Every Ethernet frame faces a question the moment it hits a switch: which network do you belong to?
On a simple network, the answer is obvious—there's only one network. But the moment you create VLANs to segment traffic, frames need identification. When a frame from VLAN 10 and a frame from VLAN 20 both travel down the same cable between switches, something has to distinguish them.
IEEE 802.1Q is that something. It's a 4-byte tag inserted into every frame, whispering its VLAN membership to every switch it passes through.
The Problem 802.1Q Solves
Imagine two switches connected by a single cable. Each switch has devices in VLAN 10 (Engineering) and VLAN 20 (Marketing). When an Engineering computer on Switch A sends a frame to an Engineering computer on Switch B, that frame must travel down the shared cable.
Without tagging, Switch B has no idea which VLAN the frame belongs to. It might deliver an Engineering frame to Marketing, violating the entire point of having separate VLANs.
802.1Q solves this by stamping each frame with its VLAN number before it crosses between switches. Switch B reads the tag, knows the frame belongs to VLAN 10, and forwards it only to VLAN 10 ports.
A trunk port is a wire that speaks every language at once—it carries frames from dozens of VLANs, each one tagged with its identity, coexisting on the same copper or fiber.
What the Tag Contains
The 802.1Q tag is 4 bytes inserted between the source MAC address and the EtherType field:
Tag Protocol Identifier (TPID): 2 bytes, always 0x8100. This value tells switches "an 802.1Q tag follows."
VLAN Identifier (VID): 12 bits identifying which VLAN (0-4095, with 0 and 4095 reserved, leaving 4094 usable VLANs).
Priority Code Point (PCP): 3 bits for QoS priority (0-7), letting switches prioritize voice and video over bulk data.
Drop Eligible Indicator (DEI): 1 bit marking frames that can be dropped first during congestion.
The tag adds 4 bytes to every frame, increasing the maximum frame size from 1518 to 1522 bytes. Modern equipment handles this without issue.
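The tag layout above, as an added example that is not part of the original article: a small parser and builder for the 4-byte tag, handling untagged frames, a single 802.1Q tag, and stacked Q-in-Q tags (outer TPID 0x88A8, or the older 0x9100/0x8100 variants some equipment still uses). The sample frames are constructed by hand, not captured traffic.

```python
import struct

TPID_8021Q = 0x8100    # standard customer tag
TPID_8021AD = 0x88A8   # 802.1ad service-provider outer tag (Q-in-Q)
TPID_LEGACY = 0x9100   # pre-standard outer TPID still seen on older equipment
TAG_TPIDS = {TPID_8021Q, TPID_8021AD, TPID_LEGACY}

def build_tag(vid, pcp=0, dei=0, tpid=TPID_8021Q):
    """Encode TPID + TCI (PCP:3 | DEI:1 | VID:12) as the 4-byte tag, big-endian."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("tag field out of range")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)

def parse_frame(frame):
    """Return (dst_mac, src_mac, tags, ethertype, payload).

    tags is a list of dicts (tpid/pcp/dei/vid), outermost first: empty for an
    untagged frame, one entry for 802.1Q, two for stacked Q-in-Q tags.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    off, tags = 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated header")
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
        if ethertype not in TAG_TPIDS:
            break                                  # real EtherType reached
        if len(frame) < off + 4:
            raise ValueError("truncated tag")
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4                                   # each tag adds 4 bytes
    return dst, src, tags, ethertype, frame[off + 2:]

# Constructed samples (not captured traffic): IPv4 payload, VLAN 10 with PCP 5,
# and a provider S-tag VID 500 wrapped around it
DST = bytes.fromhex("010203040506")
SRC = bytes.fromhex("0a0b0c0d0e0f")
UNTAGGED_FRAME = DST + SRC + b"\x08\x00" + b"payload"
TAGGED_FRAME = DST + SRC + build_tag(10, pcp=5) + b"\x08\x00" + b"payload"
QINQ_FRAME = DST + SRC + build_tag(500, tpid=TPID_8021AD) + TAGGED_FRAME[12:]

if __name__ == "__main__":
    for f in (UNTAGGED_FRAME, TAGGED_FRAME, QINQ_FRAME):
        print(parse_frame(f)[2:4])
```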
Access Ports vs. Trunk Ports
Switches handle VLAN tags differently depending on port type:
Access ports connect to end devices—computers, phones, printers. These devices don't understand VLAN tags and shouldn't need to.
- An untagged frame arrives from a laptop
- The switch adds an 802.1Q tag based on the port's configured VLAN
- The frame travels through the switch with its tag
- When exiting another access port in the same VLAN, the switch removes the tag
- The destination device receives an untagged frame, never knowing VLANs exist
VLANs are invisible to devices on access ports. The switch handles all the tagging.
Trunk ports connect switches to each other (or to routers doing inter-VLAN routing). They carry multiple VLANs simultaneously.
- A tagged frame arrives from another switch
- The switch reads the VLAN tag to determine where to forward it
- The frame exits on a trunk (tag preserved) or access port (tag removed)
Trunk ports preserve tags. Access ports strip them.
The Native VLAN Exception
Here's where 802.1Q gets strange. We invented this tagging system to identify VLAN membership, then immediately created an exception: the native VLAN.
Traffic in the native VLAN travels across trunk ports untagged. Why? Backward compatibility with devices that don't understand 802.1Q.
This creates problems:
Mismatch danger: Both ends of a trunk must agree on the native VLAN. If Switch A uses VLAN 1 as native and Switch B uses VLAN 99, untagged frames from each switch land in different VLANs on the other side. Connectivity breaks in confusing ways.
Security hole: The native VLAN enables "double tagging" attacks. An attacker crafts a frame with two 802.1Q tags. The first switch strips the outer tag (thinking it's native VLAN traffic), and the second switch reads the inner tag—potentially forwarding the frame into a VLAN the attacker shouldn't reach.
Best practices:
- Change the native VLAN from the default (usually VLAN 1) to an unused VLAN
- Never put user traffic in the native VLAN
- Some administrators configure trunks to tag all VLANs, including native
Priority and QoS
The 3-bit Priority Code Point field provides eight priority levels:
| Priority | Typical Use |
|---|---|
| 7 | Network control (routing protocols) |
| 6 | Voice (< 10ms latency) |
| 5 | Video (< 100ms latency) |
| 4 | Controlled load |
| 3 | Excellent effort |
| 2 | Spare |
| 1 | Background |
| 0 | Best effort (default) |
When a switch's queues fill up, it serves higher-priority frames first. Voice calls stay clear while file transfers absorb the congestion.
You'll sometimes see "802.1p" mentioned separately—it's just the priority portion of 802.1Q, not a different standard.
Double Tagging (Q-in-Q)
Double tagging adds a second 802.1Q tag for legitimate purposes:
Service provider networks: A customer uses VLANs 1-100 internally. The provider wraps all that customer's traffic in an outer tag (say, VLAN 500). The customer's VLAN numbering doesn't conflict with other customers or the provider's infrastructure.
Metro Ethernet: Extending layer 2 networks across metropolitan areas while keeping customer traffic separated.
The outer tag uses TPID 0x88A8 (defined in 802.1ad) to distinguish it from standard 802.1Q tags.
When End Devices Tag Their Own Traffic
Most devices connect to access ports and never see VLAN tags. But some scenarios require end-device tagging:
IP phones act as tiny switches. They tag voice traffic into a voice VLAN while passing computer traffic through untagged. One cable serves both phone and computer, with traffic properly separated.
Virtualization hosts run dozens of VMs that need different VLAN membership. The hypervisor tags each VM's traffic appropriately on a single physical uplink.
Servers with multiple roles might tag management traffic into VLAN 10, production into VLAN 20, and storage into VLAN 30—all on one physical interface.
Every major operating system supports creating tagged virtual interfaces on top of physical adapters.
Wireless Networks and VLAN Tagging
Wireless networks rely heavily on 802.1Q:
Multiple SSIDs map to VLANs: Corporate WiFi → VLAN 10, Guest → VLAN 20, IoT → VLAN 30. One access point, three separate networks.
Access points trunk to switches: The AP tags each client's traffic into the appropriate VLAN based on which SSID they joined.
Roaming preserves VLAN membership: As a laptop moves between access points, it stays in the same VLAN, keeping its IP address and network connectivity.
Troubleshooting
Native VLAN mismatch: Untagged traffic lands in wrong VLANs. Some switches warn about this; others fail silently. Verify both trunk ends agree.
Allowed VLAN lists don't match: If Switch A allows VLANs 10, 20, 30 on the trunk but Switch B only allows 10, 20—VLAN 30 traffic gets dropped. Both sides must allow every VLAN that needs to cross.
Wrong port mode: An access port receiving tagged traffic drops it. A trunk port doesn't behave as expected for end devices. Verify the port mode matches its purpose.
Packet captures: On trunk ports, you'll see VLAN tags in captured frames. On access ports, tags are stripped before transmission—captures won't show them.
Configuration Example
Cisco trunk setup:
Linux tagged interface: