VLAN Tagged vs Untagged Tutorial

After reading an in-depth article about VLANs, you might still have questions about the differences between VLAN tagged vs. untagged? This blog post will discuss this topic in easy to understand language. Let’s briefly discuss the VLAN and VLAN tag and then dive into the difference between Vlan tagged vs. Untagged.

VLANs:- Virtual LANs, or Virtual Local Area Networks, works on the Data link layer of the OSI model. VLANs help create virtual separations within a switch that provide distinct logical LANs or segregated broadcast domains that each behaves as if they were configured on a separate physical switch.

Before the invention of VLANs, a switch used to serve a single LAN and maintained a single broadcast domain, due to which broadcast packets were sent to all ports.

VLAN ethernet tags enabled a single switch to serve multiple LANs by dividing a single broadcast domain into multiple broadcast domains.

Learn how to manage VLANs centrally through VTP.

What is a VLAN tag, and why do we need a VLAN tag in the network?

• VLAN tags are a core part of the VLANs. Therefore, packets must be “tagged.” to support VLANs.
• IEEE 802.1Q is the widely used standard for setting VLAN tags on switches. 
• 802.1Q adds a 32-bit field (4 bytes) to each Ethernet frame.
• The first 16 bits identify the frame as an 802. 1Q. The remaining 16 bits are split into two parts: 12 for VLAN tags and 4 for QoS operations.
• The VLAN ID is 12 bits long so that the switch can handle 4096 VLANs (2^12 = 4096), with usable numbers between 1 and 4094.

Let us look further into Untagged Port, Tagged Port, Default, and Native VLAN.

What is VLAN untagging, and what does Untagged packet mean?

Ports on the switches normally connect to the end devices that don’t understand VLAN tags, so the switch performs VLAN untagging before forwarding packets from the switch to the end device. The switch strips the VLAN tag from the frame before sending it out from the port.

Also, when a packet comes from the end device to the switchport, it is Untagged. “Untagged” traffic means that the connected host or Workstation doesn’t know which VLAN is connected to the switch port .

Frames don’t have dot1Q tags on them when they come into the switch port. Instead, the switch adds the VLAN tag, such as “200,” to the frame and sends it across the network.

In Cisco terms, the port is called Access port, and this VLAN is called Access VLAN.

In Short:- A switch port that carries traffic for one VLAN is known as an Access port by Cisco and Untagged ports by other vendors.

What is VLAN tagging?

VLAN tagging refers to understanding tagged VLAN information and carrying multiple VLANs on a single switch port.

When an interface expects frames with VLAN tags, it is referred to as a ‘tagged port’ or “trunk” port in Cisco terminology. Tagged ports or Trunk ports connect two switches to pass multiple VLAN tags on a single port.

In Short – A switch port that carries multiple VLANs is known as a Trunk port by Cisco and VLANs Tagged ports by other vendors.

So to summarize VLAN tagging vs. Untagging, the terms “Access port” and “Trunk port” are frequently used in the context of the Cisco network. On the other hand, VLANs are an open standard, which means that other vendors will also implement them. And other Vendors call it Untagged (Access port) and Tagged (Trunk Port) ports simultaneously.

What is a Native VLAN?

A native VLAN is used to identify or mark all untagged packets on a tagged or a trunk port.

Native VLANs are generally the same as the switch’s default VLAN, e.g., VLAN 1, unless you change it something else, e.g., 999.

What is Default VLAN?

Most switches that support VLANs come pre-installed with a default VLAN. Therefore, all ports on that switch will belong to the default VLAN by default.

Devices connected to the default VLAN on switch ports can access one another without configuration, creating hacking possibilities for the network. So you should always make sure you change the default VLAN to something different as per your company policies.

For example:- All cisco switches mostly come with VLAN 1 preconfigured as default VLAN on all ports.

VLAN tagged vs Untagged head to head comparison Sheet

VLAN Tagging and Untagging Example and Traffic Flow

Let’s take a scenario when Laptop-1 tries to ping Laptop-2. Both laptops are part of VLAN 200, so communication will work without using any layer3 device.

Laptop-1 and Laptop-2 are part of VLAN 200 and subnet 192.168.200.0/24 and their IP Address are 192.168.200.10/24 and 192.168.200.20/24 respectively.

Both switches have populated their MAC Address tables with all laptops/devices MAC addresses and their corresponding connected ports.

I have used the cisco 2900 series switches to demonstrate VLAN Tagged vs Untagged concept. But, of course, you can take any switch vendor of your choice, and the idea will remain the same.

Ports 1 on both switches (layer2 switch-1, layer2 switch-2) are Untagged port or Access ports.

Sample config

• interface Fa0/1
• switchport mode access
• switchport access vlan 200

Ports 2 on both switches (layer2 switch-1, layer2 switch-2) are Tagged port or Trunk ports.

Sample config

• interface Fa0/2
• switchport mode trunk
• switchport encapsulation dot1q
• switchport Trunk allowed vlan 200

1. Laptop-1 will forward an Untagged packet to layer2 switch-1 port1.
2. layer2 switch-1 port1 will Tag the frame with VLAN tag 200.
3. layer2 switch-1 will open the frame and look at the destination mac in its MAC Address table. It will find the mac address entry and forward the packet to port2.
4. layer2 switch-1 port2 will check the VLAN tag of the frame, and if it matches with the configured VLAN Tag on port2, it will forward the frame to layer-2 switch-2 port2.
5. Layer2 switch-2 port2 will repeat the above process.
6. Layer2 switch-2 will open the frame and look at the destination mac in its MAC Address table. It will find the mac address entry and forward the packet to port1.
7. Layer2 switch-2 port1 will remove the VLAN 200 tag or Untag the packet and send it over to Laptop-2.
8. Laptop-2 will receive an Untag packet.

The result of the above process will be that ping will work from Laptop-1 to Laptop-2.

Acronyms Used in the Blog

• LAN:- Local Area Network
• VLAN:- Virtual Local Area Network
• DTP:- Dynamic Trunking Protocol

Conclusion

In conclusion, in this blog post, we started with a basic understanding of VLAN and VLAN tags, then we discussed the difference between VLAN tagged vs. Untagged. Finally, we finished the article with the traffic flow.

I hope you liked the article, please share for maximum reach.

• About
• Latest Posts

Afroz Ahmad

"Hey there, network enthusiasts! My name is Afroz, and I've been a CCIE for over 14 years. I work as a Network Designer, and my true passion is teaching others about the industry and sharing my knowledge through my blog and courses. I know the struggles of navigating the complex world of networking, but I firmly believe that teaching makes you a better learner and reinforces understanding. So, whether you're just starting out or a seasoned veteran, join me on this journey of learning and discovery, it will be worth it, and who knows, you might even have some fun along the way!"

Latest posts by Afroz Ahmad (see all)

• Juggling Connections: Cisco BGP Multihoming with Two Different ISPs - March 28, 2023
• 5 Common BGP Misconfigurations, their impact, and How to Fix Them - March 15, 2023
• BGP Security Best Practices - March 9, 2023