Hello everyone, I’d like to understand how VLAN tags work. I am a kid starting my IT journey in my first job and I found out about VLAN tags but I have no idea what they do. What is the difference between tagged and untagged? Looking forward to your replies 😊
EDIT: Thank you guys so much for all your replies. I’ve read all of them and now I get it ❤️
So in a nutshell, VLAN tagging is a way to tell traffic apart based on where it should go. Think of your network like a street and a specific VLAN is a club on that street (like your management network). You don’t want just any data on the street to get into your club, so you give it a wristband with your club’s name on it. That data is now tagged and can access the club. Data without a wristband is untagged and can’t get in.
If you’re asking this I assume you already know what a VLAN actually is, but I’ll quickly try and put it in simple terms – A VLAN is a virtual LAN (Local Area Network). It’s used as a way of segregating one physical network into multiple logically-isolated networks.
A classic example is on a network switch. On a default configuration where all ports are on the default VLAN, all the devices connected to the switch can see each other and communicate. If you then assign one of the switch ports to a different VLAN than the default, that port will no longer be able to communicate with the other devices on the switch as it’s now essentially in a different network. This can be useful for various security or admin reasons.
A lot of the time you don’t want your VLANs just to be limited to one switch though. You might want VLANs that span across your whole network. That’s where VLAN tagging comes in. Using VLAN tagging you can essentially stamp the VLAN number on to a network packet before it is sent out of the switch. This means that when it arrives at its destination the receiving device knows which VLAN the packet belongs to.
The upside of tagging is it means you can jumble up all the data being sent from every VLAN on a switch and send it all together through one port, known as a “trunk” port and when it gets to its destination, the device can read the VLAN tag and easily know where the packet needs to be sent.
If you want to create two separate networks that don’t communicate with each other, you need two physical hardware switches to do this. Eventually we realized that having a separate switch for every single network wasn’t really practical. It can still be done and is a totally valid way of doing it, but most network engineers would say it’s a waste. We created vlans so we can have two separate networks inside the SAME hardware switch. Tagged or untagged simply means this packet is tagged with a vlan or is not tagged with a vlan. You can tag a packet with a vlan a bunch of different ways... maybe the wireless network you connect to tags your traffic with a vlan, maybe the computer itself is tagging the traffic with a vlan, or maybe we tag ALL traffic received on a port with a vlan. The biggest issue with vlans and learning is that some vendors will call ports different things... Cisco will call a port that can pass multiple vlans a Trunk port; other vendors will call this a tagged port.
A LAN is a local network where every connected computer can communicate with each other openly using ethernet. To route traffic between different networks you would typically use a router that is connected to both LANs and can copy the IP package inside the ethernet package from one to the other based on the destination IP address. By default all ports of a switch are part of the same LAN.
You would typically have multiple LANs for security reasons or when there is too much traffic on one LAN. Because of the broadcast nature of a LAN you will typically have problems when you connect more than 100 devices to the same LAN.
A virtual LAN is a feature in some switches where a switch can act as multiple switches at once. Each port is only a member of one vLAN and you can have multiple vLANs on one switch. This way you can for example have one vLAN for your printers and one vLAN for your workstations on the same switch. This means workstations and printers cannot communicate directly with each other through the switch.
When connecting switches with vLANs together it can become hard if each vLAN needs a separate cable. So instead we “tag” each ethernet package with the vLAN id when sending the package out on a single port acting as a trunk. That allows the receiving switch to put the package in the correct vLAN. Normal ports would still not have this tag on them and only send and receive traffic on a single vLAN. This allows you to stretch several vLANs through multiple switches located in different locations. For example if you have workstations, wifi and printers throughout the building on different floors, or even in different buildings on the campus.
But you can also use the vLAN tags between switches and computers, typically servers and routers. One trunk cable will then split into multiple vLAN network interfaces in the software. This is how a router with a single downlink cable can be connected to all the vLANs and route traffic between these.
Without tags, VLANs are entirely based on physical Ethernet ports. Switches can assign a different VLAN to each port. If a computer wants to be on more than one untagged VLAN, it needs more than one Ethernet port. Each physical Ethernet port has just the one untagged VLAN.
Tags are just an extra value in the Ethernet packet header, outside the IP packet. Tagged packets allow multiple VLANs to go through a single Ethernet port on either a switch or a computer. Packets with no tag belong to the VLAN assigned to the physical port.
Assuming Ethernet, but same principle for other protocols.
untagged packet – ordinary, everyday ethernet packet. No info in it to say what VLAN it should be in.
tagged packet – has an extra 2 bytes added to the header. These are defined by IEEE 802.1q and contain the VLAN number this packet should be in.
Note: The whole packet is commonly called “802.1q”, or “dot1q” even though that’s only actually the spec for the tag. However, it’s well understood to use the term like that.
So, why? ….
Imagine you have 2 switches (SW1 & SW2) and you want to connect the same VLANs on each. How can you connect them and stop traffic from one VLAN “leaking” into the other?
You could use a cable to connect a port on each VLAN on SW1 to the corresponding port on each VLAN on SW2, but that’s not practical if you have a lot of VLANs or a large network.
The other option is to send all of the traffic, from all VLANs over a single connection. But how does each switch know which VLAN incoming packets should be assigned to? That’s where VLAN tagged packets come in.
You configure the switch interconnect ports to be trunk ports that support IEEE 802.1q (aka “dot1q”). This tells the switch that each incoming packet will have a number at a specific place in its header. That number is the VLAN it originated from on the sending switch (inserted by the sending switch), and the receiving switch should place the packet into its local VLAN of the same number. The 802.1q tag is typically removed at this point and the packet becomes untagged again.
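The frame layout and the trunk/access behaviour described in the answers above can be made concrete with a small model. The following is an added example, not code from the thread or from any vendor: the real part is the IEEE 802.1Q frame format (destination MAC, source MAC, then an optional 4-byte tag made of a 2-byte TPID of 0x8100 and a 2-byte TCI whose low 12 bits are the VLAN ID, then the EtherType and payload); the `Switch` class, its port names, the flooding-only forwarding rule and the sample frame are constructed for illustration. It shows an untagged frame arriving on an access port being assigned that port's VLAN, being sent untagged to another access port in the same VLAN, being sent tagged out of the trunk, and never reaching a port in a different VLAN.

```python
"""Added example: 802.1Q tagging and a tiny access/trunk switch model.

Real: the frame layout and tag encoding (IEEE 802.1Q).
Constructed: the Switch class, port names, sample MACs and payload.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces a following 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id or None, ethertype, payload).

    A tagged frame carries 4 extra bytes after the source MAC: a 2-byte
    TPID (0x8100) and a 2-byte TCI (3-bit PCP, 1-bit DEI, 12-bit VID).
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def add_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag, as a switch does when sending out a trunk port."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    dst, src, vid, ethertype, payload = parse_frame(frame)
    if vid is not None:
        raise ValueError("frame is already tagged")
    tci = (pcp & 0x7) << 13 | vlan_id
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as a switch does when sending out an access port."""
    dst, src, _vid, ethertype, payload = parse_frame(frame)
    return dst + src + struct.pack("!H", ethertype) + payload


class Switch:
    """Constructed model. Ports are ("access", vid) or ("trunk", {allowed vids}).

    Untagged frames on an access port get the port's VLAN; trunk ports accept
    only tagged frames for allowed VLANs (no native VLAN in this model, and a
    tagged frame on an access port is dropped; real switches vary here).
    Forwarding is flood-only: every other port in the same VLAN gets a copy.
    """

    def __init__(self, ports: dict):
        self.ports = ports

    def ingress_vlan(self, port: str, frame: bytes):
        mode, cfg = self.ports[port]
        vid = parse_frame(frame)[2]
        if mode == "access":
            return cfg if vid is None else None
        return vid if vid in cfg else None

    def forward(self, in_port: str, frame: bytes) -> dict:
        """Return {egress_port: frame_as_sent}; empty dict means dropped."""
        vid = self.ingress_vlan(in_port, frame)
        if vid is None:
            return {}
        untagged = strip_tag(frame) if parse_frame(frame)[2] is not None else frame
        out = {}
        for port, (mode, cfg) in self.ports.items():
            if port == in_port:
                continue
            if mode == "access" and cfg == vid:
                out[port] = untagged            # access port: tag stripped
            elif mode == "trunk" and vid in cfg:
                out[port] = add_tag(untagged, vid)  # trunk port: tag inserted
        return out


def sample_frame() -> bytes:
    """Constructed untagged broadcast IPv4 frame."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0200000000aa")
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + b"payload"


def demo() -> dict:
    """Untagged frame from a VLAN 10 access port: reaches g3 (VLAN 10, untagged)
    and the trunk (tagged VID 10), never g2 (VLAN 20)."""
    sw = Switch({"g1": ("access", 10), "g2": ("access", 20),
                 "g3": ("access", 10), "trunk": ("trunk", {10, 20})})
    return sw.forward("g1", sample_frame())


if __name__ == "__main__":
    for port, frame in demo().items():
        print(port, "vlan tag:", parse_frame(frame)[2], frame.hex())
```

Run it and the output lists `g3` with no tag and `trunk` with VLAN 10, and nothing for `g2`; reversing the direction (a frame tagged 20 arriving on the trunk) delivers an untagged copy to `g2` only, which is exactly the "tag removed at this point" step the answer describes.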