802.1Q: How VLAN Tagging Actually Works

Why This Post Exists

When writing about VLANs and PVID configuration in my home lab, I kept brushing past one question without properly answering it: what is the switch actually doing to the Ethernet frame? PVID, tagged ports, trunk links — all of that sits on top of a mechanism defined in the 802.1Q standard, and understanding that mechanism makes the configuration decisions obvious rather than arbitrary. This post is that missing layer.

Ethernet Frames: The Baseline

A standard Ethernet II frame looks like this:

┌─────────────┬────────────┬───────────┬─────────────┬─────┐
│  Dest MAC   │  Src MAC   │ EtherType │   Payload   │ FCS │
│  (6 bytes)  │  (6 bytes) │ (2 bytes) │ (46–1500 B) │(4 B)│
└─────────────┴────────────┴───────────┴─────────────┴─────┘

The EtherType field at bytes 13–14 tells the receiver what protocol is in the payload — 0x0800 for IPv4, 0x0806 for ARP, and so on. Every device on a network reads this field to decide what to do next.

What 802.1Q Adds

The 802.1Q standard inserts a 4-byte tag between the source MAC and the EtherType field:

┌──────────┬──────────┬───────────────┬───────────┬─────────┬─────┐
│ Dest MAC │ Src MAC  │  802.1Q Tag   │ EtherType │ Payload │ FCS │
│          │          │   (4 bytes)   │           │         │     │
└──────────┴──────────┴───────────────┴───────────┴─────────┴─────┘

The original EtherType is not removed — it is pushed four bytes to the right. The tag takes its place and is split into two fields:

┌──────────────────────┬──────────────────────────────────────────┐
│   TPID  (2 bytes)    │            TCI  (2 bytes)                │
│       0x8100         ├─────────────┬──────┬─────────────────────┤
│                      │     PCP     │ DEI  │        VID          │
│                      │   (3 bits)  │(1 bit│     (12 bits)       │
└──────────────────────┴─────────────┴──────┴─────────────────────┘

TPID (Tag Protocol Identifier) is always 0x8100 — a reserved EtherType value that signals “an 802.1Q tag follows.” A device seeing 0x8100 at bytes 13–14 knows to read the next two bytes as TCI rather than treating them as a normal EtherType.

TCI (Tag Control Information) carries the priority bits (PCP), a drop eligibility flag (DEI), and most importantly the VID — the 12-bit VLAN ID. With 12 bits, VIDs run from 1 to 4094, giving up to 4094 usable VLANs per switching domain.

The 4-byte insertion pushes the maximum frame size from 1518 to 1522 bytes. IEEE 802.3ac was ratified alongside 802.1Q to officially raise this limit, and the FCS is recalculated to cover the tag, so integrity checking works exactly as before.

How Non-802.1Q Devices Tolerate Tagged Frames

A device that does not understand 802.1Q sees 0x8100 at bytes 13–14 and encounters an EtherType it does not recognize. The Ethernet standard’s defined response to an unknown EtherType is to discard the frame gracefully — not crash, not corrupt state. The frame passes hardware validity checks since the MAC addresses and FCS are all where they should be. The device simply drops it silently.

In practice this almost never matters, because end devices on access ports never see tagged frames. The switch strips the tag before delivering a frame to a laptop or phone. Tags live on trunk links between switches and routers — links where both ends are always 802.1Q-aware. Non-aware devices are simply never in that path.

How This Connects to PVID and Port Types

This is where the theory connects directly to the configuration covered in the VLAN and PVID post.

On an access port, the switch adds a tag on ingress (using the PVID to determine which VLAN ID to stamp) and strips it on egress. The end device sees plain Ethernet in both directions and has no knowledge that VLAN segregation occurred.

On a trunk port, frames flow with their tags intact across the link. A single physical cable carries traffic for multiple VLANs simultaneously, each frame carrying its own VLAN ID. PVID is irrelevant here because every arriving frame already has a tag.

The rule that PVID must match the port’s untagged VLAN membership is a direct consequence of this mechanism: when an untagged frame arrives, the switch must stamp it with exactly one VLAN ID. If PVID points to a VLAN the port is not a member of, the internally-tagged frame has no valid forwarding path and is dropped — which is precisely the failure mode that broke wired connectivity in the lab while WiFi on trunk ports continued working fine.

Summary

802.1Q works by inserting a 4-byte tag into the Ethernet frame. The TPID field (0x8100) signals that a tag is present; the VID field carries the VLAN ID. Switches add and remove these tags at the boundary between the trunk fabric and end devices. Non-802.1Q devices tolerate tagged frames by discarding them, and in a correctly designed network they never encounter them anyway. Everything else — PVID, access ports, trunk ports — is the configuration layer controlling when and how those tags are applied.