
2.3 Trunk and Access Ports

The previous section covered the 802.1Q tag structure. Now the question is: which ports add tags and which ports strip them? End devices like PLCs send untagged frames. Switch-to-switch links carry multiple VLANs simultaneously. The answer is two port types — access and trunk — each with a specific role.

End devices — PLCs, HMIs, PCs — send and receive standard Ethernet frames. They have no knowledge of VLANs and cannot read or generate 802.1Q tags. If a switch sent a tagged frame to a PLC, the PLC would find EtherType 0x8100 where it expects the payload type (0x0800 for IPv4, for example) and, lacking an 802.1Q parser, discard the frame. Some general-purpose NICs strip tags silently in hardware; an embedded PLC stack typically does not, so treat VLAN-unaware devices as unable to receive tagged frames at all.

At the same time, a link between two switches needs to carry traffic for multiple VLANs simultaneously. Without tags, the receiving switch has no way to know which VLAN a frame belongs to.

The solution is two port types. Access ports connect to end devices and handle the tagging transparently. Trunk ports connect switches to each other and carry tagged frames for multiple VLANs. The behavior of each port type is straightforward once you see it in action.

An access port belongs to exactly one VLAN. The switch assigns all incoming untagged frames to the port’s configured VLAN (the PVID). Only frames that belong to that VLAN are forwarded out of the port, and the switch strips the tag before they leave. The end device never sees a tag.

The PLC sends and receives normal Ethernet frames. The switch handles all VLAN logic invisibly. Trunk ports work differently — they carry the tags explicitly.

A trunk port carries traffic for multiple VLANs simultaneously. The switch tags outgoing frames with the VLAN ID and reads the tag on incoming frames to determine which VLAN they belong to. One VLAN on each trunk, the native VLAN (the trunk port’s PVID), is sent and received untagged; an untagged frame arriving on the trunk is assigned to it. Both ends of the link must agree on the native VLAN, otherwise frames cross the link in one VLAN and are classified into another.

Configure an allowed VLAN list on every trunk port. The switch drops frames for VLANs not in the list. This keeps broadcast traffic off links that do not need it and limits exposure: a compromised device in one VLAN cannot reach a segment whose VLAN the trunk does not carry. Choose a native VLAN that carries no end-device traffic, so an untagged frame that slips onto the trunk lands in an unused VLAN rather than a production one.

The most common mistakes with trunk and access ports are easy to make and hard to notice until something stops working.

| Mistake | Symptom | Fix |
| --- | --- | --- |
| Access port in wrong VLAN | Device cannot reach its gateway | Set the correct PVID |
| Trunk missing a VLAN | Traffic for that VLAN does not cross the trunk | Add the VLAN to the allowed list on both ends |
| Native VLAN mismatch | Frames appear in the wrong VLAN | Match the native VLAN on both ends |
| Trunk connected to a non-VLAN-aware device | Device receives tagged frames it cannot parse | Use an access port instead |
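The following model is an added example, not code from this course or from Hirschmann. It simulates the two port types described above: an access port assigns untagged frames to its PVID and strips tags on the way out, while a trunk port enforces an allowed list, tags frames on egress and sends the native VLAN untagged. The scenarios() function walks a constructed PLC frame through two switches and then reproduces three mistakes from the table: a trunk missing the VLAN, a native VLAN mismatch, and a tagged frame delivered to a VLAN-unaware device. Dropping a tagged frame that arrives on an access port is this model’s own assumption; real switches differ on that case.

```python
# Added example, not code from the course or from Hirschmann: a minimal model
# of how 802.1Q access and trunk ports classify frames on ingress and tag or
# strip them on egress. Port behaviour follows IEEE 802.1Q; dropping a tagged
# frame that arrives on an access port is this model's own conservative
# assumption (vendors differ on that case). All frames below are constructed.
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    payload: bytes = b""
    vlan: Optional[int] = None  # None means untagged on the wire


class AccessPort:
    """Member of exactly one VLAN; the attached device never sees a tag."""

    def __init__(self, pvid: int) -> None:
        self.pvid = pvid

    def ingress(self, frame: Frame) -> Optional[Frame]:
        if frame.vlan is not None:
            return None  # tagged frame on an access port: dropped (model assumption)
        return replace(frame, vlan=self.pvid)  # untagged frame -> PVID

    def egress(self, frame: Frame) -> Optional[Frame]:
        if frame.vlan != self.pvid:
            return None  # port is not a member of that VLAN
        return replace(frame, vlan=None)  # tag stripped before the device sees it


class TrunkPort:
    """Carries every VLAN in `allowed`; the native VLAN travels untagged."""

    def __init__(self, allowed: set[int], native: int = 1) -> None:
        self.allowed = set(allowed)
        self.native = native

    def ingress(self, frame: Frame) -> Optional[Frame]:
        vlan = self.native if frame.vlan is None else frame.vlan
        if vlan not in self.allowed:
            return None  # VLAN not in the allowed list: dropped
        return replace(frame, vlan=vlan)

    def egress(self, frame: Frame) -> Optional[Frame]:
        if frame.vlan not in self.allowed:
            return None  # VLAN missing from the trunk: silently dropped
        if frame.vlan == self.native:
            return replace(frame, vlan=None)  # native VLAN leaves untagged
        return frame  # leaves with its 802.1Q tag (EtherType 0x8100)


def forward(frame: Optional[Frame], in_port, out_port) -> Optional[Frame]:
    """One switch hop: classify on ingress, then emit on egress."""
    if frame is None:
        return None
    inside = in_port.ingress(frame)
    return None if inside is None else out_port.egress(inside)


def vlan_unaware_receive(frame: Optional[Frame]) -> Optional[bytes]:
    """A PLC or HMI without VLAN support parses only untagged frames."""
    if frame is None or frame.vlan is not None:
        return None  # it finds EtherType 0x8100 where it expects the payload type
    return frame.payload


def scenarios() -> dict[str, object]:
    """Healthy path plus three of the trunk mistakes from the table above."""
    plc = Frame("plc-a", "hmi-b", b"modbus-read")  # constructed sample frame
    a_access, a_trunk = AccessPort(10), TrunkPort({1, 10, 20}, native=1)  # switch A
    b_trunk, b_access = TrunkPort({1, 10, 20}, native=1), AccessPort(10)  # switch B

    on_link = forward(plc, a_access, a_trunk)     # tagged with VLAN 10 on the trunk
    at_hmi = forward(on_link, b_trunk, b_access)  # tag stripped again for the HMI

    # Mistake: switch B's trunk was never given VLAN 10.
    lost = forward(on_link, TrunkPort({1, 20}, native=1), b_access)

    # Mistake: native VLAN 1 on A, 99 on B. VLAN 1 leaves A untagged and is
    # classified as 99 on B, so the frame silently lands in the wrong VLAN.
    untagged = forward(plc, AccessPort(1), TrunkPort({1, 10, 99}, native=1))
    landed = TrunkPort({1, 10, 99}, native=99).ingress(untagged)

    return {
        "healthy": (on_link.vlan, vlan_unaware_receive(at_hmi)),
        "trunk_missing_vlan": lost,
        "native_mismatch": (1, landed.vlan),
        "trunk_to_plc": vlan_unaware_receive(on_link),  # tagged frame to unaware device
    }
```

Call scenarios() and compare the four results with the table: the healthy path delivers the payload untagged to the HMI while the frame was tagged 10 on the link, the missing VLAN yields no frame at all, the native mismatch moves a VLAN 1 frame into VLAN 99, and the tagged frame handed straight to a VLAN-unaware device is discarded.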

After adding a new VLAN to the network, verify that the trunk ports on every switch carry the new VLAN. A trunk that is missing the new VLAN silently drops all traffic for that VLAN on that link, so check both ends of every trunk, not just one side:

```python
# pip install netmiko
import os
import re
from getpass import getpass
from netmiko import ConnectHandler

# Read the password from the environment or prompt for it; never hard-code it.
PASSWORD = os.environ.get("SWITCH_PASSWORD") or getpass("Switch password: ")


def get_trunk_vlans(host: str, trunk_port: str) -> set[int]:
    """Return the VLAN IDs the switch reports for trunk_port."""
    # Confirm your netmiko version accepts this device_type; its platform list
    # has no dedicated Hirschmann driver, so "generic" may be needed instead.
    conn = ConnectHandler(device_type="hirschmann_ssh", host=host,
                          username="admin", password=PASSWORD)
    try:
        output = conn.send_command(f"show vlan port {trunk_port}")
    finally:
        conn.disconnect()
    # Coarse parse: every 1-4 digit number in the valid VLAN range. Port names
    # such as "1/24" also match, so tune the regex to your firmware's output.
    return {int(v) for v in re.findall(r"\b(\d{1,4})\b", output)
            if 1 <= int(v) <= 4094}


REQUIRED = {10, 20, 50}
# List both ends of every trunk; a VLAN missing on either side breaks the link.
TRUNKS = [("192.168.1.100", "1/24"), ("192.168.1.101", "1/24"),
          ("192.168.1.102", "1/24")]

for host, port in TRUNKS:
    missing = REQUIRED - get_trunk_vlans(host, port)
    if missing:
        print(f"{host} port {port}: missing VLANs {sorted(missing)}")
    else:
        print(f"{host} port {port}: OK")
```

Access ports hide VLANs from end devices

The switch handles tagging transparently. PLCs and HMIs send and receive standard untagged frames.

Trunk ports carry multiple VLANs

Configure the allowed VLAN list explicitly. Verify it after adding any new VLAN to the network.

Trunk and access ports control how frames are tagged. The next section covers PVID — the specific setting that determines which VLAN an untagged frame belongs to, and why a wrong PVID causes silent connectivity failures.

  • IEEE. (2022). IEEE Std 802.1Q-2022 — Bridges and Bridged Networks.
  • Hirschmann. (2023). User Manual — HiOS-2S/3S/3A: VLANs. Belden/Hirschmann.