If you have more than one VLAN on a port (a “trunk port“), you need some way to tell which packet belongs to which VLAN on the other end. To do this you are “tagging” a packet with a VLAN tag (or VLAN header if you like). In reality a VLAN tag is inserted in the Ethernet frame like this:
The 802.1Q (dot1q, VLAN) tag contains a VLAN-ID and other things explained in the 802.1Q Standard. The first 16 bits contain the “Tag Protocol Identifier” (TPID) which is 8100. This also doubles as the EtherType 0x8100 for devices that don’t understand VLANs.
So a “tagged” packet contains the VLAN information in the Ethernet frame while an “untagged” packet doesn’t. A typical use case would be if you have one port from a router to a switch which multiple customers are attached to:
In this example customer “Green” has VLAN 10 and Customer “Blue” has VLAN 20. The ports between switch and customers are “untagged” meaning for the customer the arriving packet is just a normal Ethernet packet.
The port between router and switch is configured as a trunk port so that both router and switch know which packet belongs to which customer VLAN. On that port the Ethernet frames are tagged with the 802.1Q tag.