In this topic, I will talk about switch access ports and VLAN tagging on a trunk port.
Access ports are configured when only a single VLAN is allowed through a switch port. Trunk links are used to pass multiple VLANs over a single physical connection. VLANs keep traffic from different networks separate while it traverses shared links. Marking each frame with the VLAN it belongs to, so that several VLANs can share the same physical trunk link, is known as VLAN tagging.
Common Terms
VLAN – Virtual Local Area Network, a logical identifier for isolating a network
TRUNK – A port enabled for passing multiple VLANs (VLAN tagging)
ACCESS – A port that does not tag and only accepts a single VLAN
ENCAPSULATION – The process of modifying data frames to include additional information
802.1Q – The most common encapsulation method for VLAN tagging.
Native VLAN – The VLAN associated with all untagged traffic on a trunk.
Switch port modes:
switchport mode access | Puts the interface (access port) into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The interface becomes a nontrunk interface regardless of whether the neighboring interface is a trunk interface. This is the default mode.
switchport mode trunk | Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk link. The interface becomes a trunk interface even if the neighboring interface is not a trunk interface.
switchport mode dot1q-tunnel | Configures the interface as a tunnel (nontrunking) port to be connected in an asymmetric link with an 802.1Q trunk port. 802.1Q tunneling is used to maintain customer VLAN integrity across a service provider network.
switchport mode private-vlan | Configures the interface as a private VLAN host or promiscuous port (only NNIs can be configured as promiscuous ports). For information about private VLANs,
- VLAN-enabled ports are generally categorized in one of two ways: tagged (trunk) or untagged (access). Trunks are mostly used to link switches and carry traffic for multiple VLANs, while access ports link to end devices that only need one VLAN.
- Trunk ports need additional parameters to successfully negotiate as a trunk. Both ends of the link must have the following in common:
  - Encapsulation
  - Allowed VLANs
  - Native VLAN
Trunk link configuration to load share between two links (each trunk is given a better spanning-tree port priority for a different range of VLANs, so each VLAN group prefers a different link):
Switch# configure terminal
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# port-type nni
Switch(config-if)# switchport mode trunk
Switch(config-if)# spanning-tree vlan 8-10 port-priority 16
Switch(config-if)# end
Switch# show interfaces gigabitethernet 0/1 switchport
Switch# configure terminal
Switch(config)# interface gigabitethernet 0/2
Switch(config-if)# port-type nni
Switch(config-if)# switchport mode trunk
Switch(config-if)# spanning-tree vlan 3-6 port-priority 16
Switch(config-if)# end
Switch# show interfaces gigabitethernet 0/2 switchport
Native VLAN on a Trunk Link
Mismatched native VLANs on opposite sides of a trunk can inadvertently let frames cross from one VLAN into another, a condition known as “VLAN hopping”. VLAN hopping is also a deliberate attack technique used to reach network segments that should be unreachable, so a native VLAN mismatch is an open security risk; the native VLAN must be identical on both ends of every trunk.
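To make the trunk agreement list above and the native VLAN mismatch concrete, here is an added Python model (example code, not part of the original post or of any switch vendor's software): it parses the 802.1Q tag of a constructed frame, classifies the frame the way a simplified switch would on an access or trunk port, and flags trunk ends that disagree on native or allowed VLANs. The MAC addresses, port objects and VLAN numbers are constructed assumptions.

```python
import struct
from dataclasses import dataclass
TPID_8021Q = 0x8100  # 802.1Q Tag Protocol Identifier (sits in the EtherType position)
ALL_VLANS = frozenset(range(1, 4095))

@dataclass
class Port:
    mode: str                 # "access" or "trunk"
    access_vlan: int = 1      # VLAN an access port belongs to
    native_vlan: int = 1      # VLAN for untagged frames on a trunk
    allowed_vlans: frozenset = ALL_VLANS

def build_frame(vlan=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed Ethernet frame (placeholder MACs); 802.1Q-tagged if vlan is set."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200c0ffee01")
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)  # PCP/DEI = 0
    return hdr + struct.pack("!H", ethertype) + payload

def parse_vlan(frame):
    """VLAN ID from the 802.1Q tag, or None if the frame is untagged."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID

def classify_ingress(port, frame):
    """VLAN the receiving switch assigns to the frame, or None if discarded.
    Simplified model: an access port accepts untagged frames only."""
    vid = parse_vlan(frame)
    if port.mode == "access":
        return port.access_vlan if vid is None else None
    if vid is None:
        vid = port.native_vlan   # untagged on a trunk -> native VLAN
    return vid if vid in port.allowed_vlans else None

def trunk_mismatches(a, b):
    """Trunk parameters the two ends disagree on (encapsulation is fixed to 802.1Q here)."""
    issues = []
    if a.native_vlan != b.native_vlan:
        issues.append("native VLAN")
    if a.allowed_vlans != b.allowed_vlans:
        issues.append("allowed VLANs")
    return issues

# Constructed scenario: SW1's trunk end uses native VLAN 1, SW2's uses native VLAN 10.
SW1 = Port("trunk", native_vlan=1)
SW2 = Port("trunk", native_vlan=10)
# A VLAN 1 frame leaves SW1 untagged; SW2 classifies it into VLAN 10, so it crossed VLANs.
```

Running `classify_ingress(SW2, build_frame())` returns 10 and `trunk_mismatches(SW1, SW2)` returns `['native VLAN']`, which is the check to run against both ends of a trunk before trusting it.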