IEEE 802.1Q (also known as Dot1q) is the official standard that enables virtual local area networks (VLANs) to operate on Ethernet networks. A VLAN is a logical subdivision of a physical network, allowing different departments or services to share the same hardware infrastructure while keeping their traffic isolated from one another.
In a normal Ethernet network, all connected devices are part of the same broadcast domain, meaning every computer can see all network traffic. With VLANs, a switch can divide this traffic into separate groups so that devices in one VLAN cannot directly communicate with another unless allowed through a router or firewall.
IEEE 802.1Q achieves this by inserting a small VLAN tag (a four-byte label) inside each ethernet frame (a data unit that carries information across a local network). The tag identifies which VLAN the frame belongs to. This helps the switch/router send the data to the right group and keeps the network organized, faster and more secure.
To understand why IEEE 802.1Q was developed, it is important to look at the problems that existed in traditional Ethernet networks before VLAN tagging was introduced.
Problem Addressed by 802.1Q
Before IEEE 802.1Q was created, computer networks worked in a very simple way. Every device connected to the same switch was treated as part of one big group. This meant that all the computers, printers, and servers could hear each other’s communication, even when it was not relevant to them.
This design caused several problems in large organizations. The first problem was too much unnecessary traffic. When one computer sent out a message to find another device on the network, every other computer received it. As more people and departments were added, this traffic grew and started to slow down the network for everyone.
The second problem was a lack of security and privacy. Since all devices were in the same network, it was possible for one person or department to accidentally (or even intentionally) see information meant for someone else. For example, a computer in the marketing department could capture or access traffic from the finance department because there was no separation between them.
The third problem was rigidity. Without VLANs, the only way to separate traffic was to buy more switches and cables, creating a completely separate physical network for each department. That was expensive, messy, and hard to change if people moved offices or if new teams were created.
IEEE 802.1Q was developed to fix all these issues. It allows a single switch to act as if it were multiple smaller switches. Each department or group can have its own “virtual” network inside the same physical system. These smaller virtual networks are called VLANs (Virtual Local Area Networks).
So using it, traffic from the accounting department can stay private, the IT team can manage its own VLAN, and the overall network runs faster because each VLAN only deals with its own communication. In simple terms, the 802.1Q standard made networks more organized, more secure, and much easier to expand or change later on.
Benefits of Using 802.1Q VLANs
Understanding the problems makes it easier to see why IEEE 802.1Q became such a core networking standard. Using VLANs through 802.1Q brings several key advantages to modern networks.
First, it provides traffic separation, which increases security by isolating departments, services, or devices from one another. For example, office computers, printers, and servers can each be placed in different VLANs to prevent unwanted communication.
Second, it improves network performance by reducing unnecessary broadcast traffic. Since each VLAN is its own broadcast domain, frames are only sent where they are needed, lowering congestion and improving response time.
Third, it makes network management easier. Administrators can group users logically (such as by team or floor) rather than physically rewiring switches whenever changes occur.
Finally, 802.1Q allows cost savings and adds flexibility. For example, instead of buying separate switches for each department, one switch can support multiple VLANs over the same cabling and infrastructure, which makes networks easier to scale and maintain without large hardware costs.
How 802.1Q Tagging Works
The 802.1Q standard carries a frame's VLAN membership by inserting a 4-byte VLAN tag into the Ethernet frame header, between the source MAC address and the EtherType field. The header is the part of the frame that carries control information such as addressing and protocol type.
When a device that understands 802.1Q receives the frame, it reads the tag and knows exactly which VLAN it belongs to. This makes VLANs possible without changing how Ethernet itself works.
Structure of the VLAN Tag:
The VLAN tag is divided into two parts:
- TPID (Tag Protocol Identifier): 2 bytes that mark the frame as VLAN-tagged. The standard value is 0x8100.
  (0x8100: VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility. Source: Wikipedia - EtherType)
- TCI (Tag Control Information): 2 bytes that hold:
  - PCP (Priority Code Point, 3 bits): Used for Quality of Service (traffic priority)
  - DEI (Drop Eligibility Indicator, 1 bit): Shows if the frame may be dropped when congested
  - VID (VLAN ID, 12 bits): Identifies the VLAN number (1-4094 usable IDs)
Together, these fields let switches identify, prioritize, and properly route traffic between VLANs.
Here’s what happens step by step:
- A computer sends an ethernet frame to a switch.
- The switch checks which port the frame came from and what VLAN that port belongs to.
- If the frame needs to cross another switch through a trunk link (a connection that carries many VLANs), the switch adds an 802.1Q tag showing the correct VLAN ID.
- The frame travels across the network with its tag.
- The next switch reads the tag, recognizes the VLAN ID, and sends it only to devices in that VLAN.
- Before the frame reaches the final device such as a PC or printer, the tag is removed so the device receives a normal untagged frame.
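The tag layout above and the tag/strip steps of the walkthrough, as an added example that is not part of the original article: this Python builds an 802.1Q tag from PCP, DEI and VID, parses one back out of a frame, strips it for delivery to an access port, and models a trunk that leaves native-VLAN frames untagged. The sample frame bytes and function names are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100          # TPID value marking an 802.1Q-tagged frame
VID_MIN, VID_MAX = 1, 4094   # usable VLAN IDs (0 and 4095 are reserved)


def parse_tag(frame: bytes):
    """Return (pcp, dei, vid) from the 802.1Q tag, or None if the frame is untagged."""
    # Tag sits at bytes 12-15: after destination MAC (0-5) and source MAC (6-11),
    # before the original EtherType.
    if len(frame) < 16:
        raise ValueError("frame too short to hold an 802.1Q tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None                      # not 0x8100: untagged frame
    pcp = tci >> 13                      # top 3 bits: priority
    dei = (tci >> 12) & 0x1              # next bit: drop eligible
    vid = tci & 0x0FFF                   # low 12 bits: VLAN ID
    return pcp, dei, vid


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a tag between the source MAC and the EtherType (step 3, trunk egress)."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VID {vid} outside usable range {VID_MIN}-{VID_MAX}")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag before delivery to an end device (step 6, access egress)."""
    return frame[:12] + frame[16:] if parse_tag(frame) else frame


def trunk_egress(frame: bytes, vid: int, native_vid: int) -> bytes:
    """Frames in the trunk's native VLAN leave untagged; all others are tagged."""
    return frame if vid == native_vid else add_tag(frame, vid)


# Constructed sample input: an untagged IPv4 frame (EtherType 0x0800), dummy payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 45

if __name__ == "__main__":
    tagged = add_tag(UNTAGGED, vid=20, pcp=5)
    print(parse_tag(tagged))              # (5, 0, 20)
    print(strip_tag(tagged) == UNTAGGED)  # True
```

Note that a receiving switch decides the VLAN purely from the 12-bit VID, so a tag with an out-of-range or unexpected VID is something a switch should reject rather than forward.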
Access and Trunk Ports (Port Modes)
It’s important to see how switches handle the VLAN tags. Switch ports operate in two main modes: access and trunk.
Access Ports:
An access port connects to a single end device such as a computer or printer. These ports send and receive untagged frames because most end devices do not understand VLANs. The switch automatically assigns every untagged frame from an access port to a specific VLAN called the PVID (Port VLAN ID). This simply means “the VLAN for untagged traffic.” Access ports are used for normal office connections.
Trunk Ports:
A trunk port connects switches or a switch and a router. A trunk carries the traffic of several VLANs over one physical connection. Each frame sent through a trunk is tagged with an 802.1Q header that contains the VLAN ID, so the receiving switch knows which VLAN it belongs to.
Trunk ports can also have a native VLAN, which handles untagged frames on the link. Both sides of the trunk must have the same configuration, including which VLAN is native, otherwise network problems will occur.
Trunking is what allows many VLANs to share the same link. A link is the physical or logical connection between two network devices, such as switches, routers, or servers. It may be a copper Ethernet cable, a fiber-optic line, or a virtual network connection. Trunking makes that single link carry traffic from multiple VLANs by tagging each frame with its VLAN ID, reducing cable use and keeping the network clean and efficient.
Trunking Protocols
Two trunking protocols have been used. The first is IEEE 802.1Q, the open standard now supported by all networking vendors. The second is ISL (Inter-Switch Link), an older Cisco-proprietary protocol that has been replaced by 802.1Q. Today, 802.1Q is the universal and preferred protocol for VLAN trunking.
Native VLANs and Hybrid Links
A native VLAN is the VLAN that sends and receives untagged traffic on a trunk. By default, most switches use VLAN 1 as the native VLAN, but this is not recommended. VLAN 1 is often used for internal management, and keeping it as native can cause confusion or security risks. A better practice is to assign another unused VLAN as native or configure all VLANs to be tagged.
Some switches support hybrid ports, which can send both tagged and untagged frames. This is helpful when a device needs one untagged VLAN as its default plus additional tagged VLANs for special purposes. For example, an IP phone may use an untagged VLAN for regular data and a tagged VLAN for voice traffic. Both devices on the link must be configured the same way to communicate properly.
IEEE 802.1Q remains one of the most important standards in networking because it changed how Ethernet networks are designed and managed. Before it, separating traffic meant building entirely new physical networks. Today, almost every enterprise network relies on 802.1Q in some way.