What does tagging a switchport for vLAN access do?

What does tagging a switchport for vLAN access do?

• Identifies private/public network packets
• Protects against DDoS attacks
• Allows any vLANs to pass between switches
• Allows correctly labeled vLAN traffic through port 

EXPLANATION

 If you have more than one VLAN on a port (a "trunk port"), you need some way to tell which packet belongs to which VLAN on the other end. To do this you are "tagging" a packet with a VLAN tag (or VLAN header if you like). In reality a VLAN tag is inserted in the Ethernet frame.

The 802.1Q (dot1q, VLAN) tag contains a VLAN-ID and other things explained in the 802.1Q Standard. The first 16 bits contain the "Tag Protocol Identifier" (TPID) which is 8100. This also doubles as the EtherType 0x8100 for devices that don't understand VLANs.
So a "tagged" packet contains the VLAN information in the Ethernet frame while an "untagged" packet doesn't. A typical use case would be if you have one port from a router to a switch which multiple customers

In this example customer "Green" has VLAN 10 and Customer "Blue" has VLAN 20. The ports between switch and customers are "untagged" meaning for the customer the arriving packet is just a normal Ethernet packet.
The port between router and switch is configured as a trunk port so that both router and switch know which packet belongs to which customer VLAN. On that port the Ethernet frames are tagged with the 802.1Q tag.