What occurs when ports are configured as access or trunk?

I have recently configured a Pepwave Surf SOHO MK3 device that is running firmware version 8.0.0 build 1429. All the ports are currently configured as “trunk”.

The devices connected to the ports are generally devices such as PCs and printers which I understand do not support 802.1Q.

What is the impact if the ports are configured as “trunk” and not “access”? My understanding is that an access port sends and receives untagged frames (i.e. all frames are in the same VLAN), while a trunk port supports tagged frames and thus allows to switch multiple VLANs.

What is the impact if the ports are configured as “access” and not “trunk” if the devices support 802.1Q?

When set to access, frames (from the single selected VLAN) are send to the port untagged and no tagged frames (from other VLANS) are passed to the port. A device that supports 802.1Q can only access the untagged frames from the selected VLAN.


To clarify, do you mean to say when a port is configured as “access”, frames from a device is sent to the port untagged?

If yes, does this mean that the port has been configured for a specific VLAN or is set as “untagged”?

If my understanding is correct, this would suggest that the devices do not support 802.1Q or there is no requirement for tagged frames? Devices that support 802.1Q support tagged frames.

It isn’t clear to me as to the issues that can occur if a port is set as “access” and a device that supports 802.1Q is attached to it or vice versa where a port is set as trunk and a device does not support 802.1Q is attached.

Hello @motivated,

If a device does not support 802.1Q (such as a PC or printer) connected to a port, then the device will only use the Native VLAN (also seen in Peplink systems as Untagged). It is possible to set within a Trunk network a default VLAN (i.e. 1234) that will be for devices not using 802.1Q, so they don’t then use the native VLAN (VLAN 0 &/or 1 depending on the brand of routers and switches).

So using your device with “Trunk” on the port will be OK if you are OK with your device using the Native VLAN or Default VLAN in your network.
If you configure the port as “Access”, then you need to have set up your VLANs to use first, and there are several posts already here in the form on doing just that, here is a guide to get you started.

Happy to Help,
Marcus :slight_smile:

1 Like

Thanks Marcus. The current configuration of the ports on the device is as follows. To clarify, if a PC is connected to one of these ports, do you mean to say that the device will be assigned to the native VLAN or the “Untagged” VLAN. If yes, what are the implications of this?

I am unclear on what you mean by " It is possible to set within a Trunk network a default VLAN (i.e. 1234) that will be for devices not using 802.1Q, so they don’t then use the native VLAN (VLAN 0 &/or 1 depending on the brand of routers and switches)"

I am unclear on the implications of the device using the native or default VLAN.

I have been through numerous articles and videos however the use of a trunk and access port remains a mystery. I’ll start with my understanding.

  1. An access port is for host devices that do not support VLANs such as PCs or printers.
  2. An access port is also classified as “untagged”. If yes, I am unsure how this relates to the port being assigned to a VLAN e.g. 10 since I would have thought that the associated ethernet frames would be “tagged”.
  3. To support the ability for a device on an access point to communicate to another device on an access port on the same VLAN connected to second switch requires a trunk to be established between the first and second switch. This is a tagged port or otherwise known as trunk.

Yes - without additional configuration on the device to tell it to use a VLAN it will be on the untagged network. The implications of this vary depending on network design. For example. if your web admin interface is accessible on the untagged LAN then anyone could plugin to your router and access it if they knew the username/password.

This is what your diagram shows - each physical port is a trunk port. Each port has a default untagged VLAN set.

Yes, but also for administrative restrictions. Imagine a school. Your router has four VLANs configured, Admin Office, Teachers, Students, Printers. The router is in the IT office, so local devices there just plug into the untagged LAN. The web admin is only available on the untagged LAN.

  • Port 1 - I want set to Trunk / Any so when I plug in devices they are on the default untagged LAN and as the IT department I can access the router web admin. I also want to be able to access the other VLANs for test purposes.
  • Port 2 - This has a CAT6 link from the IT office up to the headmasters / admin office block. I just want to present the admin office VLAN there and not present any other VLAN.
  • Port 3 - This has a CAT6 link to the core switched network of the school. All the classrooms are linked back to the core switches. So I want the Teachers, Students and Printers VLANs to be available on port 3 but nothing else.
    Further down the switching path - maybe in a computer room / suite, a switch will have the student and teacher computers connected -along with printers. That switch will have the first 2 ports say set to access for the teacher VLAN and the last two as access for the printers, then the reset will be set to student.

Yes. As per Port 2 in the example above, the admin Office VLAN is presented on port 2 which is set as an access port as untagged.

A Trunk port can carry tagged and untagged VLANS - whichever ones are selected (see the Admin Building Port 2 in the example above).

1 Like

Thanks Martin.

Let’s assume I have created VLAN 10 for Students, VLAN 11 for Teachers, VLAN 12 for IT Support Staff and VLAN 13 for Researchers.

I attribute port 1 to VLAN 10, port 2 to VLAN 11, port 3 to VLAN 12 and port 4 to VLAN 13.

If all these ports are set to the port type “trunk”, this would suggest that although each port is associated with a VLAN, any device connected to each port could access another device on a different VLAN. Is this correct? If yes, this would indicate that if the port type is access, each device is essentially in its own broadcast domain?

Is there any reason that at least one of the ports should be a trunk port and be assigned an “untagged” VLAN?

No. The ability for a device on one VLAN to access a device on another VLAN is down to routing / firewall configurations.

When a port is set to trunk, a connected device can become a member / connect to any VLAN presented in the trunk if the VLAN ID is known by the device. When the default untagged VLAN is included in the trunk any device that connects to the port (that is not VLAN aware or configured to use VLANs) will be connected to the untagged VLAN.

