Virtual local area networks (VLANs) are one of the most important networking innovations of the last 30 years, enabling organizations of all sizes to expand or specialize their operations with virtually segmented networking groups and operations.
VLANs have made it possible for major enterprises to create more secure network configurations and computing operations, but a VLAN setup alone doesn’t offer support for the more intricate routing configurations necessary for more complex networking scenarios and distributed enterprise teams. Enter the tagged VLAN and the largest debate surrounding VLANs: Is it better to work with a tagged or an untagged VLAN setup?
Also read: What is a VLAN? Ultimate Guide to How VLANs Work
Table of Contents
Differences Between Tagged and Untagged VLANs
We’ll dive deeper into both types of VLANs in the following sections, but before we go too far, it’s important to know the basics of what each type of VLAN is and why you might want to use either one:
- Tagged VLANs: When tags are implemented in a VLAN, the broadcast domain is further segmented and devices can only communicate with other devices that have matching tags. Tagged VLANs are best for larger organizations that need stricter traffic and security controls over more complex, higher volume, and different types of network traffic.
- Untagged VLANs: Untagged VLANs are traditional VLANs in which all devices share a broadcast domain, meaning every asset on the VLAN receives every message or piece of data that is transmitted. Untagged VLANs are ideal for smaller organizations and less complicated networking operations where no specialized security or classifications are necessary to separate and isolate VLAN traffic.
Both tagged and untagged VLANs add additional structure and logic to a network than a traditional LAN can, but in their designs, purposes, and most common use cases, tagged and untagged VLANs operate quite differently. Below, consider how tagged vs. untagged VLANs differ across different networking and network security metrics.
| Tagged VLANs | Untagged VLANs | |
| General Setup | Trunk ports are labeled and set up to classify and move traffic to different VLANs and VLAN segments in the network. Trunk ports often link network switches to enable inter-VLAN routing. | A network access port is set up to enable access to only one VLAN; these ports frequently connect end-user devices like laptops and printers. |
| Approach to Network Segmentation | VLAN tags segment the overall VLAN into smaller logical networks and operations; tagged devices and frames can only communicate with each other in the same tagged VLAN, except for when inter-VLAN routing is available and authorized. | No official segmentation; physical switch port assignments are the sole source of isolation. All devices can communicate within an untagged VLAN because no additional rules are in place to limit broadcasts. |
| Security of Configuration | Security is improved in tagged VLANs through traffic isolation and clear VLAN tagging labels, though network professionals are responsible for setting up safeguards against VLAN hopping. However, tagged VLANs are more difficult to configure, and configuration errors can lead to new security vulnerabilities. | Security concerns arise due to shared broadcast domains among VLANs and all VLAN devices and users. However, untagged VLANs are less vulnerable to VLAN hopping risks and misconfigurations. |
| Compatibility With Network Devices | Tagged VLANs are not always compatible with legacy and older networking devices that are not “VLAN-aware.” Tagged VLANs also don’t work with most end-user devices. | Untagged VLANs are compatible with most network devices. |
| Broadcast and Overhead Control | While tagged VLANs give network administrators more control over the size of and assets included in a broadcast domain, the additional data VLAN tags add to networks slightly increase overhead and processing requirements. | Untagged VLANs make it harder for network admins to control devices and where they broadcast; however, there are fewer overhead processing requirements because no VLAN tags need to be processed for network traffic to move through. |
| Quality of Service (QoS) | VLAN tags offer the detailed information necessary to efficiently triage network resources to critical or high-bandwidth applications; this work is done with the help of Quality of Service (QoS) policies. | Untagged VLANs do not typically provide the detail necessary for QoS policies to be implemented for traffic and resource management. |
| Scalability | Tagged VLAN is ideal for network scalability, as VLAN tags support more granular network segmentation and operations, transparent traffic management and classification, inter-VLAN routing, and remote work networking scenarios. | Because of the simple A-to-B connections that most untagged VLANs operate under, untagged VLANs are ideal for smaller businesses and networks; it is much more difficult to expand devices, traffic types, and other complexities without VLAN tags. |
| Ease of Use and Flexibility | Tagged VLANs are typically not as easy to implement and maintain over time because of their complexities and larger number of components, but they are more flexible and can be built up due to their precise segmentation. | Untagged VLANs are easier to set up and maintain because there are no additional tags, classifications, or groupings to manage. However, untagged VLANs are less flexible due to limited network segmentation and the fact that devices are mostly bound to physical switch ports and locations. |
See how one managed service provider uses VLANs to protect backups from ransomware: Building a Ransomware Resilient Architecture
Tagged VLANs
A tagged VLAN is a virtual local area network — or multiple VLANs — that uses different ID tags to segment network traffic into more specific broadcast domains. Even if several devices all technically sit within the same VLAN, they can only communicate and share certain information with other devices as authorized by the trunk port switch that has been configured for particular tag(s).
Tagged VLANs have become increasingly popular for enterprise networks because they give network administrators and cybersecurity teams more hands-on controls over and visibility into network traffic. VLAN tags also make it easier to quickly identify and classify different types of network traffic, which lends itself to greater network visibility and easier risk identification and threat mitigation for a network security team.
When to Use Tagged VLANs
The following are some of the most common scenarios in which organizations choose to use tagged VLAN configurations:
- Inter-VLAN Routing and Complex Traffic Management: When you have multiple VLANs that need to share information, tagged VLANs enable more complex configurations and data transmissions via trunk-port switches and routing.
