
VLAN & 802.1Q Reference


Updated Mar 25, 2026

A structured reference for VLAN concepts and 802.1Q tagging. Instantly look up any VLAN ID to see its range, usability, and notes — from the standard range (2–1001) to extended IDs and reserved values.

Includes a byte-level 802.1Q tag anatomy diagram (TPID / PCP / DEI / VID) showing how the tag sits in an Ethernet frame, a three-way port mode comparison (access, trunk, hybrid) with Cisco IOS config snippets, a native VLAN security callout covering the VLAN hopping attack and mitigations, and a QinQ / 802.1ad double-tagging overview with S-TAG and C-TAG explained.


VLAN ID ranges, 802.1Q tag anatomy, trunk vs. access port modes, native VLAN security, and QinQ — a complete quick-reference for network engineers.


VLAN ID Range Reference

| Range | Name | Usable | Notes |
|---|---|---|---|
| 0 | Reserved | No | Used internally by 802.1Q for CoS priority tagging. Not assignable. |
| 1 | Default VLAN | Caution | All ports are in VLAN 1 by default. Avoid for production traffic. |
| 2–1001 | Standard Range | Yes | General-purpose VLANs. Safe to use on all platforms. No special requirements. |
| 1002–1005 | Legacy Reserved | No | Reserved for FDDI/Token Ring (Cisco). Cannot be deleted. |
| 1006–4094 | Extended Range | Caution | Requires VTP transparent mode or VTPv3. Check your platform's support. |
| 4095 | Reserved | No | Reserved by IEEE 802.1Q. Not usable. |

802.1Q Tag Anatomy

Ethernet Frame — 802.1Q tag inserted after Src MAC

| Dst MAC | Src MAC | 802.1Q Tag | EtherType | Payload | FCS |
|---|---|---|---|---|---|
| 6 B | 6 B | 4 B | 2 B | 46–1500 B | 4 B |

802.1Q Tag — 4 bytes (32 bits) broken down

| Field | Value | Size | Description |
|---|---|---|---|
| TPID | 0x8100 | 2 bytes | Tag Protocol Identifier. Fixed value 0x8100 signals this is an 802.1Q-tagged frame. The receiving switch checks this field to detect a VLAN tag. |
| PCP | Priority (0–7) | 3 bits | Priority Code Point. Used for Class of Service (CoS / QoS). Value 7 = highest (network control); 0 = best effort. QoS-aware switches forward high-priority frames first. |
| DEI | Drop Eligible | 1 bit | Drop Eligible Indicator. When set to 1, this frame may be dropped during congestion. Formerly called CFI (Canonical Format Indicator) in older 802.1Q revisions. |
| VID | VLAN ID (0–4095) | 12 bits | VLAN Identifier. The 12-bit field specifying which VLAN this frame belongs to. Gives 802.1Q its 4,096 possible VLAN IDs (0–4095, with 0 and 4095 reserved). |

Port Modes

Access Port

Carries a single VLAN. Tags are stripped on egress and added on ingress by the switch — the end device sees untagged traffic.

Use for: End devices — PCs, printers, IP phones, servers.

Tagging: Untagged toward the device. The switch owns the VLAN membership.

Cisco IOS
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast

Trunk Port

Carries multiple VLANs simultaneously. Each frame is 802.1Q-tagged with its VLAN ID as it traverses the trunk link.

Use for: Switch-to-switch links, switch-to-router (router-on-a-stick), server uplinks carrying multiple VLANs.

Native VLAN: One VLAN per trunk is sent untagged. Default is VLAN 1 — change it to an unused VLAN (best practice).

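Cisco IOS
interface GigabitEthernet0/1
 ! Set the encapsulation first: platforms that also support ISL reject "mode trunk" while encapsulation is still auto
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999

Hybrid / General Port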

Carries both tagged and untagged VLANs on the same port. One VLAN is untagged (PVID); additional VLANs are tagged.

Use for: IP phones (untagged data VLAN + tagged voice VLAN), hypervisor uplinks with multiple guest VLANs.

Note: Vendor-specific — HP/Aruba, Huawei, and Linux bridges use this model. Not standard Cisco IOS port terminology.

HP/Aruba ProCurve
! HP/Aruba ProCurve example
interface 1
 untagged vlan 10
 tagged vlan 20,30
 exit

⚠ Native VLAN Security Risk — VLAN Hopping Attack

The native VLAN on a trunk port is transmitted and received without an 802.1Q tag. By default this is VLAN 1 — the same VLAN all switchports are assigned to out of the box.

VLAN hopping: An attacker on the native VLAN crafts a double-tagged frame (outer tag = native VLAN ID, inner tag = target VLAN ID). The first switch strips the outer tag; the second switch forwards the inner-tagged frame into the target VLAN — bypassing access controls entirely.

Mitigations

  • Change the native VLAN to a dedicated, unused ID (e.g., VLAN 999) — never VLAN 1
  • Explicitly tag the native VLAN: switchport trunk native vlan tag
  • Shut down unused ports and assign them to a dead VLAN (e.g., VLAN 999)
  • Never use VLAN 1 for production traffic
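One way to check a switch configuration against the mitigations listed above, as an added example that is not part of the original page. The sample config, the interface names and the helper names (`parse_interfaces`, `vlan_of`, `audit`) are constructed for illustration, and the script assumes every interface in the text is a layer-2 switch port.

```python
import re

# Constructed sample config (IOS-style); interface names and VLAN IDs are illustrative.
SAMPLE = """\
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
interface GigabitEthernet0/3
interface GigabitEthernet0/4
 switchport access vlan 999
 shutdown
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 999
"""

def parse_interfaces(config):
    """Split config text into {interface name: [sub-commands]}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return ifaces

def vlan_of(cmds, keyword):
    """VLAN from 'switchport <keyword> vlan N'; 1 (the default) when absent."""
    hits = [re.fullmatch(rf"switchport {keyword} vlan (\d+)", c) for c in cmds]
    return next((int(m.group(1)) for m in hits if m), 1)

def audit(config):
    """Return (interface, finding) pairs; assumes all interfaces are switch ports."""
    ifaces = parse_interfaces(config)
    trunks = {n: c for n, c in ifaces.items() if "switchport mode trunk" in c}
    natives = {vlan_of(c, "trunk native") for c in trunks.values()}
    out = [(n, "trunk native VLAN is 1") for n, c in trunks.items()
           if vlan_of(c, "trunk native") == 1]
    for n, c in ifaces.items():
        if n in trunks or "shutdown" in c or "no switchport" in c:
            continue                       # trunks handled above; shut or routed ports skipped
        v = vlan_of(c, "access")
        if v == 1 or v in natives:         # live port sitting in VLAN 1 or in a trunk's native VLAN
            out.append((n, f"active non-trunk port in VLAN {v}"))
    return out
```

Running `audit(SAMPLE)` flags the trunk left on the default native VLAN, the unconfigured port that is still up in VLAN 1, and the live access port placed in the VLAN that another trunk uses as its native VLAN.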

QinQ / IEEE 802.1ad Double Tagging

QinQ (standardized as IEEE 802.1ad) adds a second VLAN tag to a frame — an outer service tag (S-TAG) wrapping the customer's existing inner tag (C-TAG). Service providers use this to tunnel entire customer VLAN spaces across a shared backbone without VLAN ID conflicts between tenants.

QinQ Frame Structure

| Dst MAC | Src MAC | S-TAG | C-TAG | EtherType | Payload | FCS |
|---|---|---|---|---|---|---|
| 6 B | 6 B | TPID 0x88A8 | TPID 0x8100 | 2 B | | 4 B |

S-TAG — Outer / Service Tag

TPID: 0x88A8 (IEEE 802.1ad) or 0x8100 (legacy vendor compatibility). Added and removed by the provider edge device. Contains the provider's VLAN ID — opaque to the customer.

C-TAG — Inner / Customer Tag

TPID: 0x8100. The original 802.1Q tag from the customer network — untouched by the provider. Customers can use any VLAN IDs they choose; the provider separates tenants via the outer S-TAG.

Key benefit: Each customer gets up to 4,094 usable inner VLAN IDs regardless of overlap with other customers. The provider only needs to manage one outer VLAN ID per customer, dramatically simplifying multi-tenant VLAN administration.
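The tag layout from the anatomy section and the two double-tagging cases above (the native-VLAN hopping pattern and QinQ), decoded from raw frame bytes in an added example that is not part of the original page. The sample frames are constructed, the function names and labels are illustrative, and `classify` assumes the frame was captured on a user-facing port where stacked 0x8100 tags are not expected.

```python
import struct

TPID_CTAG, TPID_STAG = 0x8100, 0x88A8   # 802.1Q C-TAG, 802.1ad S-TAG

# Constructed sample frames (hex): Dst MAC, Src MAC, tag(s), EtherType, 4 payload bytes.
MACS = "ffffffffffff" "020000000001"
SINGLE = bytes.fromhex(MACS + "8100a00a" + "0800" + "00000000")               # PCP 5, VID 10
DOUBLE = bytes.fromhex(MACS + "81000001" + "81000014" + "0800" + "00000000")  # VID 1 over VID 20
QINQ = bytes.fromhex(MACS + "88a80064" + "8100000a" + "0800" + "00000000")    # S-TAG 100, C-TAG 10

def parse_tags(frame: bytes):
    """Return (tags, ethertype); each tag is a dict of tpid, pcp, dei, vid."""
    tags, off = [], 12                          # tags start after Dst MAC + Src MAC
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_CTAG, TPID_STAG):
            return tags, etype                  # real EtherType reached
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        off += 4

def classify(frame: bytes, native_vlan: int) -> str:
    """Label a frame captured on a user-facing port by its tag stack."""
    tags, _ = parse_tags(frame)
    if not tags:
        return "untagged"
    if len(tags) == 1:
        return "priority-tagged" if tags[0]["vid"] == 0 else "single-tagged"
    if tags[0]["tpid"] == TPID_STAG:
        return "qinq"                           # provider S-TAG over customer C-TAG
    if tags[0]["vid"] == native_vlan:
        return "double-tag-native-outer"        # outer tag = native VLAN, as in the hopping case
    return "stacked-ctag"                       # may also be legacy QinQ using 0x8100 as outer TPID

if __name__ == "__main__":
    for name, frame in (("single", SINGLE), ("double", DOUBLE), ("qinq", QINQ)):
        print(name, classify(frame, native_vlan=1), parse_tags(frame)[0])
```

With the native VLAN moved to 999, the same double-tagged sample no longer matches the native-outer label, which is the effect the first mitigation aims for.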