If you’re just getting into networking, one of the first switch concepts you’ll run into is the difference between access ports and trunk ports. At first glance, they both just look like Ethernet ports on a switch, but they serve very different purposes.
SW1#sh int status
Port      Name   Status       Vlan    Duplex  Speed   Type
Gi1/0/1          notconnect   305     auto    auto    10/100/1000BaseTX
Gi1/0/2          connected    trunk   a-full  a-1000  10/100/1000BaseTX
What is an access port?
An access port is the type of switch port you’ll most commonly see connected to field devices like computers, printers, or phones. In most cases, an access port only carries traffic for a single VLAN. For example, if you plug your computer into a port assigned to VLAN 10, all of your traffic will belong to VLAN 10 while connected to that port. The switch handles the VLAN tagging internally, so the end device usually has no idea VLANs even exist. That simplicity is exactly why access ports are commonly used for user-facing devices.
One thing that sometimes throws newer engineers off is voice VLANs. Phones are a very common exception to the “one VLAN” rule. A switchport can have a regular access VLAN for the attached computer and a separate voice VLAN for the IP phone traffic. Even then, those VLANs are usually predefined and tightly controlled by the switch configuration. The phone understands how to tag its voice traffic while the connected computer continues operating normally on the standard access VLAN. This setup helps keep voice traffic separated and prioritized without complicating things for the user.
An example of an access port configuration on Cisco:
interface GigabitEthernet1/0/1
 desc User Port
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 30
What is a trunk port?
Trunk ports work very differently. Instead of carrying traffic for just one VLAN, trunk ports are designed to carry multiple VLANs across a single connection. Think of it like a multi-lane highway instead of a single-lane road. With trunk ports, the connected device usually adds VLAN tags to frames so the receiving device knows which VLAN each piece of traffic belongs to. Trunks are what make it possible for VLANs to extend between switches, access points, or firewalls without needing a separate physical cable for every VLAN.
You’ll typically see trunk ports used for switch uplinks, virtualization hosts, servers, wireless access points, firewalls, and other infrastructure devices. Wireless access points are a great example because they often need to carry several VLANs at once. Maybe one VLAN is for employee Wi-Fi, another is for guest wireless, and another is for IoT devices. Instead of running multiple cables to the AP, a single trunk port can transport all of those VLANs together. The same idea applies to servers running virtualization platforms where multiple networks may need to exist on a single physical interface.
An example of a trunk port configuration:
interface GigabitEthernet1/0/2
 desc Access Point
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
Another important trunk port concept is the native VLAN. The native VLAN is the VLAN that untagged traffic gets placed into when a frame arrives on the trunk without a VLAN tag. By default, many switches use VLAN 1 as the native VLAN, although in production environments it’s very common to change that for security and design reasons. Some environments place the untagged traffic on a standard data VLAN, while others place it on a black hole VLAN, one that doesn’t exist, which essentially stops the packet. Understanding native VLANs becomes especially important when troubleshooting trunk mismatches between switches, because if the native VLANs on the two ends don’t match, strange connectivity issues can happen that are sometimes difficult to track down.
By default, some switch vendors allow all VLANs across a trunk, but you can also restrict which VLANs are allowed. This is a really common best practice in enterprise environments. Instead of allowing every VLAN everywhere, you can define an allowed VLAN list and only permit the VLANs that device actually needs. It keeps configurations cleaner, improves security, and can help reduce unnecessary broadcast traffic flowing through the network.
An example of all VLANs being allowed on the port:
interface GigabitEthernet1/0/2
 desc Access Point
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan all
An example of certain VLANs being allowed:
interface GigabitEthernet1/0/2
 desc Access Point
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
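An added example, not from the original post: a small Python audit that applies the native VLAN and allowed-VLAN recommendations above to a config written in the syntax shown on this page. The sample config and the `NEEDED` inventory are constructed, and the script assumes a trunk with no native or allowed-VLAN line falls back to VLAN 1 and to allowing all VLANs.

```python
import re

# Constructed sample config (not from a real device), in the page's style.
SAMPLE = """\
interface GigabitEthernet1/0/1
 switchport mode access
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30-32
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk allowed vlan all
"""
# Hypothetical inventory: the VLANs each trunked device actually needs.
NEEDED = {"GigabitEthernet1/0/2": {10, 20, 30}}

def parse_interfaces(config):
    """Map each interface name to the indented commands beneath it."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None
    return stanzas

def expand(spec):
    """Expand a VLAN list such as '10,20,30-32' into a set of ints."""
    ranges = (part.partition("-") for part in spec.split(","))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def audit_trunks(config, needed):
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" not in cmds:
            continue  # access ports are not trunks; nothing to check here
        text = "\n".join(cmds)
        native = re.search(r"^switchport trunk native vlan (\d+)$", text, re.M)
        allowed = re.search(r"^switchport trunk allowed vlan ([\d,-]+)$", text, re.M)
        if native is None or native.group(1) == "1":  # assumed default: VLAN 1
            findings.append((name, "native VLAN is the default, VLAN 1"))
        if allowed is None:  # no list configured, or 'allowed vlan all'
            findings.append((name, "all VLANs allowed"))
        elif extra := expand(allowed.group(1)) - needed.get(name, set()):
            findings.append((name, f"allowed but not needed: {sorted(extra)}"))
    return findings
```

Calling `audit_trunks(SAMPLE, NEEDED)` returns one `(interface, finding)` pair per problem, so an empty list means every trunk has an explicit native VLAN and a minimal allowed list.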
Summary
At the end of the day, the easiest way I explain it is this:
- access ports are usually for end-user devices
- trunk ports are usually for infrastructure
Access ports keep things simple by carrying one primary VLAN, while trunk ports are built to move many VLANs between networking devices. Once you start thinking about VLANs as separate lanes of traffic, the distinction between access and trunk ports becomes a lot easier to visualize — and honestly, it’s one of those foundational concepts that you’ll use constantly throughout a networking career.