Understanding VLAN Port Configuration: Access Ports vs Trunk Ports in Network Switch Programming


In network switch configuration, ports are primarily categorized as either access ports or trunk ports. Access ports belong to a single VLAN and are typically used to connect end devices like workstations, servers, or printers. Trunk ports, conversely, carry traffic for multiple VLANs and are mainly used for inter-switch connections or switch-to-router links.

Here's how you'd configure each port type on a Cisco switch:

! Configure an access port (VLAN 10)
Switch(config)# interface gigabitethernet 1/0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# spanning-tree portfast

! Configure a trunk port
Switch(config)# interface gigabitethernet 1/0/24
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30

Access ports have these characteristics:

  • Operate on a single VLAN (untagged frames)
  • Typically connect end-user devices
  • Simpler configuration with less overhead

Trunk ports feature:

  • 802.1Q tagging for multiple VLANs
  • Native VLAN for untagged traffic
  • VLAN pruning capabilities

Access port scenario: In a corporate network, all workstations in the accounting department connect to access ports assigned to VLAN 10, while engineering workstations connect to access ports on VLAN 20.

Trunk port scenario: When connecting two switches in different buildings, trunk ports carry both VLAN 10 and VLAN 20 traffic between them while maintaining logical separation.

Misconfiguration can lead to VLAN hopping attacks. Always:

  • Set the native VLAN to an unused VLAN ID on trunks
  • Explicitly define allowed VLANs on trunk ports
  • Disable auto-negotiation of trunking (DTP) where possible

Use these commands to verify port configurations:

show interfaces switchport
show vlan brief
show interfaces trunk
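As an added example (not part of the original article), the following Python script applies the checklist above to the interface stanzas of a `show running-config` capture, so the verification step can be run unattended over many switches; the sample configuration, interface names and VLAN IDs are constructed values.

```python
# Added example, not from the original page: audit the interface stanzas of a
# Cisco IOS "show running-config" against the trunk-hardening checklist above.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/2
 switchport access vlan 20
!
interface GigabitEthernet1/0/23
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99
 switchport nonegotiate
!
"""

def parse_interfaces(running_config):
    """Return {interface name: [its indented lines]}; '!' ends a stanza."""
    stanzas, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas

def audit_port(lines):
    """Return findings for one interface; an empty list means it passes."""
    findings = []
    modes = [l.split()[2] for l in lines if l.startswith("switchport mode ")]
    mode = modes[0] if modes else "dynamic"  # Catalyst default: DTP dynamic
    if mode == "dynamic":
        findings.append("no fixed switchport mode; DTP can negotiate a trunk")
    elif "switchport nonegotiate" not in lines:
        findings.append("DTP still enabled; add 'switchport nonegotiate'")
    if mode == "trunk":
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append("trunk carries all VLANs; set an allowed list")
        native = [l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")]
        if (native[0] if native else "1") == "1":
            findings.append("native VLAN is 1; move it to an unused VLAN")
    return findings

def audit_running_config(running_config):
    # Only interfaces with at least one finding appear in the report.
    return {name: f for name, lines in parse_interfaces(running_config).items()
            if (f := audit_port(lines))}
```

Feed it the text returned by `show running-config` from your own collection tooling; the sample above yields findings for GigabitEthernet1/0/2 and 1/0/23 and none for the hardened trunk on 1/0/24.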

In Cisco IOS and other network operating systems, ports are configured differently based on their intended traffic handling:

! Example of basic port configuration in Cisco IOS
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

Access ports belong to a single VLAN and handle untagged traffic. Typical use cases include:

  • End-user devices (PCs, printers, IP phones)
  • Single-VLAN servers
  • Network edge devices

# Python example using netmiko to configure access port
from netmiko import ConnectHandler

device = {
    'device_type': 'cisco_ios',
    'host': '192.168.1.1',
    'username': 'admin',
    'password': 'secret'
}

commands = [
    'interface GigabitEthernet1/0/5',
    'switchport mode access',
    'switchport access vlan 20',
    'spanning-tree portfast'
]

with ConnectHandler(**device) as net_connect:
    output = net_connect.send_config_set(commands)
    print(output)

Trunk ports carry multiple VLANs using IEEE 802.1Q tagging. Key characteristics:

  • Uses VLAN tagging (dot1q)
  • Requires explicit VLAN permission lists
  • Native VLAN handles untagged traffic

# Ansible playbook for trunk port configuration
- name: Configure trunk port
  hosts: switches
  tasks:
    - name: Set trunk port parameters
      cisco.ios.ios_config:
        lines:
          - switchport trunk encapsulation dot1q
          - switchport mode trunk
          - switchport trunk allowed vlan 10,20,30-40
          - switchport trunk native vlan 99
        parents: interface GigabitEthernet1/0/24

When working with VLANs in network automation:

  1. Always configure a non-default native VLAN for security
  2. Use VLAN pruning to limit unnecessary traffic
  3. Implement port-security on access ports

// JavaScript example using node-ssh for VLAN management
const { NodeSSH } = require('node-ssh')

const ssh = new NodeSSH()

// The configuration lines are joined into one newline-separated command
// string; execCommand requires a string, not bare lines.
const vlanConfig = [
  'configure terminal',
  'interface range gi1/0/1-10',
  'switchport mode access',
  'switchport access vlan 100',
  'end'
].join('\n')

ssh.connect({
  host: 'switch1.example.com',
  username: 'admin',
  privateKey: '/path/to/key'
})
  .then(() => ssh.execCommand(vlanConfig))
  .then(result => {
    console.log(result.stdout)
    if (result.stderr) console.error(result.stderr)
  })
  .catch(err => console.error('SSH session failed:', err))
  .finally(() => ssh.dispose())

Use these show commands to verify configurations:

show interfaces trunk       # Verify trunking status
show vlan brief            # Check VLAN assignments
show interface switchport  # Detailed port configuration
show mac address-table     # Verify MAC learning

Remember that modern SDN solutions like Cisco ACI or VMware NSX handle these configurations differently through policy-based models.