When you get into VLANs, you immediately run into two terms: access port and trunk port. Without them you cannot set up VLANs correctly. Let us explain clearly what they mean, how tagging works and when to use which port. If you do not yet know what a VLAN is, start with the article on separating a network with VLANs.

In brief: what a VLAN is

A VLAN is a virtual network that creates several separate logical networks on one physical switch, networks that do not see each other. For this to work, the switch must know which port belongs to which VLAN and how to carry several VLANs over one cable. That is exactly what access and trunk ports are for.

Access port

An access port belongs to a single VLAN. An end device connects to it, for example a computer, camera, printer or IP phone. The device knows nothing of any VLAN: it receives ordinary, untagged data and behaves as if it were on a normal network. So an access port is the “front door” for one device into one VLAN.

Trunk port

A trunk port carries several VLANs at once over one cable. It is used to connect switches to each other or a switch to a router or access point. So that the switch on the other side knows which data belongs to which VLAN, the trunk tags each frame with the VLAN number. Thanks to this, one cable between two switches carries, for example, tills, cameras and guests, and each stays in its own VLAN.

802.1Q tagging

Frame tagging is defined by a standard called 802.1Q. It works simply: when a frame enters the trunk, the switch adds a small tag with the VLAN number. When the frame exits through an access port to an end device, the tag is removed, so the device gets clean data. There is also a so-called native VLAN, which stays untagged on the trunk.
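The tag-on-trunk, strip-on-access behaviour described above, as an added example that is not part of the original article. The VLAN numbers (10, 20, 30), native VLAN 1, the sample frame and all function names are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
NATIVE_VLAN = 1       # assumption: the VLAN this trunk leaves untagged

def trunk_egress(frame: bytes, vlan: int, native: int = NATIVE_VLAN) -> bytes:
    """Frame leaves on a trunk: insert a tag unless it is in the native VLAN."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if vlan == native:
        return frame
    tci = vlan & 0x0FFF  # priority (PCP) and DEI bits left at zero
    # The 4-byte tag sits between the source MAC and the original EtherType.
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def trunk_ingress(frame: bytes, native: int = NATIVE_VLAN):
    """Frame arrives on a trunk: return (vlan, untagged frame)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return native, frame          # untagged traffic belongs to the native VLAN
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]

def access_egress(frame_vlan: int, frame: bytes, port_vlan: int):
    """Deliver to an access port only if the frame is in that port's VLAN."""
    return frame if frame_vlan == port_vlan else None

# Constructed sample: an untagged IPv4 frame sent by a guest device.
VLANS = {"tills": 10, "cameras": 20, "guests": 30}   # constructed VLAN numbers
GUEST_FRAME = (bytes.fromhex("ffffffffffff")    # destination MAC (broadcast)
               + bytes.fromhex("020000000030")  # source MAC (constructed)
               + struct.pack("!H", 0x0800)      # EtherType: IPv4
               + b"payload")

def demo():
    on_wire = trunk_egress(GUEST_FRAME, VLANS["guests"])   # tagged on the trunk
    vlan, clean = trunk_ingress(on_wire)                   # far switch reads the tag
    to_guest_port = access_egress(vlan, clean, VLANS["guests"])
    to_till_port = access_egress(vlan, clean, VLANS["tills"])
    return on_wire, vlan, to_guest_port, to_till_port

if __name__ == "__main__":
    on_wire, vlan, guest, till = demo()
    print(on_wire.hex(), vlan, guest == GUEST_FRAME, till)
```

The last two calls in `demo()` show the separation: the guest frame reaches a port in the guest VLAN unchanged, and is not delivered to a port in the tills VLAN.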

An analogy to remember

Picture it as roads. An access port is a single-lane road for one device, leading to one neighborhood (VLAN). A trunk is a highway with several lanes, where each lane belongs to a different VLAN and is color-coded, so that at the end a car can be sent to the right neighborhood.

When to use which

  • An access port wherever you connect an end device (computer, camera, printer). Each belongs to its VLAN.
  • A trunk port where you need to carry several VLANs at once: between two switches, from a switch to a router (so-called router-on-a-stick) or to an access point that broadcasts several networks (SSIDs) in different VLANs.

A real-world example

In a hotel or restaurant network, a trunk runs between the switches, carrying the VLANs for tills, cameras and guests at the same time. Each computer, camera or Wi-Fi access point is connected through an access port in its VLAN. That way a guest never reaches the till, even though everything physically runs over the same cabling.

Dealing with network segmentation in a company or venue? Get in touch, we will design and set up VLANs correctly as part of IT support for companies. The article on a router, a switch and a hub also helps.

This article is part of our Computer networks overview.