VLAN Tagging (802.1Q) – Detailed Explanation

1. What Is VLAN Tagging?

VLAN tagging is the mechanism by which a switch embeds a VLAN identifier directly inside an Ethernet frame so that receiving devices know which VLAN the frame belongs to. This allows a single physical link (a trunk) to carry traffic for many different VLANs simultaneously while keeping each VLAN's traffic logically isolated.

  Without VLAN tagging (access port):
  [Dst MAC | Src MAC | EtherType | Data | FCS]  <-- No VLAN info

  With 802.1Q VLAN tagging (trunk port):
  [Dst MAC | Src MAC | TPID 0x8100 | TCI (PCP+CFI+VID) | EtherType | Data | FCS]
                       |<------- 4 bytes added -------->|
                              VLAN ID lives here (12 bits, 1-4094)
    

Related pages: Access vs Trunk Ports | VLAN Creation & Management | VLANs Overview | show vlan | show interfaces trunk | Router-on-a-Stick | Layer 3 Switch Routing | Port Security | Port Security Violation Modes | Step-by-Step: Trunk Configuration | Step-by-Step: Assigning VLANs to Switch Ports | Step-by-Step: Layer 2 VLAN Troubleshooting

2. IEEE 802.1Q Standard Overview

IEEE 802.1Q is the open industry standard for VLAN tagging, supported by all modern switch vendors (Cisco, Juniper, Aruba, HPE, etc.). It superseded Cisco's proprietary ISL (Inter-Switch Link) encapsulation, which is now obsolete.

Protocol | Standard | Vendor Support | Status
---------|----------|----------------|-------
802.1Q | IEEE open standard | All vendors | Current (use this)
ISL | Cisco proprietary | Cisco only | Obsolete (do not use)

3. The 802.1Q Tag Structure

The 802.1Q tag is a 4-byte (32-bit) field inserted into the Ethernet frame between the Source MAC address and the original EtherType/Length field:

Field | Size | Value | Purpose
------|------|-------|--------
TPID (Tag Protocol Identifier) | 16 bits | 0x8100 | Sits in the EtherType position and signals to the receiver that a VLAN tag follows, distinguishing a tagged frame from an untagged one (0x88A8 marks an 802.1ad S-TAG, see Section 8)
PCP (Priority Code Point) | 3 bits | 0-7 | 802.1p QoS priority: 0 = best effort, 7 = highest (voice/video are typically marked 5-6)
CFI / DEI | 1 bit | 0 or 1 | Originally the Canonical Format Indicator for Token Ring compatibility (always 0 on Ethernet); 802.1ad and 802.1Q-2011 redefine it as the Drop Eligible Indicator
VID (VLAN Identifier) | 12 bits | 1-4094 | Identifies the VLAN, the core purpose of the tag; 0 (priority tag only) and 4095 are reserved

The 12-bit VID field allows VLAN IDs from 1 to 4094 (0 and 4095 are reserved). VLAN 1 is both the default VLAN for access ports and the default native VLAN on Cisco switches, and it cannot be deleted. In production, move user ports off VLAN 1 and set the native VLAN of every trunk to an unused VLAN for security reasons.

4. How 802.1Q Tagging Works — Step by Step

  1. Host A (in VLAN 10) sends an untagged Ethernet frame to its access port on Switch1
  2. Switch1 identifies the incoming port as belonging to VLAN 10 (access port assignment)
  3. When forwarding out the trunk port toward Switch2, Switch1 inserts the 802.1Q tag with VID=10 into the frame
  4. Switch2 receives the tagged frame, reads VID=10, and knows to forward it to VLAN 10 ports
  5. Before delivering to Host B's access port, Switch2 strips the tag — the end device receives a normal, untagged Ethernet frame
  Host A (VLAN 10)                                     Host B (VLAN 10)
  Untagged frame                                       Untagged frame
      |                                                     ^
      v                                                     |
  Switch1 Access Port                               Switch2 Access Port
  (adds tag VID=10)                                (strips tag)
      |                                                     |
      +---------- Trunk Link -- Tagged [VID=10] -----------+
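The tag layout from Section 3 and the insert/strip steps above, as an added Python example that is not part of the original page: build_tci packs the TCI, insert_tag models trunk egress, strip_outer_tag models access-port egress, and parse_frame walks stacked tags, so it also handles an 802.1ad S-TAG (0x88A8) sitting in front of the C-TAG, which goes one step beyond the single-tag walk-through above. The frame bytes are constructed here and carry no FCS (a NIC normally strips it before handing the frame up).

```python
import struct

TPID_8021Q = 0x8100   # C-TAG (customer tag)
TPID_8021AD = 0x88A8  # S-TAG (provider tag used by Q-in-Q)
TPIDS = {TPID_8021Q, TPID_8021AD}

def build_tci(vid: int, pcp: int = 0, dei: int = 0) -> int:
    """Pack PCP (3 bits), DEI/CFI (1 bit) and VID (12 bits) into the 16-bit TCI."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094; 0 and 4095 are reserved")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI 0 or 1")
    return (pcp << 13) | (dei << 12) | vid

def insert_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = TPID_8021Q) -> bytes:
    """Trunk egress: insert a 4-byte tag right after the source MAC (byte offset 12).
    Inserting again puts the new tag outermost, which is how an S-TAG is stacked."""
    tag = struct.pack("!HH", tpid, build_tci(vid, pcp))
    return frame[:12] + tag + frame[12:]

def strip_outer_tag(frame: bytes) -> bytes:
    """Access-port egress: remove the outermost tag if one is present."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid not in TPIDS:
        return frame
    return frame[:12] + frame[16:]

def parse_frame(frame: bytes) -> dict:
    """Walk any stacked tags (outer first) and return MACs, tags, EtherType and payload."""
    tags, offset = [], 12
    while True:
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in TPIDS:
            break
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": ethertype, "payload": frame[offset + 2:]}

# Constructed sample: an untagged IPv4 frame from Host A (no FCS; the NIC strips it).
HOST_A_FRAME = (bytes.fromhex("001122334455")          # destination MAC
                + bytes.fromhex("66778899aabb")        # source MAC
                + struct.pack("!H", 0x0800)            # EtherType IPv4
                + b"\x45\x00" + b"\x00" * 18)          # truncated IPv4 header as payload

def walk_frame_through_trunk() -> dict:
    """Replay Section 4: Switch1 tags VID 10 (voice priority 5), a provider edge stacks
    S-TAG 200 on top, and Switch2 strips the outer tag before delivering to Host B."""
    tagged = insert_tag(HOST_A_FRAME, vid=10, pcp=5)
    qinq = insert_tag(tagged, vid=200, tpid=TPID_8021AD)
    return {
        "untagged": parse_frame(HOST_A_FRAME)["tags"],
        "tagged": parse_frame(tagged)["tags"],
        "qinq": parse_frame(qinq)["tags"],
        "sizes": (len(HOST_A_FRAME), len(tagged), len(qinq)),
        "delivered_to_host_b": strip_outer_tag(tagged) == HOST_A_FRAME,
    }

if __name__ == "__main__":
    for name, value in walk_frame_through_trunk().items():
        print(name, value)
```

Each tag grows the frame by exactly 4 bytes (34, 38, 42 in the run above), which is the arithmetic behind the 1522 and 1526-byte limits in Section 9; a parser that stops at the first TPID it does not know would misread the S-TAG as the EtherType, so both TPIDs are checked in the loop.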
    

5. Trunk Ports vs Access Ports

Feature | Access Port | Trunk Port
--------|-------------|-----------
VLANs carried | One VLAN only | Multiple VLANs simultaneously
Frames | Untagged, no 802.1Q tag | Tagged (except the native VLAN, which is untagged)
Connected to | End devices (PCs, printers, phones) | Other switches, routers, servers that need multiple VLANs
Configuration | switchport mode access + switchport access vlan X | switchport mode trunk + switchport trunk allowed vlan list

See Access vs Trunk Ports for the complete configuration guide and Assigning VLANs to Switch Ports for a hands-on lab.

Trunk Port Configuration Example

interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 switchport trunk native vlan 99
 switchport nonegotiate

switchport nonegotiate disables DTP (Dynamic Trunking Protocol) negotiation — strongly recommended on all trunk ports to prevent VLAN hopping attacks (see Section 12).

6. Native VLAN

The native VLAN is the one VLAN on a trunk port whose frames are sent and received without an 802.1Q tag. Any untagged frame arriving on a trunk port is automatically assigned to the native VLAN.

  • Cisco default native VLAN: VLAN 1
  • Best practice: Change native VLAN to an unused, dedicated VLAN (e.g., VLAN 99) on all trunk links
  • Both ends of a trunk must be configured with the same native VLAN

Native VLAN Mismatch

If the two ends of a trunk have different native VLANs configured, Cisco switches generate a CDP warning:

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (99), with Switch2 GigabitEthernet0/1 (1).

The result is that untagged traffic crosses into the wrong VLAN: frames from the native VLAN on one switch arrive in the native VLAN of the other, which is a different VLAN. This is both a connectivity and a security issue. PVST+ also detects the mismatch from the VLAN ID carried in its BPDUs, logs %SPANTREE-2-RECV_PVID_ERR, and blocks the affected VLANs on that port until the configuration is corrected. Verify with show interfaces trunk and show vlan brief.

7. DTP — Dynamic Trunking Protocol

DTP is a Cisco-proprietary protocol that automatically negotiates trunk formation between adjacent switches. While convenient, DTP poses a significant security risk because an attacker can send DTP frames to negotiate a trunk link with a user-facing port, then access all VLANs.

DTP Mode | Behaviour
---------|----------
dynamic auto | Passively waits for the other end to initiate trunking; becomes a trunk only if the neighbour is trunk or dynamic desirable
dynamic desirable | Actively tries to form a trunk with the neighbour
trunk | Forces trunk mode; still sends DTP frames to convert the neighbour unless nonegotiate is set
access | Forces permanent non-trunking mode and negotiates the neighbour to non-trunk
nonegotiate | Not a mode but a modifier for access or trunk mode: keeps the configured mode and sends no DTP frames (most secure)

Security best practice: Always disable DTP on both access ports (switchport mode access) and hardcoded trunk ports (switchport nonegotiate). Never leave ports in dynamic auto or dynamic desirable mode.
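An added example, not from the original page, of checking a running-config for the DTP and trunk hardening this section recommends (and which Section 12 repeats as mitigations). The config excerpt is constructed; the assumption that a port with no switchport mode line defaults to dynamic auto holds on most Catalyst platforms but should be confirmed for yours with show interfaces switchport.

```python
import re
from dataclasses import dataclass

# Constructed running-config excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to Switch2, hardened
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description uplink to Switch3, trunk with defaults
 switchport mode trunk
!
interface GigabitEthernet0/3
 description user port with no switchport mode line
 switchport access vlan 10
!
interface GigabitEthernet0/4
 switchport mode dynamic desirable
!
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet0/6
 switchport access vlan 999
 switchport mode access
 shutdown
!
"""

@dataclass
class Port:
    name: str
    mode: str = "dynamic auto"   # assumed platform default when no "switchport mode" line exists
    nonegotiate: bool = False
    native_vlan: int = 1         # Cisco default native VLAN
    allowed: str = ""            # empty means every VLAN is allowed on the trunk
    shutdown: bool = False

def parse_config(text: str) -> list:
    """Collect per-interface switchport settings from running-config text."""
    ports, cur = [], None
    for raw in text.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            cur = Port(m.group(1))
            ports.append(cur)
            continue
        if cur is None or not raw.startswith(" "):
            continue   # lines outside an interface stanza (e.g. "!") are ignored
        line = raw.strip()
        if line == "shutdown":
            cur.shutdown = True
        elif line.startswith("switchport mode "):
            cur.mode = line[len("switchport mode "):]
        elif line == "switchport nonegotiate":
            cur.nonegotiate = True
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            cur.native_vlan = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (.+)$", line):
            cur.allowed = m.group(1)
    return ports

def audit(ports: list) -> dict:
    """Map each port name to the list of hardening gaps found (empty list = clean)."""
    findings = {}
    for p in ports:
        gaps = []
        if p.shutdown:
            findings[p.name] = gaps   # administratively down: nothing to negotiate
            continue
        if p.mode.startswith("dynamic"):
            gaps.append(f"DTP negotiable ({p.mode}): an attacker can negotiate a trunk (switch spoofing)")
        if p.mode == "trunk":
            if not p.nonegotiate:
                gaps.append("trunk still sends DTP: add switchport nonegotiate")
            if p.native_vlan == 1:
                gaps.append("native VLAN is 1: move it to an unused VLAN")
            if not p.allowed:
                gaps.append("all VLANs allowed: prune with switchport trunk allowed vlan")
        # "switchport mode access" alone stops DTP; nonegotiate on access ports is belt and braces
        findings[p.name] = gaps
    return findings

if __name__ == "__main__":
    for name, gaps in audit(parse_config(SAMPLE_CONFIG)).items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```

The port with no switchport mode line (Gi0/3) is the one most audits miss: it looks like an access port because it has an access VLAN, but with the platform default of dynamic auto it will happily trunk with any neighbour that sends DTP.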

8. Q-in-Q Double Tagging (IEEE 802.1ad)

Q-in-Q (IEEE 802.1ad, also called Provider Bridging) stacks two 802.1Q tags on a single frame: an outer provider tag (S-TAG) and an inner customer tag (C-TAG). This allows service providers to transport customer VLANs transparently across their MPLS/Metro-Ethernet backbone while using their own VLAN namespace.

[Dst MAC | Src MAC | S-TAG 0x88A8 | C-TAG 0x8100 | EtherType | Data | FCS]
                     Provider VID    Customer VID
                     (outer tag)     (inner tag)

Use case: A customer with VLANs 10, 20, 30 connects to an ISP. The ISP wraps all customer traffic in a single provider VLAN tag (e.g., S-VID 200) across their network, preserving the customer's VLAN tags inside.

9. MTU Considerations

The 802.1Q tag adds 4 bytes to every tagged Ethernet frame. Standard Ethernet maximum frame size is 1518 bytes — tagged frames can be up to 1522 bytes.

  • Switches must support "baby giant" frames (up to 1522 bytes) to handle tagged frames without dropping them
  • Q-in-Q frames (double tagged) can be up to 1526 bytes, so the switch MTU along the provider path must be raised (baby-giant or jumbo frame support)
  • Misconfigured MTU settings can cause silent packet drops on trunk links — especially noticeable for large transfers or VoIP

10. Impact on Switch Processing

The 802.1Q VLAN tag fundamentally changes how switches handle frames:

  • Switches use the VID in the tag to select the correct per-VLAN forwarding table (MAC address table is per-VLAN)
  • Frames tagged with different VIDs are Layer-2 isolated — VLAN 10 traffic never appears to VLAN 20 hosts without routing through a Layer 3 device (router or Layer 3 switch)
  • The PCP field (3 bits) in the TCI enables 802.1p QoS prioritisation — voice and video frames can be marked high priority (PCP=5–6) for preferential treatment through the network

11. Cisco IOS Configuration Reference

! Trunk port configuration
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q         ! Needed on older IOS/platforms that also support ISL; must come before "switchport mode trunk" or that command is rejected
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 99
 switchport nonegotiate                       ! Disable DTP

! Verify trunk configuration
Switch# show interfaces trunk
Switch# show interfaces GigabitEthernet0/1 switchport

! Check all VLAN and port assignments
Switch# show vlan brief

! Set native VLAN for security (both switches must match)
Switch(config-if)# switchport trunk native vlan 99

See show interfaces trunk for full output annotation, show vlan brief to verify VLAN assignments, and Step-by-Step: Trunk Configuration for a full hands-on walkthrough.

12. Security: VLAN Hopping Attack and Mitigation

A VLAN hopping attack allows an attacker to send traffic to VLANs they shouldn't have access to. There are two main techniques:

Switch Spoofing

An attacker sends DTP frames from a user port, causing the switch to form a trunk link with the attacker's machine. The attacker's machine then has access to all VLANs on the trunk.

Double Tagging

An attacker on the native VLAN sends a frame with two 802.1Q tags. The outer tag matches the native VLAN (and is stripped by the first switch without being checked). The inner tag contains a target VLAN ID. The second switch sees the inner tag and forwards the frame to the target VLAN — a one-way attack that works even if DTP is disabled.

Mitigations

! 1. Disable DTP on ALL user-facing (access) ports
Switch(config-if)# switchport mode access
Switch(config-if)# switchport nonegotiate

! 2. Change native VLAN away from VLAN 1 (and any user VLAN)
Switch(config-if)# switchport trunk native vlan 999

! 3. Explicitly tag native VLAN traffic (removes untagged native VLAN)
Switch(config)# vlan dot1q tag native

! 4. Place all unused ports in an unused VLAN and disable them
Switch(config-if)# switchport access vlan 999
Switch(config-if)# shutdown

! 5. Restrict trunk allowed VLANs to only what's needed
Switch(config-if)# switchport trunk allowed vlan 10,20,30
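The native VLAN mismatch from Section 6 and the double-tagging attack with mitigations 2 and 3 above, as an added simulation that is not part of the original page. The model keeps only VLAN classification: a switch sends the native VLAN untagged on a trunk unless tag_native (standing in for vlan dot1q tag native) is set, and an access port accepts an untagged frame or one whose outer tag matches its own VLAN (that acceptance is an assumption matching the classic description of the attack, not guaranteed on every platform). Everything after the first tag is opaque payload to the first switch, which is the whole trick.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TrunkConfig:
    native_vlan: int
    tag_native: bool = False   # stands in for the global "vlan dot1q tag native"

@dataclass(frozen=True)
class WireFrame:
    tags: tuple   # 802.1Q VIDs as they appear on the trunk wire, outermost first

def access_ingress(port_vlan: int, sent_tags: tuple):
    """Access port receives a frame from the host. Untagged frames belong to the port VLAN;
    a frame whose outer tag equals the port VLAN is accepted too (assumption, see lead-in);
    anything else is dropped. Tags behind the first one are opaque payload to this switch."""
    if not sent_tags:
        return port_vlan, ()
    if sent_tags[0] == port_vlan:
        return port_vlan, sent_tags[1:]
    return None, ()

def trunk_egress(vlan: int, inner_tags: tuple, cfg: TrunkConfig) -> WireFrame:
    """Native VLAN traffic leaves untagged unless the native VLAN is explicitly tagged."""
    if vlan == cfg.native_vlan and not cfg.tag_native:
        return WireFrame(tuple(inner_tags))      # no outer tag: the inner tag is now outermost
    return WireFrame((vlan,) + tuple(inner_tags))

def trunk_ingress(wire: WireFrame, cfg: TrunkConfig) -> int:
    """Receiving switch classifies by the outermost tag, or the native VLAN if untagged."""
    return wire.tags[0] if wire.tags else cfg.native_vlan

def deliver(port_vlan: int, sent_tags: tuple, sw1: TrunkConfig, sw2: TrunkConfig):
    """Return the VLAN the frame lands in on Switch2, or None if Switch1 dropped it."""
    vlan, inner = access_ingress(port_vlan, sent_tags)
    if vlan is None:
        return None
    return trunk_ingress(trunk_egress(vlan, inner, sw1), sw2)

def scenarios() -> dict:
    return {
        # Section 6: native VLAN mismatch (99 on Switch1, 1 on Switch2); VLAN 99 traffic lands in VLAN 1
        "mismatch_99_vs_1": deliver(99, (), TrunkConfig(99), TrunkConfig(1)),
        # Section 12: attacker in native VLAN 1 sends tags (1, 20); Switch1 drops the outer tag
        "double_tag_default_native": deliver(1, (1, 20), TrunkConfig(1), TrunkConfig(1)),
        # Mitigation 2: native VLAN moved to unused VLAN 999 on both ends; outer tag 1 survives
        "double_tag_native_999": deliver(1, (1, 20), TrunkConfig(999), TrunkConfig(999)),
        # Mitigation 3: native VLAN tagged on the wire; outer tag 1 survives
        "double_tag_tag_native": deliver(1, (1, 20), TrunkConfig(1, True), TrunkConfig(1, True)),
        # A frame tagged for a VLAN other than the port VLAN never enters the switch
        "foreign_outer_tag": deliver(1, (20,), TrunkConfig(1), TrunkConfig(1)),
    }

if __name__ == "__main__":
    for name, landed in scenarios().items():
        print(name + ":", "dropped" if landed is None else "VLAN " + str(landed))
```

Both mitigations work for the same reason: the attacker's outer tag is no longer the one the first switch removes, so the second switch classifies the frame by that outer tag and the inner VID 20 stays buried in the payload. Moving the native VLAN to 999 only helps while no access port is placed in VLAN 999, which is why the page insists on a dedicated, unused VLAN.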

For broader Layer 2 security hardening, also see Port Security, DHCP Snooping, Dynamic ARP Inspection, and Firewalls.

13. Troubleshooting VLAN Tagging Issues

Problem | Likely Cause | Diagnostic Command
--------|--------------|-------------------
Devices in same VLAN can't communicate across switches | VLAN not in trunk allowed list, or trunk not formed | show interfaces trunk (check "VLANs allowed and active")
CDP native VLAN mismatch warning | Different native VLANs on each end of trunk | show interfaces [int] switchport (check "Trunking Native Mode VLAN")
Large file transfers failing on trunk | MTU mismatch, switch not handling 1522-byte tagged frames | show interfaces [int] (check for "input errors" or "giants")
Host can't communicate, port is access but in wrong VLAN | Access port assigned to wrong VLAN | show vlan brief (verify port is in correct VLAN)
Trunk not forming between switches | DTP mode mismatch (auto/auto won't form trunk) | show interfaces [int] switchport (check "Administrative Mode")

For a full guided troubleshooting scenario see Step-by-Step: Layer 2 VLAN & Trunk Troubleshooting.

14. Complete Summary

Aspect | 802.1Q Behaviour
-------|-----------------
Tag size | 4 bytes added to the Ethernet frame
Tag location | Inserted after Source MAC address, before original EtherType
TPID value | 0x8100 identifies the frame as 802.1Q tagged
VLAN ID range | 1-4094 (12-bit VID field; 0 and 4095 reserved)
Native VLAN | Frames sent and received untagged; default is VLAN 1 (change it)
Trunk port | Carries multiple VLANs tagged; one native VLAN untagged
Access port | Carries one VLAN; all frames untagged
MTU impact | Frame grows to 1522 bytes (single tag); 1526 bytes (Q-in-Q)
Security risk | VLAN hopping via DTP or double-tagging; mitigate with nonegotiate + native VLAN change. See Port Security.
QoS | PCP field (3 bits) provides 802.1p priority marking

VLAN Tagging (802.1Q) Quiz

1. What is the primary purpose of 802.1Q VLAN tagging?

Correct answer is C. VLAN tagging inserts a 4-byte 802.1Q header into Ethernet frames, embedding the VLAN ID. This allows a single physical trunk link between switches to simultaneously carry traffic from multiple VLANs while keeping each VLAN's traffic logically isolated from the others.

2. Which IEEE standard defines VLAN tagging for Ethernet networks?

Correct answer is A. IEEE 802.1Q is the open, vendor-neutral standard for VLAN tagging. It replaced the earlier Cisco-proprietary ISL (Inter-Switch Link) protocol, which is now obsolete. All modern switches from all vendors support 802.1Q. The "Q" in 802.1Q refers to its position in the 802.1 bridge standards family.

3. How many bytes does the 802.1Q VLAN tag add to an Ethernet frame?

Correct answer is D. The 802.1Q tag is exactly 4 bytes (32 bits): 16 bits TPID (0x8100) + 3 bits PCP + 1 bit CFI/DEI + 12 bits VLAN ID. This increases the maximum Ethernet frame size from 1518 to 1522 bytes. Switches and network cards must support these "baby giant" frames on trunk links.

4. What is the Native VLAN on an 802.1Q trunk port?

Correct answer is B. The native VLAN is the special VLAN on a trunk whose frames are sent and received WITHOUT an 802.1Q tag. All other VLANs on the trunk carry 802.1Q-tagged frames. The Cisco default native VLAN is VLAN 1, but best practice is to change it to a dedicated, unused VLAN (e.g., VLAN 999) to mitigate VLAN hopping attacks.

5. What is the valid VLAN ID range available with 802.1Q tagging?

Correct answer is C. The VID field is 12 bits, giving a range of 0–4095. However, VID 0 (priority tagging only, no VLAN) and VID 4095 (reserved) are excluded, leaving 1–4094 as valid VLAN IDs for user assignment. On Cisco switches, VLANs 1–1005 are normal range, and 1006–4094 are extended range (requires VTP transparent or off mode unless VTP version 3 is in use). See VLANs Overview.

6. What problem occurs if the native VLAN is mismatched between two ends of a trunk link?

Correct answer is D. A native VLAN mismatch means untagged frames from (e.g.) VLAN 99 on one switch arrive at the other switch and are assigned to its native VLAN (e.g., VLAN 1), causing traffic to "jump" between VLANs. CDP generates a warning message. The double-tagging VLAN hopping attack exploits the same property, that native VLAN traffic crosses the trunk without a tag. Always match native VLANs on both ends of a trunk. Verify with show interfaces trunk.

7. Which protocol enables stacking two VLAN tags on a single Ethernet frame (as used by service providers)?

Correct answer is A. Q-in-Q (IEEE 802.1ad, also called Provider Bridging or Stacked VLANs) adds a second 802.1Q tag — an outer provider tag (S-TAG, TPID 0x88A8) — around a customer's tagged frame. This allows service providers to transport multiple customers' VLANs across their infrastructure while keeping customer tag namespaces separate.

8. How does 802.1Q tagging affect the Ethernet frame size?

Correct answer is C. The 4-byte 802.1Q tag is inserted into the frame — it does not replace existing fields. This increases the standard maximum Ethernet frame from 1518 bytes to 1522 bytes. Network infrastructure on trunk paths must support "baby giant" frames. MTU misconfigurations can cause silent packet drops on trunk links — check for input errors with show interfaces.

9. What is the main security risk specific to VLAN tagging implementations?

Correct answer is B. VLAN hopping allows an attacker to send frames into VLANs they should not access. It can be achieved by: (1) Switch Spoofing — using DTP to trick a switch into forming a trunk; or (2) Double Tagging — sending a frame with two tags where the outer tag matches the native VLAN. Mitigations: disable DTP with switchport nonegotiate, change native VLAN away from VLAN 1 and all user VLANs. Also use Port Security and DHCP Snooping for comprehensive Layer 2 hardening.

10. Which command prevents unauthorized DTP trunk negotiation on a Cisco switch port?

Correct answer is D. switchport nonegotiate disables DTP frame transmission on the port — the switch will neither send nor respond to DTP negotiation frames. This prevents switch spoofing attacks. It should be applied to all access ports (combined with switchport mode access) and all statically configured trunk ports. It is one of the most important VLAN security hardening steps. For additional Layer 2 security see Dynamic ARP Inspection and Firewalls.
