Understanding switchport modes is fundamental to VLAN configuration on Cisco Catalyst switches. Each mode determines how a port handles frames, which VLANs are allowed on the port, and how the switch negotiates with neighboring devices. This article explains the four switchport modes and shows you when and why to use each one.
Switchport Modes Overview
A switchport can operate in one of four modes, each with a specific purpose:
- Access mode: Port handles traffic for a single VLAN only
- Trunk mode: Port handles traffic for multiple VLANs simultaneously
- Dynamic auto: Port negotiates with neighbor to become trunk or access
- Dynamic desirable: Port actively negotiates to become trunk if possible
Most production networks use only access and static trunk modes. The two dynamic modes negotiate with the Dynamic Trunking Protocol (DTP); dynamic auto is the factory default on most Catalyst platforms, so a port that has never been configured is already willing to negotiate, which is the security and operational problem described below.
Access Mode: Single VLAN per Port
Access mode is the simplest and most common switchport mode. An access port carries traffic for exactly one VLAN. All frames received on an access port are assumed to belong to that VLAN, and all frames transmitted on the port are untagged (no 802.1Q header):
ACC-SW1# configure terminal
ACC-SW1(config)# interface GigabitEthernet 1/0/1
ACC-SW1(config-if)# switchport mode access
ACC-SW1(config-if)# switchport access vlan 10
ACC-SW1(config-if)# description Users-Workstation-1
ACC-SW1(config-if)# no shutdown
ACC-SW1(config-if)# end
When the workstation sends an Ethernet frame into this port, the switch receives an untagged frame and associates it internally with VLAN 10. That VLAN membership decides which ports may receive the frame: only ports in VLAN 10. When the frame leaves through another access port in VLAN 10 it is sent untagged again; when it leaves through a trunk it is sent with an 802.1Q tag carrying VLAN 10 (unless VLAN 10 happens to be that trunk's native VLAN).
Access Mode Behavior with Tagged Frames
An access port belongs to exactly one VLAN, so 802.1Q frames tagged with any other VLAN are dropped on ingress. On most platforms a tag equal to the access VLAN, a priority tag with VLAN ID 0, or the configured voice VLAN is still accepted; everything else is discarded. This is a safety feature:
! A trunk link sends tagged frames. If an access port receives them,
! any frame tagged with a VLAN other than its own access VLAN is dropped.
ACC-SW1# show interfaces GigabitEthernet 1/0/1 switchport
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (Users)
Trunking Native Mode VLAN: 1 (default)
The "Trunking Native Mode VLAN" field is shown even in access mode. On a trunk it is the VLAN to which untagged received frames are assigned, and whose frames are sent untagged. On an access port it is informational only and does not affect forwarding.
Trunk Mode: Multiple VLANs per Port
Trunk mode allows a single physical link to carry traffic for multiple VLANs simultaneously. Each frame on the trunk is tagged with a 4-byte 802.1Q header identifying which VLAN it belongs to. Trunks are used between switches, not to end hosts (except in rare multi-VLAN scenarios):
ACC-SW1# configure terminal
ACC-SW1(config)# interface GigabitEthernet 1/0/23
ACC-SW1(config-if)# description Trunk-to-DIST-SW1
! On platforms that still support ISL, the encapsulation must be fixed to dot1q
! before 'switchport mode trunk' is accepted; on 802.1Q-only platforms the command does not exist.
ACC-SW1(config-if)# switchport trunk encapsulation dot1q
ACC-SW1(config-if)# switchport mode trunk
ACC-SW1(config-if)# switchport trunk allowed vlan 10,20,30,40,50,99
ACC-SW1(config-if)# switchport trunk native vlan 99
! Add 'switchport nonegotiate' here as well; see the DTP section below.
ACC-SW1(config-if)# no shutdown
ACC-SW1(config-if)# end
On a trunk, frames are always tagged with a VLAN ID except for frames in the native VLAN, which are transmitted untagged. This is a critical detail for troubleshooting.
Trunk Configuration Elements
switchport trunk encapsulation:
The encapsulation command selects the tagging protocol. Current Catalyst platforms, including the Catalyst 9000 series, support only 802.1Q (dot1q) and omit the command entirely; ISL (Inter-Switch Link), Cisco's proprietary alternative, is no longer supported there. On older platforms that support both, the default is to negotiate the encapsulation, and switchport mode trunk is rejected until the encapsulation is fixed, so enter this command first:
ACC-SW1(config-if)# switchport trunk encapsulation dot1q
switchport trunk allowed vlan:
This command restricts which VLANs may traverse the trunk. VLANs not in the list are simply not forwarded over it (this is independent of VTP pruning, which automatically withholds VLANs that have no members on the far side):
ACC-SW1(config-if)# switchport trunk allowed vlan 10,20,30,40,50,99
Only VLAN traffic in this list crosses the trunk link. This reduces bandwidth waste and prevents unintended VLAN communication.
switchport trunk native vlan:
The native VLAN is special on trunks: frames in the native VLAN are transmitted untagged (no 802.1Q header), and untagged frames received on the trunk are assigned to it. The mechanism exists for backward compatibility with devices that do not understand 802.1Q tags. On Catalyst switches the default native VLAN is VLAN 1, which is also the default VLAN of every port and the VLAN that carries control traffic such as CDP, VTP and DTP. Production networks move the native VLAN to an otherwise unused VLAN such as VLAN 99:
ACC-SW1(config-if)# switchport trunk native vlan 99
Why change the native VLAN? Because native-VLAN frames leave the trunk untagged, a frame that carries two 802.1Q tags and is classified into the native VLAN by the first switch loses only its outer tag on the trunk; the second switch reads the inner tag and delivers the frame into whatever VLAN that tag names (VLAN hopping by double tagging). The attack depends on the attacker's access port being in the same VLAN as the trunk's native VLAN, so the defence has two parts: choose a native VLAN (99 in our topology) that no access port uses, and configure the same value on both ends of every trunk (CDP logs a native VLAN mismatch otherwise, and a mismatch merges two VLANs). Where the platform supports it, the global command vlan dot1q tag native tags native-VLAN frames on all trunks as well, so nothing crosses a trunk untagged.
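To make the tagging rules above concrete, here is an added Python model (not code from this article or from Cisco) of ingress classification and egress encapsulation on access and trunk ports, used to show why the native VLAN must be one that no access port uses. It is a simulation of the forwarding rules, not a packet generator. The frame bytes, the allowed-VLAN set, the AccessPort, TrunkPort, double_tag and host_to_host names, and the assumption that an access port accepts a frame tagged with its own VLAN are all constructed for the example; tag_native models the vlan dot1q tag native option.

```python
"""Model of 802.1Q handling on access and trunk ports (added example, not from the article).

Implements the rules described above: access ports send and expect untagged
frames; trunks tag every VLAN except the native VLAN. Then it shows why the
native VLAN must be one that no access port uses.

Assumptions (simplified from real hardware): an access port accepts an untagged
frame or one tagged with its own VLAN and drops any other tag; `tag_native`
models `vlan dot1q tag native`, under which native-VLAN frames are tagged on
the trunk and untagged frames received on the trunk are dropped.
"""
import struct

TPID = 0x8100   # 802.1Q Tag Protocol Identifier
MAC_HDR = 12    # destination + source MAC; the tag sits right after them


def parse_tag(frame: bytes):
    """Return (vid, frame_with_that_tag_removed) if tagged, else (None, frame)."""
    if len(frame) >= MAC_HDR + 4 and struct.unpack("!H", frame[12:14])[0] == TPID:
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, frame[:MAC_HDR] + frame[MAC_HDR + 4:]
    return None, frame


def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert a 4-byte 802.1Q header (PCP 0, DEI 0, given VID) after the MACs."""
    return frame[:MAC_HDR] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[MAC_HDR:]


class AccessPort:
    def __init__(self, vlan: int):
        self.vlan = vlan

    def ingress(self, frame: bytes):
        vid, rest = parse_tag(frame)
        if vid is None:
            return self.vlan, frame        # untagged -> access VLAN
        if vid == self.vlan:
            return self.vlan, rest         # tag equal to the access VLAN: accepted (assumption)
        return None, None                  # tagged with anything else: dropped

    def egress(self, vlan: int, frame: bytes):
        return frame if vlan == self.vlan else None   # always leaves untagged


class TrunkPort:
    def __init__(self, allowed, native: int, tag_native: bool = False):
        self.allowed, self.native, self.tag_native = set(allowed), native, tag_native

    def ingress(self, frame: bytes):
        vid, rest = parse_tag(frame)
        if vid is None:                    # untagged -> native VLAN
            if self.tag_native or self.native not in self.allowed:
                return None, None
            return self.native, frame
        return (vid, rest) if vid in self.allowed else (None, None)

    def egress(self, vlan: int, frame: bytes):
        if vlan not in self.allowed:
            return None
        if vlan == self.native and not self.tag_native:
            return frame                   # native VLAN leaves the trunk untagged
        return add_tag(frame, vlan)


def forward(in_port, out_port, frame: bytes):
    """One switch hop: classify on ingress, encapsulate on egress."""
    vlan, payload = in_port.ingress(frame)
    if vlan is None:
        return None, None
    out = out_port.egress(vlan, payload)
    return (vlan, out) if out is not None else (None, None)


ALLOWED = {1, 10, 20, 30, 40, 50, 99}
# Constructed frame: broadcast dst, locally administered src, EtherType 0x0806, zero payload.
BASE = bytes.fromhex("ffffffffffff" "02000000aa01") + b"\x08\x06" + b"\x00" * 28


def double_tag(access_vlan, outer, inner, native, tag_native=False):
    """Attacker on an access port in `access_vlan` sends a frame carrying two 802.1Q
    tags (outer, then inner) into switch 1; switch 1 forwards it over the trunk to
    switch 2. Returns the VLAN switch 2 classifies the frame into, or None if dropped."""
    frame = add_tag(add_tag(BASE, inner), outer)      # the tag added last is outermost
    vlan, wire = forward(AccessPort(access_vlan), TrunkPort(ALLOWED, native, tag_native), frame)
    if vlan is None:
        return None
    vlan2, _ = TrunkPort(ALLOWED, native, tag_native).ingress(wire)
    return vlan2


def host_to_host(vlan, native):
    """Ordinary untagged traffic between two hosts in `vlan` across the trunk."""
    v1, wire = forward(AccessPort(vlan), TrunkPort(ALLOWED, native), BASE)
    if wire is None:
        return None, None
    return forward(TrunkPort(ALLOWED, native), AccessPort(vlan), wire)


if __name__ == "__main__":
    print("native 1, attacker in VLAN 1, inner tag 20 ->", double_tag(1, 1, 20, native=1))
    print("native 99, attacker in VLAN 10, inner tag 20 ->", double_tag(10, 10, 20, native=99))
    print("native 1 but 'tag native' enabled ->", double_tag(1, 1, 20, 1, tag_native=True))
```

With native VLAN 1 and the attacker on an access port in VLAN 1, the double-tagged frame reaches switch 2 carrying only the inner tag and is delivered into VLAN 20. With the native VLAN moved to 99 and no access port in it, the same frame is either dropped on ingress (outer tag 99 on a VLAN 10 port) or carried tagged as VLAN 10, so it never leaves the attacker's own VLAN. Tagging the native VLAN closes the hole even when the native VLAN is still 1.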
Verifying Trunk Configuration
The show interfaces trunk command displays trunk-specific information:
ACC-SW1# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/23    on           802.1q         trunking      99
Port        Vlans allowed on trunk
Gi1/0/23    10,20,30,40,50,99
Port        Vlans allowed and active in management domain
Gi1/0/23    10,20,30,40,50,99
Port        Vlans in spanning-tree forwarding state and not pruned
Gi1/0/23    10,20,30,40,50,99
Each line provides specific information:
- Mode on: The port is in trunk mode
- Encapsulation 802.1q: Uses 802.1Q tagging
- Status trunking: The link is up and operational
- Native vlan 99: Untagged frames belong to VLAN 99
- Vlans allowed: Which VLANs are permitted on the trunk
- Vlans allowed and active: Which allowed VLANs actually exist on the switch
- Vlans in spanning-tree forwarding state: Which VLANs are not blocked by Spanning Tree Protocol
Dynamic Trunking Protocol (DTP): Negotiation Fundamentals
Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol that lets two directly connected switches negotiate whether their link becomes a trunk or stays an access link. Two switchport modes put a port into negotiation, and switchport nonegotiate (covered below) turns negotiation off:
switchport mode dynamic auto
A port in dynamic auto mode will become a trunk only if the neighboring port is configured as:
- switchport mode trunk
- switchport mode dynamic desirable
Dynamic auto never initiates negotiation; it only answers. Otherwise, it remains in access mode:
ACC-SW1# configure terminal
ACC-SW1(config)# interface GigabitEthernet 1/0/24
ACC-SW1(config-if)# switchport mode dynamic auto
ACC-SW1(config-if)# end
! If Gi1/0/24 on ACC-SW1 connects to Gi1/0/23 on DIST-SW1
! and Gi1/0/23 is configured with 'switchport mode trunk' (and is
! still sending DTP, i.e. without 'switchport nonegotiate'),
! the link will become a trunk.
switchport mode dynamic desirable
A port in dynamic desirable mode actively negotiates to become a trunk. It will become a trunk if the neighbor is:
- switchport mode trunk
- switchport mode dynamic auto
- switchport mode dynamic desirable
ACC-SW1# configure terminal
ACC-SW1(config)# interface GigabitEthernet 1/0/24
ACC-SW1(config-if)# switchport mode dynamic desirable
ACC-SW1(config-if)# end
Negotiation Matrix
| Local Config | Remote is trunk | Remote is auto | Remote is desirable | Remote is access |
|---|---|---|---|---|
| trunk | trunk | trunk | trunk | mismatch |
| dynamic auto | trunk | access | trunk | access |
| dynamic desirable | trunk | trunk | trunk | access |
| access | mismatch | access | access | access |
A trunk/access combination is a misconfiguration, not a negotiated result: the trunk end keeps trunking and the access end treats every frame as belonging to its access VLAN, so at most one VLAN works across the link. Note also that switchport nonegotiate stops the trunk end from sending DTP frames, so a dynamic auto or dynamic desirable neighbor then stays in access mode; once DTP is disabled, both ends of a trunk must be configured explicitly.
Why Static Configuration is Best Practice
Although DTP allows automatic negotiation, best practice in production networks is to turn it off and configure trunks statically:
! Disable DTP on a specific port (accepted only when the port is in access or trunk mode)
ACC-SW1(config)# interface GigabitEthernet 1/0/23
ACC-SW1(config-if)# switchport nonegotiate
ACC-SW1(config-if)# end
! Catalyst IOS/IOS-XE has no global command that disables DTP; apply it per port.
! Host-facing ports: static access mode plus nonegotiate, so they never send DTP frames either.
ACC-SW1(config)# interface range GigabitEthernet 1/0/1 - 22
ACC-SW1(config-if-range)# switchport mode access
ACC-SW1(config-if-range)# switchport nonegotiate
ACC-SW1(config-if-range)# end
Reasons to avoid DTP:
- Unpredictable behavior: A misconfiguration on one switch can cause an entire link to change modes unexpectedly
- Security risk: A host plugged into a port that is still in a dynamic mode (the default) can send crafted DTP frames claiming to be a switch, and the port will form a trunk with it; the host then sees every VLAN allowed on that trunk (switch spoofing)
- Operational clarity: Static configurations are visible in running-config and are easier to audit
- Troubleshooting simplicity: A link is either a trunk or access by explicit configuration, not by negotiation outcome
- No benefit: Modern networks use orchestration and infrastructure-as-code; automatic negotiation provides no operational value
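Static configuration is only easier to audit if someone actually audits it. The following added Python script (not part of the article and not a Cisco tool) parses show interfaces switchport output and flags ports that still negotiate, trunks that keep native VLAN 1, and trunks that allow every VLAN. SAMPLE is constructed text in the field layout Catalyst IOS prints, trimmed to the fields the script reads; the finding codes and the parse_switchport, vlan_id and audit names are this example's own.

```python
"""Audit 'show interfaces switchport' output for negotiation and native-VLAN weaknesses.

Added example, not from the article. SAMPLE is constructed text in the field
layout Catalyst IOS prints (only the fields this script reads are included);
in practice, paste in real output. The finding codes are this script's own.
"""
import re

SAMPLE = """\
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Users)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL

Name: Gi1/0/23
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (Native)
Trunking VLANs Enabled: 10,20,30,40,50,99

Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
"""

FIELD = re.compile(r"^([A-Za-z ]+): (.*)$")


def parse_switchport(text: str):
    """Split the output into one dict per interface, keyed by the field names IOS prints."""
    ports, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Name":
            cur = {"Name": val}
            ports.append(cur)
        elif cur is not None:
            cur[key] = val
    return ports


def vlan_id(field: str) -> int:
    """'1 (default)' -> 1"""
    return int(field.split()[0])


def audit(text: str):
    """Return (interface, code, advice) tuples for each weakness found."""
    findings = []
    for p in parse_switchport(text):
        name = p["Name"]
        admin = p.get("Administrative Mode", "")
        oper = p.get("Operational Mode", "")
        if admin.startswith("dynamic"):
            findings.append((name, "DTP_DYNAMIC",
                             f"administrative mode is '{admin}'; set switchport mode access or trunk"))
        elif p.get("Negotiation of Trunking") == "On":
            findings.append((name, "DTP_ENABLED",
                             "port still sends DTP frames; add switchport nonegotiate"))
        if oper == "trunk":
            if vlan_id(p.get("Trunking Native Mode VLAN", "1")) == 1:
                findings.append((name, "NATIVE_VLAN_1",
                                 "native VLAN is 1; move it to an unused VLAN"))
            if p.get("Trunking VLANs Enabled", "ALL").upper() == "ALL":
                findings.append((name, "ALLOWED_ALL",
                                 "trunk allows every VLAN; restrict with switchport trunk allowed vlan"))
    return findings


if __name__ == "__main__":
    for iface, code, advice in audit(SAMPLE):
        print(f"{iface:10} {code:14} {advice}")
```

On the sample, Gi1/0/2 is flagged for sitting in the default dynamic auto mode, and Gi1/0/24 is flagged three times: it is a trunk that still negotiates, keeps native VLAN 1, and allows every VLAN. Gi1/0/1 and Gi1/0/23 match the hardened configuration from this article and produce no findings.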
Access vs. Trunk: Decision Tree
Use this decision tree to determine the correct switchport mode:
Is this link connecting to an end host (server, workstation, IP phone, printer)?
- Yes → Use switchport mode access + switchport access vlan <id>. An IP phone with a PC behind it is still an access port; add switchport voice vlan <id> for the phone's tagged voice traffic rather than making the port a trunk
- No → Continue
Is this link connecting to another switch?
- Yes, and multiple VLANs need to cross the link → Use switchport mode trunk + switchport nonegotiate
- Yes, and only one VLAN needs to cross → Use switchport mode access (unusual but valid)
- No → Use access mode, unless the device tags its own traffic (a hypervisor uplink, for example), in which case treat it like a switch: a static trunk restricted to the VLANs it needs
Verification and Troubleshooting
Symptom: Link should be trunk but is in access mode
Cause: The port was configured with switchport mode access or with dynamic modes that resulted in access mode negotiation.
Fix: Explicitly configure the port as trunk:
ACC-SW1# configure terminal
ACC-SW1(config)# interface GigabitEthernet 1/0/23
ACC-SW1(config-if)# switchport mode trunk
ACC-SW1(config-if)# switchport nonegotiate
ACC-SW1(config-if)# end
ACC-SW1# show interfaces GigabitEthernet 1/0/23 switchport | include Mode|Negotiation
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
Symptom: Unexpected frames or lost connectivity on a switch-to-switch link
Cause: A mode mismatch (one end is a trunk sending tagged frames, the other is still an access port and drops them), or the two ends of a trunk disagree on the native VLAN, so untagged frames are placed in a different VLAN on each side. CDP reports the second case as a native VLAN mismatch.
Fix: Verify that both ends are in the same mode and use the same native VLAN:
ACC-SW1# show interfaces GigabitEthernet 1/0/23 switchport | include Mode|Native
Administrative Mode: static access
Operational Mode: static access
Trunking Native Mode VLAN: 1 (default)
! If this should be a trunk, reconfigure it and check the far end the same way
ACC-SW1# configure terminal
ACC-SW1(config)# interface GigabitEthernet 1/0/23
ACC-SW1(config-if)# switchport mode trunk
ACC-SW1(config-if)# switchport trunk native vlan 99
ACC-SW1(config-if)# switchport nonegotiate
ACC-SW1(config-if)# end
Symptom: DTP negotiation unstable (link flaps between trunk and access)
Cause: DTP is enabled on at least one end and the outcome keeps changing, typically because one end is reconfigured, replaced, or moved while the other is left in a dynamic mode.
Fix: Turn DTP off with switchport nonegotiate and configure a static trunk on both ends of every switch-to-switch link (Catalyst IOS/IOS-XE has no global command for this; apply it per interface):
! On both switches, on every inter-switch link
! Then explicitly configure trunks
ACC-SW1(config)# interface GigabitEthernet 1/0/23
ACC-SW1(config-if)# switchport mode trunk
ACC-SW1(config-if)# switchport trunk allowed vlan 10,20,30,40,50,99
ACC-SW1(config-if)# switchport trunk native vlan 99
ACC-SW1(config-if)# switchport nonegotiate
ACC-SW1(config-if)# end
Key Takeaways
- Access mode is for end hosts; each port carries one VLAN without 802.1Q tagging
- Trunk mode carries multiple VLANs on a single link using 802.1Q tagging
- Dynamic modes (auto/desirable) use DTP to negotiate but are rarely used in production due to complexity and security concerns
- Always use switchport nonegotiate with trunk mode to disable DTP and prevent unexpected mode changes
- Change the native VLAN from the default (VLAN 1) to an unused VLAN (like VLAN 99) for security
- Verify switchport configuration with show interfaces switchport (for access ports) and show interfaces trunk (for trunks)