Networking
VLAN Tagging
Also known as: 802.1Q, Dot1Q
The mechanism for labeling Ethernet frames with a VLAN ID so switches know where traffic belongs. Defined by the IEEE 802.1Q standard.
VLAN tagging is the mechanism by which a switch marks an Ethernet frame with a VLAN ID so that other switches know which VLAN the traffic belongs to. The IEEE 802.1Q standard defines how this tag is inserted into the frame header.
When traffic crosses a trunk port — a link carrying multiple VLANs between switches, or between a switch and a router — each frame needs to carry a label identifying which VLAN it belongs to. That label is the 802.1Q tag: a 4-byte field inserted into the Ethernet frame header containing the VLAN ID (1-4094) and a priority value used for QoS.
Access ports (the ports your endpoints plug into) don't use tags. A PC doesn't know or care about VLANs — the switch adds the tag when the frame enters and strips it when the frame leaves toward the endpoint. Tagging is a switch-to-switch and switch-to-router concern.
The native VLAN is the exception: traffic on the native VLAN travels untagged across a trunk. By default this is VLAN 1 on most switches, which is a security risk — VLAN hopping attacks exploit the native VLAN. Standard practice is to set the native VLAN to an unused ID that carries no production traffic.
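The tag layout and the switch behaviour described above (insert on access ingress, strip on access egress, untagged-means-native on a trunk) can be made concrete with a small frame builder and parser. The following is an added example written for this entry, not code from the original page or from any switch vendor; the function names, the MAC addresses and the sample frames are constructed for illustration, and the choice to refuse an already-tagged frame arriving on an access port is this example's own policy rather than something the standard mandates.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces "an 802.1Q tag follows"


def build_tag(vlan_id, pcp=0, dei=0):
    """Return the 4-byte 802.1Q tag: 16-bit TPID, then 16-bit TCI
    (3-bit priority code point, 1-bit drop-eligible flag, 12-bit VLAN ID)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094 (0 and 4095 are reserved)")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is a 3-bit field, DEI a 1-bit field")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0):
    """Assemble an Ethernet II frame. With vlan_id set, the tag sits where
    802.1Q puts it: between the source MAC and the original EtherType."""
    tag = build_tag(vlan_id, pcp) if vlan_id is not None else b""
    return dst_mac + src_mac + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan, ethertype, payload); vlan is (pcp, dei, vid) or None.
    Only one tag is removed: if the returned ethertype is still 0x8100 the frame
    carries a second, stacked tag, which a port facing endpoints should never see."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the minimum Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = (tci >> 13, (tci >> 12) & 1, tci & 0x0FFF)
        offset = 18
    return dst, src, vlan, ethertype, frame[offset:]


def access_ingress(frame, port_vlan):
    """Access port receive: the endpoint sends untagged, the switch adds the port's VLAN.
    Policy assumed here: a frame that already carries a tag is refused (returns None)
    rather than having its tag trusted."""
    dst, src, vlan, ethertype, payload = parse_frame(frame)
    if vlan is not None:
        return None
    return build_frame(dst, src, ethertype, payload, vlan_id=port_vlan)


def access_egress(frame):
    """Access port transmit: strip the tag so the endpoint sees a plain frame."""
    dst, src, _vlan, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, ethertype, payload)


def trunk_classify(frame, native_vlan):
    """Trunk port receive: a tagged frame belongs to its VID; an untagged frame
    is assigned to the native VLAN, which is why the native VLAN should be an unused ID."""
    _, _, vlan, _, _ = parse_frame(frame)
    return vlan[2] if vlan is not None else native_vlan


# Constructed sample addresses and frames (not captured traffic).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
UNTAGGED = build_frame(DST, SRC, 0x0800, b"ip-payload")
TAGGED = build_frame(DST, SRC, 0x0800, b"ip-payload", vlan_id=100, pcp=5)

if __name__ == "__main__":
    print("tag bytes for VID 100 / PCP 5:", build_tag(100, pcp=5).hex())
    print("parsed:", parse_frame(TAGGED)[2:4])
    print("trunk sees untagged frame as VLAN", trunk_classify(UNTAGGED, 999))
```

`build_tag(100, pcp=5)` yields `8100a064`: the TPID followed by a TCI whose top three bits carry the priority and whose low twelve bits carry the VLAN ID. `trunk_classify` shows the native VLAN rule directly: an untagged frame on a trunk is not rejected, it is silently placed into whatever VLAN is configured as native, so pointing the native VLAN at an ID with no production hosts removes the value of getting an untagged frame onto that link.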
Understanding 802.1Q is important if you're configuring switches manually, troubleshooting mismatched VLANs, or setting up hypervisor networking where the host needs to pass tagged traffic through to VMs.