Understanding VLAN’s is not always easy. Especially if you learn it from the internet by yourself.
Firstly what is the purpose of VLAN’s? How do you differentiate between Tagged and Untagged Ports? and What is the PVID?

A simple definition is: A VLAN is a group of devices on one or more LANs that are configured to communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments.

Let’s simplify this. For now, think about a twenty-four port switch to which there are two companies connect. They share the same internet connection but the companies are not able to see each other network. This is where Vlanning comes in. Without expanding your Network by buying additional equipment you can segment this switch to act like three different switches.  Each segment working independently from one another.

This makes managing networks easier and at the same time more difficult to manage. If you understand the concept of VLAN and how it works with other devices and technologies Maintenance and Upgrades will be easy.

But like everything else, you can quickly over complicate a Network Environment and cause more issues than what you are solving. 

Lets quickly work through a few concepts that you need to know to understand this better.

VLAN ID

The VLAN ID is a specific number that you assign to that VLAN Segment. This ID gets added to the frames that are being sent either by device itself or by the switch when it receives the traffic. If the port, the data is being sent to on the switch is a member of the same VLAN ID it will accept the data and send it on. If the VLAN ID is not correct it will drop the data.

VLAN-Aware vs VLAN-Unaware

One of the most difficult things to explain is the difference between a tagged port and an untagged port.

The basics are there are two types of device you can plug into your network. They are VLAN-aware device and VLAN-Unaware Devices.

Think of it like this, your home PC does not have an option to specify a VLAN when plugin it into your Network so it is VLAN-Unaware. Whereas most IP phones have the option to add a VLAN ID which makes it VLAN-aware.

Untagged

Similar an Untagged port does not require the device connected to give a VLAN ID when receiving data, thus a VLAN-Unaware Device. It will rather add it to the correct VLAN ID on the switch side with something called PVID. When sending out the same port it will strip the VLAN ID if the VPID is the same.

Tagged

Tagged Port, on the other hand, requires the data to have the VLAN ID already in the frame when receiving the data from a VLAN-Aware Device. It will keep the VLAN ID in the frame when it sends from the same port.

PVID

A Port VLAN ID (PVID) is a default VLAN ID that is assigned to an untagged port to designate the virtual LAN segment to which this port is connected. 

What this means that if a port is untagged in multiple different VLAN’s any VLAN-Unaware Devices will be automatically placed in the PVID as per specified on that Port. Only one PVID can be specified per port so logically it makes no sense on why to have multiple Untagged VLAN’s on the same port.

Where PVID works is for ports that support both tagged and untagged packets. For example IP Phone and Computer. If a packet is received by the switch without a VLAN tag, the PVID tag is added. When the switch sends a packet out it will strip the VLAN tag if it matches the PVID. This allows a computer to work on the same port without any networking changes.

You should have a better understanding of how VLAN’s work. The concept stays the same regardless of the device Physical or Virtual. If you have a big network I would advise you to read up on Trunk Ports as well. For Smaller Network you should be able to secure your environment with a little bit of Planning.