Switchport Mode Access

Mjeffe10Mjeffe10 ■□□□□□□□□□ Posts: 2Registered Users ■□□□□□□□□□
Hey everyone,

I am self studying for my CCNA (taking the two test route) and I have a quick question. Is it required to use the switchport mode access port command on a port? From what I am reading in my CCNA book, all ports by default are access ports for vlan 1. So if i did use the switchport access vlan 2 command (sorry I am trying to practice while I type) on int fa0/2, wouldn't it still be an access port? Do I need to use the switchport mode access command as well?

Thanks for the help.



  • anuragaks10anuragaks10 ■■□□□□□□□□ Posts: 60Member ■■□□□□□□□□
    Using "switchport access vlan 2" on Interface Fa0/2 will assign that interface to vlan 2.
    "switchport mode access" on Interface Fa0/2 will make it an 'access port'

    It is required to use the "switchport mode access" command on some switches , as I have seen that some switches have interfaces in a 'dynamic desirable' mode by default, which basically means that 'it desires to be in a trunk state'.

    So, my advice - Assign it manually :)
    A smooth sea never made a skilled sailor
  • gorebrushgorebrush Posts: 2,741Member
    Not sure what book you are reading, but for some switches - this is not the default command - so in my opinion it is always best to hard code ports that you *know* are going to be access and those that are trunks.

    On a Cisco 3550 for example, the poer default is switchport dynamic desirable - which is a pretty horrible default. As anuragaks above points out - it actively tries to negotiate a trunk port with what ever device is on the other end of the CAT5 cable out that port.

    This is a potentially massive security hole, because you could get some unsavoury person who can get their PC to negotiate a trunk, and if successful - they now at least have L2 access to all of the VLANs that have been configured...

    And yes, you should use both the

    switchport mode access
    switchport access vlan xx

    commands together :)
  • Mjeffe10Mjeffe10 ■□□□□□□□□□ Posts: 2Registered Users ■□□□□□□□□□
    Thanks. I appreciated the help. The fact that not all ports on switches are defaulted to be access ports is new information. In that case, it does make sense to make all ports that are known to be access ports, manually configured to only be access ports. Thanks again.
  • theodoxatheodoxa Posts: 1,340Member
    If you connect a switchport to a host device (non-trunking), it should function as an Access Port by default (VLAN 1), but if you connect it to another switch or a host device that supports 802.1Q trunking, there is a chance the 2 ends could negotiate a trunk. This can open your network up to attacks where a person connects a laptop and negotiates a trunk with the switch, allowing them to potentially access other VLANs, and/or launch attacks using STP, VTP, etc...
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
  • HeeroHeero Posts: 486Member
    Cisco has their dynamic trunking protocol (DTP) where basically, the port will communicate with the other port it is plugged into to determine whether or not to run as access mode, or as trunk mode. "Switchport mode access" sets the port to run ONLY as an access port. "Switchport mode trunk" sets the port to ONLY run as a trunk port. Also, there is the "switchport nonegotiate" command which will completely disable DTP.

    The "switchport access vlan [VLAN-ID]" command tells the port to use that VLAN as the access vlan IF the port is currently operating as an access port. So if the port is set to trunk mode, this command would have no effect until you turned it back to access mode.
Sign In or Register to comment.