understanding vlan frame tagging

Understanding VLAN Frame Tagging — ISL, DTP, and IEEE 802.1Q Explained

by

Learn how VLAN frame tagging works and why it’s essential for multi-switch networks. Understand ISL, DTP, and IEEE 802.1Q tagging protocols with easy explanations, real examples, and Cisco configuration commands. Perfect for network engineers and CCNA learners.

When VLANs span across multiple switches, the switches need a way to identify which VLAN each Ethernet frame belongs to.
That’s exactly what VLAN Frame Tagging does.

Let’s explore how frame tagging works, why it’s needed, and the key protocols — ISL, DTP, and the most important one, IEEE 802.1Q (dot1Q).

What Is VLAN Frame Tagging?

When traffic travels inside a switch, it’s easy for the switch to know which VLAN a frame belongs to — each access port is tied to a specific VLAN.

However, when that frame needs to cross over to another switch (through a trunk link), the receiving switch must somehow recognize which VLAN the frame belongs to.
To make this possible, the switch adds a VLAN tag to the frame — a small piece of identifying information.

This process is known as VLAN Frame Tagging.

In simple terms: Frame tagging is like placing a label on a package before sending it so the receiver knows exactly where it belongs.

Example: How Frame Tagging Works

Let’s use the diagram below as an example.

image

We have two switches — SwitchA and SwitchB, connected by a trunk link carrying VLANs 100 and 200.

  • HostA, HostB, HostD, and HostE are part of VLAN 100
  • HostC and HostF are part of VLAN 200

Scenario 1 – HostA → HostB

When HostA sends a frame to HostB (both in VLAN 100 on SwitchA):

  • The frame stays within SwitchA
  • No tagging occurs because it never leaves the switch
  • The frame is switched directly to HostB

Scenario 2 – HostA → HostC

If HostA sends a frame to HostC (different VLANs, same switch):

  • Still no tagging occurs
  • Because they belong to different VLANs, routing (Layer 3) would be required
  • The switch will not forward the frame between VLANs

Scenario 3 – HostA → HostD

Now, if HostA sends a frame to HostD (same VLAN, but on SwitchB):

  • The frame leaves SwitchA through the trunk port
  • The switch adds a VLAN tag (VLAN 100 in this case)
  • SwitchB receives the tagged frame and reads the VLAN ID
  • It then forwards the frame only to ports that belong to VLAN 100 (e.g., gi1/20, gi1/21)
  • Before sending the frame to HostD, the VLAN tag is removed

This is how VLAN tagging lets multiple VLANs travel across one cable — while keeping their traffic completely separate.

VLAN Frame Tagging Protocols

Cisco switches support two main frame tagging methods:

  1. ISL (Inter-Switch Link)
  2. IEEE 802.1Q (dot1Q)

Additionally, the Dynamic Trunking Protocol (DTP) helps negotiate which tagging protocol will be used on a trunk link.

Let’s understand each of them.

Inter-Switch Link (ISL)

ISL was Cisco’s proprietary frame tagging protocol used in early VLAN implementations.
It could work with various technologies like Ethernet, Token Ring, and FDDI.

How ISL Works:

  • ISL encapsulates the original Ethernet frame — meaning it wraps the entire frame with an additional 26-byte header and 4-byte trailer.
  • This increases the frame size by 30 bytes.
  • The header includes a 15-bit VLAN ID.
  • The trailer includes an additional CRC (Cyclic Redundancy Check) for data integrity.

Since normal Ethernet frames have a maximum size (MTU) of 1518 bytes, ISL-tagged frames become oversized (often called giants or baby giants).
Cisco switches are designed to handle these larger frames — one reason ISL remained proprietary to Cisco devices.

ISL Limitations:

  • Supports a maximum of 1000 VLANs
  • Not widely supported by non-Cisco switches
  • Now deprecated — modern Cisco devices primarily use 802.1Q

Manual Configuration Example – ISL

If your switch still supports ISL, you can manually configure a trunk using ISL encapsulation:

Switch(config)# interface gigabitEthernet0/1 Switch(config-if)# switchport trunk encapsulation isl Switch(config-if)# switchport mode trunk Switch(config-if)# switchport trunk allowed vlan 10,20,30

Explanation:

  • switchport trunk encapsulation isl → Enables ISL tagging.
  • switchport mode trunk → Makes the port a trunk port.
  • switchport trunk allowed vlan → Specifies which VLANs can use the trunk.

