A switch port can be in one of two modes: access and trunk. There are two ways a switch port can settle down into one of these two modes: static and dynamic. You can manually configure a switch port to be in the access or trunk mode in the static method. You can also let Dynamic Trunking Protocol (DTP) run on an interface to negotiate trunking in the dynamic method. Cisco switches exchange DTP messages to dynamically learn whether the device at the other end of the link wants to perform trunking and, if so, which trunking protocol (ISL or 802.1Q) to use.

Access Ports 

A switch port in access modes belongs to one specific VLAN and sends and receives regular Ethernet frames in untagged form. The switch interfaces connected to devices such as desktops, laptops, printers etc. are typically configured as access ports. By default, a Cisco switch port is assigned to the default VLAN 1 in access mode. You can explicitly set the switch port to access mode using command switchport mode access in interface configuration mode. The VLAN that certain switch port is assigned to can be changed using command switchport access vlan vlan-id, in interface configuration mode.

SW1#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int fa0/1
SW1(config-if)#switchport mode ?
access        Set trunking mode to ACCESS unconditionally
dot1q-tunnel  Set trunking mode to TUNNEL unconditionally
dynamic       Set trunking mode to dynamically negotiate access or                   trunk mode
private-vlan  Set private-vlan mode
trunk         Set trunking mode to TRUNK unconditionally

SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10

We just configured interface FastEthernet 0/1 of switch SW1 in access mode assigning it to VLAN 10. 

Trunk Ports 

The distinguishing feature of trunk ports is that they carry traffic from multiple VLANs at the same time. Such interfaces are most commonly configured between two switches but they can also be configured between a switch and a router, and even between a server and a switch. The range of VLAN IDs that can be configured on a Cisco switch is 1 to 4094 which is divided into normal-range VLAN IDs of 1 to 1005 and extended-range VLAN IDs of 1006 to 4094.

In fact trunking is a great feature because a single physical link is shared by multiple VLANs while still allowing traffic isolation between different VLANs. In the absence of such feature we would have required one inter-switch link per VLAN which would simply not scale to a large number of VLANs. By default the full range of VLAN IDs 1 to 4094 is allowed on a trunk port which means traffic belonging to all VLANs can be carried across the trunk port. It is also possible to allow only a subset of the full range of VLAN IDs on the trunk while blocking the others. Trunking allows a VLAN to span multiple switches with access ports belonging to the VLAN spread across multiple switches in different parts of the switched network. This provides great flexibility when creating VLANs and a host can be assigned to a VLAN regardless of its physical location on the switched network.

Exam Concept – A trunk link must operate at 100 Mbps or greater speeds.  This is a common CCNA question.

A switch port can be configured as trunk using command switchport mode trunk in interface configuration mode.

SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface FastEthernet 0/1
SW1(config-if)#switchport mode trunk 

We will learn more about trunking protocols ISL and 802.1Q in a later section. 

Voice Access Ports

Voice access ports are a special case of access ports with modified behavior suited for connecting IP phones. Most corporate users these days use two network devices: a desktop or laptop computer and an IP phone. Typically just one LAN cable runs from the desk or cubicle to the switch that carries data traffic from the computer and voice traffic from the IP phone. Voice access ports allow you to add a second VLAN to an access port on a switch for your voice traffic which is called the voice VLAN. In fact a voice access port is like a hybrid of an access port and a trunk port carrying some characteristics of each type, but it is still considered an access port that can be configured for both data and voice VLANs. So what we get is the ability to use the same physical interface and the same physical cable run for both data and voice traffic yet compartmentalizing each type of traffic in its own VLAN.