A Virtual Local Area Network, or VLAN, is a logical construct configured within a switch that creates distinct broadcast domains, partitioned and isolated at the Data Link Layer, or Layer 2 of the OSI model.
A VLAN enables the segmentation of a physical network into these smaller logical networks, or VLANs, based on factors other than physical location, such as by department, project, or application.
Now when switches are connected to each other within the infrastructure of a network, Ethernet frames that are sent over these links must maintain the VLAN information associated with each particular frame. This is achieved using VLAN tagging.
In this article we’ll compare and discuss Tagged Vs Untagged Vs Native VLANs in Ethernet Networks, so let’s get started.
Trunk Ports
In most enterprise networks, any deployed layer 2 switch will have multiple VLANs configured on it.
Each port that connects to an end device, called an access port, is assigned to a particular VLAN. Each access port belongs to a single VLAN.
Switches that connect to each other in such a network must be connected using a trunk port.
A trunk port is configured in such a way so that it can carry frames from multiple VLANs.
The following diagram illustrates this:
The devices on VLAN 5 can communicate with each other at Layer 2, without the need for a router.
Similarly, those on VLAN 6 and VLAN 7 can also communicate with devices in the same VLAN.
In order for this to occur, the link between the switches must be capable of carrying the VLAN information of each frame as it traverses the link. Only ports configured as trunk ports can achieve this (i.e. carry multiple VLANs).
What are Tagged and Untagged Frames?
By definition, frames on the data plane that exit a trunk port are always tagged. If Laptop 1 sends a frame to PC1, when the frame exits the trunk port on SW1, a tag containing the VLAN ID with a value of 5 will be added. Such a frame is known as a tagged frame.
The following illustrates the difference between a normal Ethernet frame (untagged), which you would see coming from an access port, and a tagged Ethernet frame, which is expected to come from a trunk port:
Normal “untagged” Ethernet frame
“Tagged” Ethernet frame
Notice that in the tagged Ethernet frame, an extra field appears with four further sub-fields. We won’t detail the other subfields, but we will look at the VLAN ID subfield. This is a 12-bit field that contains the value of the VLAN ID to which that particular frame belongs.
Looking at our original diagram, imagine Laptop 1 sends a frame to PC 1. That frame will exit Laptop 1 as an untagged Ethernet frame, and will enter the access port on SW1.
That access port is configured to be on VLAN 5. That frame will exit the trunk port of SW1. It is upon egress of the trunk port that the VLAN tag of 5 is added to the Ethernet frame, as shown in the diagram below.
Untagged and tagged frames in the communication between Laptop 1 and PC 1
The tagged frame reaches the trunk port of SW2, and on ingress, the tag is read, removed, and the frame is placed on VLAN 5. When the frame exits the access port connected to PC1 you can see once again that the frame is untagged.
Notice that tagged frames exist only on the trunk link. Tags are added upon egress, and stripped upon ingress.
From this example, it is quite clear that the purpose of tags on Ethernet frames is to allow for switches to send and receive frames from all of their configured VLANs over a single physical link.
Otherwise, you would have to configure multiple access ports with discrete physical links between the switches, one for every configured VLAN. Of course, this is not scalable, efficient, or convenient, which is why trunks and tagged frames are used.
The process of tagging Ethernet frames is standardized in IEEE’s 802.1Q standard, and is used by Cisco switches as well as switches belonging to other vendors.
What is a Native VLAN?
Now there is an interesting conundrum that has developed regarding trunk ports. What would happen if an untagged frame was received on a trunk port? Remember, a trunk port expects to see a VLAN ID in the tag so that it knows on what VLAN the frame will be placed. If there is no tag, the switch does not know to which VLAN the frame belongs.
That’s where the native VLAN comes in. Trunk ports are configured with a parameter called the native VLAN.
If an untagged frame arrives on a trunk port, it will be placed on the configured native VLAN. By default, the native VLAN on Cisco switches is VLAN 1. However, you can change this configuration, and it is actually best practice to do so.
But this begs the question, under what circumstances would you receive an untagged frame on a trunk port? Well, here’s a scenario:
Scenario where untagged frames enter a trunk port
Here we’ve added a hub between the two switches. Remember a hub sends traffic out of all of its ports. If Laptop 2 sends frames onto the hub, the hub will regenerate those frames and send them to both trunk ports on both switches, resulting in untagged frames entering a trunk port.
Now the above topology should never be implemented under any circumstances. Even so, it does demonstrate how an ill-conceived design or an accidental connection can result in such situations.
In certain valid situations, we may encounter untagged frames entering a trunk port, typically in cases involving the control plane.
An instance of this is when Dynamic Trunking Protocol (DTP) utilizes the pre-set native VLAN for communication between switches.
Unlike DTP, other protocols such as Spanning Tree Protocol (STP), VLAN Trunking Protocol (VTP), Cisco Discovery Protocol (CDP), and Port Aggregation Protocol (PAgP) always communicate using untagged frames.
Interestingly, these protocols will always use VLAN 1, irrespective of whether the native VLAN is set to something else.
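As an added example (not code from the original article), the following Python models what the tagging section and the native VLAN section describe: a parser that reads the 12-bit VLAN ID out of an 802.1Q tag, trunk egress that inserts the tag, and trunk ingress that strips it or, for an untagged frame, assigns the configured native VLAN. The sample frame bytes are constructed; the TPID value 0x8100 is the EtherType that IEEE 802.1Q reserves for the tag.

```python
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
VID_MASK = 0x0FFF     # the 12-bit VLAN ID sits in the low bits of the TCI


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into its fields; vlan_id is None when untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:          # no tag: plain access-port frame
        return {"dst": dst, "src": src, "vlan_id": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("802.1Q TPID present but the tag is truncated")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vlan_id": tci & VID_MASK,
            "ethertype": inner_type, "payload": frame[18:]}


def trunk_egress(frame: bytes, vlan_id: int) -> bytes:
    """Insert the 802.1Q tag a trunk port adds when a data-plane frame leaves it."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in the range 1..4094")
    if parse_frame(frame)["vlan_id"] is not None:
        raise ValueError("frame is already tagged")
    tag = struct.pack("!HH", TPID_8021Q, vlan_id)   # PCP=0, DEI=0, VID=vlan_id
    return frame[:12] + tag + frame[12:]            # tag goes after the source MAC


def trunk_ingress(frame: bytes, native_vlan: int) -> Tuple[int, bytes]:
    """Model a trunk port receiving a frame: return (vlan placed on, untagged frame).

    A tagged frame lands on the VLAN named in its tag and the tag is stripped;
    an untagged frame carries no VLAN ID, so it lands on the native VLAN.
    """
    info: Optional[int] = parse_frame(frame)["vlan_id"]
    if info is None:
        return native_vlan, frame
    return info, frame[:12] + frame[16:]


# Constructed sample: Laptop 1 -> PC 1, IPv4 EtherType 0x0800, dummy payload
UNTAGGED_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                  + b"\x08\x00" + b"sample payload")
```

Running `trunk_egress(UNTAGGED_FRAME, 5)` produces the frame as it crosses the SW1 to SW2 trunk, and `trunk_ingress` on an untagged frame with `native_vlan=1` shows why the hub scenario above lands traffic on VLAN 1 unless the native VLAN is changed.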
A Note on Terminology
Strictly speaking, VLANs themselves are not tagged or untagged, it is the Ethernet frames that have this characteristic.
However, we often use the term tagged VLAN and untagged VLAN loosely to refer to approximately the same thing. Based on the context in which they are used, one can determine the meaning more clearly.
Comparison Table of Tagged, Untagged, Native VLANs
The following table compares the concepts of tagged, untagged, and native, with an explanation of each.
| Characteristic | Tagged VLAN | Untagged VLAN | Native VLAN |
|---|---|---|---|
| VLAN identifier in frame | Yes | No | Usually untagged, but can be tagged if configured that way |
| Associated with | Multiple VLANs | Single VLAN | Single VLAN |
| Use of VLAN ID | Uses the VLAN ID to identify which VLAN the frame belongs to | Does not use a VLAN ID; assumes all frames belong to the associated VLAN | Does not tag frames with the native VLAN ID (if untagged); otherwise uses the assigned VLAN ID |
| Frame format | VLAN ID is added to the frame | The frame is sent as is, without any VLAN ID | Typically the frame is sent as is, but it can also carry a VLAN ID if configured that way |
| Common uses | Trunk links connecting switches, or connecting to devices that support VLANs | Usually access links, connecting to devices that do not understand VLANs | Carries untagged traffic over a trunk link |
| Switch communication | Can communicate across switches | Typically does not communicate across switches | Can communicate across switches |