There may be a time when you need to configure 802.1Q Tagging on a router's FastEthernet Interface.

One potential situation is when you have a switch that doesn't have Layer-3 capabilities connected to the router, but you have to segment the hosts connected to the switch into seperate networks. Why? Maybe you have a segments you want to prevent from speaking to each other - you can apply access-lists to the subinterfaces (hint) just as you can a normally configured physical interface.

***Note The FastEthernet interface type is important, as this doesn't work on 10 Meg Ethernet interfaces!

Here's the configuration:

interface FastEthernet0/0
 description USER and SERVER LANs
 no ip address
 ip route-cache flow
 duplex auto
 speed auto

interface FastEthernet0/0.1
 description USER-LAN
 encapsulation dot1Q 1
 ip address 10.10.1.1 255.255.255.0
 ip helper-address 10.10.3.100
 ipx encapsulation NOVELL-ETHER
 ipx network AAAAAA

interface FastEthernet0/0.2
 description SERVER-LAN
 encapsulation dot1Q 2
 ip address 10.10.2.1 255.255.255.0
 ip access-group 101 in

The important things to pay attention to here are:

1) The subinterface number and the the vlan number (follows "encapsulation dot1Q") must be the   
    same.
2) You can configure this as you would any other interface - except speed and duplex. That's
    configured on the main interface. In this example "interface FastEthernet0/0". Notice I have IPX
    configured on one USER LAN, and have an IP access-list applied to the SERVER LAN.

This configuration has worked with any switch that supports 802.1Q Tagging.

Disclaimer - I take no responsibility for bugs in the manufacturer's implementation of 802.1Q