switchport access vlan [id]
Assigns a specific VLAN to an access port, placing the interface in that VLAN for untagged traffic.
Overview
The 'switchport access vlan' command is fundamental in Cisco NX-OS for assigning a Layer 2 access port to a specific VLAN. An access port carries traffic for only one VLAN, and frames are transmitted untagged (without a VLAN header). This command sets the Port VLAN ID (PVID) for the interface, meaning all untagged frames received on the port are assumed to belong to that VLAN, and frames sent out are stripped of their VLAN tag. This is essential for connecting end devices like PCs, printers, or servers that do not understand VLAN tagging.
In Cisco NX-OS (Nexus), the command syntax is straightforward: 'switchport access vlan {vlan-id | dynamic}'. The vlan-id is a number from 1 to 3967, with VLANs 1-1005 being standard (though VLAN 1 is default). The 'dynamic' option is rarely used and relies on VTP or VMPS, which are not commonly deployed on Nexus switches. When you issue this command, the interface is automatically placed in Layer 2 mode (if not already) and set to access mode if it was in trunk mode. However, it's recommended to explicitly configure 'switchport mode access' for clarity.
This command is used extensively in campus networks, data center access layers, and any scenario where end devices need to be segmented into different broadcast domains. It is a key part of VLAN configuration and is often verified with 'show interface switchport' or 'show running-config interface'. Troubleshooting involves checking that the VLAN exists, the port is not err-disabled, and that the operational VLAN matches the administrative VLAN. NX-OS behaves similarly to IOS, but note that NX-OS does not support the 'switchport access vlan' command on port-channels unless the port-channel is in access mode. Also, NX-OS uses a default VLAN of 1, and changing the access VLAN immediately affects traffic flow.
switchport access vlan {vlan-id | dynamic}When to Use This Command
- Assigning a user-facing port to a specific VLAN for end-device connectivity.
- Configuring a port for a VoIP phone with a data VLAN on the same switch.
- Setting up a management access port on a dedicated VLAN.
- Migrating a port from one VLAN to another during network reconfiguration.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| vlan-id | 1-3967 | Specifies the VLAN number to assign to the access port. The VLAN must exist in the VLAN database. If the VLAN does not exist, the command is accepted but the port remains operationally down until the VLAN is created. |
| dynamic | dynamic | Enables dynamic VLAN assignment via VTP or VMPS. This is rarely used on NX-OS as VTP is deprecated and VMPS is not supported. It is included for backward compatibility. |
Command Examples
Assign VLAN 10 to an access port
interface ethernet 1/1
switchport access vlan 10interface ethernet 1/1 switchport access vlan 10
The command assigns VLAN 10 to interface Ethernet 1/1. No output is shown if successful; the configuration is applied silently.
Verify access VLAN assignment
show interface ethernet 1/1 switchportName: Ethernet1/1 Switchport: Enabled Administrative Mode: access Operational Mode: access Administrative Access VLAN: 10 Operational Access VLAN: 10 Trunking Native Mode VLAN: 1 (default) Administrative Native VLAN tagging: enabled Operational Native VLAN tagging: enabled Voice VLAN: none Administrative private-vlan host-association: none Administrative private-vlan mapping: none Operational private-vlan: none Trunking VLANs Enabled: ALL Pruning VLANs Enabled: 2-1001 Capture Mode: disabled Capture VLANs Allowed: ALL
The output shows the interface is in access mode with VLAN 10 assigned both administratively and operationally. The native VLAN is default (1) but not used in access mode. The voice VLAN is none.
Understanding the Output
The 'show interface switchport' command provides detailed VLAN configuration for an interface. Key fields include 'Administrative Mode' (access or trunk), 'Operational Mode' (actual state), 'Administrative Access VLAN' (configured VLAN), and 'Operational Access VLAN' (active VLAN). A healthy access port shows both administrative and operational access VLANs matching the intended VLAN. If they differ, the port may be in a different VLAN due to misconfiguration or dynamic VLAN assignment. The 'Trunking Native Mode VLAN' is irrelevant for access ports. The 'Voice VLAN' field indicates if a separate voice VLAN is configured. 'Trunking VLANs Enabled' shows all VLANs allowed if the port were trunking, but for access ports this is not used. Look for any discrepancies between administrative and operational values to identify issues.
Configuration Scenarios
Assigning a user port to VLAN 100
A network administrator needs to connect a new employee's PC to the network. The PC should be in VLAN 100 (Data VLAN).
