Switching and VLANsIntermediate47 min read

What Is VLAN tagging in Networking?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

VLAN tagging is a way for network switches to label data packets so they know which group they belong to. Imagine a school where students from different classes wear different colored badges, the badge tells the hall monitor which class each student is from. VLAN tagging works like that badge, helping switches sort traffic from different virtual networks, even when they all travel over the same cable.

Common Commands & Configuration

switchport mode trunk

On a Cisco switch, sets a port to permanent trunking mode. This is used on links that carry multiple VLANs (e.g., between two switches or to a router).

CCNA and Network+ exams test the difference between 'switchport mode trunk' (forces trunk) and 'switchport mode access' (forces access). Expect questions about which command disables DTP negotiation.

switchport trunk native vlan 999

Assigns VLAN 999 as the native VLAN on a trunk port. This mitigates VLAN hopping by using an unused VLAN ID instead of the default VLAN 1.

Security+ and CCNA exams ask: 'What is the best practice for securing a trunk against double tagging?' The answer: change the native VLAN to an unused VLAN.

encapsulation dot1Q 10

Router-on-a-stick subinterface command. Applied to a router subinterface (e.g., 'interface fastEthernet 0/0.10') to associate it with VLAN 10 using 802.1Q tagging.

CCNA routing questions often require this command. Exam trick: the native VLAN subinterface should have no 'encapsulation dot1Q' command because native VLAN traffic is untagged.

system mtu 1522

Sets the system MTU to 1522 bytes on a Cisco switch, allowing standard-sized frames with 802.1Q tags to pass without being dropped.

CCNA and Network+ questions: 'What is the minimum system MTU for a switch to support 802.1Q tagged frames?' Answer: 1522 bytes.

switchport nonegotiate

Disables Dynamic Trunking Protocol (DTP) on a Cisco switch port, preventing unauthorized trunk negotiation.

Security+ and CCNA security topics: 'Which command prevents VLAN hopping via DTP?' Answer: 'switchport nonegotiate' on access ports.

vlan 200

Creates VLAN 200 in the switch's VLAN database. This is necessary before assigning ports to that VLAN or using it in trunk configuration.

CCNA and Network+: VLAN creation is mandatory before assignment. Extended-range VLANs (1006-4094) require 'vtp mode transparent' or storage in running-config.

interface vlan 10

Creates a Switch Virtual Interface (SVI) for VLAN 10. Used for inter-VLAN routing on a Layer 3 switch or for management access.

CCNA: SVIs can route between VLANs without a router. The 'no shut' command must be issued. Exam questions test that an SVI must exist for routing to work.

VLAN tagging appears directly in 8exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →

Must Know for Exams

VLAN tagging appears as a key topic in several major IT certification exams, especially those focused on networking. For the CCNA (Cisco Certified Network Associate) exam, VLAN tagging is a fundamental objective. The CCNA exam expects you to know how to configure access and trunk ports, understand the difference between tagged and untagged frames, and know the role of the Native VLAN. You may be asked to troubleshoot a scenario where VLANs are not communicating correctly, and the issue might be a missing allowed VLAN list or a Native VLAN mismatch. The 802.1Q standard is the only tagging method tested on the current CCNA exam (ISL is no longer covered).

For the Network+ exam (CompTIA Network+), VLAN tagging is covered under the networking concepts domain. You need to understand how VLANs work, the purpose of tagging, and the difference between trunk and access ports. Multiple-choice questions often ask about the IEEE 802.1Q standard or the number of VLANs supported (4094 usable). You might also see questions about Native VLAN and why it should be changed from the default for security reasons.

The Security+ exam (CompTIA Security+) includes VLAN tagging in the context of network segmentation and security. Questions may focus on VLAN hopping attacks, where an attacker exploits a misconfigured Native VLAN to gain access to traffic from other VLANs. You need to understand how tagging prevents accidental data leakage and why disabling Dynamic Trunking Protocol (DTP) is a security best practice.

In the AWS-SAA (AWS Solutions Architect Associate) exam, VLAN tagging is less direct but appears in the context of AWS Direct Connect and VLAN attachment. When you connect your on-premises network to AWS via Direct Connect, you create a VLAN interface that is tagged to separate traffic. Understanding 802.1Q tagging helps you understand how private virtual interfaces (VIFs) work.

The Azure AZ-104 exam covers VLAN tagging when discussing Azure ExpressRoute and virtual networks. You may need to understand how VLANs are used to isolate customer traffic over Microsoft's backbone. The Google ACE (Associate Cloud Engineer) exam touches on VLAN tagging in the context of VPC networks and interconnect attachment.

For the A+ exam, VLAN tagging is a light supporting topic. It is not a core objective, but you might see a question about the purpose of VLANs in a network environment. Knowing the basic concept of separating traffic is sufficient.

In exam questions, you should expect scenario-based questions where you are given a network diagram and must determine the correct configuration. For example, "Two switches are connected via a trunk link, but devices on VLAN 10 cannot communicate across the trunk. What is the most likely cause?" The answer could be that the trunk port does not have VLAN 10 in the allowed list. Or "A network administrator wants to allow traffic from multiple VLANs over a single link between two switches. What should be configured?" The answer is a trunk port with 802.1Q tagging.

Simple Meaning

Think of a large office building with several different departments: Sales, Engineering, and HR. Each department has its own private chat channel on the internal messaging system. When people from different departments need to send messages across the building, they still use the same physical hallway and the same network of cables. But without some way to tell the messages apart, a sales message could accidentally end up in the HR chat. That would be a problem.

VLAN tagging solves exactly this problem by adding a small label to each message as it travels. This label works like a sticky note on a document that says, "This is for Sales" or "This is for Engineering." The network switches, which are like the mailroom workers in the building, read that sticky note and know exactly where to deliver the message.

In technical terms, a VLAN (Virtual Local Area Network) is a way to split a physical network into smaller, logical networks. Computers on different VLANs behave as if they are on completely separate physical networks, even if they are plugged into the same switch. This is useful for security and performance: you don't want a guest Wi-Fi user to be able to see the company's finance servers.

Tagging is what makes VLANs work across multiple switches. When a frame (a packet of data) leaves a switch port that is configured as a trunk (a special port that can carry multiple VLANs), the switch inserts a tag into the frame. That tag contains a VLAN ID, like a number from 1 to 4094. When the frame arrives at the next switch, that switch reads the tag and knows which VLAN the frame belongs to, so it can forward it only to ports that are members of that VLAN.

