Understanding VLANs conceptually is essential, but truly mastering VLANs requires understanding IEEE 802.1Q—the protocol standard that defines exactly how VLAN information is encoded and transported within Ethernet frames.
802.1Q is what transforms the abstract concept of "virtual LANs" into a concrete, interoperable reality. When a tagged frame arrives at a switch, it's the 802.1Q header that tells the switch: "This frame belongs to VLAN 30, and its priority is level 5." Without this standardized mechanism, multi-vendor VLAN deployments would be impossible.
This page dissects 802.1Q in complete detail—the frame format, the tag structure, the processing rules, and the nuances that network engineers must understand to troubleshoot and optimize VLAN-based networks.
By the end of this page, you will understand the precise structure of 802.1Q-tagged frames, how switches process tagged and untagged traffic, the role of priority tagging (802.1p), native VLAN mechanics in detail, and the implications for frame size and compatibility.
Historical Context:
Before IEEE standardization, VLAN implementations were proprietary. Cisco developed ISL (Inter-Switch Link) in 1998, which encapsulated the entire Ethernet frame with additional headers. Other vendors had incompatible solutions. Networks composed of switches from different manufacturers couldn't share VLAN information.
The IEEE 802.1Q standard, formally titled "IEEE Standard for Local and Metropolitan Area Networks—Bridges and Bridged Networks," was published in 1998 to address this fragmentation. It defined:
Standard Revisions:
The 802.1Q standard has been revised multiple times:
| Year | Revision | Notable Additions |
|---|---|---|
| 1998 | Original 802.1Q | Basic VLAN tagging, 802.1p priority |
| 2003 | 802.1Q-2003 | Multiple Spanning Tree (MSTP) |
| 2005 | 802.1Q-2005 | Incorporated 802.1s (MST), 802.1w (RSTP) |
| 2011 | 802.1Q-2011 | Major consolidation of amendments |
| 2014 | 802.1Q-2014 | Enhanced VLAN operations |
| 2018 | 802.1Q-2018 | Current revision; Time-Sensitive Networking (TSN) integration |
| 2022 | 802.1Qcz, etc. | Ongoing amendments for specific features |
Standard Scope:
802.1Q covers far more than just VLAN tagging:
For this page, we focus on the VLAN tagging aspects—the core functionality that enables virtual LAN operation.
Cisco's proprietary ISL is obsolete. ISL encapsulated the entire frame (26-byte header + 4-byte CRC), allowing original frame preservation but wasting bandwidth. 802.1Q inserts a 4-byte tag into the existing frame—more efficient and now universally supported. All modern Cisco switches use 802.1Q; ISL support has been removed from current platforms.
The 802.1Q standard defines how VLAN tags are inserted into Ethernet frames. Understanding this format is fundamental to troubleshooting and analysis.
Standard Ethernet Frame (Untagged):
A traditional Ethernet II frame without VLAN tagging:
| Preamble | SFD | Dest MAC | Src MAC | EtherType | Payload | FCS |
|---|---|---|---|---|---|---|
| 7B | 1B | 6B | 6B | 2B | 46-1500B | 4B |
Total frame size: 64-1518 bytes (excluding preamble and SFD)
802.1Q Tagged Frame:
The 802.1Q tag (4 bytes) is inserted between the Source MAC and the original EtherType:
| Preamble | SFD | Dest MAC | Src MAC | 802.1Q Tag | EtherType | Payload | FCS |
|---|---|---|---|---|---|---|---|
| 7B | 1B | 6B | 6B | 4B | 2B | 46-1500B | 4B |
Total frame size: 64-1522 bytes (4 bytes larger due to tag)
Important: Frame Size Implications
The 4-byte tag increases maximum frame size from 1518 to 1522 bytes. This has implications:
FCS Recalculation:
The Frame Check Sequence (FCS) is a CRC-32 checksum covering the entire frame except preamble, SFD, and FCS itself. When a switch:
This recalculation is performed by switch hardware at wire speed and is transparent to end devices. However, it explains why tagged frames coming from a trunk have different FCS values than the original untagged frame—a consideration for certain packet capture scenarios.
The 4-byte (32-bit) 802.1Q tag contains several fields, each serving a specific purpose.
Tag Components:
| TPID (16 bits) | TCI (16 bits) | | |
|---|---|---|---|
| 0x8100 | PCP | DEI | VID |
| | 3 bits | 1 bit | 12 bits |
1. TPID (Tag Protocol Identifier) - 16 bits:
The TPID identifies the frame as 802.1Q-tagged. Its value is 0x8100 (decimal 33024). When a switch sees 0x8100 in the position normally occupied by EtherType, it recognizes this as a VLAN-tagged frame and knows the next 16 bits are TCI (Tag Control Information).
Position: Bytes 13-14 (immediately after Source MAC)
Value: 0x8100 (for 802.1Q)
Purpose: Identifies presence of VLAN tag
Note on other TPIDs:
0x8100 — Standard 802.1Q
0x88A8 — 802.1ad Q-in-Q (Service VLAN, Q-in-Q tunneling)
0x9100 — Some vendors' proprietary Q-in-Q implementation
2. PCP (Priority Code Point) - 3 bits:
Formerly known as 802.1p priority or CoS (Class of Service), PCP provides 8 priority levels (0-7):
| PCP Value | Priority Name | Typical Use Case |
|---|---|---|
| 0 | Best Effort | Default traffic, general data |
| 1 | Background | Bulk transfers, backups |
| 2 | Excellent Effort | Business applications |
| 3 | Critical Applications | Signaling (SIP, H.323) |
| 4 | Video | Video conferencing, streaming |
| 5 | Voice | VoIP voice traffic |
| 6 | Internetwork Control | Routing protocols (OSPF, BGP) |
| 7 | Network Control | Network management, STP BPDUs |
PCP and QoS:
PCP values enable differentiated handling within switches:
3. DEI (Drop Eligible Indicator) - 1 bit:
Formerly CFI (Canonical Format Indicator), this bit indicates frames that can be dropped during congestion:
This enables switches to selectively drop less important traffic within the same priority class.
4. VID (VLAN Identifier) - 12 bits:
The VID identifies which VLAN the frame belongs to. With 12 bits:
Bit layout of 12-bit VID:
| 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| MSB | | | | | | | | | | | LSB |
VID 0 has special meaning: the frame is 'priority tagged' but not VLAN-tagged. The frame carries QoS information (PCP) but belongs to no specific VLAN—it's treated as belonging to the port's native/access VLAN. This allows QoS marking on access ports that don't otherwise use VLANs.
Switches follow precise rules for processing 802.1Q tags based on port mode and frame characteristics.
Access Port Processing:
Ingress (frame arriving at access port):
If tagged frame arrives:
Egress (frame leaving access port):
Trunk Port Processing:
Ingress (frame arriving at trunk port):
If frame is tagged:
If frame is untagged:
| Port Mode | Frame Type | Ingress Action | Egress Action |
|---|---|---|---|
| Access | Untagged | Assign to access VLAN | Transmit untagged |
| Access | Tagged | Drop (usually) | N/A |
| Trunk | Untagged | Assign to native VLAN | Transmit untagged |
| Trunk | Tagged (native) | Extract VID, process | Transmit untagged |
| Trunk | Tagged (other) | Extract VID, process | Transmit tagged |
Egress (frame leaving trunk port):
If frame belongs to native VLAN:
If frame belongs to other VLAN:
The Native VLAN Decision Tree:
Frame arrives on trunk port
|
├── Frame has 802.1Q tag?
|   |
|   ├── Yes → Extract VID from tag
|   |   |
|   |   └── Is VID allowed on trunk?
|   |       ├── Yes → Process in VID's context
|   |       └── No → Drop frame
|   |
|   └── No → Assign to native VLAN
|       └── Process in native VLAN's context
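The access and trunk rules above, modelled in Python as an added example (not code from the original page or from any switch vendor): `ingress` walks the decision tree to pick the VLAN a frame is processed in, and `egress` strips or inserts the tag and recomputes the FCS as the frame-format section describes. The 60-byte sample frame, the port settings and the function names are constructed for the example.

```python
import zlib
from typing import Optional

TPID_8021Q = 0x8100


def fcs(frame: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over Dest MAC through Payload, sent least-significant byte first."""
    return zlib.crc32(frame).to_bytes(4, "little")


def vid_of(frame: bytes) -> Optional[int]:
    """VID of an 802.1Q-tagged frame, or None when bytes 12-13 hold an ordinary EtherType."""
    if int.from_bytes(frame[12:14], "big") == TPID_8021Q:
        return int.from_bytes(frame[14:16], "big") & 0x0FFF
    return None


def ingress(frame: bytes, mode: str, pvid: int, allowed: set[int]) -> Optional[int]:
    """Decision tree from the text: the VLAN the frame is processed in, or None to drop it.
    pvid is the access VLAN of an access port or the native VLAN of a trunk."""
    vid = vid_of(frame)
    if vid is None or vid == 0:      # untagged or priority-tagged (VID 0): port default VLAN
        return pvid
    if mode == "access":             # a VLAN-tagged frame arriving on an access port is dropped
        return None
    return vid if vid in allowed else None   # trunk: only VLANs allowed on the trunk pass


def egress(frame: bytes, vlan: int, mode: str, pvid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Rewrite a frame (given without FCS) for transmission and append a fresh FCS.
    Access ports and the trunk native VLAN send untagged; other trunk VLANs get a tag."""
    body = frame
    if vid_of(body) is not None:
        body = body[:12] + body[16:]                      # strip the existing 4-byte tag
    if mode == "trunk" and vlan != pvid:
        tci = (pcp << 13) | (dei << 12) | vlan
        body = (body[:12] + TPID_8021Q.to_bytes(2, "big")
                + tci.to_bytes(2, "big") + body[12:])     # insert the tag after Source MAC
    return body + fcs(body)


# Constructed sample: minimum-size untagged IPv4 frame (60 bytes before the FCS).
UNTAGGED = bytes.fromhex("aabbccddeeff" "112233445566" "0800") + b"\x00" * 46
```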
Special Case: Tagged Native VLAN:
Some configurations tag even native VLAN traffic (Cisco: vlan dot1q tag native):
If Switch A's native VLAN is 1 and Switch B's is 999, untagged frames get misrouted. Frame from Switch A (native 1) arrives untagged at Switch B, which assigns it to VLAN 999. The frame ends up in the wrong VLAN. CDP and other protocols will log warnings when they detect this mismatch.
Some network architectures require multiple VLAN tags on a single frame. IEEE 802.1ad (Provider Bridges) defines this capability, commonly called Q-in-Q or double tagging.
Use Cases for Double Tagging:
1. Service Provider Networks: Service providers deliver Layer 2 connectivity to customers (Metro Ethernet). Each customer's traffic already has VLAN tags. The provider adds their own outer tag to transit customer traffic through the provider network.
Customer A: VLAN 100, 200, 300
Customer B: VLAN 100, 200 ← Same VLANs, different customer!
Provider adds outer tag:
Customer A: S-VLAN 1001 + C-VLAN 100/200/300
Customer B: S-VLAN 1002 + C-VLAN 100/200
Now customer VLANs don't conflict—they're distinguished by the outer (Service) VLAN.
2. Large Enterprise Networks: With only 4,094 VLANs available, very large networks may exhaust VLAN space. Q-in-Q provides hierarchy (though VXLAN is more common today).
3. Data Center Interconnection: Extending VLANs between data centers over service provider networks.
Q-in-Q Frame Format:
| Dest MAC | Src MAC | Outer Tag | Inner Tag | EtherType | Payload | FCS |
|---|---|---|---|---|---|---|
| 6B | 6B | 4B | 4B | 2B | data | 4B |
Outer Tag (S-Tag / Service Tag):
0x88A8 (identifies this as a service provider tag)
Inner Tag (C-Tag / Customer Tag):
0x8100 (standard customer VLAN tag)
Frame Size Impact:
Equipment in Q-in-Q deployments must be configured to handle these larger frames.
Provider Bridge Terminology:
| Term | Meaning | Function |
|---|---|---|
| C-VLAN | Customer VLAN | VLAN tags originating from customer network |
| S-VLAN | Service VLAN | VLAN tags added by provider for transit |
| C-Tag | Customer Tag | Inner 802.1Q tag (TPID 0x8100) |
| S-Tag | Service Tag | Outer 802.1ad tag (TPID 0x88A8) |
| UNI | User Network Interface | Customer-facing port on provider equipment |
| NNI | Network-to-Network Interface | Provider backbone interconnection |
Double tagging can be exploited for VLAN hopping. An attacker crafts a frame with two tags: outer = native VLAN, inner = target VLAN. The first switch strips the outer tag (native). The next switch sees only the inner tag and forwards to the attacker's target VLAN. Mitigation: Never use VLAN 1, change native VLAN, or tag native VLAN traffic explicitly.
Network engineers regularly capture and analyze VLAN-tagged traffic for troubleshooting and verification. Understanding how 802.1Q appears in packet captures is essential.
Capturing Tagged Traffic:
To see 802.1Q tags in packet captures, you must capture on a trunk link or configure port mirroring that preserves tags:
On regular access ports: Captured traffic is untagged (switch strips tags before delivery)
On trunk ports or SPAN destinations: Tags are visible if configured correctly
Wireshark Analysis:
In Wireshark, 802.1Q-tagged frames display as:
Ethernet II
    Destination: aa:bb:cc:dd:ee:ff
    Source: 11:22:33:44:55:66
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN
    Priority: 5 (Voice)
    DEI: 0
    ID: 100
Internet Protocol Version 4
    ... (normal IP header follows)
Wireshark Filters for VLAN Analysis:
vlan # Any VLAN-tagged frame
vlan.id == 100 # Specific VLAN ID
vlan.priority >= 5 # High-priority traffic
vlan.id == 100 && ip.addr == 10.10.100.5 # VLAN + IP filter
vlan.id == 0 # Priority-tagged only (no VLAN)
frame.len > 1518 # Jumbo or tagged frames
Hex Analysis of 802.1Q Tag:
For deep analysis, understanding the raw bytes is valuable:
| Byte Offset | Value | Meaning |
|---|---|---|
| 0-5 | dest MAC | Destination MAC address |
| 6-11 | src MAC | Source MAC address |
| 12-13 | 81 00 | TPID (802.1Q identifier) |
| 14-15 | XX XX | TCI (Priority + DEI + VID) |
| 16-17 | YY YY | Original EtherType |
| 18+ | payload | Frame payload |
Example TCI Analysis:
TCI bytes: 0x50 0x64
Binary: 0101 0000 0110 0100
Breakdown (3 bits PCP, 1 bit DEI, 12 bits VID):
010 1 0000 0110 0100
^^^ ^ ^^^^^^^^^^^^^^
PCP DEI VID
PCP = 010 = 2 (Excellent Effort)
DEI = 1 (Drop Eligible)
VID = 0000 0110 0100 = 0x064 = 100 (VLAN 100)
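An added example (not code from the original page) that decodes TCI bytes the way the walkthrough above does and also walks a stacked S-tag/C-tag pair from the Q-in-Q section, which is how a capture-analysis script can report how many tags a frame carries. The `Tag` class, the function names and the sample frames are constructed for illustration.

```python
from dataclasses import dataclass

# TPIDs discussed on the page; any other value at offset 12 is an ordinary EtherType.
TPIDS = {0x8100: "802.1Q C-tag", 0x88A8: "802.1ad S-tag", 0x9100: "legacy Q-in-Q"}
PCP_NAMES = ["Best Effort", "Background", "Excellent Effort", "Critical Applications",
             "Video", "Voice", "Internetwork Control", "Network Control"]


@dataclass
class Tag:
    tpid: int
    pcp: int   # 3-bit Priority Code Point
    dei: int   # 1-bit Drop Eligible Indicator
    vid: int   # 12-bit VLAN Identifier

    @property
    def priority_tagged(self) -> bool:
        """VID 0 carries a QoS marking only; the frame belongs to the port's default VLAN."""
        return self.vid == 0


def decode_tci(tci: bytes, tpid: int = 0x8100) -> Tag:
    """Split the 16-bit Tag Control Information into PCP, DEI and VID."""
    value = int.from_bytes(tci, "big")
    return Tag(tpid, value >> 13, (value >> 12) & 1, value & 0x0FFF)


def parse_tags(frame: bytes) -> tuple[list[Tag], int, bytes]:
    """Walk the tag stack that follows the two MAC addresses, outermost tag first.
    Returns (tags, payload EtherType, payload); an untagged frame yields an empty list."""
    tags, offset = [], 12
    while int.from_bytes(frame[offset:offset + 2], "big") in TPIDS:
        tpid = int.from_bytes(frame[offset:offset + 2], "big")
        tags.append(decode_tci(frame[offset + 2:offset + 4], tpid))
        offset += 4
    ethertype = int.from_bytes(frame[offset:offset + 2], "big")
    return tags, ethertype, frame[offset + 2:]


def describe(tag: Tag) -> str:
    """One-line summary in the style of the Wireshark tree shown earlier."""
    return (f"{TPIDS[tag.tpid]}: PCP {tag.pcp} ({PCP_NAMES[tag.pcp]}), "
            f"DEI {tag.dei}, VID {tag.vid}")


# Constructed sample: Q-in-Q frame, S-VLAN 1001 outside, C-VLAN 100 (the TCI 0x5064 above) inside.
MACS = bytes.fromhex("aabbccddeeff" "112233445566")
QINQ_FRAME = MACS + bytes.fromhex("88a8 03e9 8100 5064 0800") + b"\x00" * 46
```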
Verification Commands:
! Verify trunk is passing expected VLANs
Switch# show interfaces Gi0/24 trunk
! Verify VLAN tag counts (some platforms)
Switch# show interfaces Gi0/24 counters
! Check for native VLAN mismatch (CDP)
Switch# show cdp neighbors detail
! Detailed VLAN statistics
Switch# show vlan id 100
When configuring SPAN (port mirroring) to capture VLAN traffic, use 'encapsulation replicate' to preserve VLAN tags in the mirrored traffic. Without this option, tags may be stripped and you'll capture untagged frames, losing VLAN visibility.
Beyond basic VLAN tagging, several advanced scenarios leverage 802.1Q capabilities.
1. Voice VLAN Implementation:
Cisco IP phones can use 802.1Q tagging in a special access port configuration:
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 30
 switchport voice vlan 100
The phone learns the voice VLAN via CDP/LLDP and tags its traffic with VID 100. The attached PC's traffic remains untagged (assigned to VLAN 30). Technically the port carries two VLANs, but it is not a full trunk; the tagged voice VLAN is a special case handled only for phones.
2. Native VLAN Security Configurations:
! Option 1: Tag native VLAN traffic (globally)
vlan dot1q tag native
! This makes all frames tagged on trunks, including native VLAN
! Prevents certain VLAN-hopping attacks
! Both trunk ends must support this
! Option 2: Use an unused native VLAN
interface Gi0/24
 switchport trunk native vlan 999
! VLAN 999 has no access ports, no traffic legitimately untagged
! Any untagged traffic is suspicious by definition
3. Private VLANs (PVLAN):
Private VLANs subdivide a VLAN for isolation within shared subnets:
802.1Q tags carry secondary VLAN information within the primary VLAN structure.
4. VLAN Translation:
Some switches can translate VLAN IDs at trunk boundaries:
! Traffic entering with VLAN 100 is processed as VLAN 200 internally
switchport vlan mapping 100 200
Use cases:
5. Selective Q-in-Q:
Service provider equipment can selectively apply outer tags:
! Only add S-tag to specific C-VLANs
switchport vlan mapping 100-199 dot1q-tunnel 1001
Customer VLANs 100-199 get encapsulated with S-VLAN 1001; others might be dropped or handled differently.
IEEE 802.1Q is the foundation that makes virtual LANs operationally possible across multi-vendor, multi-switch environments. Mastering 802.1Q means understanding not just configuration, but the precise mechanics of how frames are tagged, processed, and forwarded.
You now have a deep understanding of IEEE 802.1Q—the protocol enabling all VLAN operations. This knowledge enables effective troubleshooting, security hardening, and advanced VLAN design. The final page explores inter-VLAN routing—how traffic flows between VLANs through Layer 3 devices.