What is the Native VLAN?

As you remember from the previous lesson, trunk ports send and receive Ethernet frames tagged with IEEE 802.1q VLAN tags. The primary idea behind this is to be able to transport frames from multiple VLANs over a single physical link between switches. This means that both ends of a trunk will always receive tagged frames as shown in Figure 1.

But is that always the case? What if there is a hub or some other layer 1 device in the path? What happens if an untagged frame somehow enters the trunk link? The native VLAN was introduced to handle exactly this scenario.

Frames forwarding over a trunk line
Figure 1. Frames forwarding over a trunk line

The native VLAN is configured per trunk port, is locally significant, and tells the switch: "if you receive untagged data on this port, forward it as if it belongs to the native VLAN." For example, if we configure the native VLAN on a trunk to be 20, data arriving on that port without an IEEE 802.1q header is forwarded in VLAN 20. You can see an example of this in Figure 2. PC7 is somehow connected to the trunk and is sending untagged frames. When they are received on either side of the link, they are forwarded into VLAN 20 (the native VLAN).

By default, the native VLAN of all trunk ports on Cisco switches is assigned to VLAN 1 but it can be any valid VLAN number.

Untagged frames coming in a trunk link
Figure 2. Untagged frames coming in a trunk link

There is another very important angle to this concept. The switches not only put received untagged data into the native VLAN, they also send the data from the native VLAN untagged. Look at the example in Figure 3: the frames from VLAN 10 are carried across the trunk with 802.1q headers, but the frames from VLAN 20 are carried across untagged because VLAN 20 is the native VLAN of the trunk port. All control plane messages such as CDP, VTP, and DTP are also sent through the native VLAN, i.e. untagged.

Frames are untagged in the Native VLAN but tagged in all others
Figure 3. Frames are untagged in the Native VLAN but tagged in all others

Configuring and Verifying Native VLAN on a Trunk port

Let's first see how we can check the operational mode and the native VLAN on any trunk port using the command show interface switchport.

SW2#show interface Gi0/1 switchport
Name: Gig0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

You can see that by default, VLAN 1 is configured as native. Let's change it to another value. This is done using the switchport trunk native vlan command in interface configuration mode. Always keep in mind that this configuration is locally significant and has to be manually configured to match on both sides of the trunk link, otherwise a faulty state occurs.

SW2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

SW2(config)#interface GigabitEthernet 0/1
SW2(config-if)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking
           mode

SW2(config-if)#switchport trunk native vlan ?
  <1-4094>  VLAN ID of the native VLAN when this port is in trunking mode

SW2(config-if)#switchport trunk native vlan 10
SW2(config-if)#end
%SYS-5-CONFIG_I: Configured from console by console

SW2#show interface Gi0/1 switchport 
Name: Gig0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 10 (USERS)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Native VLAN Mismatch

Interface trunk configuration is locally significant. This means that the trunk settings on one switchport do not have to exactly match the settings on the other side of the link. Therefore, you can configure native VLAN 10 on one side and VLAN 20 on the other side of a single trunk link. This causes a dangerous faulty state called native VLAN mismatch. The Cisco proprietary protocol CDP can detect this misconfiguration and report it with error messages as shown below. Please note that if CDP is disabled on the link, there is no way for the switch to detect this automatically.

SW2#
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (10), with SW1 GigabitEthernet0/1 (1).

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (10), with SW1 GigabitEthernet0/1 (1).

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (10), with SW1 GigabitEthernet0/1 (1).

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (10), with SW1 GigabitEthernet0/1 (1).

Native VLAN mismatch can cause some major issues and security implications such as:

  • Misdirected traffic - Frames originating in the VLAN configured as native are sent untagged across the trunk. Upon receipt on the other side of the link, they are forwarded into a different VLAN because the trunk settings don't match on both sides.
  • VLAN hopping - malicious traffic can cross VLAN boundaries.
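To make the ingress and egress rules from Figures 2 and 3 concrete, and to show what the native VLAN mismatch above does to a frame, here is an added Python model of a dot1q trunk port. It is not code from the lesson: it builds and parses 802.1q-tagged Ethernet frames, applies the "untagged in = native VLAN" and "native VLAN out = untagged" rules, and then replays the mismatch from the CDP message (SW2 native VLAN 10, SW1 native VLAN 1). MAC addresses and the payload are constructed; the `TrunkPort`, `cross_trunk` and `parse_cdp_mismatch` names are this example's own. The last function parses the `%CDP-4-NATIVE_VLAN_MISMATCH` syslog line shown above so the mismatch can be picked out of a log feed.

```python
"""Model of IEEE 802.1q trunk-port behaviour: tagging on egress, native-VLAN
handling on ingress, and what a native VLAN mismatch does to a frame.
Added example, not part of the original lesson; MAC addresses and payload are
constructed, switch names follow the lesson's SW1/SW2."""
import re
import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier that marks an 802.1q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (not from the lesson)
PC7_MAC = bytes.fromhex("0200000000a7")
SRV_MAC = bytes.fromhex("020000000001")
PAYLOAD = b"\x45" + b"\x00" * 19      # stand-in for an IPv4 header


def build_frame(dst, src, payload, vlan=None):
    """Ethernet II frame; an 802.1q tag (TPID + TCI) is inserted when vlan is set."""
    if vlan is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan & 0x0FFF                # PCP=0, DEI=0, 12-bit VLAN ID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, vlan, ethertype, payload); vlan is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner_type, frame[18:]
    return dst, src, None, ethertype, frame[14:]


class TrunkPort:
    """One end of a dot1q trunk. Inside the switch a frame is (vlan, untagged bytes)."""

    def __init__(self, switch, native_vlan=1):
        self.switch = switch
        self.native_vlan = native_vlan

    def ingress(self, wire_frame):
        """Receive from the wire: an untagged frame is placed in the native VLAN."""
        dst, src, vlan, _, payload = parse_frame(wire_frame)
        if vlan is None:
            vlan = self.native_vlan
        return vlan, build_frame(dst, src, payload)

    def egress(self, vlan, frame):
        """Send to the wire: native-VLAN frames go untagged, all others are tagged."""
        dst, src, _, _, payload = parse_frame(frame)
        if vlan == self.native_vlan:
            return build_frame(dst, src, payload)
        return build_frame(dst, src, payload, vlan=vlan)


def cross_trunk(vlan, frame, sender, receiver):
    """Forward a frame from `vlan` on sender to receiver.
    Returns (was_tagged_on_wire, vlan_it_landed_in)."""
    wire = sender.egress(vlan, frame)
    landed_vlan, _ = receiver.ingress(wire)
    return parse_frame(wire)[2] is not None, landed_vlan


def untagged_host_into_trunk(frame, port):
    """Figure 2 case: a host injects an untagged frame straight into the trunk link."""
    vlan, _ = port.ingress(frame)
    return vlan


# Detection side: the CDP syslog line the lesson shows, parsed into its fields
CDP_MISMATCH = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\), with (?P<peer>\S+) "
    r"(?P<peer_if>\S+) \((?P<peer_vlan>\d+)\)"
)


def parse_cdp_mismatch(line):
    """Return (local_if, local_native, peer, peer_if, peer_native) or None."""
    m = CDP_MISMATCH.search(line)
    if not m:
        return None
    return (m["local_if"], int(m["local_vlan"]), m["peer"],
            m["peer_if"], int(m["peer_vlan"]))


if __name__ == "__main__":
    frame = build_frame(SRV_MAC, PC7_MAC, PAYLOAD)
    # Figure 3: native VLAN 20 on both ends
    sw1, sw2 = TrunkPort("SW1", 20), TrunkPort("SW2", 20)
    print(cross_trunk(10, frame, sw1, sw2))   # (True, 10)  tagged, lands in VLAN 10
    print(cross_trunk(20, frame, sw1, sw2))   # (False, 20) untagged, lands in VLAN 20
    # Mismatch from the CDP message: SW2 native 10, SW1 native 1
    sw2, sw1 = TrunkPort("SW2", 10), TrunkPort("SW1", 1)
    print(cross_trunk(10, frame, sw2, sw1))   # (False, 1)  VLAN 10 traffic lands in VLAN 1
```

The last call is the misdirected-traffic case from the list above: SW2 strips the tag because VLAN 10 is its native VLAN, and SW1, whose native VLAN is 1, files the untagged frame into VLAN 1. Running the model in the other direction (VLAN 1 from SW1) shows the same frame landing in VLAN 10 on SW2, which is why the mismatch has to be fixed on both ends rather than worked around on one.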

Allowed VLANs on a Trunk port

By default on Cisco switches, frames from all VLANs are transported over the trunk link. However, there is a way to specify exactly which VLAN numbers are allowed to be carried across. There are many cases in which you would want to specify only certain VLANs rather than send frames from all of them. If we take Figure 4 as an example, the switch on the left has four VLANs, 10, 20, 30, and 40, but the switch on the right has VLANs 10, 20, 50, and 60. So you would probably want to send only traffic for 10 and 20 over the trunk link. This can be configured using the switchport trunk allowed vlan feature. Let's configure the link in Figure 4 to carry only frames from VLANs 10 and 20.

Trunk allowed Vlans example
Figure 4. Example of a Trunk link with allowed VLANs

First, let's verify how many virtual LANs are configured on SW1 and SW2.

SW1#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   USERS                            active    Fa0/2, Fa0/3, Fa0/4
20   SERVERS                          active    Fa0/15, Fa0/16, Fa0/17
30   SALES                            active    Fa0/8
40   MGMT                             active    Fa0/18, Fa0/19
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active    

SW2#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/19
                                                Fa0/22, Fa0/23, Fa0/24, Gig0/1
                                                Gig0/2
10   USERS                            active    Fa0/2, Fa0/3, Fa0/4
20   SERVERS                          active    Fa0/12, Fa0/13, Fa0/14
50   IT                               active    Fa0/15, Fa0/16, Fa0/17, Fa0/18
60   SENSORS                          active    Fa0/20, Fa0/21
1002 fddi-default                     active    
1003 token-ring-default               active    
1004 fddinet-default                  active    
1005 trnet-default                    active  

Note that if we look at the show interface trunk output on SW1, VLANs 1-1005 are allowed on the trunk. This means that all VLANs are allowed.

SW1#sh int trunk 
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,20,30,40

The same can be seen on SW2 as well.

SW2#sh int trunk 
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,20,50,60

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,20,50,60

We want to configure only 10 and 20 to be allowed. Let's configure the trunk link on SW1 and SW2. The configuration is the same on both switches, so we need to look at only one example.

SW2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#interface fa0/1
SW2(config-if)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking
           mode

SW2(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

SW2(config-if)#switchport trunk allowed vlan 10,20
SW2(config-if)#end
SW2#
%SYS-5-CONFIG_I: Configured from console by console

The same configuration is applied on both switches. Let's now look at the trunk ports.

SW2#show interfaces trunk 
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       10,20

Port        Vlans allowed and active in management domain
Fa0/1       10,20

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       10,20

Using this feature is very common in scenarios where a switch owned by one organization is connected to another external switch. Usually, there is an agreement to exchange data in one VLAN so you would want to filter all other VLANs out.
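Because both the native VLAN and the allowed list are locally significant, the only way to know that a trunk is consistent is to compare the two ends. The following added Python script (not from the lesson) parses the `show interfaces trunk` output of both switches, as printed above, and reports a native VLAN mismatch, a native VLAN that is missing from the allowed list, and VLANs allowed on one end but not the other; it also computes which VLANs can actually cross the link. The sample outputs are copied from the SW1 and SW2 transcripts in this lesson; `parse_show_trunk`, `audit_trunk` and `carried_vlans` are this example's own names.

```python
"""Consistency check for a dot1q trunk from the 'show interfaces trunk' output
of both switches. Added example, not part of the original lesson; the sample
outputs below are taken from the lesson's SW1 and SW2 transcripts."""


def expand_vlan_list(spec):
    """Expand IOS VLAN list syntax: '1-1005' or '1,10,20,30,40' -> set of IDs."""
    vlans = set()
    spec = spec.strip().lower()
    if spec in ("", "none"):
        return vlans
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text):
    """Parse 'show interfaces trunk' into {port: {'native': int, 'allowed': set}}.
    Only the first two sections are used; the 'active' and STP sections are skipped."""
    ports, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            section = None          # blank line ends a section
            continue
        if line.startswith("Port"):
            heading = line.split(None, 1)[1]
            section = ("mode" if heading.startswith("Mode")
                       else "allowed" if heading.startswith("Vlans allowed on trunk")
                       else None)
            continue
        if section == "mode":
            port, _mode, _encap, _status, native = line.split()
            ports.setdefault(port, {})["native"] = int(native)
        elif section == "allowed":
            port, spec = line.split(None, 1)
            ports.setdefault(port, {})["allowed"] = expand_vlan_list(spec)
    return ports


def audit_trunk(local, peer, port):
    """Return findings for one trunk port seen from both ends; [] means consistent."""
    findings = []
    l, p = local[port], peer[port]
    if l["native"] != p["native"]:
        findings.append(f"native VLAN mismatch on {port}: local {l['native']}, peer {p['native']}")
    if l["native"] not in l["allowed"]:
        findings.append(f"native VLAN {l['native']} is not in the allowed list on {port}")
    if l["allowed"] != p["allowed"]:
        only_local = sorted(l["allowed"] - p["allowed"])
        only_peer = sorted(p["allowed"] - l["allowed"])
        findings.append(f"allowed lists differ on {port}: local-only {only_local[:5]}, "
                        f"peer-only {only_peer[:5]}")
    return findings


def carried_vlans(local, peer, port):
    """VLANs that can actually cross the link: allowed on both ends."""
    return local[port]["allowed"] & peer[port]["allowed"]


# Sample outputs from the lesson (before and after 'switchport trunk allowed vlan 10,20')
SW1_BEFORE = """Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,20,30,40
"""
SW2_BEFORE = SW1_BEFORE.replace("1,10,20,30,40", "1,10,20,50,60")
SW2_AFTER = """Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       10,20
"""

if __name__ == "__main__":
    sw1, sw2 = parse_show_trunk(SW1_BEFORE), parse_show_trunk(SW2_BEFORE)
    print(audit_trunk(sw1, sw2, "Fa0/1"))                  # [] : consistent
    print(len(carried_vlans(sw1, sw2, "Fa0/1")))           # 1005
    after = parse_show_trunk(SW2_AFTER)
    print(sorted(carried_vlans(after, after, "Fa0/1")))    # [10, 20]
    for f in audit_trunk(after, after, "Fa0/1"):
        print(f)
```

Feed the script the real output of both ends of every inter-organisation trunk and run it whenever a trunk is changed: a native VLAN that differs between the ends, or a native VLAN left out of the allowed list, is exactly the state CDP would only catch if CDP happens to be enabled on that link.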

Summary

  • Inbound: Untagged frames received on a trunk port are forwarded into the VLAN configured as Native.
  • Outbound: Frames from the VLAN configured as Native are forwarded untagged.
  • Control-plane messages such as DTP and BPDUs are sent out untagged.
  • Control-plane messages such as CDP and VTP are sent out untagged if the native VLAN is 1; otherwise they are tagged with VLAN 1.
  • The native VLAN is configured per trunk port and is locally significant. Therefore, different VLAN numbers can be configured on the two sides of a single trunk link, leading to a native VLAN mismatch.
  • A native VLAN mismatch leads to misdirected traffic and has security implications.
  • Allowed VLANs can be specified on any trunk port with the switchport trunk allowed vlan command.