Tagged VLANS vs Untagged VLANS (what’s the difference?)

In networking, when we talk about untagged VLANs, or untagged traffic, we're referring to Ethernet frames that don't carry any VLAN tag information, i.e., traffic with no VLAN tag for a receiving switch port or device to read. In contrast, tagged traffic carries a VLAN tag inside the Ethernet frame that switches and devices can read to identify which VLAN the frame belongs to, and then make a forwarding decision based on that information.

Untagged:

Untagged traffic refers to Ethernet frames that contain no VLAN tags or VLAN information in their headers. When a switch port is configured as untagged for a specific VLAN (let's say VLAN 10), and has a PVID (Port VLAN ID) of 10, any untagged traffic entering the network through that port is automatically assigned internally to VLAN 10. The switch assumes it is destined for VLAN 10 and associates the traffic with VLAN 10 internally, meaning that up until this point no VLAN tags have been added to the headers of these frames.

In a typical setup, anything other than untagged traffic hitting an untagged port should be dropped. Likewise, as mentioned above, untagged switch ports keep the VLAN mapping internal, i.e., they do not add VLAN tags to outgoing traffic. This ensures that all traffic associated with the PVID leaves the port untagged.

Tagged:

Tagged traffic refers to Ethernet frames with VLAN information embedded in their headers as per the IEEE 802.1Q standard. These VLAN tags identify the VLAN the frame belongs to.

Switch ports configured as tagged or "trunk" ports can read this VLAN information and make forwarding decisions to direct the frame to the correct VLAN. When a tagged frame arrives on a tagged port, the switch forwards the frame with its VLAN tag intact unless the frame is destined for an untagged port, in which case the VLAN tag is removed before forwarding. So, VLAN tags are used to transfer VLAN traffic between devices, ensuring that traffic is correctly distributed and kept separated across the network.

In a typical setup, tagged ports are configured to handle specific VLANs, such as VLANs 10 and 20. This configuration allows traffic tagged with VLAN 10 or VLAN 20 to be received on those ports.
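To make the 802.1Q tag concrete, here is an added Python example (not code from the article) that builds an Ethernet frame with and without the 4-byte tag, parses the tag back out, and performs the two operations a switch does at egress: strip the tag for an untagged port and insert one for a tagged port. The MAC addresses and payload are constructed sample values; the TPID value 0x8100 and the TCI layout (3-bit PCP, 1-bit DEI, 12-bit VLAN ID) come from the standard.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet II frame; insert an 802.1Q tag after the source MAC when vid is given.

    The tag is TPID (0x8100) followed by the TCI: 3-bit PCP (priority),
    1-bit DEI (drop eligible) and the 12-bit VLAN ID.
    """
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vid <= 4094:
        # VID 0 means "priority tagged, no VLAN" and 4095 is reserved, so neither is a usable VLAN
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return a dict with dst, src, vid (None when untagged), pcp, dei, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        # Untagged: the two bytes after the source MAC are already the EtherType.
        return {"dst": dst, "src": src, "vid": None, "pcp": None, "dei": None,
                "ethertype": tpid, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("tagged frame truncated inside the 802.1Q header")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "dei": (tci >> 12) & 0x1, "ethertype": ethertype, "payload": frame[18:]}


def strip_tag(frame):
    """What an untagged (access) port does on egress: remove the 4-byte tag if present."""
    if parse_frame(frame)["vid"] is None:
        return frame
    return frame[:12] + frame[16:]       # drop bytes 12..15 (TPID + TCI)


def add_tag(frame, vid, pcp=0):
    """What a tagged (trunk) port does on egress for PVID traffic: insert a tag for vid."""
    f = parse_frame(frame)
    if f["vid"] is not None:
        raise ValueError("frame is already tagged")
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vid=vid, pcp=pcp)


if __name__ == "__main__":
    # Constructed sample frame: broadcast destination, locally administered source MAC, dummy payload.
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("021122334455")
    tagged = build_frame(dst, src, ETHERTYPE_IPV4, b"hello", vid=10, pcp=5)
    print("tagged frame  :", tagged.hex())
    print("parsed        :", parse_frame(tagged))
    print("after untag   :", parse_frame(strip_tag(tagged))["vid"])
```

The tag sits between the source MAC and the EtherType, which is why a device that does not understand 802.1Q sees 0x8100 where it expects an EtherType and cannot interpret the frame; that is also why an access port is expected to drop tagged frames rather than guess at them.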

Hybrid:

Hybrid ports accept VLAN tagged and untagged traffic. This can be used to allow an untagged/default VLAN to span across tagged ports if required.

To keep things secure and simple, it's best to explicitly define which tagged VLANs are allowed over your tagged ports. Complex configs can be useful in some situations, but adding complexity and overhead to the network is never ideal.


Let's explore some scenarios. For instance, consider switch ports configured as follows:


Port 1: Untagged PVID = 10
Port 2: Untagged PVID = 10

When an untagged frame arrives on Port 1, the switch internally assigns it to VLAN 10. The switch then forwards it towards its destination within the VLAN 10 network. Any other port on the switch (in this case Port 2) that's set with a PVID of 10 will be able to receive VLAN 10 traffic from Port 1, and vice versa.

Now take a look at this example:


Port 1: Untagged PVID = 10
Port 2: Untagged PVID = 20
Port 3: Tagged VLAN 10, VLAN 20

Port 3 is our tagged port, which is being used as an uplink. The other end of this uplink is usually a router port, another switch, or some other VLAN-aware device.

When untagged traffic from Port 1 or Port 2, already associated with its port's PVID, needs to leave through Port 3, that PVID must match one of the VLANs set as tagged on Port 3. The switch adds a VLAN tag to the traffic based on that PVID association before forwarding it out of its tagged port, so it leaves as tagged traffic. This tagging happens as the traffic leaves the tagged port. Traffic leaving a tagged port destined for another tagged port remains tagged as it travels between tagged ports. With this in mind we know that:

When traffic from Port 1 is forwarded out through Port 3, the switch checks the VLAN that traffic was associated with at ingress, which is VLAN 10 from Port 1's PVID. It then adds a VLAN 10 tag to the traffic before forwarding it out. Similarly, when traffic from Port 2 is forwarded out through Port 3, the switch checks its VLAN association, which is VLAN 20 from Port 2's PVID, and tags the traffic as VLAN 20 before forwarding it out.

This way, traffic is correctly tagged from Port 1 and Port 2 with the appropriate VLAN IDs, ensuring proper segregation and forwarding of traffic to the correct VLANs via the uplink port.
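The two scenarios above, plus the hybrid-port and default-VLAN cases described elsewhere on this page, can be run through a small switch model. The following Python is an added example, not the article's own material: it implements the ingress rule (untagged frame takes the port's PVID; tagged frame is accepted only if its VLAN is in the port's tagged list; anything else is dropped) and the egress rule (PVID traffic leaves untagged, tagged-list traffic leaves with its tag, non-members get nothing). The `Frame`, `Port` and `Switch` names and the flood-to-all-members behaviour are assumptions of this model; a real switch would also learn MAC addresses.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

DEFAULT_VLAN = 1  # VLAN 1: where an unconfigured port puts untagged traffic


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]      # None means the frame carries no 802.1Q tag
    payload: str = ""


@dataclass(frozen=True)
class Port:
    name: str
    pvid: Optional[int] = DEFAULT_VLAN     # VLAN given to untagged ingress; None = pure trunk, no untagged
    tagged: frozenset[int] = frozenset()   # VLANs carried with a tag; empty set = access port


class Switch:
    """Ingress classification and egress tagging for a set of VLAN-aware ports.

    No MAC learning is modelled: a frame is flooded to every other port that is a
    member of its VLAN, which is enough to show the tag/untag/drop decisions.
    """

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def ingress(self, port_name: str, frame: Frame) -> Optional[int]:
        """Map an arriving frame to an internal VLAN, or None if the port drops it."""
        p = self.ports[port_name]
        if frame.vid is None:
            return p.pvid          # untagged: PVID decides (None on a pure trunk means drop)
        if frame.vid in p.tagged:
            return frame.vid       # tagged and allowed on this trunk/hybrid port
        return None                # tagged but not allowed; an access port drops every tagged frame

    def egress(self, port_name: str, vlan: int, frame: Frame) -> Optional[Frame]:
        """Decide how (or whether) a frame belonging to `vlan` leaves this port."""
        p = self.ports[port_name]
        if vlan == p.pvid:
            return Frame(None, frame.payload)   # PVID traffic leaves untagged
        if vlan in p.tagged:
            return Frame(vlan, frame.payload)   # trunk member: the tag carries the VLAN onward
        return None                             # this port is not a member of the VLAN

    def forward(self, in_port: str, frame: Frame) -> dict[str, Frame]:
        """Return {out_port: frame as transmitted} for a frame arriving on in_port."""
        vlan = self.ingress(in_port, frame)
        if vlan is None:
            return {}
        out = {}
        for name in self.ports:
            if name == in_port:
                continue
            sent = self.egress(name, vlan, frame)
            if sent is not None:
                out[name] = sent
        return out


def scenario_two() -> Switch:
    """The article's second scenario: two access ports and one tagged uplink."""
    return Switch([
        Port("Port 1", pvid=10),
        Port("Port 2", pvid=20),
        Port("Port 3", pvid=None, tagged=frozenset({10, 20})),
    ])


if __name__ == "__main__":
    sw = scenario_two()
    print(sw.forward("Port 1", Frame(None, "from a PC on VLAN 10")))   # tagged 10 out Port 3
    print(sw.forward("Port 3", Frame(20, "from the router")))          # untagged out Port 2
    print(sw.forward("Port 3", Frame(30, "VLAN not allowed")))         # {} dropped at ingress
    print(sw.forward("Port 1", Frame(10, "tagged at access port")))    # {} dropped at ingress
```

Two points the model makes visible: Port 2 never sees traffic from Port 1 because it is not a member of VLAN 10 in either its PVID or its tagged list, and a frame tagged VLAN 30 arriving on Port 3 goes nowhere because the uplink's allowed list is explicit, which is exactly why the page recommends listing allowed VLANs on tagged ports rather than permitting everything.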

Key Takeaways:

1. Untagged Traffic and Untagged Ports:

  • What is untagged traffic?
    Traffic that does not have a VLAN tag in its Ethernet frame.
  • How does the switch handle it?
    When untagged traffic enters an untagged port (commonly called an access port), the switch assigns it to a VLAN based on the port’s PVID (Port VLAN ID).
  • Example:
    • Port 1 has a PVID of 10.
    • Untagged traffic entering Port 1 is assigned to VLAN 10.
    • That traffic can now be forwarded to other ports in VLAN 10.
  • Security Note:
    Access ports should be configured to drop any incoming tagged traffic for better security.

2. Tagged Traffic and Tagged Ports:

  • What is tagged traffic?
    Traffic that already has a VLAN tag in its Ethernet frame, indicating which VLAN it belongs to.
  • How does the switch handle it?
    When tagged traffic reaches a tagged port (commonly called a trunk port):
    • The switch checks the VLAN tag in the frame.
    • If the VLAN tag matches one of the VLANs allowed on the port, the switch forwards the traffic.
    • If there’s no match, the switch drops the traffic.
  • Example:
    • Port 3 is tagged for VLANs 10 and 20.
    • A frame with VLAN 10 is forwarded.
    • A frame with VLAN 30 is dropped.

3. How VLAN Membership is Determined:

  • For Untagged Ports:
    The port’s PVID determines the VLAN association for incoming untagged traffic.
    • Example: Port 2 has PVID 20. All untagged traffic entering this port is assigned to VLAN 20.
  • For Tagged Ports:
    The VLAN tag in the traffic determines its VLAN membership.
    • Example: A frame tagged with VLAN 10 is assigned to VLAN 10.

4. Default Behavior for Unconfigured Ports:

  • Devices like PCs and printers typically send untagged traffic.
  • If a switch is unmanaged or unconfigured, traffic is usually assigned to VLAN 1 (the “Default VLAN”) for communication across all ports.

Important Points:

  • Untagged ports (access ports) assign traffic to a VLAN using the PVID.
  • Tagged ports (trunk ports) forward traffic based on the VLAN tag in the frame.
  • For proper operation, ports should be configured to allow only the necessary VLANs.
  • The default VLAN (VLAN 1) is used when no other configuration is applied.