Description:
Tag-based VLAN is required when multiple networks have to communicate through a single physical interface, such as a switch port. Each network is assigned its own individual VLAN ID. The VLAN IDs are used to uniquely identify the communication.
Tagging modes are used to control the communication of inbound and outbound packets. There are three different VLAN tagging modes: Access, Trunk and Hybrid.
This article describes how the various VLAN tagging modes work.

Access (never):
This tagging mode is used when connecting a network device that cannot process VLAN IDs itself (such as a notebook).
Info:
For the sake of simplicity, the fact that an increasing number of network cards and even Windows offer partial support of VLAN is not considered in this document.
The access port must be assigned the appropriate port VLAN ID (PVID). The PVID controls which network a device may communicate with.

Trunk (always):
This tagging mode is used to interconnect routers, access points or switches.
Network devices such as notebooks cannot be connected.

Hybrid (mixed):
This tagging mode is used to interconnect routers, access points or switches.
Since the PVID is assigned to untagged packets, network devices like notebooks are also able to communicate in the network tagged with the PVID.
Info:
Typically, the PVID used for the Hybrid tagging mode corresponds to the VLAN ID of the management network.

Example scenario 1:
  • A router is set up with an INTRANET and a Guest network. The INTRANET is assigned VLAN 1 and the Guest network is assigned VLAN 2.
  • A managed switch is connected to the router. The two VLANs were created on the switch.
  • The router and the switch each have a port that is set to the Hybrid tagging mode.
  • On the switch, a further port was set to the Access tagging mode and a notebook was connected to this port.
  • The router and the switch use the PVID 1 on the ports tagged as Hybrid.
  • The switch port set to the Access tagging mode was assigned the PVID 1, so that the notebook is able to communicate in the INTRANET.
The router sends a packet from the INTRANET to the notebook connected to the switch in the same network. The VLAN tag 1 is removed at the router port because VLAN ID 1 is the PVID, so the packet arrives at the switch untagged. The switch attaches the PVID 1 and forwards the packet to the port tagged as Access, which is connected to the notebook. The port tagged as Access removes the VLAN tag from packets that are outbound to the notebook.
In the other direction, a packet is sent without a VLAN tag from the notebook to the router (INTRANET). The switch attaches the PVID 1 to the incoming packet and forwards it to the switch port that is tagged as Hybrid. That port removes the VLAN tag 1 from outbound packets because it corresponds to the PVID. The packet arrives untagged at the router, which then attaches the PVID 1 to inbound packets on the port tagged as Hybrid.

Example scenario 2:
  • A router is set up with an INTRANET and a Guest network. The INTRANET is assigned VLAN 1 and the Guest network is assigned VLAN 2.
  • A managed switch is connected to the router. The two VLANs were created on the switch.
  • The router and the switch each have a port that is set to the Hybrid tagging mode.
  • On the switch, a further port was set to the tagging mode Access and a notebook was connected to this port.
  • The router and the switch use the PVID 1 on the ports tagged as Hybrid.
  • The switch port with the tagging mode Access was assigned the PVID 2, so that the notebook is able to communicate on the Guest network.
The router sends a packet from the Guest network to a notebook connected to the switch in the same network. The packet passes through the router port with its tag, as VLAN ID 2 does not match the PVID, and arrives at the switch with VLAN tag 2. The packet is forwarded to the port tagged as Access, which is connected to the notebook. The port tagged as Access then removes the VLAN tag for packets that are outbound to the notebook.
In the other direction, a packet is sent from the notebook to the router without a VLAN tag (Guest network). The switch attaches the PVID 2 to the incoming packet and forwards it to the next switch port that is tagged as Hybrid. The switch forwards the packet with the VLAN tag 2 to the router. The packet with VLAN tag 2 arrives at the router (Guest network).

Example scenario 3:
  • A router is set up with an INTRANET and a Guest network. The INTRANET is assigned VLAN 1 and the Guest network is assigned VLAN 2.
  • A managed switch is connected to the router. The two VLANs were created on the switch.
  • The router and the switch each have a port set to the tagging mode Trunk.
  • On the switch, a further port was set to the tagging mode Access and a notebook was connected to this port.
  • The switch port with the tagging mode Access was assigned the PVID 2, so that the notebook is able to communicate on the Guest network.
The router sends a packet from the Guest network to a notebook connected to the switch in the same network. The packet passes through the router port with the VLAN tag 2 outbound and arrives at the switch with the same VLAN tag. The packet is forwarded to the port tagged as Access, which is connected to the notebook. The port tagged as Access then removes the VLAN tag for packets that are outbound to the notebook.
In the other direction, a packet is sent from the notebook to the router without a VLAN tag (Guest network). The switch attaches the PVID 2 to incoming packets and forwards them to the next switch port that is tagged as Trunk. The switch forwards the packet with the VLAN tag 2 to the router. The packet with VLAN tag 2 arrives at the router (Guest network).

Example scenario 4:
  • A router is set up with an INTRANET and a Guest network. The INTRANET is assigned VLAN 1 and the Guest network is assigned VLAN 2.
  • On the router, a port has been set to the tagging mode Hybrid.
  • The port tagged as Hybrid on the router was assigned PVID 1.
  • A notebook is connected to the port tagged as Hybrid on the router.
The router sends a packet from the INTRANET to the notebook connected to the router in the same network. The VLAN tag 1 is removed on the router port because VLAN ID 1 is the PVID, so the packet arrives at the notebook untagged.
In the other direction, a packet is sent without a VLAN tag from the notebook to the router (INTRANET). The packet arrives untagged at the router, which then attaches the PVID 1 to inbound packets on the port tagged as Hybrid.
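
The following model is an added example, not part of the original article or any vendor's code: it encodes the ingress and egress rules of the three tagging modes and replays the scenarios above, including the case where an INTRANET frame must not leave a Guest access port. Assumptions of the model: Trunk ports drop untagged frames, Access ports drop frames that arrive tagged, and Access ports only send out their own VLAN; `Port`, `trace` and `DROPPED` are hypothetical names.

```python
# Added example: the article's tagging rules as a small model (not vendor code).
ACCESS, TRUNK, HYBRID = "access", "trunk", "hybrid"
DROPPED = "dropped"

class Port:
    def __init__(self, mode, pvid=None):
        self.mode, self.pvid = mode, pvid

    def ingress(self, tag):
        """Wire tag (None = untagged) -> internal VLAN ID, or DROPPED."""
        if tag is None:
            # Access and Hybrid put untagged frames into the PVID network.
            # Assumption: Trunk drops untagged frames (no end devices there).
            return DROPPED if self.mode == TRUNK else self.pvid
        # Assumption: an Access port drops frames that arrive already tagged.
        return DROPPED if self.mode == ACCESS else tag

    def egress(self, vid):
        """Internal VLAN ID -> wire tag (None = untagged), or DROPPED."""
        if self.mode == ACCESS:
            # Never tagged. Assumption: only the port's own VLAN is sent out.
            return None if vid == self.pvid else DROPPED
        if self.mode == HYBRID and vid == self.pvid:
            return None      # PVID traffic leaves a Hybrid port untagged
        return vid           # Trunk: always tagged; Hybrid: non-PVID tagged

def trace(value, steps):
    """Apply ("out", port) / ("in", port) steps in order.
    `value` is a VLAN ID before an "out" step and a wire tag before an "in"
    step. Returns (tags seen on each link, final value or DROPPED)."""
    wire = []
    for direction, port in steps:
        value = port.egress(value) if direction == "out" else port.ingress(value)
        if value == DROPPED:
            return wire, DROPPED
        if direction == "out":
            wire.append(value)
    return wire, value

if __name__ == "__main__":
    r_hyb, s_hyb = Port(HYBRID, 1), Port(HYBRID, 1)
    s_acc1, s_acc2 = Port(ACCESS, 1), Port(ACCESS, 2)
    # Scenario 1, router -> notebook (INTRANET): untagged on both links
    print(trace(1, [("out", r_hyb), ("in", s_hyb), ("out", s_acc1)]))
    # Scenario 2, notebook -> router (Guest): tag 2 on the uplink
    print(trace(None, [("in", s_acc2), ("out", s_hyb), ("in", r_hyb)]))
    # INTRANET frame toward the Guest access port is not delivered
    print(trace(1, [("out", r_hyb), ("in", s_hyb), ("out", s_acc2)]))
```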