N10-009 | Chapter 58 of 163 | Objective 2.1

Switch Port Modes: Access vs Trunk

This chapter covers the critical distinction between access and trunk switch port modes, a foundational topic for the CompTIA Network+ N10-009 exam. Understanding these modes is essential for segmenting network traffic, enforcing security policies, and ensuring efficient broadcast domain management. Approximately 5-10% of exam questions will touch on VLAN configuration, port modes, or related troubleshooting, making this a high-yield area. You will learn the exact mechanisms, default behaviors, configuration commands, and common pitfalls tested on the exam.

Updated May 31, 2026

Building Security Desks: Access vs Trunk

Imagine a large office building with several departments, each on its own floor, and a security desk at every doorway. Each person entering is an Ethernet frame, and each desk is a switch port.

An access desk serves one floor only. It does not expect visitors to arrive wearing a badge: it pins a badge of that floor's colour on everyone who walks in (the switch associates every untagged frame with the port's VLAN) and takes the badge back when someone walks out (the tag is stripped on egress). Anyone who turns up already wearing a badge is turned away, because the desk has no business with people from other floors.

A trunk desk guards the corridor to the next building. Everyone passing through must wear a badge, and the desk lets any colour through as long as it is on the approved list (the allowed VLAN list). It does not remove badges, so the desk in the next building (the neighbouring switch) knows which floor each person belongs to; this is an 802.1Q-tagged frame crossing a trunk. The one exception is the building's default colour (the native VLAN, VLAN 1 unless changed): people from that floor cross the corridor without a badge, and anyone who arrives at the trunk desk with no badge is assumed to belong to that floor. That default is exactly what an attacker leans on in double-tagging VLAN hopping, which is why the native VLAN is moved to an unused VLAN on every trunk.

How It Actually Works

What Are Switch Port Modes and Why Do They Exist?

Switch port modes define how a switch port handles VLAN tagging. VLANs (Virtual Local Area Networks) logically segment a physical network into multiple broadcast domains. Without VLANs, all devices on the same switch would share a single broadcast domain, leading to inefficiency and security risks. Port modes determine whether a port belongs to a single VLAN (access) or can carry traffic for multiple VLANs (trunk).

Access ports are used to connect end devices such as PCs, printers, and IP phones. They assume the connected device is unaware of VLAN tagging (i.e., it sends and receives untagged frames). The switch assigns the port a single VLAN ID (PVID) and strips any VLAN tag from outgoing frames, so the end device sees only untagged traffic. Incoming untagged frames are tagged with the PVID. This ensures simplicity for devices that do not support 802.1Q.

Trunk ports connect switches, routers, or servers that understand VLAN tagging. They carry traffic for multiple VLANs simultaneously, preserving VLAN tags across the link. Trunk ports use the IEEE 802.1Q standard, which inserts a 4-byte tag into the Ethernet frame header between the source MAC address and the EtherType. The tag contains a 12-bit VLAN ID (0-4095, with 0 and 4095 reserved), allowing up to 4094 VLANs. Trunk ports also have a native VLAN: untagged frames received on a trunk are assigned to the native VLAN (VLAN 1 by default), and frames belonging to the native VLAN are sent out the trunk untagged unless the switch is explicitly configured to tag the native VLAN. Every other VLAN is always tagged on the trunk.

How It Works Internally — Step Through the Mechanism

Consider a switch with two access ports (port 1 in VLAN 10, port 2 in VLAN 20) and a trunk port (port 3) connecting to another switch.

1.

A PC on port 1 sends an untagged Ethernet frame destined for a PC on port 2. The switch receives the frame on port 1. Because port 1 is an access port with PVID 10, the switch associates the frame with VLAN 10 internally. It then consults the MAC address table, which is kept per VLAN: the PC on port 2 was learned in VLAN 20, so there is no entry for its MAC address in VLAN 10. The switch floods the frame, but only to ports that are members of VLAN 10, and port 2 is not one of them, so the frame never reaches the second PC. This illustrates VLAN isolation: traffic crosses from one VLAN to another only through a router or a Layer 3 switch.

2.

Now consider a frame from port 1 destined for a server connected to another switch via the trunk. The switch tags the frame with VLAN 10. It looks up the destination MAC and finds it reachable via port 3 (trunk). The switch forwards the frame to port 3. Since port 3 is a trunk, the switch does not strip the VLAN 10 tag; it sends the frame with the tag intact across the trunk. The receiving switch sees the tag, determines it belongs to VLAN 10, and forwards it to the appropriate access port.

3.

If the trunk port receives an untagged frame (from a misconfigured device, or from a neighbour whose native VLAN differs), the switch assigns it to the native VLAN (VLAN 1 by default) and forwards it as VLAN 1 traffic. Because native VLAN frames cross the trunk without a tag, an attacker who can get a frame into the native VLAN with a second 802.1Q tag hidden behind the first can have the far switch read that inner tag and deliver the frame into a VLAN the attacker is not a member of. This is double-tagging VLAN hopping, and it is the reason the native VLAN is moved to an unused VLAN (or tagged) on every trunk.
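To make the three steps concrete, here is an added Python model of the forwarding logic (example code written for this chapter, not Cisco software and not code from the original page). It builds real 802.1Q-tagged Ethernet frames as bytes, keeps a per-VLAN MAC table, applies the access and trunk ingress and egress rules described above, and replays the walk-through. The MAC addresses, port numbers and payloads are constructed for the example; the rule that an access port drops any tagged frame is the exam-level simplification used in this chapter (some platforms accept a frame tagged with the port's own VLAN).

```python
import struct
from collections import defaultdict

TPID = 0x8100  # 802.1Q tag protocol identifier; it occupies the EtherType position

def build_frame(dst, src, payload, vid=None, pcp=0):
    """Ethernet frame with IPv4 EtherType; a 4-byte 802.1Q tag is inserted when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID, (pcp << 13) | (vid & 0x0FFF))  # TPID + TCI (PCP/DEI/VID)
    return hdr + struct.pack("!H", 0x0800) + payload

def parse_frame(frame):
    """Return (dst, src, vid); vid is None for an untagged frame."""
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    if struct.unpack("!H", frame[12:14])[0] == TPID:
        return dst, src, struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return dst, src, None

def strip_tag(frame):
    return frame[:12] + frame[16:]

def insert_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


class Switch:
    """Tiny VLAN-aware switch: per-VLAN MAC learning plus access/trunk ingress and egress rules."""

    def __init__(self):
        self.ports = {}                # port -> config
        self.mac_table = {}            # (vlan, mac) -> port; learning is scoped to the VLAN
        self.sent = defaultdict(list)  # port -> frames that left the switch on that port

    def add_access(self, port, vlan):
        self.ports[port] = {"mode": "access", "vlan": vlan}

    def add_trunk(self, port, native=1, allowed=None):
        self.ports[port] = {"mode": "trunk", "native": native, "allowed": allowed}  # None = ALL

    def is_member(self, port, vlan):
        cfg = self.ports[port]
        if cfg["mode"] == "access":
            return cfg["vlan"] == vlan
        return cfg["allowed"] is None or vlan in cfg["allowed"]

    def classify(self, port, vid):
        """Ingress: pick the VLAN the frame belongs to, or None to drop it."""
        cfg = self.ports[port]
        if cfg["mode"] == "access":
            return cfg["vlan"] if vid is None else None  # exam rule: access ports drop tagged frames
        vlan = cfg["native"] if vid is None else vid      # untagged on a trunk -> native VLAN
        return vlan if self.is_member(port, vlan) else None

    def egress(self, port, vlan, frame):
        """Egress: access ports and the trunk's native VLAN send untagged, other VLANs tagged."""
        cfg = self.ports[port]
        tagged = parse_frame(frame)[2] is not None
        if cfg["mode"] == "access" or vlan == cfg["native"]:
            out = strip_tag(frame) if tagged else frame
        else:
            out = frame if tagged else insert_tag(frame, vlan)
        self.sent[port].append(out)

    def receive(self, port, frame):
        """Handle one frame arriving on `port`; return (vlan, ports it was forwarded to)."""
        dst, src, vid = parse_frame(frame)
        vlan = self.classify(port, vid)
        if vlan is None:
            return None, []
        self.mac_table[(vlan, src)] = port
        known = self.mac_table.get((vlan, dst))
        targets = [known] if known is not None else [
            p for p in self.ports if p != port and self.is_member(p, vlan)]  # flood inside the VLAN only
        for p in targets:
            self.egress(p, vlan, frame)
        return vlan, targets


def walkthrough():
    """Replay the three steps from the text: access ports 1 (VLAN 10) and 2 (VLAN 20), trunk on port 3."""
    sw = Switch()
    sw.add_access(1, 10)
    sw.add_access(2, 20)
    sw.add_trunk(3, native=1)
    pc1, pc2, srv = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"  # constructed MACs
    r = {}
    # Step 1: PC1 -> PC2. VLAN 10's table has no entry for PC2, so the frame floods to VLAN 10 members only.
    r["step1"] = sw.receive(1, build_frame(pc2, pc1, b"hello pc2"))
    r["step1_vid_on_trunk"] = parse_frame(sw.sent[3][0])[2]
    # Step 2: a tagged VLAN 10 frame from the server arrived over the trunk, so its MAC is known on port 3.
    sw.receive(3, build_frame(pc1, srv, b"from server", vid=10))
    r["step2"] = sw.receive(1, build_frame(srv, pc1, b"hello server"))
    r["step2_vid_on_trunk"] = parse_frame(sw.sent[3][-1])[2]
    # Step 3: an untagged frame on the trunk lands in native VLAN 1, which has no other members here.
    r["step3"] = sw.receive(3, build_frame("ff:ff:ff:ff:ff:ff", "00:00:00:00:00:aa", b"untagged"))
    # A tagged frame arriving on an access port is dropped.
    r["tagged_on_access"] = sw.receive(2, build_frame(pc1, pc2, b"tagged", vid=20))
    return r
```

Run `walkthrough()` and inspect the returned dictionary: step 1 leaves only on the trunk (tagged 10), step 2 leaves the trunk tagged 10 and reaches PC1 untagged on the way back, step 3 is classified into VLAN 1 and goes nowhere, and the tagged frame on the access port is dropped before any learning happens.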

Key Components, Values, Defaults, and Timers

PVID (Port VLAN ID): The VLAN assigned to untagged frames received on a port. For access ports, the PVID is the configured access VLAN. For trunk ports, the PVID is the native VLAN (default 1).

Native VLAN: On a trunk, the VLAN that carries untagged traffic. Default is VLAN 1. It is recommended to change the native VLAN to an unused VLAN for security (e.g., VLAN 999).

Allowed VLAN List: On a trunk, you can restrict which VLANs are permitted. By default, all VLANs (1-4094) are allowed. Use switchport trunk allowed vlan to prune.

Tagging Behavior: Access ports send every frame untagged and associate every untagged frame they receive with the access VLAN. Trunk ports send frames tagged for every VLAN except the native VLAN, which leaves untagged by default; tagging of the native VLAN can be switched on where the platform supports it.

802.1Q Tag: 4 bytes: a 16-bit TPID (0x8100) followed by a 16-bit TCI made up of the priority/PCP (3 bits), CFI (1 bit, redefined as DEI in later revisions of the standard) and the VLAN ID (12 bits).

Default Port Mode: Depending on the vendor, a fresh port is either in a static access mode or in a DTP-negotiating mode. Cisco Catalyst switches default to dynamic auto, which forms a trunk as soon as the neighbour asks for one (dynamic desirable or trunk). For security, hard-set every port to access or trunk and then disable DTP with `switchport nonegotiate`; the command is only accepted once the mode is static.

Configuration and Verification Commands

Cisco IOS configuration:

Set access port: switchport mode access then switchport access vlan 10.

Set trunk port: switchport mode trunk then optionally switchport trunk native vlan 999 and switchport trunk allowed vlan 10,20,30.

Verify: show interfaces switchport shows mode, access VLAN, trunk native VLAN, allowed VLANs.

show interfaces trunk shows trunk ports, native VLAN, allowed VLANs, and active VLANs.

Example output (the "(Inactive)" beside the native VLAN means VLAN 999 has not been created in the VLAN database, so no native VLAN traffic is forwarded on this trunk; that is acceptable if you never want anything untagged to flow, otherwise create it with `vlan 999`):

Switch# show interfaces gigabitethernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (Inactive)
Trunking VLANs Enabled: ALL

How It Interacts with Related Technologies

VTP (VLAN Trunking Protocol): VTP propagates the VLAN database (VLAN IDs and names) between Cisco switches in the same VTP domain, and its advertisements travel only over trunk links. A link that fails to come up as a trunk therefore also stops VTP updates, and a misconfigured VTP server can overwrite the VLAN database of every switch in the domain, which is why many designs run VTP in transparent mode.

DTP (Dynamic Trunking Protocol): Cisco-proprietary; negotiates trunking between switches. An attacker on a port left in dynamic auto or dynamic desirable can answer the negotiation and turn the port into a trunk (switch spoofing), gaining access to every allowed VLAN. Hard-set the mode and use `switchport nonegotiate` on both access and trunk ports so that no DTP frames are sent.

STP (Spanning Tree Protocol): STP runs on trunk ports as well. With PVST+ the switch sends one BPDU per VLAN across the trunk, tagged for each VLAN and untagged for the native VLAN. A native VLAN mismatch therefore shows up as an STP inconsistency: the switch logs a PVID mismatch and blocks the affected VLANs on that port.

Voice VLAN: Cisco IP phones usually use a separate voice VLAN. The port stays an access port for the data VLAN, and `switchport voice vlan <vlan-id>` adds the voice VLAN to it; the phone tags its own traffic with the voice VLAN (it learns the ID from the switch over CDP or LLDP-MED), while the PC behind the phone sends untagged frames that land in the data VLAN.

Security: A port hard-set to access mode with DTP disabled cannot be negotiated into a trunk, which defeats switch spoofing, and it drops tagged frames for VLANs other than its own. Trunk ports should have the native VLAN changed to an unused VLAN (or tagged) and their allowed VLAN list pruned, which defeats double tagging. Shut down unused ports and park them as access ports in an unused black-hole VLAN.

Common Configuration Pitfalls

Native VLAN Mismatch: If two switches have different native VLANs on the trunk, untagged traffic will be placed in different VLANs, causing connectivity issues. STP may also fail. Always ensure both ends agree.

Allowed VLAN Mismatch: If one end allows VLAN 10 but the other does not, traffic for VLAN 10 will be dropped.

Trunk Mode Mismatch: One side configured as trunk, the other as access. The link comes up, but it only passes traffic that is untagged on both sides: the trunk's native VLAN on one end and the access VLAN on the other are silently bridged together, and tagged frames from the trunk side are dropped by the access port. If one side is still dynamic, DTP settles on whatever the static side dictates.

Assuming the Native VLAN Is Tagged: By default, Cisco switches send native VLAN frames untagged on a trunk, which is exactly what double tagging relies on. To tag the native VLAN, use the global `vlan dot1q tag native` command on platforms that support it (the page's per-interface variant exists only on some models), and make sure both ends of the trunk agree, otherwise native VLAN traffic is misread on the far side.
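Because the exam asks you to work out which VLANs a trunk actually carries from a configuration snippet, here is an added Python helper (example code for this chapter, not page or Cisco code) that applies IOS `switchport trunk allowed vlan` semantics (`add`, `remove`, `except`, `all`, `none`, ranges) to both ends of a trunk and reports the native VLAN, allowed-list and mode mismatches listed above. The two configuration snippets are constructed for the example; the rule that untagged frames are dropped when the native VLAN is missing from the allowed list is the IOS behaviour assumed here.

```python
ALL_VLANS = frozenset(range(1, 4095))  # 1-4094; 0 and 4095 are reserved by 802.1Q

def parse_vlan_list(text):
    """Turn a Cisco VLAN list such as '10,20,100-110' into a set of VLAN IDs."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def apply_allowed(current, args):
    """Apply one 'switchport trunk allowed vlan <args>' to the current allowed set (IOS semantics)."""
    keyword, _, rest = args.partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list(args)  # a bare list replaces the whole allowed set

def parse_trunk_config(lines):
    """Reduce interface-config lines to the trunk state the switch would end up in."""
    state = {"mode": None, "native": 1, "allowed": set(ALL_VLANS), "nonegotiate": False}
    for raw in lines:
        line = raw.strip()
        if line.startswith("switchport mode "):
            state["mode"] = line[len("switchport mode "):]
        elif line.startswith("switchport trunk native vlan "):
            state["native"] = int(line.rsplit(" ", 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            state["allowed"] = apply_allowed(state["allowed"], line[len("switchport trunk allowed vlan "):])
        elif line == "switchport nonegotiate":
            state["nonegotiate"] = True
    return state

def check_trunk(side_a, side_b):
    """Compare both ends of a trunk: what actually passes, and which pitfalls from the text are present."""
    a, b = parse_trunk_config(side_a), parse_trunk_config(side_b)
    return {
        "forwarded": sorted(a["allowed"] & b["allowed"]),       # only VLANs allowed on BOTH ends pass
        "only_a": sorted(a["allowed"] - b["allowed"]),
        "only_b": sorted(b["allowed"] - a["allowed"]),
        "native_mismatch": a["native"] != b["native"],
        "untagged_dropped_a": a["native"] not in a["allowed"],  # assumed IOS rule: native not allowed
        "untagged_dropped_b": b["native"] not in b["allowed"],  # -> untagged frames are dropped
        "mode_mismatch": a["mode"] != b["mode"],
        "dtp_frames_sent": not (a["nonegotiate"] and b["nonegotiate"]),
    }

SIDE_A = [  # constructed config for Switch A Gi0/1
    "switchport mode trunk",
    "switchport trunk native vlan 999",
    "switchport trunk allowed vlan 10,20,30",
    "switchport trunk allowed vlan add 40",
    "switchport nonegotiate",
]
SIDE_B = [  # constructed config for Switch B Gi0/24: defaults apart from the allowed list
    "switchport mode trunk",
    "switchport trunk allowed vlan except 1-9,30",
]

if __name__ == "__main__":
    for key, value in check_trunk(SIDE_A, SIDE_B).items():
        print(f"{key}: {value if not isinstance(value, list) or len(value) < 20 else f'{len(value)} VLANs'}")
```

On the constructed pair, only VLANs 10, 20 and 40 pass (30 is allowed on A only), the native VLANs differ (999 versus the default 1), and neither native VLAN is in its own allowed list, so untagged frames are dropped at both ends; B also still sends DTP frames because it lacks `switchport nonegotiate`.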

Exam Relevance

This chapter sits in the N10-009 Network Implementation domain, whose switching objective lists VLANs, interface configuration, 802.1Q tagging, the native VLAN and the voice VLAN. You will be asked to identify correct configurations, interpret show command output, and troubleshoot connectivity issues caused by port mode misconfigurations. Be prepared to calculate which VLANs are allowed on a trunk given a configuration snippet. Know the default native VLAN (1) and why leaving it unchanged is a security risk.

Walk-Through

1

Determine Device Type and Requirements

Identify whether the connected device is an end host (PC, printer, IP phone) or a network infrastructure device (switch, router, firewall). End hosts typically do not understand VLAN tagging and require an access port. Infrastructure devices that need to carry multiple VLANs require a trunk port. If the device is a server with a NIC that supports 802.1Q, it may also need a trunk port. This step sets the foundation for the port mode decision.

2

Configure Access Port for End Devices

On a Cisco switch, enter interface configuration mode and issue `switchport mode access` followed by `switchport access vlan <vlan-id>`. This sets the port to access mode and assigns it to a single VLAN. The switch will strip tags on egress and add tags on ingress for untagged frames. Verify with `show interfaces switchport`. Ensure the VLAN exists in the VLAN database (`vlan <vlan-id>`). For security, consider using a non-default VLAN and disable DTP with `switchport nonegotiate`.

3

Configure Trunk Port for Inter-Switch Links

On a Cisco switch, enter interface configuration mode and issue `switchport mode trunk`. Optionally, set the native VLAN to an unused VLAN (e.g., `switchport trunk native vlan 999`) and restrict allowed VLANs (e.g., `switchport trunk allowed vlan 10,20,30`). Disable DTP with `switchport nonegotiate`. Verify with `show interfaces trunk` and `show interfaces switchport`. Ensure both ends of the trunk have matching native VLANs and allowed VLAN lists.

4

Verify Connectivity and Tagging Behavior

Use `ping` and `traceroute` to test connectivity between devices in the same VLAN across the trunk. On the trunk, use a packet analyzer (e.g., Wireshark) on a SPAN/mirror session to confirm that frames are tagged with the correct VLAN ID; capturing on an ordinary workstation NIC is unreliable because most drivers strip the 802.1Q tag before the capture engine sees it. Check that untagged frames on the trunk are assigned to the native VLAN. Use `show mac address-table` to confirm MAC learning on the correct VLAN. If connectivity fails, check for native VLAN mismatch or allowed VLAN mismatch using `show interfaces trunk` on both switches.

5

Secure Ports and Harden Configuration

For access ports, enable port security (`switchport port-security`) to limit the number of MAC addresses. For trunk ports, change the native VLAN from the default (1) to an unused VLAN, prune allowed VLANs to only those necessary, and disable DTP. Also enable BPDU guard on access ports (together with PortFast) so that a switch plugged into a user port is shut down, and root guard on the designated ports that face other switches so that no downstream switch can claim the root role. Regularly audit port configurations with scripts or network management tools to ensure compliance.
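Step 5 mentions auditing port configurations with scripts. Here is an added Python audit (example code written for this chapter, not from the page or any vendor tool) that parses `show interfaces switchport` output and flags ports that still negotiate DTP, trunks that keep native VLAN 1 or allow every VLAN, and access ports left in VLAN 1. The three interfaces in SAMPLE_OUTPUT are constructed for the example, using the field names as Catalyst IOS prints them; the hardening rules are the ones from this chapter.

```python
import re

# Constructed 'show interfaces switchport' output for three ports (not captured from a real device).
SAMPLE_OUTPUT = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 999 (VLAN0999)
Voice VLAN: none
Trunking VLANs Enabled: 10,20,30

Name: Gi0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Trunking VLANs Enabled: ALL

Name: Gi0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 10 (SALES)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: 150 (VOICE)
Trunking VLANs Enabled: ALL
"""

def parse_switchport(text):
    """Split 'show interfaces switchport' output into one {field: value} dict per interface."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Name":
            current = interfaces.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return interfaces

def vlan_id(value):
    """'999 (VLAN0999)' -> 999; 'none' -> None."""
    match = re.match(r"\d+", value)
    return int(match.group()) if match else None

def audit(interfaces):
    """Return {interface: [findings]} for ports that violate the hardening rules from the text."""
    findings = {}
    for name, f in interfaces.items():
        issues = []
        admin = f.get("Administrative Mode", "")
        oper = f.get("Operational Mode", "")
        if admin.startswith("dynamic"):
            issues.append(f"mode '{admin}' lets DTP negotiate a trunk; hard-set access or trunk")
        if f.get("Negotiation of Trunking") == "On":
            issues.append("DTP frames are sent; add 'switchport nonegotiate'")
        if oper == "trunk":
            if vlan_id(f.get("Trunking Native Mode VLAN", "")) == 1:
                issues.append("native VLAN is 1; move it to an unused VLAN")
            if f.get("Trunking VLANs Enabled") == "ALL":
                issues.append("all VLANs allowed; prune with 'switchport trunk allowed vlan'")
        elif vlan_id(f.get("Access Mode VLAN", "")) == 1:
            issues.append("access VLAN is the default VLAN 1")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit(parse_switchport(SAMPLE_OUTPUT)).items():
        print(port, "->", "; ".join(issues))
```

Against real equipment, save the command output to a file and call `audit(parse_switchport(open(path).read()))`. On the sample, Gi0/1 is clean, Gi0/2 trips three rules (negotiable mode, DTP on, default VLAN) and Gi0/3 is a correctly placed access port that still sends DTP frames.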

What This Looks Like on the Job

In a typical enterprise campus network, access ports are deployed on edge switches connecting end-user devices. For example, a company with multiple departments (Sales, HR, Engineering) uses separate VLANs (10, 20, 30) for each department. Each user's desk port is configured as an access port in their respective VLAN. This ensures that Sales users cannot directly communicate with HR users unless routed through a firewall. The access port configuration is straightforward: switchport mode access and switchport access vlan 10. Often, network engineers use an authentication server (e.g., Cisco ISE) to assign VLANs dynamically based on 802.1X authentication: the port stays in access mode and the RADIUS reply tells the switch which VLAN to place it in, so the underlying principle is unchanged.

Trunk ports are used to interconnect switches, both in the wiring closet and between floors. For instance, a distribution switch connects to multiple access switches via trunk ports. Each trunk carries all department VLANs. To optimize performance, network engineers prune VLANs that are not needed on a particular access switch. For example, if an access switch only serves Sales users, the trunk to that switch should only allow VLAN 10. This reduces unnecessary broadcast traffic. The configuration would be: switchport mode trunk and switchport trunk allowed vlan 10. Additionally, the native VLAN is changed from the default VLAN 1 to a dedicated VLAN that carries no user or management traffic (e.g., VLAN 999) to prevent VLAN hopping attacks; using the management VLAN as the native VLAN would put management traffic on the wire untagged, which is exactly what you are trying to avoid. This is a common security best practice.

A common issue arises when a new switch is added to the network and the trunk is misconfigured. For example, if the native VLAN on one side is 1 and on the other side is 999, untagged frames are bridged between VLAN 1 and VLAN 999, CDP warns about a native VLAN mismatch, and PVST+ detects the PVID mismatch and blocks the affected VLANs on that trunk. The symptoms are loss of connectivity in those VLANs and mismatch messages in the log. Troubleshooting involves checking show interfaces trunk on both ends and ensuring native VLANs match. Another scenario is when a trunk port is accidentally configured as an access port, causing all VLANs to be dropped except the access VLAN. This results in users in other VLANs losing connectivity. The fix is to reapply the trunk configuration.

In data center environments, trunk ports are also used for server connections that need several VLANs, for example a hypervisor host whose virtual machines live in VLAN 100 (web tier) and VLAN 200 (database tier). The host's NIC or virtual switch must support 802.1Q tagging. The switch port is configured as a trunk with only those VLANs allowed, and the host is configured to tag each VLAN appropriately. Performance considerations include ensuring the trunk link has sufficient bandwidth (e.g., 10 Gbps or 40 Gbps) to handle aggregated traffic from multiple VLANs. Misconfiguration here can lead to server isolation, or to a security breach if a VLAN the host should not see is left in the allowed list.

How N10-009 Actually Tests This

The N10-009 exam tests access and trunk ports mainly in the Network Implementation domain (configuring switching technologies: VLANs, native VLAN, voice VLAN, 802.1Q tagging), with VLAN hopping appearing under the Network Security attack types and VLAN or trunk misconfiguration under Troubleshooting. You must be able to:

Identify the correct port mode given a scenario (e.g., connecting a PC vs. connecting a switch).

Interpret show interfaces switchport or show interfaces trunk output to determine the current mode, access VLAN, native VLAN, and allowed VLANs.

Troubleshoot connectivity issues caused by native VLAN mismatch or allowed VLAN mismatch.

Understand the default native VLAN (1) and why it is a security risk.

Recognize that DTP can be used to negotiate trunking but should be disabled for security.

Common wrong answers and why candidates choose them:

1. "Access ports can carry multiple VLANs if configured." This is false. Access ports belong to a single VLAN. Candidates confuse access with trunk because some switch models allow a voice VLAN on an access port, but that is a special case (the voice VLAN is effectively an additional tagged VLAN). The exam expects you to know that an access port is for a single VLAN.

2. "Trunk ports strip all VLAN tags." This is false. Trunk ports preserve tags for all VLANs except the native VLAN (by default). Candidates may think trunks strip tags because access ports do. The correct understanding is that trunks keep tags for non-native VLANs.

3. "The native VLAN should always be VLAN 1." This is false. While the default is 1, best practice is to change it to an unused VLAN. The exam may ask about the security implications.

4. "You cannot restrict VLANs on a trunk." This is false. The switchport trunk allowed vlan command prunes the list. Candidates may think trunks always carry all VLANs; that is true only until pruning is applied.

Specific numbers and terms to memorize:

802.1Q tag size: 4 bytes.

VLAN ID range: 1-4094 (0 and 4095 reserved).

Default native VLAN: 1.

Default trunk allowed VLANs: ALL (1-4094).

Command to set access VLAN: switchport access vlan <vlan-id>.

Command to set trunk mode: switchport mode trunk.

Command to set native VLAN: switchport trunk native vlan <vlan-id>.

Command to restrict allowed VLANs: switchport trunk allowed vlan <vlan-list>.

Edge cases the exam loves:

A trunk port with native VLAN mismatch: both sides have different native VLANs. What happens? Untagged frames are placed in different VLANs, causing connectivity issues. STP may fail.

A trunk port where one side is trunk and the other is access: DTP may negotiate to access, resulting in only one VLAN working.

An access port receiving a tagged frame: the exam answer is that the switch drops it, because access ports expect untagged traffic. In practice some platforms accept a frame tagged with the port's own access VLAN (and the voice VLAN, if one is configured) and drop only tags for other VLANs, which is the foothold double tagging uses.

A trunk whose native VLAN is not in the allowed list: having the native VLAN in the allowed list is the normal case. If it is missing, the trunk neither sends native VLAN traffic nor accepts untagged frames; on Cisco switches untagged frames received on that trunk are dropped. Some engineers do this deliberately so that nothing crosses the trunk untagged, which also closes the double-tagging path. The exam expects you to know that the native VLAN must be in the allowed list for native VLAN traffic to pass.
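To show why the native VLAN must be moved, tagged or pruned, here is an added Python model of the double-tagging attack (example code written for this chapter, not from the page). It tracks only the list of 802.1Q VIDs in the frame header, outermost first, and assumes that the attacker's access port sits in the native VLAN and accepts a frame tagged with that same VLAN (Catalyst access ports do; the exam-level rule elsewhere in this chapter says tagged frames are dropped), and that both ends of the trunk are configured identically. The `tag_native` flag stands in for the global `vlan dot1q tag native` command.

```python
def first_switch_trunk_egress(vlan, tags, trunk):
    """The attacker's frame, already classified into `vlan`, leaves the first switch's trunk.

    tags: 802.1Q VIDs still present in the header, outermost first.
    Returns the tags that go on the wire, or None if the frame is dropped.
    """
    if trunk["allowed"] is not None and vlan not in trunk["allowed"]:
        return None                                            # VLAN not allowed on this trunk
    if vlan == trunk["native"] and not trunk["tag_native"]:
        # native VLAN leaves untagged: the outer tag is removed, exposing whatever sits behind it
        return tags[1:] if tags and tags[0] == vlan else tags
    if tags and tags[0] == vlan:
        return tags                                            # already tagged for this VLAN, kept
    return [vlan] + tags                                       # non-native VLAN: tag added

def second_switch_trunk_ingress(tags, trunk):
    """The far switch classifies by the outermost tag, or by the native VLAN if untagged."""
    vlan = trunk["native"] if not tags else tags[0]
    if trunk["allowed"] is not None and vlan not in trunk["allowed"]:
        return None
    return vlan

def run_double_tag(trunk, attacker_vlan=1, target_vlan=20):
    """Return the VLAN into which the far switch delivers the attacker's frame (None = dropped)."""
    # Assumption: the attacker's access port is in attacker_vlan and accepts a frame tagged with that
    # VLAN, so the frame is classified into attacker_vlan while the inner tag survives in the payload.
    tags = [attacker_vlan, target_vlan]
    on_wire = first_switch_trunk_egress(attacker_vlan, tags, trunk)
    if on_wire is None:
        return None
    return second_switch_trunk_ingress(on_wire, trunk)  # both ends configured identically here

def scenarios():
    """The default trunk and the three mitigations from the text."""
    default = {"native": 1, "allowed": None, "tag_native": False}
    moved = {"native": 999, "allowed": None, "tag_native": False}
    tagged = {"native": 1, "allowed": None, "tag_native": True}
    pruned = {"native": 1, "allowed": {10, 20, 30}, "tag_native": False}
    return {
        "default native 1": run_double_tag(default),
        "native moved to 999": run_double_tag(moved),
        "native tagged": run_double_tag(tagged),
        "native removed from allowed list": run_double_tag(pruned),
    }

if __name__ == "__main__":
    for name, delivered in scenarios().items():
        print(f"{name}: delivered into VLAN {delivered}")
```

With the default native VLAN 1 the first switch strips the outer tag, the second switch reads the inner tag and the frame lands in VLAN 20. Moving the native VLAN to 999 or tagging the native VLAN keeps the outer tag on the wire, so the far side files the frame under the attacker's own VLAN 1; removing VLAN 1 from the allowed list drops it at the first trunk.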

How to eliminate wrong answers: Focus on the fundamental mechanism: access ports = single VLAN, untagged; trunk ports = multiple VLANs, tagged. If a question mentions a device that does not support VLAN tagging, the port must be access. If the question involves multiple VLANs between switches, the port must be trunk. Use the show command outputs to verify mode and VLAN assignments. Remember that DTP is a negotiation protocol: a trunk forms if at least one side is dynamic desirable or trunk and the other is willing (dynamic auto or dynamic desirable), while dynamic auto on both sides never forms a trunk. The exam prefers static configuration for security.

Key Takeaways

Access ports belong to a single VLAN and strip tags; trunk ports carry multiple VLANs with tags.

Default native VLAN on a trunk is VLAN 1 — change it to an unused VLAN for security.

Use `switchport mode access` and `switchport access vlan <vlan-id>` for end devices.

Use `switchport mode trunk` and optionally `switchport trunk native vlan <vlan-id>` and `switchport trunk allowed vlan <vlan-list>` for inter-switch links.

Native VLAN mismatch on a trunk causes untagged traffic to be placed in wrong VLANs and can break STP.

DTP should be disabled on all ports for security; use `switchport nonegotiate`.

The 802.1Q tag is 4 bytes and supports VLAN IDs 1-4094.

Access ports drop tagged frames; trunk ports accept tagged frames for allowed VLANs.

Voice VLAN on an access port is an exception where a second tagged VLAN is allowed for voice traffic.

Always verify port mode with `show interfaces switchport` or `show interfaces trunk`.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Access Port

Belongs to a single VLAN (PVID).

Strips VLAN tags on egress (untagged frames).

Adds VLAN tag on ingress for untagged frames.

Typically connects to end devices (PCs, printers).

Cannot carry multiple VLANs (except voice VLAN special case).

Trunk Port

Carries multiple VLANs simultaneously.

Preserves VLAN tags on egress for non-native VLANs.

Assigns untagged frames to native VLAN.

Connects switches, routers, or servers with 802.1Q support.

Allows VLAN pruning to restrict which VLANs are carried.

Watch Out for These

Mistake

An access port can be configured to carry multiple VLANs.

Correct

An access port belongs to a single VLAN. It can only carry untagged traffic for that VLAN. The only exception is when a voice VLAN is configured, which effectively allows a second tagged VLAN for voice traffic, but the port is still considered an access port with a separate voice VLAN. For the exam, assume access ports carry one VLAN.

Mistake

Trunk ports always tag all frames.

Correct

Trunk ports do not tag frames belonging to the native VLAN by default. The native VLAN traffic is sent untagged. This can be changed on platforms that support it, for example with the global `vlan dot1q tag native` command on Cisco Catalyst switches. The exam expects you to know that native VLAN traffic is untagged unless explicitly configured otherwise.

Mistake

The default native VLAN is always secure.

Correct

VLAN 1 is the default native VLAN and is considered a security risk because it is the default and often used for management traffic. Attackers can perform VLAN hopping attacks if the native VLAN is not changed. Best practice is to change the native VLAN to an unused VLAN and disable DTP.

Mistake

DTP should always be enabled to simplify trunk negotiation.

Correct

DTP is a security risk because it can be exploited for VLAN hopping attacks. CompTIA recommends disabling DTP on all ports and statically setting port modes. Use `switchport nonegotiate` on trunk ports and set access ports to `switchport mode access`.

Mistake

A trunk port automatically allows all VLANs.

Correct

By default, a trunk port allows all VLANs (1-4094). However, you can restrict allowed VLANs using `switchport trunk allowed vlan` command. The exam may test that you can prune VLANs to reduce broadcast traffic and improve security.


Frequently Asked Questions

What is the difference between an access port and a trunk port?

An access port belongs to a single VLAN and carries untagged traffic. It is used to connect end devices like PCs and printers. A trunk port carries traffic for multiple VLANs using 802.1Q tagging. It is used to connect switches, routers, or servers that understand VLAN tags. The key difference is that access ports strip tags on egress, while trunk ports preserve tags for non-native VLANs.

What is the native VLAN on a trunk port and why is it important?

The native VLAN is the VLAN that carries untagged traffic on a trunk port. By default, it is VLAN 1. When a trunk port receives an untagged frame, it assigns it to the native VLAN. It is important because if the native VLAN is mismatched on two ends of a trunk, untagged traffic will be placed in different VLANs, causing connectivity issues. For security, you should change the native VLAN to an unused VLAN to prevent VLAN hopping.

How do I configure an access port on a Cisco switch?

Enter interface configuration mode (e.g., `interface gigabitethernet0/1`). Then issue `switchport mode access` followed by `switchport access vlan <vlan-id>`. For example, to assign VLAN 10: `switchport access vlan 10`. Verify with `show interfaces switchport`. Ensure the VLAN exists in the VLAN database.

How do I configure a trunk port on a Cisco switch?

Enter interface configuration mode and issue `switchport mode trunk`. Optionally, set the native VLAN with `switchport trunk native vlan <vlan-id>` and restrict allowed VLANs with `switchport trunk allowed vlan <vlan-list>`. For example: `switchport trunk native vlan 999` and `switchport trunk allowed vlan 10,20,30`. Disable DTP with `switchport nonegotiate`. Verify with `show interfaces trunk`.

What happens if I connect a trunk port to an access port?

The link will not function as a trunk. If either side is dynamic, DTP settles on whatever the static side dictates. If both sides are hard-set, the link stays up but only untagged traffic crosses it: the trunk's native VLAN on one side is bridged into the access VLAN on the other, and tagged frames from the trunk are dropped by the access port. Cisco switches report this through CDP as a native VLAN mismatch. Always ensure both sides are configured consistently.

What is DTP and should I use it?

DTP (Dynamic Trunking Protocol) is a Cisco proprietary protocol that negotiates trunking between switches. It can automatically establish a trunk if both ports are set to dynamic desirable or auto. However, DTP is a security risk because it can be exploited for VLAN hopping. CompTIA recommends disabling DTP on all ports and statically setting port modes. Use `switchport nonegotiate` on trunk ports.

Can an access port carry voice VLAN traffic?

Yes, Cisco switches support a voice VLAN feature on access ports. The port is configured with a data VLAN (access VLAN) and a separate voice VLAN. The IP phone (which supports 802.1Q) tags its traffic with the voice VLAN, while the PC behind the phone sends untagged traffic that is placed in the data VLAN. This allows a single port to carry two VLANs, but the port is still considered an access port.

