
2.4 PVID and Native VLAN

The previous section explained that access ports assign incoming untagged frames to a VLAN. The setting that controls this assignment is the PVID (Port VLAN ID). An incorrect PVID is one of the most common VLAN misconfigurations in industrial networks, and one of the hardest to diagnose, because nothing looks broken.

The mismatch is hard to diagnose for a simple reason: the link is up, frames are being sent, and no error counters increment. The only symptom is that connectivity does not work. The frames reach the switch, receive the wrong VLAN assignment, and are forwarded to devices in the wrong VLAN; the intended recipient never sees them. To understand why, look at what the switch does with an untagged frame.

When an untagged frame arrives on a port, the switch stamps it with the PVID of that port as its VLAN membership.

On an access port, the PVID is the only VLAN the port belongs to. On a trunk port, the PVID defines which VLAN receives untagged frames; that VLAN is the native VLAN. When the two switches on a link have different PVIDs, the result is silent connectivity loss: untagged frames from one side are placed in a different VLAN on the other side.

The link shows as UP and no counters increment. Check the PVID on both ends of every link when diagnosing connectivity issues. On trunk ports, a native VLAN mismatch has an additional security implication.

On a trunk port, the native VLAN is the VLAN whose frames are sent and received untagged. The native VLAN setting must match on both ends of a trunk link.

The native VLAN is also the basis of a VLAN hopping attack known as double tagging. An attacker whose access port sits in the same VLAN as the trunk's native VLAN sends a frame carrying two 802.1Q tags. The first switch reads the outer tag and classifies the frame into the native VLAN; because native VLAN traffic leaves the trunk untagged, that outer tag is gone when the frame crosses the link. The inner tag, which names the victim VLAN, is still inside the frame. The second switch reads it as an ordinary tag and delivers the frame into the victim VLAN. The attack is one-way (replies go back into the victim VLAN, not to the attacker), but one-way is enough to inject a write request toward a PLC.

Set the native VLAN to an unused VLAN (for example, VLAN 999) on trunk ports, and never carry production traffic untagged on trunks. No device port is then in the native VLAN, so the attacker's outer tag is kept on the trunk and the frame stays in the attacker's own VLAN. With the vulnerability understood, the next step is to detect mismatches before production startup.

Navigate to: Switching → VLAN → Port

Each port shows:

  • Port VLAN ID (PVID) — the VLAN for untagged ingress frames
  • Acceptable Frame Types — All / Tagged only / Untagged only
  • Ingress Filtering — enable to drop frames for VLANs outside the membership list of the port

Enable ingress filtering on every port. A frame tagged with VLAN 30 arriving on a port that is not a member of VLAN 30 is then dropped immediately. On access ports, also set Acceptable Frame Types to Untagged only: an end device has no reason to send tagged frames, and this setting drops the double-tagged frame used in the VLAN hopping attack at the edge port, before the switch classifies it at all.
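To make the rules above concrete, here is an added example that is not part of the original page and not Hirschmann code: a small model of 802.1Q ingress and egress on a two-switch trunk link that implements the PVID assignment, native VLAN handling, Acceptable Frame Types and ingress filtering just described, and runs the three cases from this section through it (the silent PVID mismatch, the double-tagging attack with and without an unused native VLAN, and ingress filtering). The switch layout, port names and VLAN numbers are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Frame:
    tags: list      # 802.1Q VLAN IDs, outermost first; [] means an untagged frame
    payload: str


@dataclass
class Port:
    pvid: int                   # VLAN for untagged ingress frames; on a trunk this is the native VLAN
    members: set                # VLAN membership list of the port
    trunk: bool = False         # trunk: member VLANs egress tagged, except the native VLAN (untagged)
    accept: str = "all"         # Acceptable Frame Types: "all" | "tagged" | "untagged"
    ingress_filtering: bool = True


def ingress(port, frame):
    """Classify an arriving frame. Returns (vlan, frame_without_outer_tag) or None if dropped."""
    if frame.tags and port.accept == "untagged":
        return None                                   # tagged frame on an untagged-only port
    if not frame.tags and port.accept == "tagged":
        return None                                   # untagged frame on a tagged-only port
    if frame.tags:
        vlan = frame.tags[0]                          # the outer tag decides the VLAN ...
        frame = Frame(frame.tags[1:], frame.payload)  # ... and is consumed; inner tags stay inside
    else:
        vlan = port.pvid                              # untagged: the PVID decides
    if port.ingress_filtering and vlan not in port.members:
        return None                                   # VLAN not in this port's membership list
    return vlan, frame


def egress(port, vlan, frame):
    """Return the frame as it leaves the port, or None if the port does not carry that VLAN."""
    if vlan not in port.members:
        return None
    if port.trunk and vlan != port.pvid:
        return Frame([vlan] + frame.tags, frame.payload)   # tagged member VLAN
    return frame                                           # native VLAN or access port: untagged


def landing_vlan(sw_a, in_port, frame, sw_b):
    """Push a frame into sw_a[in_port], across the trunk link, and return the VLAN it is
    assigned on switch B (None if dropped anywhere). A switch is a dict of port name -> Port
    with a port called "trunk" facing the other switch (assumed layout)."""
    classified = ingress(sw_a[in_port], frame)
    if classified is None:
        return None
    vlan, inner = classified
    on_wire = egress(sw_a["trunk"], vlan, inner)
    if on_wire is None:
        return None
    classified = ingress(sw_b["trunk"], on_wire)
    return None if classified is None else classified[0]


def build_switch(native, access_pvid, accept="untagged", ingress_filtering=True):
    """Constructed two-port switch: access port 1/1 and a trunk carrying VLANs 1, 10, 20, 30 and the native VLAN."""
    return {
        "1/1": Port(access_pvid, {access_pvid}, accept=accept, ingress_filtering=ingress_filtering),
        "trunk": Port(native, {1, 10, 20, 30, native}, trunk=True),
    }


def pvid_demo(native_sw1, native_sw2):
    # A PLC in VLAN 10 on SW1 sends an untagged frame; where does it land on SW2?
    sw1 = build_switch(native=native_sw1, access_pvid=10)
    sw2 = build_switch(native=native_sw2, access_pvid=10)
    return landing_vlan(sw1, "1/1", Frame([], "PLC cyclic data"), sw2)


def double_tag_demo(native, access_accept="all"):
    # Attacker on SW1 port 1/1 (PVID 1) sends two 802.1Q tags: outer 1, inner 30 (the victim VLAN).
    sw1 = build_switch(native=native, access_pvid=1, accept=access_accept)
    sw2 = build_switch(native=native, access_pvid=30)
    return landing_vlan(sw1, "1/1", Frame([1, 30], "crafted write request"), sw2)


def ingress_filtering_demo(enabled):
    # Host on SW1 port 1/1 (PVID 20, member of VLAN 20 only) sends a frame it tagged with VLAN 30.
    sw1 = build_switch(native=999, access_pvid=20, accept="all", ingress_filtering=enabled)
    sw2 = build_switch(native=999, access_pvid=30)
    return landing_vlan(sw1, "1/1", Frame([30], "tagged by the host"), sw2)


if __name__ == "__main__":
    print("native 10 vs 20, VLAN 10 frame lands in:", pvid_demo(10, 20))        # 20: silent loss
    print("native 999 both ends, VLAN 10 frame lands in:", pvid_demo(999, 999))  # 10
    print("double tag, native 1:", double_tag_demo(native=1))                     # 30: victim VLAN reached
    print("double tag, native 999:", double_tag_demo(native=999))                 # 1: stays in attacker VLAN
    print("double tag, untagged-only access port:", double_tag_demo(1, "untagged"))  # None: dropped at edge
    print("ingress filtering on / off:", ingress_filtering_demo(True), ingress_filtering_demo(False))  # None / 30
```

The model deliberately keeps inner tags in the frame after classification; that single detail is what makes double tagging work when the outer tag equals the native VLAN, and what makes it fail when the native VLAN is unused.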

After a cabling change or switch replacement, a PVID mismatch appears without any visible indication. The following script reads the PVID from every port on every switch in the ring and compares the PVID against the expected design:

# pip install netmiko
import os
import re
import sys
from netmiko import ConnectHandler

# Expected PVID per port, taken from the VLAN design for the cell.
EXPECTED = {
    "SW-Cell1-MRM": {"1/1": 10, "1/2": 10, "1/3": 20, "1/4": 50},
    "SW-Cell1-MRC1": {"1/1": 10, "1/2": 10, "1/3": 20},
}
SWITCHES = [
    {"host": "192.168.1.100", "name": "SW-Cell1-MRM"},
    {"host": "192.168.1.101", "name": "SW-Cell1-MRC1"},
]
# Credentials come from the environment, not from the script file.
USERNAME = os.environ["SWITCH_USER"]
PASSWORD = os.environ["SWITCH_PASS"]


def get_pvids(host: str) -> dict[str, int]:
    # device_type must be a platform the installed netmiko supports; if it rejects
    # "hirschmann_ssh", "generic" is sufficient for a single show command.
    conn = ConnectHandler(device_type="hirschmann_ssh", host=host,
                          username=USERNAME, password=PASSWORD)
    try:
        output = conn.send_command("show vlan port")
    finally:
        conn.disconnect()
    pvids = {}
    # Expected row layout: "<slot/port>  <PVID>  <access|trunk|hybrid> ..."
    for line in output.splitlines():
        m = re.match(r"\s*(\d+/\d+)\s+(\d+)\s+(access|trunk|hybrid)", line)
        if m:
            pvids[m.group(1)] = int(m.group(2))
    return pvids


mismatches = 0
for sw in SWITCHES:
    actual = get_pvids(sw["host"])
    for port, expected_pvid in EXPECTED.get(sw["name"], {}).items():
        actual_pvid = actual.get(port)   # None if the port is missing from the output
        if actual_pvid != expected_pvid:
            mismatches += 1
            print(f"{sw['name']} port {port}: PVID={actual_pvid} expected {expected_pvid}")
# Non-zero exit status so the check can gate an automated startup sequence.
sys.exit(1 if mismatches else 0)

Run the script before every production startup. A PVID mismatch found before startup takes 30 seconds to fix; the same mismatch found during production requires a maintenance window.

PVID mismatches are silent

The link is up, frames are sent, no indications appear. The only symptom is that connectivity does not work. Check PVID on both ends of every link when diagnosing VLAN issues.

Set native VLAN to an unused VLAN

Use VLAN 999 or similar as the native VLAN on trunks. Never carry production traffic untagged on trunks.

VLANs and tagging operate at Layer 2. The next chapter covers IP addressing and routing — how devices communicate across VLAN boundaries and across multiple network segments.

  • IEEE 802.1Q-2022 — Bridges and Bridged Networks, Section 8.6 (Port VLAN Identifier)
  • Hirschmann. (2023). User Manual — HiOS: VLAN Port Configuration. Belden/Hirschmann.