eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
Virtual local area networks (VLANs) are one of the most important networking innovations of the last 30 years, enabling organizations of all sizes to expand or specialize their operations with virtually segmented networking groups and operations. Tap Protocol Identify
VLANs have made it possible for major enterprises to create more secure network configurations and computing operations, but a VLAN setup alone doesn’t offer support for the more intricate routing configurations necessary for more complex networking scenarios and distributed enterprise teams. Enter the tagged VLAN and the largest debate surrounding VLANs: Is it better to work with a tagged or an untagged VLAN setup?
Also read: What is a VLAN? Ultimate Guide to How VLANs Work
We’ll dive deeper into both types of VLANs in the following sections, but before we go too far, it’s important to know the basics of what each type of VLAN is and why you might want to use either one:
Both tagged and untagged VLANs add additional structure and logic to a network than a traditional LAN can, but in their designs, purposes, and most common use cases, tagged and untagged VLANs operate quite differently. Below, consider how tagged vs. untagged VLANs differ across different networking and network security metrics.
See how one managed service provider uses VLANs to protect backups from ransomware: Building a Ransomware Resilient Architecture
A tagged VLAN is a virtual local area network — or multiple VLANs — that uses different ID tags to segment network traffic into more specific broadcast domains. Even if several devices all technically sit within the same VLAN, they can only communicate and share certain information with other devices as authorized by the trunk port switch that has been configured for particular tag(s).
Tagged VLANs have become increasingly popular for enterprise networks because they give network administrators and cybersecurity teams more hands-on controls over and visibility into network traffic. VLAN tags also make it easier to quickly identify and classify different types of network traffic, which lends itself to greater network visibility and easier risk identification and threat mitigation for a network security team.
The following are some of the most common scenarios in which organizations choose to use tagged VLAN configurations:
Also read: How to Implement Microsegmentation
An untagged VLAN is a more traditional VLAN in which an untagged access port is connected to a host device. Because tags are not an integral part of this setup, it does not matter if the host device is VLAN-aware. The host is able to transmit frames to the access switch port and does not have to add any kind of label or ID for that traffic to be accepted. Once the traffic is received by the access port, it may be given a temporary tag, but regardless, that switch is set up to send untagged traffic to one untagged VLAN source, which is typically another VLAN-unaware host.
Untagged VLANs are most useful when organizations need simple network connections that are easy to maintain or when traffic is low and unspecialized. In guest and home networks where device counts are limited or devices are mostly VLAN-unaware user devices, untagged VLANs give network administrators the simplicity they need and give end users the ease of use they want.
Untagged VLAN is less widespread in larger organizations, but particularly for SMBs and smaller or hybrid networking operations, you may choose to use untagged VLAN for the following reasons:
Also read: Network Protection: How to Secure a Network
While it is theoretically possible for multiple untagged VLANs to exist in a trunk, in practice, there can and should only be up to one untagged VLAN per trunk port. This is because an untagged VLAN has no designation that indicates which devices and components should connect to it; if multiple untagged VLANs are present in a single trunk port, it will not be clear to other devices where they should connect or if they should connect to one of these untagged VLANs.
There are many ways to check if a VLAN is tagged or untagged. Network administrators can look for labels on ports that indicate if the port is an untagged (access) port or if it is a tagged (trunk) port. Users may also be able to check switch and router configurations and settings, device documentation, or VLAN membership lists for more information.
VLANs are useful virtualized infrastructures that support a more logical approach to network grouping and communication, making it possible for network administrators on larger networks to more effectively group and control different types of network traffic. Tags add an additional grouping and control element to the VLAN designation, which is particularly useful for organizations that need to manage larger amounts of traffic for different cybersecurity, workload, and performance scenarios.
But when it comes to tagged vs. untagged VLAN, it’s not necessarily a question of which one is better but rather which one(s) make the most sense for your organization’s devices and particular needs. In fact, it’s often beneficial to use a combination of both tagged and untagged VLANs on your enterprise network, whether you’re attempting to prioritize voice over other performance data on a VoIP network or you’re working to make simple connections to end-user devices while maintaining more complex connections on your network. Using a combination of tagged and untagged VLANs gives you the best of both simplicity and network control.
Next: Top Network Access Control Solutions
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Subscribe to Cybersecurity Insider for top news, trends & analysis
eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.
Advertise with TechnologyAdvice on eSecurity Planet and our other IT-focused platforms.
Virtual Ethernet Tap Property of TechnologyAdvice. © 2023 TechnologyAdvice. All Rights Reserved Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.