Access and Trunk Ports – Detailed Explanation

1. Definition and Purpose

  • Access Port: A switch port set to carry traffic for only one VLAN. Connects end devices like PCs, printers, IP phones, etc.
  • Trunk Port: A switch port set to carry traffic for multiple VLANs (using tagging). Used between switches, to routers (router-on-a-stick), or virtualization hosts.

2. Differences in Function and Usage

Aspect      Access Port                        Trunk Port
VLANs       Single VLAN                        Multiple VLANs (plus native VLAN)
Use Case    End devices (PC, printer, VoIP)    Switch-to-switch, switch-to-router
Tagging     No VLAN tags (frames untagged)     802.1Q VLAN tags added

3. VLANs and Port Types

  • Access Ports: Assigned to one VLAN (e.g., VLAN 10). Frames are untagged as they enter/leave; the one common exception is a Cisco voice VLAN, where the IP phone's own traffic is tagged with the voice VLAN while the PC behind the phone stays untagged.
  • Trunk Ports: Carry multiple VLANs using 802.1Q tags, so the VLAN identity survives the hop to the next switch.

4. VLAN Tagging

  • 802.1Q Tagging on Trunk Ports: a 4-byte tag is inserted after the source MAC address: a 2-byte TPID of 0x8100 followed by a 2-byte TCI holding a 3-bit priority, a 1-bit DEI and the 12-bit VLAN ID. The tag carries the VLAN identity between switches.
  • Access Ports: End devices send/receive untagged frames; the switch tracks the VLAN internally and adds or removes the tag only when the frame crosses a trunk.

5. Native VLAN Concept

  • On trunk ports, the native VLAN is sent untagged.
  • By default, Cisco uses VLAN 1 as the native VLAN, but best practice is to change it to an otherwise unused VLAN so that no access port shares the native VLAN.
  • Example: Native VLAN 99 means untagged frames on a trunk are placed in VLAN 99.

6. Configuring Access Ports (Cisco IOS Example)

Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10

This configures the port as an access port in VLAN 10.

7. Configuring Trunk Ports (Cisco IOS Example)

Switch(config)# interface FastEthernet0/24
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport trunk native vlan 99

Trunking is enabled, only VLANs 10, 20, 30 are allowed, and VLAN 99 is set as native. On platforms that also support ISL, switchport trunk encapsulation dot1q must be entered before switchport mode trunk is accepted.

8. Dynamic Trunking Protocol (DTP)

  • Cisco proprietary protocol that lets two directly connected switch ports negotiate whether the link becomes a trunk.
  • Modes (switchport mode ...):
    • access: Port is always an access port; it still sends DTP frames to tell the neighbour so.
    • trunk: Port is always a trunk; it still sends DTP frames.
    • dynamic desirable: Actively tries to form a trunk; trunks with a neighbour in trunk, desirable or auto mode.
    • dynamic auto: Passively waits; trunks only if the neighbour is trunk or desirable. Two auto ports never trunk.
  • Default on most current Catalyst switches is dynamic auto (older platforms defaulted to dynamic desirable), so an unconfigured port becomes a trunk for any neighbour, or any attacker, that sends DTP "desirable" frames.
  • Best Practice: Set every port statically (switchport mode access or switchport mode trunk) and stop DTP frames with switchport nonegotiate. IOS rejects nonegotiate while the port is still in a dynamic mode, so set the static mode first.
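The configuration rules in sections 6 to 8 are easy to check mechanically. The script below is an added example, not part of the original page and not a Cisco tool: it parses a constructed running-config excerpt (the SAMPLE_CONFIG string, invented for this example) and flags ports left in a dynamic DTP mode, static ports without switchport nonegotiate, trunks still using native VLAN 1, and trunks that allow every VLAN. The per-port defaults it assumes (dynamic auto, VLAN 1, all VLANs allowed) are Cisco IOS defaults, stated as an assumption in the code.

```python
import re
from dataclasses import dataclass

# Constructed sample of a Catalyst running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/23
 switchport mode trunk
!
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface Vlan1
 no ip address
!
"""


@dataclass
class Port:
    name: str
    # Assumed Cisco IOS defaults when nothing is configured: dynamic auto on
    # current Catalyst platforms (older ones defaulted to dynamic desirable),
    # access/native VLAN 1, every VLAN allowed, DTP frames enabled.
    mode: str = "dynamic auto"
    access_vlan: int = 1
    native_vlan: int = 1
    allowed: str = "all"
    nonegotiate: bool = False


def parse_config(text: str) -> list[Port]:
    """Collect the switchport settings of each physical interface block."""
    ports, cur = [], None
    for line in text.splitlines():
        m = re.match(r"interface (\S+)$", line)
        if m:
            name = m.group(1)
            # SVIs (interface VlanN) are routed interfaces, not switchports: skip them.
            cur = None if name.lower().startswith("vlan") else Port(name)
            if cur is not None:
                ports.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("switchport mode "):
            cur.mode = s[len("switchport mode "):]
        elif s.startswith("switchport access vlan "):
            cur.access_vlan = int(s.split()[-1])
        elif s.startswith("switchport trunk native vlan "):
            cur.native_vlan = int(s.split()[-1])
        elif s.startswith("switchport trunk allowed vlan "):
            cur.allowed = s[len("switchport trunk allowed vlan "):]
        elif s == "switchport nonegotiate":
            cur.nonegotiate = True
    return ports


def audit(ports: list[Port]) -> list[tuple[str, str]]:
    """Return (interface, finding) pairs for the misconfigurations this page warns about."""
    findings = []
    for p in ports:
        if p.mode.startswith("dynamic"):
            findings.append((p.name, f"mode '{p.mode}': will negotiate a trunk over DTP with any neighbour (or attacker) that asks"))
        elif not p.nonegotiate:
            findings.append((p.name, "static mode but DTP frames still sent; add 'switchport nonegotiate'"))
        if p.mode == "trunk":
            if p.native_vlan == 1:
                findings.append((p.name, "native VLAN left at 1; move it to an otherwise unused VLAN"))
            if p.allowed == "all":
                findings.append((p.name, "every VLAN allowed; prune with 'switchport trunk allowed vlan'"))
    return findings


if __name__ == "__main__":
    for intf, msg in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{intf}: {msg}")
```

Against the sample, FastEthernet0/1 and FastEthernet0/24 are clean, FastEthernet0/2 is flagged for sitting in the default dynamic auto mode, and FastEthernet0/23 collects three findings. Feed it the output of show running-config from a real switch to get the same report.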

9. Frame Handling on Access vs. Trunk Ports

  • Access Port: Hands the device an untagged frame and expects untagged frames back; on Catalyst switches a frame arriving tagged with the port's own access VLAN is also accepted.
  • Trunk Port: Tags each frame with its VLAN ID as it leaves the trunk and reads the tag as it arrives. Frames of the native VLAN leave untagged, and untagged frames that arrive are placed in the native VLAN.

10. Common Use Cases

Port Type     Example Use Case
Access Port   Connecting PCs, printers, IP phones, APs
Trunk Port    Switch-to-switch, switch-to-router (router-on-a-stick), hypervisors with multiple VLANs

11. Security Considerations

  • VLAN Hopping Attacks come in two forms:
    • Switch spoofing: a host on a port left in a dynamic DTP mode sends DTP frames, the port becomes a trunk, and the host can then tag its own frames into any allowed VLAN.
    • Double tagging: a host whose access VLAN is the trunk's native VLAN sends a frame carrying two 802.1Q tags. The first switch removes the outer tag and, because that VLAN is native, forwards the frame untagged on the trunk; the second switch reads the inner tag and delivers the frame into the victim VLAN. The attack is one-way (replies never come back), but that is enough for some attacks.
  • Prevention:
    • Set unused ports to access mode, assign them to an unused VLAN, and shut them down.
    • Make the native VLAN one that no access port uses (VLAN 1 is the worst choice because it is the default for both), or tag the native VLAN as well with the global command vlan dot1q tag native.
    • Disable DTP on user-facing ports (switchport mode access plus switchport nonegotiate).
    • Restrict each trunk to the VLANs it must carry with switchport trunk allowed vlan.
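To make the tagging (section 4), native VLAN (section 5), frame handling (section 9) and double-tagging mechanics concrete, the following is an added example that is not part of the original page and not vendor code. It builds real 802.1Q tags with struct, then models a deliberately simplified two-switch data plane: an access port, a trunk egress and a trunk ingress. The switch model (access ports accepting a frame tagged with their own VLAN, native VLAN untagged on the trunk, and the tag_native flag standing in for vlan dot1q tag native) is an assumption made for the example; the MAC addresses and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def add_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag (TPID 0x8100 + TCI) right after the source MAC."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def peek_tag(frame: bytes):
    """VLAN ID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def strip_tag(frame: bytes) -> bytes:
    """Remove the outermost tag (caller has checked one is present)."""
    return frame[:12] + frame[16:]


# Simplified switch data plane (assumption for this example). Inside a switch a
# frame travels as the pair (vlan, frame_without_outer_tag).

def access_ingress(frame, access_vlan):
    """Access port: untagged frames join access_vlan. A frame already tagged with
    access_vlan is accepted and the tag removed (the Catalyst behaviour the
    double-tag attack relies on); any other tag is dropped."""
    vid = peek_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, strip_tag(frame)
    return None, None


def trunk_egress(vlan, frame, native_vlan, allowed, tag_native=False):
    """802.1Q trunk egress: tag everything except the native VLAN, which leaves
    untagged unless tag_native (vlan dot1q tag native) is in effect."""
    if vlan not in allowed:
        return None
    if vlan == native_vlan and not tag_native:
        return frame
    return add_tag(frame, vlan)


def trunk_ingress(frame, native_vlan, allowed):
    """Trunk ingress: untagged frames land in the native VLAN, tagged frames in
    the VLAN of their outer tag."""
    vid = peek_tag(frame)
    vlan, inner = (native_vlan, frame) if vid is None else (vid, strip_tag(frame))
    return (vlan, inner) if vlan in allowed else (None, None)


def double_tag_attack(attacker_vlan, native_vlan, target_vlan, tag_native=False):
    """Send a frame tagged [outer=attacker_vlan][inner=target_vlan] from an access
    port on switch 1 across a trunk into switch 2. Returns the VLAN switch 2
    delivers it to, or None if it is dropped on the way."""
    payload = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 0x0800,
                          b"constructed IPv4 payload")
    crafted = add_tag(add_tag(payload, target_vlan), attacker_vlan)  # inner first, then outer
    allowed = {attacker_vlan, native_vlan, target_vlan}
    vlan, frame = access_ingress(crafted, attacker_vlan)
    if vlan is None:
        return None
    wire = trunk_egress(vlan, frame, native_vlan, allowed, tag_native)
    if wire is None:
        return None
    vlan2, _ = trunk_ingress(wire, native_vlan, allowed)
    return vlan2


if __name__ == "__main__":
    print("attacker in native VLAN 1, target 20:", double_tag_attack(1, 1, 20))        # 20: hop succeeds
    print("attacker in VLAN 10, native VLAN 99:", double_tag_attack(10, 99, 20))       # 10: stays put
    print("native VLAN tagged as well:", double_tag_attack(1, 1, 20, tag_native=True))  # 1: stays put
```

The three runs in the main block show why the prevention list reads the way it does: the hop works only when the attacker's access VLAN equals the trunk's native VLAN (the out-of-the-box VLAN 1 on both), and either moving the native VLAN away from every access VLAN or tagging the native VLAN keeps the inner tag hidden behind the outer one.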

12. Troubleshooting Access and Trunk Ports

  • Useful Commands:
    show interfaces switchport
    show vlan brief
    show interfaces trunk
  • Common Issues:
    • Mismatched trunk settings (one end trunk, other access or dynamic auto): the link never becomes a trunk, so at best only the native/access VLAN passes.
    • Native VLAN mismatch (must match on both trunk ends!): untagged frames leave one switch in VLAN A and arrive in VLAN B on the other, silently bridging the two VLANs; CDP logs a "Native VLAN mismatch" warning when both ends are Cisco.
    • Allowed VLANs mismatch (only VLANs allowed on both ends are trunked; show interfaces trunk lists the active set).

13. Multi-Vendor Differences

  • Cisco uses DTP and the switchport family of commands. HP/Aruba and Juniper do not run DTP, so nothing is negotiated and the port mode is always explicit: ArubaOS-Switch (ProCurve) declares membership per VLAN as tagged or untagged on a port (e.g., vlan 20 tagged 24), and Junos sets interface-mode trunk (port-mode trunk on older releases) with a vlan members list.
  • Always verify correct port mode and VLAN assignments per vendor documentation; an "untagged" VLAN on a tagged port is the same idea as Cisco's native VLAN.

📘 Example Scenario

PC1 connects to FastEthernet0/1 (access port, VLAN 10).
Switch1 connects to Switch2 via FastEthernet0/24 (trunk port, VLANs 10, 20, 99 allowed, native VLAN 99).
PC1 can only talk to other VLAN 10 devices. Trunk ports carry inter-switch traffic for all allowed VLANs.

📑 Summary Table

Feature           Access Port          Trunk Port
VLANs carried     One (untagged)       Multiple (tagged) plus native VLAN
End device use    Yes                  No
Switch-to-switch  No                   Yes
Tagging           None (for device)    802.1Q tag (except native VLAN)
Default config    VLAN 1               VLAN 1 native, all VLANs allowed

When to Use Each Port Type

  • Access Port: For all single-VLAN devices (PCs, printers, IP phones, cameras, etc.).
  • Trunk Port: For inter-switch links, switch-to-router links, and virtualization hosts needing multiple VLANs.

Access and Trunk Ports Quiz

1. What is the main characteristic of an Access Port on a switch?

Correct answer is B. Access ports carry traffic for a single VLAN and connect end devices.

2. What type of VLAN traffic does a Trunk Port carry?

Correct answer is C. Trunk ports carry multiple VLANs simultaneously, tagging frames with 802.1Q tags.

3. What is the default native VLAN on Cisco switches?

Correct answer is D. VLAN 1 is the default native VLAN on Cisco switches.

4. How do frames appear on Access Ports?

Correct answer is A. Access ports send and receive untagged frames.

5. Which Cisco IOS command sets a port as an access port assigned to VLAN 10?

Correct answer is B. This command sets the port as access and assigns it to VLAN 10.

6. What does the Dynamic Trunking Protocol (DTP) do?

Correct answer is C. DTP is a Cisco proprietary protocol to negotiate trunking automatically.

7. Which command disables DTP negotiation on a port?

Correct answer is A. The command "switchport nonegotiate" disables DTP on a port.

8. What is the best practice regarding the native VLAN for security?

Correct answer is D. Changing native VLAN from default VLAN 1 improves security against VLAN hopping attacks.

9. Which device typically connects to a trunk port?

Correct answer is C. Trunk ports are typically used to interconnect switches or connect to routers.

10. What happens to VLAN tags on frames sent through an access port?

Correct answer is B. Access ports send and receive untagged frames, so VLAN tags are stripped before forwarding to the device.