Without tagging, you would need a separate cable for every VLAN between two switches. That would be expensive and messy. With tagging, you can run just one cable between switches and carry dozens or hundreds of VLANs over it. It is like having a single highway with multiple lanes: each lane is a VLAN, and the tag tells the cars which lane to use.

Tagging is defined by the IEEE 802.1Q standard, which is supported by almost all modern network equipment. It works at Layer 2 of the OSI model (the data link layer), meaning it happens at the Ethernet frame level, before the data is even passed up to higher network layers. This makes it very efficient, the switches do not need to look inside the packet to see the destination IP address. They just look at the tag.

One very important thing to understand is that VLAN tagging is not encryption. It does not hide the data or protect it from being read. It is simply a label for organization. If someone taps the cable, they can see the tag, but that is not a security problem by itself. The real security comes from the fact that devices on different VLANs cannot talk to each other without going through a router or firewall.

Full Technical Definition

VLAN tagging is the process of inserting a VLAN identifier into an Ethernet frame to indicate which VLAN the frame belongs to. This is standardized under IEEE 802.1Q, which is the industry standard for VLAN tagging on Ethernet networks. The tag is inserted between the Source MAC Address field and the EtherType/Length field in the Ethernet frame header.

The IEEE 802.1Q tag is 4 bytes (32 bits) long and consists of two main parts. The first 2 bytes are the Tag Protocol Identifier (TPID), which is set to the value 0x8100. This value tells the receiving switch that the frame is tagged and to look for the additional information. The second 2 bytes are the Tag Control Information (TCI), which contains three subfields. The Priority Code Point (PCP) is 3 bits used for Class of Service (CoS) prioritization. The Drop Eligible Indicator (DEI) is 1 bit, formerly known as the Canonical Format Indicator (CFI). The most important part is the VLAN Identifier (VID), which is 12 bits. This allows for 4096 possible VLAN IDs (0 through 4095), but VLAN 0 and VLAN 4095 are reserved, so usable VLANs are 1 through 4094.

When a switch receives an untagged frame on an access port (a port that belongs to a single VLAN), it inserts the appropriate tag internally for processing. When the frame is forwarded out a trunk port, the switch may keep the tag or remove it depending on the configuration. The term "tagged" is used to describe a frame that carries the 802.1Q header, while "untagged" describes a standard Ethernet frame without the tag.

Trunk ports are the key component in VLAN tagging. A trunk port is a switch port configured to carry traffic for multiple VLANs. In contrast, an access port carries traffic for only one VLAN and typically strips the tag when sending frames out to end devices. End devices like computers, printers, and servers usually do not understand 802.1Q tags, so the switch must remove the tag before sending the frame to them. Only specialized devices like other switches, routers, or virtualization hosts typically handle tagged frames directly.

Another important concept is the Native VLAN. On a trunk port, the Native VLAN is the VLAN that carries untagged traffic. By default, the Native VLAN is usually VLAN 1 on most Cisco switches. When a switch sends a frame belonging to the Native VLAN out a trunk port, it does not add an 802.1Q tag. The receiving switch must be configured with the same Native VLAN on the corresponding trunk port; otherwise, frames can be mismatched, leading to a security vulnerability known as VLAN hopping.

VLAN tagging is fundamental to modern network design. It allows network administrators to segment traffic without adding physical hardware. For example, a company might have separate VLANs for voice traffic (VoIP), data traffic, guest Wi-Fi, and management traffic. All of these can run over the same physical infrastructure. Tagging also enables Virtual Router Redundancy Protocol (VRRP) and Hot Standby Router Protocol (HSRP) to work across multiple VLANs.

There is also a Cisco-proprietary protocol called Inter-Switch Link (ISL) which was used before 802.1Q became the standard. ISL encapsulated the entire Ethernet frame with a new header, including a 30-byte tag. ISL is largely obsolete today and is not supported on modern equipment. The industry has fully moved to 802.1Q.

In virtualized environments like VMware vSphere or Microsoft Hyper-V, VLAN tagging is often handled by the hypervisor. The virtual switch inside the hypervisor can apply tags to frames coming from virtual machines. This is known as Virtual Guest Tagging (VGT). Alternatively, the physical switch can handle tagging through Virtual Switch Tagging (VST), where the hypervisor presents trunk ports to the virtual machines.

Understanding VLAN tagging is critical for network troubleshooting. Misconfigured trunk ports, mismatched Native VLANs, or incorrect allowed VLAN lists can cause connectivity issues that are difficult to diagnose. Tools like Wireshark can capture and display the 802.1Q tags in frames, which helps in verifying that tagging is working correctly.

Real-Life Example

Imagine you are moving into a large apartment building with many tenants. Each tenant lives in a different apartment, but they all use the same front door, the same elevator, and the same hallway. The mail is delivered to a central mailbox area in the lobby. Each mailbox has a number that corresponds to an apartment. When the mail carrier arrives, they sort the letters by the apartment number and put each letter into the correct mailbox. The apartment number on the envelope is like a VLAN tag.

Now, suppose the building manager decides to have separate mail deliveries for packages, newspapers, and personal letters. Instead of having three different mail carriers and three different sets of mailboxes, they simply add a color-coded sticker to each item. A red sticker means it is a package, blue means it is a newspaper, and green means it is a personal letter. The carriers all use the same set of mailboxes, but the stickers tell them which delivery route to use. That sticker is the VLAN tag.

In a computer network, the apartment building is the physical network infrastructure, the cables, switches, and routers. Each apartment is a VLAN. The mail carrier is the network switch forwarding data. The letter is the Ethernet frame. Without the sticker (VLAN tag), the mail carrier would have to know the exact apartment for every single piece of mail, which would be slow and confusing. With the sticker, the carrier just looks at the color and knows immediately which group it belongs to.

Now consider that the building has a basement, a first floor, and a second floor, each with its own mailroom. A letter that arrives at the first floor mailroom might need to go to the second floor. The tag ensures that when the letter is sent upstairs via a dumbwaiter (the trunk link), the mailroom on the second floor knows exactly which apartment it belongs to, even though the dumbwaiter is shared by all the apartments.