- QoS Requirements: When you’re interested in establishing a Quality of Service (QoS) policy for critical application and traffic management, VLAN tags provide the necessary information to identify and create specialized rules for top-priority or more complex traffic. QoS enables stricter broadcast and resource controls that prevent certain performance issues.
- Security and Compliance Management: When certain departments, groups, applications, or other categories of network operations require special rules or safeguards that need to be classified and isolated accordingly, tagged VLANs support increased network segmentation. This is particularly important for organizations or departments that must adhere to strict regulations and data security laws.
- Multi-tenant Environments: Beyond the typical organization that operates a network for itself, data centers, cloud providers, and other third-party networking organizations can use tagged VLANs to better isolate and manage traffic for each tenant’s particular requirements.
- VoIP Operations: For Voice over Internet Protocol (VoIP) technology users, tagged VLANs are particularly effective for identifying voice traffic and making sure it is prioritized over other types of traffic; this type of prioritization decreases the chance of performance lags during voice calls.
- Growing or Changing Organizational Demographics: if you work in a hybrid or remote environment, VLAN tags make it easier to manage how network traffic should behave, regardless of where it’s physically coming from. Similarly, if your organization is frequently hiring new employees or otherwise makes recurrent changes to active devices on the network, tagged VLANs are easier to identify and adjust as necessary.
Also read: How to Implement Microsegmentation
Untagged VLANs
An untagged VLAN is a more traditional VLAN in which an untagged access port is connected to a host device. Because tags are not an integral part of this setup, it does not matter if the host device is VLAN-aware. The host is able to transmit frames to the access switch port and does not have to add any kind of label or ID for that traffic to be accepted. Once the traffic is received by the access port, it may be given a temporary tag, but regardless, that switch is set up to send untagged traffic to one untagged VLAN source, which is typically another VLAN-unaware host.
Untagged VLANs are most useful when organizations need simple network connections that are easy to maintain or when traffic is low and unspecialized. In guest and home networks where device counts are limited or devices are mostly VLAN-unaware user devices, untagged VLANs give network administrators the simplicity they need and give end users the ease of use they want.
When to Use Untagged VLANs
Untagged VLAN is less widespread in larger organizations, but particularly for SMBs and smaller or hybrid networking operations, you may choose to use untagged VLAN for the following reasons:
- Limited Number of VLANs: If your organization is smaller and only has one or a small number of VLANs that rarely need to interact with each other via inter-VLAN routing, an untagged VLAN offers enough connectivity for most use cases.
- Small Number of Devices or Traffic Requirements: If you have no special security or performance requirements for any devices on your VLAN, VLAN tags may not be necessary to segment the VLAN broadcast domain further.
- Legacy Devices and Network Technology: Not all legacy hardware and devices are VLAN-aware; these types of devices can not readily accept VLAN tags and operate better in a simple untagged VLAN configuration.
- Consumer and Home Network Configurations: If a network mostly consists of end-user devices like phones or laptops, or if a network is operating in an individual’s home or as a consumer Wi-Fi access point, VLAN tags are overkill for the types and volume of traffic moving through. Especially for guest Wi-Fi networks, untagged VLANs are better for easier log-on and ease of use.
- Lacking Networking Expertise or Budget: Untagged VLANs are easier to set up and harder to misconfigure, making them ideal for teams with inexperienced or small network security teams. Untagged VLANs are also less likely to result in costly security or performance errors and typically don’t require more specialized, VLAN-aware components that can get expensive.
- Less Important Traffic Types: It may be beneficial to leave certain frames, devices, or VLANs untagged if they’re primarily used to transmit less important network traffic. For example, if you’re operating a VLAN for VoIP, you may want to use untagged VLAN for non-voice traffic so the tagged voice traffic can be prioritized for performance needs.
Also read: Network Protection: How to Secure a Network
Frequently Asked Questions (FAQs)
How Many Untagged VLANs Can Exist in a Trunk?
While it is theoretically possible for multiple untagged VLANs to exist in a trunk, in practice, there can and should only be up to one untagged VLAN per trunk port. This is because an untagged VLAN has no designation that indicates which devices and components should connect to it; if multiple untagged VLANs are present in a single trunk port, it will not be clear to other devices where they should connect or if they should connect to one of these untagged VLANs.
How Do You Know if a VLAN Is Tagged or Untagged?
There are many ways to check if a VLAN is tagged or untagged. Network administrators can look for labels on ports that indicate if the port is an untagged (access) port or if it is a tagged (trunk) port. Users may also be able to check switch and router configurations and settings, device documentation, or VLAN membership lists for more information.
Bottom Line: The Benefits of Tagged vs. Untagged VLAN
VLANs are useful virtualized infrastructures that support a more logical approach to network grouping and communication, making it possible for network administrators on larger networks to more effectively group and control different types of network traffic. Tags add an additional grouping and control element to the VLAN designation, which is particularly useful for organizations that need to manage larger amounts of traffic for different cybersecurity, workload, and performance scenarios.
But when it comes to tagged vs. untagged VLAN, it’s not necessarily a question of which one is better but rather which one(s) make the most sense for your organization’s devices and particular needs. In fact, it’s often beneficial to use a combination of both tagged and untagged VLANs on your enterprise network, whether you’re attempting to prioritize voice over other performance data on a VoIP network or you’re working to make simple connections to end-user devices while maintaining more complex connections on your network. Using a combination of tagged and untagged VLANs gives you the best of both simplicity and network control.
