Network traffic on a tagged VLAN port is assigned a ‘tag’ indicating which VLAN the traffic belongs to. This allows the port to handle traffic for multiple VLANs at the same time. The device at the other end can then read this tag for each portion of network traffic to determine which VLAN to forward it to (presuming that the other end is hooked up into a tagged VLAN port too).

Untagged VLAN ports are assigned to a specific VLAN on the device, and all traffic coming and going on these ports are assumed to belong to that VLAN. Thus there’s no need to ‘tag’ the outgoing traffic or check for tags on the incoming traffic on these.

So if you for example had a router with two untagged VLAN ports (1 and 2 respectively) and a tagged VLAN port connected to the tagged VLAN port on another router sitting in front of the destination, incoming traffic from untagged VLAN port 1 would be given the tag ‘VLAN 1’, then forwarded over the tagged VLAN port to the second router. The second router would then read the tag and either remove it and forward the traffic to its own untagged VLAN 1 port, or perhaps send it along over another tagged VLAN port with the tag intact, depending on where the ultimate destination is.