PVID (port vlan id) vs Native VLAN - What's the difference?

We've been working a lot with VLANs lately and there seems to be some confusion about PVID vs Native VLAN. Let's talk about how those are separate things and what they do!

Affiliate Links (I earn a small percentage of the sale if you use these links):

Contact us for network consulting and best practices deployment today! We support all Grandstream, DrayTek, Obihai, Poly, Ubiquiti, MikroTik, Extreme, Palo Alto, and more!

Come back for the next video!
Twitter - @WillieHowe
TikTok - @whowe82

SUBSCRIBE! THUMBS-UP! Comment and Share!
Comments

I was hoping this would be a little clearer. But as far as I have learned it, it's like this:

In essence it's all about untagged traffic on a port.

Cisco requires you to define a port as trunk or access. When a port is a trunk port they will call the untagged traffic the native VLAN. On an access port you have to set the PVID.

Some switches have their own way (like Cisco) of defining trunk or access ports.

Some switches like Ubiquiti's don't differentiate between trunk and access ports and simply allow 1 untagged VLAN per port, whether that port is carrying tagged VLANs or not.

Some "smart" switches require you to define both untagged VLAN membership and PVID. They also allow multiple VLANs to exit the port untagged. PVID in this case defines which VLAN ingress traffic is thrown into.

Why you would want multiple untagged egress VLANs on a port is beyond me. But this is usually the confusing part in semi-managed smart switches like the Netgear GS105E and the TP-Link SG108E etc.

Klementoso

Any traffic that does not have an 802.1Q tag as it arrives on the trunk will be considered to be on the native VLAN. If a port is configured for the native VLAN, it will be able to communicate with anything on that VLAN on the switch as well as any untagged traffic that arrives on the trunk. VLAN 1 is the default native VLAN on Cisco. Also, if you have a native VLAN on a trunk port, traffic placed on that trunk from devices in the native VLAN will not be tagged. This can lead to the receiving switch interpreting this traffic to be on its native VLAN, even if the VLAN IDs don't match (this will cause a native VLAN mismatch on Cisco). It gets even trickier when you have a Cisco switch connected to a non-Cisco switch, as the VLAN ID can change from switch to switch.

brianmurray

HERE IS THE SIMPLEST EXPLANATION

*Terms*
_Untagged_ A standard Ethernet frame (802.3) that has no VLAN ID field within it.
_Tagged_ Synonymous with *Trunked*. An 802.1Q frame that has a VLAN ID set in the appropriate field within the frame.

*Rules*
1. Every port MUST have a single VLAN ID as the Untagged VLAN (default is 1).
2. Every port MUST have a single VLAN ID as the PVID VLAN (default is 1).
3. Every port MUST have the same VLAN ID set for both the Untagged and PVID.
4. Every port MAY have one or more VLAN IDs set as Tagged VLANs for that port.
5. A port that does not define any Tagged VLANs is known as an "access port".
6. A port that defines at least one Tagged VLAN is known as a trunk port.

*Scenario 1: A Switch Receives an Untagged Frame*
It will internally associate that frame with the PVID set on the port on which it was received.

*Scenario 2: A Switch Receives a Tagged Frame*
It will only accept the frame if the port it was received on has a Tagged VLAN ID that matches the VLAN ID field of the frame; otherwise the frame is dropped/ignored. It will then internally associate the frame with the VLAN ID that it was tagged with.

*Scenario 3: A Switch Must Decide Where to Forward an Outbound Frame*
It will transmit an untagged frame (802.3) out all ports whose Untagged VLAN ID matches the frame. It will simultaneously transmit a tagged frame (802.1Q) out all ports whose Trunked VLAN ID matches the frame.

jeffmeyers
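
The ingress and egress rules laid out in the comment above, together with the native VLAN mismatch described earlier in the thread and the "smart switch" case where the PVID is separate from a port's (possibly multiple) untagged egress VLANs, as a small Python model. This is an added example, not code from the video or from any commenter. The port names, the VLAN IDs (including 999 as the parked, unused PVID on the hardened trunk) and the frames are constructed for illustration. It follows the commenter's rule that a tagged frame is accepted only when the ingress port carries that VLAN tagged; as another commenter notes, vendors differ on details like this, so treat the model as the rules above and not as any particular switch.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    """A port in 'smart switch' terms: a PVID plus untagged/tagged egress membership."""
    name: str
    pvid: int                                         # VLAN an untagged ingress frame is classified into
    untagged: set[int] = field(default_factory=set)   # VLANs that leave this port without a tag
    tagged: set[int] = field(default_factory=set)     # VLANs that leave this port with an 802.1Q tag


@dataclass(frozen=True)
class Frame:
    """A frame as seen on the wire; vlan=None is a plain 802.3 frame with no 802.1Q tag."""
    src: str
    dst: str
    vlan: Optional[int] = None


class Switch:
    def __init__(self, ports: list[Port]):
        self.ports = {p.name: p for p in ports}

    def classify(self, in_port: str, frame: Frame) -> Optional[int]:
        """Scenarios 1 and 2: pick the internal VLAN for an ingress frame, None if dropped."""
        port = self.ports[in_port]
        if frame.vlan is None:
            return port.pvid            # untagged ingress -> PVID, whatever the egress settings say
        if frame.vlan in port.tagged:
            return frame.vlan           # tagged ingress for a VLAN the port carries tagged -> keep it
        return None                     # tagged ingress for any other VLAN -> dropped

    def forward(self, in_port: str, frame: Frame) -> dict[str, Frame]:
        """Scenario 3: flood to every other member port, untagged or tagged as that port dictates."""
        vlan = self.classify(in_port, frame)
        out: dict[str, Frame] = {}
        if vlan is None:
            return out
        for name, port in self.ports.items():
            if name == in_port:
                continue
            if vlan in port.untagged:
                out[name] = Frame(frame.src, frame.dst, None)    # tag stripped (or never present)
            elif vlan in port.tagged:
                out[name] = Frame(frame.src, frame.dst, vlan)    # 802.1Q tag carrying the VLAN id
        return out


# Constructed sample switch: two access ports, a "smart switch" port that is an untagged
# member of two VLANs (allowed on GS105E-class gear, rarely what you want), and a trunk.
def build_sw1() -> Switch:
    return Switch([
        Port("access10", pvid=10, untagged={10}),
        Port("access20", pvid=20, untagged={20}),
        Port("two_untagged", pvid=10, untagged={10, 20}),
        Port("trunk", pvid=1, untagged={1}, tagged={10, 20}),
    ])


def egress_vlans(in_port: str, frame: Frame) -> dict[str, Optional[int]]:
    """Which ports a frame leaves the sample switch on, and with which tag (None = untagged)."""
    return {name: f.vlan for name, f in build_sw1().forward(in_port, frame).items()}


def trunk_handoff(a_trunk: Port, b_trunk: Port, host_vlan: int = 10) -> tuple[Optional[int], Optional[int]]:
    """Send an untagged host frame from VLAN host_vlan on switch A across the trunk to switch B.

    Returns (VLAN id in the tag on the wire, VLAN switch B classifies the frame into);
    (None, None) means switch A did not forward the frame onto the trunk at all.
    """
    sw_a = Switch([Port("host", pvid=host_vlan, untagged={host_vlan}), a_trunk])
    sw_b = Switch([b_trunk, Port("host", pvid=host_vlan, untagged={host_vlan})])
    frame = Frame("02:00:00:00:00:0a", "ff:ff:ff:ff:ff:ff")       # constructed broadcast
    on_wire = sw_a.forward("host", frame).get("trunk")
    if on_wire is None:
        return None, None
    return on_wire.vlan, sw_b.classify("trunk", on_wire)


# Native VLAN mismatch: A sends VLAN 10 untagged, B files untagged ingress under its PVID of 1.
MISMATCH = trunk_handoff(
    Port("trunk", pvid=10, untagged={10}, tagged={20, 30}),
    Port("trunk", pvid=1, untagged={1}, tagged={20, 30}),
)

# Hardened: no untagged traffic on the trunk at all. The PVID is parked on an unused VLAN
# (999 here, an assumption) and every real VLAN is carried tagged on both sides, so the
# frame keeps its VLAN id end to end and a PVID mismatch can no longer move traffic.
HARDENED = trunk_handoff(
    Port("trunk", pvid=999, tagged={10, 20, 30}),
    Port("trunk", pvid=999, tagged={10, 20, 30}),
)

if __name__ == "__main__":
    print(egress_vlans("access20", Frame("02:00:00:00:00:14", "ff:ff:ff:ff:ff:ff")))
    print(egress_vlans("two_untagged", Frame("02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff")))
    print(MISMATCH, HARDENED)
```

Running it shows the three points the thread keeps circling: an untagged frame from `access20` leaves `two_untagged` untagged and `trunk` tagged 20, while an untagged frame arriving on `two_untagged` is filed under its PVID of 10 regardless of its second untagged membership; `MISMATCH` comes back as `(None, 1)`, the frame crossing the trunk with no tag and landing in VLAN 1 on the far side; `HARDENED` comes back as `(10, 10)`.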

I thought you explained it very well! Simply, and to the point. I've heard many people attempt to explain the concepts, but in such complicated fashion, that even if you already understand it, you could get confused.

tac

Yes, thank you! 🙏 Finally someone clearly explains the difference and what they are for.
It doesn't help that some manufacturers use different terminology for the same function too!

gh

Hey Willie. Here's an idea for a cool video series: an example network setup with a Cisco switch, a UniFi switch, and some sort of a router :) or better yet an L3 switch and a router/gateway. Add a Wi-Fi network (or better yet, a couple) on separate VLANs just for sh.. and giggles :) Then you can really dive deeper into trunks, tagged vs untagged traffic, etc. Great video, as always! Thank you.

piwozniak

On my main switches in the rack where there are no endpoints connected, all ports are tagged with all VLANs.

Only on ports on the switches that are connected to an endpoint device do I enable the VLAN. I want them to be on whether it be a camera or a laptop or a desktop.

When it comes to wireless devices, the VLANs are set up specifically for IoT devices and my main VLAN. Everything else is hardwired.

resolutepixel

Thanks Mr. Howe.
pvid / native / trunks what a mangle going from cisco to hpe aruba trunks. agggh!
cleared it up for me.

martinck

Good job. Whenever you have to use the same words to define other words, you know it's tough.

greggcollins

Is it possible to assign a VLAN ID based on TCP port number?

劉信榮-mr

Hi, thanks for your help. I have a question: what happens if I have one port configured in native VLAN mode and another port in PVID mode... are they compatible with each other?

victorseguragonzalez

Very timely. In my experience it's possible to lose management connectivity to your switches if you assign them IP addresses in the non-native VLAN. It further muddies the waters when I believe best practice says no traffic on untagged VLANs. I feel I have a decent working knowledge of VLAN configuration, but this aspect has always remained mysterious, so I've just worked around it.

ralphiwreckit

More confused now. Since adding a managed switch to my Synology mesh setup I can’t use my guest network due to the VLAN ID. Not a single device can connect to the guest Wi-Fi.

monfrair

Hey, is there any email address/business phone number through which you can be approached?

ovvioimagen

Setting the PVID designates which VLAN will be the "default untagged" VLAN across all ports, which is by convention VLAN 1.
Which is why we generally use VLAN 1 as the "management" VLAN for all our switches, servers, APs, in a network.

So, unless you intentionally want to change your "default untagged" network to another VLAN, don't change the PVID, or you'll be setting that VLAN untagged across all the switch ports...

The behavior of this is different for each manufacturer, so check before making any hard and fast rules about it.
I can have VLAN 1 as my PVID, and still assign port 10 with VLAN 20 untagged if I want, without changing the PVID...

davesradiorepairs

I'm guilty of using both interchangeably when referring to the native VLAN. It's kind of Ubiquiti's fault though ;). By default every port is somewhat of a "trunk" port.

MitchellEarl

Trunk interfaces should match allowed VLANs. Some vendors by default pass all defined VLANs, some do not. If you plug into a defined trunk interface with an undefined interface, what happens?

This is where native (if defined) would “kick in”. Think of it as error checking.. Security wise, creating a vlan for native would let you know that something needs attention as native vlans are patches or band aids.

If you are in charge of managing a switch or network you are tasked with being “in control”. Native allows you to be sloppy or “not in control” and things keep working.. (if defined in that capacity, in a security capacity you are aware of the potential and want the port to act a defined way..)

A correctly defined trunk to trunk, native is never seen. Trunk to “not trunk”, is when native would be seen.

Understanding this situation, or the potential for this situation; this is network design and helping yourself or others. There should be limited “unknowns” - you are tasked with being “in control”..

My 0.02

bcookbsdwebsol

It's confusing until you learn it. The best way is trial and error. Color-draw a trunk and the default VLAN, and a custom trunk with a default untagged VLAN and tagged VLAN. Maybe I am getting too deep for this video!

rdottwordottwo

Thanks for the video. It would have been even clearer if you had also used diagrams and tagging examples.

MynaIT

Strange, I just did a video about this.

JasonsLabVideos