This article will focus on how you can configure various Layer 2 features on Cisco switches, which you will need to learn to pass the CCNA exam.

After going through this article, you will be able to configure:

  • * VLANs
  • * VTP(VLAN Trunk Protocol)
  • * DTP(Dynamic Trunking Protocol)
  • * Port Security
  • * Portchannel

The goal of the article is to show practical examples on how you can configure any of the above features and how to check if they are working as expected or not. A short theoretical introduction of every feature will also be provided.

All configuration examples will be done based on the below topology:


But first, a short introduction about VLAN, DTP and VTP.

A VLAN (Virtual LAN) is a logical broadcast domain. This logical domain can span across many switches, rooms, buildings. A VLAN is a logical IP network. Using VLANs, you can have multiple IP networks on the same switched network. As long as two hosts have IP addresses that are part of the same subnet and the ports where they are connected in the switch are part of the same VLAN, then the hosts can communicate with each other.

A trunk is a point to point link between two networking devices; they can be two switches, one switch and one router or two routers. An Ethernet trunk can carry multiple VLANs through a process called VLAN tagging. When a switch sends a frame through a trunk interface, it adds a header to the frame prior to sending it. This header contains among others a VLAN identifier (VLAN ID). When the receiving switch analyzes the frame, it will know which VLAN that frame belongs to based on the VLAN ID.

Cisco supports two trunking protocols: ISL (Inter-Switch Link) and 802.1Q. The first one is Cisco proprietary with all the drawbacks that come with this: you cannot use it in a multi vendor network. The second is an IEEE standard. Another difference between the two is that ISL encapsulates the whole Ethernet frame whereas 802.1Q only adds a header to the original Ethernet frame right after the Source Address field.

The 802.1Q has a field (12 bits) which specifies that a VLAN ID can be in the range of 1 to 4095.

802.1Q provides the concept of native VLAN. 802.1Q does not add a 802.1Q header to frames in native VLAN. By default, on Cisco devices, the native VLAN is VLAN ID 1. So whenever a switch receives untagged traffic over a trunk interface, it assumes that the traffic is part of the native VLAN.

DTP (Dynamic Trunk Protocol) is a Cisco proprietary protocol and is used to negotiate trunk interfaces. DTP has to be enabled on both sides of the link. A Cisco switch supports multiple trunking modes. Each mode dictates how the port will negotiate to set up a trunk link with the other peer.

VTP (VLAN Trunk Protocol) is a Cisco proprietary protocol which switches use to exchange information about the VLAN configured. Also, VTP can add, delete, and change VLANs on a switch.

A switch running VTP can be in server mode, client mode or transparent mode. VTP starts with a switch in server mode creating a VLAN. The switch then transmits this configuration change to other switches using VTP messages. Every time a switch in server mode makes a modification, the revision number increases by 1.

In order for two switches to exchange VTP messages and interpret them, the following conditions have to be met:

  • * A 802.1Q or ISL link must exist between them.
  • * The VTP domain must match.
  • * If configured, the password should match.

What happens if you don’t want to have a switch modifying the VLAN configuration on all switches in the network? You can use the third mode: transparent mode. The switches in transparent mode can modify its own VLAN configuration, but they don’t react upon receiving VTP advertisement. However, these VTP messages are forwarded to neighbouring devices.

A feature which comes in handy with regards to limiting the broadcast and unknown unicasts flooding over trunk links is VTP pruning. VTP pruning determines what VLANs are not needed on switches (because there are no ports configured in those VLANs) and then prunes those VLANs from the trunk links.

So let’s start configuring all that we’ve talked about.

Task 1.

You are asked to put Host 1 and Host 2 in the same VLAN (VLAN 10) so that they will be able to communicate. Make sure that the links between the switches can carry traffic for multiple VLANs (use additional VLAN 20 and VLAN 30) using a standard trunking encapsulation.

Let’s configure VLAN 10, VLAN 20 and VLAN 30 on SW-1:


To check if the VLANs were created, you should use the command “show vlan”:


A similar configuration is done on SW-2 and SW-3.

Now it’s time to configure the ports where Host 1 and Host are connected in SW-1 and SW-2 in VLAN 10:


And for SW-2:


It’s time to configure the links between the switches. Because the task is asking for a standard encapsulation between 802.1Q and ISL, we have to choose 802.1Q since ISL is Cisco proprietary.

So let’s configure the link between SW-1 and SW-2 as trunk. Before doing that, it’s worth mentioning that when you configure a trunk interface, you have the option to specify for which VLANs the interface can carry traffic. You can either configure the trunk to allow all VLANs or you can specify exactly which VLANs are permitted on the trunk interface. In our case, SW-1 will be configured to allow all VLANs, whereas SW-2 will be configured to allow only VLAN 10,VLAN 20 and VLAN 30:



The links between SW-1 and SW-3, and SW-2 and SW-3, are configured in a similar way for redundancy.

Now that we have configured the VLANs on the switches, placed the interfaces where the hosts are connected in the proper VLAN, and configured the links between the switches as trunk, let’s check the connectivity between the two hosts.

Ping from Host-1 to Host-2 should be successful:


I was talking above about redundancy. If the direct link between SW-1 and SW-2 breaks and the VLANs are permitted on all trunk interfaces between SW-1, SW-2 and SW-3, then the traffic will take the alternate path.

