
Switch Configuration for CompTIA Network+ N10-009

Switch configuration is central to the Network Implementation domain of CompTIA Network+ N10-009. Switches require configuration to implement VLANs, trunking, port security, STP and PoE correctly. Unlike plug-and-play hubs, managed switches require deliberate configuration to enable their security and segmentation capabilities; a switch left at factory defaults (every port in VLAN 1, trunk negotiation on, no port security) is both a common source of network problems and an easy target on the LAN.


VLAN and Trunking Configuration

VLAN creation and assignment: on a managed switch, create the VLANs first, then assign each access port to one of them (by default every port belongs to VLAN 1). Access port: carries traffic for a single VLAN, untagged, and connects to end devices (computers, printers, phones). The end device never sees an 802.1Q tag: the switch tags the port's frames only when it forwards them out a trunk and strips the tag before delivering frames to the access port. Trunk port: carries tagged traffic for multiple VLANs over a single link; used between switches and between a switch and a router (or a server with a VLAN-aware NIC).

802.1Q trunking: inserts a 4-byte tag into the Ethernet header (TPID 0x8100, 3-bit priority code point, 1-bit drop eligible indicator, 12-bit VLAN ID; IDs 0 and 4095 are reserved, leaving 1–4094 usable). Native VLAN: the one VLAN that travels untagged on a trunk; frames from the native VLAN are sent without a tag, and untagged frames received on the trunk are assigned to the native VLAN. It must match on both ends of the trunk: a mismatch silently moves traffic from one side's native VLAN into a different VLAN on the other side (native VLAN mismatch). The native VLAN is also the basis of the double-tagging VLAN hopping attack: a host on an access port in the native VLAN sends a frame carrying two 802.1Q tags, the first switch forwards it onto the trunk untagged (removing the outer tag because it matches the native VLAN), and the next switch reads the inner tag and delivers the frame into that VLAN. Mitigation: set the native VLAN on every trunk to an unused VLAN (never leave it on VLAN 1 with hosts in VLAN 1), keep access ports out of that VLAN, and prune the allowed VLAN list on each trunk to the VLANs it actually needs.

DTP (Dynamic Trunking Protocol): Cisco proprietary; negotiates whether a link becomes a trunk. Modes: dynamic auto (passive, becomes a trunk only if the neighbor asks), dynamic desirable (actively negotiates a trunk), trunk (always a trunk, still sends DTP frames), access (always an access port, still sends DTP frames). Security: a port left in dynamic auto or dynamic desirable can be turned into a trunk by anyone who plugs in and sends DTP frames (switch spoofing), exposing every VLAN carried on the switch. Set the mode explicitly ('switchport mode access' or 'switchport mode trunk') and add 'switchport nonegotiate', which stops the port from sending DTP frames at all; the command is accepted only once the port is statically access or trunk. Do not rely on DTP in production.

VTP (VLAN Trunking Protocol): Cisco proprietary; synchronizes the VLAN database between switches in a VTP domain over trunk links. Modes: server (creates, modifies and deletes VLANs and propagates them), client (accepts updates, cannot modify), transparent (keeps a local database, forwards VTP advertisements but ignores them), off (no VTP at all). Risk: whichever switch advertises the highest configuration revision number overwrites every other switch's database, so a lab or spare switch with an empty VLAN list and a high revision number can delete the production VLANs, and every access port in a deleted VLAN stops forwarding. Mitigations: run VTP transparent or off unless it is genuinely needed, reset a switch's revision number before connecting it (change its domain name, or set transparent and then back), set a VTP password, and prefer VTPv3, whose primary-server role limits database changes to a single switch.
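Added configuration example (Cisco IOS syntax; not from the original page) that puts the VLAN, access-port, trunk, DTP and VTP settings from the paragraphs above on one switch. VLAN IDs 10, 20 and 999, the VLAN names and the interface numbers are illustrative assumptions; the far end of the trunk needs the same native VLAN and the same allowed VLAN list.

```cisco
! Added example, not part of the original page. VLAN IDs, names and
! interface numbers are assumptions; adapt them to your network.
!
! Keep this switch out of VTP synchronisation so a neighbour with a higher
! revision number cannot overwrite or delete the local VLAN database.
vtp mode transparent
!
vlan 10
 name USERS
vlan 20
 name PRINTERS
vlan 999
 name NATIVE_UNUSED
!
! Access port: one VLAN, untagged toward the host, no DTP frames at all.
interface GigabitEthernet1/0/1
 description User workstation
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 no shutdown
!
! Trunk port: static trunk, only VLANs 10 and 20 tagged, native VLAN moved
! off VLAN 1 to an unused VLAN so untagged frames cannot land in a user VLAN.
! The distribution switch must use native VLAN 999 on its side as well.
! (Older platforms also need: switchport trunk encapsulation dot1q)
interface GigabitEthernet1/0/48
 description Trunk to distribution switch
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 no shutdown
!
! Verification (privileged EXEC):
!   show interfaces trunk                       -> Native vlan 999, allowed 10,20
!   show interfaces gigabitEthernet1/0/1 switchport
!        -> Administrative/Operational Mode: static access,
!           Negotiation of Trunking: Off
!   show vtp status                             -> VTP Operating Mode: Transparent
```

The two 'show' commands are the check a practitioner runs after pasting the configuration: a trunk that reports "Negotiation of Trunking: On" or a native VLAN of 1 means a line was rejected or typed against the wrong interface.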

Port Security and Layer 2 Security

Port security: limits which MAC addresses can use a switch port and how many. Maximum MAC addresses per port is configurable (1 for a single PC, 2 or 3 for an IP phone with a PC behind it). Violation modes: protect (drop frames from unknown MACs silently, no log message and no violation counter), restrict (drop, increment the violation counter and send an SNMP trap/syslog message), shutdown (the default; put the port into err-disabled, which must be cleared manually with 'shutdown' then 'no shutdown', or by errdisable recovery). Use restrict or shutdown in production: protect stops the extra device but hides the event from the operator.

Sticky MAC: the port dynamically learns the MAC addresses of the first device(s) to connect, up to the configured maximum, and writes them into the running configuration as secure static entries, so no MAC has to be typed by hand. Combined with violation mode shutdown, a different device plugging into that port err-disables it, which gives simple per-port device locking. Two caveats: sticky entries survive a reload only if the running configuration is saved, and when a workstation is legitimately moved or replaced the stored MAC must be cleared before the port accepts the new device.

DHCP snooping: inspects DHCP messages per VLAN and treats every port as untrusted unless it is explicitly marked trusted. Trusted ports: uplinks toward the legitimate DHCP server or relay. Untrusted ports: all access ports. Server-originated messages (DHCP Offer, Ack, NAK) arriving on untrusted ports are dropped, which defeats rogue DHCP servers; on Cisco switches client messages whose Ethernet source MAC does not match the DHCP client hardware address are dropped by default as well, and a per-port rate limit prevents a host from flooding DHCP requests. From the legitimate exchanges the switch builds a binding table (MAC, IP, lease time, VLAN, port) that Dynamic ARP Inspection and IP Source Guard consult.

Dynamic ARP Inspection (DAI): intercepts ARP requests and replies on untrusted ports and checks the sender MAC/IP pair against the DHCP snooping binding table; ARP packets whose mapping is not in the table are dropped and logged, which stops ARP spoofing and ARP cache poisoning (the usual first step of a man-in-the-middle attack on a LAN). Uplinks are configured as DAI-trusted, and hosts with static IP addresses need ARP ACLs because they never create a DHCP binding. DAI therefore requires DHCP snooping to be enabled for the same VLANs.

802.1X port-based access control: a device (the supplicant) must authenticate before the switch port carries normal traffic. EAP frames travel over the LAN as EAPOL between the supplicant and the switch (the authenticator); the switch relays the EAP conversation to a RADIUS server (the authentication server) and never validates credentials itself. Until authentication succeeds the port passes only EAPOL. A device that fails authentication can be placed in a restricted VLAN, a device with no supplicant at all can be placed in a guest VLAN, and otherwise the port stays blocked. This prevents unauthorized devices from obtaining network access simply by plugging in, and the RADIUS server can return a VLAN assignment, so the port's VLAN follows the authenticated user rather than the wall jack.
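Added configuration example (Cisco IOS syntax; not from the original page) that applies the four controls above, port security with sticky MAC, DHCP snooping, DAI and 802.1X, to one access port and trusts only the uplink. VLAN 10 (users), VLAN 40 (restricted VLAN for failed authentication), the interface numbers, and the RADIUS server name, address 192.0.2.10 and shared secret are placeholders; the address is from the documentation range and the secret must be replaced.

```cisco
! Added example, not part of the original page. VLAN IDs, interface numbers
! and the RADIUS server name/address/key are assumptions.
!
! --- Global: DHCP snooping and DAI for the user VLAN -------------------
ip dhcp snooping
ip dhcp snooping vlan 10
! Stop inserting option 82 unless the DHCP server is configured to accept it
no ip dhcp snooping information option
ip arp inspection vlan 10
!
! --- Global: 802.1X authenticated against RADIUS -----------------------
aaa new-model
radius server NAC
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-REAL-SECRET
aaa authentication dot1x default group radius
dot1x system-auth-control
!
! --- Uplink: the only port where DHCP server replies and ARP are trusted
interface GigabitEthernet1/0/48
 description Trunk to distribution (DHCP server side)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Access port: untrusted for snooping/DAI, locked to one sticky MAC,
!     802.1X required before the host sees VLAN 10 ----------------------
interface GigabitEthernet1/0/1
 description User workstation
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ! Port security: first MAC seen is stored; a second MAC err-disables the port
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 ! 802.1X: this switch is the authenticator; failed auth lands in VLAN 40
 dot1x pae authenticator
 authentication port-control auto
 authentication event fail action authorize vlan 40
 ! Cap DHCP packets per second so one host cannot exhaust the binding table
 ip dhcp snooping limit rate 10
!
! Verification (privileged EXEC):
!   show ip dhcp snooping binding        -> MAC / IP / lease / VLAN / interface
!   show ip arp inspection statistics    -> ARP packets forwarded vs dropped
!   show port-security interface gigabitEthernet1/0/1
!        -> Sticky MAC count, violation mode, security violation count
!   show authentication sessions         -> 802.1X state per port
!
! Save so the learned sticky MACs survive a reload:
!   copy running-config startup-config
```

The order matters for the test in the lab: enable DHCP snooping and trust the uplink before turning on DAI, otherwise the binding table is empty and every ARP reply from a legitimately addressed host is dropped. Cisco supports port security and 802.1X together on a port in single-host mode; if the platform rejects the combination, keep 802.1X and move the device-count limit to the RADIUS policy.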

STP and Redundancy Configuration

Spanning Tree Protocol (STP, 802.1D): prevents Layer 2 loops by blocking redundant paths until a failure makes them necessary. Port states: blocking, listening, learning, forwarding, disabled. Root bridge election: the lowest bridge ID wins. The bridge ID is a 16-bit priority field (default 32768, with the VLAN ID added when one instance runs per VLAN, as in Cisco PVST+) followed by the switch MAC address, so equal priorities are broken by the lowest MAC. Because every switch ships with the default priority, the oldest switch with the lowest MAC often becomes root by accident; configure a low priority on the intended root deliberately. Root port: on each non-root switch, the one port with the lowest path cost to the root. Designated port: the one port on each segment that forwards toward the root. Non-designated ports: blocked.

Rapid STP (RSTP, 802.1w): faster convergence than 802.1D. Port states are reduced to discarding, learning and forwarding. New port roles: Alternate (a blocked backup for the root port) and Backup (a blocked backup for a designated port on the same segment). Edge ports (connected to end devices) move directly to forwarding without waiting; on Cisco switches a port is marked as an edge port with PortFast. RSTP converges in about 1–2 seconds versus 30–50 seconds for STP.

PortFast: lets an edge port skip the listening and learning states and go straight to forwarding, so a PC gets link and a DHCP lease immediately instead of waiting up to 30 seconds. Enable it only on ports connected to end devices, never on switch-to-switch links, where a loop can form in the seconds before the first BPDU arrives. BPDU Guard: if any BPDU is received on a PortFast-enabled port, the port is immediately err-disabled. End devices never send BPDUs, so a BPDU on an access port means a switch (authorized or not) has been plugged in; BPDU Guard is the control that keeps it out of the spanning tree.

Loop Guard and Root Guard: Loop Guard protects against unidirectional link failures. Normally a blocked (root or alternate) port that stops receiving BPDUs assumes the upstream switch is gone and transitions to designated/forwarding; with Loop Guard it is placed in a loop-inconsistent blocking state until BPDUs resume, so a one-way fibre or transceiver fault cannot open a loop. Root Guard is configured on ports that must never lead toward the root (the downstream-facing ports of the intended root and distribution switches). Such a port is forced to remain designated; if a superior BPDU arrives it goes root-inconsistent instead of becoming a root port, which keeps a misconfigured or rogue switch from taking over as root bridge.
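Added configuration example (Cisco IOS syntax; not from the original page) for the STP features above on a distribution switch intended to be the root for VLANs 10 and 20: Rapid PVST+, a deliberate root priority, PortFast with BPDU Guard on edge ports, Loop Guard globally and Root Guard on the downstream trunk. VLAN IDs and interface numbers are assumptions.

```cisco
! Added example, not part of the original page. VLAN IDs and interface
! numbers are assumptions.
!
spanning-tree mode rapid-pvst
!
! Deterministic root: the priority must be a multiple of 4096 because the
! low 12 bits of the field carry the VLAN ID (extended system ID). 4096+10
! beats every default 32768+10, so the MAC address never decides the root.
spanning-tree vlan 10,20 priority 4096
! (Alternative: spanning-tree vlan 10,20 root primary, which computes a
!  priority lower than the current root's for you.)
!
! Any port running PortFast also gets BPDU Guard: a BPDU on an edge port
! err-disables it instead of pulling an unexpected switch into the tree.
spanning-tree portfast bpduguard default
! Loop Guard on all non-designated ports: when BPDUs stop arriving (for
! example a unidirectional fibre fault) the port goes loop-inconsistent
! rather than forwarding.
spanning-tree loopguard default
!
! Edge port: skips listening/learning. BPDU Guard is inherited from the
! global default; it is repeated here so the intent is visible per port.
interface GigabitEthernet1/0/1
 description User workstation
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Downstream trunk to an access switch: Root Guard keeps this side
! designated. A superior BPDU from the access layer puts the port in
! root-inconsistent state instead of moving the root bridge down there.
interface GigabitEthernet1/0/47
 description Trunk to access switch
 switchport mode trunk
 spanning-tree guard root
!
! Verification (privileged EXEC):
!   show spanning-tree vlan 10           -> "This bridge is the root", port roles/states
!   show spanning-tree inconsistentports -> ports held by Root Guard or Loop Guard
!   show spanning-tree summary           -> global PortFast/BPDU Guard/Loop Guard defaults
```

Root Guard and Loop Guard are mutually exclusive on a given port; configuring 'spanning-tree guard root' on the downstream trunk is what you want there anyway, because on the root bridge every port is designated and Loop Guard would have nothing to protect.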

Key exam facts — Network+

  • Access port: single VLAN, untagged; Trunk port: multiple VLANs, 802.1Q tagged
  • Native VLAN: untagged on trunk — must match both ends to prevent VLAN mismatch
  • Port security: restrict (drop + log), shutdown (err-disable) violation modes
  • DHCP snooping: blocks rogue DHCP on untrusted ports; DAI: validates ARP against snooping table
  • 802.1X: EAP authentication required before port access — RADIUS server validates credentials
  • PortFast: skip STP states on edge ports; BPDU Guard: err-disable if BPDU received on PortFast port
  • STP root bridge: lowest priority (default 32768 + VLAN ID), tie-break by MAC address

Common exam traps

PortFast disables Spanning Tree on the port

PortFast skips the listening and learning states so an edge port moves immediately to forwarding; STP still runs on the port and BPDUs are still sent and received. The only difference is the faster transition for edge ports. BPDU Guard, not PortFast, is what protects against unauthorized switches: it err-disables the port if a BPDU arrives.

Practice questions — Switch Configuration

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A user connects an unmanaged switch to their access port to add more connections at their desk. The network team wants the port to automatically shut down if this happens. Which two features should be enabled on the access port?

A. PortFast and root guard
B. PortFast and BPDU Guard
C. Trunk mode and DTP
D. DHCP snooping and DAI

Correct answer: B. PortFast and BPDU Guard.

Explanation: PortFast lets the port forward immediately, which is appropriate for an end-device port, and BPDU Guard err-disables the port the moment a BPDU arrives. A managed switch sends BPDUs and trips the guard at once; a cheap unmanaged switch usually does not run STP and sends no BPDUs of its own, although BPDUs from any managed switch plugged in behind it are forwarded and will trip it. For that reason the standard access-port template pairs PortFast and BPDU Guard with port security (maximum one or two MAC addresses, violation shutdown), which catches the unmanaged switch as soon as a second MAC address appears on the port. Root Guard (A) only controls where the root bridge may be; trunk mode with DTP (C) would make the problem worse; DHCP snooping and DAI (D) protect against rogue DHCP servers and ARP spoofing, not against added switches.

Frequently asked questions — Switch Configuration

What is an err-disabled port and how do you recover it?

An err-disabled port is a switch port that the switch itself has disabled in response to a security or protocol violation: BPDU Guard detection, a port security violation in shutdown mode, or other triggers. The port LED is typically amber and the interface shows as err-disabled. To recover: identify the port and the cause ('show interfaces status err-disabled' lists the reason), remove the unauthorized device or otherwise fix the trigger, then manually bounce the port with 'shutdown' followed by 'no shutdown' in interface configuration mode. Alternatively configure 'errdisable recovery cause <reason>' and 'errdisable recovery interval <seconds>' so the switch re-enables the port automatically after the interval. Automatic recovery does not fix the cause: if the violation is still present, the port is err-disabled again as soon as it comes back up.
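Added example (Cisco IOS syntax; not from the original page) of the recovery procedure described above, first as the manual steps and then as the automatic-recovery configuration. The interface number is an assumption; the reason strings bpduguard and psecure-violation are the ones IOS uses for BPDU Guard and port-security shutdowns.

```cisco
! Added example, not part of the original page. Interface number is an
! assumption.
!
! 1. Find the port and why it was disabled (privileged EXEC):
!      show interfaces status err-disabled
!        -> Status column: err-disabled; Reason column: bpduguard,
!           psecure-violation, etc.
!      show errdisable recovery
!        -> which causes auto-recover and the timer value
!
! 2. Fix the cause first (unplug the rogue switch or extra device; if the
!    new device is legitimate, clear the old sticky MAC), then bounce the
!    interface by hand:
interface GigabitEthernet1/0/1
 shutdown
 no shutdown
!
! 3. Optional: let the switch re-enable ports err-disabled for these two
!    causes after 300 seconds. If the cause is still present the port is
!    err-disabled again, so this is a convenience, not a fix.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Confirm the port came back:
!   show interfaces gigabitEthernet1/0/1 status   -> Status: connected
```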
