Implementing VLANs
What are VLAN access ports?

When an end system is connected to a switch port, it needs to be associated with a VLAN, in accordance with the network design. To associate a device with a VLAN, the switch port to which the device connects is assigned to a single VLAN and thereby becomes an access port. A switch port can become an access port through static or dynamic configuration.

Static Access Port Association
On most switches, VLAN membership results from execution of a specific switchport configuration command. In a local VLAN strategy, the switch port is associated with the VLAN of other devices on that same switch or switch cluster.

Attributes and characteristics of access ports are:

  • An access port is associated with a single VLAN.
  • The VLAN to which the access port is assigned must exist in the VLAN database of the switch, or the port will be associated with an inactive VLAN that does NOT forward frames.
  • Because an access switch port is part of a VLAN or Layer 2 domain, that port will receive broadcasts, multicasts, unicast floods, and so forth that are sent to all ports in the VLAN.
  • The end device will typically have an IP address from the subnet that is common to all other devices on the access VLAN.
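
As an added example (not part of the original page), the following Python audit checks the second attribute above: it lists static access ports whose VLAN is missing from the VLAN database and would therefore not forward frames. The Cisco IOS-style configuration text is constructed, and the script assumes that VLAN definitions appear as "vlan <id-list>" lines in the same text and that default VLAN 1 always exists.

```python
import re

# Constructed sample in Cisco IOS style (not from the original page).
SAMPLE_CONFIG = """\
vlan 10
 name STAFF
vlan 20,30-31
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 40
interface FastEthernet0/3
 switchport mode access
interface FastEthernet0/4
 switchport mode trunk
"""

def expand_vlans(spec):
    """Expand an ID list such as '20,30-31' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit_access_ports(config):
    """Return (access ports -> VLAN, subset whose VLAN is not defined)."""
    defined = {1}  # assumption: default VLAN 1 always exists
    ports, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"vlan ([\d,\-]+)$", line):
            defined |= expand_vlans(m.group(1))
            current = None  # left any interface stanza
        elif m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            ports[current] = {"access": False, "vlan": 1}
        elif current and line.strip() == "switchport mode access":
            ports[current]["access"] = True
        elif current and (m := re.match(r"\s+switchport access vlan (\d+)$", line)):
            ports[current]["vlan"] = int(m.group(1))
    access = {p: v["vlan"] for p, v in ports.items() if v["access"]}
    inactive = {p: v for p, v in access.items() if v not in defined}
    return access, inactive

if __name__ == "__main__":
    access, inactive = audit_access_ports(SAMPLE_CONFIG)
    for port, vlan in inactive.items():
        print(f"{port}: access VLAN {vlan} is not in the VLAN database")
```

Trunk ports are skipped, and an access port with no explicit VLAN assignment is treated as a member of VLAN 1.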

Dynamic Access Port Association
Switch ports can be dynamically associated with a given VLAN based upon the MAC address of the device connecting on that port. This requires that the switch query a VLAN Membership Policy Server (VMPS) to determine which VLAN to associate with a switch port when a specific source MAC address is seen on that port.

This might be beneficial for a set of workstations that rove throughout the enterprise. Regardless of which switch or switch port the workstation connects to, that switch port would become an access port on a single, specific VLAN. Some security situations may require dynamic VLAN associations. However, dynamic VLANs are not consistent with the Enterprise Composite model and will not be discussed further in this course.