VLANs: To Tag or Not To Tag

So you work in IT, and you’re configuring a managed production network switch, but you don’t exactly know the difference between a TAGGED VLAN and an UNTAGGED VLAN, which ones to put on a port, and why. Your manager is in the room and will probably be looking over your shoulder soon. Do you start crying and damage the switch with your tears? Do you tell your boss you don’t know what you’re doing? NO. Fake it ’til you make it, Google it, or use this simple analogy.

TAGGED = I need to know what you are

UNTAGGED = I don’t need to know what you are

If you’re wondering whether you should TAG VLAN(s) on a port, ask yourself: if something is plugged into this port, will I need to know what type of device is on the other end? In a majority of production environments, the answer is YES.

Some (not all) things you’d probably want to know if they were connected to a port:

  • Phone
  • Security Camera
  • Wi-Fi Access Point
  • Server
  • Guest Device
  • Uplink to another switch

If you think one or more of these devices will connect to this port, TAG the necessary VLAN(s) on the port. Otherwise, DON’T TAG. For example, you don’t need to tag a port on the security camera VLAN if you know that a security camera will not be plugged into that port. Try to configure switch ports on a need-to-know basis.

If a port is UNTAGGED on a VLAN, it means you’re telling the switch not to worry as much about what’s connected on the other end. So, if Jane in Marketing plugs in her PC, laptop, TV, gaming console, streaming player, etc., the switch doesn’t necessarily need to know in order to move that traffic through the network.

Common scenario: a phone is plugged into the port, and a PC is plugged into that phone. Common sense might tell you to UNTAG the phone (voice) VLAN and TAG the data (PC) VLAN, because the port is directly plugged into a phone first, then a PC. If you go back to the idea that the port needs to know if a phone is plugged in, but doesn’t need to know that a PC is plugged in, then you know to UNTAG the data VLAN and TAG the phone (voice) VLAN. Why does the port need to know if a phone is plugged in? Phones do different things than PCs. Sending voice over your network requires extra work, and your network needs to know that. TAGGING the phone VLAN on that port allows the voice traffic to be treated differently (QoS). The same concept and thought process applies to the other devices mentioned above.

Can I UNTAG the phone VLAN on a port if I know only a phone will be plugged into it? Yes, but make sure to TAG it on the Uplink port.

Can I UNTAG VLANs and TAG no VLANs if I know what’s plugged into every port? Yes, though that’s inefficient; make sure to TAG all necessary VLANs on the Uplink port. Also, make sure no one touches that switch but you, make sure you’ve memorized what’s plugged into every port, and don’t show your boss that config.

Rule of thumb on Uplink ports: Usually uplinks need to know. UNTAG your default/mgmt VLAN, and TAG the rest. If you know you tagged a VLAN on a port but it’s not behaving as expected, check the TAGs on the Uplink ports at both ends.
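As an added illustration (not part of the original post), here is a small Python model of what a switch port does with a frame in the phone-plus-PC scenario above, plus a check for the uplink rule of thumb. The “tag” is the 802.1Q header, which carries the VLAN id and a 3-bit priority that QoS treatment keys on; the VLAN ids (10 data, 20 voice, 1 default) are assumptions and the frames are constructed, not captured.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

def build_frame(vid=None, pcp=0, ethertype=0x0800):
    """Construct a minimal Ethernet frame; add an 802.1Q tag when vid is given.
    (Constructed sample data, not a capture.)"""
    hdr = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566")
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)        # priority in the top 3 bits, VLAN id in the low 12
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46

def parse_frame(frame):
    """Return (vlan_id, priority) from the 802.1Q tag, or (None, None) if untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13

def classify_ingress(port, frame):
    """Which VLAN does the switch put this frame in on `port`?
    port = {"untagged": <vlan id or None>, "tagged": set of vlan ids}.
    Returns the VLAN id, or None if the frame is dropped."""
    vid, _pcp = parse_frame(frame)
    if vid is None:               # no tag: it lands in the port's UNTAGGED VLAN (the PVID)
        return port["untagged"]
    if vid in port["tagged"]:     # tagged: accepted only if that VLAN is TAGGED on this port
        return vid
    return None                   # tag for a VLAN the port does not carry: dropped

def missing_on_uplink(access_ports, uplink):
    """VLANs tagged on any access port that the uplink does not carry as tagged.
    The first thing to check when a tagged VLAN 'is not behaving as expected'."""
    needed = set().union(*(p["tagged"] for p in access_ports))
    return sorted(needed - uplink["tagged"])

# The phone + PC scenario: data VLAN 10 untagged, voice VLAN 20 tagged (assumed ids)
PHONE_PORT = {"untagged": 10, "tagged": {20}}
UPLINK = {"untagged": 1, "tagged": {10, 20}}   # default/mgmt untagged, the rest tagged

if __name__ == "__main__":
    pc = build_frame()                   # the PC sends plain, untagged frames
    phone = build_frame(vid=20, pcp=5)   # the phone tags its own traffic with priority 5
    print(classify_ingress(PHONE_PORT, pc), classify_ingress(PHONE_PORT, phone))
    print(missing_on_uplink([PHONE_PORT], {"untagged": 1, "tagged": {10}}))
```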

Written by: Sam, Network Engineer

Sam is originally from Oconomowoc. Before being hired at CCCP, Sam was the IT director at Manawa Schools. In this role he was a jack of all trades, and really wanted a position that focused on his interest in IT. He has a degree in Sociology and Criminal Justice. When he graduated and was hired onto a police department, he was their IT person. Discovering his passion, he got certifications and continued to pursue his career in IT. Sam is excited about working at CCCP, where he can focus on IT and learn more from our team. He also looks forward to working with both the IT and AV teams. Outside of work, Sam loves sports and, of course, the Green Bay Packers. He also likes to be outside.