VLAN Tagging

Also known as: 802.1Q, Dot1Q

The mechanism for labeling Ethernet frames with a VLAN ID so switches know where traffic belongs. Defined by the IEEE 802.1Q standard.

VLAN tagging is the mechanism by which a switch marks an Ethernet frame with a VLAN ID so that other switches know which VLAN the traffic belongs to. The 802.1Q standard defines how this tag is inserted into the frame header.

When traffic crosses a trunk port — a link carrying multiple VLANs between switches, or between a switch and a router — each frame needs to carry a label identifying which VLAN it belongs to. That label is the 802.1Q tag: a small field added to the frame header that carries the VLAN ID and a priority value used for QoS.

Access ports (the ports your endpoints plug into) don't use tags. A PC doesn't know or care about VLANs — the switch adds the tag when the frame enters and strips it when the frame leaves toward the endpoint. Tagging is a switch-to-switch and switch-to-router concern.

The native VLAN is the exception: traffic on the native VLAN travels untagged across a trunk. By default this is VLAN 1 on most switches, which is a security risk: VLAN hopping attacks rely on native-VLAN traffic crossing the trunk without a tag. Standard practice is to set the native VLAN to an unused ID that carries no production traffic and to keep it consistent on both ends of every trunk.
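As an added illustration (not part of this glossary entry), the following Python parses and builds 802.1Q tags, models the access-port insert and strip behaviour described above, and flags two things a trunk monitor would care about: a double-tagged frame and a frame explicitly tagged with the native VLAN. The sample frame, its MAC addresses and the function names are constructed for this example.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
TPID_8021AD = 0x88A8  # 802.1ad service tag (outer tag in QinQ)
TPIDS = (TPID_8021Q, TPID_8021AD)

# Constructed sample: an untagged IPv4 frame as an endpoint on an access port sends it
UNTAGGED = bytes.fromhex("001122334455 66778899aabb 0800") + b"\x45" + b"\x00" * 19

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into addresses, its stack of VLAN tags, and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in TPIDS:
            break
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        # TCI layout: 3-bit PCP (QoS priority), 1-bit DEI, 12-bit VLAN ID
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": ethertype, "payload": frame[offset + 2:]}

def push_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Ingress on an access port: the switch inserts a tag right after the source MAC."""
    if not 1 <= vid <= 4094:  # 0 and 4095 are reserved by 802.1Q
        raise ValueError("VID must be 1..4094")
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]

def pop_tag(frame: bytes) -> bytes:
    """Egress toward an endpoint: the switch strips the outermost tag, if any."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[:12] + frame[16:] if ethertype in TPIDS else frame

def trunk_anomalies(frame: bytes, native_vid: int) -> list:
    """Findings a monitoring tap on a trunk would raise for a frame it sees."""
    tags = parse_frame(frame)["tags"]
    findings = []
    if len(tags) > 1:
        findings.append("double-tagged frame on a trunk that should carry single tags")
    if tags and tags[0]["vid"] == native_vid:
        findings.append(f"explicit tag for native VLAN {native_vid}; native traffic should be untagged")
    return findings
```

Running `trunk_anomalies` over frames captured on a trunk with the native VLAN set to an unused ID should return an empty list for every frame; any finding points at a misconfigured or hostile neighbour.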

Tagging matters most when you're configuring switches, troubleshooting mismatched VLANs, or setting up virtualization where the host has to pass tagged traffic through to its VMs.