Untagged vs. Tagged VLAN: What’s the Difference?

Written by Kelsey Kinzer on June 8, 2022

Share This Article

At one point in time, networking was one of the modern wonders of the world. By connecting every device at a company, organizations could broadly disseminate information in what felt like a secret code. 

The problem was those networks quickly began to spiral out of control. With hundreds or even thousands of computers linked to one network, processing power tanked, and security did too. Anyone on the network could view, download, steal, or sell company data 一 a recipe for disaster.

How did enterprises overcome these challenges? Enter: VLANs.

VLANs, or virtual area networks, splice local area networks into distinct groups and connect those groups of devices remotely. Once a device is part of a VLAN, it can only communicate with other devices on that same network, which automatically decreases broadcast volume and locks down data access. Behind the scenes, IT can also use VLANs to manage traffic and implement additional security measures that reduce the risk of a breach.

To reap the benefits of a VLAN, you first need to understand the fundamentals. In this piece, we’ll explain what a VLAN is, how tagged VLANs differ from untagged VLANs, and why VLAN tagging can uplevel your network security.

What Is a VLAN?

A VLAN, or virtual area network, is a group of devices that share a broadcast domain. On the surface, that doesn’t sound too complicated or special, but the VLAN is a big step up from its predecessor 一 the LAN.

A LAN, or local area network, is a cluster of connected computers housed in a specific area, such as a corporate office. Whenever a broadcast is sent within a LAN, all devices within the network have to process and accept it. 

This puts enormous strain on all of the devices, slows the network down, and makes the data within those broadcasts easily accessible to anyone who can access the network. As a LAN increases in scope, the CPU overhead and lack of security become unsustainable.

That’s why many enterprises have turned to VLANs, which separate a LAN into distinct segments. Typically, organizations create VLANs for every department. Devices within a VLAN can communicate with each other, and each other only. 

Since VLANs are inherently virtual, employees can communicate securely with their peers no matter where they are located. Even if all employees are at the office, VLANs make it easy to add or remove devices from a network without the cabling or infrastructure hassle of a LAN.

How Does a VLAN Work?

VLANs would not be designed as we know them today without learning from the shortcomings of the Ethernet. Back in the 1970s, the Ethernet was a novelty; linking multiple devices together had never been done before. 

Although impressive at the time, many issues arose as a result. When more than one device transmitted broadcasts at once, messages would garble, which led to the first routers and switches.

Even those didn’t address the issue of constant broadcast traffic, and network professionals learned that as the number of devices increased, the efficacy of their networks would decrease. Restricting a network to one local area helped. 

Still, as companies began letting more and more employees work remotely, LANs were impossible to maintain, eventually leading to the development of virtual area networks.

VLANs work by segmenting a large network into multiple smaller networks in a logical way. Each VLAN is a standalone network whose connected devices can send and receive broadcasts.

However, configuring a VLAN isn’t as simple as partitioning out different departments in an organization. Sometimes companies need to send global broadcasts or one VLAN needs to communicate with another. 

For instance, maybe a computer that’s a part of one VLAN should be allowed to connect to a scanner or smart TV on another. At the same time, maybe employees on the customer success team (who are on their own VLAN) should not be permitted to interact with computers on the finance team VLAN.

VLANs institute rules about how subnetworks can communicate with each other via access ports. When a broadcast or frame reaches a switch, the access port decides whether to pass the VLAN information through. Ports are classified as “tagged” or “untagged,” which we’ll touch on in the next section.

The Difference Between Tagged and Untagged VLANs

Now that you understand the history behind VLANs and how they work in theory, it’s time to dive into how they work in practice.

For the most part, VLANs fall into two categories: tagged and untagged, sometimes called “trunk” or “access,” respectively. Let’s examine the commonalities and differences of each.

