Assuming Ethernet, but same principle for other protocols.

untagged packet – ordinary, everyday ethernet packet. No info in it to say what VLAN it should be in.

tagged packet – has an extra 2 bytes added to the header. These are defined by IEEE 802.1q and contain the VLAN number this packet should be in.

Note: The whole packet is commonly called “802.1q”, or “dot1q” even though that’s only actually the spec for the tag. However, it’s well understood to use the term like that.

​

So, why? ….

Imagine you have 2 switches (SW1 & SW2) and you want to connect the same VLANS on each. How can you connect them and stop traffic from one VLAN “leaking” into the other?

You could use a cable to connect a port on each VLAN on SW1 to a port on the corresponding to each VLAN on the SW2, but that’s not practical if you have a lot of VLANs or a large network.

The other option is to send all of the traffic, from all VLANs over a single connection. But how does each switch know which VLAN incoming packets should be assigned to? That’s where VLAN tagged packets come in.

You configure the switch interconnect ports to be trunk ports that support IEEE 802.1q (aka “dot1q”). This tells the switch that each incoming packet will have a number at a specific place in its header. That number is the VLAN that is originated from on the sending switch (inserted by the sending switch), and the receiving switch should place the packet into it’s local VLAN of the same number. The 802.1q tag is typically removed at this point and the packet becomes untagged again.