Access and Trunk Ports

1. Definition and Purpose

Switch ports operate in one of two fundamental modes that determine how VLAN traffic is handled. Understanding this distinction is one of the most foundational concepts in Cisco switching and a core CCNA topic.

  • Access Port: A switch port configured to carry traffic for exactly one VLAN. Frames entering and leaving an access port are untagged — end devices such as PCs, printers, IP phones, and cameras never see or process VLAN tags. The switch internally tracks which VLAN the port belongs to and handles tagging transparently.
  • Trunk Port: A switch port configured to carry traffic for multiple VLANs simultaneously. Each frame is tagged with an 802.1Q header identifying its VLAN, allowing a single physical link to transport traffic from many VLANs between switches, to routers, or to virtualization hosts.
Analogy: Think of an access port as a single-lane road serving one neighbourhood (VLAN), and a trunk port as a multi-lane highway with road signs (VLAN tags) telling traffic which exit to take.

Related pages: VLAN Tagging (802.1Q) | VLANs | VLAN Creation & Management | Router-on-a-Stick | Voice VLAN | Trunk Port Configuration (Step-by-Step) | Assigning VLANs to Switch Ports | Inter-VLAN Routing — Router-on-a-Stick

2. Access Port vs. Trunk Port — Full Comparison

Aspect                   | Access Port                                         | Trunk Port
-------------------------+-----------------------------------------------------+---------------------------------------------------
VLANs carried            | Single VLAN                                         | Multiple VLANs (plus native VLAN untagged)
Frame tagging            | None — frames always untagged to/from device        | 802.1Q tags added/removed per VLAN (except native)
Typical connected device | PC, printer, IP phone, camera, AP                   | Switch, router, firewall, hypervisor, WLC
Cisco IOS command        | switchport mode access                              | switchport mode trunk
Native VLAN applies?     | No                                                  | Yes — untagged frames belong to native VLAN
Default VLAN             | VLAN 1 (unless changed)                             | Allows all VLANs by default; native VLAN 1
VLAN hopping risk        | Low (single VLAN, no negotiation)                   | Higher if DTP enabled or native VLAN misconfigured
DTP involvement          | Can negotiate to trunk (if dynamic auto/desirable)  | Actively involved in DTP negotiation

3. 802.1Q VLAN Tagging — How It Works

IEEE 802.1Q is the industry-standard protocol for VLAN tagging on trunk links. When a switch forwards a frame out a trunk port, it inserts a 4-byte 802.1Q tag into the Ethernet frame header, immediately after the source MAC address and before the EtherType field.

802.1Q Tag Structure

  Original Ethernet Frame:
  ┌──────────┬──────────┬──────────┬──────────────────────┐
  │ Dst MAC  │ Src MAC  │ EtherType│ Payload              │
  │ (6 bytes)│ (6 bytes)│ (2 bytes)│                      │
  └──────────┴──────────┴──────────┴──────────────────────┘

  802.1Q Tagged Frame (trunk):
  ┌──────────┬──────────┬──────────────┬──────────┬───────────────────┐
  │ Dst MAC  │ Src MAC  │ 802.1Q Tag   │EtherType │ Payload           │
  │ (6 bytes)│ (6 bytes)│ (4 bytes)    │ (2 bytes)│                   │
  └──────────┴──────────┴──────┬───────┴──────────┴───────────────────┘
                                │
                    ┌───────────┴────────────┐
                    │ TPID: 0x8100 (2 bytes) │  Identifies 802.1Q frame
                    │ TCI:                   │
                    │  PCP: 3 bits (QoS)     │  Priority Code Point
                    │  DEI: 1 bit            │  Drop Eligible Indicator
                    │  VID: 12 bits          │  VLAN ID (0–4094)
                    └────────────────────────┘
            
  • TPID (Tag Protocol Identifier): Always 0x8100 — identifies this as an 802.1Q-tagged frame.
  • PCP (Priority Code Point): 3 bits for 802.1p QoS marking — used to prioritize time-sensitive traffic like VoIP.
  • DEI (Drop Eligible Indicator): 1 bit indicating whether the frame can be dropped during congestion.
  • VID (VLAN Identifier): 12 bits — supports VLAN IDs 0–4095 (0 and 4095 reserved; usable range is 1–4094).

Frame size impact: The 4-byte 802.1Q tag increases the Ethernet frame size from 1518 to 1522 bytes. Older NICs and switches that don't support 802.1Q may drop these "oversized" frames — always verify hardware compatibility in legacy environments.
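The tag layout above worked in code: this is an added Python example, not code from the original page, that packs the TPID/TCI fields, inserts the tag after the source MAC the way a trunk port does on egress, and strips it again the way an access port does. The sample frame is constructed (broadcast destination, locally administered source, IPv4 EtherType).

```python
"""Build, parse, insert and strip 802.1Q tags on raw Ethernet frames (added example)."""
import struct

TPID_8021Q = 0x8100       # Tag Protocol Identifier that marks an 802.1Q frame
TAG_OFFSET = 12           # tag sits after Dst MAC (6 bytes) + Src MAC (6 bytes)
TAG_LEN = 4


def build_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Return the 4-byte tag: TPID followed by TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 1 <= vid <= 4094:                    # 0 and 4095 are reserved
        raise ValueError(f"VID {vid} outside usable range 1-4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits (0-7), DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def parse_tag(frame: bytes):
    """Return (pcp, dei, vid) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < TAG_OFFSET + TAG_LEN:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, TAG_OFFSET)
    if tpid != TPID_8021Q:
        return None                              # those two bytes are a plain EtherType
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Trunk-port egress: insert the tag between Src MAC and EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if parse_tag(frame) is not None:
        raise ValueError("frame is already 802.1Q tagged")
    # A maximum-size 1518-byte frame grows to 1522 bytes here.
    return frame[:TAG_OFFSET] + build_tag(vid, pcp) + frame[TAG_OFFSET:]


def strip_tag(frame: bytes):
    """Access-port egress: remove the tag; returns (vid, untagged_frame)."""
    fields = parse_tag(frame)
    if fields is None:
        raise ValueError("frame carries no 802.1Q tag")
    return fields[2], frame[:TAG_OFFSET] + frame[TAG_OFFSET + TAG_LEN:]


if __name__ == "__main__":
    # Constructed frame: broadcast dst, locally administered src, IPv4 EtherType, 46-byte pad
    untagged = bytes.fromhex("ffffffffffff020000000001") + b"\x08\x00" + b"\x00" * 46
    tagged = add_tag(untagged, vid=10, pcp=5)
    print(tagged[TAG_OFFSET:TAG_OFFSET + TAG_LEN].hex())   # 8100a00a
    print(parse_tag(tagged))                               # (5, 0, 10)
    print(strip_tag(tagged)[1] == untagged)                # True
```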

4. Native VLAN — Concept and Security

The native VLAN is a special concept that applies only to trunk ports. Frames belonging to the native VLAN are transmitted untagged across the trunk link — no 802.1Q tag is added. When a trunk port receives an untagged frame, the switch places it in the native VLAN.

  • Cisco default native VLAN: VLAN 1 on all trunk ports.
  • Native VLAN must match on both ends of a trunk link. A mismatch causes frames to be placed in the wrong VLAN — a common troubleshooting issue that generates CDP warnings.
  • Management traffic (CDP, VTP, PAgP, LACP) always travels on VLAN 1, regardless of the native VLAN setting.

Native VLAN Mismatch Behaviour

  Switch A (native VLAN 1)          Switch B (native VLAN 99)
  ┌──────────────────────┐           ┌──────────────────────┐
  │  Trunk port          │           │  Trunk port          │
  │  Native VLAN: 1      │◀─────────▶│  Native VLAN: 99     │
  └──────────────────────┘           └──────────────────────┘

  Result: Untagged frames sent by Switch A (VLAN 1) are received
  by Switch B and placed into VLAN 99 — traffic ends up in the
  WRONG VLAN. CDP will report: "Native VLAN mismatch discovered."
            

Native VLAN Security Best Practices

  • Change the native VLAN away from VLAN 1 to an unused, dedicated VLAN (e.g., VLAN 999).
  • That unused native VLAN should carry no user traffic — it exists solely to handle untagged frames on the trunk.
  • Ensure native VLAN matches on both ends of every trunk link.
  • Use vlan dot1q tag native globally to force tagging of native VLAN frames, eliminating the untagged native VLAN entirely.

! Force tagging of native VLAN frames on all trunks (global)
Switch(config)# vlan dot1q tag native

5. Configuring Access Ports

Access ports are straightforward to configure. Every end-device port should be explicitly set to access mode — never leave ports in dynamic auto/desirable mode on user-facing interfaces.

Basic Access Port Configuration

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# description PC - Finance Dept
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport nonegotiate        ! Disable DTP
Switch(config-if)# spanning-tree portfast        ! Enable PortFast for end devices
Switch(config-if)# no shutdown

Configuring Multiple Access Ports at Once

! Configure ports 1–20 as access ports in VLAN 10
Switch(config)# interface range GigabitEthernet0/1 - 20
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport nonegotiate
Switch(config-if-range)# spanning-tree portfast

Voice VLAN on an Access Port (IP Phone)

When connecting a Cisco IP phone, the port carries two VLANs: a data VLAN for the PC plugged into the phone's pass-through port, and a voice VLAN for VoIP traffic. The port is still considered an access port from the PC's perspective.

Switch(config)# interface GigabitEthernet0/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10         ! Data VLAN for PC
Switch(config-if)# switchport voice vlan 20          ! Voice VLAN for IP phone
Switch(config-if)# spanning-tree portfast
Switch(config-if)# no shutdown

How voice VLAN works: The switch sends CDP to the IP phone telling it to tag its voice traffic with VLAN 20. The phone internally tags VoIP frames with VLAN 20 and passes untagged PC traffic on VLAN 10. The switch port handles both — even though it is classified as an access port.

See: Voice VLAN Explained | Voice VLAN Configuration

6. Configuring Trunk Ports

Trunk ports require slightly more configuration — specifying the encapsulation (on older switches), setting the mode, and controlling which VLANs are allowed.

Full Trunk Port Configuration

Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# description Trunk to Core-SW1
Switch(config-if)# switchport trunk encapsulation dot1q   ! Required on older switches that also support ISL encapsulation
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 999       ! Change from default VLAN 1
Switch(config-if)# switchport trunk allowed vlan 10,20,30,40,999
Switch(config-if)# switchport nonegotiate                 ! Disable DTP
Switch(config-if)# no shutdown

Managing Allowed VLANs on a Trunk

! Add VLANs to existing allowed list (non-destructive)
Switch(config-if)# switchport trunk allowed vlan add 50,60

! Remove specific VLANs from allowed list
Switch(config-if)# switchport trunk allowed vlan remove 40

! Replace entire allowed list (overwrites — use with caution!)
Switch(config-if)# switchport trunk allowed vlan 10,20,30

! Allow ALL VLANs (default — not recommended in production)
Switch(config-if)# switchport trunk allowed vlan all

Best practice: Always explicitly define the allowed VLAN list on trunk ports — never rely on the default "allow all." Restricting to only required VLANs reduces the blast radius of misconfigurations and limits VLAN hopping attack surface.

Verify Trunk Configuration

Switch# show interfaces GigabitEthernet0/24 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/24      on           802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/24      10,20,30,999

Port        Vlans allowed and active in management domain
Gi0/24      10,20,30,999

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      10,20,30,999
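To catch the "allowed but not active" case from this output automatically, here is an added Python example (not part of the page or of Cisco IOS) that parses a constructed show interfaces trunk listing in the same layout and reports VLANs that are allowed but missing from the VLAN database, trunks that allow every VLAN, and trunks whose mode was negotiated by DTP rather than set to on.

```python
"""Parse 'show interfaces trunk' output and flag allowed-but-inactive VLANs (added example)."""
from typing import Dict, List, Set

ALL_VLANS = frozenset(range(1, 4095))

# Constructed sample output in the same layout as the verification section above.
SAMPLE_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/24      on           802.1q         trunking      999
Gi0/23      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/24      10,20,30,999
Gi0/23      1-4094

Port        Vlans allowed and active in management domain
Gi0/24      10,20,999
Gi0/23      1,10,20,999

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/24      10,20,999
Gi0/23      1,10,20,999
"""


def expand_vlans(spec: str) -> Set[int]:
    """Expand IOS list syntax such as '1,10-12,999' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text: str) -> Dict[str, dict]:
    """Return {port: {'mode', 'native', 'allowed', 'active'}} from the command output."""
    trunks: Dict[str, dict] = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):             # a header line starts a new section
            header = line.lower()
            if "native vlan" in header:
                section = "status"
            elif "allowed on trunk" in header:
                section = "allowed"
            elif "active in management domain" in header:
                section = "active"
            else:
                section = None                  # STP forwarding section is not needed here
            continue
        fields = line.split()
        port = fields[0]
        if section == "status":
            trunks[port] = {"mode": fields[1], "native": int(fields[4]),
                            "allowed": set(), "active": set()}
        elif section in ("allowed", "active") and port in trunks:
            trunks[port][section] = expand_vlans(fields[1])
    return trunks


def review_trunks(trunks: Dict[str, dict]) -> List[str]:
    """One finding per trunk problem: DTP-negotiated mode, allow-all list, allowed-but-inactive VLANs."""
    findings: List[str] = []
    for port, info in trunks.items():
        if info["mode"] != "on":
            findings.append(f"{port}: trunk negotiated via DTP (mode {info['mode']}); "
                            "set 'switchport mode trunk' and 'switchport nonegotiate'")
        if info["allowed"] >= ALL_VLANS:
            findings.append(f"{port}: allows all VLANs; set an explicit allowed list")
            continue                            # listing thousands of inactive VLANs is noise
        missing = sorted(info["allowed"] - info["active"])
        if missing:
            findings.append(f"{port}: VLAN(s) {missing} allowed but not active; "
                            "create them in the VLAN database or trim the allowed list")
    return findings


if __name__ == "__main__":
    for finding in review_trunks(parse_show_trunk(SAMPLE_OUTPUT)):
        print(finding)
```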

7. Dynamic Trunking Protocol (DTP)

DTP is a Cisco-proprietary protocol that allows switch ports to automatically negotiate whether to form a trunk link. While convenient in lab environments, DTP poses a security risk in production — it should be disabled on all user-facing and external ports.

DTP Mode Negotiation Matrix

Local Port Mode    | Remote: Access          | Remote: Dynamic Auto | Remote: Dynamic Desirable | Remote: Trunk
-------------------+-------------------------+----------------------+---------------------------+------------------------
Access             | Access ✅               | Access               | Access                    | Access (misconfigured!)
Dynamic Auto       | Access                  | Access ⚠️            | Trunk                     | Trunk
Dynamic Desirable  | Access                  | Trunk                | Trunk                     | Trunk
Trunk              | Access (misconfigured!) | Trunk                | Trunk                     | Trunk ✅

Key exam fact: Two ports both set to dynamic auto will NOT form a trunk — both are passively waiting for the other to initiate. You need at least one side set to dynamic desirable or trunk for a trunk to form automatically. Always use spanning-tree portfast on access ports facing end devices — see PortFast & BPDU Guard.

Disabling DTP — Best Practice Configuration

! On user-facing access ports — explicitly set mode and disable DTP
Switch(config-if)# switchport mode access
Switch(config-if)# switchport nonegotiate

! On trunk ports — explicitly set trunk mode and disable DTP
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate

switchport nonegotiate stops the port from sending DTP frames entirely. This is required when connecting to non-Cisco devices that do not understand DTP and may misinterpret DTP frames.

8. Frame Handling — Access vs. Trunk Ports Step by Step

Understanding exactly what happens to a frame as it enters and exits each port type is critical for the CCNA exam.

Frame Path: PC → Access Port → Trunk → Access Port → PC

  PC-A (VLAN 10)
      │
      │  Untagged Ethernet frame
      ▼
  ┌─────────────────────┐
  │ Switch A — Gi0/1    │  Access port, VLAN 10
  │ (Access Port)       │  Switch tags frame internally as VLAN 10
  └──────────┬──────────┘
             │
             │  802.1Q tagged frame [VLAN 10]
             ▼
  ┌─────────────────────┐
  │ Switch A — Gi0/24   │  Trunk port
  │ (Trunk Port)        │  Adds 802.1Q tag: VLAN ID = 10
  └──────────┬──────────┘
             │
             │  Tagged frame travels across trunk link
             ▼
  ┌─────────────────────┐
  │ Switch B — Gi0/24   │  Trunk port
  │ (Trunk Port)        │  Reads VLAN ID = 10, forwards to VLAN 10 ports
  └──────────┬──────────┘
             │
             │  802.1Q tag removed
             ▼
  ┌─────────────────────┐
  │ Switch B — Gi0/3    │  Access port, VLAN 10
  │ (Access Port)       │  Strips 802.1Q tag — sends untagged frame
  └──────────┬──────────┘
             │
             │  Untagged Ethernet frame
             ▼
  PC-B (VLAN 10)
            

Native VLAN Frame Handling on Trunk

  • A frame arriving on a trunk port without a tag is placed into the native VLAN.
  • A frame being sent out a trunk port belonging to the native VLAN is sent untagged.
  • All other VLANs on a trunk port are always tagged with their respective VLAN IDs.
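The three native VLAN rules above, together with the mismatch scenario from section 4, as an added Python model that is not code from the original page. Frames are tracked by VLAN ID only (None on the wire means untagged), so the model shows which VLAN a frame lands in on the far switch rather than the bytes on the wire; switch names and port settings are constructed for the demonstration.

```python
"""VLAN-level model of trunk ingress/egress with native VLAN rules (added example)."""
from dataclasses import dataclass, field
from typing import Optional, Set

ALL_VLANS = frozenset(range(1, 4095))


@dataclass
class TrunkPort:
    switch: str
    native_vlan: int = 1                          # Cisco default
    allowed: Set[int] = field(default_factory=lambda: set(ALL_VLANS))
    tag_native: bool = False                      # 'vlan dot1q tag native' configured

    def egress(self, vlan: int) -> Optional[int]:
        """VID written on the wire for a frame leaving this trunk; None means untagged."""
        if vlan not in self.allowed:
            raise ValueError(f"{self.switch}: VLAN {vlan} not allowed on trunk, dropped")
        if vlan == self.native_vlan and not self.tag_native:
            return None                           # native VLAN leaves untagged
        return vlan                               # every other VLAN is tagged

    def ingress(self, wire_vid: Optional[int]) -> Optional[int]:
        """VLAN assigned to an arriving frame; None means the switch drops it."""
        if wire_vid is None:
            # untagged frame: lands in the native VLAN, unless tag-native rejects it
            return None if self.tag_native else self.native_vlan
        return wire_vid if wire_vid in self.allowed else None


def forward(sender: TrunkPort, receiver: TrunkPort, vlan: int) -> Optional[int]:
    """One frame from `sender` across the link; returns the VLAN it lands in on the receiver."""
    return receiver.ingress(sender.egress(vlan))


if __name__ == "__main__":
    # Mismatch scenario from section 4: native VLAN 1 on one side, 99 on the other.
    sw_a = TrunkPort("SwA", native_vlan=1)
    sw_b = TrunkPort("SwB", native_vlan=99)
    print("VLAN 1 frame lands in VLAN", forward(sw_a, sw_b, 1))        # 99 (wrong VLAN)
    print("VLAN 10 frame lands in VLAN", forward(sw_a, sw_b, 10))      # 10
    # Hardened link: matching unused native VLAN and tag-native on both sides.
    sw_c = TrunkPort("SwC", native_vlan=999, tag_native=True, allowed={10, 20, 999})
    sw_d = TrunkPort("SwD", native_vlan=999, tag_native=True, allowed={10, 20, 999})
    print("Native VLAN tagged as", sw_c.egress(999))                    # 999
    print("Untagged frame on tag-native trunk ->", sw_d.ingress(None))  # None (dropped)
```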

9. Router-on-a-Stick — Trunk to Router

Router-on-a-Stick (ROAS) is an inter-VLAN routing method where a single router interface is configured as a trunk, with sub-interfaces for each VLAN acting as the default gateway for that VLAN. The physical switch port connected to the router is configured as a trunk.

Router-on-a-Stick Architecture

  ┌─────────┐  Trunk (VLANs 10,20,30)  ┌─────────────────────────┐
  │ Switch  │◀─────────────────────────▶│ Router                  │
  │         │  Gi0/0 (trunk port)       │  Gi0/0.10 — VLAN 10 GW │
  └─────────┘                           │  Gi0/0.20 — VLAN 20 GW │
       │                                │  Gi0/0.30 — VLAN 30 GW │
  Access ports:                         └─────────────────────────┘
   Gi0/1  VLAN 10 (Finance)
   Gi0/2  VLAN 20 (HR)
   Gi0/3  VLAN 30 (IT)
            

Router Sub-Interface Configuration

! Router — sub-interfaces for each VLAN
Router(config)# interface GigabitEthernet0/0
Router(config-if)# no shutdown

Router(config)# interface GigabitEthernet0/0.10
Router(config-subif)# encapsulation dot1Q 10
Router(config-subif)# ip address 192.168.10.1 255.255.255.0

Router(config)# interface GigabitEthernet0/0.20
Router(config-subif)# encapsulation dot1Q 20
Router(config-subif)# ip address 192.168.20.1 255.255.255.0

Router(config)# interface GigabitEthernet0/0.30
Router(config-subif)# encapsulation dot1Q 30
Router(config-subif)# ip address 192.168.30.1 255.255.255.0

Switch Trunk Port to Router

! Switch — trunk port connecting to the router
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# switchport nonegotiate

See: Router-on-a-Stick Explained | Inter-VLAN Routing — Router-on-a-Stick (Step-by-Step) | Inter-VLAN Routing — Layer 3 Switch

10. VLAN Hopping Attacks and Prevention

VLAN hopping is a Layer 2 attack where a malicious device sends traffic to a VLAN it should not have access to, bypassing network segmentation. There are two primary methods:

Attack Method 1 — Switch Spoofing

An attacker's device sends DTP frames pretending to be a switch, tricking the legitimate switch into forming a trunk. Once the trunk forms, the attacker's device can send and receive traffic on any VLAN carried by the trunk — bypassing access control entirely.

Prevention: Disable DTP on all user-facing ports with switchport mode access and switchport nonegotiate. A port in explicit access mode cannot be tricked into forming a trunk regardless of what DTP frames it receives.

Attack Method 2 — Double Tagging

The attacker sends a frame with two 802.1Q tags — an outer tag matching the native VLAN and an inner tag for the target VLAN. The first switch strips the outer (native VLAN) tag and forwards the frame with the inner tag still intact onto the trunk. The second switch reads the inner tag and delivers the frame to the target VLAN — which the attacker should not have access to.

  Attacker sends double-tagged frame:
  ┌──────────┬──────────┬─────────────┬─────────────┬──────────┐
  │ Dst MAC  │ Src MAC  │Outer Tag    │ Inner Tag   │ Payload  │
  │          │          │VLAN 1 native│ VLAN 99     │          │
  └──────────┴──────────┴──────┬──────┴─────────────┴──────────┘
                                │
                    Switch 1 strips outer tag
                    (VLAN 1 = native, sent untagged)
                                │
                                ▼
  ┌──────────┬──────────┬─────────────┬──────────┐
  │ Dst MAC  │ Src MAC  │ Inner Tag   │ Payload  │
  │          │          │ VLAN 99     │          │
  └──────────┴──────────┴──────┬──────┴──────────┘
                                │
                    Switch 2 delivers to VLAN 99 ← Attacker wins
            
Prevention: Change the native VLAN away from VLAN 1 to an unused VLAN. Ensure the native VLAN is not the same as any user VLAN. Double tagging only works when the attacker's VLAN matches the native VLAN — changing the native VLAN defeats this attack.

Complete VLAN Security Hardening Checklist

  • Set all user-facing ports explicitly to switchport mode access.
  • Disable DTP on all ports: switchport nonegotiate.
  • Change native VLAN from VLAN 1 to an unused, dedicated VLAN (e.g., VLAN 999).
  • Shut down all unused ports and assign them to a "black hole" VLAN (e.g., VLAN 999) that has no routing or active traffic.
  • Restrict allowed VLANs on trunks to only those explicitly required.
  • Do not use VLAN 1 for any user, management, or native traffic.
  • Enable vlan dot1q tag native globally to tag native VLAN frames.
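An added Python example, not from the page or any Cisco tool, that audits a constructed running-config excerpt against this checklist: it flags ports left in a dynamic DTP mode, a missing switchport nonegotiate, access ports in VLAN 1, trunks with native VLAN 1 or no allowed list, and a missing global vlan dot1q tag native. The assumed default port mode when none is configured is dynamic auto.

```python
"""Audit a Cisco IOS running-config against the VLAN hardening checklist (added example)."""
import re
from typing import Dict, List, Optional

# Constructed running-config excerpt: Gi0/1 and Gi0/24 follow the checklist,
# Gi0/2 and Gi0/23 were left at defaults in places.
SAMPLE_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet0/1
 description PC - Finance Dept
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/23
 switchport mode trunk
!
interface GigabitEthernet0/24
 description Trunk to Core-SW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,999
 switchport nonegotiate
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface <name>' block to its indented commands."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        match = re.match(r"^interface (\S+)", raw)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # '!' or a global command ends the block
    return interfaces


def first_value(lines: List[str], prefix: str, default: str) -> str:
    """Return what follows `prefix` in the first matching command, else `default`."""
    return next((line[len(prefix):] for line in lines if line.startswith(prefix)), default)


def audit(config: str) -> List[str]:
    """Return one finding per checklist violation found in the config."""
    findings: List[str] = []
    if "vlan dot1q tag native" not in config.splitlines():
        findings.append("global: 'vlan dot1q tag native' missing; native VLAN frames leave untagged")
    for name, lines in parse_interfaces(config).items():
        # Assumed platform default when no 'switchport mode' is configured.
        mode = first_value(lines, "switchport mode ", "dynamic auto")
        if mode.startswith("dynamic"):
            findings.append(f"{name}: mode '{mode}' lets DTP negotiate a trunk; set access or trunk explicitly")
            continue
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: 'switchport nonegotiate' missing; port still sends DTP frames")
        if mode == "access":
            if first_value(lines, "switchport access vlan ", "1") == "1":
                findings.append(f"{name}: access port sits in VLAN 1")
        elif mode == "trunk":
            if first_value(lines, "switchport trunk native vlan ", "1") == "1":
                findings.append(f"{name}: trunk uses default native VLAN 1")
            if first_value(lines, "switchport trunk allowed vlan ", "all") == "all":
                findings.append(f"{name}: trunk allows all VLANs; set an explicit allowed list")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```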

See: DHCP Snooping & Dynamic ARP Inspection | VLAN Creation & Management

11. Common Use Cases

Scenario                                     | Port Type                        | Configuration Notes
---------------------------------------------+----------------------------------+---------------------------------------------------------------
PC / workstation                             | Access — single data VLAN        | Explicit access mode + nonegotiate + PortFast
IP phone with PC passthrough                 | Access — data VLAN + voice VLAN  | switchport access vlan 10 + switchport voice vlan 20
Printer / IoT device                         | Access — single VLAN             | Isolate in a dedicated VLAN for security
Switch uplink (access layer → distribution)  | Trunk — multiple VLANs           | Explicit trunk mode + restricted allowed VLANs + nonegotiate
Router-on-a-Stick (inter-VLAN routing)       | Trunk — to router                | Router sub-interfaces with encapsulation dot1Q <vlan>
Wireless LAN Controller (WLC)                | Trunk — multiple SSIDs/VLANs     | Each SSID maps to a VLAN; WLC port carries all SSIDs as a trunk
VMware / Hyper-V hypervisor                  | Trunk — virtual machine VLANs    | Hypervisor handles tagging internally for each VM's VLAN
Firewall DMZ interface                       | Trunk — multiple security zones  | Each firewall interface or sub-interface represents a VLAN/zone

12. Troubleshooting Access and Trunk Ports

Common Issues and Solutions

Problem                                      | Likely Cause                                                               | Solution
---------------------------------------------+----------------------------------------------------------------------------+---------------------------------------------------------------------
Trunk not forming between switches           | Both ports set to dynamic auto — neither initiates                         | Set at least one side to switchport mode trunk or dynamic desirable
Native VLAN mismatch warning (CDP)           | Native VLAN configured differently on each end of trunk                    | Set same native VLAN on both sides: switchport trunk native vlan 999
VLAN traffic not passing through trunk       | VLAN not in the allowed list on one or both sides                          | Add VLAN: switchport trunk allowed vlan add <vlan-id>
PC cannot communicate across trunk link      | VLAN exists on one switch but not the other (VTP or manual mismatch)       | Create VLAN on both switches; verify with show vlan brief
Port shows as access when trunk was expected | Remote end is in access mode; DTP negotiation resulted in access           | Explicitly set both ends to switchport mode trunk
Device cannot get IP address (DHCP fails)    | Access port assigned to wrong VLAN; DHCP helper not configured on VLAN SVI | Verify show interfaces switchport; check VLAN SVI and ip helper-address

Key Verification Commands

Command                           | What It Shows
----------------------------------+---------------------------------------------------------------------------------------
show interfaces switchport        | Port mode (access/trunk), access VLAN, voice VLAN, native VLAN, allowed VLANs
show interfaces trunk             | All active trunk ports, encapsulation, native VLAN, allowed VLANs, active VLANs in STP
show vlan brief                   | All VLANs on the switch and which ports are assigned to each VLAN
show interfaces Gi0/1 switchport  | Detailed switchport config for a specific interface
show mac address-table vlan 10    | MAC addresses learned on VLAN 10 and which ports they are on
show cdp neighbors detail         | Reveals native VLAN mismatch warnings between CDP-capable neighbors

See: show vlan Explained | Troubleshooting Layer 2 — VLAN & Trunk Issues

13. Multi-Vendor Considerations

While 802.1Q is a universal standard, the CLI commands and negotiation behavior differ across vendors. DTP is Cisco-proprietary and does not exist on non-Cisco equipment.

Vendor            | Trunk Command Example                                                          | Notes
------------------+--------------------------------------------------------------------------------+--------------------------------------------------------------------------------------
Cisco IOS         | switchport mode trunk                                                          | DTP available; use nonegotiate with non-Cisco peers
Aruba / HP        | tagged vlan 10,20,30                                                           | No DTP — trunking always manual; "tagged" = trunk, "untagged" = access
Juniper EX        | set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk  | No DTP; VLANs listed explicitly per interface
Fortinet / other  | GUI-based or vendor-specific CLI                                               | Always use switchport nonegotiate on Cisco side when connecting to non-Cisco devices

14. Common Misconceptions

  • "An access port only carries its assigned VLAN — all other VLANs are blocked."
    Correct in terms of forwarding, but the reason is that the switch simply does not tag or forward any other VLAN's frames on that port — it's not an active block, just isolation by design.
  • "Two switches set to dynamic auto will form a trunk automatically."
    No — both sides are passively waiting for the other to initiate. Two dynamic auto ports result in an access link, not a trunk. At least one side must be trunk or dynamic desirable.
  • "The native VLAN on a trunk can be any VLAN, and it doesn't need to match the other side."
    The native VLAN must match on both ends. A mismatch causes untagged frames to land in the wrong VLAN — a logic error that CDP will warn about but the switch will not automatically fix.
  • "A port in trunk mode always carries all VLANs."
    By default yes, but the allowed VLAN list can restrict which VLANs traverse the trunk. Additionally, a VLAN must exist on the switch (in the VLAN database) AND be in the allowed list to actually be trunked. show interfaces trunk shows the distinction between "allowed" and "active."
  • "Hiding management traffic on VLAN 1 is safe because VLAN 1 is not routed."
    VLAN 1 is the default native VLAN and carries CDP, VTP, STP, and other control traffic. Using VLAN 1 for management makes it a high-value target and exposes management traffic to double-tagging attacks. Always move management to a dedicated, non-default VLAN.

15. Key Points & Exam Tips

Topic          | Key Facts to Remember
---------------+-----------------------------------------------------------------------------------------------------------------------------
Access port    | Single VLAN; frames untagged to/from device; use for all end devices; explicit switchport mode access
Trunk port     | Multiple VLANs; 802.1Q tags; switch-to-switch, switch-to-router, hypervisors; explicit switchport mode trunk
802.1Q tag     | 4-byte tag inserted after Src MAC; contains 12-bit VID (VLAN ID 1–4094); TPID = 0x8100
Native VLAN    | Sent untagged on trunk; default is VLAN 1; must match both ends; change to unused VLAN for security
DTP            | Cisco-only; auto+auto = access (NOT trunk); disable with nonegotiate; never leave enabled on user ports
VLAN hopping   | Switch spoofing (DTP exploit) and double tagging (native VLAN exploit); prevent with access mode + nonegotiate + change native VLAN
Voice VLAN     | Access port carries data VLAN (untagged) + voice VLAN (tagged to phone via CDP); port still classified as access
Allowed VLANs  | Use add/remove to modify without overwriting; a VLAN must exist on the switch AND be in the allowed list to traverse the trunk

Related pages: VLAN Tagging (802.1Q) | VLANs | VLAN Creation & Management | Router-on-a-Stick | Voice VLAN | Layer 3 Switch Routing | show vlan Command | STP Overview | PortFast & BPDU Guard | Trunk Port Configuration | Assigning VLANs to Switch Ports | Inter-VLAN Routing — Router-on-a-Stick | Inter-VLAN Routing — Layer 3 Switch | Voice VLAN Configuration | Troubleshooting Layer 2 — VLAN & Trunk

16. Access and Trunk Ports Quiz

1. A network engineer connects two switches with a cable. Switch A's port is set to dynamic auto and Switch B's port is also set to dynamic auto. What will be the resulting port mode?

Correct answer is D. DTP dynamic auto is a passive mode — the port waits for the remote side to initiate trunking. When both sides are passive, neither initiates and both remain in access mode. To form a trunk, at least one side must be set to trunk or dynamic desirable.

2. A security team discovers that an attacker connected to VLAN 10 is receiving traffic from VLAN 99. Investigation shows the attacker's PC was sending frames with two 802.1Q tags. What attack is this and what is the primary prevention?

Correct answer is B. This is a double-tagging attack. The attacker sends a frame with an outer tag matching the native VLAN (VLAN 1 by default). The first switch strips the outer tag and forwards the frame with the inner tag (VLAN 99) onto the trunk. The second switch delivers it to VLAN 99. Changing the native VLAN to an unused VLAN that no attacker can legitimately access defeats this attack — the outer tag would have to match a VLAN the attacker does not belong to.

3. An admin configures a trunk port with switchport trunk allowed vlan 10,20,30. Later, they run switchport trunk allowed vlan 40 (without "add"). What is the result?

Correct answer is C. The switchport trunk allowed vlan <list> command (without add or remove) replaces the entire allowed VLAN list. VLANs 10, 20, and 30 are immediately removed from the trunk — this is a common and impactful misconfiguration that drops traffic on those VLANs instantly. Always use switchport trunk allowed vlan add 40 to append to the existing list without overwriting it.

4. A Cisco IP phone is connected to switch port Gi0/5. The port is configured with VLAN 10 as the data VLAN and VLAN 20 as the voice VLAN. How does the switch communicate the voice VLAN to the IP phone?

Correct answer is A. The switch uses CDP (Cisco Discovery Protocol) to communicate the voice VLAN ID to the connected Cisco IP phone. Once the phone receives the CDP message containing the voice VLAN, it begins tagging its VoIP traffic with that VLAN ID. PC traffic passing through the phone's built-in switch remains untagged and is handled by the data VLAN.

5. An admin runs show interfaces trunk and sees VLAN 30 is listed as "allowed" but NOT listed as "active in management domain." What is the most likely cause?

Correct answer is C. show interfaces trunk shows three VLAN sections: "allowed on trunk" (the configured allowed list), "allowed and active in management domain" (VLANs that both exist in the VLAN database AND are allowed), and "in spanning tree forwarding state and not pruned." If VLAN 30 is allowed but not active, it most commonly means the VLAN has not been created with vlan 30 in the VLAN database. Create it with Switch(config)# vlan 30.

6. Switch A has native VLAN 1 on its trunk port. Switch B has native VLAN 99 on its trunk port. Both trunks are connected. A PC on Switch A in VLAN 1 sends an untagged frame. In which VLAN does this frame arrive on Switch B?

Correct answer is D. Switch A sends the VLAN 1 frame untagged (because it is Switch A's native VLAN). Switch B receives the untagged frame on its trunk port and places it into its native VLAN — which is VLAN 99. The frame has crossed from VLAN 1 to VLAN 99, breaking VLAN segmentation silently. This is why CDP generates a native VLAN mismatch warning and why matching native VLANs on both trunk ends is critical.

7. Which command should be used on a switch port connecting to a non-Cisco switch to prevent potential trunking issues caused by DTP frames?

Correct answer is B. When connecting to a non-Cisco switch, DTP must be disabled because non-Cisco devices do not understand DTP frames and may behave unpredictably when they receive them. Set the port explicitly to trunk mode with switchport mode trunk, then stop DTP frame transmission with switchport nonegotiate. This forces trunk mode while ensuring no DTP frames are sent to the non-Cisco device.

8. A router-on-a-stick is configured with sub-interfaces for VLANs 10, 20, and 30. Users in VLAN 10 can ping the router's sub-interface but cannot reach users in VLAN 20. The switch trunk port has switchport trunk allowed vlan 10,30. What is the issue?

Correct answer is A. The trunk port's allowed VLAN list only includes VLANs 10 and 30 — VLAN 20 is absent. Any VLAN 20 traffic generated by users trying to reach other VLANs is blocked at the trunk and never reaches the router's Gi0/0.20 sub-interface. Fix: switchport trunk allowed vlan add 20 — using "add" is critical to avoid accidentally removing the existing VLANs 10 and 30.

9. What is the purpose of running vlan dot1q tag native globally on a Cisco switch?

Correct answer is C. By default, the native VLAN is always sent untagged on trunk ports — this is the condition exploited by double-tagging attacks. The vlan dot1q tag native global command forces the switch to tag native VLAN frames with their VLAN ID, just like all other VLANs. Any untagged frame arriving on the trunk is then dropped rather than placed into the native VLAN, providing an additional layer of protection against double-tagging attacks.

10. A network admin is tasked with connecting a new ESXi hypervisor host that runs VMs in VLANs 10, 20, 40, and 50 to a Cisco switch. The hypervisor handles VLAN tagging internally. Which switch port configuration is correct?

Correct answer is B. A hypervisor (VMware ESXi, Hyper-V, Proxmox) that handles multiple VLANs uses a virtual switch (vSwitch) that tags traffic per VM with the appropriate VLAN ID. The physical NIC must connect to a trunk port on the switch so that tagged frames from all four VLANs can traverse the single physical link. Using nonegotiate is correct because hypervisors are not Cisco devices and do not support DTP — sending DTP frames to a hypervisor can cause issues.