Untagged VLANs

Untagged or “access” VLANs are connected to hosts (usually servers) that pass VLAN information to and from each network and cannot differentiate between any VLAN configuration. In this way, untagged VLANs have a more linear structure, moving from A to B rather than from A to B, C, and D. Generally, untagged VLANs are the default.

Here’s how the flow typically goes:

  1. Host A sends traffic to a switch, and the traffic doesn’t have a VLAN tag.
  2. Traffic is received on access port 1 (also untagged).
  3. Port 1 adds a VLAN tag to the frame, and the switch dictates that the frame must be sent to Host B through access port 2 (an untagged port).
  4. The VLAN tag is removed.
  5. Traffic flows to Host B.

Tagged VLANs

Tagged or “trunk” VLANs enable switch access ports to handle more than one VLAN and separate traffic accordingly. Instead of the data going from one host to another, frames with a VLAN tag can be distributed from one host to many other hosts that are connected to a port, depending on their configuration. The tags denote which packets should be sent to specific VLANs on the other side in this flow:

  1. Host A sends a frame without a VLAN tag.
  2. Traffic is received on port 1 that is configured with VLAN 7, which gets added to the frame.
  3. The switch recognizes the VLAN tag, which says to send the frame to switch 2.
  4. Switch 2 has a tagged access port for VLAN 7, which matches the original tag.
    1. If at this point, VLAN tags did not match (i.e., VLAN 7 vs. VLAN 5), the frame gets dropped.
  5. Traffic is forwarded on to the switch 2 tagged port, which, again, checks whether the tag is permitted elsewhere and distributes the broadcast to all other VLAN 7-configured access ports.
  6. Once traffic reaches an untagged access port, the tag is stripped from the frame, which is sent to the final host.

VLAN Tagging and Network Security

While VLAN tagging makes for a more involved VLAN implementation, it offers access to a much wider range of network benefits, including:

  • Stronger security – Identifier tags can be weaved into the user authentication process, automatically and dynamically steering users into the proper VLAN (which inherently forbids them from receiving broadcasts from other networks). Beyond that, IT can configure separate firewalls and other security software based on the sensitivity of data that are passed through each tagged VLAN.
  • Less congestion – Untagged VLANs are limited by their linear design. While it results in better traffic management than LANs, untagged VLANs still inhibit network performance. 
  • Lower costs – Untagged VLANs need more switches to get data to where it needs to go. But tagged VLANs pre-configure the direction traffic, making them more efficient and eliminating the need for costly devices.
  • Simple troubleshooting and updates – IT has visibility into all VLAN tags, making it easier for them to understand the root cause of any issues. Plus, VLAN tags can be updated at any time, making it easy for IT to make swift changes that don’t drastically impact employees’ workdays. And if the company is expanding (physically or remotely), IT can quickly create and add more tagged VLANs to the overall network.

Network Security and Segmentation with JumpCloud

Although VLAN tagging takes more advanced preparation and configuration, it’s optimal for companies with sensitive data, high traffic, and multiple VLANs. VLAN tagging offers traffic separation without the cost of extra network devices like switches, and allows organizations to add supplementary security measures through authentication. 

With security checks at every possible level, companies can feel more confident that their data and their customers’ data are safeguarded 一 especially during the age of remote work. And it all starts with the RADIUS protocol, which can be implemented with solutions like JumpCloud. 

JumpCloud’s cloud model for RADIUS allows IT to provision and deprovision user access to VPN and Wi-Fi networks straight from their browser and further secure those networks with MFA, without the restriction of building, maintaining, or monitoring physical servers. 

Learn more about how you can jumpstart your VLAN approach with JumpCloud’s Cloud RADIUS.

Kelsey Kinzer

Kelsey is a passionate storyteller and Content Writer at JumpCloud. She is particularly inspired by the people who drive innovation in B2B tech. When away from her screen, you can find her climbing mountains and (unsuccessfully) trying to quit cold brew coffee.

Continue Learning with our Newsletter