What do tagged and untagged VLANs do in IT networking?


I understand the basics of VLANs, where you separate networking ports from each other to make them unable to communicate directly. I have trouble, however, grasping how tagged and untagged VLANs work. Big thanks already for the help!


2 Answers

Anonymous

VLAN tagging is something you do on trunk ports. These go between different switches or between a switch and a firewall or server. The problem is that you want to keep each VLAN separate not only on a switch but also between multiple switches, but you do not want to use one cable for each VLAN to connect your switches. So the switch can add a tiny header to the Ethernet package containing a number to indicate which VLAN that package belongs to. The switch at the other end can remove this header to restore the original package and make sure it is in the correct internal VLAN.

For example, let's say you have a router that is connected to a switch with a private VLAN and a guest VLAN. You do not want the computers in the guest VLAN to communicate with the computers in the private VLAN, but you want them both to be able to communicate with the router. This is fairly easy to set up in the switch with two different VLANs: you set up each port to be in either the private VLAN or the guest VLAN and then two ports to the router, one in each VLAN. But let's say you do not have enough spare ports to do this; maybe the router only has one usable port that can be connected to the switch, or the cable between the switch and router is very long and you do not want to have to lay down two cables. What you can do is to set this port in the switch as a trunk port and then tag the private VLAN with, say, 100 and the guest VLAN with 200. On the router you can set up two VLAN interfaces with the physical port as parent and make sure it also has the private VLAN interface tagged with 100 and the guest VLAN interface with 200. You then have two virtual interfaces in the router that are each connected to their own VLAN in the switch but using a single port and cable. If you want to add another VLAN in the future, let's say for a printer, you can do this all in the software of the switch and router without having to run another cable.
