VLAN Tagging (802.1Q) – Detailed Explanation

1. What is VLAN Tagging?

  • VLAN tagging embeds VLAN information in Ethernet frames, allowing network devices to know to which VLAN each frame belongs.
  • Purpose: Enables logical separation and isolation of network traffic over a single physical link, especially on trunk connections between switches.
  • Example: A trunk between Switch1 and Switch2 can carry both VLAN 10 and VLAN 20, keeping traffic separated using tags.

2. 802.1Q Standard Overview

  • IEEE 802.1Q is the open industry standard for VLAN tagging on Ethernet networks.
  • It adds a Tag Control Information (TCI) field into Ethernet frames to carry VLAN information.

3. Tag Structure in Ethernet Frames

  Field                    Size     Description
  TPID (Tag Protocol ID)   16 bits  Set to 0x8100 to signal that a VLAN tag is present
  TCI (Tag Control Info)   16 bits  Three subfields: Priority Code Point (3 bits, QoS), Canonical Format Indicator (1 bit), VLAN ID (12 bits, 1–4094)
  • Example: A frame tagged with VLAN ID 20 will have the 802.1Q tag inserted after the source MAC address, identifying it as VLAN 20.
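To make the tag layout concrete, here is an added Python example (not code from the original page) that inserts, parses and strips 802.1Q tags on raw Ethernet frames and checks the resulting size against the 1518-byte limit. It goes slightly beyond the table above by also recognising the 0x88A8 TPID that 802.1ad uses for the outer Q-in-Q tag, so a double-tagged frame parses as a list of tags, outermost first. The MAC addresses, VLAN IDs and payload are constructed sample values, and the function names (encode_tag, tag_frame, untag_frame, parse_frame, exceeds_standard_mtu, demo) are this example's own.

```python
"""Build and parse 802.1Q-tagged Ethernet frames (added example, not from the page).

Constructed for illustration: the MAC addresses, VLAN IDs and payload in demo().
Only the TPID values 0x8100 (802.1Q C-tag) and 0x88A8 (802.1ad S-tag) and the
TCI layout (PCP 3 bits, CFI/DEI 1 bit, VID 12 bits) come from the standards.
Frames handled here exclude the trailing 4-byte FCS.
"""
import struct
from dataclasses import dataclass
from typing import List

TPID_8021Q = 0x8100   # customer tag (C-tag)
TPID_8021AD = 0x88A8  # provider tag (S-tag) used as the outer tag in Q-in-Q
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}
MAX_UNTAGGED_FRAME = 1518  # bytes, 14-byte header + 1500-byte payload + 4-byte FCS
FCS_LEN = 4


@dataclass
class VlanTag:
    tpid: int
    pcp: int   # Priority Code Point (QoS), 0-7
    cfi: int   # Canonical Format Indicator (renamed DEI in later 802.1Q revisions)
    vid: int   # VLAN ID; 1-4094 usable, 0 = priority-only tag, 4095 reserved


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    tags: List[VlanTag]   # outermost tag first
    ethertype: int        # EtherType of the encapsulated payload
    payload: bytes


def encode_tag(vid: int, pcp: int = 0, cfi: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Return the 4-byte tag: 16-bit TPID followed by 16-bit TCI (PCP|CFI|VID)."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or cfi not in (0, 1):
        raise ValueError("tag field out of range")
    tci = (pcp << 13) | (cfi << 12) | vid
    return struct.pack("!HH", tpid, tci)


def tag_frame(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Insert a tag right after the destination+source MAC header (bytes 0-11),
    which is what a switch does when forwarding a frame out a trunk port.
    Calling it twice with tpid=TPID_8021AD on the second call yields a Q-in-Q stack."""
    return frame[:12] + encode_tag(vid, pcp, 0, tpid) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Strip the outermost tag, as a switch does before sending out an access port.
    An untagged frame is returned unchanged."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] not in TAG_TPIDS:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk any number of stacked tags and return the addresses, tags and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    tags: List[VlanTag] = []
    offset = 12
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated EtherType")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in TAG_TPIDS:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append(VlanTag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    return ParsedFrame(dst, src, tags, ethertype, frame[offset + 2:])


def exceeds_standard_mtu(frame: bytes) -> bool:
    """True when tagging has pushed the frame past 1518 bytes ('baby giant')."""
    return len(frame) + FCS_LEN > MAX_UNTAGGED_FRAME


def demo():
    """Constructed scenario: Host A (VLAN 10) sends a full-size IPv4 frame that is
    tagged onto a trunk and then wrapped in a provider S-tag (VLAN 200)."""
    host_a = bytes.fromhex("02000000000a")  # constructed locally administered MACs
    host_b = bytes.fromhex("02000000000b")
    untagged = host_b + host_a + struct.pack("!H", 0x0800) + b"\x00" * 1500
    on_trunk = tag_frame(untagged, vid=10, pcp=5)
    qinq = tag_frame(on_trunk, vid=200, tpid=TPID_8021AD)
    return untagged, on_trunk, qinq


if __name__ == "__main__":
    u, t, q = demo()
    for label, f in (("untagged", u), ("802.1Q", t), ("Q-in-Q", q)):
        p = parse_frame(f)
        print(label, len(f) + FCS_LEN, "bytes, tags:", [(hex(x.tpid), x.vid) for x in p.tags])
```

Running the script shows the untagged frame at exactly 1518 bytes (with FCS), the single-tagged frame at 1522, and the Q-in-Q frame at 1526, with the tag list reported outermost first.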

4. How 802.1Q Tagging Works

  • The switch inserts the 802.1Q tag when sending a frame out a trunk port.
  • The tag increases the frame size by 4 bytes (which may affect the MTU).
  • The receiving switch reads the tag to determine the VLAN.
  • Before a frame is sent out an access port, the tag is removed (the frame becomes untagged).

5. Native VLAN Concept in 802.1Q

  • The native VLAN on a trunk is the VLAN whose frames are sent without a tag (untagged frames).
  • By default, Cisco uses VLAN 1 as the native VLAN. Best practice: change this for security reasons.
  • Example: Native VLAN = 99. Any untagged frame arriving on the trunk is placed in VLAN 99.
  • Native VLAN mismatch: if the two ends of a trunk have different native VLANs, untagged frames can be misrouted or dropped.

6. Trunk Ports and VLAN Tagging

  • Trunk ports carry multiple VLANs simultaneously. All VLANs except the native VLAN are tagged.
  • You can restrict which VLANs are allowed on a trunk link.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99

7. Access Ports and Untagged Frames

  • Access ports are assigned to a single VLAN.
  • All traffic entering and leaving an access port is untagged. The switch handles the VLAN assignment internally.

8. Double Tagging (Q-in-Q) Overview

  • Q-in-Q (802.1ad) stacks two VLAN tags in one frame (provider tag + customer tag).
  • Use case: an enterprise's traffic, with all of its internal VLAN tags intact, can traverse a provider's MPLS network using Q-in-Q encapsulation, because the provider adds its own outer tag.

9. Impact on Switch Processing

  • Switches use the VLAN tag to pick the correct forwarding table.
  • VLAN tags isolate traffic at Layer 2, preventing inter-VLAN traffic without a Layer 3 device.

10. MTU Considerations

  • Maximum standard Ethernet frame: 1518 bytes. The 802.1Q tag adds 4 bytes (tagged frame = 1522 bytes).
  • Switches may need "baby giant" or jumbo frame support. MTU issues can cause dropped packets if not configured correctly.

11. Interoperability with Other VLAN Tagging Protocols

  Protocol   Type                Vendor
  802.1Q     Open standard       All vendors
  ISL        Cisco proprietary   Cisco only (obsolete)
  • 802.1Q is recommended and supported by all modern devices. ISL is now obsolete.

12. Security Considerations

  • VLAN Hopping Attack: An attacker tries to inject frames with double tags to jump into other VLANs.
  • Mitigation:
    • Set unused ports to access mode and assign them to an unused VLAN.
    • Change the native VLAN to an isolated, unused VLAN.
    • Disable DTP on all user-facing ports (switchport nonegotiate).
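The mitigations above are easy to state and easy to drift away from, so here is an added Python example (not code from the original page) that audits an IOS-style running configuration for them: trunks still on native VLAN 1, trunks allowing every VLAN, ports with no explicit switchport mode (so DTP may negotiate), ports missing switchport nonegotiate, and shut-down ports not parked in access mode. The configuration text is a constructed sample; the interface commands used are the ones shown on this page plus the standard switchport mode access line, and the function names (parse_interfaces, audit) and the parking VLAN number are this example's own.

```python
"""Audit an IOS-style switch config for 802.1Q hardening (added example, not from the page).

SAMPLE_CONFIG is constructed for illustration. Only commands shown on the page
(switchport mode trunk, switchport trunk allowed vlan, switchport trunk native
vlan, switchport nonegotiate) plus the standard 'switchport mode access' /
'switchport access vlan' lines are assumed.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink to Switch2 (hardened)
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description user port (hardened)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description unused, shut but not parked
 shutdown
!
interface GigabitEthernet0/4
 description trunk left at defaults
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split running-config text into {interface name: [its indented sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces


def audit(config: str, parking_vlan: int = 999) -> List[str]:
    """Return one finding string per violated hardening point, keyed by interface."""
    findings: List[str] = []
    for name, cmds in parse_interfaces(config).items():
        mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
        # IOS default native VLAN is 1 when no 'switchport trunk native vlan' is configured
        native = next((int(c.split()[-1]) for c in cmds
                       if c.startswith("switchport trunk native vlan ")), 1)
        restricts_vlans = any(c.startswith("switchport trunk allowed vlan ") for c in cmds)
        nonegotiate = "switchport nonegotiate" in cmds
        shutdown = "shutdown" in cmds

        if shutdown:
            if mode != "access":
                findings.append(f"{name}: unused port should be access mode in an "
                                f"unused VLAN (e.g. {parking_vlan}), not just shut down")
            continue
        if mode is None:
            findings.append(f"{name}: no switchport mode set, DTP may negotiate a trunk")
            continue
        if mode == "trunk" and native == 1:
            findings.append(f"{name}: trunk uses default native VLAN 1 "
                            "(move it to an isolated, unused VLAN)")
        if mode == "trunk" and not restricts_vlans:
            findings.append(f"{name}: trunk allows all VLANs "
                            "(restrict with 'switchport trunk allowed vlan')")
        if not nonegotiate:
            findings.append(f"{name}: DTP not disabled (add 'switchport nonegotiate')")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, the two hardened interfaces produce no findings, GigabitEthernet0/3 is flagged for being shut down without being parked in an access VLAN, and GigabitEthernet0/4 collects three findings (native VLAN 1, unrestricted VLANs, DTP still enabled). Pointing the script at a real "show running-config" export is the intended use; the parser only needs the "interface" blocks.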

13. Troubleshooting VLAN Tagging Issues

  • Useful commands:
    show interfaces trunk
    show vlan
    show interface [interface] switchport
  • Common Problems:
    • Native VLAN mismatch: Causes security and connectivity issues.
    • Dropped packets: May result from MTU or allowed VLAN problems.
    • End device can't communicate: Usually due to untagged/tagged frame misalignment.
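The first two problems in that list can be caught by comparing the trunk state reported by each end. Here is an added Python example (not code from the original page) that parses the native-VLAN and allowed-VLAN tables of show interfaces trunk output collected from both switches and reports a native VLAN mismatch and any VLAN allowed on only one side. The two outputs are constructed samples laid out in the shape IOS prints that command; the function names (expand_vlan_list, parse_show_trunk, compare_trunk) are this example's own.

```python
"""Spot native/allowed VLAN mismatches between two trunk ends (added example, not from the page).

SWITCH1 and SWITCH2 are constructed samples in the layout of IOS
'show interfaces trunk' output; only the first two tables are needed.
"""
from typing import Dict, List, Set

SWITCH1 = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       10,20,30
"""

SWITCH2 = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """'10,20,30' or '1-5,10' -> set of VLAN IDs; 'none' -> empty set."""
    vlans: Set[int] = set()
    if spec.strip().lower() in ("none", ""):
        return vlans
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text: str) -> Dict[str, dict]:
    """Return {port: {'native': int, 'allowed': set}} from the first two tables."""
    ports: Dict[str, dict] = {}
    section = None
    for line in text.splitlines():
        if line.startswith("Port"):
            # Each table begins with a 'Port ...' header; pick the two we care about.
            if "Native vlan" in line:
                section = "native"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None
            continue
        if not line.strip() or section is None:
            continue
        fields = line.split()
        entry = ports.setdefault(fields[0], {})
        if section == "native":
            entry["native"] = int(fields[-1])
        else:
            entry["allowed"] = expand_vlan_list(fields[1])
    return ports


def compare_trunk(local_text: str, local_port: str,
                  remote_text: str, remote_port: str) -> List[str]:
    """Describe every disagreement between the two ends of one trunk."""
    a = parse_show_trunk(local_text)[local_port]
    b = parse_show_trunk(remote_text)[remote_port]
    problems: List[str] = []
    if a["native"] != b["native"]:
        problems.append(f"native VLAN mismatch: local {a['native']} vs remote {b['native']}")
    only_local = sorted(a["allowed"] - b["allowed"])
    only_remote = sorted(b["allowed"] - a["allowed"])
    if only_local or only_remote:
        problems.append(f"allowed VLAN mismatch: only local {only_local}, only remote {only_remote}")
    return problems


if __name__ == "__main__":
    for problem in compare_trunk(SWITCH1, "Gi0/1", SWITCH2, "Gi0/1"):
        print(problem)
```

On the samples this reports the native VLAN mismatch (99 vs 1) and that VLAN 30 is allowed only on the Switch1 side, which is exactly the combination that produces silently dropped traffic for VLAN 30 and misdirected untagged frames.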

📘 Example Scenario

Switch1 and Switch2 are trunked, allowing VLANs 10 and 20, native VLAN 99.
Host A in VLAN 10 (on Switch1) sends a frame to Host B in VLAN 10 (on Switch2):
– Frame is tagged with VLAN 10 across the trunk.
– Switch2 uses the tag to forward only to VLAN 10 ports.
If an untagged frame arrives, it's assigned to VLAN 99.

📑 Summary Table

  Aspect             802.1Q Tagging Behavior
  Tagging location   After the source MAC, before the EtherType
  VLAN ID            12 bits (4094 VLANs)
  Native VLAN        Frames for the native VLAN are sent untagged
  Trunk port         Carries multiple tagged VLANs plus one untagged native VLAN
  Access port        Sends and receives only untagged frames
  MTU impact         Frame grows by 4 bytes
  Security           Harden the native VLAN configuration; avoid VLAN hopping

When to Use 802.1Q Tagging

  • Required for all trunk links between switches, routers (router-on-a-stick), and virtualization hosts.
  • Enables secure, logical traffic segmentation over shared links.

VLAN Tagging (802.1Q) Quiz

1. What is VLAN tagging used for?

Correct answer is C. VLAN tagging inserts VLAN IDs into frames to separate traffic logically.

2. What IEEE standard defines VLAN tagging?

Correct answer is A. IEEE 802.1Q is the industry standard for VLAN tagging.

3. How many bytes does the 802.1Q VLAN tag add to an Ethernet frame?

Correct answer is D. The VLAN tag is 4 bytes inserted after the source MAC address.

4. What is the default VLAN for untagged frames on a trunk port called?

Correct answer is B. The native VLAN carries untagged frames on a trunk.

5. What VLAN ID range is available in 802.1Q tagging?

Correct answer is C. VLAN IDs range from 1 to 4094 in 802.1Q.

6. What happens if the native VLAN is mismatched between two trunk ports?

Correct answer is D. Native VLAN mismatch causes untagged frames to be misdirected or dropped.

7. Which protocol enables stacking two VLAN tags on a single Ethernet frame?

Correct answer is A. Q-in-Q tagging allows double VLAN tagging, useful for service providers.

8. How does 802.1Q tagging affect the Ethernet frame size?

Correct answer is C. VLAN tagging adds a 4-byte header to the frame.

9. What is a key security risk related to VLAN tagging?

Correct answer is B. VLAN hopping exploits misconfigured trunks or native VLANs.

10. Which command is recommended to prevent unauthorized trunk negotiation?

Correct answer is D. Disabling DTP with "switchport nonegotiate" stops automatic trunk negotiation, improving security.