This analogy also helps to understand the Native VLAN. The Native VLAN is like the default mail that does not have a sticker. In the building, maybe the weekly newsletter goes out without a sticker because everyone gets the same one. But if someone moves out and a new tenant moves in, the newsletter could end up in the wrong mailbox if the mailing list is not updated. That is why network administrators are careful about the Native VLAN.

Finally, the security aspect: just because the mail has a sticker does not mean the envelope is sealed. Someone in the elevator could peek at the letter. VLAN tagging does not provide encryption; it is just an organizational tool. If you want privacy, you need to encrypt the letter itself, which is like using a VPN or HTTPS.

Why This Term Matters

VLAN tagging is a core concept in modern networking that directly impacts network efficiency, security, and scalability. In any organization that uses more than a few computers, VLANs are almost certainly in use, and understanding how tagging works is essential for anyone managing or troubleshooting the network.

From a practical standpoint, VLAN tagging allows network administrators to make the most of their physical infrastructure. Without tagging, each VLAN would need its own dedicated cable between switches, which is expensive and wasteful. With 802.1Q tagging, a single trunk link can carry traffic for dozens of VLANs. This reduces cabling costs, simplifies the physical layout, and makes the network easier to manage.

Security is another huge reason why VLAN tagging matters. By separating traffic into different VLANs, you can prevent unauthorized access. For example, a company can put its finance department on VLAN 10, its HR department on VLAN 20, and its guest Wi-Fi on VLAN 100. Even if someone plugs a laptop into a guest Wi-Fi access point, they cannot see the finance servers because the traffic is tagged differently and the switch will not forward it between VLANs without a router or firewall.

Performance also benefits from VLAN tagging. Broadcast traffic (like ARP requests) is limited to the VLAN in which it originated. In a flat network without VLANs, a broadcast from one computer would reach every device on the network, wasting bandwidth. With VLANs, broadcasts stay within the VLAN, reducing unnecessary traffic and improving network speed.

For IT professionals, understanding VLAN tagging is essential for configuring switches, troubleshooting connectivity issues, and planning network expansions. Misconfigurations like mismatched Native VLANs or incorrect trunk encapsulation can cause outages that are difficult to diagnose. Knowing how to set up and verify tagging is a critical skill for network technicians and administrators.

In cloud and virtualized environments, VLAN tagging is also used to isolate tenant networks. For example, in AWS, VLAN tagging is part of how Virtual Private Clouds (VPCs) communicate over the underlying physical network. Even though you as a user don't see the tags, they are present in the infrastructure. Understanding tagging helps you grasp how cloud networking works at a deeper level.

How It Appears in Exam Questions

Exam questions about VLAN tagging come in several patterns. The most common is the direct definition question: "Which IEEE standard defines VLAN tagging?" The answer is 802.1Q. Another variant asks about the number of VLANs supported: "How many VLANs can be configured using the 802.1Q standard?" The answer is 4094 usable VLANs (out of 4096).

Scenario-based questions are very frequent. For example, "A network administrator connects two switches with a single cable. Devices on VLAN 10 on the first switch can communicate with devices on VLAN 10 on the second switch, but devices on VLAN 20 cannot. What is the likely issue?" You need to know that the trunk port must have VLAN 20 enabled in the allowed VLAN list. Another scenario: "A company wants to separate voice and data traffic on the same switch. What feature should be used?" The answer is VLANs, and you might need to specify that the voice VLAN should be tagged on the trunk.

Troubleshooting questions often involve the Native VLAN. For instance, "After connecting a new switch, devices in VLAN 1 can communicate across the link, but devices in other VLANs cannot. What is the most likely cause?" If the Native VLAN mismatches or the trunk is not properly configured, you would need to check the trunk configuration. Another common trap is that the Native VLAN should be changed from the default (VLAN 1) to an unused VLAN to prevent VLAN hopping attacks.

Configuration questions appear in the CCNA exam where you might be asked to select the correct command to configure a trunk port. For example, "Which command configures an interface as a trunk port on a Cisco switch?" The answer is 'switchport mode trunk'. Another question might ask about the command to set the Native VLAN: 'switchport trunk native vlan <vlan-id>'. You might also need to know the command to add a VLAN to the allowed list: 'switchport trunk allowed vlan add <vlan-id>'.

In Security+, questions may present a scenario where an attacker is able to capture traffic from multiple VLANs by sending a double-tagged frame. This is called a double-tagging VLAN hopping attack. You need to understand how this works: the attacker sends a frame with two 802.1Q tags, the first tag is stripped by the first switch, and the second tag is then processed by the next switch, causing the frame to be delivered to a different VLAN. The fix is to change the Native VLAN to an unused VLAN and disable DTP.

For AWS and Azure exams, questions are less hands-on but still test your understanding. For example, "When setting up AWS Direct Connect, what networking standard is used to separate traffic on the virtual interface?" Answer: 802.1Q VLAN tagging. Or "In Azure ExpressRoute, how is customer traffic isolated on the shared infrastructure?" Answer: VLAN tagging.

In Network+, you might see a question asking about the difference between a trunk port and an access port. The correct answer is that an access port belongs to a single VLAN and sends untagged frames, while a trunk port can carry multiple VLANs and sends tagged frames (except for the Native VLAN).

Practise VLAN tagging Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You work as a junior network administrator for a small company called GreenTech Solutions. The company has 50 employees spread across two floors of an office building. The network consists of two switches, one on each floor, connected by a single Ethernet cable. The company wants to separate traffic into three VLANs: VLAN 10 for the Sales team, VLAN 20 for the Engineering team, and VLAN 30 for the Finance team. All employees are physically located on both floors.

You are tasked with configuring the switches so that Sales employees on the first floor can communicate with Sales employees on the second floor, but not with Engineering or Finance. Similarly, Engineering and Finance should be isolated from each other.

To achieve this, you configure each switch with the three VLANs. On the first-floor switch, you assign the ports that Sales people use to VLAN 10, Engineering ports to VLAN 20, and Finance ports to VLAN 30. You do the same for the second-floor switch. Then, you configure the port that connects the two switches as a trunk port. On the trunk port, you enable tagging for all three VLANs. You also set the Native VLAN to an unused VLAN, say VLAN 999, to improve security.

