Switching and Layer 2
netverdict models Layer 2 as deterministic forwarding state. The goal is to make access-layer labs, loop-prevention checks, trunk mistakes, and neighbour visibility reproducible, not to emulate a particular switching ASIC.
For narrower pages, see VLAN, STP, EtherChannel, Discovery, and Layer-2 Security.
Support level
| Area | Level | What this means |
|---|---|---|
| Ethernet MAC learning | Supported | Source MAC learning, unknown-unicast flooding, known-unicast forwarding, and ageing-style state. |
| VLAN access ports | Supported | Access VLAN assignment and per-VLAN broadcast domains. |
| 802.1Q trunks | Supported | Allowed VLAN lists, native VLAN handling, tagged forwarding, and trunk show output. |
| SVIs and routed VLANs | Supported | `interface VlanX` can provide a routed gateway for a VLAN. |
| Router subinterfaces | Supported | Dot1Q subinterfaces participate in VLAN-aware routing. |
| STP / PVST | Behaviour model | Root election and blocked/forwarding state are deterministic. |
| RSTP / MST | Behaviour model | Common lab outcomes are represented; not a full BPDU timer replay. |
| BPDU guard / inconsistent state | Behaviour model | Edge-protection and blocked/error state can affect forwarding. |
| EtherChannel | Supported | Port-channel interfaces and member selection. |
| LACP | Behaviour model | Active/passive eligibility and selected/unselected member state. |
| PAgP | Behaviour model | Auto/desirable-style bundle outcome. |
| CDP | Behaviour model | Neighbour discovery and IOS-style show output. |
| LLDP | Behaviour model | Standards-style neighbour discovery and show output. |
| VTP | Behaviour model | VLAN propagation/status surfaces for supported modes. |
| UDLD | Behaviour model | UDLD shutdown/reset-style behaviour in supported scenarios. |
| Port security | Supported | Static/sticky MACs, maximum, and violation actions. |
| DHCP snooping | Behaviour model | Trusted ports and binding table state used by security labs. |
| 802.1X / MAB | Behaviour model | Port authorization from fixture users and fallback policy. |
Standards coverage
| Standard / feature family | Coverage | Notes |
|---|---|---|
| IEEE 802.3 behaviour | Supported | Ethernet frame forwarding outcome, MAC learning, and flooding. |
| IEEE 802.1Q | Supported | VLAN tags, access/trunk membership, native VLAN, and SVI/subinterface interactions. |
| IEEE 802.1D / PVST-style STP | Behaviour model | Deterministic root and port-state selection. |
| IEEE 802.1w / RSTP | Behaviour model | Rapid-STP mode and common state outcomes. |
| IEEE 802.1s / MST | Behaviour model | MST configuration surface and lab-level outcomes. |
| IEEE 802.1AX / LACP | Behaviour model | Bundle negotiation outcome and member eligibility. |
| IEEE 802.1AB / LLDP | Behaviour model | Neighbour table and selected TLV-style state. |
| Cisco CDP / VTP / UDLD / PAgP | Behaviour model | Vendor-specific access-layer behaviour where supported by labs and command tree. |
| Cisco port security | Supported | Sticky/static MACs, max count, violation actions, and show output. |
| DHCP snooping / DAI family | Behaviour model | Binding/trust model for supported security checks. |
| IEEE 802.1X | Behaviour model | Port authorization rather than a byte-level EAPOL supplicant. |
Feature matrix
| Feature | Status | Notes |
|---|---|---|
| MAC address table | Supported | Learns and resolves per-switch forwarding state. |
| Broadcast flooding | Supported | Flooding is scoped to VLAN membership and STP state. |
| Unknown unicast flooding | Supported | Unknown destination MACs flood within the VLAN domain. |
| VLAN database | Supported | VLAN IDs/names are stored and emitted. |
| Access VLAN | Supported | Untagged ingress maps to the configured access VLAN. |
| Trunk allowed list | Supported | VLANs not allowed on a trunk are filtered. |
| Native VLAN | Supported | Untagged trunk traffic maps to the native VLAN. |
| SVI gateway | Supported | VLAN interfaces can route traffic from the L2 domain. |
| Dot1Q subinterfaces | Supported | Router-on-a-stick scenarios are represented. |
| STP root election | Behaviour model | Priority and bridge ID influence the deterministic root. |
| STP blocked ports | Behaviour model | Blocked links are removed from forwarding paths. |
| PortFast / edge intent | Supported | Stored and reflected in STP/access-layer state. |
| BPDU guard | Behaviour model | Edge-protection failures can block/shutdown forwarding. |
| EtherChannel static bundle | Supported | Port-channel participates as a logical interface. |
| LACP / PAgP member selection | Behaviour model | Bundle eligibility is calculated from configured mode. |
| CDP / LLDP neighbours | Behaviour model | Neighbour tables are derived from topology and config. |
| VTP VLAN propagation | Behaviour model | Supported modes can propagate VLAN state in labs. |
| UDLD failure | Behaviour model | Supported scenarios can represent a unidirectional-link shutdown. |
| Port security sticky MAC | Supported | Learns/stores sticky MAC intent and enforces maximum where modelled. |
| DHCP snooping trust | Behaviour model | Trusted/untrusted port state feeds binding/security checks. |
| 802.1X / MAB authorization | Behaviour model | Interface authorization controls forwarding for supported clients. |
Vendor command matrix
| Command | IOS-style | Junos-style | VyOS-style | Notes |
|---|---|---|---|---|
| `vlan 10` | Supported | Partial | Partial | VLAN creation. |
| `name USERS` | Supported | Supported | Supported | VLAN metadata. |
| `switchport mode access` | Supported | n/a | Partial | Access-port mode. |
| `switchport access vlan 10` | Supported | n/a | Partial | Access VLAN membership. |
| `switchport mode trunk` | Supported | n/a | Partial | Trunk-port mode. |
| `switchport trunk allowed vlan 10,20` | Supported | n/a | Partial | Allowed VLAN filtering. |
| `switchport trunk native vlan 99` | Supported | Supported | Partial | Native VLAN intent. |
| `interface Vlan10` | Supported | Supported | Partial | SVI routed interface. |
| `encapsulation dot1q 10` | Supported | n/a | Partial | Router subinterface VLAN tag. |
| `spanning-tree vlan 10 priority 4096` | Supported | n/a | Partial | STP root influence. |
| `spanning-tree mode rapid-pvst` | Supported | n/a | n/a | STP mode selection. |
| `spanning-tree portfast` | Supported | n/a | Partial | Edge-port intent. |
| `spanning-tree bpduguard enable` | Supported | n/a | Partial | BPDU guard. |
| `channel-group 1 mode active` | Supported | n/a | Partial | LACP bundle membership. |
| `channel-group 1 mode desirable` | Supported | n/a | n/a | PAgP bundle membership. |
| `cdp enable` / `no cdp enable` | Supported | n/a | n/a | CDP interface control. |
| `lldp transmit` / `lldp receive` | Supported | Supported | Supported | LLDP interface control. |
| `vtp mode server/client/transparent` | Supported | n/a | n/a | VTP mode surface. |
| `udld port aggressive` | Supported | n/a | n/a | UDLD protection intent. |
| `switchport port-security` | Supported | n/a | Partial | Port-security enablement. |
| `switchport port-security mac-address sticky` | Supported | n/a | Partial | Sticky MAC learning. |
| `ip dhcp snooping trust` | Supported | n/a | Partial | DHCP snooping trusted port. |
| `authentication port-control auto` | Supported | Partial | n/a | 802.1X interface control. |
| `show mac address-table` | Supported | Vendor-shaped view | Vendor-shaped view | Learned MAC state. |
| `show vlan brief` | Supported | Partial | Partial | VLAN membership. |
| `show interfaces trunk` | Supported | Partial | Partial | Trunk state. |
| `show spanning-tree` | Supported | Partial | Partial | Model-derived STP state. |
| `show etherchannel summary` | Supported | Partial | Partial | Bundle state. |
| `show cdp neighbors` | Supported | n/a | n/a | CDP neighbours. |
| `show lldp neighbors` | Supported | Supported | Supported | LLDP neighbours. |
Behaviour notes
Layer-2 forwarding is VLAN-scoped. A frame is first classified into a VLAN from access, trunk, subinterface, or native-VLAN context. Forwarding then uses the MAC table and the active STP/EtherChannel state for that VLAN.
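The classify-then-forward order described above, as an added Python sketch (not netverdict's own code). The `Port` and `Switch` classes and the lab layout are hypothetical, STP and EtherChannel state are left out, and two behaviours are assumptions: tagged frames on an access port are dropped, and a native VLAN missing from the allowed list is filtered like any other VLAN.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    mode: str                          # "access" or "trunk"
    access_vlan: int = 1
    native_vlan: int = 1
    allowed: frozenset = frozenset()   # trunk allowed-VLAN list

    def classify(self, tag):
        """Map an ingress frame to a VLAN; None means filtered at ingress."""
        if self.mode == "access":
            # Assumption: tagged frames on an access port are dropped.
            return self.access_vlan if tag is None else None
        vlan = self.native_vlan if tag is None else tag
        # Assumption: the native VLAN must also be in the allowed list.
        return vlan if vlan in self.allowed else None

    def carries(self, vlan):
        if self.mode == "access":
            return vlan == self.access_vlan
        return vlan in self.allowed

@dataclass
class Switch:
    ports: dict                                     # port name -> Port
    mac_table: dict = field(default_factory=dict)   # (vlan, mac) -> port name

    def receive(self, in_port, src, dst, tag=None):
        """Learn the source MAC, then return the sorted egress port names."""
        vlan = self.ports[in_port].classify(tag)
        if vlan is None:
            return []
        self.mac_table[(vlan, src)] = in_port
        known = self.mac_table.get((vlan, dst))
        if known is not None:
            return [] if known == in_port else [known]
        # Broadcast or unknown unicast: flood inside the VLAN only.
        return sorted(name for name, port in self.ports.items()
                      if name != in_port and port.carries(vlan))

def build_lab():
    """Constructed lab: three access ports plus the page's trunk example."""
    return Switch({
        "Gi0/1": Port("access", access_vlan=10),
        "Gi0/2": Port("access", access_vlan=20),
        "Gi0/3": Port("access", access_vlan=10),
        "Gi0/24": Port("trunk", native_vlan=99, allowed=frozenset({10, 20, 30})),
    })
```

With the trunk configured as in the page's example (allowed 10,20,30 and native 99), untagged frames arriving on the trunk classify into VLAN 99 and are filtered under this sketch's assumption, which is the kind of trunk mistake a lab check should surface.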
STP is a deterministic solver. It decides stable root and forwarding/blocking state from the configured topology. It does not replay every BPDU, proposal, agreement, or timer transition. This is deliberate: labs should test the final network outcome, not timing noise.
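A small solver in the spirit of this paragraph, added here as an example and not taken from netverdict. `solve_stp` and the switch names are hypothetical; it assumes a connected topology, equal-cost links, and no parallel links, and it applies the standard 802.1D tie-breaks (lowest bridge ID wins the root election, lowest root path cost then lowest neighbour bridge ID picks the root port).

```python
from collections import deque

def solve_stp(bridges, links):
    """bridges: name -> (priority, mac); links: list of (a, b) pairs.
    Returns (root, root_port, blocked): root_port maps each non-root bridge
    to the neighbour its root port faces; blocked holds (bridge, neighbour)
    pairs naming the bridge whose port on that link is blocking."""
    root = min(bridges, key=lambda b: bridges[b])      # lowest bridge ID
    nbrs = {b: set() for b in bridges}
    for a, b in links:
        nbrs[a].add(b)
        nbrs[b].add(a)
    # Breadth-first search gives the root path cost when all links cost the same.
    dist = {root: 0}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for n in sorted(nbrs[cur]):
            if n not in dist:
                dist[n] = dist[cur] + 1
                queue.append(n)

    def rank(b):
        return (dist[b], bridges[b])                   # lower is better

    root_port = {b: min(nbrs[b], key=rank) for b in bridges if b != root}
    blocked = set()
    for a, b in links:
        if root_port.get(a) == b or root_port.get(b) == a:
            continue                                   # link is part of the tree
        loser = max(a, b, key=rank)                    # non-designated end blocks
        blocked.add((loser, b if loser == a else a))
    return root, root_port, blocked

# Constructed triangle; SW1 carries "spanning-tree vlan 10 priority 4096".
TRIANGLE_LINKS = [("SW1", "SW2"), ("SW1", "SW3"), ("SW2", "SW3")]
TRIANGLE = {
    "SW1": (4096, "0000.0000.0003"),
    "SW2": (32768, "0000.0000.0001"),
    "SW3": (32768, "0000.0000.0002"),
}
```

The same input always produces the same root and blocked set, so a lab assertion can check the outcome without waiting on timers.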
EtherChannel is represented as a logical forwarding interface when member ports are eligible. LACP and PAgP are modelled at the selection/outcome level, not as full packet exchanges.
Discovery protocols are topology and configuration views. They are useful for show-command reasoning, audits, and lab tasks, but the simulator does not try to emit every vendor TLV variant.
Examples
Access VLAN with SVI gateway
```
configure terminal
vlan 10
 name USERS
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 no shutdown
end
show vlan brief
show mac address-table
```
Vendor styles
IOS-style
```
vlan 10
 name USERS
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
```
Junos-style
```
set vlans USERS vlan-id 10
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members USERS
set interfaces irb unit 10 family inet address 10.0.10.1/24
set vlans USERS l3-interface irb.10
```
VyOS-style
```
set interfaces ethernet eth1 vif 10 address 10.0.10.1/24
set interfaces ethernet eth2 bridge-group bridge br10
set interfaces bridge br10 vif 10
```
Trunk with native VLAN
```
configure terminal
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99
end
show interfaces trunk
```
EtherChannel with LACP
```
configure terminal
interface range GigabitEthernet0/1 - 2
 channel-group 1 mode active
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
end
show etherchannel summary
```
Port security on an access port
```
configure terminal
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
end
show port-security interface GigabitEthernet0/3
```
Known limits
STP, RSTP, and MST are solver models. They are stable and useful for topology outcomes, but they do not emulate every transient timer or per-vendor state transition.
LACP, PAgP, VTP, UDLD, DHCP snooping, and 802.1X/MAB are represented at the configuration and behaviour-outcome level. Full packet exchanges and every vendor TLV/state variant are not modelled.
Switch ASIC behaviours such as platform-specific hashing, CAM resource limits, storm-control counters, QoS queueing, and hardware errata are outside the current model.
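For the port-security example under Examples (maximum 2, sticky, violation restrict), the following added Python sketch shows the outcome a lab check would assert on; it is not netverdict's code. The `PortSecurity` class and the sample MACs are hypothetical, and the violation modes follow the usual Cisco semantics: protect drops silently, restrict drops and counts, shutdown drops, counts, and err-disables the port.

```python
from dataclasses import dataclass, field

@dataclass
class PortSecurity:
    maximum: int = 1
    violation: str = "shutdown"        # "protect", "restrict" or "shutdown"
    sticky: bool = False
    secure_macs: set = field(default_factory=set)
    sticky_config: list = field(default_factory=list)  # lines added to the config
    violations: int = 0                # the counter a defender would monitor
    err_disabled: bool = False

    def ingress(self, mac):
        """Return True if a frame with this source MAC is forwarded."""
        if self.err_disabled:
            return False
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)
            if self.sticky:
                # Sticky learning turns the dynamic entry into a config line.
                self.sticky_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            return True
        # Secure-address table is full: this frame is a violation.
        if self.violation == "protect":
            return False               # silent drop, nothing counted
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
        return False

def replay(port, source_macs):
    """Feed constructed source MACs through the port; return forward decisions."""
    return [port.ingress(mac) for mac in source_macs]

# Constructed traffic: two known hosts, one extra device, then the first host again.
SAMPLE = ["0000.0000.000a", "0000.0000.000b", "0000.0000.000c", "0000.0000.000a"]
```

Under restrict the port stays up and the known hosts keep forwarding, so the violation counter is the signal to alert on; under shutdown the same traffic takes the legitimate hosts offline as well.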