📘 CCNA 200-301 v1.1
2.1 Configure and verify VLANs (normal range) spanning multiple switches
2.1.a Access Ports (Data and Voice)
🔹 What is a VLAN?
Before understanding access ports, we must quickly recall what a VLAN (Virtual Local Area Network) is.
A VLAN is a logical grouping of devices within a switch (or across multiple switches) that allows you to separate network traffic even if devices are physically connected to the same switch.
Each VLAN behaves like a separate network (or broadcast domain).
For example:
- VLAN 10 = Accounting Department
- VLAN 20 = HR Department
- VLAN 30 = Voice Network (IP Phones)
This separation improves security, traffic management, and performance.
🔸 What is an Access Port?
An access port is a switch port that is assigned to a single VLAN.
It carries traffic for only one VLAN — usually used to connect end devices such as:
- Computers
- Printers
- IP Phones
When a device sends traffic to the switch through an access port:
- The switch tags that traffic internally with the VLAN ID.
- When the traffic leaves the switch through another access port, the VLAN tag is removed (the end device doesn’t see VLAN tags).
👉 Important: End devices (like PCs) do not understand VLAN tags. The switch handles the tagging and untagging automatically.
🔹 How Access Ports Work (Step by Step)
- The port is configured with a VLAN ID
Example: PortFastEthernet0/1is assigned to VLAN 10. - A device connects to that port
Example: A PC connects toFa0/1. - When the PC sends traffic
The switch automatically tags the frame with VLAN 10 internally. - When traffic leaves that VLAN
The switch removes the VLAN tag before sending it to the PC.
So from the device’s perspective, it’s just normal Ethernet communication — but inside the switch, traffic is separated per VLAN.
🔸 Data and Voice VLANs on Access Ports
In most networks today, a single access port may carry both data and voice traffic.
This is common where IP phones are used.
An IP phone has two ports:
- One connects to the switch.
- One connects to the user’s PC.
So both the phone and the PC share the same physical port on the switch.
To keep voice and data traffic separate, Cisco allows an access port to have:
- A data VLAN (for the PC traffic)
- A voice VLAN (for the IP phone traffic)
This ensures:
- Voice traffic is prioritized (less delay)
- Security and management are better (voice and data networks stay separate)
🔹 How Voice VLAN Works
When configured correctly:
- The switch port sends special Layer 2 signaling (using CDP or LLDP-MED) to tell the IP phone which VLAN to use for voice traffic.
- The phone tags voice packets with the voice VLAN ID.
- The PC connected to the phone sends normal, untagged data traffic which goes to the data VLAN.
So one physical port carries:
- Tagged frames (voice traffic)
- Untagged frames (data traffic)
🔸 Example: Configuration of Access and Voice VLAN
Let’s see how this is done in Cisco IOS.
✅ Scenario:
- VLAN 10 = Data (PCs)
- VLAN 20 = Voice (IP phones)
- Port FastEthernet 0/1 is connected to an IP phone and a PC
💻 Configuration:
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 20
Explanation:
switchport mode access
→ Sets the port as an access port (not trunk).switchport access vlan 10
→ Assigns data VLAN 10 to the port.switchport voice vlan 20
→ Assigns voice VLAN 20 for IP phone traffic.
Now:
- The PC connected through the phone will use VLAN 10.
- The IP phone will use VLAN 20.
🔹 Verifying Access and Voice VLAN Configuration
To confirm your configuration, use:
Switch# show interfaces FastEthernet0/1 switchport
You’ll see output like:
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (Data)
Voice VLAN: 20
This verifies that the port is:
- An access port
- Assigned to VLAN 10 for data
- Assigned to VLAN 20 for voice
🔸 Points to Remember for the Exam
| Concept | Description |
|---|---|
| Access Port | Carries traffic for only one VLAN |
| Voice VLAN | Special VLAN for IP phones to separate voice traffic |
| Data VLAN | The normal VLAN used for computers and other devices |
| Tagging | Voice frames are tagged; data frames are untagged |
| Switchport mode access | Makes the port an access port |
| switchport access vlan X | Assigns the VLAN for data |
| switchport voice vlan X | Assigns the VLAN for voice |
| show interfaces switchport | Verifies VLAN assignment |
🔹 Common Exam Questions and Key Facts
- Can an access port belong to more than one VLAN?
- Normally, no, but with voice VLAN, one additional VLAN (for voice) is allowed.
- Does the PC see VLAN tags?
- No, the PC sends and receives untagged frames.
- Does the IP phone tag its traffic?
- Yes, the phone tags its traffic with the voice VLAN ID.
- Why use a separate voice VLAN?
- To provide better Quality of Service (QoS) for voice traffic and isolate it from data traffic.
- Command to configure voice VLAN?
switchport voice vlan <vlan-id>
🧩 Summary
| Type | Traffic | VLAN Tag | Purpose |
|---|---|---|---|
| Access Port (Data) | PC / Printer | Untagged | Normal data communication |
| Voice VLAN (on Access Port) | IP Phone | Tagged | Voice communication (separate VLAN) |
Access ports are used to connect end devices.
Voice VLAN allows both phone and PC to share the same port while keeping voice and data logically separate.
✅ In short:
An access port is a port on a switch that carries traffic for one VLAN, but it can also support a voice VLAN for IP phones.
This configuration ensures separation of voice and data traffic, maintains proper VLAN segmentation, and supports better performance for real-time voice communication.
