VLAN-tagged ports are configured to carry multiple VLANs, but VLAN Untagged ports carry traffic for a single VLAN on a switch. Let’s get into more details.
VLAN tagged vs Untagged Comparison
| Technology Area | VLAN Tagged | VLAN Untagged |
|---|---|---|
| Definition | A switch port that carries traffic for one VLAN is known as an Access port by Cisco and an Untagged port by other vendors. | A switch port that carries multiple VLANs is a Trunk port by Cisco and a Tagged port by other vendors. |
| VLAN Quantity can be configured on a single port | A VLAN tagged port can be configured to carry multiple VLANs simultaneously. | A VLAN Untagged port can carry One Data VLAN and one Voice VLAN at maximum. |
| Frame Type | Frame with a VLAN tag. | Frame without a VLAN tag. |
| Cisco Terminology | Trunk Port | Access Port |
| Cisco Configuration Example | interface Fast Ethernet 0/3 switchport mode trunk switchport trunk encapsulation dot1q switchport trunk allowed vlan 100,200,300 | interface Fast Ethernet 0/1 switchport mode access switchport access vlan 100 switchport voice vlan 300 |
| Ingress Rule for packet | Only tagged packets can pass; other or untagged packets will be dropped. An Untagged packet can be marked if switchport is configured to tag the untagged packet by "switchport access vlan 100" command on cisco switches. | The switch must be configured with VLAN Tag to mark the Untagged packet coming from the end device. |
| Egress Rule for Packet | The packets will be passed unchanged. | Switch strips the VLAN before sending it to the end device. |
Let’s briefly discuss the VLAN and VLAN tag and then dive into the difference between Vlan tagged vs. Untagged.
VLANs:- Virtual LANs, or Virtual Local Area Networks, works on the Data link layer of the OSI model. VLANs help create virtual separations within a switch that provide distinct logical LANs or segregated broadcast domains that each behaves as if they were configured on a separate physical switch.
Before the invention of VLANs, a switch used to serve a single LAN and maintained a single broadcast domain, due to which broadcast packets were sent to all ports.
VLAN ethernet tags enabled a single switch to serve multiple LANs by dividing a single broadcast domain into multiple broadcast domains.
Learn how to manage VLANs centrally through VTP.
What is a VLAN tag, and why do we need a VLAN tag in the network?
- VLAN tags are a core part of the VLANs. Therefore, packets must be “tagged.” to support VLANs.
- IEEE 802.1Q is the widely used standard for setting VLAN tags on switches.
- 802.1Q adds a 32-bit field (4 bytes) to each Ethernet frame.
- The first 16 bits identify the frame as an 802. 1Q. The remaining 16 bits are split into two parts: 12 for VLAN tags and 4 for QoS operations.
- The VLAN ID is 12 bits long so that the switch can handle 4096 VLANs (2^12 = 4096), with usable numbers between 1 and 4094.
Let us look further into Untagged Port, Tagged Port, Default, and Native VLAN.
What is VLAN untagging, and what does Untagged packet mean?
Ports on the switches normally connect to the end devices that don’t understand VLAN tags, so the switch performs VLAN untagging before forwarding packets from the switch to the end device. The switch strips the VLAN tag from the frame before sending it out from the port.
Also, when a packet comes from the end device to the switchport, it is Untagged. “Untagged” traffic means that the connected host or Workstation doesn’t know which VLAN is connected to the switch port .
Frames don’t have dot1Q tags on them when they come into the switch port. Instead, the switch adds the VLAN tag, such as “200,” to the frame and sends it across the network.
In Cisco terms, the port is called Access port, and this VLAN is called Access VLAN.
In Short:- A switch port that carries traffic for one VLAN is known as an Access port by Cisco and Untagged ports by other vendors.
What is VLAN tagging?
VLAN tagging refers to understanding tagged VLAN information and carrying multiple VLANs on a single switch port.
