Why and how are Ethernet Vlans tagged?

69

32

I hear about VLAN tagging, but I don’t quite understand the concept. I know a trunk cannot accept untagged packets without configuring a native VLAN, and that access ports only accept untagged packets. But I don’t understand why packets need to be tagged or untagged. What purpose does it serve?

Vishwanath gowda k

Posted 2014-02-25T09:07:51.200

Reputation: 484

1

Check out this section of this article.

– Eddie – 2017-01-17T16:56:21.250

Answers

96

If you have more than one VLAN on a port (a "trunk port"), you need some way to tell which packet belongs to which VLAN on the other end. To do this you are "tagging" a packet with a VLAN tag (or VLAN header if you like). In reality a VLAN tag is inserted in the Ethernet frame like this:

VLAN Header

The 802.1Q (dot1q, VLAN) tag contains a VLAN-ID and other things explained in the 802.1Q standard. The first 16 bits contain the "Tag Protocol Identifier" (TPID), which is 0x8100. This also doubles as the EtherType 0x8100 for devices that don't understand VLANs.

So a "tagged" packet contains the VLAN information in the Ethernet frame while an "untagged" packet doesn't. A typical use case would be if you have one port from a router to a switch which multiple customers are attached to:

VLAN Trunking

In this example customer "Green" has VLAN 10 and Customer "Blue" has VLAN 20. The ports between switch and customers are "untagged" meaning for the customer the arriving packet is just a normal Ethernet packet.

The port between router and switch is configured as a trunk port so that both router and switch know which packet belongs to which customer VLAN. On that port the Ethernet frames are tagged with the 802.1Q tag.

Sebastian

Posted 2014-02-25T09:07:51.200

Reputation: 5 528
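As an added worked example (not part of Sebastian's answer), the tag insertion described above in Python: a plain Ethernet II frame gets a 4-byte 802.1Q tag spliced in after the source MAC, the parser recognises the 0x8100 TPID and pulls out PCP, DEI and the 12-bit VID, and untag_frame does what an untagged (access) egress port does. The function names, MAC addresses and payload bytes are assumptions made for this example, not from the original page.

```python
import struct

# Constants from the 802.1Q / Ethernet II layout described in the answer.
ETHERTYPE_8021Q = 0x8100   # TPID; also the EtherType a VLAN-unaware host sees
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Plain (untagged) Ethernet II frame: dst(6) src(6) EtherType(2) payload. FCS omitted."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a dot1q tag (TPID + TCI) between the source MAC and the original EtherType."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    tci = (pcp << 13) | (dei << 12) | vid          # TCI = PCP(3) DEI(1) VID(12)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode a frame; vid/pcp/dei are None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = dei = None
    offset = 14
    if ethertype == ETHERTYPE_8021Q:                # tagged: the real EtherType follows the TCI
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, dei, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp, "dei": dei,
            "ethertype": ethertype, "payload": frame[offset:]}


def untag_frame(frame: bytes) -> bytes:
    """What an untagged egress port does: drop the 4 tag bytes, keep everything else."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    # Constructed sample: a broadcast from the "Green" customer, tagged into VLAN 10 on the trunk.
    plain = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    trunk = tag_frame(plain, vid=10, pcp=3)
    print(trunk[12:18].hex())          # 8100 600a 0800: TPID, TCI, original EtherType
    print(parse_frame(trunk))
    print(untag_frame(trunk) == plain)
```

A VLAN-unaware host reading the tagged frame simply sees EtherType 0x8100 and an unknown payload, which is why the customer-facing ports in the diagram hand over the untagged form.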

4

there must be a better way to explain VLANs, Trunking, Native, Default, etc. for complete newbies like me :-( – None – 2015-01-31T15:13:55.393

1

@CompleteNewbie There are hundreds of explanations on the Internet -- no point in just repeating them here. As Mike says, if you have a specific question about VLANs or trunking, we're happy to help. – Ron Trunk – 2015-01-31T18:18:14.927

This is a really good answer. Thank you. – Fr0ntSight – 2017-02-11T00:05:31.960

Great explanation, I don't think I have read one as brief and detailed at the same time clearly stating the concept of tagged and untagged. – htm11h – 2018-03-04T18:49:34.807

@user13659 There is =). Check out this article.

– Eddie – 2018-03-29T19:39:39.257

27

The above answers are quite technical. Think of it this way:

In fact, VLANs and tagging are nothing more than a logical separation of networks, in contrast to a physical one. Now what does that mean?

If there were no VLANs you would need one switch for each broadcast domain. Imagine the cabling involved and also the potential number of NICs required at the hosts. So first, VLANs allow you to have multiple independent layer 2 constructs within the same switch.

Since now you can have multiple networks on each link/port you have to somehow be able to distinguish which packet belongs to which network. That's why they are tagged. If a port carries more than one VLAN it's also usually called a trunk. (for n>1 VLANs, at least n-1 VLANs have to be tagged and there can be one untagged VLAN, the native VLAN)

Generally you have to distinguish packets at port ingress (incoming "from the cable") and egress (outgoing "into the cable"):

Ingress

  • ingress untagged: this is where the native VLAN of the port comes in. If the switch has multiple VLANs configured, you have to tell the switch to which VLAN an incoming untagged packet belongs;

  • ingress tagged: well, if it comes in tagged, then it's tagged, and you can't do much about it. If the switch doesn't know about tagging or about that precise VLAN, it will reject it, sometimes you have to activate some kind of ingress-filter though. You can also force a port to accept untagged or tagged packets only.

Egress

  • egress untagged: for each port you can select one VLAN whose outgoing packets on that port are not tagged (e.g. because the host doesn't support it, or only one VLAN is required, for example for a PC, printer, etc.);

  • egress tagged: You have to tell the switch which VLANs to make available on the port and if more than one, all but one have to be tagged anyway.

What happens inside the switch

A switch has an FDB (Forwarding DataBase) which

  • in a switch that is not VLAN capable (sometimes called "unmanaged" or "dumb", ...): associates a host (MAC address) to a port: the FDB is a table made up of tuples of two elements: (MAC, port)

  • in a switch that is VLAN capable (sometimes called "managed" or "smart", ...): associates (VLAN, MAC) tuples to a port: the FDB is a table made up of tuples of three elements: (MAC, port, VLAN).

    The only restriction here is that one MAC address cannot appear in the same VLAN twice, even if on different ports (essentially the VLAN in VLAN-capable switches replaces the notion of port in non-VLAN-capable switches). In other words:

  • There can be multiple VLANs per port (which is why there need to be tags at some point).
  • There can be multiple VLANs per port and per MAC: the same MAC address can appear in different VLANs and on the same port (although I wouldn't recommend that for sanity purposes).
  • The same MAC address still cannot appear on the same VLAN but on different ports (different hosts having the same MAC address in the same layer 2 network).

Hope this clears the confusion a little bit ;-)

Marki

Posted 2014-02-25T09:07:51.200

Reputation: 691
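As an added worked example (not part of Marki's answer), the ingress and egress rules and the (MAC, port, VLAN) forwarding database above as a small switch model in Python. Each port has a PVID (the access VLAN, or the native VLAN on a trunk) plus a set of VLANs carried tagged; an untagged ingress frame is classified into the PVID, a tagged one is accepted only if the port carries that VLAN, learning is keyed by (VLAN, MAC), and flooding stays inside the VLAN. The class and port names, MAC addresses and VLAN numbers are assumptions made for this example, not from the original page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int] = None          # None: the frame is untagged on the wire


@dataclass
class Port:
    name: str
    pvid: int                          # VLAN for untagged ingress: access VLAN, or native VLAN on a trunk
    tagged: frozenset = frozenset()    # VLANs carried tagged on this port; empty => access port

    @property
    def vlans(self) -> frozenset:
        return self.tagged | {self.pvid}


class VlanSwitch:
    """Minimal VLAN-aware switch: FDB keyed by (VLAN, MAC), flooding confined to one VLAN."""

    def __init__(self, ports: List[Port]):
        self.ports = {p.name: p for p in ports}
        self.fdb: Dict[Tuple[int, str], str] = {}   # (vlan, mac) -> port name

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """Ingress rule: untagged -> PVID/native VLAN; tagged -> accepted only if the port
        carries that VLAN (ingress filtering), otherwise None (drop)."""
        if frame.vid is None:
            return port.pvid
        return frame.vid if frame.vid in port.tagged else None

    def egress(self, port: Port, vlan: int, frame: Frame) -> Frame:
        """Egress rule: the port's one untagged VLAN leaves without a tag, every other VLAN tagged."""
        return Frame(frame.dst, frame.src, None if vlan == port.pvid else vlan)

    def receive(self, in_port_name: str, frame: Frame) -> List[Tuple[str, Frame]]:
        """Process one ingress frame and return the (port, frame) pairs that would be sent."""
        in_port = self.ports[in_port_name]
        vlan = self.classify(in_port, frame)
        if vlan is None:
            return []
        self.fdb[(vlan, frame.src)] = in_port_name     # learn: one entry per (VLAN, MAC), last wins
        known = self.fdb.get((vlan, frame.dst))
        if known == in_port_name:
            return []                                  # destination sits behind the ingress port
        if known is not None:
            targets = [self.ports[known]]
        else:                                          # unknown unicast or broadcast: flood, but
            targets = [p for n, p in self.ports.items()  # only out of ports that carry this VLAN
                       if n != in_port_name and vlan in p.vlans]
        return [(p.name, self.egress(p, vlan, frame)) for p in targets]


if __name__ == "__main__":
    # Constructed topology: gi1 = Green access port (VLAN 10), gi2 = Blue access port (VLAN 20),
    # gi24 = trunk to the router carrying 10 and 20 tagged with native VLAN 99.
    sw = VlanSwitch([Port("gi1", pvid=10), Port("gi2", pvid=20),
                     Port("gi24", pvid=99, tagged=frozenset({10, 20}))])
    print(sw.receive("gi1", Frame("ff:ff:ff:ff:ff:ff", "aa:aa:aa:aa:aa:aa")))      # tagged 10 on gi24 only
    print(sw.receive("gi24", Frame("aa:aa:aa:aa:aa:aa", "ee:ee:ee:ee:ee:ee", 10)))  # untagged out of gi1
    print(sw.receive("gi24", Frame("ff:ff:ff:ff:ff:ff", "ee:ee:ee:ee:ee:ee")))     # native 99: nowhere to go
    print(sw.fdb)
```

The run shows the three points of the answer: the same router MAC can be learned in VLAN 10, 20 and 99 on the same trunk port without conflict, a Green broadcast never reaches the Blue access port, and an untagged frame arriving on the trunk is silently placed into the native VLAN, which is why the native VLAN of a trunk needs to be chosen deliberately.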

8

The de facto VLAN encapsulation protocol is 802.1Q (dot1q). Its most basic function is to retain VLANs across switches. Since VLANs are locally significant to the switch, you have to tag a frame going to nearby switches to let them know what logical grouping that frame belongs to.

Ryan Foley

Posted 2014-02-25T09:07:51.200

Reputation: 5 094

2

By default, the native VLAN is the default VLAN. A trunk port can carry multiple VLANs to route traffic to the router or a switch. VLAN is a layer 2 protocol, and it segments a layer 2 network; VLANs can only communicate through a layer 3 device such as a router or a layer 3 switch.

The native VLAN is used so that untagged frames can communicate without the need for a router. It is best security practice to change the default/native VLAN to another VLAN using this command: switchport trunk native vlan .

Cisco switches support IEEE 802.1Q encapsulation and ISL.

chris

Posted 2014-02-25T09:07:51.200

Reputation: 147