
2.3 Trunk and Access Ports

The previous section covered the 802.1Q tag structure. The next question is: which ports add tags and which ports strip tags? End devices like PLCs send untagged frames. Switch-to-switch links carry multiple VLANs simultaneously. 2 port types — access and trunk — each serve a specific role.

End devices — PLCs, HMIs, PCs — send and receive standard Ethernet frames. They have no knowledge of VLANs and no ability to read or generate 802.1Q tags. If a switch sends a tagged frame to a PLC, the PLC finds the unexpected value 0x8100 (the tag's TPID) where it expects the EtherType and typically discards the frame.

At the same time, a link between 2 switches needs to carry traffic for multiple VLANs simultaneously. Without tags, the receiving switch has no way to determine the VLAN membership of a frame.

The solution is 2 port types. Access ports connect to end devices and handle the tagging transparently. Trunk ports connect switches to each other and carry tagged frames for multiple VLANs. The behavior of each port type is straightforward.

An access port belongs to exactly 1 VLAN. The switch assigns incoming untagged frames to the configured VLAN of the port (the PVID). The switch strips the VLAN tag from outgoing frames. The end device never sees a tag.

The PLC sends and receives normal Ethernet frames. The switch handles VLAN logic invisibly. Trunk ports work differently — trunk ports carry the tags explicitly.

A trunk port carries traffic for multiple VLANs simultaneously. The switch tags outgoing frames with the VLAN ID. The switch reads the VLAN tag from incoming frames to determine the VLAN membership.

Configure an allowed VLAN list on every trunk port. The switch drops frames for VLANs outside the list. The allowed VLAN list reduces unnecessary broadcast traffic and limits the exposure surface. Untagged frames that arrive on a trunk are assigned to the trunk's native VLAN, so the native VLAN must match on both ends of the link and should not be one of the production VLANs.

The most common mistakes with trunk and access ports are easy to make and hard to notice until connectivity breaks.

| Mistake | Symptom | Fix |
| --- | --- | --- |
| Access port in incorrect VLAN | Device has no path to the gateway | Set correct PVID |
| Trunk missing a VLAN | Traffic for that VLAN does not cross the trunk | Add VLAN to allowed list on both ends |
| Native VLAN mismatch | Frames appear in incorrect VLAN | Match native VLAN on both ends |
| Trunk connected to non-VLAN-aware device | Device receives tagged frames it has no ability to parse | Use access port instead |
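To make the port behaviour and the failure rows above concrete, here is an added Python model of the two port types. It is example code written for this page, not code from the 802.1Q standard or from Hirschmann: frames are real byte strings with the tag inserted at the 802.1Q position, the MAC addresses and payload are constructed, the trunk sends its native VLAN untagged (the classic behaviour), and the handling of a tagged frame arriving on an access port is a simplification, since vendors differ. The last five functions reproduce the normal access-to-trunk path and three of the table's failure rows.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
PLC_MAC = bytes.fromhex("020000000001")   # constructed, locally administered MACs
HMI_MAC = bytes.fromhex("020000000002")

def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an untagged Ethernet frame: dst(6) src(6) EtherType(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload

def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]

def read_tag(frame: bytes) -> tuple[int | None, bytes]:
    """Return (vid, frame with the tag removed); vid is None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

def end_device_accepts(frame: bytes) -> bool:
    """A VLAN-unaware device (PLC, HMI) sees 0x8100 as an unknown EtherType and drops the frame."""
    return struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q

@dataclass
class AccessPort:
    pvid: int   # the single VLAN the port belongs to

    def ingress(self, frame: bytes) -> tuple[int, bytes] | None:
        vid, payload = read_tag(frame)
        if vid is None:                       # the normal case: untagged -> PVID
            return self.pvid, payload
        # Simplified model: a tagged frame is accepted only if it already carries the PVID.
        return (vid, payload) if vid == self.pvid else None

    def egress(self, vid: int, payload: bytes) -> bytes | None:
        return payload if vid == self.pvid else None   # own VLAN only, always untagged

@dataclass
class TrunkPort:
    allowed: set[int]   # the allowed VLAN list
    native: int = 1     # VLAN assigned to untagged frames on the trunk

    def ingress(self, frame: bytes) -> tuple[int, bytes] | None:
        vid, payload = read_tag(frame)
        if vid is None:                       # untagged on a trunk -> native VLAN
            vid = self.native
        return (vid, payload) if vid in self.allowed else None

    def egress(self, vid: int, payload: bytes) -> bytes | None:
        if vid not in self.allowed:           # outside the allowed list -> dropped
            return None
        return payload if vid == self.native else tag_frame(payload, vid)

def forward(in_port, out_port, frame: bytes) -> bytes | None:
    """One switch hop: classify on ingress, re-emit on egress (no MAC learning modelled)."""
    classified = in_port.ingress(frame)
    if classified is None:
        return None
    vid, payload = classified
    return out_port.egress(vid, payload)

SAMPLE = make_frame(HMI_MAC, PLC_MAC, ETHERTYPE_IPV4, bytes(20))   # constructed frame

def access_to_trunk_vid() -> int | None:
    """Normal path: PLC on an access port with PVID 10; the uplink trunk emits it tagged 10."""
    out = forward(AccessPort(pvid=10), TrunkPort(allowed={10, 20}), SAMPLE)
    return read_tag(out)[0] if out else None

def trunk_missing_vlan_passes() -> bool:
    """Table row 'trunk missing a VLAN': VLAN 50 arrives on a trunk allowing only 10 and 20."""
    out = forward(TrunkPort(allowed={10, 20}), TrunkPort(allowed={10, 20, 50}), tag_frame(SAMPLE, 50))
    return out is not None

def native_mismatch_vid() -> int | None:
    """Table row 'native VLAN mismatch': A sends VLAN 1 untagged, B files it under its native 99."""
    untagged = TrunkPort(allowed={1, 10, 99}, native=1).egress(1, SAMPLE)
    classified = TrunkPort(allowed={1, 10, 99}, native=99).ingress(untagged)
    return classified[0] if classified else None

def plc_on_trunk_accepts() -> bool:
    """Table row 'trunk connected to non-VLAN-aware device': the PLC receives a tagged VLAN 20 frame."""
    return end_device_accepts(forward(AccessPort(pvid=20), TrunkPort(allowed={10, 20}), SAMPLE))

def access_egress_is_untagged() -> bool:
    """Normal delivery: tagged VLAN 20 on the trunk reaches an HMI access port with the tag stripped."""
    out = forward(TrunkPort(allowed={10, 20}), AccessPort(pvid=20), tag_frame(SAMPLE, 20))
    return out is not None and read_tag(out)[0] is None and end_device_accepts(out)
```

The native VLAN mismatch case is the one worth running twice: nothing is dropped and no counter increments, the frame simply arrives in VLAN 99 on the far switch, which is exactly why the table calls the symptom "frames appear in incorrect VLAN".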

After adding a new VLAN to the network, verify that the trunk ports on every switch carry the new VLAN. A trunk missing the new VLAN silently drops traffic for that VLAN on that segment:

```python
# pip install netmiko
import os
import re
from netmiko import ConnectHandler


def get_trunk_vlans(host: str, trunk_port: str) -> set[int]:
    """Return the VLAN IDs the switch reports for trunk_port."""
    conn = ConnectHandler(
        device_type="hirschmann_ssh",  # must match a driver present in the installed netmiko
        host=host,
        username=os.environ.get("SWITCH_USER", "admin"),
        password=os.environ["SWITCH_PASSWORD"],  # read from the environment, never hard-coded
    )
    try:
        output = conn.send_command(f"show vlan port {trunk_port}")
    finally:
        conn.disconnect()
    # Coarse parse: every integer in 1..4094 found in the output. Port numbers such as
    # 1/24 also match, so tighten the pattern to the exact column layout of your firmware.
    return {int(v) for v in re.findall(r"\b(\d{1,4})\b", output) if 1 <= int(v) <= 4094}


REQUIRED = {10, 20, 50}
TRUNKS = [("192.168.1.100", "1/24"), ("192.168.1.101", "1/24"), ("192.168.1.102", "1/24")]

for host, port in TRUNKS:
    missing = REQUIRED - get_trunk_vlans(host, port)
    if missing:
        print(f"{host} port {port}: missing VLANs {sorted(missing)}")
    else:
        print(f"{host} port {port}: OK")
```

Access ports hide VLANs from end devices

The switch handles tagging transparently. PLCs and HMIs send and receive standard untagged frames.

Trunk ports carry multiple VLANs

Configure the allowed VLAN list explicitly. Verify the list after adding any new VLAN to the network.

Trunk and access ports control how frames are tagged. The next section covers PVID — the specific setting determining which VLAN an untagged frame belongs to, and why an incorrect PVID causes silent connectivity loss.
