An access port on a switch is a port that is associated with a single VLAN and usually connects to a host.
In the egress (transmit) path, an access port always sends packets out untagged.
In the ingress (receive) path, an access port can accept both untagged and tagged packets. Note, however, that it does not accept all tagged packets: it accepts only those tagged with the VLAN associated with this port.
Note: In some products the requirement may be to accept only untagged packets on an access port.
Let us take an example to understand it better.
In the above diagram, host H1 (which can be a Linux host machine) is connected directly to a switch, Sw1.
Let the port of Sw1 that connects to host H1 be an access port of VLAN 10.
If H1 sends a packet to Sw1 as an untagged Ethernet packet, Sw1 will accept it and treat it as a packet belonging to VLAN 10. (The host H1 can remain unaware of the VLAN.)
H1 (if it is VLAN-aware) can also send a packet tagged with VLAN 10, and it will still be accepted by Sw1, because the connecting port on Sw1 belongs to the same VLAN.
However, if a packet tagged with VLAN 20 arrives at Sw1 on this port, it will be dropped.
In egress, Sw1 will always send out untagged packets for that VLAN.
Even if Sw1 received a packet tagged with VLAN 10 on some other port and needs to switch it out via this port to H1, it will send it out untagged.
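The ingress and egress rules from the example above, modelled in Python as an added example (not code from the original article). The class and function names, the sample MAC addresses and the untagged_only switch (for the stricter product behaviour in the note) are assumptions made for illustration; priority-tagged frames (VLAN ID 0) are not modelled.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build a constructed Ethernet frame; add an 802.1Q tag when vlan is given."""
    tag = struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def frame_vlan(frame):
    """Return the VLAN ID carried in the frame's 802.1Q tag, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID

class AccessPort:
    """Hypothetical model of one access port, e.g. the Sw1 port facing H1."""
    def __init__(self, vlan, untagged_only=False):
        self.vlan = vlan
        self.untagged_only = untagged_only  # stricter behaviour from the note

    def ingress(self, frame):
        """Return the VLAN the frame is classified into, or None if dropped."""
        vid = frame_vlan(frame)
        if vid is None:
            return self.vlan      # untagged: treated as the port's VLAN
        if vid == self.vlan and not self.untagged_only:
            return self.vlan      # tagged with the port's own VLAN: accepted
        return None               # any other tag: dropped

    def egress(self, frame):
        """Return the frame as it leaves the port: always untagged."""
        if frame_vlan(frame) is None:
            return frame
        return frame[:12] + frame[16:]  # strip the 4-byte tag after the MACs

# Constructed sample frames (MAC addresses and payload are made up).
H1, H2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
UNTAGGED = build_frame(H2, H1, 0x0800, b"ping")
TAGGED_10 = build_frame(H2, H1, 0x0800, b"ping", vlan=10)
TAGGED_20 = build_frame(H2, H1, 0x0800, b"ping", vlan=20)
```
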
Here is a typical diagram involving only access ports.
In the above diagram all ports of the switch are access ports of the respective VLANs. VLAN 10 hosts can ping each other and likewise VLAN 20 hosts can ping each other.
But VLAN 10 hosts can’t reach VLAN 20 hosts and vice versa.
Question for you
Now that you know what an access port is, I have a follow-up question. In the previous example we saw a host connecting to a switch via an access port. So can we have a switch connecting to another switch via an access port?
Can you think of the shortcomings of connecting two switches via an access port?