How the switches select which path is better to send the traffic between Host-1 and Host-2 is outside the scope of this article, but as a reference it is based on Spanning Tree Protocol calculations.

One very useful command that can provide you important information about the operational status of an interface is “show interface giX/Y switchport”:


Using this command, you can find out how the interface was configured (Administrative Mode) and how it is acting (Operational Mode), what the trunking encapsulation is, what the native VLAN is and which VLANs are permitted on the trunk interface (Trunking VLANs Enabled).

As you can remember, on SW-2 we configured explicitly that only VLANs 10, 20 and 30 will be allowed.

One other useful command is ‘show interfaces trunk’:


This command will tell you which VLANs are permitted on every trunk interface, and which are active and which are not pruned by VTP.

Sometimes it’s necessary to tag the native VLAN and change the VLAN ID.

Let’s see how is this done and how can we check it.

You will see that the native VLAN changed from VLAN 1 to VLAN 30 (Trunking Native Mode VLAN):


As I said DTP allows negotiating the trunk links.

Task 2.

Configure the link between SW-1 and SW-2 to not negotiate the trunk link, but form a trunk link.

Configure the link between SW-1 and SW-3 to negotiate the link with both peers sending DTP messages wanting to form a trunk link.

Let’s configure the link between SW-1 and SW-3.

Because we shouldn’t have any auto-negotiation between the peers, the command ‘switchport nonegotiate’ must be configured under the interface.

As you can see below, Negotiation of Trunking is Off.

SW-1 has a similar configuration under interface GigabitEthernet8/3.


Let’s continue with the link between SW-1 and SW-3. The wording of the task clearly means that we have to configure the ports as ‘desirable’:


Check the ‘Administrative Mode:’ and ‘Operational Mode:’ to see how the port was configured and how it ended to operate:


Task 3.

Configure SW-1 as VTP server, SW-2 as VTP client and SW-3 in transparent mode. The VTP domain for SW-1 and SW-2 will be DOMAIN-VTP and the password will be PASS-VTP.


The configuration is similar on SW-1, except the mode which should be set to server.



Because SW-1 is the VTP server, any change in the VLAN configuration will be propagated to SW-2 also.

Let’s configure VLAN 50 on SW-1 and check that SW-2 will have this VLAN also.

First let’s check that we don’t have VLAN 50 on SW-2:



Checking again on SW-2, we see that the VLAN was created:


SW-3 was configured in transparent mode:


And because it is in transparent mode, it doesn’t process the VTP messages received from SW-1 and doesn’t have VLAN 50:


The EtherChannel feature is a grouping of ports that act as a single logical connection between two devices. The logical link will load balance the traffic across all members. All the members of the logical connection have to be of the same type. You cannot group 1G links and 10G links in the same logical connection. The purpose of the EtherChannel is to increase the available bandwidth between the devices.

To establish an EtherChannel link, you can use either signalling protocols to bring up the link or you can use a static configuration.

The two protocols are PAGP (Port Aggregation Protocol) which is Cisco proprietary and LACP (Link Aggregation Control Protocol) which follows the standard 802.3ad.

The LACP/PAGP peer can be configured in such way that it will enable EtherChannel unconditionally (the mode is called active for LACP and desirable for PAGP) or it will enable EtherChannel if the other peer is configured for LACP/PAGP (the mode is called passive for LACP and auto for PAGP).

Task 4.

Configure EtherChannel between SW-2 and SW-3 over the two links between them using PAGP and LACP.

We will start with LACP. We need to specify on the physical interfaces the EtherChannel protocol (LACP), the mode (active) and what the name of the logical interface (Portchannel 1) will be. The trunking protocol and the VLANs allowed on the trunk interface are configured only on a Port Channel interface.

These are the steps to configure a Port Channel interface:


Now that we configured the interfaces, let’s check the configuration of the physical and Port Channel interfaces:


As you can see, some of the configuration from Port Channel interface was inherited by the physical interface.

Let’s check if the EtherChannel interface is up using ‘show etherchannel summary:


As you can see, Po1 has two members: gi1/0/9 and gi1/0/10 and it’s using LACP protocol.

Let’s configure EtherChannel using PAGP. The steps are identical with the exception that EtherChannel protocol has to be changed to PAGP:


And this is the check that it’s working as expected:


Port Security limits the number of MAC addresses allowed to be learned on the port and can also restrict what MAC addresses can be learned on a port.

Task 5.

Configure the switches to learn a maximum of one MAC address on the ports connected to the hosts. In case more than one MAC address are learned, then shutdown the port. Additionally, age out any MAC address after 30 minutes, if there is no user activity.

This is the configuration applied on Gi8/12 on SW-1:


As you can see, there is no configuration specifying the number of MAC addresses allowed on the interface, nor is the action to be taken by the switch when the maximum number of MAC addresses is reached.

However, if you check the operational status of port-security:


We can see that the action is ‘Shutdown’ and the maximum number of MAC addresses is 1.

These are the default configuration options and that’s why they don’t appear in the configuration, even though you are configuring them.

In this article, we saw how we can configure VLANs and the features associated with them: DTP, VTP.

Besides these, we saw the necessary steps to configure EtherChannel, which treats multiple links between the same two devices as a logical link for increased bandwidth.

Port-security protects the network edge to make sure that unwanted workstations do not get access to your network.