VLAN tagging is something you do on trunk ports. These go between different switches or between a switch and a firewall or server. The problem is that you want to keep each VLAN separate not only on a switch but also between multiple switches, but you do not want to use one cable for each VLAN to connect your switches. So the switch can add a tiny header to the Ethernet packet containing a number to indicate which VLAN that packet belongs to. The switch at the other end can remove this header to restore the original packet and make sure it is in the correct internal VLAN.
For example, let's say you have a router that is connected to a switch with a private VLAN and a guest VLAN. You do not want the computers in the guest VLAN to communicate with the computers in the private VLAN, but you want them both to be able to communicate with the router. This is fairly easy to set up in the switch with two different VLANs: you set up each port to be in either the private VLAN or the guest VLAN, and then two ports to the router, one in each VLAN. But let's say you do not have enough spare ports to do this; maybe the router only has one usable port that can be connected to the switch, or the cable between the switch and router is very long and you do not want to have to lay down two cables. What you can do is set this port in the switch as a trunk port and then tag the private VLAN with, say, 100 and the guest VLAN with 200. On the router you can set up two VLAN interfaces with the physical port as parent and make sure it also has the private VLAN interface tagged with 100 and the guest VLAN interface with 200. You then have two virtual interfaces in the router that are each connected to their own VLAN in the switch, but using a single port and cable. If you want to add another VLAN in the future, let's say for a printer, you can do this all in the software of the switch and router without having to run another cable.
Network traffic on a tagged VLAN port is assigned a ‘tag’ indicating which VLAN the traffic belongs to. This allows the port to handle traffic for multiple VLANs at the same time. The device at the other end can then read this tag for each portion of network traffic to determine which VLAN to forward it to (presuming that the other end is hooked up into a tagged VLAN port too).
Untagged VLAN ports are assigned to a specific VLAN on the device, and all traffic coming and going on these ports is assumed to belong to that VLAN. Thus there's no need to 'tag' the outgoing traffic or check for tags on the incoming traffic on these.
So if, for example, you had a router with two untagged VLAN ports (1 and 2 respectively) and a tagged VLAN port connected to the tagged VLAN port on another router sitting in front of the destination, incoming traffic from untagged VLAN port 1 would be given the tag 'VLAN 1', then forwarded over the tagged VLAN port to the second router. The second router would then read the tag and either remove it and forward the traffic to its own untagged VLAN 1 port, or perhaps send it along over another tagged VLAN port with the tag intact, depending on where the ultimate destination is.
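As an added illustration of both answers above (this is example code, not something posted by either answerer), the following models the 4-byte 802.1Q tag that a switch inserts after the two MAC addresses, the access-port versus trunk-port decisions made on ingress, and the router end that picks a VLAN sub-interface by tag number. The VIDs 100 and 200 come from the first answer; the frame contents and the sub-interface names are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100           # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag between the source MAC and the EtherType (offset 12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094; 0 and 4095 are reserved")
    tci = ((pcp & 0x7) << 13) | vid      # 3-bit priority, 1-bit DEI (left 0), 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vid, frame_without_tag); vid is None when no 802.1Q tag is present."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def switch_forward(frame: bytes, ingress_mode: str, pvid: int, trunk_allowed: set):
    """Switch ingress: decide the frame's VLAN and what goes out over the trunk.

    access: wire frame is untagged, belongs to pvid, gets tagged before the trunk;
            a frame that arrives already tagged on an access port is dropped.
    trunk:  frame must carry a VID configured on the trunk, otherwise it is dropped.
    Returns (vid, frame_for_trunk) or (None, None) when dropped.
    """
    vid, inner = untag_frame(frame)
    if ingress_mode == "access":
        return (None, None) if vid is not None else (pvid, tag_frame(inner, pvid))
    if ingress_mode == "trunk":
        return (None, None) if vid is None or vid not in trunk_allowed else (vid, frame)
    raise ValueError(f"unknown port mode {ingress_mode!r}")


def router_demux(frame: bytes, subinterfaces: dict):
    """Router end of the trunk: strip the tag and pick the VLAN sub-interface by VID."""
    vid, inner = untag_frame(frame)
    return subinterfaces.get(vid), inner   # None when no sub-interface has that VID


# Constructed sample frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", ETHERTYPE_IPV4) + b"guest-host-payload")
SUBIFS = {100: "eth0.100 (private)", 200: "eth0.200 (guest)"}   # constructed names
```

Feeding `SAMPLE_FRAME` in on an access port with `pvid=200` yields a frame whose bytes 12..15 read `81 00 00 c8`, and `router_demux` on that frame returns the guest sub-interface together with the original untagged frame.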