So in my example above for Port 3, no device connected to Port 3 can join the untagged or admin office VLAN. They might be able to route to those VLANs from whichever VLAN (teachers / students/ printers) that they have joined, but if they can that’s because of a firewall configuration on the router - not because of how the trunk is configured.

No. In fact I do lots of installs where I disable all the LAN ports on the router, and others where the untagged VLAN is never presented on a LAN port.

1 Like

Thanks @MartinLangmaid. To clarify, what’s the benefit of assigning an untagged VLAN? Why have it at all?

Its about keeping things simple. I work with partners who have hundreds of sites and don’t have a single VLAN configured for the user devices. They don’t need them, they just want to present a flat untagged network.

It also helps new users get connected fast. Most networking devices need additional config / settings changed to connect to a VLAN.

1 Like

Thanks Martin. I have a clear understanding of the value or benefit of VLANs. I am unclear on the benefit or disadvantage of have an untagged VLAN and tagged VLAN at the same time.

That’s use case dependent. In some situations an untagged LAN is a disadvantage and potentially a security issue. In other cases, using VLANs is operationally or functionally challenging and untagged VLANS are preferred.


Thanks Martin. Would you be able to share examples of these use cases so that it’s clear when to consider using untagged VLANs?


it’s easy to say…
If you want to seperate a network into smaller pieces, then you can use exta switches or you can use VLANs. VLANs are really good, to transmit different datas over one cable, and split it on the other end for example.
BUT, if you have no knowledge about VLANs, you can run into problems.
the difficulty ranking in my opinion

  1. easiest is one big network
  2. seperate the network with extra switches
  3. masterclass, using VLANs

Big companies for example seperate printers from clients to prevent the client from multicasts. In my old yompany we had more than 30 different VLANs. Without a good documentation it’s hard to understand.



To add briefly to what @dennis.hofheinz and @MartinLangmaid said: Two primary considerations for using VLANs are to partition users from each other and to reduce the number of broadcast packets on the network. The first is primarily a security issue and the second improves network performance. - Rick

1 Like

Hello @motivated,
We’ve not seen someone in the forum with so many engaging questions for a while; it is refreshing if a little daunting, reminds us of when we started with the Peplink/Pepwave range.

@MartinLangmaid, @dennis.hofheinz @Rick-DC plus many others are all sharing some excellent insights and experience; there is one thing more that we recommend. Create yourself a system (the Balance One & Balance 30 Pro are great models to train on) and see what you can do from both InControl2 and the routers web admin. Make it, break it, reset it and make it better. VLANs are incredibly useful and powerful once you get some practice in, and with the systems from Peplink/Pepwave you do not need a Masters Degree in Networking to set them up, the Peplink Engineering team have worked diligently to make it as simple as can be while ticking all the boxes from home use through to massive enterprise and government organisations.

There are several examples/guides within the Peplink Forum to have a go with, the guide mentioned previously on setting up VLANs for Printing with Firewall Isolation you have at your fingertips an excellent way to get some practice in. As you do work through the guide, you will notice that the systems from Peplink/Pepwave have evolved since publishing that guide, giving you more abilities and options to explore and work into your solutions.

Happy to Help,
Marcus :slight_smile:


Thanks @mldowling, @Rick-DC and @dennis.hofheinz. I appreciate the support and the guidance. I should further clarify my confusion.

My understanding is that the physical ports on the router can be configured and assigned to specific VLANs. For example, on the SOHO router, I can assign ports 1 - 2 to VLAN 10, port 3 to VLAN 20 and port 4 to VLAN 30.

I am aware that I can subsequently configure each port to be a trunk port or an access port. My understanding is that a trunk port is a tagged port i.e. it is tagged with the VLAN ID at the point of egress. Equally, my understanding is that an access port is untagged i.e. it is also tagged with the VLAN ID at the point of egress. This is where my confusion stems from. If both trunk and access ports are “tagged”, how do they differ? When should one be elected over another?

Note I am aware that if I were to connect a managed switch to one of these ports and assuming that the managed switch had corresponding VLANs, the port that the managed switch is connected to would be a trunk port to communicate all VLAN IDs.

True. You can also assign the untagged default VLAN.

Yes. But it is more than that. A trunk port can carry multiple tagged VLANs and a single untagged vlan at the same time.


No. When a port is set to access a single VLAN is presented and It is untagged.

They are not both tagged. If you want to present a single untagged VLAN use access. If you want to present one or more tagged VLANs and also include an untagged VLAN (or not) on a port use trunk.

Yes, but if you wanted to communicate all VLANs you would have to select them all as members of the trunk.


Thanks Martin. To clarify, if I assign VLAN 10 to port 1 and define it as an access port, I take it that it presents the single untagged VLAN you are referring to.

If yes, when a switch is connected to the port, it would suggest that all ports on the switch would only be associated with VLAN 10 assuming that the switch has been configured for VLAN 10. If it is setup to only accept traffic from VLAN 20, it would drop all the traffic. The guide suggests that an untagged port still inserts a VLAN tag/ID.

If I expand on the example, if I subsequently assign VLAN 20 to port 2, VLAN 30 to port 3 and VLAN 40 to port 4 and define these as access ports, my understanding from your feedback is that these would be distinct single VLANs.


Yes in that the switch doesn’t know the VLAN number its just presenting a normal untagged network.

*to only accept tagged traffic from VLAN 20 it would drop all other traffic - yes

Yes. With just traffic from those VLANs presented as untagged traffic on those ports.

1 Like