Differences Between Access ports and Trunk ports
A switch port can work in two modes: access mode and trunk mode. In access mode, it removes vlan information from frames before forwarding them. In trunk mode, it forwards them with the vlan information. Based on the configured mode, it is known as either an access port or a trunk port. If configured in access mode, it is called an access port. If configured in trunk mode, it is known as a trunk port.
Broadcast and VLANs
A broadcast is a Layer 3 message that reaches all devices within the local segment. Various network functions rely on broadcast messages. End devices generate many broadcast messages every minute. Broadcast messages consume a significant portion of network bandwidth, as all devices on the local segment receive them regardless of relevance.
To limit broadcast traffic, networks are divided into subnets. Each subnet has a different broadcast address. Since each subnet has a separate broadcast address, broadcasts generated in one subnet do not reach another subnet.
Subnets are defined using Layer 3 addresses. Switches operate in Layer 2. They do not understand Layer 3 addresses. Since they do not understand Layer 3 addresses, they forward broadcast messages from all ports. This default behaviour wipes out the advantages of using subnets. To deal with such a situation, switches support a feature called VLANs.
VLANs workflow
- Create the necessary VLANs using a unique VLAN ID for each VLAN.
- Add switchports to VLANs.
- Use the same VLAN ID on all switchports that belong to the same subnet.
Controlling broadcasts
A switch forwards broadcast messages only from the ports that belong to the same VLAN ID. For example, a switch has two VLANs. When it receives a broadcast message, it forwards the message only from ports that belong to the VLAN of the incoming frame.
VLANs on multiple switches
Switches do not forward frames with VAN information on access ports. If you have the same VLANs across multiple switches, you need to set all connecting ports to trunk mode. Switches forward frames with VLAN information only on trunk ports. Changing all connecting ports to trunk enables communication between devices that belong to the same VLAN but are attached to different switches. If you do not change connecting ports into trunk ports, only devices that belong to VLANs configured on the connecting port will be able to communicate across the switches. In this case, you need to create connections equal to the number of configured VLANs on the switches, and configure a connection for each VLAN.
Let us take an example.
A network has two switches (S1 and S2) and two VLANs (V10 and V20). On both switches, V10 is configured on port 1, and V20 is configured on port 6. If you use access ports to connect these switches, you need two connections, one in each VLAN.
In this setup, switches do not modify frames. They remain in their original state throughout the path. For instance, suppose PC1 sends a frame to PC3. The frame reaches S1 on port1. Port1 belongs to V10. S1 forwards this frame from all ports in VLAN V10. Port 7 connects S1 to S2. It belongs to V10. S1 forwards this frame from Port 7. The frame reaches S2 on port 7. Port 7 on S2 belongs to V10. S2 forwards this frame from all ports in VLAN V10. Port 1 belongs to V10. S1 forwards this frame from Port 1. Port 1 connects to PC3. The frame reaches PC3.
Alternatively, you can use a single connection and change its mode to trunk. If you use a port in its trunk mode, the switch adds VLAN information to all outgoing frames and removes it from all incoming frames. In this setup, switches modify frames to exchange VLAN information. However, end devices receive frames in their original states.
For example, suppose PC1 sends a frame to PC3. The frame reaches S1 on port1. Port1 belongs to V10. S1 forwards this frame from all ports in VLAN V10. If any port is configured as a trunk port, it also forwards this frame from this port. However, it adds VLAN information to the frame before forwarding it from the trunk port.
S2 receives the modified frame on the trunk port. It reads the VLAN information and learns that it belongs to V10.
It removes VLAN information from the frame and forwards it from all ports that belong to V10. Port 1 belongs to V10. S1 forwards this frame from Port 1. Port 1 connects to PC3. The frame reaches PC3. Since S2 has removed VLAN information from the frame, PC3 receives it in its original state.
Differences between access ports and trunk ports
The following table lists the differences between access ports and trunk ports.
| An access port belongs to only one VLAN. | A trunk port belongs to all VLANs. |
| An access port forwards the frame in its original format. | A trunk port forwards the frame after adding the VLAN header. |
| An access port connects an end device to the network. | A trunk port extends the network. |
| By default, all switch ports are access ports. | By default, no switch port is a trunk port. |
Conclusion
An Ethernet switch port can operate in either access or trunk mode. In access mode, the port connects an end device to the network and functions within a single VLAN. In trunk mode, the port connects a switch or router to the network and supports all VLANs. End devices do not understand VLAN information. If an end device is connected to a trunk port, it receives frames containing VLAN information. Since it does not interpret frames with VLAN information, it discards them. End devices accept frames only when received in their original formats, which are forwarded by access ports. Therefore, end devices should be connected exclusively to access ports. Trunk ports are used to connect switch ports to other switches or routers.
By ComputerNetworkingNotes Updated on 2026-01-21