Vlan Tagging

IEEE 802.1Q (also known as VLAN Tagging) was a project in the IEEE 802 standards process to develop a mechanism to allow multiple bridged networks to transparently share the same physical network link without leakage of information between networks (i.e. trunking). IEEE 802.1Q is also the name of the standard issued by this process, and in common usage the name of the encapsulation protocol used to implement this mechanism over Ethernet networks.

802.1Q does not actually encapsulate the original frame. Instead, for Ethernet frames using Ethernet II framing, it sets the EtherType value in the Ethernet header to Tag Protocol ID (TPID) 0x8100, identifying this frame as an 802.1Q frame. It then inserts an extra two-bytes of Tag Control Information (TCI) after the TPID, followed by another two bytes containing the frame’s original EtherType. Together the four bytes of TPID and TCI are called the VLAN Tag.

The format of the TCI is







The User Priority is a 3-bit field storing the priority level for the frame. Use of this field is defined in IEEE 802.1p.

The Canonical format indicator (CFI): a 1-bit indicator that is always set to zero for Ethernet switches. CFI is used for compatibility between Ethernet and Token Ring networks. If a frame received at an Ethernet port has a CFI set to 1, then that frame should not be bridged to an untagged port.

VLAN ID (VID): a 12-bit field specifying the VLAN to which the frame belongs. A value of 0 means that the frame doesn’t belong to any VLAN; in this case the 802.1Q tag specifies only a priority and is referred to as a priority tag. A value of hex FFF is reserved for implementation use. All other values may be used as VLAN identifiers, allowing up to 4094 VLANs. On bridges, VLAN 1 is often reserved for management.

For frames using IEEE 802.2/SNAP encapsulation with an OUI field of 00-00-00 (so that the protocol ID field in the SNAP header is an EtherType), as would be the case on LANs other than Ethernet, the EtherType value in the SNAP header is set to hex 8100 and the aforementioned extra 4 bytes are appended after the SNAP header.

Because inserting this header changes the frame, 802.1Q encapsulation forces a recalculation of the original FCS field in the Ethernet trailer. It also increases the maximum frame size by 4 bytes.

Double-tagging can be useful for Internet Service Providers, allowing them to use VLANs internally while mixing traffic from clients that is already VLAN-tagged. The outer tag comes first, followed by the inner tag. In such cases, an alternate TPID such as hex 9100, or even 9200 or 9300, sometimes may be used for the outer tag; however this is being deprecated by 802.1ad, which specifies 88a8 for service-provider outer tags. Triple-tagging is also possible.


Configuring an IEEE 802.1Q Tunneling Port

Beginning in privileged EXEC mode, follow these steps to configure a port as an IEEE 802.1Q tunnel port:





configure terminal

Enter global configuration mode.


interface interface-id

Enter interface configuration mode for the interface to be configured as a tunnel port. This should be the edge port in the service-provider network that connects to the customer switch. Valid interfaces include physical interfaces and port-channel logical interfaces (port channels 1 to 48).


switchport access vlan vlan-id

Specify the default VLAN, which is used if the interface stops trunking. This VLAN ID is specific to the particular customer.


switchport mode dot1q-tunnel

Set the interface as an IEEE 802.1Q tunnel port.



Return to global configuration mode.


vlan dot1q tag native

(Optional) Set the switch to enable tagging of native VLAN packets on all IEEE 802.1Q trunk ports. When not set, and a customer VLAN ID is the same as the native VLAN, the trunk port does not apply a metro tag, and packets could be sent to the wrong destination.



Return to privileged EXEC mode.



Sw3#conf ter

Enter configuration commands, one per line. End with CNTL/Z.

Sw3(config)#vtp mode transparent

Device mode already VTP TRANSPARENT.

Sw3(config)#vlan 666

Sw3(config-vlan)#name Transport-VLAN


Sw3(config)#int range f0/21 – 22


Sw3(config-if-range)#switchport mode dot1q-tunnel

Sw3(config-if-range)#switchport access vlan 666

Sw3(config-if-range)#no sh


Sw3(config)#system mtu 1504

Sw3(config)#int range f0/19 – 20

Sw3(config-if-range)#sw tr en do

Sw3(config-if-range)#sw mo tr


Sw4#conf ter

Enter configuration commands, one per line. End with CNTL/Z.

Sw4(config)#vlan 666

Sw4(config-vlan)#name Transport-VLAN

Sw4(config)#int range f0/19 – 20

Sw4(config-if-range)#sw tr en do

Sw4(config-if-range)#sw mo tr


Sw4(config)#int range f0/21 – 22

Sw4(config-if-range)#sw mo do

Sw4(config-if-range)#sw a vlan 666


Sw4(config)#vtp mode tra

Setting device to VTP TRANSPARENT mode.

Sw4(config)#system mtu 1504

Sw4(config)#do show int trunk

Port Mode Encapsulation Status Native vlan

Fa0/19 on 802.1q trunking 1

Fa0/20 on 802.1q trunking 1

Port Vlans allowed on trunk

Fa0/19 1-4094

Fa0/20 1-4094

Port Vlans allowed and active in management domain

Fa0/19 1,666

Fa0/20 1,666

Port Vlans in spanning tree forwarding state and not pruned

Fa0/19 1,666

Fa0/20 1,666

Sw4(config)#do show int f0/21 sw

Name: Fa0/21

Switchport: Enabled

Administrative Mode: tunnel

Operational Mode: tunnel

Administrative Trunking Encapsulation: negotiate

Operational Trunking Encapsulation: native

Negotiation of Trunking: Off

Access Mode VLAN: 666 (VLAN0666)

Trunking Native Mode VLAN: 1 (default)

Administrative Native VLAN tagging: enabled

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk Native VLAN tagging: enabled

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none


Sw1(config-if)#int po 1

Sw1(config-if)#no sw

Sw1(config-if)#ip add

Sw1(config-if)#int range f0/21 – 22

Sw1(config-if-range)#no sw

Sw1(config-if-range)#channel-group 1 mode on

Sw2#conf ter

Enter configuration commands, one per line. End with CNTL/Z.

Sw2(config)#int range f0/21 – 22


Sw2(config)#int po1

Sw2(config-if)#no sw

Sw2(config-if)#ip add

Sw2(config-if)#no sh


Sw2(config)#int range f0/21 – 22

Sw2(config-if-range)#no sw

Sw2(config-if-range)#channel-group 1 mode on



Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


A Networker Blog

3 thoughts on “Vlan Tagging

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s