The 802.1Q VLAN tag is a 4-byte field that gets inserted into Ethernet frames to carry VLAN identity across switch boundaries. It is the mechanism that makes VLAN trunking possible. If you are studying for CCNA, troubleshooting a trunk that "should be working", or trying to understand why double-tagging is a real attack, you need to understand this field byte by byte.
This article walks through the 802.1Q tag format, what each field means, how the tag interacts with native VLANs, the difference between 802.1Q and the older Cisco ISL encapsulation, and the operational implications (MTU, QoS, security). It is the reference you will come back to.
The Problem 802.1Q Solves
A standard Ethernet frame has no VLAN identifier. The destination MAC, source MAC, EtherType, payload, and FCS are all the frame carries. When two switches are connected by a single physical link and need to exchange traffic for many VLANs across that link, plain Ethernet has no way to say which VLAN a frame belongs to.
The pre-standard solutions varied. Cisco's ISL (Inter-Switch Link) encapsulated the entire Ethernet frame inside a new ISL header. 3Com had its own proprietary tagging. None of them interoperated.
IEEE 802.1Q standardized the answer in 1998: instead of encapsulating, insert a 4-byte tag into the existing Ethernet header. The tag carries the VLAN ID, plus a few extra fields. The result is that any 802.1Q-capable switch from any vendor can interpret the tag, the frame format is otherwise familiar, and the overhead is minimal.
The 802.1Q Frame Format
An untagged Ethernet frame looks like this:
+-------------+-------------+-----------+----------+-----+
| Dest MAC    | Src MAC     | EtherType | Payload  | FCS |
| 6 bytes     | 6 bytes     | 2 bytes   | 46-1500B | 4 B |
+-------------+-------------+-----------+----------+-----+
An 802.1Q-tagged frame inserts 4 new bytes between Src MAC and EtherType:
+-----------+-----------+----------+----------+----------+----------+-----+
| Dest MAC  | Src MAC   | TPID     | TCI      | EtherType| Payload  | FCS |
| 6 bytes   | 6 bytes   | 2 bytes  | 2 bytes  | 2 bytes  | 46-1500B | 4 B |
+-----------+-----------+----------+----------+----------+----------+-----+
                        \---- 802.1Q tag ----/
The 4-byte tag splits into two 2-byte fields: TPID (Tag Protocol Identifier) and TCI (Tag Control Information). Total frame size grows from 1518 bytes max (1522 if you count FCS) to 1522 bytes (1526 with FCS), which is why you see "baby giant" support of 1522-byte frames on switch ports that handle trunks.
TPID: Tag Protocol Identifier
The TPID is always 0x8100. It tells the receiving device "this is an 802.1Q-tagged frame, parse the next 2 bytes as TCI."
By placing the TPID where the EtherType normally lives, the tag is detectable: a switch that does not understand 802.1Q sees 0x8100 and either drops the frame (because there is no protocol called 0x8100 it knows about) or, worse, treats the rest of the frame as having an unknown protocol. This is one reason you do not connect 802.1Q-tagged trunks to non-802.1Q-capable equipment.
For QinQ (provider-edge double tagging), an outer TPID of 0x88A8 is used by the standard, with vendors historically using 0x9100 or 0x9200. The inner TPID stays 0x8100. Private VLAN contexts are unrelated to QinQ but worth knowing about.
TCI: Tag Control Information
The TCI is 2 bytes (16 bits) split into three fields:
  3 bits     1 bit         12 bits
+--------+-----------+-----------------+
|  PCP   |    DEI    |       VID       |
+--------+-----------+-----------------+
| Field | Bits | Purpose |
|---|---|---|
| PCP (Priority Code Point) | 3 | QoS priority, values 0-7. Higher = higher priority. |
| DEI (Drop Eligible Indicator) | 1 | Drop preference; 1 means this frame is preferentially dropped under congestion. |
| VID (VLAN ID) | 12 | The VLAN this frame belongs to. Values 0-4095, with 0 and 4095 reserved. |
PCP: How VLAN Priority Carries QoS
The 3-bit PCP field gives 8 priority levels (0-7). This is IEEE 802.1p's class-of-service mechanism layered on top of 802.1Q. Higher numerical values mean higher priority for queueing decisions on the switch.
Standard mappings (informational, not strict):
| PCP value | Traffic class | Typical use |
|---|---|---|
| 7 | Network control | STP, OSPF, BGP, BFD |
| 6 | Internetwork control | Routing protocol updates |
| 5 | Voice | RTP voice payload |
| 4 | Video | RTP video payload |
| 3 | Critical applications | Signaling (SIP, H.323) |
| 2 | Excellent effort | Bulk applications with priority |
| 1 | Background | Lower than best-effort |
| 0 | Best effort | Default |
On a Cisco switch, the PCP value is automatically derived from the DSCP value of the inner IP packet via a configurable mapping. To inspect the mapping, use show mls qos maps on Catalyst, or show platform hardware fed switch active qos dscp-cos counters on Catalyst 9000. The PCP is what carries QoS across switch hops; once the frame is decapsulated to a router, the IP DSCP takes over.
DEI: The 802.1Q-2011 Drop Eligible Indicator
Originally this bit was the "Canonical Format Indicator" (CFI), used to signal whether MAC addresses were in canonical (Ethernet) or non-canonical (Token Ring) format. With Token Ring effectively extinct, IEEE 802.1Q-2011 redefined the bit as DEI: Drop Eligible Indicator.
DEI = 1 means "this frame is preferentially dropped under congestion." It is used in service provider QinQ environments where the provider network uses DEI to mark frames that exceed contract rates. In most enterprise environments DEI is always 0.
VID: The VLAN ID
12 bits give 4096 possible values (0-4095), but the standard reserves both ends:
| VID | Meaning |
|---|---|
| 0 | "Priority tag" - no VLAN, frame uses port VLAN, but PCP/DEI carry meaning |
| 1-1001 | Normal range; VLAN 1 is the default; VLANs 1002-1005 are FDDI/Token Ring legacy |
| 1006-4094 | Extended range (Cisco needs VTP transparent or VTP v3) |
| 4095 | Reserved by the standard; never used as a real VLAN |
So the practical range is 1-4094. Most enterprises use the normal range (1-1001) for the bulk of their VLANs.
The Native VLAN: One VLAN That Doesn't Get Tagged
On an 802.1Q trunk, every VLAN gets a tag except one: the native VLAN. Frames in the native VLAN traverse the trunk untagged, exactly like a regular access-port frame.
Why? Backwards compatibility with hubs and old equipment that did not understand 802.1Q. If you connected a hub between two switches, the hub would forward 802.1Q-tagged frames as opaque data, and the receiving switch would still know what VLAN they belonged to. Frames in the native VLAN, untagged, would also work on the hub because they look like regular Ethernet.
By default, the native VLAN is VLAN 1. This is dangerous for two reasons:
- Mixing of control and data. CDP, VTP, PAgP, DTP all use VLAN 1 by default. Leaving the native VLAN as VLAN 1 means your management/control plane and user data share the same untagged segment.
- Double-tagging attacks. An attacker in the native VLAN can inject a frame with two 802.1Q tags. The first switch strips the outer tag (because it matches the native VLAN), then forwards the frame to the trunk. The next switch sees the inner tag and treats the frame as belonging to that VLAN, regardless of where the attacker actually is. VLAN Security Hardening covers the full attack and the mitigation.
The PingLabz default: change the native VLAN to a dedicated unused VLAN (e.g. VLAN 999), and never let a host port be in it. The classic configuration:
Switch(config)# vlan 999
Switch(config-vlan)# name UNUSED-NATIVE
Switch(config-vlan)# exit
Switch(config)# interface range GigabitEthernet1/0/24-26
Switch(config-if-range)# switchport mode trunk
Switch(config-if-range)# switchport trunk encapsulation dot1q
Switch(config-if-range)# switchport trunk native vlan 999
Both ends of every trunk must agree on the native VLAN, or you get a CDP warning and possibly STP issues. Native VLAN Configuration and Security on Cisco Switches walks through the change.
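The TPID/TCI layout and the double-tagging pattern described above can be checked in a capture with a short decoder. This is an added example, not code from the original article; the function names and sample frames are constructed for illustration, and the detector only covers the case the article describes (two stacked 0x8100 tags with the outer VID equal to the native VLAN).

```python
import struct

TPIDS = (0x8100, 0x88A8)  # 802.1Q and the standard QinQ outer TPID from the article

def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype); each tag is a dict with tpid, pcp, dei, vid."""
    offset, tags = 12, []  # skip 6-byte Dest MAC + 6-byte Src MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype,
                     "pcp": tci >> 13,          # top 3 bits
                     "dei": (tci >> 12) & 0x1,  # next bit
                     "vid": tci & 0x0FFF})      # low 12 bits
        offset += 4

def double_tag_alert(frame: bytes, native_vlan: int) -> bool:
    """Flag two stacked 0x8100 tags whose outer VID is the native VLAN."""
    tags, _ = parse_vlan_tags(frame)
    return (len(tags) >= 2
            and tags[0]["tpid"] == tags[1]["tpid"] == 0x8100
            and tags[0]["vid"] == native_vlan)

# Constructed sample frames (built here for the demo, not captured traffic)
def make_tag(pcp, dei, vid, tpid=0x8100):
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)

MACS = bytes.fromhex("ffffffffffff020000000001")  # Dest MAC + Src MAC
REST = struct.pack("!H", 0x0800) + bytes(46)      # EtherType IPv4 + dummy payload
UNTAGGED = MACS + REST
SINGLE = MACS + make_tag(5, 0, 20) + REST          # voice priority, VLAN 20
STACKED = MACS + make_tag(0, 0, 1) + make_tag(0, 0, 30) + REST
QINQ = MACS + make_tag(0, 1, 100, 0x88A8) + make_tag(0, 0, 30) + REST

if __name__ == "__main__":
    for name, f in [("untagged", UNTAGGED), ("single", SINGLE),
                    ("stacked", STACKED), ("qinq", QINQ)]:
        print(name, parse_vlan_tags(f), double_tag_alert(f, native_vlan=1))
```

The QinQ sample is not flagged because its outer TPID is 0x88A8, which is the legitimate provider-edge stacking the article mentions.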
802.1Q vs ISL: Why Cisco's Original Tagging Lost
| Trait | 802.1Q | ISL |
|---|---|---|
| Standard | IEEE 802.1Q (1998) | Cisco-proprietary |
| Approach | Inserts 4-byte tag inside the Ethernet header | Encapsulates the entire Ethernet frame in a new ISL header |
| Overhead | 4 bytes | 30 bytes (26 ISL header + 4 ISL trailer) |
| Native VLAN concept | Yes (one VLAN untagged) | No (every VLAN tagged) |
| Vendor support | Universal | Cisco only |
| Status in 2026 | Universal default | Deprecated; not supported on modern Catalyst |
The newest Catalyst 9000 series does not support ISL at all. If you encounter ISL in the wild, you are looking at a legacy network that needs migration. Configuring 802.1Q Trunks on Cisco Catalyst Switches walks through the modern trunk pattern.
MTU Implications: Why You See 1522-Byte Frames
The 4-byte tag adds to frame size. A standard Ethernet frame is 64-1518 bytes (without FCS); with 802.1Q tagging, the maximum becomes 1522 bytes. That extra 4 bytes is enough that older equipment without "baby giant" support will silently drop tagged frames at maximum size.
Modern Cisco switches accept 1522-byte (or larger) tagged frames by default; you usually do not have to configure anything. The exception is jumbo-frame deployments where the IP MTU is set to 9000, and you might need to confirm the system MTU accommodates 9000 + 4 (tag) bytes. Check with show system mtu on Catalyst.
Verifying Tagged Frames in Practice
To see the 802.1Q tag in action on a Cisco switch, the easiest way is to mirror a trunk port to a SPAN session and capture with Wireshark. The 802.1Q tag will show as a separate "802.1Q Virtual LAN" layer between the Ethernet header and the inner protocol.
For a quick CLI sanity check on what VLANs a trunk is carrying:
Switch# show interfaces trunk
Port        Mode    Encapsulation  Status      Native vlan
Gi1/0/24    on      802.1q         trunking    999

Port        Vlans allowed on trunk
Gi1/0/24    10,20,30,999
Encapsulation should always show 802.1q on modern switches. If you see isl, you have a legacy device or misconfiguration.
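The same sanity check can be run over saved show interfaces trunk output from many switches. This is an added example, not part of the original article: audit_trunks is a hypothetical helper, the sample text is constructed, and it assumes negotiated trunks show an n- prefix in the Encapsulation column.

```python
def audit_trunks(show_output: str):
    """Return (port, finding) pairs from 'show interfaces trunk' text."""
    findings = []
    in_status_table = False
    for line in show_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":
            # Only the table whose header names Encapsulation has the columns we need
            in_status_table = "Encapsulation" in fields
            continue
        if not in_status_table or len(fields) < 5:
            continue
        port, _mode, encap, _status, native = fields[:5]
        encap = encap.lower()
        if encap.startswith("n-"):       # assumed marker for a negotiated trunk
            encap = encap[2:]
        if encap != "802.1q":
            findings.append((port, f"encapsulation is {encap}, expected 802.1q"))
        elif native == "1":
            findings.append((port, "native VLAN is 1; use a dedicated unused VLAN"))
    return findings

# Constructed sample output (not taken from a real device)
SAMPLE = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/24    on           802.1q         trunking      999
Gi1/0/25    on           802.1q         trunking      1
Gi1/0/26    desirable    n-isl          trunking      1

Port        Vlans allowed on trunk
Gi1/0/24    10,20,30,999
Gi1/0/25    1-4094
Gi1/0/26    1-4094
"""

if __name__ == "__main__":
    for port, finding in audit_trunks(SAMPLE):
        print(f"{port}: {finding}")
```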
Summary
The 802.1Q tag is 4 bytes inserted between Src MAC and EtherType: TPID (2 bytes, always 0x8100) plus TCI (2 bytes split into 3-bit PCP, 1-bit DEI, and 12-bit VLAN ID). The PCP carries QoS priority, the VID identifies the VLAN, and the native VLAN traverses the trunk untagged for backwards compatibility.
If you remember nothing else: TPID is always 0x8100, the VLAN ID is 12 bits with practical range 1-4094, and the native VLAN should never be VLAN 1 in a production deployment. Bookmark this article as your byte-by-byte reference, and see the VLAN cluster pillar for the operational picture.