switchport mode access
Configures an interface as a Layer 2 access port, placing it in a single VLAN and removing any trunking behavior.
Overview
The 'switchport mode access' command is fundamental in Cisco NX-OS for configuring a Layer 2 interface as an access port. An access port belongs to a single VLAN and carries traffic for that VLAN only, typically used to connect end devices such as workstations, printers, or IP phones. The networking concept behind this command is VLAN segmentation: by assigning each access port to a specific VLAN, network administrators can isolate traffic, improve security, and reduce broadcast domains. On Cisco Nexus switches, this command is used within interface configuration mode and is often paired with 'switchport access vlan <vlan-id>' to specify the VLAN. It is important to note that on NX-OS, the default switchport mode is 'access', but it is a best practice to explicitly configure it to avoid unintended trunking behavior. This command is typically used during initial switch deployment, when adding new devices, or when re-purposing ports. In troubleshooting workflows, verifying the switchport mode is a first step when an end device cannot communicate or when VLAN membership issues arise. The command is straightforward but critical for proper Layer 2 operation.
switchport mode access
When to Use This Command
- Connecting end devices like PCs, printers, or IP phones to a switch port.
- Isolating traffic from different departments by assigning each port to a specific VLAN.
- Configuring a port for a security camera system that requires a dedicated VLAN.
- Setting up a port for a wireless access point that should be in a specific management VLAN.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| mode access | switchport mode access | Sets the interface to operate as a non-trunking access port. This is a fixed keyword; no additional parameters are needed. |
Command Examples
Basic Access Port Configuration
interface ethernet 1/1
  switchport mode access
  switchport access vlan 10

interface ethernet1/1
  switchport mode access
  switchport access vlan 10
The interface is set to access mode and assigned to VLAN 10. The output confirms the configuration.
Verifying Access Port Status
show interface ethernet 1/1 switchport

Name: Ethernet1/1
  Switchport: Enabled
  Administrative Mode: access
  Operational Mode: access
  Access Mode VLAN: 10 (VLAN0010)
  Trunking Native Mode VLAN: 1 (default)
  Administrative Native VLAN tagging: enabled
  Voice VLAN: none
  Administrative private-vlan host-association: none
  Administrative private-vlan mapping: none
  Operational private-vlan: none
  Trunking VLANs Enabled: ALL
  Pruning VLANs Enabled: 2-1001
  Capture Mode Disabled
  Capture VLANs Allowed: ALL
Shows the interface is in access mode, assigned to VLAN 10, and operational mode matches administrative mode.
Understanding the Output
The 'show interface switchport' output displays the Layer 2 configuration of an interface. Key fields include 'Administrative Mode' (configured mode) and 'Operational Mode' (actual running mode). For an access port, both should show 'access'. 'Access Mode VLAN' indicates the VLAN assigned to the port. A healthy access port will have matching administrative and operational modes, and the access VLAN should be the intended VLAN. Problem values include 'Operational Mode: trunk' if the port is incorrectly configured or if DTP negotiates trunk mode, or 'Access Mode VLAN: 1' if the port is not explicitly assigned to a VLAN, which may be a security concern.
Configuration Scenarios
Configuring an Access Port for a Workstation
A workstation in the Engineering department needs to be placed in VLAN 20.
Topology
[Workstation] --- [Ethernet1/2] --- [Nexus Switch]
Steps
1. Enter global configuration mode.
2. Enter interface configuration mode for Ethernet1/2.
3. Configure the port as an access port.
4. Assign the port to VLAN 20.

configure terminal
interface ethernet 1/2
  switchport mode access
  switchport access vlan 20
Verify: Use 'show interface ethernet 1/2 switchport' to confirm Administrative Mode is 'access' and Access Mode VLAN is 20.
Watch out: If the port was previously a trunk, you must first shut it down before changing modes to avoid configuration conflicts.
Troubleshooting with This Command
When troubleshooting connectivity issues on an access port, start by verifying the switchport mode with 'show interface <interface> switchport'. Ensure the 'Administrative Mode' and 'Operational Mode' both show 'access'. If the operational mode is 'trunk', Dynamic Trunking Protocol (DTP) may have negotiated trunking; disable DTP with 'switchport nonegotiate' or explicitly set the mode to access. Next, check the 'Access Mode VLAN' – it should match the intended VLAN. If it shows VLAN 1, the port may not have been explicitly assigned. Use 'show vlan brief' to verify the VLAN exists and is active. Also, check the interface status with 'show interface <interface>' – if the line protocol is down, the cable or end device may be faulty. For IP phones, ensure the voice VLAN is configured separately. On NX-OS, note that the 'switchport' command is required to enable Layer 2 switching on an interface; if omitted, the interface may be in Layer 3 mode. Finally, use 'show mac address-table interface <interface>' to see if the switch is learning MAC addresses on the correct VLAN.
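The checks described under "Understanding the Output" and in the troubleshooting steps above can be run across many ports at once. The following is an added example, not Cisco tooling or code from the original page; the function names and the sample text are constructed for illustration, and it assumes output in the same "field: value" layout as the sample shown earlier.

```python
# Constructed sample in the 'show interface switchport' format shown on this page.
SAMPLE = """\
Name: Ethernet1/1
  Administrative Mode: access
  Operational Mode: access
  Access Mode VLAN: 10 (VLAN0010)
Name: Ethernet1/2
  Administrative Mode: access
  Operational Mode: trunk
  Access Mode VLAN: 20 (VLAN0020)
Name: Ethernet1/3
  Administrative Mode: access
  Operational Mode: access
  Access Mode VLAN: 1 (default)
"""

def parse_switchport(text):
    """Split the output into one {field: value} dict per interface."""
    ports = []
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if key == "Name":
            ports.append({})  # each 'Name:' line starts a new interface
        if sep and ports:
            ports[-1][key] = value
    return ports

def audit_port(port, expected_vlan=None):
    """Return findings for one port, using the checks described on this page."""
    findings = []
    for field in ("Administrative Mode", "Operational Mode"):
        if port.get(field) != "access":
            findings.append(f"{field} is {port.get(field)}, expected access")
    vlan = port.get("Access Mode VLAN", "").partition(" ")[0]  # "10 (VLAN0010)" -> "10"
    if vlan == "1":
        findings.append("access VLAN is 1: port not explicitly assigned")
    elif expected_vlan is not None and vlan != str(expected_vlan):
        findings.append(f"access VLAN is {vlan}, expected {expected_vlan}")
    return findings

def audit(text, expected=None):
    """Map interface name -> findings; 'expected' maps names to intended VLANs."""
    return {p["Name"]: audit_port(p, (expected or {}).get(p["Name"]))
            for p in parse_switchport(text)}

if __name__ == "__main__":
    print(audit(SAMPLE, {"Ethernet1/1": 10, "Ethernet1/2": 20}))
```

An empty findings list means the port passes all three checks. A port left in Layer 3 mode has no mode fields in its output and is reported as not being in access mode.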
CCNA Exam Tips
- Remember that 'switchport mode access' disables trunking and is required before assigning an access VLAN.
- On NX-OS, the default switchport mode is 'access' but it's best practice to explicitly configure it.
- Know that 'switchport access vlan' must be configured after 'switchport mode access' to take effect.
Common Mistakes
- Configuring 'switchport access vlan' before 'switchport mode access' – the access VLAN command will be rejected if the port is in trunk mode.
- Forgetting to set the port to access mode when connecting an end device, leaving it in trunk mode which can cause VLAN hopping or connectivity issues.
- Using 'switchport mode access' on a port that should be a trunk, breaking connectivity to switches or routers.
Platform Notes
On Cisco NX-OS, the 'switchport mode access' command behaves similarly to Cisco IOS, but there are nuances. NX-OS does not support the 'switchport nonegotiate' command on all models; instead, DTP is disabled by default on some Nexus platforms. Additionally, on NX-OS, the default switchport mode is 'access', but the default access VLAN is 1. Unlike IOS, NX-OS requires the 'switchport' command to be entered before configuring switchport mode; if the interface is in Layer 3 mode, you must first enter 'switchport' to convert it to Layer 2. On Nexus 9000 series, the command is identical. For equivalent commands on other platforms, on Cisco IOS, the same syntax applies. On Juniper Junos, the equivalent is 'set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access' and 'set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members <vlan-id>'. On Arista EOS, the command is 'switchport mode access' as well, but the VLAN assignment is 'switchport access vlan <vlan-id>'.