NetForge-AI
Intermediate·25 minute read

VLANs: access ports vs trunks

A VLAN (Virtual LAN) lets a single physical switch behave like several independent switches, separating broadcast domains without any additional hardware. This lesson explains access ports, trunk ports, and the 802.1Q tagging that lets multiple VLANs cross a single cable.

Why VLANs exist

Every port on a switch belongs to exactly one broadcast domain. By default, every port is in VLAN 1, so a broadcast frame received on any port floods to every other port.

VLANs let you group ports into separate broadcast domains. Ports in VLAN 10 are isolated from ports in VLAN 20 even though both groups share the same physical switch. Hosts in different VLANs cannot communicate directly — they need a router (or an L3 switch) to forward between them.

Access vs trunk

An access port carries traffic for exactly one VLAN — the access VLAN. Frames enter and leave untagged, so the connected host is unaware that VLANs exist.

A trunk port carries traffic for many VLANs over a single cable. Frames are tagged with a 4-byte 802.1Q header that names their VLAN. The receiving switch reads the tag, strips it, and delivers the frame to the right VLAN's broadcast domain.

Configure access ports in the lab

In NetForge-AI, every switch port defaults to access mode in VLAN 1. Click a switch on the canvas, find the interface row, and you can edit the VLAN number directly. Or drop into the CLI:

Switch> enable
Switch# configure terminal
Switch(config)# interface Fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# end

When you absolutely need a router

Two PCs in VLAN 10 ping each other through a switch — works. Move PC2 to VLAN 20 — the ping fails. Even though they're plugged into the same switch, they are now in different broadcast domains. Adding a router with two interfaces (or one trunked router-on-a-stick interface) restores reachability via inter-VLAN routing.

Note: VLAN segmentation is a security and scalability tool — it limits broadcast scope and prevents accidental cross-talk between organizational groups.

Practice this in the lab

Reading helps. Wiring it up yourself and breaking it makes it stick.

NetForge-AI is an independent educational platform and is not affiliated with, endorsed by, or sponsored by any networking vendor or certification body. All product names, protocols, and standards referenced are the property of their respective owners and are used for descriptive, educational purposes only.

© 2026 NetForge-AI. All rights reserved. Built for networking learners worldwide.