ISL is not supported on newer Cisco Catalyst switches, but it’s helpful to know for legacy networks.

IEEE 802.1Q – The Industry Standard (dot1Q)

IEEE 802.1Q, often referred to as dot1Q, is the standard VLAN tagging protocol supported across nearly all switch vendors — Cisco, Juniper, HP, Dell, and many others.

Unlike ISL, dot1Q does not encapsulate the frame.
Instead, it inserts a 4-byte VLAN tag directly into the Ethernet frame’s Layer 2 header.

What’s Inside the 802.1Q Tag:

The tag contains:

  • 12-bit VLAN ID field (supports up to 4096 VLANs)
  • Priority bits (used for QoS)
  • Canonical Format Indicator (CFI) bit

After adding the tag, the switch recalculates the CRC because the frame’s contents have changed slightly.

This tag increases the frame size from 1514 bytes to 1518 bytes, which is well within the capacity of modern Ethernet devices.

Key Advantages of 802.1Q:

  • Vendor-independent (works across all brands)
  • Efficient — adds only 4 bytes to the frame
  • Supports up to 4096 VLANs
  • Widely supported and considered the default standard

Most modern switches — including all current Cisco models — use 802.1Q by default for VLAN tagging.

Manual Configuration Example – IEEE 802.1Q

Here’s how to manually configure a trunk using 802.1Q tagging:

Switch(config)# interface gigabitEthernet0/1 Switch(config-if)# switchport trunk encapsulation dot1q Switch(config-if)# switchport mode trunk Switch(config-if)# switchport trunk allowed vlan 100,200 Switch(config-if)# switchport trunk native vlan 99

Explanation:

  • switchport trunk encapsulation dot1q → Enables 802.1Q tagging.
  • switchport trunk allowed vlan → Allows specific VLANs over the trunk.
  • switchport trunk native vlan → Defines the VLAN that sends traffic without tagging (used for management or default VLANs).

By default, VLAN 1 is the native VLAN. It’s a good practice to change it to something else for better security.

Dynamic Trunking Protocol (DTP)

DTP is a Cisco-proprietary protocol used to automatically negotiate trunk links and determine which tagging protocol (ISL or 802.1Q) to use.

When two Cisco switches are connected, they can use DTP to:

  • Negotiate whether the link should become a trunk or remain an access link
  • Agree on a common tagging protocol

If both ISL and 802.1Q are supported, ISL is typically preferred by default (though this can be changed).

Manual Configuration Example – DTP

You can control how DTP behaves using different modes:

Switch(config)# interface gigabitEthernet0/1 Switch(config-if)# switchport mode dynamic desirable

Other DTP mode options include:

  • dynamic desirable → Actively tries to form a trunk (sends DTP messages)
  • dynamic auto → Passively waits for the other side to request a trunk
  • trunk → Forces trunk mode (no negotiation)
  • access → Forces access mode (no negotiation)
  • nonegotiate → Disables DTP negotiation completely

Example for a static trunk without DTP negotiation:

Switch(config-if)# switchport mode trunk Switch(config-if)# switchport nonegotiate

Best practice: Use nonegotiate on static trunks to avoid accidental or malicious DTP negotiations.

Quick Comparison

FeatureISLIEEE 802.1QDTP
TypeCisco ProprietaryIndustry StandardCisco Proprietary
EncapsulationFull frame encapsulation4-byte tag insertedNegotiates trunk & encapsulation
VLAN ID Size15 bits12 bitsN/A
VLAN Limit10004096N/A
Supported VendorsCisco onlyAll major vendorsCisco only
Current StatusDeprecatedWidely usedStill used (for trunk negotiation)

Summary

VLAN frame tagging ensures that switches can correctly identify which VLAN each Ethernet frame belongs to — even when traffic crosses between switches.

  • ISL introduced VLAN tagging but is now outdated and Cisco-only.
  • DTP helps negotiate trunk and tagging settings automatically.
  • 802.1Q (dot1Q) is the modern, open standard — compact, efficient, and universally supported.

Without VLAN frame tagging, multi-switch VLAN networks simply wouldn’t be possible.

Final Thought

Every time your network passes a VLAN across switches, remember — a small 4-byte tag is working silently inside each frame, keeping your VLANs organized, isolated, and efficient.
That’s the brilliance of VLAN frame tagging.

Leave a Comment