[ CCNA · DOMAIN 2 · SWITCHING · PLAIN-ENGLISH ANSWER ]
ACCESS PORT vs TRUNK PORT_
One carries a single VLAN to an end device; the other carries many VLANs between switches. Here's the difference and when to use each.
[ ▶ SHORT ANSWER ]
An access port belongs to exactly one VLAN and sends/receives untagged frames — it's used for end devices like PCs, printers, and access points. A trunk port carries traffic for many VLANs at once and tags each frame with its VLAN ID using IEEE 802.1Q — it's used for links between switches, or between a switch and a router. The key difference: access = one VLAN, untagged, to a host; trunk = many VLANs, 802.1Q-tagged, between network devices.
Every switch port operates in one of two main modes: access or trunk. Picking the wrong one is one of the most common reasons a lab "won't work."
Access ports
An access port is a member of one VLAN. Frames leave it untagged — the end device (a PC, printer, IP phone, or access point) has no idea VLANs even exist. You use access ports for the edge of the network, where hosts plug in.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Trunk ports
A trunk port carries many VLANs over a single link. To keep them separate, the switch tags each frame with its VLAN ID using the 802.1Q standard. Trunks connect switches to other switches, or a switch to a router (for inter-VLAN routing).
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
The native VLAN
One VLAN on every trunk is the native VLAN (VLAN 1 by default), and its frames cross the trunk untagged. Both ends of a trunk must agree on the native VLAN or CDP will flag a "native VLAN mismatch." This is a classic exam gotcha.
Quick comparison
Access: one VLAN · untagged · to end devices · switchport mode access.
Trunk: many VLANs · 802.1Q tagged (except native) · between switches/routers · switchport mode trunk.
★ RELATED QUESTIONS
[ What is 802.1Q? ]
IEEE 802.1Q is the standard for VLAN tagging on a trunk. It inserts a 4-byte tag into the Ethernet frame containing the VLAN ID, so the receiving switch knows which VLAN the frame belongs to.
[ What is the native VLAN? ]
The native VLAN is the one VLAN whose frames cross a trunk untagged. It defaults to VLAN 1. Both ends of the trunk must use the same native VLAN, or you'll get a mismatch warning and potential traffic leaks.
[ Can a port be both access and trunk? ]
No — a port is either an access port (one VLAN) or a trunk (many VLANs) at a time. Dynamic modes (dynamic auto/desirable via DTP) can negotiate which one, but the resulting operational mode is still one or the other.
★ READ NEXT
[ ▶ RELATED PLAIN-ENGLISH ANSWERS ]
[ ★ PRACTICE IT, DON'T JUST READ IT ]
Concepts stick when you drill them. Run
today's Daily CCNA Drill to build a streak, or jump straight into the related labs and tools: