Ethernet Port Types (Access, Trunk, Hybrid) and Frame Tagging

The Core Concept: Why VLANs and Tagging Exist
Ethernet networks originally had a single broadcast domain. Every device saw every broadcast packet, leading to security concerns and inefficient traffic. Virtual LANs (VLANs) were created to logically segment a physical network into multiple broadcast domains. This improves security, traffic management, and performance.
However, a physical link often needs to carry traffic for multiple VLANs (e.g., a single cable connecting two switches). This is where frame tagging comes in. The IEEE 802.1Q standard defines a method to add a "tag" (a 4-byte header) into the Ethernet frame to identify which VLAN the frame belongs to.
Deep Dive: Tagged vs. Untagged Frames
[strong]Untagged Frame:[/strong] This is a standard, plain Ethernet frame as sent by an end-device (computer, printer, IP phone, server). These devices are typically "VLAN-unaware"; they have no concept of VLAN tags. They expect to send and receive standard frames.
[strong]Tagged Frame:[/strong] This is a standard Ethernet frame that has been modified by a network switch. A 4-byte 802.1Q tag is inserted between the Source MAC address and the EtherType/Length fields.
oThe tag contains a 12-bit VLAN ID (VID) field, which identifies the VLAN (number 1-4094).
oSwitches use this VID to make forwarding decisions—determining which ports are allowed to receive the frame based on their VLAN memberships.
[strong]General Rule:[/strong] An end-device (like a computer) typically sends and expects to receive untagged frames. A network switch adds, reads, and removes tags as frames move between devices to enforce VLAN segregation while sharing physical wiring.
Detailed Port Type Behaviors
1. Access Port (The Endpoint Specialist)
[strong]Purpose:[/strong] To connect to a single end-device that is VLAN-unaware (e.g., a computer, printer, server) or to a device configured for a single VLAN. It provides access to a single VLAN.
[strong]VLAN Handling:[/strong] It is assigned to one and only one Data VLAN (often called the "Access VLAN").
[strong]Frame Processing:[/strong]
Incoming (from device to switch): The switch receives an untagged frame. The switch adds a tag corresponding to the port's Access VLAN.
Outgoing (from switch to device): Before the frame is transmitted out the port, the switch strips the VLAN tag, converting it back to a standard, untagged Ethernet frame. The end-device never sees a tag.
Key Characteristic: It only ever handles traffic for one VLAN. Frames from any other VLAN are dropped if they try to egress out an Access port.
•Typical Use Case: A computer is connected to an Access port on a switch. The port is configured as access port VLAN 10



2. Trunk Port (The Inter-Switch Highway)
Purpose: To carry traffic for multiple VLANs between network devices, such as between two switches, or from a switch to a router or a VLAN-aware server (e.g., a virtualization host).
VLAN Handling: It is configured with a list of allowed VLANs (e.g., VLANs 10, 20, 30-50). It also has a critical parameter: the Native VLAN.
The Native VLAN: This is a special VLAN on a trunk port designed for compatibility with old, VLAN-unaware devices. Frames belonging to the Native VLAN are sent untagged across the trunk.
Incoming (to switch): If a switch receives an untagged frame on a trunk port, it assigns that frame to the Native VLAN and adds the corresponding tag internally.
Outgoing (from switch): If a frame belongs to the Native VLAN and is being sent out a trunk port, the switch removes the tag before transmission. For all other allowed VLANs, the frame is sent with its 802.1Q tag intact.
Security Note: The Native VLAN on both ends of a trunk must match. A mismatch can cause traffic leaks between VLANs and is a potential security risk.
Typical Use Case: The link between two switches in a network core.



3 Hybrid Port (The Flexible Specialist)
Purpose: A hybrid port is a versatile port type that combines the behaviors of both Access and Trunk ports. It can send frames for some VLANs tagged and for other VLANs untagged.
VLAN Handling: Like a trunk, it is configured with multiple tagged VLANs and untagged VLANs. It does not use the "Native VLAN" concept in the same way; instead, you explicitly define which VLANs egress tagged vs. untagged.
Frame Processing:
Incoming (to switch): Handled identically to a trunk port. Tagged frames are accepted based on the allowed VLAN list. Untagged frames are assigned to a specific "PVID" (Port VLAN ID), which functions like the Native VLAN.
Outgoing (from switch): This is the key difference. The switch consults its configuration for that specific Hybrid port:

• For VLANs in the "untagged" list, the switch strips the tag before transmission.
• Typical Use Cases:[/strong]
  

Connecting an IP Phone and a Computer: The phone is VLAN-aware and expects tagged voice traffic (e.g., VLAN 20). The computer behind the phone is unaware and expects untagged data traffic (e.g., VLAN 10). A Hybrid port can be configured to send VLAN 20 tagged and VLAN 10 untagged to the same phone port.

IV Summary

Feature	Access Port	Trunk Port	Hybrid Port
Purpose	Connect end-users	Connect network devices	Connect multi-VLAN devices or special endpoints
VLANs	One Data VLAN	Multiple Allowed VLANs	Multiple Allowed VLANs
Frame Handling	Always untags egress frames	Tags all egress frames except for Native VLAN	Can tag or untag egress frames per VLAN
Incoming Untagged	Assigned to Access VLAN	Assigned to Native VLAN	Assigned to PVID
Incoming Tagged	Dropped (unless tag matches Access VLAN)	Accepted if VLAN is allowed	Accepted if VLAN is allowed
Typical Device	Computer, Printer	Switch, Router	IP Phone, Advanced Server