What is the Native VLAN?
As you remember from the previous lesson, trunk ports send and receive Ethernet frames tagged with IEEE 802.1q VLAN tags. The primary idea behind this is to be able to transport frames from multiple VLANs over a single physical link between switches. This means that both ends of a trunk will always receive tagged frames as shown in Figure 1.
But is that always the case? What if there is a hub or some other layer 1 device in the path? What happens if an untagged frame somehow enters the trunk link? The Native VLAN was introduced to handle exactly this scenario.
The Native VLAN is configured per trunk port and is locally significant. It tells the switch: "if you receive untagged data on this port, forward it as if it belongs to the native VLAN". For example, if we configure the native VLAN on a trunk to be 20, then any frame arriving on that port without an IEEE 802.1q header is forwarded in VLAN 20. You can see an example of this in Figure 2. PC7 is somehow connected to the trunk and is sending untagged frames. When they are received on either side of the link, they are forwarded into VLAN 20 (the Native VLAN).
By default, the native VLAN of all trunk ports on Cisco switches is assigned to VLAN 1 but it can be any valid VLAN number.
There is another very important angle to this concept. The switches do not only place received untagged data into the native VLAN; they also send data belonging to the Native VLAN untagged. Look at the example in Figure 3: the frames from VLAN 10 are carried across the trunk with 802.1q headers, but the frames from VLAN 20 are carried across untagged because VLAN 20 is the Native VLAN of the trunk port. All control plane messages such as CDP, VTP, and DTP are also sent through the Native VLAN, i.e. untagged.
Configuring and Verifying Native VLAN on a Trunk port
Let's first see how we can check the operational mode and the native VLAN on any trunk port using the command show interface switchport.
SW2#show interface Gi0/1 switchport
Name: Gig0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
You can see that by default, VLAN 1 is configured as Native. Let's change it to another value. This is done using the switchport trunk native vlan command in interface configuration mode. Always keep in mind that this configuration is locally significant and has to be manually configured to match on both sides of the trunk link; otherwise a faulty state occurs.
SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#interface GigabitEthernet 0/1
SW2(config-if)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking mode
SW2(config-if)#switchport trunk native vlan ?
  <1-4094>  VLAN ID of the native VLAN when this port is in trunking mode
SW2(config-if)#switchport trunk native vlan 10
SW2(config-if)#end
%SYS-5-CONFIG_I: Configured from console by console
SW2#show interface Gi0/1 switchport
Name: Gig0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 10 (USERS)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: All
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Native VLAN Mismatch
Trunk configuration on an interface is locally significant. This means that the trunk settings on one switchport do not have to exactly match the settings on the other side of the link. Therefore, you can configure native VLAN 10 on one side and VLAN 20 on the other side of a single trunk link. This causes a dangerous faulty state called Native VLAN mismatch. The Cisco-proprietary protocol CDP can detect this misconfiguration and report it with error messages as shown below. Please note that if CDP is disabled on the link, the switch has no way to automatically detect this.
SW2#
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (10), with SW1 GigabitEthernet0/1 (1).
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (10), with SW1 GigabitEthernet0/1 (1).
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (10), with SW1 GigabitEthernet0/1 (1).
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (10), with SW1 GigabitEthernet0/1 (1).
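As an added example of turning these syslog lines into a detection (not part of the original lesson), here is a small Python parser that matches the %CDP-4-NATIVE_VLAN_MISMATCH message, collapses the repeated copies and reports the two native VLANs for each affected link. The log sample is constructed from the lines above and the function names are this example's own.

```python
import re
from collections import Counter

# Shape of the IOS syslog message shown on this page; interface names, the neighbor's
# hostname and both native VLAN IDs are captured as named groups.
CDP_MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\), with "
    r"(?P<neighbor>\S+) (?P<neighbor_if>\S+) \((?P<neighbor_vlan>\d+)\)\."
)


def parse_mismatch(line: str):
    """Return a dict describing the mismatch, or None if the line is not that message."""
    m = CDP_MISMATCH_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["local_vlan"] = int(d["local_vlan"])
    d["neighbor_vlan"] = int(d["neighbor_vlan"])
    return d


def summarize(lines):
    """Collapse repeated messages into one entry per link, with a repeat count."""
    counts = Counter()
    details = {}
    for line in lines:
        d = parse_mismatch(line)
        if d is None:
            continue  # some other syslog message, ignore it
        key = (d["local_if"], d["neighbor"], d["neighbor_if"])
        counts[key] += 1
        details[key] = d
    return [{**details[k], "count": n} for k, n in counts.items()]


# Constructed sample: the four repeated lines from the page plus one unrelated syslog line.
SAMPLE_LOG = [
    "%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    "GigabitEthernet0/1 (10), with SW1 GigabitEthernet0/1 (1)."
] * 4 + ["%SYS-5-CONFIG_I: Configured from console by console"]
```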
Native VLAN mismatch can cause some major issues and security implications such as:
- Misdirected traffic - Frames originating in the VLAN configured as Native are sent untagged across the trunk. When received on the other side of the link, they are forwarded into a different VLAN because the trunk settings do not match on both sides.
- VLAN hopping - malicious traffic can cross VLAN boundaries.
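The tagging rules from the first section and the mismatch described here, as an added example that is not part of the original lesson: a tiny 802.1Q trunk model in Python. The TrunkPort class, the cross_trunk and mismatch_misdirects helpers, and the simplified frame layout (the tag sits at the very start, MAC addresses are left out) are assumptions of this example, not anything the lesson or Cisco IOS defines.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def tag_frame(payload: bytes, vlan: int, pcp: int = 0) -> bytes:
    """Prepend an 802.1Q tag (TPID + TCI). MAC addresses are omitted in this model."""
    tci = (pcp << 13) | (vlan & 0x0FFF)
    return struct.pack("!HH", TPID_8021Q, tci) + payload


def read_tag(frame: bytes):
    """Return (vlan, payload) for a tagged frame, or (None, frame) when it is untagged."""
    if len(frame) >= 4 and struct.unpack("!H", frame[:2])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[2:4])[0] & 0x0FFF, frame[4:]
    return None, frame


class TrunkPort:
    """One end of a trunk: its native VLAN and an optional allowed-VLAN set (None = all)."""

    def __init__(self, native: int, allowed=None):
        self.native = native
        self.allowed = allowed

    def permits(self, vlan: int) -> bool:
        return self.allowed is None or vlan in self.allowed

    def egress(self, vlan: int, payload: bytes):
        """Outbound: the native VLAN leaves untagged, any other allowed VLAN leaves tagged."""
        if not self.permits(vlan):
            return None  # filtered by 'switchport trunk allowed vlan'
        return payload if vlan == self.native else tag_frame(payload, vlan)

    def ingress(self, frame: bytes):
        """Inbound: untagged frames land in the native VLAN, tagged ones in the tag's VLAN."""
        vlan, payload = read_tag(frame)
        if vlan is None:
            vlan = self.native
        return (vlan, payload) if self.permits(vlan) else None


def cross_trunk(vlan: int, payload: bytes, sender: TrunkPort, receiver: TrunkPort):
    """Carry one frame from `vlan` over the link; returns the (vlan, payload) seen far side."""
    wire = sender.egress(vlan, payload)
    return None if wire is None else receiver.ingress(wire)


def mismatch_misdirects(sender_native: int, receiver_native: int) -> bool:
    """True when the sender's native-VLAN traffic lands in a different VLAN on the receiver."""
    seen = cross_trunk(sender_native, b"data", TrunkPort(sender_native), TrunkPort(receiver_native))
    return seen is not None and seen[0] != sender_native
```

With SW2's native VLAN at 10 and SW1's left at 1, a frame from VLAN 10 leaves SW2 untagged and is forwarded into VLAN 1 on SW1, which is the misdirection described above.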
Allowed VLANs on a Trunk port
By default on Cisco switches, frames from all VLANs are transported over the trunk link. However, there is a way to specify exactly which VLAN numbers are allowed to be carried across. There are many cases in which you would want to permit only certain VLANs rather than send frames from all of them. If we take Figure 4 as an example, the switch on the left has four VLANs: 10, 20, 30 and 40, while the switch on the right has VLANs 10, 20, 50 and 60. So you would probably want to send only traffic for VLANs 10 and 20 over the trunk link. This can be configured using the switchport trunk allowed vlan feature. Let's configure the link in Figure 4 to carry only frames from VLAN 10 and 20.
First, let's verify how many virtual LANs are configured on SW1 and SW2.
SW1#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gig0/1, Gig0/2
10   USERS                            active    Fa0/2, Fa0/3, Fa0/4
20   SERVERS                          active    Fa0/15, Fa0/16, Fa0/17
30   SALES                            active    Fa0/8
40   MGMT                             active    Fa0/18, Fa0/19
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
SW2#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/19
                                                Fa0/22, Fa0/23, Fa0/24, Gig0/1
                                                Gig0/2
10   USERS                            active    Fa0/2, Fa0/3, Fa0/4
20   SERVERS                          active    Fa0/12, Fa0/13, Fa0/14
50   IT                               active    Fa0/15, Fa0/16, Fa0/17, Fa0/18
60   SENSORS                          active    Fa0/20, Fa0/21
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Note that if we look at the show interface trunk output on SW1, it shows that VLANs 1-1005 are allowed on the trunk. This means that all VLANs are allowed.
SW1#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,20,30,40

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,20,30,40
The same can be seen on SW2 as well.
SW2#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1,10,20,50,60

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1,10,20,50,60
We want to allow only VLANs 10 and 20. Let's configure the trunk link on SW1 and SW2. The configuration is the same on both switches, so only one example is shown.
SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#interface fa0/1
SW2(config-if)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking mode
SW2(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list
SW2(config-if)#switchport trunk allowed vlan 10,20
SW2(config-if)#end
SW2#
%SYS-5-CONFIG_I: Configured from console by console
The same configuration is applied on both switches. Let's now look at the trunk ports.
SW2#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       10,20

Port        Vlans allowed and active in management domain
Fa0/1       10,20

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       10,20
Using this feature is very common in scenarios where a switch owned by one organization is connected to an external switch owned by another. Usually there is an agreement to exchange data in a single VLAN, so you want to filter all other VLANs out.
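As an added example (not from the original lesson), here is a Python evaluator for the keyword forms listed in the help output above (WORD, add, all, except, none, remove). It computes the effective allowed set after each command and intersects it with the VLANs defined on the switch, the way the "Vlans allowed and active" row of show interfaces trunk does. The 1-4094 range is taken from the native vlan help text on this page; the function names and the exact composition rules are this example's own reading of the help text.

```python
ALL_VLANS = frozenset(range(1, 4095))  # VLAN IDs accepted by the command (<1-4094>)


def parse_vlan_list(word: str) -> set:
    """Parse the WORD form, e.g. '10,20,30-40', into a set of VLAN IDs."""
    vlans = set()
    for part in word.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)  # a bare number is a one-element range
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def apply_allowed(current: set, *args: str) -> set:
    """Apply one 'switchport trunk allowed vlan ...' argument list to the current set.

    Keywords follow the help text shown on this page: a plain WORD replaces the
    list, 'add' and 'remove' edit it, 'all', 'none' and 'except' rebuild it.
    """
    keyword = args[0]
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | parse_vlan_list(args[1])
    if keyword == "remove":
        return current - parse_vlan_list(args[1])
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(args[1])
    return parse_vlan_list(keyword)  # plain WORD replaces the whole list


def effective_trunk_vlans(allowed: set, active: set) -> set:
    """Mirror 'Vlans allowed and active in management domain': allowed AND defined locally."""
    return allowed & active
```

Running the lesson's own change through it: starting from all VLANs, `apply_allowed(current, "10,20")` yields {10, 20}, and intersecting with SW2's active VLANs {1, 10, 20, 50, 60} gives the {10, 20} seen in the final show interfaces trunk output.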
Summary
- Inbound: Untagged frames received on a trunk port are forwarded into the VLAN configured as Native.
- Outbound: Frames from the VLAN configured as Native are forwarded untagged.
- Control-plane messages such as DTP and BPDUs are sent out untagged.
- Control-plane messages such as CDP and VTP are sent out untagged if the Native VLAN is 1; otherwise they are tagged with VLAN 1.
- Native VLAN is configured per trunk port and is locally significant. Therefore, different VLAN numbers can be configured on both sides of a single trunk link leading to native VLAN mismatch.
- Native VLAN mismatch leads to misdirected traffic and has security implications.
- Allowed VLANs can be specified on any trunk port with the switchport trunk allowed vlan command.