Now, when a Sales employee on the first floor sends a message to a Sales employee on the second floor, the first-floor switch receives the frame on an access port in VLAN 10. The switch knows that the frame belongs to VLAN 10, so when it forwards the frame out the trunk port, it adds an 802.1Q tag with VLAN ID 10. The second-floor switch receives the tagged frame on its trunk port, reads the tag, and forwards the frame out only to ports that are also in VLAN 10. The message reaches the correct Sales employee on the second floor.

If a Sales employee tries to send a message to an Engineering employee on the second floor, the first-floor switch will not forward it directly because the switch sees that the destination MAC address is not in VLAN 10. The frame is dropped unless there is a router or layer-3 switch configured to route between VLANs. In this scenario, without inter-VLAN routing, the message is blocked, providing the desired isolation.

This scenario illustrates how VLAN tagging enables network segmentation over a single physical link. It is efficient, secure, and easy to manage once configured correctly.

Common Mistakes

Thinking that VLAN tagging encrypts the data.

VLAN tagging only adds a label to the frame; it does not change the payload. The data is still sent in plaintext unless encrypted by another means like IPsec or TLS.

Understand that tagging is for organization and isolation, not for confidentiality. Use encryption separately if needed.

Assuming that the Native VLAN does not matter for security.

The Native VLAN carries untagged traffic on a trunk. If it is left as VLAN 1 (the default), an attacker can potentially send frames that will be processed on the Native VLAN, resulting in a VLAN hopping attack.

Always change the Native VLAN to an unused VLAN on every trunk port. Also disable Dynamic Trunking Protocol (DTP) on switch ports that should not become trunks.

Forgetting to add a VLAN to the allowed list on a trunk port.

By default, some switches only allow VLAN 1 on a trunk. If you create a new VLAN but do not add it to the trunk's allowed VLAN list, that VLAN's traffic will be dropped on the trunk.

After creating a new VLAN, use the command 'switchport trunk allowed vlan add <vlan-id>' on both ends of the trunk to ensure the VLAN is forwarded.

Confusing access ports and trunk ports.

An access port belongs to a single VLAN and sends untagged frames to the end device. A trunk port carries multiple VLANs and sends tagged frames. Plugging a computer into a trunk port usually will not work because most computers do not understand 802.1Q tags.

Use access ports for end devices and trunk ports only for connections between switches, routers, or other infrastructure devices.

Assuming that all switches use the same VLAN numbering by default.

VLAN numbers are not globally standardized; they are locally significant on each switch. VLAN 10 on one switch might be a different VLAN on another switch if not coordinated.

Create the same VLANs with the same IDs on all switches, or use a VLAN Trunking Protocol (VTP) if supported, but be careful with VTP as it can cause widespread issues if misconfigured.

Believing that VLANs provide complete security between users.

VLANs separate traffic at Layer 2, but an attacker on one VLAN can still reach devices on another VLAN if a router or layer-3 switch is configured to route between them without proper access control lists (ACLs).

Combine VLANs with proper firewall rules or ACLs at the routing point to control inter-VLAN traffic.

Exam Trap — Don't Get Fooled

{"trap":"The exam shows a scenario where a new VLAN is created on a switch, and devices in that VLAN can communicate within the same switch but not across a trunk to another switch. The trap answer often suggests that the trunk encapsulation is wrong or that the Native VLAN is mismatched. Many learners pick 'Native VLAN mismatch' because it is a common issue."

,"why_learners_choose_it":"Learners recall that Native VLAN mismatches cause problems, and they may not remember that the allowed VLAN list is a separate configuration. The scenario often does not mention the Native VLAN, so they default to that answer.","how_to_avoid_it":"Always think step by step.

First, verify that the new VLAN exists on both switches. Then, check if the trunk port allows the VLAN. The most common cause is that the new VLAN was not added to the allowed list.

The Native VLAN only affects untagged traffic, and a new VLAN would likely be tagged, so a Native VLAN mismatch would not prevent tagged traffic from passing."

Commonly Confused With

VLAN taggingvsVLAN hopping

VLAN tagging is the mechanism that identifies VLAN membership. VLAN hopping is an attack method where an attacker exploits misconfigurations to gain access to traffic from other VLANs. The two are related but opposite: tagging is a solution, hopping is a problem.

VLAN tagging is like having a keycard that grants access to certain floors. VLAN hopping is like finding a way to use a stolen keycard to access floors you are not allowed on.

VLAN taggingvs802.1X

802.1Q is the standard for VLAN tagging. 802.1X is a standard for port-based network access control, used to authenticate devices before they can use the network. They are entirely different protocols but sometimes confused because of the similar numbering.

802.1Q is like a label on a package; 802.1X is like an ID check at the door before the package is allowed in.

VLAN taggingvsSubnetting

Subnetting is a Layer 3 concept that divides IP address ranges into smaller networks. VLANs are a Layer 2 concept that divides broadcast domains. They often map one-to-one (one VLAN equals one subnet), but they are not the same thing. VLAN tagging operates at Layer 2, while subnetting operates at Layer 3.

A VLAN is like a separate room in a house; subnetting is like assigning different postal codes to different parts of the same room.

VLAN taggingvsTrunking (EtherChannel)

Trunking in the context of VLANs refers to a port that carries multiple VLANs using 802.1Q tagging. Trunking can also refer to EtherChannel, which is a technology that bundles multiple physical links into a single logical link for increased bandwidth and redundancy. These are different concepts that share the word 'trunk'.

VLAN trunking is like a single highway with multiple lanes (VLANs). EtherChannel trunking is like multiple parallel highways that work together as one.

Step-by-Step Breakdown

1

Ethernet frame preparation

A device, such as a computer, sends a standard Ethernet frame out of its network interface card. This frame has no VLAN tag at this point. The frame contains source and destination MAC addresses, along with the payload (the actual data).

2

Frame received on access port

The switch receives the frame on an access port. Each access port is configured with a specific VLAN ID (for example, VLAN 10). The switch internally assigns that VLAN ID to the frame, but does not yet insert a tag into the frame if the frame is staying within the same switch.

3

Switch determines forwarding path

The switch looks up the destination MAC address in its MAC address table. If the destination is on the same VLAN and on another port on the same switch, the switch forwards the frame directly. If the destination is on a different switch, the switch must send the frame out a trunk port.

4

Insertion of the 802.1Q tag

If the frame must travel over a trunk link, the switch adds a 4-byte 802.1Q tag between the Source MAC Address and the EtherType field. The tag includes the TPID (0x8100) and the TCI, which contains the 12-bit VLAN ID. The switch also recalculates the Frame Check Sequence (FCS) to account for the changed frame size.

