: "Forward DHCP request (voice scope)"
DHCP-->>Phone: "DHCP OFFER: IP, TFTP, call-mgr address"
Phone->>CM: "SIP REGISTER (DSCP 46 on voice VLAN)"
CM-->>Phone: "200 OK — phone ready"
Note over SW: "PC behind phone sends untagged → VLAN 10 (data)"
Post-Quiz: Voice VLAN and LLDP-MED
1. Which LLDP-MED TLV tells an IP phone its VLAN, 802.1p priority, and DSCP?
Chassis ID TLV
Network Policy TLV
Inventory TLV
System Capabilities TLV
2. In the standard "phone + PC daisy chain" port design, how is VLAN tagging handled?
Voice and data both untagged on the access VLAN
Voice tagged on the voice VLAN, data untagged on the access VLAN
Voice untagged, data tagged with VLAN 1
Both voice and data tagged with the same VLAN
3. Typical recommended QoS markings for voice RTP traffic are:
Priority 0, DSCP 0
Priority 7, DSCP 56
Priority 5, DSCP 46 (EF)
Priority 3, DSCP 24 (CS3)
4. After plugging in an IP phone, show lldp neighbor-info ... detail shows no Network Policy block. Which fix is most likely needed?
Enable DTP on the access port
Apply lldp med network-policy voice vlan ... priority ... dscp ... on the interface and ensure the voice VLAN is in the trunk's allowed list