When an interface expects frames with VLAN tags, it is referred to as a ‘tagged port’ or “trunk” port in Cisco terminology. Tagged ports or Trunk ports connect two switches to pass multiple VLAN tags on a single port.
In Short – A switch port that carries multiple VLANs is known as a Trunk port by Cisco and VLANs Tagged ports by other vendors.
So to summarize VLAN tagging vs. Untagging, the terms “Access port” and “Trunk port” are frequently used in the context of the Cisco network. On the other hand, VLANs are an open standard, which means that other vendors will also implement them. And other Vendors call it Untagged (Access port) and Tagged (Trunk Port) ports simultaneously.
What is a Native VLAN?
A native VLAN is used to identify or mark all untagged packets on a tagged or a trunk port.
Native VLANs are generally the same as the switch’s default VLAN, e.g., VLAN 1, unless you change it something else, e.g., 999.
What is Default VLAN?
Most switches that support VLANs come pre-installed with a default VLAN. Therefore, all ports on that switch will belong to the default VLAN by default.
Devices connected to the default VLAN on switch ports can access one another without configuration, creating hacking possibilities for the network. So you should always make sure you change the default VLAN to something different as per your company policies.
For example:- All cisco switches mostly come with VLAN 1 preconfigured as default VLAN on all ports.
VLAN Tagging and Untagging Example and Traffic Flow
Let’s take a scenario when Laptop-1 tries to ping Laptop-2. Both laptops are part of VLAN 200, so communication will work without using any layer3 device.
Laptop-1 and Laptop-2 are part of VLAN 200 and subnet 192.168.200.0/24 and their IP Address are 192.168.200.10/24 and 192.168.200.20/24 respectively.
Both switches have populated their MAC Address tables with all laptops/devices MAC addresses and their corresponding connected ports.
I have used the cisco 2900 series switches to demonstrate VLAN Tagged vs Untagged concept. But, of course, you can take any switch vendor of your choice, and the idea will remain the same.
Ports 1 on both switches (layer2 switch-1, layer2 switch-2) are Untagged port or Access ports.
Sample config
- interface Fa0/1
- switchport mode access
- switchport access vlan 200
Ports 2 on both switches (layer2 switch-1, layer2 switch-2) are Tagged port or Trunk ports.
Sample config
- interface Fa0/2
- switchport mode trunk
- switchport encapsulation dot1q
- switchport Trunk allowed vlan 200
- Laptop-1 will forward an Untagged packet to layer2 switch-1 port1.
- layer2 switch-1 port1 will Tag the frame with VLAN tag 200.
- layer2 switch-1 will open the frame and look at the destination mac in its MAC Address table. It will find the mac address entry and forward the packet to port2.
- layer2 switch-1 port2 will check the VLAN tag of the frame, and if it matches with the configured VLAN Tag on port2, it will forward the frame to layer-2 switch-2 port2.
- Layer2 switch-2 port2 will repeat the above process.
- Layer2 switch-2 will open the frame and look at the destination mac in its MAC Address table. It will find the mac address entry and forward the packet to port1.
- Layer2 switch-2 port1 will remove the VLAN 200 tag or Untag the packet and send it over to Laptop-2.
- Laptop-2 will receive an Untag packet.
The result of the above process will be that ping will work from Laptop-1 to Laptop-2.
Acronyms Used in the Blog
- LAN:- Local Area Network
- VLAN:- Virtual Local Area Network
- DTP:- Dynamic Trunking Protocol
Conclusion
In conclusion, in this blog post, we started with a basic understanding of VLAN and VLAN tags, then we discussed the difference between VLAN tagged vs. Untagged. Finally, we finished the article with the traffic flow.
I hope you liked the article, please share for maximum reach.
- Epson EpiqVision Flex CO-W01 Projector Review - February 21, 2025
- How to Log in to Your Netgear Router - January 17, 2025
- Gaimoo GM200 Mini Projector Review - January 12, 2025