5

Frame transmitted on trunk port

The now-tagged Ethernet frame is transmitted out the trunk port onto the physical cable. The frame may traverse one or more intermediate switches, each of which reads the VLAN tag to make forwarding decisions.

6

Receiving switch processes the tag

The next switch receives the tagged frame on its trunk port. It reads the VLAN ID from the tag. It then looks up the destination MAC address in its MAC address table, but only for that specific VLAN. This ensures that the frame is only forwarded to ports that belong to the same VLAN.

7

Tag removal on access port

If the destination port is an access port, the switch removes the 802.1Q tag before sending the frame to the destination device. End devices typically do not understand tagged frames, so the tag must be stripped to avoid confusion.

8

Frame delivered to destination

The destination device receives a standard untagged Ethernet frame and processes it normally. From the device's perspective, there is no awareness that VLAN tagging ever occurred. The entire process is transparent to the end user.

Practical Mini-Lesson

VLAN tagging is a practical skill that every network professional must master. In a real-world environment, you will work with switches that have multiple VLANs configured across many ports. Here is how it works in practice.

When you configure a switch, you start by creating the VLANs. On a Cisco switch, you use the 'vlan' command in global configuration mode. For example, 'vlan 10' then 'name Sales'. You repeat this for each VLAN. After the VLANs exist, you assign switch ports to them. For access ports, you use 'switchport mode access' and 'switchport access vlan 10'. This configures the port to belong to VLAN 10, and any device plugged into that port will automatically be part of that VLAN.

For trunk ports, the configuration is different. You set the port to trunk mode with 'switchport mode trunk'. By default, on many Cisco switches, a trunk port carries all VLANs, but you can restrict which VLANs are allowed using 'switchport trunk allowed vlan' commands. You should also set the Native VLAN to a non-default value for security: 'switchport trunk native vlan 999' (where 999 is an unused VLAN). It is also a good practice to shut down unused ports and put them in a dead VLAN to prevent unauthorized access.

What can go wrong? A common issue is that the two ends of a trunk link are configured differently. For example, one switch might have the Native VLAN set to 10, and the other to 20. This mismatch will cause control traffic like CDP (Cisco Discovery Protocol) to have issues, and some frames may be silently dropped or misdelivered. Another issue is that the trunk port might be set to 'dynamic desirable' or 'dynamic auto', which uses DTP to negotiate trunking. If the other switch does not have DTP enabled, the trunk may fail to form. It is safer to set both ends to 'mode trunk' and 'nonegotiate' to prevent negotiation.

In virtualized environments, the hypervisor must also understand VLAN tagging. For example, in VMware ESXi, you can set the VLAN ID on a virtual machine's network adapter. If you set it to 0, the traffic is untagged and the physical switch's access port VLAN applies. If you set it to a specific VLAN ID, the hypervisor tags the frames before sending them out. This is useful when the physical switch port is a trunk and you want the VM to be on a specific VLAN.

Troubleshooting VLAN tagging requires using the right tools. The 'show vlan' command displays all VLANs and their assigned ports. 'show interfaces trunk' shows which ports are trunks, the allowed VLANs, and the Native VLAN. 'show mac address-table' shows MAC addresses and their associated VLANs. If you have connectivity issues, check these outputs first.

Another advanced consideration is the MTU (Maximum Transmission Unit). When you add a 4-byte 802.1Q tag, the frame size increases. Standard Ethernet frames have an MTU of 1500 bytes, but a tagged frame can be 1504 bytes. Most modern switches can handle this, but if you have older equipment or jumbo frames configured, you need to ensure the switches support the larger frame size.

practical VLAN tagging requires careful planning of VLAN IDs, consistent configuration across all switches, and a solid understanding of the difference between access and trunk ports. Always document your VLAN scheme and test connectivity after making changes.

VLAN Tagging Fundamentals: The 802.1Q Standard

VLAN tagging is the core mechanism that allows a single physical Ethernet link to carry traffic for multiple virtual local area networks (VLANs). Without tagging, each VLAN would require its own dedicated cable and switch port, defeating the purpose of network segmentation and efficiency. The industry-standard protocol for VLAN tagging is IEEE 802.1Q, which inserts a 4-byte tag into the Ethernet frame header. This tag resides between the Source MAC address and the EtherType/Length field, effectively increasing the maximum frame size from 1518 bytes to 1522 bytes (not counting the preamble).

The 802.1Q tag contains two critical fields: the Tag Protocol Identifier (TPID) and the Tag Control Information (TCI). The TPID is set to 0x8100, signaling to receiving switches that the frame is tagged. The TCI contains a 3-bit Priority Code Point (PCP) for Quality of Service (QoS), a 1-bit Drop Eligible Indicator (DEI), and the 12-bit VLAN ID (VID). The VID ranges from 0 to 4095, with 0 and 4095 reserved. VLANs 1 through 1001 are normal-range VLANs, while 1006 through 4094 are extended-range VLANs. VLAN 1 is the default VLAN on most Cisco switches and cannot be deleted.

Understanding 802.1Q is essential for any networking professional. Exam questions frequently test the tag's location, the purpose of the TPID, and the VLAN ID range. For example, a question might ask: 'Which field in an Ethernet frame identifies the frame as 802.1Q-tagged?' The correct answer is the TPID with value 0x8100. Another common question involves the maximum number of VLANs supported by the 802.1Q standard: 4094 usable VLANs (1 to 4094, excluding 0 and 4095).

VLAN tagging is not just a switch function-it is critical for trunk links between switches, router-on-a-stick configurations, and virtualized environments like AWS and Azure. In AWS, VLAN tagging is used with Direct Connect, where 802.1Q trunks carry multiple virtual interfaces (VLANs) over a single physical connection. Understanding the tag structure and its placement allows you to troubleshoot connectivity issues when frames are misconfigured or when MTU mismatches occur. Because the 4-byte tag increases the frame size, switches and routers must support an MTU of at least 1522 bytes on trunk ports. If a device is set to a standard 1500-byte MTU, tagged frames will be dropped. This is a common exam trap: 'What happens when a switch receives a 1522-byte frame on a port configured with an MTU of 1500?' The answer: the frame is dropped because it exceeds the interface MTU.

