In networking, particularly in the context of configuring network switches, “switchport access mode” and “switchport trunk mode” are two important concepts used to manage VLANs (Virtual Local Area Networks). In this article, we refer only to Cisco platform switches such as the Catalyst series.
Newcomers to networking (CCNA aspirants, for example) soon come across the terms TRUNK and ACCESS in switching.
On most Cisco switches, switchports are configured in “dynamic desirable” mode by default. This means that when we connect a device, the port will try to negotiate a trunk with it.
We can explicitly set switchports to either trunk or access mode; leaving the default setting (“dynamic desirable”) in place gives less control over switch port behaviour.
Trunk ports are generally used for switch-to-switch or switch-to-router (Router on a Stick) communication. Trunks carry multiple VLANs across devices and keep the VLAN tags in Ethernet frames so that the directly connected receiving device can differentiate between VLANs. Access ports are part of only one VLAN and are normally used for terminating end devices like PCs, laptops and printers.
Using the “switchport mode access” command forces the port to be an access port, and any device plugged into this port will only be able to communicate with other devices that are in the same VLAN.
Using the “switchport mode trunk” command forces the port to be a trunk port.
Switchport Access Mode
This mode is used to connect end devices like computers, printers, and IP phones to a VLAN.
- Single VLAN: The port can only be assigned to one VLAN. All traffic through this port is untagged and belongs to the assigned VLAN.
- Use Case: Typically used for devices that do not need to be aware of VLANs, such as desktop computers and other endpoints.
- Configuration Example (Cisco IOS):
interface FastEthernet0/1
switchport mode access
switchport access vlan 10
Switchport Trunk Mode
This mode is used to carry traffic for multiple VLANs across a single physical link, typically between switches or between a switch and a router.
- Multiple VLANs: The port can carry traffic for multiple VLANs. Each frame is tagged with a VLAN identifier (except for frames in the native VLAN, which may be untagged).
- Use Case: Used to connect network devices that need to handle traffic from multiple VLANs, such as between switches or from a switch to a router.
- Tagging: Uses IEEE 802.1Q tagging to identify frames from different VLANs.
- Configuration Example (Cisco IOS):
interface FastEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 10,20,30
Comparison Table : Access Mode vs Trunk Mode
The table below describes the differences between trunk mode and access mode on Cisco switches:
| PARAMETER | TRUNK MODE | ACCESS MODE |
|---|---|---|
| Terminology | A trunk port can carry traffic for one or more VLANs on the same physical link. Trunk ports differentiate VLANs by either adding a tag to the packet (802.1Q) or encapsulating the packet (ISL). | Access ports are part of only one VLAN and are normally used for terminating end devices like PCs, laptops and printers. |
| Default Behavior (Cisco Switches) | By default, a trunk interface can carry traffic for all VLANs. | By default, an access port carries only one VLAN. |
| Configuration | To put a port in trunk mode: “switchport mode trunk” | To put a port in access mode: “switchport mode access” |
| Use case | Switch to Switch connectivity; Switch to Router (when using Router on a Stick or a dot1q trunk); Switch to Server (specific cases only, especially in VM technology) | Switch to PC/laptop; Switch to Printer; Switch to Router. Note – This is the typical standard procedure when the switch port serves end users such as PCs, printers, or servers. |
| VLAN Tags | A port configured in trunk mode will carry VLAN tags. | A port configured in access mode will not carry VLAN tags (they are stripped). |
| Verification commands | show vlan brief; show interface x/x switchport | show interface trunk; show interface x/x switchport |
Related FAQs
1. What is the primary function of Switchport Access Mode?
- Switchport Access Mode is used to connect end devices (like computers, printers, or IP phones) to the network. It carries traffic for one VLAN only and is typically used in user-facing ports.
2. What is the main purpose of Trunk Mode?
- Trunk Mode is designed to carry traffic for multiple VLANs across a single link. It is commonly used to connect switches to each other or to routers, supporting multiple VLANs over a single connection.
3. How does VLAN tagging work in Access Mode vs. Trunk Mode?
- In Access Mode, the traffic is untagged because it belongs to a single VLAN, and the switch adds the VLAN tag when it receives traffic.
- In Trunk Mode, VLAN tags are added to the traffic to identify which VLAN the data belongs to. Typically, IEEE 802.1Q is used for VLAN tagging.
4. Can I use Access Mode for multiple VLANs?
- No, Access Mode can only handle one VLAN per port. If you need to carry traffic for multiple VLANs, Trunk Mode must be used.
5. What is a Native VLAN in Trunk Mode?
- A Native VLAN is the VLAN that carries untagged traffic on a trunk port. By default, VLAN 1 is used as the native VLAN, but it can be changed for security or organizational purposes.
6. When should I use Access Mode?
- Use Access Mode when you are connecting devices like PCs or printers that do not need to understand VLAN tagging. It is common for end-user ports in enterprise networks.
7. When should I use Trunk Mode?
- Use Trunk Mode when connecting network infrastructure devices like switches, routers, or firewalls that need to communicate with multiple VLANs over the same physical link.
8. How do I configure a port as an Access or Trunk port?
To configure a port as Access Mode, use:
switchport mode access
switchport access vlan [VLAN_ID]
To configure a port as Trunk Mode, use:
switchport mode trunk
switchport trunk allowed vlan [VLAN_IDs]
switchport trunk native vlan [VLAN_ID] (optional)
9. What is the default mode for switch ports?
- The default mode depends on the switch model, but typically, most ports are set to Dynamic Auto mode, meaning they negotiate trunking if necessary. However, you should manually configure ports for specific use cases.
10. What are the security risks of using Trunk Mode?
- Trunk Mode can expose your network to VLAN hopping attacks, where an attacker can exploit the VLAN tagging mechanism to gain unauthorized access to other VLANs. Proper security configurations, like disabling unused ports and setting a specific native VLAN, can mitigate this risk.
11. Can Access Mode ports be converted to Trunk Mode, and vice versa?
- Yes, you can change an Access Mode port to Trunk Mode and vice versa with the correct configuration commands. However, this typically requires administrative intervention to avoid unintended traffic issues.
12. What is DTP (Dynamic Trunking Protocol)?
- DTP is used to automatically negotiate the trunking state of a port. It allows ports to dynamically switch between Access Mode and Trunk Mode based on the other device’s configuration.
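The VLAN hopping and DTP answers above can be checked against a saved switch configuration. The following Python audit is an added example, not code from the original article: it flags ports that can still negotiate a trunk and trunks left on their defaults. The sample configuration, the function names and native VLAN 999 are constructed for illustration; `switchport nonegotiate` is a standard IOS command the article does not mention, and treating a port with no `switchport mode` line as negotiating is an assumption based on the default described above.

```python
import re

# Constructed sample running-config, not taken from the article.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 switchport mode trunk
!
interface FastEthernet0/4
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
"""

def parse_interfaces(config):
    """Map each interface name to its indented sub-commands."""
    blocks = re.findall(r"^interface (\S+)[ \t]*\n((?: .*\n)*)", config, re.M)
    return {name: [l.strip() for l in body.splitlines()] for name, body in blocks}

def audit_port(cmds):
    """Return trunk-related findings for one interface's sub-commands."""
    mode = next((c[len("switchport mode "):] for c in cmds
                 if c.startswith("switchport mode ")), None)
    findings = []
    if mode is None or mode.startswith("dynamic"):
        # Assumption: no explicit mode means the platform's dynamic default.
        findings.append("mode not fixed: port may negotiate a trunk via DTP")
    if mode == "trunk":
        if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
            findings.append("no allowed VLAN list: trunk carries all VLANs")
        native = next((c.split()[-1] for c in cmds
                       if c.startswith("switchport trunk native vlan")), "1")
        if native == "1":
            findings.append("native VLAN is the default VLAN 1")
        if "switchport nonegotiate" not in cmds:
            findings.append("DTP still enabled: add 'switchport nonegotiate'")
    return findings

def audit_config(config):
    """Audit every interface block; an empty list means no findings."""
    return {name: audit_port(cmds) for name, cmds in parse_interfaces(config).items()}
```

Calling `audit_config(SAMPLE_CONFIG)` returns a dictionary keyed by interface name; the explicitly configured access port and the fully pinned trunk come back with empty lists.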
ABOUT THE AUTHOR
I am here to share my knowledge and experience in the field of networking with the goal being – “The more you share, the more you learn.”
I am a biotechnologist by qualification and a Network Enthusiast by interest. I developed an interest in networking being in the company of a passionate Network Professional, my husband.
I am a strong believer of the fact that “learning is a constant process of discovering yourself.”
– Rashmi Bhardwaj (Author/Editor)