802.1Q VLAN Tagging Explained

1. Why Frame Tagging Is Needed

When a single physical link carries traffic for multiple VLANs — a trunk link — the receiving switch must be able to identify which VLAN each frame belongs to. Without a tagging mechanism, all frames would look identical at Layer 2 and the switch would have no way to sort them into the correct broadcast domains.

The IEEE 802.1Q standard (published 1998, continuously revised) solves this by defining a 4-byte tag field that is inserted directly into the Ethernet frame. This tag carries the VLAN identifier and a QoS priority value. The process is transparent to end devices — tags are inserted by the ingress switch and stripped by the egress switch before the frame is delivered to any end device.

  Scenario: PC → switch access port
    Tagged?  No — frame is untagged
    Reason:  End devices do not understand 802.1Q tags; the access port accepts the frame and
             internally associates it with the configured VLAN

  Scenario: Switch → switch (trunk link)
    Tagged?  Yes — frame is tagged (except native VLAN)
    Reason:  The trunk carries multiple VLANs; the tag tells the far-end switch which VLAN this
             frame belongs to

  Scenario: Switch → router sub-interface (ROAS)
    Tagged?  Yes — frame is tagged
    Reason:  The router sub-interface uses encapsulation dot1q <vlan-id> to identify which
             sub-interface handles which VLAN

  Scenario: Switch → end device (access port egress)
    Tagged?  No — tag is stripped
    Reason:  The switch removes the 802.1Q tag before sending the frame out an access port, so the
             end device receives a standard Ethernet frame


2. The Standard Ethernet Frame — Before Tagging

To understand what 802.1Q changes, it helps to first know the structure of a standard (untagged) Ethernet II frame — the frame format used on virtually all modern LANs.

  Standard Ethernet II Frame (untagged) — total: 64 to 1518 bytes

  ┌─────────────┬─────────────┬───────────┬──────────────────────┬─────────┐
  │  Preamble   │  Dest MAC   │  Src MAC  │ EtherType / Length   │Payload  │  FCS
  │  + SFD      │  6 bytes    │  6 bytes  │     2 bytes          │46–1500B │  4B
  │  8 bytes    │             │           │                      │         │
  └─────────────┴─────────────┴───────────┴──────────────────────┴─────────┘
  (Preamble and SFD are added/removed by the physical layer; not part of the
   "frame" in most Layer 2 discussions)

  Without Preamble/SFD the frame is:
  ┌─────────────┬─────────────┬──────────┬──────────────────────┬─────┐
  │  Dest MAC   │   Src MAC   │EtherType │       Payload        │ FCS │
  │  (6 bytes)  │  (6 bytes)  │ (2 bytes)│    (46–1500 bytes)   │(4B) │
  └─────────────┴─────────────┴──────────┴──────────────────────┴─────┘
  Minimum frame: 64 bytes   Maximum frame: 1518 bytes

  EtherType examples:
    0x0800  =  IPv4
    0x0806  =  ARP
    0x86DD  =  IPv6
    0x8100  =  802.1Q tagged frame  ← this value signals a VLAN tag is present

FCS recalculation: When a switch inserts the 802.1Q tag, the original FCS (Frame Check Sequence) is invalid because the frame content has changed. The switch recalculates and replaces the FCS after tag insertion. The same happens when the tag is stripped on egress.

3. The 802.1Q Tagged Frame — Structure After Tag Insertion

When a switch needs to send a frame out a trunk port, it inserts the 4-byte 802.1Q tag between the Source MAC address field and the EtherType/Length field. This is a frame modification at Layer 2 — not encapsulation (the original frame fields are preserved around the tag).

  802.1Q Tagged Ethernet Frame:

  ┌─────────────┬─────────────┬──────────┬──────────┬──────────────────────┬─────┐
  │  Dest MAC   │   Src MAC   │  TPID    │   TCI    │       Payload        │ FCS │
  │  (6 bytes)  │  (6 bytes)  │ (2 bytes)│ (2 bytes)│    (46–1500 bytes)   │(4B) │
  └─────────────┴─────────────┴──────────┴──────────┴──────────────────────┴─────┘
                               ◄───────── 4-byte 802.1Q tag ──────────►

  Maximum tagged frame size:  1518 + 4 = 1522 bytes
  (NICs and switches must support "baby giant" frames on trunk links)

  TPID = Tag Protocol Identifier  (2 bytes / 16 bits)
  TCI  = Tag Control Information  (2 bytes / 16 bits)
         └─► contains PCP + DEI + VID

Comparing Untagged vs Tagged Frame Size

  Frame Type                      Maximum Size   Minimum Size   Notes
  ------------------------------  ------------   ------------   -----------------------------------------------
  Standard Ethernet (untagged)    1518 bytes     64 bytes       IEEE 802.3 baseline
  802.1Q tagged frame             1522 bytes     68 bytes       4 bytes added for the tag; IEEE 802.3ac amendment
  Double-tagged (QinQ / 802.1ad)  1526 bytes     72 bytes       Two 802.1Q tags; used in service provider networks

4. The Four Tag Fields — TPID, PCP, DEI, VID

The 4-byte 802.1Q tag is divided into two 2-byte sub-fields: the TPID and the TCI. The TCI is itself divided into three sub-fields: PCP, DEI, and VID.

  The 4-byte 802.1Q Tag — bit-level layout (32 bits total):

  Bits:  15–0 (TPID, 16 bits)       15–13 (PCP)  12 (DEI)  11–0 (VID, 12 bits)
         ◄────────────────────────►  ◄──────────────────────────────────────────►
  ┌─────────────────────────────────┬──────────┬────┬──────────────────────────┐
  │           TPID                  │   PCP    │DEI │           VID            │
  │       16 bits = 0x8100          │  3 bits  │ 1b │         12 bits          │
  └─────────────────────────────────┴──────────┴────┴──────────────────────────┘
  ◄─────────────────── 2 bytes ─────────────────────►◄──────── 2 bytes ────────►

4.1 TPID — Tag Protocol Identifier (16 bits)

The TPID occupies the same position as the EtherType field in an untagged frame. Its value is always 0x8100 for standard 802.1Q tagging. When a switch or NIC reads 0x8100 in the EtherType position, it knows the next 2 bytes are the TCI (containing PCP, DEI, and VID) rather than the start of the payload. The actual EtherType of the payload (e.g., 0x0800 for IPv4) follows after the tag.

  TPID Value   Standard              Meaning
  ----------   -------------------   -------------------------------------------------------------------
  0x8100       IEEE 802.1Q           Standard single VLAN tag — used in enterprise networks
  0x88A8       IEEE 802.1ad (QinQ)   Outer tag in double-tagging (Provider Bridging / QinQ) — used in
                                     service provider networks to tunnel customer VLANs
  0x9100       Proprietary           Older vendor-proprietary QinQ outer tag (Cisco, others) — used
                                     before 802.1ad standardisation

4.2 PCP — Priority Code Point (3 bits)

The PCP field provides Layer 2 QoS (Quality of Service) prioritisation, also known as Class of Service (CoS). It is a 3-bit field supporting values 0–7. Higher values indicate higher priority. The PCP value is used by switches to make queuing and forwarding decisions for time-sensitive traffic such as voice and video.

  PCP Value   CoS Name                  Typical Use
  ---------   -----------------------   -------------------------------------------------------------------
  0           Best Effort (default)     Normal data traffic — no priority treatment
  1           Background                Bulk data, backups — lower than best effort
  2           Spare                     General use
  3           Excellent Effort          Critical data applications
  4           Controlled Load           Streaming video, important business data
  5           Video (<100ms latency)    VoIP bearer (voice payload) — default CoS for IP phone voice traffic
  6           Voice (<10ms latency)     VoIP signalling (call setup/teardown); interactive video
  7           Network Control           Routing protocol traffic (OSPF, EIGRP, BGP hellos)

PCP vs DSCP: PCP is a Layer 2 QoS marking carried in the 802.1Q tag and only meaningful within the LAN (it is lost when a packet crosses a routed boundary). DSCP (Differentiated Services Code Point) is a Layer 3 marking in the IP header that survives routing. In a typical enterprise, IP phones mark voice at CoS 5 (PCP) at Layer 2 and DSCP EF (Expedited Forwarding) at Layer 3. See: QoS Marking | QoS Overview

4.3 DEI — Drop Eligible Indicator (1 bit)

The DEI bit (formerly called the CFI — Canonical Format Indicator in older 802.1Q revisions) is a single bit. In modern usage it indicates whether a frame is eligible to be dropped during periods of network congestion. A value of 0 means the frame should be treated normally; a value of 1 marks the frame as drop-eligible — it may be discarded by a congested switch before frames with DEI = 0.

Historical note: The original name CFI (Canonical Format Indicator) was used when 802.1Q needed to bridge between Ethernet and Token Ring networks, indicating whether MAC addresses were in canonical (little-endian) or non-canonical format. Token Ring is obsolete; the field was repurposed and renamed DEI in the 802.1Q-2011 revision.

4.4 VID — VLAN Identifier (12 bits)

The VID is the core of the 802.1Q tag — the 12-bit field that identifies which VLAN the frame belongs to. 12 bits can represent values from 0 to 4095, giving a theoretical maximum of 4096 VLANs.

  VID = 12 bits:
  Bit values:  2048  1024  512  256  128  64  32  16   8   4   2   1
  Binary:         0     0    0    0    0    0   1   0   0   0   1   0  =  VLAN 34  (32 + 2)

  VID = 0     : Reserved — used when only PCP/CoS is carried (no VLAN membership)
  VID = 1     : Default VLAN (factory default on all Cisco switch ports)
  VID = 2–4094: Configurable VLANs (normal range 2–1001; extended range 1006–4094)
  VID = 4095  : Reserved — not configurable

  12 bits = 4096 possible values → practical usable range = 4094 VLANs (1–4094)

5. Tag Insertion and Stripping — Step by Step

The 802.1Q tagging process is entirely handled by switches. End devices send and receive standard untagged Ethernet frames — they are never aware that VLAN tagging is occurring.

5.1 Tag Insertion — Ingress Access Port to Trunk

  Scenario: PC (VLAN 10) sends a frame that must travel across a trunk to another switch.

  Step 1 — PC sends an untagged Ethernet frame:
  ┌─────────────┬─────────────┬──────────┬──────────────────────┬─────┐
  │  Dest MAC   │   Src MAC   │EtherType │       Payload        │ FCS │
  │ AA:BB:CC:.. │ 11:22:33:.. │  0x0800  │     (IPv4 data)      │     │
  └─────────────┴─────────────┴──────────┴──────────────────────┴─────┘

  Step 2 — Frame arrives at Switch A on access port Fa0/1 (configured: VLAN 10).
           Switch associates the frame with VLAN 10 internally.

  Step 3 — Switch A's MAC address table lookup:
           Destination is reached via trunk port Gi0/1 → tag insertion required.

  Step 4 — Switch A inserts 802.1Q tag (VID = 10, PCP = 0, DEI = 0):
  ┌─────────────┬─────────────┬──────────┬───────────┬──────────────────────┬─────┐
  │  Dest MAC   │   Src MAC   │  0x8100  │  VID=10   │       Payload        │ FCS │
  │ AA:BB:CC:.. │ 11:22:33:.. │  (TPID)  │PCP=0 DEI=0│     (IPv4 data)      │(new)│
  └─────────────┴─────────────┴──────────┴───────────┴──────────────────────┴─────┘
           FCS is recalculated to cover the modified frame.

  Step 5 — Tagged frame is sent out trunk port Gi0/1 to Switch B.

5.2 Tag Stripping — Trunk to Egress Access Port

  Step 6 — Switch B receives tagged frame on trunk port Gi0/1.
           Reads TPID = 0x8100 → this is a tagged frame.
           Reads VID = 10 → this frame belongs to VLAN 10.

  Step 7 — Switch B looks up destination MAC in VLAN 10's MAC table.
           Destination PC is on access port Fa0/3 (VLAN 10).

  Step 8 — Switch B STRIPS the 802.1Q tag:
  ┌─────────────┬─────────────┬──────────┬──────────────────────┬─────┐
  │  Dest MAC   │   Src MAC   │EtherType │       Payload        │ FCS │
  │ AA:BB:CC:.. │ 11:22:33:.. │  0x0800  │     (IPv4 data)      │(new)│
  └─────────────┴─────────────┴──────────┴──────────────────────┴─────┘
           FCS recalculated again after tag removal.

  Step 9 — Untagged frame delivered to destination PC.
           PC receives a standard Ethernet frame — completely unaware of VLANs.

Where does tagging/stripping happen? Tagging occurs when a frame moves from an access port (or internal VLAN association) onto a trunk port. Stripping occurs when a frame moves from a trunk port onto an access port. A frame is never tagged when it stays within the same switch between two access ports in the same VLAN.
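Sections 3 to 5 describe the tag layout, tag insertion and tag stripping in prose; the Python script below is an added example (not switch or vendor code) that builds the untagged frame from Step 1, inserts and strips the tag with the FCS recalculated each time, and parses the tag fields back out. It goes beyond the single-tag case in the text by walking a stack of 0x88A8/0x8100 tags, which is the layout section 9 describes. All function names are this example's own; the MAC addresses extend the page's AA:BB:CC:.. and 11:22:33:.. placeholders, the payload is constructed, and the FCS uses zlib.crc32, which implements the same CRC-32 as the Ethernet FCS.

```python
# Added example: build, tag, untag and parse 802.1Q frames as raw bytes.
# Not vendor or switch code. FCS = CRC-32 (zlib.crc32 uses the Ethernet
# polynomial) appended least-significant byte first, as it appears on the wire.
import struct
import zlib

TPID_8021Q = 0x8100    # standard single C-tag
TPID_8021AD = 0x88A8   # 802.1ad (QinQ) outer S-tag
TPID_LEGACY = 0x9100   # pre-standard vendor QinQ outer tag
TPIDS = {TPID_8021Q, TPID_8021AD, TPID_LEGACY}


def fcs(body: bytes) -> bytes:
    """4-byte FCS over everything from Dest MAC to the end of the payload."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_untagged(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: 6 + 6 + 2 + payload + 4, padded so the frame is >= 64 bytes."""
    body = (dst + src + struct.pack(">H", ethertype) + payload).ljust(60, b"\x00")
    return body + fcs(body)


def pack_tci(pcp: int, dei: int, vid: int) -> int:
    """TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits), as in the bit layout above."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("PCP, DEI or VID out of range")
    return (pcp << 13) | (dei << 12) | vid


def unpack_tci(tci: int) -> tuple:
    """Inverse of pack_tci: (pcp, dei, vid)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def insert_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0,
               tpid: int = TPID_8021Q) -> bytes:
    """Trunk egress: insert a 4-byte tag after the Src MAC (offset 12), then recompute
    the FCS because the frame content changed. Calling this on an already tagged
    frame with tpid=TPID_8021AD produces the 802.1ad double-tagged layout."""
    body = frame[:-4]                       # the old FCS no longer matches
    tag = struct.pack(">HH", tpid, pack_tci(pcp, dei, vid))
    new_body = body[:12] + tag + body[12:]
    return new_body + fcs(new_body)


def strip_tag(frame: bytes) -> bytes:
    """Access-port egress: remove the outermost tag (bytes 12..15) and recompute the FCS."""
    if struct.unpack(">H", frame[12:14])[0] not in TPIDS:
        raise ValueError("frame carries no 802.1Q tag")
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)


def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack after the Src MAC: a TPID in the EtherType position means the
    next 2 bytes are a TCI; anything else there is the real EtherType."""
    off, tags = 12, []
    while struct.unpack(">H", frame[off:off + 2])[0] in TPIDS:
        tpid, tci = struct.unpack(">HH", frame[off:off + 4])
        pcp, dei, vid = unpack_tci(tci)
        tags.append({"tpid": tpid, "pcp": pcp, "dei": dei, "vid": vid})
        off += 4
    return {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "tags": tags,                                   # outermost tag first
        "ethertype": struct.unpack(">H", frame[off:off + 2])[0],
        "payload": frame[off + 2:-4],
        "fcs_ok": frame[-4:] == fcs(frame[:-4]),        # False if a bit flipped in transit
        "length": len(frame),
    }


# Constructed sample frame: 1500-byte IPv4 payload so the sizes match the text.
PC_FRAME = build_untagged(bytes.fromhex("aabbccddeeff"), bytes.fromhex("112233445566"),
                          0x0800, b"\x45" + b"\x00" * 1499)

if __name__ == "__main__":
    tagged = insert_tag(PC_FRAME, vid=10)                    # 1518 -> 1522 bytes
    qinq = insert_tag(tagged, vid=100, tpid=TPID_8021AD)     # 1522 -> 1526 bytes
    for name, f in (("untagged", PC_FRAME), ("tagged", tagged), ("QinQ", qinq)):
        info = parse_frame(f)
        print(f"{name}: {info['length']} bytes, tags={info['tags']}, fcs_ok={info['fcs_ok']}")
    print("strip restores original:", strip_tag(tagged) == PC_FRAME)
```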

6. Native VLAN — The Untagged Exception

The native VLAN is the one VLAN on a trunk port whose frames are sent and received without an 802.1Q tag. This is by design in the IEEE 802.1Q standard — it exists to maintain backward compatibility with older devices that do not understand 802.1Q tagging.

Native VLAN Behaviour

  Trunk link between Switch A (native VLAN 1) and Switch B (native VLAN 1):

  Frame in VLAN 10  →  tagged   (VID = 10)   →  received, decoded, placed in VLAN 10
  Frame in VLAN 20  →  tagged   (VID = 20)   →  received, decoded, placed in VLAN 20
  Frame in VLAN 1   →  UNTAGGED              →  received, placed in native VLAN (VLAN 1)

  The switch sending native VLAN traffic omits the 802.1Q tag entirely.
  The receiving switch places any untagged frame into its configured native VLAN.

Native VLAN Mismatch — What Happens

  Switch A native VLAN = 99     Switch B native VLAN = 1 (default)
                         │                            │
  Switch A sends a frame from VLAN 99 → no tag applied (native)
                         │
                         └──── arrives at Switch B as untagged
                                         │
                               Switch B receives it → places it in its native VLAN = 1
                               Frame from VLAN 99 is now in VLAN 1 on Switch B!

  Result:
  - Traffic leaks between VLANs 99 and 1
  - Cisco generates a CDP "Native VLAN mismatch" syslog warning
  - Potential security exposure and connectivity failures

Native VLAN must match on both ends of every 802.1Q trunk link. Use show interfaces trunk to verify. Cisco IOS also reports mismatches via CDP. Both ends must be set to the same native VLAN using switchport trunk native vlan <id>.

Native VLAN Security Best Practice

  Recommendation: Change native VLAN from VLAN 1 to an unused VLAN (e.g., VLAN 999)
    Reason: Prevents double-tagging VLAN-hopping attacks. An attacker on a VLAN 1 access port can craft
            a frame with two tags; the switch strips the outer VLAN 1 tag (native), and the inner tag
            carries the frame into a different VLAN across the trunk

  Recommendation: Assign no user devices to the native VLAN
    Reason: Ensures untagged traffic on trunks carries no real data, limiting the impact of any native
            VLAN misconfiguration

  Recommendation: Use vlan dot1q tag native (global command)
    Reason: Forces the switch to tag native VLAN frames as well, removing the untagged exception
            entirely — useful in high-security environments

  Changing the native VLAN on a Cisco trunk port:

  Switch(config)# interface gigabitEthernet 0/1
  Switch(config-if)# switchport trunk native vlan 999

  ! Both ends of the trunk must use the same native VLAN:
  SwitchB(config)# interface gigabitEthernet 0/1
  SwitchB(config-if)# switchport trunk native vlan 999

  ! Optional: tag the native VLAN globally (forces tagging on all native VLAN frames)
  Switch(config)# vlan dot1q tag native
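The native VLAN behaviour, the mismatch scenario and the three recommendations above, as an added Python model (not vendor code): each TrunkPort applies the settings named in this section (native VLAN, vlan dot1q tag native, allowed VLANs) on egress and ingress, and leaked_vlans() reports which VLANs sent from one end land in a different VLAN on the other, which is the check you would otherwise make by reading show interfaces trunk on both switches. A "wire" frame here is just the optional 4-byte tag plus the bytes that follow it (EtherType onward), since the MACs play no part; only the sending side of vlan dot1q tag native is modelled, and the class, function and port names are this example's own.

```python
# Added example: a model of 802.1Q trunk egress/ingress with a native VLAN.
# Not vendor code. A "wire" frame here is [optional 4-byte tag] + the bytes that
# follow the tag position (EtherType onward); MAC addresses are left out.
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

TPID = 0x8100


@dataclass(frozen=True)
class TrunkPort:
    """One end of a trunk, with the Cisco settings used in this section."""
    name: str
    native_vlan: int = 1                    # switchport trunk native vlan <id>
    tag_native: bool = False                # vlan dot1q tag native (egress side only)
    allowed: frozenset = frozenset(range(1, 4095))  # switchport trunk allowed vlan ...

    def egress(self, vid: int, rest: bytes) -> Optional[bytes]:
        """Frame leaving this trunk port: tagged unless it is in the native VLAN."""
        if vid not in self.allowed:
            return None                                  # not allowed on the trunk: dropped
        if vid == self.native_vlan and not self.tag_native:
            return rest                                  # the untagged exception
        return struct.pack(">HH", TPID, vid) + rest      # PCP=0, DEI=0

    def ingress(self, wire: bytes) -> Optional[Tuple[int, bytes]]:
        """Frame arriving on this trunk port: VID from the tag, else the native VLAN."""
        if len(wire) >= 4 and struct.unpack(">H", wire[:2])[0] == TPID:
            vid = struct.unpack(">H", wire[2:4])[0] & 0xFFF
            rest = wire[4:]
        else:
            vid, rest = self.native_vlan, wire           # untagged -> native VLAN
        return (vid, rest) if vid in self.allowed else None


def forward(a: TrunkPort, b: TrunkPort, vid: int, rest: bytes) -> Optional[int]:
    """Send a VLAN `vid` frame from A to B over the trunk; return the VLAN B assigns it to."""
    wire = a.egress(vid, rest)
    if wire is None:
        return None
    got = b.ingress(wire)
    return None if got is None else got[0]


def native_mismatch(a: TrunkPort, b: TrunkPort) -> bool:
    """The condition show interfaces trunk reveals and CDP warns about."""
    return a.native_vlan != b.native_vlan


def leaked_vlans(a: TrunkPort, b: TrunkPort, vlans: Iterable[int]) -> Dict[int, int]:
    """VLANs whose frames from A land in a different VLAN on B, mapped to where they land."""
    leaks = {}
    for vid in vlans:
        got = forward(a, b, vid, b"\x08\x00")            # constructed IPv4 EtherType stub
        if got is not None and got != vid:
            leaks[vid] = got
    return leaks


if __name__ == "__main__":
    sw_a = TrunkPort("SwitchA Gi0/1", native_vlan=99)
    sw_b = TrunkPort("SwitchB Gi0/1")                    # default native VLAN 1
    print("mismatch:", native_mismatch(sw_a, sw_b))                 # True
    print("A->B leaks:", leaked_vlans(sw_a, sw_b, [1, 10, 99]))     # {99: 1}
    print("B->A leaks:", leaked_vlans(sw_b, sw_a, [1, 10, 99]))     # {1: 99}

    # Fix 1: the same unused native VLAN on both ends.
    fixed_a, fixed_b = TrunkPort("A", native_vlan=999), TrunkPort("B", native_vlan=999)
    print("after fix:", leaked_vlans(fixed_a, fixed_b, range(1, 4095)))  # {}

    # Fix 2: vlan dot1q tag native on the sender removes the untagged exception.
    print("tag native:", forward(TrunkPort("A", 99, True), sw_b, 99, b"\x08\x00"))  # 99
```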

7. Trunk Port Operation — Allowed VLANs and Pruning

A trunk port by default carries traffic for all VLANs (1–4094). In practice, only VLANs that exist on both switches and are assigned to ports need to traverse a given trunk. Carrying unnecessary VLANs wastes bandwidth and can create unnecessary broadcast traffic on links where that VLAN has no active members.

Configuring and Verifying Allowed VLANs

  ! Allow only specific VLANs on a trunk (best practice):
  Switch(config)# interface gigabitEthernet 0/1
  Switch(config-if)# switchport mode trunk
  Switch(config-if)# switchport trunk allowed vlan 10,20,30,99

  ! Add a VLAN to the existing allowed list (without removing others):
  Switch(config-if)# switchport trunk allowed vlan add 40

  ! Remove a specific VLAN from the allowed list:
  Switch(config-if)# switchport trunk allowed vlan remove 30

  ! Reset to default (all VLANs allowed):
  Switch(config-if)# switchport trunk allowed vlan all

  ! Verify trunk status and allowed VLANs:
  Switch# show interfaces gigabitEthernet 0/1 trunk

Output of show interfaces trunk

  Switch# show interfaces gigabitEthernet 0/1 trunk

  Port        Mode         Encapsulation  Status        Native vlan
  Gi0/1       on           802.1q         trunking      99

  Port        Vlans allowed on trunk
  Gi0/1       10,20,30,99

  Port        Vlans allowed and active in management domain
  Gi0/1       10,20,99

  Port        Vlans in spanning tree forwarding state and not pruned
  Gi0/1       10,20,99

  Key fields:
  - "Vlans allowed on trunk"         : manually configured allowed list
  - "active in management domain"    : VLANs that actually exist on this switch
  - "forwarding state and not pruned": VLANs actively forwarding (STP not blocking,
                                       VTP pruning not applied)

VTP Pruning

VTP Pruning is a mechanism that automatically removes VLANs from trunk links when no ports on the far-end switch belong to that VLAN. Without pruning, a broadcast in VLAN 40 would flood across every trunk in the network even if no device in VLAN 40 exists on the far-end switch.

  Without VTP Pruning:
  Switch A (has VLAN 40 devices) → broadcasts flood across ALL trunks
  Switch B (no VLAN 40 devices)  → receives and discards VLAN 40 broadcasts
                                    (wasted bandwidth)

  With VTP Pruning enabled:
  Switch A → VTP negotiates: Switch B has no VLAN 40 ports
  Switch A → VLAN 40 traffic pruned from the trunk to Switch B
                                    (bandwidth conserved)

  Enable VTP pruning (VTP server only):
  Switch(config)# vtp pruning

8. 802.1Q in Router-on-a-Stick (Sub-interfaces)

In a Router-on-a-Stick (ROAS) inter-VLAN routing setup, a single physical router interface connects to a trunk port on a switch. The router interface is divided into logical sub-interfaces, each associated with one VLAN using the encapsulation dot1q command. The router reads the 802.1Q tag to determine which sub-interface (and therefore which VLAN's subnet) should process the frame.

  Topology:
  [PC VLAN 10] ──┐
  [PC VLAN 20] ──┤── [Switch trunk port] ──── [Router Gi0/0]
  [PC VLAN 30] ──┘                              │
                                                ├── Gi0/0.10  (VLAN 10 gateway)
                                                ├── Gi0/0.20  (VLAN 20 gateway)
                                                └── Gi0/0.30  (VLAN 30 gateway)

  Router configuration:

  Router(config)# interface gigabitEthernet 0/0
  Router(config-if)# no shutdown
  Router(config-if)# no ip address              ! Physical interface has no IP

  Router(config)# interface gigabitEthernet 0/0.10
  Router(config-subif)# encapsulation dot1q 10  ! Tag this sub-interface for VLAN 10
  Router(config-subif)# ip address 192.168.10.1 255.255.255.0

  Router(config)# interface gigabitEthernet 0/0.20
  Router(config-subif)# encapsulation dot1q 20
  Router(config-subif)# ip address 192.168.20.1 255.255.255.0

  Router(config)# interface gigabitEthernet 0/0.30
  Router(config-subif)# encapsulation dot1q 30
  Router(config-subif)# ip address 192.168.30.1 255.255.255.0

  ! For the native VLAN sub-interface, add "native" keyword:
  Router(config)# interface gigabitEthernet 0/0.99
  Router(config-subif)# encapsulation dot1q 99 native
  Router(config-subif)# ip address 192.168.99.1 255.255.255.0

Sub-interface numbering: The sub-interface number (e.g., .10, .20) does not have to match the VLAN ID — it is just a label. However, matching them (Gi0/0.10 for VLAN 10) is a universal best practice for clarity and troubleshooting.


9. Double Tagging (QinQ) — 802.1ad

QinQ (802.1ad) — also called Provider Bridging or VLAN stacking — adds a second 802.1Q tag to a frame that already has one. This is used in service provider networks to tunnel a customer's entire VLAN space (VLANs 1–4094) across the provider's infrastructure, using a single provider VLAN (S-VLAN) to carry all of the customer's VLANs (C-VLANs).

  Double-tagged frame (QinQ / 802.1ad):

  ┌──────────┬──────────┬──────────┬──────────┬──────────┬──────────────┬─────┐
  │ Dest MAC │  Src MAC │S-TPID    │ S-TCI    │C-TPID    │  C-TCI       │Pyld │ FCS
  │ 6 bytes  │  6 bytes │0x88A8    │(S-VLAN)  │0x8100    │ (C-VLAN)     │     │
  └──────────┴──────────┴──────────┴──────────┴──────────┴──────────────┴─────┘
              ◄─── Outer tag (Provider / S-VLAN) ────►◄── Inner tag (Customer / C-VLAN) ──►

  S-TPID = 0x88A8  (Provider tag identifier — IEEE 802.1ad)
  C-TPID = 0x8100  (Customer tag identifier — standard 802.1Q)

  Use case:
  Customer A (VLANs 10, 20, 30) → wrapped in provider S-VLAN 100
  Customer B (VLANs 10, 20, 30) → wrapped in provider S-VLAN 200
  Both use the same VLAN IDs internally — no conflict at the provider level

CCNA scope: QinQ is not a core CCNA topic but understanding that double-tagging exists — and that it is also the mechanism behind the double-tagging VLAN-hopping attack — is useful exam knowledge. The double-tagging attack works because a malicious frame with two 802.1Q tags can cause the native VLAN tag (outer) to be stripped at the first switch, leaving the inner tag to direct the frame into a different VLAN.

10. Common 802.1Q Verification Commands

  ! Show all trunk ports, their encapsulation, and allowed/active VLANs:
  Switch# show interfaces trunk

  ! Show VLAN assignments and access port membership:
  Switch# show vlan brief

  ! Detailed VLAN information including SVI status:
  Switch# show vlan id 10

  ! Verify a specific interface's switchport configuration:
  Switch# show interfaces gigabitEthernet 0/1 switchport

  ! Verify native VLAN, encapsulation type, and trunk status on a specific port:
  Switch# show interfaces gigabitEthernet 0/1 trunk

  ! CDP output will show native VLAN mismatch warnings:
  Switch# show cdp neighbors detail

  ! Verify the running config for trunk and VLAN settings:
  Switch# show running-config interface gigabitEthernet 0/1

Key Output Fields to Know

  Command / Field                                   What to Look For
  -----------------------------------------------   -------------------------------------------------------------------------
  show interfaces trunk → Encapsulation             Should show 802.1q for standard VLAN tagging
  show interfaces trunk → Native vlan               Must match on both ends of the trunk — mismatch = traffic in wrong VLAN
  show interfaces trunk → Vlans allowed on trunk    Manually configured VLAN list — ensure required VLANs are present
  show interfaces trunk → Vlans in STP forwarding   VLANs actually forwarding — if a VLAN is missing here, check STP or VTP pruning
  show interfaces switchport → Operational Mode     Should show trunk for trunk ports and static access for access ports
  show vlan brief → Ports column                    Trunk ports do NOT appear here — only access ports are listed per VLAN


11. 802.1Q Summary — Key Facts

  Topic                  Key Fact
  --------------------   ------------------------------------------------------------------------------------
  Tag size               4 bytes (32 bits) inserted between Src MAC and EtherType
  TPID value             0x8100 — signals an 802.1Q tagged frame to the receiving device
  PCP field              3 bits — CoS values 0–7; higher = higher priority; voice uses CoS 5
  DEI field              1 bit — marks frame as drop-eligible during congestion (0 = keep, 1 = drop eligible)
  VID field              12 bits — VLAN ID 0–4095; usable range 1–4094
  Maximum tagged frame   1522 bytes (1518 + 4-byte tag); requires baby giant frame support
  Native VLAN            Frames sent untagged on the trunk; default is VLAN 1; must match both ends
  Tag insertion          Done by the switch when a frame is forwarded out a trunk port
  Tag stripping          Done by the switch before delivering a frame out an access port
  FCS                    Recalculated by the switch after tag insertion and again after tag stripping
  End device awareness   End devices never see 802.1Q tags — transparent to PCs, servers, printers
  QinQ (802.1ad)         Double-tagging using outer S-TPID = 0x88A8; used in service provider networks

12. 802.1Q VLAN Tagging Quiz

1. Where exactly is the 802.1Q tag inserted in an Ethernet frame?

Correct answer is C. The 802.1Q tag is inserted between the Source MAC address (bytes 7–12 of the frame) and the EtherType/Length field. This is why the TPID value 0x8100 occupies the EtherType position — a receiving device reads 0x8100 where it would normally find 0x0800 (IPv4) or another EtherType, and knows the next 2 bytes are the TCI (PCP + DEI + VID) before the real EtherType.

2. What is the total size of the 802.1Q tag, and what are its two main sub-fields?

Correct answer is B. The 802.1Q tag is exactly 4 bytes (32 bits). The first 2 bytes are the TPID (Tag Protocol Identifier), always set to 0x8100 for standard 802.1Q. The second 2 bytes are the TCI (Tag Control Information), subdivided into PCP (3 bits — CoS priority), DEI (1 bit — drop eligible) and VID (12 bits — VLAN ID). Total: 16 bits (TPID) + 3 + 1 + 12 bits (TCI) = 32 bits = 4 bytes.

3. What value does the TPID field always contain in a standard 802.1Q tagged frame, and what is its significance?

Correct answer is D. The TPID value 0x8100 is the IEEE-assigned EtherType that identifies an 802.1Q tagged frame. It occupies the same byte position as the normal EtherType field (right after Src MAC). When a switch or NIC reads 0x8100 here, it knows a 4-byte 802.1Q tag is present and processes the next 2 bytes as TCI. The actual payload EtherType (e.g., 0x0800 for IPv4) follows after the 4-byte tag.

4. An IP phone marks its voice frames with PCP value 5. What does this value mean, and at which OSI layer does PCP operate?

Correct answer is A. PCP (Priority Code Point) is a 3-bit Layer 2 QoS field in the 802.1Q TCI. Value 5 corresponds to CoS 5, used for voice bearer traffic per IEEE 802.1p. Switches use this value to queue and forward voice frames ahead of lower-priority traffic. PCP operates at Layer 2 only — it is not carried across routed boundaries. The equivalent Layer 3 marking is DSCP EF (Expedited Forwarding, decimal 46) in the IP header. See: QoS Marking | QoS Overview | Voice VLAN

5. What maximum frame size must a network interface support to handle 802.1Q tagged frames, and why?

Correct answer is C. The 4-byte 802.1Q tag is inserted into the frame, increasing the maximum size from 1518 bytes to 1522 bytes. IEEE 802.3ac defines this extended frame size. Network interface cards and switches on trunk links must support these "baby giant" frames. If an interface is configured with a strict 1518-byte maximum and receives a 1522-byte tagged frame, it may incorrectly flag it as a "giant" error and drop it.

6. What happens to the FCS (Frame Check Sequence) when a switch inserts or strips an 802.1Q tag?

Correct answer is B. The FCS is a CRC checksum calculated over the entire frame content. When a switch inserts the 4-byte 802.1Q tag, the frame content changes, making the original FCS invalid. The switch recalculates the FCS for the now-larger tagged frame. When the tag is stripped on egress to an access port, the frame content changes again, and the FCS is recalculated once more. The end device receives a frame with a valid FCS covering the standard (untagged) content.

7. A switch receives an untagged frame on a trunk port. The trunk's native VLAN is configured as VLAN 99. What does the switch do with this frame?

Correct answer is D. The native VLAN is the VLAN to which untagged frames received on a trunk port are assigned. This is the core definition of the native VLAN. Since the native VLAN is configured as 99, any untagged frame arriving on that trunk is placed into VLAN 99. Conversely, when the switch sends VLAN 99 traffic out the trunk, it sends those frames untagged. This is why native VLAN mismatches between two switches cause traffic to end up in the wrong VLAN.

8. What is the double-tagging (VLAN hopping) attack, and which configuration change best prevents it?

Correct answer is A. The double-tagging attack exploits the native VLAN's untagged behaviour. The attacker crafts a frame with an outer tag matching the native VLAN (VLAN 1 by default) and an inner tag for the target VLAN. The first switch strips the outer native VLAN tag and forwards the frame (still carrying the inner tag) across the trunk. The second switch reads the inner tag and delivers the frame to the target VLAN — which the attacker is not a member of. Prevention: configure native VLAN as an unused VLAN (e.g., 999) with no user ports, and optionally use vlan dot1q tag native to force tagging of the native VLAN.

9. In a Router-on-a-Stick configuration, a sub-interface is configured with encapsulation dot1q 20. What does this command do?

Correct answer is C. The encapsulation dot1q <vlan-id> command on a router sub-interface binds that sub-interface to a specific 802.1Q VLAN. Inbound: the router accepts frames tagged with VID = 20 and processes them on this sub-interface (strips the tag, routes the packet). Outbound: the router tags frames leaving this sub-interface with VID = 20 before sending them to the switch trunk port. Without this command, the sub-interface does not know which VLAN to associate with. Adding the keyword native makes this sub-interface handle untagged (native VLAN) traffic.

10. A show interfaces trunk output shows VLAN 30 in the "Vlans allowed on trunk" list but NOT in the "Vlans in spanning tree forwarding state and not pruned" list. What are the two most likely causes?

Correct answer is B. The "Vlans in spanning tree forwarding state and not pruned" section shows only VLANs that are BOTH in STP forwarding state AND not removed by VTP pruning. A VLAN can be allowed on the trunk (in the allowed list) but absent from the forwarding list because: (1) STP has placed that VLAN's port in a blocking state to prevent a Layer 2 loop — check show spanning-tree vlan 30; or (2) VTP pruning has determined no ports on the far-end switch belong to VLAN 30 and removed it from the trunk automatically. Also check that VLAN 30 exists in the VLAN database (show vlan brief). See PVST+ for STP per-VLAN details.