VLAN tagging also interacts with Spanning Tree Protocol (STP). When a trunk link carries multiple VLANs, STP runs separately for each VLAN (Per-VLAN Spanning Tree, or PVST+). The BPDU frames are sent untagged on the native VLAN (default VLAN 1), while tagged frames for other VLANs are forwarded normally unless blocked by STP. This nuance is often tested: 'Which VLAN forwards BPDUs untagged on a trunk?' Answer: the native VLAN.

802.1Q tagging is the backbone of modern switched networks. It enables efficient bandwidth usage, logical segmentation, and seamless integration with cloud services. Mastering the tag format, VLAN ID ranges, and interaction with other protocols is fundamental for passing the CCNA, Network+, Security+, and cloud vendor exams.

When studying for exams like AWS-SAA or AZ-104, remember that cloud-based VLAN tagging (e.g., with AWS Direct Connect) uses the same 802.1Q standard. Exam questions may present scenarios where you need to configure a trunk or interpret a packet capture showing 0x8100. Always check the EtherType field: if you see 0x8100, it is a tagged frame.

VLAN Tagging and the Native VLAN: Common Pitfalls and Exam Traps

The native VLAN is a cornerstone of 802.1Q trunking, yet it is the source of countless misconfigurations and security vulnerabilities. By definition, the native VLAN (default VLAN 1) carries untagged traffic on an 802.1Q trunk. This means that frames belonging to the native VLAN are sent without an 802.1Q tag. All other VLANs are tagged. The purpose of the native VLAN is to allow legacy devices that do not understand 802.1Q tagging to communicate across a trunk link without modification.

One of the most common exam questions is: 'What happens if two switches have different native VLANs on their trunk port?' The answer is that a native VLAN mismatch occurs. The switches will send untagged frames (native VLAN) but they will be received on a different VLAN than intended. This can cause traffic from the native VLAN to be misdirected, or worse, create a bridging loop because the switches may interpret the untagged frames as belonging to their own native VLAN. The symptom is that some devices on VLAN 1 can communicate, but others cannot, and you may see 'Native VLAN mismatch' log messages. On Cisco switches, CDP (Cisco Discovery Protocol) will report 'Native VLAN mismatch discovered on ...'. This is a classic CCNA troubleshooting scenario.

From a security perspective, the native VLAN is a favorite attack vector in VLAN hopping attacks. An attacker can craft frames with a double 802.1Q tag (a technique called 'double tagging' or 'VLAN hopping'). By sending a frame with two tags-one for the native VLAN (often VLAN 1) and a second for a target VLAN-the attacker can bypass VLAN segmentation. The first switch strips the outer tag (believing it is the native VLAN) and forwards the frame out a trunk, where the second tag becomes the effective tag. This allows traffic to reach a VLAN that should be isolated. The recommended mitigation is to change the native VLAN to an unused VLAN ID (not VLAN 1) and disable trunking on access ports. Exam questions for Security+ and CCNA often ask: 'Which attack exploits the native VLAN to gain unauthorized access?' The correct answer: double tagging or VLAN hopping.

Another native VLAN issue arises with DTP (Dynamic Trunking Protocol). By default, Cisco switch ports are in 'dynamic desirable' or 'dynamic auto' mode, which can negotiate a trunk without administrative intent. If an attacker connects a switch to an access port and encourages DTP negotiation, they can create a trunk and then use the native VLAN to send traffic to other VLANs. The solution is to explicitly set switchport mode access on user-facing ports and disable DTP with 'switchport nonegotiate'. On exam questions, look for scenarios where an administrator finds unexpected VLAN traffic and you must identify that DTP negotiation is the root cause.

In cloud environments like AWS Direct Connect, the native VLAN concept applies to virtual interfaces (VIFs). Each VIF is associated with a VLAN ID. If you configure a public VIF with the wrong VLAN ID, traffic will not be forwarded. Similarly, for router-on-a-stick (ROAS) configurations, the router's subinterface must match the VLAN ID on the trunk. The native VLAN is often used for management traffic (e.g., SSH to the switch). If the management VLAN is the native VLAN, ensure that the router or firewall's default gateway is reachable without tags. Exam questions may give you a diagram showing a router connected to a switch with subinterfaces for VLAN 10, 20, and native VLAN 1. They may ask: 'Which subinterface should have no encapsulation command?' The answer: the subinterface for the native VLAN (e.g., interface fastEthernet0/0.1 with no 'encapsulation dot1Q 1').

careful management of the native VLAN prevents misconfigurations and security breaches. Always use an unused VLAN as the native VLAN, set trunk ports to 'switchport trunk native vlan <vlan-id>', and ensure consistency across all switches. Monitor logs for 'native VLAN mismatch' messages, and disable DTP on all ports that should not be trunks. This is a high-yield topic for multiple exams, including CCNA, Network+, Security+, and even cloud certifications when dealing with hybrid connections.

VLAN Tagging and MTU: How Frame Size Impacts Connectivity

When you add an 802.1Q tag to an Ethernet frame, the frame size increases by exactly 4 bytes. Standard Ethernet frames have a maximum size of 1518 bytes (including the MAC addresses, EtherType, and FCS). A tagged frame can be up to 1522 bytes. This 4-byte increase may seem trivial, but it has profound implications for network performance and troubleshooting. If any device in the path does not support jumbo frames or has an interface MTU set to exactly 1500 (Layer 3 payload), a tagged frame that is 1501 bytes or larger will be dropped. This is one of the most common cause of 'mysterious' connectivity issues in trunked networks.

Exam questions frequently present a scenario: 'Users on VLAN 20 cannot access a server on VLAN 30 through a router-on-a-stick. The router interface is set to MTU 1500. What is the most likely problem?' The answer is that the router drops the tagged frames because the combined IP packet plus the 802.1Q tag exceeds 1500 bytes. The solution is to increase the router's MTU to at least 1504 bytes (or use 'ip mtu' commands that account for the tag). However, note that 'ip mtu' on a Cisco router affects only IP packets, not the entire frame. Actually, the correct approach is to ensure that all interfaces on the path have a Layer 2 MTU (system MTU) of at least 1522 bytes. On Cisco switches, you can set the system MTU with 'system mtu 1522' or 'system mtu jumbo 9198' for jumbo frames. This is a key configuration for data center environments.

