VLAN Tagging

Hi, today I am going to dive into VLAN tagging and how it works. First let's break down what access and trunk ports are. Access ports are ports that are connected to end devices such as PCs or laptops. When a switch port is configured as an access port, it carries traffic for one VLAN (usually the VLAN of the device connected) and carries that traffic untagged. So if a port is configured with "switchport mode access" and "switchport access vlan 10," it will carry untagged traffic only for VLAN 10. A trunk port, on the other hand, is a port that carries tagged traffic for multiple VLANs. Trunks are usually configured on switch-to-switch links so that the same VLANs can exist on every switch in the topology. So if PC1 on VLAN 2 wants to send traffic to PC3 on VLAN 2 behind another switch, the first switch adds a tag before the frame crosses the trunk, and the frame is forwarded to its destination without any issue. Another PC on VLAN 5 can send a frame that shares the same path and links that VLAN 2 took, because trunk links can carry multiple VLANs at a time.

So what is a VLAN tag? A VLAN tag is a small header field that identifies the specific VLAN a frame belongs to. When a frame from a host on a VLAN needs to cross a trunk, the sending switch adds the tag so the receiving switch knows which VLAN the frame came from. Two VLAN tagging methods are Cisco's ISL and IEEE 802.1Q. 802.1Q is what modern networks use, while ISL is essentially obsolete. Today we are going to talk about the 802.1Q tag fields and their functions; here is a picture of the whole header below. The 4-byte 802.1Q tag is inserted after the Source MAC and before the Type/Length field of the Ethernet header.

The 802.1Q tag starts with the TPID, which stands for Tag Protocol Identifier. This field is 16 bits and its purpose is to announce to switches that the frame carries a VLAN tag. It sits exactly where the Type/Length field of an untagged frame would be, so a switch (or any other receiver) that reads 0x8100 in that position knows it is looking at a tagged frame rather than a regular Ethernet frame. Without the TPID, switches would have no way of distinguishing tagged frames from untagged ones. When a switch sees the value 0x8100 it knows that the next 16 bits are the TCI (Tag Control Information) and that the real Type/Length field follows after that. (One caveat worth knowing: 802.1ad "QinQ" uses a different TPID, 0x88A8, for the outer service tag, so a parser that only recognises 0x8100 will treat such frames as untagged.)

The TCI consists of 16 bits of vital information: 3 bits for PCP (Priority Code Point), 1 bit for DEI (Drop Eligible Indicator) and the last 12 bits for the VID (VLAN ID). PCP is the QoS part of the 802.1Q tag. It allows a switch to classify and prioritize certain traffic at Layer 2. When traffic from a host on a VLAN arrives at a switch, depending on the configuration some traffic will be given higher priority than the rest. A higher PCP value means the traffic is treated as more important than traffic with a lower PCP value. PCP values range from 0 to 7, with voice or video usually marked with the higher values.

DEI is a 1-bit field of the TCI that determines the drop eligibility of an Ethernet frame. It is also a QoS field, and it comes into play when the network starts to get congested and an egress queue fills up. An egress queue is a storage buffer in a device such as a switch where outgoing Ethernet frames are held before being sent out. When congestion occurs and the egress queue fills up, DEI tells the switch which frames it may drop first. DEI has two values: 1 means drop-eligible and 0 means not drop-eligible. As you can probably predict, important traffic will have a DEI of 0 and less important traffic will have a DEI of 1. When congestion is heavy and the egress queue is full, a frame arriving with a DEI of 1 is the one that gets dropped.

Last but not least is the VLAN ID, which is 12 bits. This is the main identifier of which VLAN the Ethernet frame belongs to. With the VID, switches can forward traffic to the right destination. This allows traffic to flow smoothly and lets end devices on separate interconnected switches communicate as if they were on the same LAN. Say there are two interconnected switches with 10 VLANs. If a PC on VLAN 3 on one switch sends an ARP request (a broadcast), and VLAN 3 devices are connected to both switches, every device on VLAN 3 will receive that ARP request regardless of which switch it is connected to. Every other device will never see the ARP request, exactly as if the VLANs were physically separate switches. VLAN IDs are vital for trunk ports, because multiple VLANs can share the same physical link without interference or any worry of the Ethernet frame ending up in the wrong VLAN. Twelve bits give 4096 possible values, but two are reserved: VID 0 means the frame carries only a priority (PCP) and belongs to no particular VLAN, and VID 4095 is reserved, so the usable range is 1 to 4094.
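To make the header layout and the access/trunk behaviour concrete, here is an added example (my own code, not part of the original post) that builds and parses 802.1Q-tagged Ethernet frames and then walks an untagged frame from PC1 on VLAN 2 through an access port, across a trunk, and out to PC3. The MAC addresses and payload are constructed for the example, the "switch" is a two-function model of ingress classification and egress tagging, and it deliberately does not model the native VLAN (untagged frames on a trunk are rejected rather than assigned to a native VLAN).

```python
"""Build, parse and forward IEEE 802.1Q tagged Ethernet frames.

Added example for this post, not code from the original article.
Assumed frame layout (all fields big-endian):
  dst MAC (6) | src MAC (6) | [TPID 0x8100 (2) | TCI (2)] | Type/Length (2) | payload
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100      # announces "an 802.1Q tag follows"
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (locally administered, not real devices).
MAC_PC1 = bytes.fromhex("020000000001")
MAC_PC3 = bytes.fromhex("020000000003")


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes
    vid: Optional[int] = None   # None means the frame carries no 802.1Q tag
    pcp: int = 0
    dei: int = 0


def build_tci(pcp: int, dei: int, vid: int) -> int:
    """Pack PCP (3 bits) | DEI (1 bit) | VID (12 bits) into the 16-bit TCI."""
    if not 0 <= pcp <= 7:
        raise ValueError("PCP must be 0..7")
    if dei not in (0, 1):
        raise ValueError("DEI must be 0 or 1")
    if not 1 <= vid <= 4094:
        raise ValueError("VID 0 and 4095 are reserved; usable range is 1..4094")
    return (pcp << 13) | (dei << 12) | vid


def split_tci(tci: int) -> tuple:
    """Inverse of build_tci: returns (pcp, dei, vid)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def encode(frame: Frame) -> bytes:
    """Serialise a frame; the 4-byte tag is inserted only when vid is set."""
    head = frame.dst + frame.src
    if frame.vid is not None:
        head += struct.pack("!HH", TPID_8021Q, build_tci(frame.pcp, frame.dei, frame.vid))
    return head + struct.pack("!H", frame.ethertype) + frame.payload


def decode(raw: bytes) -> Frame:
    """Parse a frame, recognising a tag by the TPID sitting in the Type/Length slot."""
    if len(raw) < 14:
        raise ValueError("short frame")
    dst, src = raw[:6], raw[6:12]
    (tpid,) = struct.unpack("!H", raw[12:14])
    if tpid == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp, dei, vid = split_tci(tci)
        return Frame(dst, src, ethertype, raw[18:], vid, pcp, dei)
    return Frame(dst, src, tpid, raw[14:])          # untagged: that word was the EtherType


def ingress(frame: Frame, mode: str, port_vlan: int) -> Frame:
    """Classify an arriving frame into a VLAN based on the receiving port's mode."""
    if mode == "access":
        if frame.vid is not None:
            raise ValueError("tagged frame on access port: dropped in this model")
        return Frame(frame.dst, frame.src, frame.ethertype, frame.payload, vid=port_vlan)
    if mode == "trunk":
        if frame.vid is None:
            raise ValueError("untagged frame on trunk: native VLAN not modelled here")
        return frame
    raise ValueError(f"unknown port mode {mode!r}")


def egress(frame: Frame, mode: str, port_vlan: int) -> Optional[bytes]:
    """Send a classified frame out of a port; None means 'not forwarded here'."""
    if mode == "access":
        if frame.vid != port_vlan:
            return None                              # wrong VLAN for this port
        return encode(Frame(frame.dst, frame.src, frame.ethertype, frame.payload))  # tag stripped
    if mode == "trunk":
        return encode(frame)                         # tag kept so the peer switch sees the VID
    raise ValueError(f"unknown port mode {mode!r}")


def demo() -> dict:
    """PC1 (access, VLAN 2) on SW1 sends to PC3 (access, VLAN 2) on SW2 over a trunk."""
    from_pc1 = encode(Frame(MAC_PC3, MAC_PC1, ETHERTYPE_IPV4, b"hello"))   # untagged
    in_sw1 = ingress(decode(from_pc1), "access", 2)      # SW1 assigns VLAN 2
    on_trunk = egress(in_sw1, "trunk", 0)                # SW1 -> SW2, now tagged
    in_sw2 = ingress(decode(on_trunk), "trunk", 0)       # SW2 reads VID from the tag
    return {
        "from_pc1": from_pc1,
        "on_trunk": on_trunk,
        "to_pc3": egress(in_sw2, "access", 2),           # tag stripped, identical to original
        "to_vlan5": egress(in_sw2, "access", 5),         # a VLAN 5 port never sees it
    }


if __name__ == "__main__":
    for name, raw in demo().items():
        print(name, None if raw is None else raw.hex())
```

Run it and compare `from_pc1` with `on_trunk`: the only difference is the four bytes `81 00 00 02` spliced in after the source MAC, which is the TPID followed by a TCI of PCP 0, DEI 0, VID 2. The `ingress` check that rejects tagged frames on an access port is where a real switch's configuration matters: isolation between VLANs holds only as long as every port classifies frames the way the tag fields above intend.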

VLAN tags allow multiple VLANs to coexist on the same topology with no physical changes, only configuration, all while keeping traffic isolated and separated despite sharing the same switches and links. That isolation is a property of the tagging and port configuration rather than of the cabling, so it is only as strong as the access and trunk settings on every port along the path.
