
2.4 PVID and Native VLAN

The previous section explained that access ports assign incoming untagged frames to a VLAN. The setting that controls this assignment is the PVID (Port VLAN ID): it determines which VLAN an untagged incoming frame is placed in. A PVID mismatch is the most common VLAN misconfiguration in industrial networks, and the hardest to diagnose, because the link stays up and no error counters increment.

That is exactly what makes it hard to diagnose: the link is up, frames are being sent, and nothing is counted as an error. The only symptom is that connectivity does not work. The frames arrive at the switch, are assigned to the wrong VLAN, and are forwarded to the devices in that wrong VLAN; the intended recipient never sees them. To understand why, you need to see exactly what the switch does with an untagged frame.

When an untagged frame arrives on a port, the switch stamps it with the PVID as its VLAN membership.

On access ports, the PVID is the only VLAN the port belongs to. On trunk ports, the PVID defines which VLAN receives untagged frames. This is the native VLAN. When two switches have different PVIDs on the same link, the result is a silent failure.

The link shows as UP. No error counters increment. The only symptom is that connectivity does not work. Check the PVID on both ends of every link when diagnosing connectivity problems. On trunk ports, a native VLAN mismatch has an additional security implication.

On a trunk port, the native VLAN is the VLAN whose frames are sent untagged. The native VLAN must match on both ends of a trunk.

A native VLAN mismatch is also a security vulnerability called VLAN hopping. An attacker sends a frame with two 802.1Q tags. The outer tag matches the native VLAN of the first switch (stripped on ingress). The inner tag targets the victim VLAN. The second switch delivers the frame to the victim VLAN.

Set the native VLAN to an unused VLAN (for example, VLAN 999) on all trunk ports. Never carry production traffic untagged on trunks. With the risk understood, the next step is to detect mismatches before they cause problems in production.

Navigate to: Switching → VLAN → Port

Each port shows:

  • Port VLAN ID (PVID) — the VLAN for untagged ingress frames
  • Acceptable Frame Types — All / Tagged only / Untagged only
  • Ingress Filtering — enable to drop frames for VLANs not in the port’s membership list

Enable ingress filtering on all ports. A frame tagged with VLAN 30 arriving on a port that is not a member of VLAN 30 is dropped immediately.
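To make the PVID, native VLAN, ingress filtering and double-tag behaviour described above concrete, here is an added simulation (not code from the page or from Hirschmann) of what one switch does with a frame on an access port and then on a trunk towards a second switch. The frame layout, the constructed MAC addresses and the simplified forwarding model (access port strips one tag, trunk re-tags everything except the native VLAN) are assumptions made for the example.

```python
import struct

TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag protocol identifiers


def build_frame(vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed test frame: dst, src, one 802.1Q tag per VID (outermost first), EtherType, payload."""
    dst, src = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")  # constructed MACs
    tags = b"".join(struct.pack("!HH", 0x8100, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return the stacked VIDs on a frame, outermost first ([] when untagged)."""
    vids, off = [], 12
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] in TPIDS:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)  # low 12 bits = VID
        off += 4
    return vids


def access_ingress(frame, pvid, accept_tagged=True):
    """Classify one frame on an access port: (vlan, frame) or None when dropped."""
    vids = parse_tags(frame)
    if not vids:
        return pvid, frame  # untagged: stamped with the PVID
    if not accept_tagged or vids[0] != pvid:
        return None  # 'Untagged only' or ingress filtering (port is not a member of that VLAN)
    return vids[0], frame[:12] + frame[16:]  # outer tag consumed; any inner tag stays as payload


def trunk_egress(vlan, frame, native_vlan):
    """Native VLAN leaves the trunk untagged; every other VLAN is re-tagged with its VID."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", 0x8100, vlan) + frame[12:]


def deliver(frame, access_pvid, native_vlan, accept_tagged=True):
    """VLAN the far-end switch assigns after access port -> trunk, or None if dropped."""
    result = access_ingress(frame, access_pvid, accept_tagged)
    if result is None:
        return None
    vlan, frame = result
    wire = trunk_egress(vlan, frame, native_vlan)
    vids = parse_tags(wire)
    return vids[0] if vids else native_vlan  # trunk PVID on the peer is its native VLAN
```

With the native VLAN set to a production VLAN, a frame carrying tags [10, 30] reaches the peer in VLAN 30; with the native VLAN moved to unused VLAN 999 the same frame stays in VLAN 10, and with the access port set to Untagged only it is dropped on ingress.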

After a cabling change or switch replacement, a PVID mismatch can be introduced without any visible error. The following script reads the PVID from every port on every switch in the ring and compares it against the expected design:

```python
# pip install netmiko
from netmiko import ConnectHandler
import re

# Expected PVID per port, per switch, taken from the VLAN design
EXPECTED = {
    "SW-Cell1-MRM": {"1/1": 10, "1/2": 10, "1/3": 20, "1/4": 50},
    "SW-Cell1-MRC1": {"1/1": 10, "1/2": 10, "1/3": 20},
}
SWITCHES = [
    {"host": "192.168.1.100", "name": "SW-Cell1-MRM"},
    {"host": "192.168.1.101", "name": "SW-Cell1-MRC1"},
]


def get_pvids(host: str) -> dict[str, int]:
    """Return {port: pvid} as reported by 'show vlan port' on one switch."""
    # Credentials are kept as on the page; in production load them from a vault or environment
    conn = ConnectHandler(device_type="hirschmann_ssh", host=host,
                          username="admin", password="private")
    output = conn.send_command("show vlan port")
    conn.disconnect()
    pvids = {}
    for line in output.splitlines():
        # Match lines of the form "<slot>/<port>  <pvid>  <access|trunk|hybrid>"
        m = re.match(r"(\d+/\d+)\s+(\d+)\s+(access|trunk|hybrid)", line)
        if m:
            pvids[m.group(1)] = int(m.group(2))
    return pvids


for sw in SWITCHES:
    actual = get_pvids(sw["host"])
    for port, expected_pvid in EXPECTED.get(sw["name"], {}).items():
        actual_pvid = actual.get(port)  # None when the port is missing from the output
        if actual_pvid != expected_pvid:
            print(f"{sw['name']} port {port}: PVID={actual_pvid} expected {expected_pvid}")
```

Run this script before every production startup. A PVID mismatch found before startup takes 30 seconds to fix. The same mismatch found during production requires a maintenance window.

PVID mismatches are silent

The link is up, frames are sent, no errors appear. The only symptom is that connectivity does not work. Check PVID on both ends of every link when diagnosing VLAN problems.

Set native VLAN to an unused VLAN

Use VLAN 999 or similar as the native VLAN on all trunks. Never carry production traffic untagged on trunks.

VLANs and tagging operate at Layer 2. The next chapter covers IP addressing and routing — how devices communicate across VLAN boundaries and across multiple network segments.