Topology
[PC] --- [Ethernet1/2] --- [Nexus Switch]Steps
- 1.Create VLAN 100 if not already present: 'vlan 100'
- 2.Enter interface configuration mode: 'interface ethernet 1/2'
- 3.Set the port to access mode: 'switchport mode access'
- 4.Assign VLAN 100: 'switchport access vlan 100'
- 5.Verify with 'show interface ethernet 1/2 switchport'
! Create VLAN vlan 100 name Data_VLAN ! Configure interface interface ethernet 1/2 switchport mode access switchport access vlan 100
Verify: Use 'show interface ethernet 1/2 switchport' to confirm 'Administrative Access VLAN' and 'Operational Access VLAN' are both 100. Also check 'show vlan id 100' to see the port listed.
Watch out: If the VLAN is not created, the port will show 'Operational Access VLAN: 1' (default) even though the configuration is applied. Always create the VLAN first.
Changing an existing access port to a different VLAN
A user is moving to a different department and their port needs to be reassigned from VLAN 10 to VLAN 20.
Topology
[User PC] --- [Ethernet1/5] --- [Nexus Switch]Steps
- 1.Enter interface configuration: 'interface ethernet 1/5'
- 2.Change the access VLAN: 'switchport access vlan 20'
- 3.Optionally, remove the old VLAN if no longer needed.
- 4.Verify the change.
interface ethernet 1/5 switchport access vlan 20
Verify: Use 'show interface ethernet 1/5 switchport' to see the new VLAN. Also, 'show mac address-table interface ethernet 1/5' will show MAC addresses learned in VLAN 20.
Watch out: Changing the VLAN will cause the user to lose connectivity momentarily. Ensure the new VLAN has proper DHCP and routing configured.
Troubleshooting with This Command
When troubleshooting access VLAN issues on Cisco NX-OS, the primary command is 'show interface switchport'. Check if the 'Operational Access VLAN' matches the 'Administrative Access VLAN'. If they differ, the VLAN may not exist or the port may be in a different mode. Use 'show vlan' to verify the VLAN exists and is active. If the VLAN is missing, create it with 'vlan <id>'. Also check if the port is err-disabled due to a security violation or other issues; use 'show interface status err-disabled' to see disabled ports. If the port is in trunk mode, 'switchport access vlan' is ignored; ensure the port is in access mode with 'switchport mode access'. For dynamic VLAN issues, ensure VTP or VMPS is configured correctly, though this is rare. Another common issue is that the port may be in a different VLAN due to a misconfigured voice VLAN; check the 'Voice VLAN' field. If the voice VLAN is set, the data VLAN may be overridden. Use 'show running-config interface' to see the full configuration. Finally, check for any ACLs or port-security that might block traffic. On NX-OS, the 'switchport access vlan' command is applied immediately, but the port may need to be shut/no shut to take effect if there are inconsistencies. Always verify with ping tests from the end device.
CCNA Exam Tips
Remember that 'switchport access vlan' implicitly sets the port to access mode if not already configured; you don't need to explicitly type 'switchport mode access' first.
On NX-OS, the default VLAN is 1; assigning a different VLAN changes the port's PVID.
Be aware that 'dynamic' keyword allows VLAN assignment via VTP or VMPS, but VTP is deprecated on NX-OS.
Common Mistakes
Forgetting to configure 'switchport mode access' before assigning an access VLAN; though NX-OS auto-sets mode, it's good practice to explicitly set it.
Assigning a VLAN that doesn't exist on the switch; the command will succeed but the port will be inactive until the VLAN is created.
Using 'switchport access vlan' on a trunk port; this command is ignored if the port is in trunk mode.
Platform Notes
On Cisco NX-OS (Nexus), the 'switchport access vlan' command behaves similarly to Cisco IOS, but there are nuances. NX-OS does not support the 'switchport access vlan' command on Layer 3 interfaces; the interface must be in Layer 2 mode (switchport). Unlike IOS, NX-OS automatically enables switching on an interface when you enter the 'switchport' command, but it's good practice to explicitly set 'switchport mode access'. NX-OS also does not support the 'dynamic' keyword for VMPS; it is included for compatibility but may not function. In NX-OS, VLANs are created in the VLAN database and are not stored in the running-config by default; they are stored in the VLAN database file. However, when you configure 'switchport access vlan', the VLAN must exist. NX-OS also supports 'vlan configuration' mode for advanced VLAN features. For port-channels, the access VLAN must be configured on the port-channel interface, not on individual member ports. The 'show interface switchport' output on NX-OS includes additional fields like 'Capture Mode' and 'Capture VLANs Allowed' which are not present in IOS. When migrating from IOS to NX-OS, note that the default native VLAN is 1, and the 'switchport access vlan' command does not affect the native VLAN for trunk ports. Also, NX-OS uses a different syntax for some related commands, such as 'vlan dot1q tag native' for native VLAN tagging. Overall, the command is straightforward but requires attention to VLAN existence and interface mode.
Practice for the CCNA 200-301
Test your knowledge with hundreds of CCNA practice questions covering all exam domains.
Practice CCNA Questions