- <p>A bridge port must be configured for VLANs in one of two
- mutually exclusive ways:
- <ul>
- <li>A ``trunk port'' has an empty value for <ref
- column="tag"/>. Its <ref column="trunks"/> value may be
- empty or non-empty.</li>
- <li>An ``implicitly tagged VLAN port'' or ``access port''
- has an nonempty value for <ref column="tag"/>. Its
- <ref column="trunks"/> value must be empty.</li>
- </ul>
- If <ref column="trunks"/> and <ref column="tag"/> are both
- nonempty, the configuration is ill-formed.
+ <p>Bridge ports support the following types of VLAN configuration:</p>
+ <dl>
+ <dt>trunk</dt>
+ <dd>
+ <p>
+ A trunk port carries packets on one or more specified VLANs
+ specified in the <ref column="trunks"/> column (often, on every
+ VLAN). A packet that ingresses on a trunk port is in the VLAN
+ specified in its 802.1Q header, or VLAN 0 if the packet has no
+ 802.1Q header. A packet that egresses through a trunk port will
+ have a 802.1Q header if it has a nonzero VLAN ID (or a nonzero
+ 802.1Q priority).
+ </p>
+
+ <p>
+ Any packet that ingresses on a trunk port tagged with a VLAN that
+ the port does not trunk is dropped.
+ </p>
+ </dd>
+
+ <dt>access</dt>
+ <dd>
+ <p>
+ An access port carries packets on exactly one VLAN specified in the
+ <ref column="tag"/> column. Packets ingressing and egressing on an
+ access port have no 802.1Q header.
+ </p>
+
+ <p>
+ Any packet with an 802.1Q header that ingresses on an access port
+ is dropped, regardless of whether the VLAN ID in the header is the
+ access port's VLAN ID.
+ </p>
+ </dd>
+
+ <dt>native-tagged</dt>
+ <dd>
+ A native-tagged port resembles a trunk port, with the exception that
+ a packet without an 802.1Q header that ingresses on a native-tagged
+ port is in the ``native VLAN'' (specified in the <ref column="tag"/>
+ column).
+ </dd>
+
+ <dt>native-untagged</dt>
+ <dd>
+ A native-untagged port resembles a native-tagged port, with the
+ exception that a packet that egresses on a native-untagged port in
+ the native VLAN not have an 802.1Q header.
+ </dd>
+ </dl>
+ <p>
+ A packet will only egress through bridge ports that carry the VLAN of
+ the packet, as described by the rules above.