With the switchport modes you can have "Access" or "Trunked".
The difference is that "Access" has a single VLAN assigned to it, whereas a "Trunk" has whatever VLANs you want to assign to it.
Normally, an edge switch (where users are connected) is assigned "Access", as its ports will only belong to one particular VLAN. However, if there is more than 1 VLAN on the switch, the port that connects the edge switch to the next switch (backbone or core) will need to be set as a trunk. If it is not, then only 1 VLAN can traverse the link. So, hypothetically, let's say you have the following setup:
Fa0/1 - Access VLAN10
Fa0/2 - Access VLAN10
Fa0/3 - Access VLAN20
Fa0/4 - Access VLAN20
Fa0/24 - Trunk - Dot1q - vlans allowed 10, 20
Now, Fa0/24 is a trunk because you require 2 VLANs to get across the link to the next switch. That switch will need its connected port to be configured the same as the current switch or the trunk will not work.
The switch you are connecting externally can then be set as an access port assigned to the VLAN for the users you want on that VLAN, therefore you have provided the separation required.
The dot1q encapsulation is required as an extra tag on the front of the packet is required, so the far end switch knows the number of the VLAN and knows which port or ports to send the packet to.
Hope that explains it a bit better.
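The tagging and forwarding decision described in this post can be modelled as follows. This is an added example, not part of the original post: it assumes the far-end switch mirrors the port table above, it ignores the native VLAN (untagged frames on the trunk are simply dropped), and the function names are hypothetical.

```python
import struct

TPID_DOT1Q = 0x8100  # EtherType value that marks an 802.1Q (dot1q) tag

# Port table from the post; the far-end switch is assumed to mirror it.
ACCESS_PORTS = {"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20, "Fa0/4": 20}
TRUNK_ALLOWED = {"Fa0/24": {10, 20}}


def tag_frame(dst, src, vlan, ethertype, payload, pcp=0):
    """Build an Ethernet frame as it would leave a dot1q trunk port."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    # Tag control field: 3-bit priority, 1-bit DEI (left 0), 12-bit VLAN ID.
    tci = (pcp << 13) | vlan
    # The 4-byte tag sits between the source MAC and the original EtherType.
    return dst + src + struct.pack("!HHH", TPID_DOT1Q, tci, ethertype) + payload


def parse_vlan(frame):
    """Return the VLAN ID of a tagged frame, or None if untagged or truncated."""
    if len(frame) < 18:  # 6 + 6 MAC bytes, 4 tag bytes, 2 EtherType bytes
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_DOT1Q:
        return None
    return tci & 0x0FFF


def egress_ports(frame, ingress_trunk="Fa0/24"):
    """Access ports that a frame arriving on the trunk may be delivered to."""
    vlan = parse_vlan(frame)
    allowed = TRUNK_ALLOWED.get(ingress_trunk, set())
    if vlan is None or vlan not in allowed:
        return []  # not tagged, or VLAN not in the trunk's allowed list
    return sorted(port for port, v in ACCESS_PORTS.items() if v == vlan)


if __name__ == "__main__":
    # Constructed sample: broadcast frame from a VLAN 20 user crossing the trunk.
    dst, src = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
    frame = tag_frame(dst, src, 20, 0x0800, b"\x00" * 46)
    print(parse_vlan(frame), egress_ports(frame))
```

A frame tagged with a VLAN outside the trunk's allowed list (for example VLAN 30) yields no egress ports, which is the separation the access/trunk split provides.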