Episode 106: Port Tagging and 802.1Q — Trunks and VLAN IDs
In Episode One Hundred and Six of the Network Plus PrepCast, we focus on the essential process of port tagging and its foundation—the 802 dot 1 Q standard. Port tagging is what makes V L A Ns work across multiple switches and routers. Without tagging, a switch has no way to know which V L A N a frame belongs to once it leaves a local port. Tagging ensures that when traffic moves between devices, its V L A N membership travels with it. This enables scalable, segmented networking across large infrastructures while preserving the separation of each logical group.
802 dot 1 Q is the industry standard that enables this tagging. Whether you're configuring a basic V L A N on a two-switch setup or building a multi-tiered enterprise topology, 802 dot 1 Q is at the core of trunking and inter-switch communication. It’s universally supported by modern managed switches and routers, making it an essential concept for network engineers. By adding a V L A N ID to each Ethernet frame, the 802 dot 1 Q tag tells downstream devices exactly how to process that frame—ensuring the right packet reaches the right V L A N.
To understand how tagging works, we first need to revisit the concept of V L A N trunking. In a V L A N-enabled network, trunking allows a single physical link to carry traffic from multiple V L A Ns. Rather than running a separate cable for each V L A N between switches, a trunk link aggregates them into a single connection. This is essential for scalability. Tags are used on these trunk links to indicate which V L A N each frame belongs to, so that the receiving switch can assign the frame to the correct virtual network.
The tagging itself is defined by 802 dot 1 Q, which inserts a four-byte tag directly into the Ethernet frame, between the source MAC address and the EtherType field. The tag carries several important fields: a tag protocol identifier that marks the frame as tagged, a priority code point used for Quality of Service, a canonical format indicator, and most importantly, the V L A N ID. The V L A N ID tells the receiving device which virtual network the frame belongs to, enabling correct forwarding and enforcement of V L A N boundaries.
The V L A N ID field in the 802 dot 1 Q tag is twelve bits long. This allows for up to four thousand ninety-six possible values. However, not all of these are usable for standard traffic. V L A N zero is reserved for priority tagging, and V L A N forty ninety-five is reserved for implementation-specific use. That leaves V L A Ns one through forty ninety-four for general use. This wide range allows network designers to segment traffic finely, assigning V L A Ns for departments, traffic types, services, and security zones throughout the organization.
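As an added illustration of the tag layout just described (example code, not from the PrepCast), the following Python routines insert an 802 dot 1 Q tag after the source MAC address, pack the priority, canonical format indicator and V L A N ID bits, and parse them back out, rejecting the reserved V L A N ID 4095 and treating V L A N ID 0 as a priority tag that falls into the native V L A N. The TPID values 0x8100 and 0x88A8 and the sample ARP frame are assumptions of the example; the parser also collects stacked tags so a frame carrying more than one tag is reported as such rather than silently collapsed.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that identifies a customer (C-tag) 802.1Q tag
TPID_8021AD = 0x88A8  # service tag (S-tag) TPID used when tags are stacked
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)
# Constructed sample: broadcast destination, locally administered source, ARP EtherType.
SAMPLE_UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0806") + bytes(28)

def build_tci(vid: int, pcp: int = 0, dei: int = 0) -> int:
    """Pack PCP (3 bits), DEI/CFI (1 bit) and VID (12 bits) into the 16-bit TCI."""
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI must be 0 or 1")
    if not 0 <= vid <= 4094:  # 4095 is reserved; VID 0 means 'priority tag only'
        raise ValueError(f"VID {vid} cannot be carried in a tag")
    return (pcp << 13) | (dei << 12) | vid

def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a four-byte tag between the source MAC address and the EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tag = struct.pack("!HH", TPID_8021Q, build_tci(vid, pcp, dei))
    return frame[:12] + tag + frame[12:]

def parse_frame(frame: bytes) -> dict:
    """Walk the header, collecting every stacked tag until a non-tag EtherType appears."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated header")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in TAG_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    return {"dst": frame[:6], "src": frame[6:12], "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}

def effective_vid(parsed: dict, native_vid: int) -> int:
    """VLAN a trunk port assigns the frame to: untagged and priority-tagged (VID 0)
    frames land in the native VLAN, otherwise the outermost tag's VID decides."""
    if not parsed["tags"] or parsed["tags"][0]["vid"] == 0:
        return native_vid
    return parsed["tags"][0]["vid"]
```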
A critical distinction in 802 dot 1 Q tagging is the difference between tagged and untagged frames. Tagged frames include the V L A N header that identifies which V L A N the frame belongs to. Untagged frames, on the other hand, have no such identifier. On trunk links, untagged frames are automatically assumed to belong to the native V L A N. The native V L A N is typically used for management traffic or legacy devices that don’t support tagging. It's important that the native V L A N be configured identically on both ends of a trunk. If not, mismatched native V L A Ns can result in misdirected traffic or security breaches.
This brings us to the role of the native V L A N. In a trunk configuration, the native V L A N is the default V L A N for any untagged traffic that arrives on the link. It is an essential part of trunking behavior. Both switches must agree on what V L A N is used as the native one, or unexpected issues can occur. For example, if one switch assigns untagged traffic to V L A N 1 and the other assigns it to V L A N 10, traffic may bypass expected filtering policies. This can lead to V L A N leakage or worse—unauthorized access to isolated segments.
Another concept critical to V L A N operations is the difference between access ports and trunk ports. Access ports carry traffic for only one V L A N and are typically used to connect end-user devices like workstations or printers. Trunk ports, on the other hand, are configured to carry traffic for multiple V L A Ns and are used for switch-to-switch or switch-to-router connections. This distinction is defined in the switch configuration. Mislabeling a port can prevent V L A N traffic from being recognized properly or may allow unintended traffic to pass through.
In Cisco environments, a feature called Dynamic Trunking Protocol, or D T P, is often used to negotiate trunk links automatically. D T P allows two Cisco switches to determine whether a link should operate in trunk mode. Ports can be set to modes like on, off, auto, or desirable, which influence how they behave when connected to another device. However, relying on D T P can cause problems in mixed-vendor environments or when ports are inadvertently left in dynamic mode. Best practice typically involves disabling D T P and manually configuring trunk ports to avoid trunking mismatches.
Historically, Cisco also supported a proprietary encapsulation called I S L, or Inter-Switch Link. I S L inserted a different type of tag into the frame and was only compatible with Cisco hardware. However, I S L is now obsolete and is no longer used in modern networks. 802 dot 1 Q is the only tagging method supported by current equipment from all major vendors. This universal adoption makes 802 dot 1 Q the standard you’ll see in any exam question or real-world configuration involving V L A N tagging.
One important consideration in frame tagging is how the added header affects the frame size. The 802 dot 1 Q tag adds four bytes to the Ethernet frame, increasing the total frame size from fifteen hundred bytes to fifteen hundred and four. While this seems minor, it can be significant on older or misconfigured equipment. Some devices may discard frames that exceed the maximum transmission unit. This has led to the use of baby jumbo frames—slightly larger frames that can accommodate the tag without loss. Ensuring all network devices support tagged frames is critical to maintaining smooth operation across V L A N trunks.
Configuring trunk ports on switches is a critical step in enabling 802 dot 1 Q tagging. Trunk ports must be explicitly set to trunk mode in most managed switch platforms. This is often done using interface-level commands that define the port’s mode, specify which V L A Ns are allowed on the link, and set the native V L A N for untagged frames. The list of allowed V L A Ns controls which traffic can traverse the trunk. If a required V L A N is not included, devices within that V L A N will be unable to communicate across switches. Proper trunk configuration ensures that V L A N integrity is preserved across the entire infrastructure.
After configuring trunk ports, verification becomes an important task. Network administrators use show interface trunk commands to display trunk port status, including the native V L A N, the list of allowed V L A Ns, and the port's current operating mode. This output helps confirm that trunking is functioning correctly and that V L A Ns are being passed as expected. If a device on one switch can’t reach a peer in the same V L A N on another switch, trunk configuration should be among the first areas examined for misalignment or omissions.
Common trunking errors often arise from inconsistencies in configuration. One such error is a native V L A N mismatch. If the two ends of a trunk link assign different V L A Ns as the native V L A N, untagged traffic may be interpreted incorrectly, leading to data leakage or communication failures. Another frequent issue is missing V L A Ns on the trunk. If a required V L A N is not part of the allowed list, that V L A N’s traffic will not traverse the trunk, even if everything else is configured properly. Port mode mismatches—where one end is set to access mode and the other to trunk—can also prevent successful communication.
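The trunk configuration and the three error classes covered above (native V L A N mismatch, missing V L A Ns, port mode mismatch) can be checked mechanically; the following Python is an added example, not PrepCast material, that expands an allowed-V L A N string such as "10,20-30" and compares both ends of a link. The dictionary fields "mode", "native" and "allowed", and the two sample switch configurations, are assumptions of the example, not output of any vendor's show command.

```python
def parse_vlan_list(spec: str) -> set:
    """Expand an allowed-VLAN string such as '1,10,20-30' into a set of VIDs.
    'all' means every usable VID (1-4094); 'none' or an empty string means no VLANs."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, 4095))
    if spec in ("", "none"):
        return set()
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part}")
        vids.update(range(lo, hi + 1))
    return vids

def check_trunk(local: dict, remote: dict, required: set = frozenset()) -> list:
    """Compare both ends of one link; return findings (an empty list means consistent).
    Each end is a dict with 'mode' ('trunk' or 'access'), 'native' (int) and 'allowed' (str)."""
    findings = []
    if local["mode"] != remote["mode"]:
        findings.append(f"port mode mismatch: {local['mode']} vs {remote['mode']}")
        return findings  # nothing else is meaningful until both ends agree on trunking
    if local["mode"] != "trunk":
        return findings  # an access link carries one untagged VLAN; native/allowed do not apply
    if local["native"] != remote["native"]:
        findings.append(f"native VLAN mismatch: {local['native']} vs {remote['native']}")
    allowed_local = parse_vlan_list(local["allowed"])
    allowed_remote = parse_vlan_list(remote["allowed"])
    only_local = sorted(allowed_local - allowed_remote)
    only_remote = sorted(allowed_remote - allowed_local)
    if only_local:
        findings.append(f"VLANs allowed only on local end: {only_local}")
    if only_remote:
        findings.append(f"VLANs allowed only on remote end: {only_remote}")
    # A VLAN crosses the trunk only if both ends allow it.
    missing = sorted(set(required) - (allowed_local & allowed_remote))
    if missing:
        findings.append(f"required VLANs not carried by the trunk: {missing}")
    return findings

# Constructed sample: switch A allows a VLAN that switch B has pruned, and natives differ.
SWITCH_A = {"mode": "trunk", "native": 1, "allowed": "10,20,30"}
SWITCH_B = {"mode": "trunk", "native": 10, "allowed": "10,20"}

if __name__ == "__main__":
    for finding in check_trunk(SWITCH_A, SWITCH_B, required={10, 20, 30}):
        print(finding)
```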
Trunking doesn’t apply only to switch-to-switch links. When routing between V L A Ns is required, trunking is used in conjunction with routers as well. This configuration is known as router-on-a-stick. In this setup, a single physical interface on the router is divided into multiple subinterfaces, each assigned to a different V L A N. The switch connected to the router must have its port configured as a trunk, allowing all necessary V L A Ns to reach the router. The router then routes traffic between the V L A Ns, providing inter-V L A N communication on a single cable.
Wireless networks also rely heavily on V L A N tagging. Each SSID broadcast by an access point can be mapped to a unique V L A N, allowing for separation of guest, corporate, and voice traffic. The access point or wireless controller applies the appropriate 802 dot 1 Q tag to each frame before forwarding it to the wired network. This enables wireless traffic to maintain the same logical segmentation as the wired side, ensuring consistent security and performance policies across the entire network. V L A N tagging in wireless setups is a common feature in enterprise deployments and is often tested on the Network Plus exam.
V L A N hopping is a security concern that involves exploiting trunking configurations to gain access to unauthorized V L A Ns. One common technique involves sending double-tagged frames, where the outer tag matches the native V L A N and is stripped by the first switch, leaving the inner tag to be interpreted by the next switch. To mitigate this, administrators should disable Dynamic Trunking Protocol on all non-trunk ports, manually configure trunk links, and avoid using the default V L A N for sensitive traffic. Where possible, access ports should be used instead of trunks for end-user connections, and native V L A Ns should be set to an unused or black-hole V L A N.
V L A N pruning is a technique used to improve security and efficiency by removing unused V L A Ns from trunk links. By default, trunks may allow all V L A Ns, even those not used on the connected switches. This increases unnecessary traffic and opens potential security risks. By explicitly defining which V L A Ns are allowed on each trunk, administrators can reduce the attack surface and prevent broadcast traffic from spreading needlessly. Pruning also makes it easier to audit and troubleshoot V L A N assignments, as the presence of traffic is always intentional and defined.
802 dot 1 Q and port tagging are central to enabling multi-V L A N operation across modern switched networks. By tagging frames with V L A N identifiers, switches can ensure that traffic from different virtual networks remains separate, even when sharing the same physical infrastructure. This tagging makes it possible to segment traffic logically, implement Quality of Service, and enforce access control at scale. Trunking supports this by allowing a single link to carry traffic from many V L A Ns, reducing hardware costs and simplifying cabling. The combination of tagging and trunking provides a scalable and secure framework for enterprise networking.
To recap, port tagging using the 802 dot 1 Q standard is what enables switches to distinguish traffic from multiple V L A Ns as it travels across trunk links. Tagging inserts a small header into the Ethernet frame that carries the V L A N ID, allowing receiving switches to forward the frame to the correct V L A N. Trunk ports carry traffic from many V L A Ns, and configuration must ensure that allowed V L A Ns and native V L A Ns are matched on both ends. Security practices like pruning and disabling D T P help prevent attacks, while router-on-a-stick and wireless tagging extend V L A N functionality across all layers of the network.
