Imagine a switch where every port is a locked door, and you need to decide which keys (VLANs) each door accepts. That's the essence of switchport access and trunk modes. On the CCNA 200-301 exam (objective 2.1), mastering these modes is critical for designing and troubleshooting VLAN-based networks. Real network engineers configure access ports for end devices and trunk ports for inter-switch links every day—getting this wrong can isolate users or create security holes.
Think of a switch as an office building with many rooms (VLANs). Each room has a color-coded badge that grants access. An access port is like a single door that only accepts one color badge, say blue for the accounting department. When an employee (device) plugs into that door, they can only enter the blue room; all their traffic stays within that VLAN. The door pins the blue badge on every frame as it enters and removes it again on the way out, so the device itself never sees a tag. This is perfect for end-user devices such as PCs and printers that belong to one VLAN.

A trunk port is like a main corridor connecting two buildings. This corridor carries people (frames) with any color badge at the same time, and each person must display their badge clearly: that is the 802.1Q tag. The trunk does not care about the color; it just passes everyone through. But both ends of the corridor must agree on which colors are allowed, which is the allowed VLAN list. If building A says only blue and green, but building B sends a red person, that red person is dropped at the entrance.

The native VLAN is like the default color for people who arrive without a badge: they are treated as if they carried a pre-agreed color, VLAN 1 by default. For security, the native VLAN is usually moved to an otherwise unused VLAN so that no host's access VLAN can ever coincide with it, which is the precondition for VLAN hopping by double tagging. Just like in a building, misconfiguring the corridor (for example mismatched native VLANs) causes chaos: badge-less frames are let into the wrong room on the far side, or are dropped entirely.
What Are Access and Trunk Ports?
In a switched network, VLANs segment broadcast domains. To connect devices to a specific VLAN, switch ports are configured in one of two modes: access or trunk. An access port belongs to a single VLAN and carries traffic for only that VLAN. The switch tracks the VLAN internally; frames sent out an access port are untagged. Note that access is not the factory default: on Cisco Catalyst switches the default administrative mode is dynamic auto, which behaves as an access port in VLAN 1 until a neighbor negotiates a trunk. A trunk port, on the other hand, carries traffic for multiple VLANs simultaneously. It uses 802.1Q tagging to identify which VLAN each frame belongs to. Trunk ports are typically used between switches, between a switch and a router (router-on-a-stick), or between a switch and a server or hypervisor that supports VLAN tagging.
How It Works Step by Step
When a frame arrives on an access port, the switch associates it with the port's configured VLAN ID. If the frame is untagged (as from a PC), the switch adds an internal tag (or uses the port VLAN ID, PVID) to forward the frame within that VLAN. When the frame leaves the switch via another access port in the same VLAN, the tag is removed before transmission. If it leaves via a trunk port, the switch inserts the 802.1Q tag into the frame header (4 bytes between source MAC and EtherType). The receiving trunk port reads the tag and forwards the frame to the appropriate VLAN. If a trunk port receives an untagged frame (e.g., from a device that doesn't support tagging), the frame is assigned to the native VLAN of that port. By default, the native VLAN is VLAN 1. It is critical that both ends of a trunk agree on the native VLAN; otherwise, frames will be misclassified, causing connectivity issues and potential security risks (VLAN hopping).
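The following Python model, added here as a worked example rather than code from this page, walks a raw Ethernet frame through exactly the steps above: access-port ingress (including the voice VLAN special case covered later), 802.1Q tag insertion on trunk egress, native VLAN handling, and trunk ingress on the neighbor. The class and function names are my own, the frames are constructed, and the access port's acceptance of a frame tagged with its own VLAN is modelled on Catalyst behaviour. The last three cases show why the native VLAN matters: the same double-tagged frame reaches VLAN 20 with the default native VLAN and stays in VLAN 1 once the native VLAN is moved to an unused ID or is tagged (`vlan dot1q tag native`).

```python
"""802.1Q tagging as a Catalyst-style switch applies it on access and trunk
ports.  Added example, not the page's own code: names, port classes and the
sample frames are assumptions chosen for illustration.  Frames are raw
Ethernet bytes so the 4-byte tag (TPID 0x8100 + TCI) is handled as on the wire."""
import struct

TPID = 0x8100   # 802.1Q tag protocol identifier
DROP = None     # sentinel: frame discarded


def build_frame(dst, src, ethertype, payload, vlans=()):
    """Ethernet frame with one 802.1Q tag per entry in `vlans`, outermost
    first; vlans=(1, 20) yields a double-tagged frame."""
    tags = b"".join(struct.pack("!HH", TPID, v & 0x0FFF) for v in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Return (outer VLAN ID or None, frame with that tag removed)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]   # low 12 TCI bits = VID


def push_tag(frame, vlan, pcp=0):
    """Insert a tag between the source MAC and the EtherType."""
    return frame[:12] + struct.pack("!HH", TPID, (pcp << 13) | vlan) + frame[12:]


class AccessPort:
    """One data VLAN, optionally one voice VLAN.  Egress is always untagged,
    so the switch carries frames internally without a tag."""
    def __init__(self, vlan, voice_vlan=None):
        self.vlan, self.voice_vlan = vlan, voice_vlan

    def ingress(self, frame):
        """Untagged -> access VLAN; tagged with the voice VLAN -> voice VLAN.
        A tag equal to the access VLAN is stripped and accepted (modelled on
        Catalyst behaviour; double tagging relies on it).  Other tags drop."""
        tag, inner = pop_tag(frame)
        if tag is None:
            return self.vlan, frame
        if tag in (self.vlan, self.voice_vlan):
            return tag, inner
        return DROP, None


class TrunkPort:
    """802.1Q trunk: native VLAN, allowed list, optional native tagging
    (the 'vlan dot1q tag native' behaviour)."""
    def __init__(self, native=1, allowed=range(1, 4095), tag_native=False):
        self.native, self.allowed, self.tag_native = native, set(allowed), tag_native

    def ingress(self, frame):
        tag, inner = pop_tag(frame)
        if tag is None:                 # untagged frame belongs to the native VLAN,
            if self.tag_native:         # unless native tagging is on: then invalid
                return DROP, None
            tag, inner = self.native, frame
        return (tag, inner) if tag in self.allowed else (DROP, None)

    def egress(self, vlan, frame):
        if vlan not in self.allowed:
            return DROP
        if vlan == self.native and not self.tag_native:
            return frame                # native VLAN leaves untagged
        return push_tag(frame, vlan)


def deliver(ingress_port, trunk_out, trunk_in, frame):
    """Ingress on switch A, out A's trunk, in on switch B's trunk.  Returns
    the VLAN switch B classifies the frame into, or DROP."""
    vlan, inner = ingress_port.ingress(frame)
    wire = DROP if vlan is DROP else trunk_out.egress(vlan, inner)
    return DROP if wire is DROP else trunk_in.ingress(wire)[0]


def demo():
    """Constructed frames: one untagged, one double-tagged (outer 1, inner 20)."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("0200deadbeef")
    plain = build_frame(dst, src, 0x0800, b"\x45" + b"\x00" * 19)
    double = build_frame(dst, src, 0x0800, b"\x45" + b"\x00" * 19, vlans=(1, 20))
    phone_port = AccessPort(10, voice_vlan=20)
    return {
        "pc": phone_port.ingress(plain)[0],                       # untagged -> 10
        "phone": phone_port.ingress(push_tag(plain, 20, 5))[0],   # tagged 20 -> 20
        "stray_tag": phone_port.ingress(push_tag(plain, 30))[0],  # tagged 30 -> dropped
        # native VLAN mismatch: VLAN 1 on A is silently classified as 99 on B
        "native_mismatch": deliver(AccessPort(1), TrunkPort(1), TrunkPort(99), plain),
        # double tagging: attacker in VLAN 1, native VLAN 1 -> lands in VLAN 20
        "hop_default_native": deliver(AccessPort(1), TrunkPort(1), TrunkPort(1), double),
        # same frame with an unused native VLAN, or with the native VLAN tagged
        "hop_native_999": deliver(AccessPort(1), TrunkPort(999), TrunkPort(999), double),
        "hop_tag_native": deliver(AccessPort(1), TrunkPort(1, tag_native=True),
                                  TrunkPort(1, tag_native=True), double),
    }


if __name__ == "__main__":
    for case, vlan in demo().items():
        print(f"{case:20s} -> {'dropped' if vlan is DROP else f'VLAN {vlan}'}")
```

The point of the hop cases is that nothing in the trunk's own configuration looks wrong: the frame is forwarded by the rules in the text, and the only fix is to ensure the native VLAN is one that no access port uses, or to tag it.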
Key States, Timers, and Defaults
Default mode: On current Catalyst switches every port is in dynamic auto mode by default (a few older models defaulted to dynamic desirable, so confirm with show interfaces switchport rather than assuming). Dynamic auto means the port will not actively try to form a trunk but will agree if the other side requests one; until that happens it behaves as an access port in VLAN 1. For the CCNA exam, know that switchport mode access forces the port to access mode, and switchport mode trunk forces trunk mode unconditionally.
Dynamic Trunking Protocol (DTP): DTP is a Cisco proprietary protocol that negotiates trunking between switches. Modes include dynamic desirable (actively tries to form a trunk), dynamic auto (passive, agrees to a trunk if asked), trunk (forces trunk, but still sends DTP so a dynamic neighbor follows), and access (forces access). The exam expects you to know which combinations result in a trunk: dynamic desirable + dynamic desirable = trunk; dynamic desirable + dynamic auto = trunk; trunk + dynamic auto = trunk; dynamic auto + dynamic auto = access (both passive); access + anything = access on both ends, except that trunk + access is a mismatch in which one end tags frames the other end will not accept. switchport nonegotiate stops DTP frames altogether; a trunk port with nonegotiate facing a dynamic auto neighbor therefore does not bring that neighbor up as a trunk, because the neighbor never hears a request.
Allowed VLAN list: By default, a trunk port allows all VLANs (1-4094). Restrict it with switchport trunk allowed vlan; note that the plain form replaces the whole list, so use the add, remove, and except keywords to adjust an existing list without wiping it.
Native VLAN: Default is VLAN 1. Change with switchport trunk native vlan command. Both ends must match.
802.1Q: The IEEE standard for VLAN tagging. It inserts a 4-byte tag: a 2-byte TPID of 0x8100 followed by a 2-byte TCI holding a 3-bit Priority Code Point (PCP) for QoS, a 1-bit DEI (formerly CFI), and a 12-bit VLAN ID (0-4095; 0 and 4095 are reserved, so 1-4094 are usable).
IOS CLI Verification Commands
To verify switchport mode and VLAN information, use the following commands:
show interfaces status
show interfaces switchport
show interfaces trunk

Example output for show interfaces switchport:
Switch# show interfaces gigabitethernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Key fields: Administrative Mode (configured mode), Operational Mode (actual mode after negotiation), Access Mode VLAN, Trunking Native Mode VLAN, Trunking VLANs Enabled, and Negotiation of Trunking (whether the port is still sending DTP frames; Off after switchport nonegotiate).
How It Interacts with Related Protocols
VLAN Trunking Protocol (VTP): VTP propagates the VLAN database across switches, and trunk ports carry its advertisements. Many organizations run VTP in transparent or off mode because a switch joining the domain with a higher configuration revision can overwrite the database and effectively delete VLANs everywhere. The exam focuses on manual VLAN configuration.
Spanning Tree Protocol (STP): STP runs on trunk ports as well. Trunk ports can be designated, root, or blocked. STP treats the trunk as a single link, but per-VLAN spanning tree (PVST+) runs separate instances per VLAN.
EtherChannel: Multiple trunk ports can be bundled into an EtherChannel. The trunk configuration must be consistent across all member ports.
Voice VLAN: An access port can be configured with a separate voice VLAN (using switchport voice vlan). The phone uses 802.1Q tagging, while the PC uses the access VLAN untagged. This is a common exam scenario.
Configure an Access Port
Enter interface configuration mode, set the mode to access, then assign the VLAN. Example:

```
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
```

This forces the port to operate as an access port in VLAN 10; any device plugged in is placed in VLAN 10. If VLAN 10 does not yet exist and the switch is a VTP server or in transparent mode (the usual case), IOS creates the VLAN for you and logs a message saying so. If it cannot (VTP client mode), or the VLAN is deleted later, the port stays physically up but is reported as inactive and forwards nothing until the VLAN exists. Verify with `show interfaces switchport`, where Access Mode VLAN shows either the VLAN name or "Inactive".
Configure a Trunk Port
Enter interface configuration mode and set the mode to trunk. Then set the native VLAN and allowed VLAN list and turn off DTP. Example:

```
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport nonegotiate
```

This forces the port to trunk unconditionally. The native VLAN is changed to 99 (for security), only VLANs 10, 20 and 30 are allowed, and `switchport nonegotiate` stops the port from sending DTP frames. The other end must be configured the same way: matching native VLAN, matching allowed list, and mode trunk (not dynamic auto, which would never hear a request from a nonegotiate port). On platforms that also support ISL (the 3560/3750 family, for example) you must first enter `switchport trunk encapsulation dot1q`, otherwise `switchport mode trunk` is rejected. Verify with `show interfaces trunk`.
Verify Trunk Status
Use `show interfaces trunk` to see all trunk ports and their properties. Example output:

```
Switch# show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/2       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/2       10,20,30

Port        Vlans allowed and active in management domain
Gi0/2       10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/2       10,20,30
```

Check that the port is trunking and that the allowed VLANs match your design. Mode "on" means the trunk was configured statically; a negotiated trunk shows "auto" or "desirable" here. A VLAN that appears in the allowed list but not in the "allowed and active" list has usually not been created on this switch.
Troubleshoot Access Port Issues
If a device cannot communicate, verify the access VLAN exists and the port is in access mode. Use `show vlan brief` to see VLANs and which ports belong to them. If the VLAN is missing, create it with `vlan <vlan-id>`; until then `show interfaces switchport` reports the access VLAN as Inactive and the port forwards nothing even though the link is up. Check whether the port is err-disabled (for example by port security) with `show interfaces status err-disabled`, and use `show interfaces status` for the link state. If the port shows notconnect, check cabling and the device.
Troubleshoot Trunk Issues
Common trunk issues: mismatched native VLAN, mismatched allowed VLAN list, DTP negotiation failure, or an encapsulation mismatch on platforms that support ISL. Use `show interfaces trunk` and `show interfaces switchport` to compare both ends. If the trunk is not forming, check DTP modes: the combination must resolve to trunk (trunk/trunk, trunk/dynamic desirable, trunk/dynamic auto, dynamic desirable/dynamic desirable, or dynamic desirable/dynamic auto), and remember that a nonegotiate port will not bring up a dynamic neighbor. If native VLANs differ, the trunk still comes up, but untagged frames are delivered into the wrong VLAN on the far side. The switches do warn you: CDP logs a %CDP-4-NATIVE_VLAN_MISMATCH message, and PVST+ detects the inconsistency through its per-VLAN BPDUs and blocks the affected VLANs on that port (%SPANTREE-2-RECV_PVID_ERR). Always match native VLANs. Also ensure both ends use dot1q encapsulation: switches that only support 802.1Q have it fixed, but 3560/3750-class switches default to negotiate and accept ISL.
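Comparing the two ends by eye is where mismatches slip through, so here is an added Python example (not from this page; the parsing, the finding texts and both sample outputs are mine and constructed) that parses `show interfaces switchport` from each side, expands the allowed VLAN lists, and reports native VLAN and allowed-list differences along with a trunk that still has DTP enabled or exists only through negotiation.

```python
"""Compare the two ends of a trunk from their 'show interfaces switchport'
output.  Added example, not the page's own code: parsing and finding texts
are mine, and the two outputs below are constructed samples (continuation
lines for very long VLAN lists are not handled)."""
import re

SW1_GI0_2 = """\
Name: Gi0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (VLAN0099)
Trunking VLANs Enabled: 10,20,30
Pruning VLANs Enabled: 2-1001
"""

SW2_GI0_1 = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 10,20,30-40
Pruning VLANs Enabled: 2-1001
"""

FIELDS = {                       # one regex per field we care about
    "name": r"^Name: (\S+)",
    "admin_mode": r"^Administrative Mode: (.+)$",
    "oper_mode": r"^Operational Mode: (.+)$",
    "dtp": r"^Negotiation of Trunking: (On|Off)",
    "native": r"^Trunking Native Mode VLAN: (\d+)",
    "allowed": r"^Trunking VLANs Enabled: (.+)$",
}


def expand_vlans(spec):
    """'ALL' -> 1-4094; '10,20,30-40' -> the listed IDs as a set."""
    if spec.strip().upper() == "ALL":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switchport(text):
    """Pick the fields out of one port's 'show interfaces switchport' block."""
    port = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if m:
            port[key] = m.group(1).strip()
    port["native"] = int(port["native"])
    port["allowed"] = expand_vlans(port["allowed"])
    return port


def compare_trunk(text_a, text_b):
    """Findings to check before blaming the cable.  Returns [] when both ends agree."""
    a, b = parse_switchport(text_a), parse_switchport(text_b)
    findings = []
    if a["oper_mode"] != b["oper_mode"]:
        findings.append(f"operational mode differs: {a['name']}={a['oper_mode']}, "
                        f"{b['name']}={b['oper_mode']}")
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {a['name']}={a['native']}, {b['name']}={b['native']}")
    only_a, only_b = sorted(a["allowed"] - b["allowed"]), sorted(b["allowed"] - a["allowed"])
    if only_a or only_b:
        findings.append(f"allowed VLANs differ: only on {a['name']} {only_a}, only on {b['name']} {only_b}")
    for p in (a, b):                       # hardening checks per end
        if p["oper_mode"] == "trunk" and p["dtp"] == "On":
            findings.append(f"{p['name']}: DTP still running on a trunk; add switchport nonegotiate")
        if p["oper_mode"] == "trunk" and p["admin_mode"] != "trunk":
            findings.append(f"{p['name']}: trunk exists only by negotiation (administrative mode "
                            f"{p['admin_mode']}); set switchport mode trunk explicitly")
    return findings


if __name__ == "__main__":
    for finding in compare_trunk(SW1_GI0_2, SW2_GI0_1):
        print("-", finding)
```

The constructed pair reproduces the classic case: Gi0/1 on the second switch was never configured, trunked only because the first switch asked, kept native VLAN 1, and allows VLANs 31-40 that the other side does not. Each of those is invisible in `show interfaces trunk` on a single switch.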
Configure Voice VLAN on Access Port
For a phone and PC on one port, configure the access VLAN for the PC and the voice VLAN for the phone. Example:

```
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 20
```

The switch tells the phone its voice VLAN over CDP (or LLDP-MED); the phone then tags its own traffic with VLAN 20, while the PC behind it sends untagged frames that land in VLAN 10. Configuring the voice VLAN does not by itself make the switch trust the phone's CoS marking: on platforms that use MLS QoS you also need `mls qos trust cos` on the interface (with `mls qos` enabled globally) for the phone's priority to survive. Verify with `show interfaces switchport` (the Voice VLAN field).
In enterprise networks, access and trunk ports are the foundational building blocks of VLAN segmentation. A typical scenario: a company has multiple departments (Engineering, Sales, HR), each in a separate VLAN. Access ports connect user PCs to their respective VLANs, and trunk ports carry those VLANs between switches; a distribution switch, for example, connects to several access switches over trunks. The allowed VLAN list on each trunk is pruned to the VLANs actually needed on the far side, which reduces flooded broadcast and unknown-unicast traffic and limits how far a compromised VLAN can reach. Another scenario: a data center server running virtual machines needs a trunk to the hypervisor so that each VM can sit in a different VLAN; the server NIC or virtual switch must support 802.1Q tagging.

A common misconfiguration is assigning an access port to a VLAN that does not exist on the switch. On a VTP server or transparent switch IOS creates the VLAN for you; on a VTP client, or if the VLAN is deleted later, the port stays up but inactive and passes no traffic until the VLAN exists. Another pitfall is leaving the native VLAN at its default of VLAN 1 on trunks. The risk is not VLAN 1 itself but the coincidence of a host's access VLAN with the trunk's native VLAN: that is what a double-tagged frame needs to hop into another VLAN. Best practice is to set the native VLAN to an otherwise unused VLAN (e.g., 999) that no access port uses, optionally tag it as well with the global command vlan dot1q tag native, and disable DTP on trunk ports with switchport nonegotiate (with user-facing ports in switchport mode access) so an attacker cannot negotiate a trunk.

At scale, with hundreds of switches, consistent trunk configuration is enforced via templates or automation. Performance-wise, trunk ports add 4 bytes per frame, which is negligible. However, allowing every VLAN on every trunk increases the number of PVST+ instances each port participates in and spreads flooded traffic needlessly. In production, engineers verify trunk status after every change with show interfaces trunk and use show interfaces switchport to catch misconfigurations such as an uplink accidentally left in dynamic auto mode or a native VLAN that differs from the far end.
The CCNA 200-301 exam tests objective 2.1 'Configure and verify switch port configurations including access and trunk modes' with scenario-based questions and command outputs. You must know the difference between administrative and operational mode. Common traps:

1) Dynamic auto + dynamic auto = access, not trunk. Many candidates think two auto ports form a trunk, but both are passive.
2) Native VLAN mismatch: the trunk still comes up, but untagged frames are delivered into the other side's native VLAN. The exam may show a symptom like intermittent connectivity, or a CDP native VLAN mismatch log message, and ask you to identify the cause.
3) Allowed VLAN list: if a trunk does not allow a VLAN, traffic for that VLAN will not cross. A question might show a trunk that allows only VLANs 1-100 while a host in VLAN 200 cannot ping another host in VLAN 200 on the other side.
4) Voice VLAN: an access port with a voice VLAN is still an access port, but the phone's frames are tagged. The exam may ask which VLAN is untagged (the access VLAN).
5) Default port mode: all ports are dynamic auto. If you configure switchport mode access on one side and leave the other as dynamic auto, both ends operate as access, because dynamic auto never initiates a trunk. If you configure switchport mode trunk on one side and leave the other as dynamic auto, the link trunks, because dynamic auto agrees when asked.

Decision rule: a trunk forms when at least one side is trunk or dynamic desirable and the other side is not access (and no nonegotiate trunk port is facing a dynamic port). Both sides operate as access when either side is access, or when both are dynamic auto. Trunk on one side with access on the other is a mismatch, not a working link. Always check native VLAN and allowed VLAN lists for consistency, and learn to read show interfaces trunk and show interfaces switchport well enough to spot them.
Access ports belong to a single VLAN and send untagged frames; trunk ports carry multiple VLANs using 802.1Q tags.
Default switchport mode is dynamic auto; to force access use 'switchport mode access', to force trunk use 'switchport mode trunk'.
Native VLAN on trunk ports carries untagged frames; default is VLAN 1; both ends must match to avoid misrouting.
DTP negotiation: dynamic desirable + dynamic desirable = trunk; dynamic auto + dynamic auto = access; trunk + dynamic auto = trunk.
Use 'show interfaces trunk' to see trunk status, allowed VLANs, and native VLAN; use 'show interfaces switchport' for detailed port configuration.
Voice VLAN on an access port allows a phone to use a separate tagged VLAN while the PC uses the untagged access VLAN.
Make sure the VLAN exists before, or is created when, you assign it to an access port; a port whose VLAN does not exist stays up but inactive and passes no traffic.
These come up on the exam all the time. Here's how to tell them apart.
Access Port
Belongs to a single VLAN
Sends untagged frames
Used for end devices (PCs, printers)
The default administrative mode (dynamic auto) operates as an access port until a neighbor negotiates a trunk
No DTP negotiation needed for operation
Trunk Port
Carries multiple VLANs
Sends tagged frames (802.1Q), except on the native VLAN, which is sent untagged unless native VLAN tagging is enabled
Used for inter-switch links, router-on-a-stick, servers
Requires manual configuration or DTP negotiation
Native VLAN concept exists
Mistake
A trunk port can only carry tagged frames.
Correct
A trunk port can carry both tagged and untagged frames. Untagged frames are assigned to the native VLAN.
Many think trunking implies all frames are tagged, but the native VLAN is specifically untagged.
Mistake
Dynamic auto + dynamic auto forms a trunk.
Correct
Both sides are passive, so neither initiates trunking; each port operates as an access port in its configured access VLAN (VLAN 1 by default).
Candidates confuse 'auto' with 'desirable' and think negotiation always happens.
Mistake
Changing the native VLAN on one side of a trunk is sufficient.
Correct
Both ends must have the same native VLAN; otherwise, frames on that VLAN will be incorrectly tagged or dropped.
People assume the switch can automatically detect the native VLAN, but it doesn't.
Mistake
An access port can carry multiple VLANs if you configure the voice VLAN.
Correct
An access port with voice VLAN still only carries one untagged VLAN (access VLAN) and one tagged VLAN (voice VLAN). It is not a full trunk.
The voice feature is often misunderstood as trunking, but it's a special case for phones.
Administrative mode is what you configure (e.g., 'switchport mode trunk'). Operational mode is what the port actually runs after negotiation (e.g., trunk or access). They can differ if DTP negotiation overrides your setting. For example, if you set trunk but the other side is dynamic auto, the operational mode is trunk. But if you set access and the other side is dynamic desirable, the operational mode is access because access mode does not negotiate. Use 'show interfaces switchport' to see both.
The default native VLAN is VLAN 1, which is also the default management VLAN. Leaving it as VLAN 1 while hosts also sit in VLAN 1 makes the trunk vulnerable to a VLAN hopping attack: an attacker whose access VLAN equals the trunk's native VLAN sends double-tagged frames; the first switch strips the outer tag, forwards the frame untagged across the trunk because it belongs to the native VLAN, and the next switch reads the inner tag and delivers the frame into the victim VLAN. The attack is one-way (replies never come back), but that is enough for injection. By changing the native VLAN to an unused VLAN (e.g., 999) that no access port is assigned to, you remove the precondition; adding the global command vlan dot1q tag native closes it fully, since the native VLAN is then tagged on the trunk as well. Also ensure both ends match; a mismatch causes untagged frames to be delivered into the wrong VLAN.
Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol that negotiates trunking between switches. It can automatically form trunks, and that is exactly the risk: a host on a dynamic auto port that speaks DTP can negotiate a trunk and then reach every allowed VLAN. Best practice is to set trunk ports to switchport mode trunk with switchport nonegotiate, and to set every user-facing port to switchport mode access, which can never become a trunk; adding switchport nonegotiate there as well stops the port from sending DTP frames at all. Unused ports should be shut down or placed in an unused VLAN.
Normally, an access port expects untagged frames. However, if you configure a voice VLAN, the switch will accept tagged frames from a phone on that port. The phone uses 802.1Q tagging with the voice VLAN ID, while the PC behind the phone sends untagged frames. The switch treats the tagged frames as voice traffic and the untagged as data traffic. So in that specific scenario, an access port does carry tagged frames, but only for the voice VLAN.
On a VTP server or transparent switch, IOS creates the VLAN when you assign it, so the port works immediately. If the switch cannot create it (VTP client mode), or the VLAN is later deleted, the port remains physically up but does not forward: 'show interfaces switchport' lists the access VLAN as Inactive, and the port is not listed under any VLAN in 'show vlan brief'. Create the VLAN with 'vlan <vlan-id>' in global configuration mode to restore it.
Use 'show interfaces trunk' to see the allowed VLAN list. Also check 'show interfaces switchport' for the trunking VLANs enabled field. To see which VLANs are actually active and in forwarding state, use 'show spanning-tree vlan <vlan-id>' or 'show interfaces trunk' again (it shows VLANs in spanning tree forwarding state).
The default switchport mode is 'dynamic auto'. This means the port will not actively try to become a trunk, but it will become a trunk if the other side requests it (e.g., if the other side is set to 'trunk' or 'dynamic desirable'). This default can lead to unexpected trunking if the other side is configured aggressively. For security, many administrators change all ports to 'access' or 'trunk' manually.