General security

What are tagged and untagged ports?

Graeme Messina
September 24, 2019 by
Graeme Messina

Back in the old days, there were no such things as managed switches. Instead, modern Ethernet connections were handled by simple devices called hubs. There were many older standards that predate Ethernet technology, such as token ring and ARCnet, but for our purposes, we will take a look at early Ethernet hubs.

You can think of an Ethernet hub as a single network segment that physically connects hosts to one another via a hardware link. This means that any device that connects to the physical port of the hub will have access to the network, provided they configure their device to match the segment that they are trying to connect to. This is great for ease of setup, but it is a nightmare for security.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Even worse, it opened the door for a major issue: collisions. Collisions occur when two hosts attempt to transmit data at exactly the same time. This happened quite often, as Ethernet communicates rapidly by human standards — many times per second. Cheaper hubs did not handle collisions very well and would sometimes need to be physically power-cycled or restarted in order to get them back up and running again.

An improvement over hubs came in the form of managed switches. Managed switches offer many advanced features such as port configuration and VLANs, which give much greater control and security over unmanaged switches and hubs.

If you are new to the world of networking, then you might have a few questions regarding VLANs. Perhaps the biggest stumbling block for newcomers to this side of networking is that they are a bit confused by how VLAN IDs relate to one another, how they connect segments of a network together and what they do. If you are already feeling a little lost, then don’t worry: we’ll be looking at the basic concepts behind the technology that makes port tagging possible.

What is a VLAN?

A Virtual Local Area Network is a method used to segment networks without the need to physically run cables to separate hardware. As we now know, unmanaged switches offered no segmentation, meaning that any device connected to the hub would broadcast and send data when it was able to, leading to collisions. VLANs intelligently segment your network by directing traffic only between VLANs that have been configured to communicate with one another.

VLANs can be thought of as a method of sorting OSI Layer 2 traffic, which is the Data layer. This means that even though two computers or hosts on two different VLANs are plugged into the same network switch, they will not be able to talk to one another. They will need to make use of an external router to direct traffic between VLANs unless they use port tagging.

How does tagging fit into the equation?

Ports can be either tagged or untagged. With Cisco devices, an untagged switch port will connect to hosts that have no idea of any VLAN configurations within the networking environment. The traffic generated in this untagged configuration will be free of any VLAN information until it reaches the switch’s port. At this point, a VLAN ID is assigned to the frame. This is generally configured by default as VLAN 1 on most managed switches, but this can vary from vendor to vendor.

In the case of an untagged port, you are essentially telling the switch that the host is unaware of what tagging means and that any data that comes from that device will have a tag added to it with a specific VLAN ID. If you have additional managed network switches that understand what VLANs are, then you will set the ports between these switches as tagged and specify which VLAN IDs are allowed to pass through.

As an additional setting, you may also need to configure inter-VLAN if you do not have an external router performing this function, but it needs to be specified or else it will not work. Your managed switch also needs to support the feature.

A basic way to think about VLAN tagging and when to use tagged or untagged ports could be like this:

  • If you are linking switches together in a switch-to-switch configuration, then the ports that connect the two devices together need to be tagged, and they specify which VLANs are allowed through. VLANs are the broadcast domains
  • Computers, servers and other hosts will generally be unaware of the VLAN configuration, and their switch ports will be set to untagged. The PVID will then assign the relevant default VLAN for that switch port. A PVID is the Port VLAN ID, which is essentially just the default VLAN ID that is configured for all untagged frames on that port

The main thing to think about with tagged versus untagged ports, and VLANs in general, is that for the setup to work there will be subnetting involved. This means that there is a requirement to have a dedicated routing device, or even a Layer 3 switch that has routing capabilities, installed on your network.

Conclusion

Understanding how tagging works is not difficult, but it does take a little practice to fully incorporate how it works into your own environment. Knowing when a port needs to be tagged or not will depend mainly on how many VLANs are on a specific port on your managed switch. The standard that governs this technology is known as 802.1Q, and it says that on any particular port on a managed switch you can have a VLAN that is untagged.

The result is that you can have one VLAN on every port which does not need to be tagged. Tagging tells the port to send a packet with header information with a tag number that identifies it as belonging to a specific VLAN.

We hope that you have found our simple guide to tagged and untagged ports useful, and that it helps you to better understand why your current network setup has been configured the way that it has been. As with most secure network environments, there is a great deal of configuration that needs to happen during the initial setup of your network if you are going to control access to devices across your site or sites.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Sources

Graeme Messina
Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.