Jumbo frames (frames larger than 1500 bytes) are commonly used in storage networks and high-throughput applications. When VLAN tagging is used with jumbo frames, the maximum frame size must include the 4-byte tag. For example, if you want to support 9000-byte jumbo frames, the switch must be configured with a system MTU of 9004 bytes (9000 + 4). If one switch has an MTU of 9000 and another has 9004, frames will be silently dropped when they exceed the smaller MTU. Exam questions for Network+ and CCNA may ask: 'What is the maximum frame size when using 802.1Q tagging with jumbo frames?' The answer is the jumbo frame size plus 4 bytes.

Another MTU-related issue is path MTU discovery (PMTUD). When an IP packet is too large to traverse a link without fragmentation, the sender receives an ICMP 'Fragmentation Needed' message. However, if the ICMP message is blocked by a firewall or ACL, the sender will never learn of the smaller path MTU. This is especially problematic when VLAN tagging is present because the tag adds overhead that many network administrators forget to account for. For example, consider an IPSec VPN tunnel where the VPN gateway adds its own headers. If the underlying link also uses VLAN tagging, the total overhead can be significant. If the host's TCP MSS is not adjusted, packets may exceed the path MTU and be dropped. Exam questions may combine VLAN tagging with VPN and MTU issues, asking: 'Which two values must be adjusted to avoid fragmentation?' Answer: the interface MTU and the TCP MSS (maximum segment size).

In the context of AWS Direct Connect, VLAN tagging interacts with MTU in a slightly different way. AWS supports jumbo frames on direct connect virtual interfaces (up to 9001 bytes), but the VLAN tag overhead is included. If you set your on-premises device's MTU to 9001, you must ensure the switch port handling the VLAN tag is set to at least 9005 bytes. A common exam scenario for AWS-SAA: 'Your Direct Connect virtual interface is dropping packets. Your on-premises router has MTU 1500. Which of the following is the likely cause?' Answer: The router's MTU is too small to accommodate both the VLAN tag and the packet. Increase to at least 1504.

To troubleshoot MTU issues, use tools like ping with the 'do not fragment' bit (ping -M do). Send packets of increasing size until fragmentation occurs. On Cisco switches, use 'ping repeat 10 size 1500' and monitor for drops. Also check 'show interface' for input/output errors. If errors increase when sending packets above 1500 bytes, an MTU misconfiguration is likely. This is a common hands-on lab exercise for CCNA and Network+.

always account for the 4-byte 802.1Q tag when calculating frame sizes. Configure system MTU values consistently across all devices on the trunk path. Remember that cloud providers also include the VLAN tag overhead. Adjust MTU and TCP MSS accordingly. This knowledge is frequently tested on all major networking exams and is critical for real-world troubleshooting.

VLAN Tagging Security Risks: VLAN Hopping and Double Tagging Explained

VLAN tagging, while essential for network segmentation, also introduces security vulnerabilities that attackers can exploit to bypass VLAN boundaries. The two primary attacks are VLAN hopping (via double tagging) and attacks that use the native VLAN or DTP (Dynamic Trunking Protocol). Understanding these attacks is crucial for Security+, CCNA, and CompTIA A+ exams, as well as for any professional responsible for network security.

Double tagging is the most infamous VLAN hopping technique. The attacker sends a frame with two 802.1Q tags: the outer tag matches the native VLAN of the trunk (often VLAN 1), and the inner tag is the target VLAN that the attacker wants to reach. When the first switch receives the frame on an access port (which strips any VLAN tag), it assumes the frame is untagged and forwards it out the trunk. Because the outer tag matches the native VLAN, the switch removes that tag (as per standard behavior for native VLAN traffic) and forwards the frame with the remaining inner tag still intact. The receiving switch then sees a frame tagged for the target VLAN and forwards it to that VLAN's endpoints. This allows the attacker to send data to a VLAN that should be isolated. The attack only works if the attacker's switch port is configured with the same native VLAN as the trunk (usually VLAN 1) and if the attacker can create custom frames (e.g., using a tool like Yersinia or a custom Python script).

Mitigation for double tagging is straightforward: (1) Change the native VLAN on all trunk ports to an unused VLAN ID (never VLAN 1). (2) Explicitly prune all unused VLANs from the trunk so that even if a frame arrives, it is not forwarded. (3) Disable DTP on all ports that are not trunks. (4) Use VLAN access control lists (VACLs) to filter traffic at Layer 2. Exam questions often present a scenario where an attacker successfully accesses a server on VLAN 50 from a workstation on VLAN 10. The correct root cause is a native VLAN mismatch or a double tagging attack. The best mitigation is to 'set the native VLAN to an unused VLAN and disable DTP'.

Another VLAN hopping technique involves DTP negotiation. Cisco switches support DTP which can automatically negotiate a trunk link between two switches. If an attacker connects a rogue switch (or a laptop acting as a switch) to an access port that is in 'dynamic desirable' mode, DTP can negotiate a trunk. Once a trunk is established, the attacker can send tagged frames to any VLAN that the trunk carries. This attack is easier to execute than double tagging because the attacker does not need to craft special frames-they can simply send frames with the desired VLAN tag. The solution is to disable DTP on all access ports using 'switchport nonegotiate' and set the port mode explicitly to 'switchport mode access'. For trunk ports, use 'switchport mode trunk' and disable DTP with the same command (though trunk ports typically use DTP only when in dynamic mode). Exam questions for Security+ will ask: 'Which protocol can be exploited to perform VLAN hopping?' Answer: DTP (Dynamic Trunking Protocol).

An additional security concern is the use of VLAN 1 as the default native VLAN. Because VLAN 1 is the default, many administrators never change it. Attackers can send frames tagged with VLAN 1 (the native VLAN) and have them forwarded untagged through the trunk. This can allow Layer 2 control protocols (like CDP, STP, VTP) to be intercepted or manipulated. Even if you change the native VLAN, if you do not prune VLAN 1 from the trunk, it still exists. Best practice is to prune VLAN 1 from all trunk links and assign an unused VLAN as the native.

In cloud environments, VLAN hopping is less of a concern because the virtual switch (e.g., AWS vSwitch or Azure vSwitch) does not use DTP and typically isolates tenants strictly. However, when using Direct Connect or VPNs, the same principles apply: treat the link as a trunk, ensure the native VLAN is not exposed, and use ACLs. For the AWS-SAA exam, you might see a question about 'How to ensure that customer traffic is isolated when using Direct Connect?' The answer often involves using separate virtual interfaces with distinct VLAN IDs and ensuring that the on-premises device's native VLAN does not match any VIF.

