📘 CCNA 200-301 v1.1
2.2 Configure and verify interswitch connectivity
2.2.c Native VLAN
1. What is a VLAN (Quick Recap)
A VLAN (Virtual Local Area Network) is used to separate a network into smaller logical segments, even if the devices are connected to the same physical switch.
For example:
- VLAN 10 – for Servers
- VLAN 20 – for Workstations
- VLAN 30 – for Management
Each VLAN acts as its own broadcast domain.
2. What is a Trunk Port (Review Context)
Before we understand the Native VLAN, it’s important to recall what a Trunk Port is.
A trunk port is a switch port that carries traffic for multiple VLANs at the same time.
It uses VLAN tags (802.1Q tags) to identify which VLAN each frame belongs to.
When a frame moves between switches, it travels over a trunk link.
Each frame is labeled (tagged) with its VLAN ID, except for frames of one special VLAN: the Native VLAN.
3. Definition of Native VLAN
The Native VLAN is the untagged VLAN on a trunk port.
That means:
- All traffic belonging to the Native VLAN is sent without an 802.1Q tag.
- When a switch receives an untagged frame on a trunk link, it assigns that frame to the Native VLAN.
4. Purpose of Native VLAN
The Native VLAN exists for compatibility and management reasons.
Let’s see why:
- When two switches communicate through a trunk link, sometimes a frame may arrive without a VLAN tag (for example, some control traffic or certain device communications).
- The switch must know which VLAN to place that untagged frame in.
- That’s why the concept of Native VLAN exists — to have one VLAN that handles untagged frames.
In short:
The Native VLAN acts as a “default VLAN” for untagged traffic on a trunk.
5. Default Native VLAN
By default, on Cisco switches, the Native VLAN is VLAN 1.
This means:
- If you do not manually configure a Native VLAN, VLAN 1 is automatically used as the Native VLAN.
- VLAN 1 is also used by default for many control plane protocols such as CDP (Cisco Discovery Protocol), VTP (VLAN Trunking Protocol), and STP (Spanning Tree Protocol).
6. Configuring the Native VLAN
You can change the Native VLAN to a different VLAN (for example, VLAN 99) for better management and security.
Command Syntax:

```
Switch(config)# interface gigabitEthernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99
```

This sets VLAN 99 as the Native VLAN on that trunk interface.
Verify the Configuration:

```
Switch# show interfaces trunk
```

You’ll see output similar to:

```
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99
```

This confirms the trunk link is active and VLAN 99 is being used as the Native VLAN.
7. How the Native VLAN Works in Communication
Let’s go step by step through what happens:
- Tagged Frame:
  - When a switch sends a frame for VLAN 10 across a trunk, it adds a VLAN tag saying “this frame belongs to VLAN 10”.
- Untagged Frame (Native VLAN):
  - When the switch sends a frame belonging to the Native VLAN (for example, VLAN 99), it does not add a tag.
- Receiving End Behavior:
  - When the other switch receives an untagged frame, it assumes the frame belongs to its own Native VLAN.
8. Mismatched Native VLAN
A Native VLAN mismatch happens when two switches on the same trunk link have different Native VLANs configured.
Example:
| Switch 1 | Switch 2 |
|---|---|
| Native VLAN 99 | Native VLAN 1 |
If a frame from VLAN 99 leaves Switch 1 (untagged) and reaches Switch 2, Switch 2 will think that frame belongs to VLAN 1.
This causes incorrect VLAN assignments (traffic from VLAN 99 effectively ends up in VLAN 1 without passing through a router), possible security issues, and connectivity problems.
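To make sections 7 and 8 concrete, the following Python model (an added example, not part of the original notes) builds and parses real 802.1Q tag bytes and simulates both ends of a trunk: the sending switch leaves Native VLAN frames untagged, the receiving switch assigns untagged frames to its own Native VLAN, so a mismatch (99 on one side, 1 on the other) silently moves the frame into VLAN 1. The sample Ethernet frame is constructed; the function names are the example's own.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the 12-byte destination/source MAC header."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)          # TCI = PCP(3) | DEI(1) | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_vlan(frame: bytes):
    """Return (vlan_id, frame_without_tag); vlan_id is None when the frame is untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]

def trunk_egress(frame: bytes, vlan_id: int, native_vlan: int) -> bytes:
    """Sending side of a trunk: Native VLAN frames leave untagged, all others get a tag."""
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)

def trunk_ingress(wire_frame: bytes, native_vlan: int):
    """Receiving side of a trunk: untagged frames are assigned to the local Native VLAN."""
    vid, frame = parse_vlan(wire_frame)
    return (native_vlan if vid is None else vid), frame

def cross_trunk(frame: bytes, vlan_id: int, native_a: int, native_b: int) -> int:
    """VLAN the frame ends up in on switch B after crossing the A -> B trunk."""
    return trunk_ingress(trunk_egress(frame, vlan_id, native_a), native_b)[0]

# Constructed sample frame: broadcast dst MAC, made-up src MAC, EtherType IPv4, zero payload
FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + bytes(46)

if __name__ == "__main__":
    print("VLAN 10, natives 99/99 ->", cross_trunk(FRAME, 10, 99, 99))  # 10 (tagged, unaffected)
    print("VLAN 99, natives 99/99 ->", cross_trunk(FRAME, 99, 99, 99))  # 99 (untagged, natives match)
    print("VLAN 99, natives 99/1  ->", cross_trunk(FRAME, 99, 99, 1))   # 1  (untagged, mismatch)
```

Only the untagged (Native VLAN) frame is affected by the mismatch; tagged frames carry their VLAN ID explicitly and land in the right VLAN regardless of either side's Native VLAN setting.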
9. How to Detect a Native VLAN Mismatch
Cisco devices automatically detect and warn about this situation.
You’ll see a CDP (Cisco Discovery Protocol) message like:

```
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (99), with SwitchB FastEthernet0/1 (1).
```

This message helps network engineers identify configuration errors quickly.
10. Security Considerations for Native VLAN
Native VLANs can sometimes be used in VLAN hopping attacks if not configured properly.
To avoid this, follow Cisco’s best practices:
Best Practices:
- Do not use VLAN 1 as the Native VLAN — create a separate VLAN (like VLAN 99) and use that as the Native VLAN.
- Avoid using the Native VLAN for user traffic.
- Manually configure the Native VLAN on all trunk ports — never leave it to defaults.
- Ensure Native VLAN matches on both sides of every trunk link.
11. Verification Commands Summary
| Command | Purpose |
|---|---|
| show interfaces trunk | Displays the trunk ports and their native VLANs. |
| show running-config interface [int] | Displays the configuration of the specific interface. |
| show vlan brief | Displays all VLANs and their assigned ports. |
| show interfaces [int] switchport | Displays details about the switchport, including trunking and native VLAN info. |
12. Summary Table
| Concept | Description |
|---|---|
| Native VLAN | VLAN that carries untagged traffic on a trunk. |
| Default Native VLAN | VLAN 1 (on Cisco switches). |
| Function | Handles untagged frames received on a trunk link. |
| Configuration Command | switchport trunk native vlan [vlan_id] |
| Verification Command | show interfaces trunk |
| Best Practice | Use a dedicated VLAN (not VLAN 1) as the Native VLAN and keep it consistent across all trunks. |
✅ In Summary:
- The Native VLAN is used to carry untagged traffic on trunk ports.
- The default Native VLAN is VLAN 1, but it’s recommended to change it.
- Both ends of a trunk must have the same Native VLAN.
- Mismatched or default configurations can cause security and connectivity issues.
- Use show interfaces trunk to verify.
