There are three switchport modes:
1) access
2) dot1q-tunnel
3) trunk
Access mode:
switchport mode access
switchport access vlan <>
When you configure a port in access mode, the switch adds a VLAN header carrying the configured VLAN <> when it sends the packet out via the trunk ports. If that VLAN matches the native VLAN of the trunk port, the VLAN tag is not added.
When receiving downstream packets, the trunk port removes the VLAN tag and sends the packet to the port on which the destination MAC address was learnt. If the destination MAC address is unknown, the packet is broadcast on all the ports in that VLAN.
Trunk mode:
switchport mode trunk
switchport native vlan <>
A trunk port sends packets of all VLAN tags out to another switch or router. Generally this is the entry/exit port connecting hosts to a larger network. You can change the native VLAN from the default of "1" to any other VLAN using the above configuration. You can also limit the VLAN ranges that can pass through this port with the CLI command "switchport trunk allowed vlan <>".
Dot1q-tunnel mode:
switchport mode dot1q-tunnel
switchport access vlan <>
If an already tagged packet enters an access port that is configured for a different VLAN, the packet is dropped. It does not enter the switch at all. A port in dot1q-tunnel mode instead adds a further tag on top of the incoming tag. The VLAN ID configured as the access VLAN on the port becomes the outer tag, and the original incoming tag becomes the inner tag. This way we can have QinQ packets flowing through the network. This is called stacking of VLAN tags, and it is generally done in VPN scenarios.
If an incoming QinQ packet already carries two VLAN tags, a third tag is still added to the stack. In the egress direction, when sending downstream packets, the port removes the outermost tag before sending the packet out.
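The tag handling described above can be modelled on raw Ethernet frames. The following is an added example, not part of the original post or any switch vendor's code: the function names and the sample frame are constructed for illustration, and it assumes every tag in the stack uses the 802.1Q TPID 0x8100.

```python
import struct

TPID = 0x8100  # assumption: every tag in the stack uses the 802.1Q TPID

def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert a 4-byte VLAN tag right after the destination and source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]

def tag_stack(frame: bytes) -> list:
    """Return the VLAN IDs carried by the frame, outermost tag first."""
    vids, off = [], 12
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid != TPID:
            break
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        off += 4
    return vids

def pop_tag(frame: bytes) -> bytes:
    """Strip the outermost VLAN tag, as the tunnel port does on egress."""
    if not tag_stack(frame):
        raise ValueError("frame carries no VLAN tag")
    return frame[:12] + frame[16:]

def access_ingress(frame: bytes, access_vlan: int):
    """Access port: untagged frames join access_vlan; a tag for another VLAN is dropped."""
    stack = tag_stack(frame)
    if not stack:
        return push_tag(frame, access_vlan)
    # Assumption: a frame already tagged with the port's own VLAN is kept as is.
    return frame if stack[0] == access_vlan else None

def tunnel_ingress(frame: bytes, access_vlan: int) -> bytes:
    """dot1q-tunnel port: always push access_vlan as a new outer tag."""
    return push_tag(frame, access_vlan)

def trunk_egress(frame: bytes, native_vlan: int) -> bytes:
    """Trunk port: frames in the native VLAN leave untagged, the rest keep their tag."""
    stack = tag_stack(frame)
    return pop_tag(frame) if stack and stack[0] == native_vlan else frame

# Constructed sample frame: dst MAC, src MAC, EtherType 0x0800 (IPv4), dummy payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

if __name__ == "__main__":
    customer = push_tag(UNTAGGED, 10)            # customer frame tagged with VLAN 10
    print(access_ingress(customer, 100))         # dropped by an access port in VLAN 100
    qinq = tunnel_ingress(customer, 100)
    print(tag_stack(qinq))                       # outer tag first, then inner tag
    print(tag_stack(tunnel_ingress(qinq, 200)))  # a third tag stacked on top
    print(pop_tag(qinq) == customer)             # egress removes only the outer tag
```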
Hope you got an insight about the various modes of switchport. Get back to me with your thoughts.
Cheers!
Saturday, March 27, 2010