Finally, VLAN tagging security extends to the control plane. Protocols like STP, VTP, and CDP operate over the native VLAN. An attacker on the native VLAN can send forged BPDUs to cause a bridge loop or manipulate the spanning tree topology. This is why the native VLAN should be changed and why BPDU guard and root guard are enabled on access ports. Security+ and Network+ exams frequently test these edge guards: BPDU guard places a port in error-disable state if a BPDU is received; root guard prevents a port from becoming a root port. Both are essential for preventing Layer 2 attacks.

VLAN tagging is a powerful tool that requires careful security hardening. Change the native VLAN, disable DTP, prune unused VLANs, and implement Layer 2 security features. These measures are the foundation of a secure switched network and are heavily emphasized in certification exams.

Troubleshooting Clues

Native VLAN Mismatch

Symptom: Users in VLAN 1 can ping each other across switches, but users in other VLANs cannot. Logs show 'Native VLAN mismatch discovered on GigabitEthernet0/1'.

Each switch expects a different native VLAN ID. Untagged frames from one switch are interpreted by the other as belonging to a different VLAN, causing misrouting or STP issues.

Exam clue: CCNA troubleshooting questions: Given a trunk with mismatched native VLANs, what is the symptom? Answer: VLAN 1 works, but other VLANs fail.

Trunk Port Not Forwarding Traffic

Symptom: Traffic from VLAN 10 cannot reach the other switch, but the trunk port shows up/up. 'show interfaces trunk' shows the trunk is in 'not-trunking' mode.

The port may be in 'dynamic auto' or 'dynamic desirable' mode but the neighboring switch is configured as an access port, so DTP does not form a trunk. The trunk may be administratively down.

Exam clue: Network+ and CCNA: 'Which DTP mode will never initiate trunk negotiation?' Answer: dynamic auto (it waits for the other side to be dynamic desirable or trunk).

Jumbo Frame Drops with VLAN Tagging

Symptom: Large file transfers fail between servers on different VLANs. Ping with size 1500 works, but size 1501 fails when 'don't fragment' bit is set.

The interface MTU is set to 1500 (Layer 3) and cannot accommodate the 4-byte 802.1Q tag. The router or switch drops the frame. The path MTU is effectively 1496 for payload due to tag overhead.

Exam clue: CCNA: 'A switch receives a frame of 1522 bytes on a trunk. What must the system MTU be to forward it?' Answer: at least 1522 bytes.

Double Tagging VLAN Hopping

Symptom: An attacker in VLAN 10 can send packets to a server in VLAN 50. The switch configuration shows the native VLAN is still VLAN 1.

The attacker sends a frame with two tags: outer tag VLAN 1 (native) and inner tag VLAN 50. The first switch strips the outer tag (native VLAN processing) and forwards the frame with the inner tag, which the second switch interprets as belonging to VLAN 50.

Exam clue: Security+: 'Which attack uses two 802.1Q tags to bypass VLAN isolation?' Answer: double tagging (VLAN hopping).

DTP Exploitation for VLAN Hopping

Symptom: A user workstation is able to access servers on multiple VLANs even though it is connected to an access port. The access port's DTP mode is 'dynamic desirable' or 'dynamic auto' without 'nonegotiate'.

DTP negotiation creates a trunk between the workstation (running a rogue switch or software) and the switch. The workstation can then send tagged frames to any VLAN the trunk carries.

Exam clue: Security+ and CCNA: 'Which protocol should be disabled to prevent unauthorized trunk negotiation?' Answer: DTP, using 'switchport nonegotiate'.

Router-on-a-Stick No Inter-VLAN Routing

Symptom: Devices on VLAN 10 and VLAN 20 cannot communicate through the router. 'show ip route' shows no routes for subnets. The router subinterfaces are administratively up.

The subinterface encapsulation may be missing or incorrect (e.g., 'encapsulation dot1Q 10' is absent). Alternatively, the trunk port on the switch may not be forwarding the necessary VLANs (pruning).

Exam clue: CCNA: 'What is the first command to check on a router for inter-VLAN routing?' Answer: 'show running-config interface' to verify 'encapsulation dot1Q'.

VLAN Pruning Blocks Traffic

Symptom: Traffic for VLAN 30 is not forwarded across a trunk. 'show interfaces trunk' shows VLAN 30 is not in the allowed list.

The administrator or VTP pruning has removed VLAN 30 from the trunk allowed VLAN list. This can be intentional or due to misconfiguration of 'switchport trunk allowed vlan'.

Exam clue: CCNA and Network+: 'Which command restricts which VLANs can traverse a trunk?' Answer: 'switchport trunk allowed vlan add <vlan-id>' or 'remove'.

Management Access Lost After VLAN Change

Symptom: After changing the native VLAN on a trunk, the administrator loses SSH access to the switch. The management interface IP is on VLAN 1.

The native VLAN change affected the way untagged frames are processed. If the management VLAN is the native VLAN, the switch expects untagged frames, but the router may still tag them (if misconfigured). Or the management VLAN is no longer reachable via the trunk.

Exam clue: CCNA: 'If the native VLAN is changed from 1 to 100, what must be done to maintain management access?' Answer: Ensure the management interface (SVI) is in VLAN 100 or that the router uses untagged frames for that VLAN.

Memory Tip

Think of 802.1Q as the 'shipping label' for network traffic. Just like a package needs a label to know where it's going inside a building, a network frame needs an 802.1Q tag to know which VLAN it belongs to across the campus.

Learn This Topic Fully

This glossary page explains what VLAN tagging means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.Which field in an 802.1Q tag identifies the frame as tagged?

2.An attacker sends a frame with two 802.1Q tags to a switch. The outer tag matches the native VLAN (VLAN 1). What is this attack called?

3.What is the maximum number of usable VLANs supported by the 802.1Q standard?

4.Which command disables DTP on a Cisco switch port?

5.A network administrator observes that users in VLAN 10 can ping each other, but cannot reach a server in VLAN 20 via a router-on-a-stick. The router subinterface for VLAN 20 is configured. What is the most likely cause?

6.What is the minimum system MTU required on a Cisco switch to forward standard 802.1Q tagged frames without drops?