Basics: Cisco IOS Native VLANs
Cisco IOS and Native VLANs
- An 802.1Q trunk port can carry tagged and untagged frames because Ethernet is assumed to be a shared medium and there may be hosts on the medium that cannot handle tagged frames.
- Untagged frames must be placed into a VLAN by the receiving switch; the native VLAN is the VLAN used for this.
- When a switch receives an untagged frame on a tagged interface, the frame is assumed to be a member of the native VLAN.
- On 802.1Q tagged interfaces, Cisco uses untagged frames to carry various administrative protocols between the switches, e.g. CDP, DTP, LACP (?). Not all vendors implement a native VLAN.
- Configurable native VLAN IDs are a response to the security vulnerability published by SANS in July 2000, which noted a possible VLAN hopping attack using the native VLAN. Because VLAN 1 on Cisco switches has special significance
- It is not mandatory for vendors to implement Native VLANs so vendor interoperability for protocols using the feature will be a specific configuration issue.
- For Cisco switches the Native VLAN ID must match on both ends of the trunk.
- By default the Native VLAN is 1.
- My Security Best Practice is to configure the Native VLAN ID to VLAN 666 and to ensure that this VLAN is not used anywhere in the network. The number 666 helps people to remember this. An attacker who attempts to use the VLAN hopping attack will end up in a dead VLAN that has no hosts to leverage.
This message appears when the native VLAN is mismatched on the two Cisco switches:
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/1 (2), with D-R3550-9B GigabitEthernet0/1 (1)
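The mismatch message above is worth catching in syslog rather than only noticing on the console. The following is an added example, not code from the original post: it parses %CDP-4-NATIVE_VLAN_MISMATCH lines and reports which side of each trunk is not on the agreed dead native VLAN (666, per the best practice above). The log lines, the neighbour name D-R3550-9B reused from the post, and the second trunk are constructed sample input.

```python
import re

# Message layout as shown in the post: local interface with its native VLAN in
# parentheses, then "with <neighbour-hostname> <interface> (<vlan>)".
MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\),\s*"
    r"with (?P<neighbor>\S+) (?P<remote_if>\S+) \((?P<remote_vlan>\d+)\)"
)


def parse_mismatch(line):
    """Return the mismatch fields as a dict, or None for any other log line."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["local_vlan"] = int(ev["local_vlan"])
    ev["remote_vlan"] = int(ev["remote_vlan"])
    return ev


def audit(lines, dead_vlan=666):
    """For every mismatch message, list the trunk ends whose native VLAN is not
    the agreed dead VLAN; both ends may be offenders."""
    findings = []
    for line in lines:
        ev = parse_mismatch(line)
        if ev is None:
            continue
        offenders = []
        if ev["local_vlan"] != dead_vlan:
            offenders.append(("local", ev["local_if"], ev["local_vlan"]))
        if ev["remote_vlan"] != dead_vlan:
            offenders.append((ev["neighbor"], ev["remote_if"], ev["remote_vlan"]))
        findings.append({"event": ev, "offenders": offenders})
    return findings


# Constructed sample syslog: the post's message with a timestamp prefix, an
# unrelated link message, and a second trunk where only the far end is wrong.
SAMPLE_LOG = [
    "Mar  1 10:15:02.331: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch "
    "discovered on GigabitEthernet1/1 (2), with D-R3550-9B GigabitEthernet0/1 (1)",
    "Mar  1 10:15:05.004: %LINK-3-UPDOWN: Interface GigabitEthernet1/2, changed state to up",
    "Mar  1 10:16:40.118: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch "
    "discovered on GigabitEthernet1/3 (666), with D-R3550-9B GigabitEthernet0/3 (1)",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["event"]["local_if"], "->", f["offenders"])
```

As the comments below note, this message only appears when CDP is running on the port, so its absence in a multi-vendor environment is not evidence that the native VLANs agree.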
Corrections and updates welcome
About Greg Ferro
Human Infrastructure for Data Networks. 25-year survivor of Corporate IT in many verticals, tens of employers working on a wide range of networking solutions and products.
Host of the Packet Pushers Podcast on data networking at http://packetpushers.net – now the largest networking podcast on the Internet.
Also STP uses the native VLAN for sending BPDU frames around the switch domain. So care is needed for all switches to use the same native VLAN in order to make the STP topology.
There are some instances where a native vlan is needed for production traffic. In terms of virtualization where out of band management for the bare metal hypervisor (Xen for example) is not available, and you need a separate vlan for it, however it does not support .1q tagging.
You are spot on about separating the native VLAN from Cisco's maintenance traffic.
Great blogs and podcasts, keep up the good work.
vlan 777
 name NEVER-USED
 state suspend
Andrew Hoyos says
FWIW, you'll only see the message about Native VLAN mismatch if CDP is enabled on the port. In multivendor situations, not the case.
The CDP error message can be suppressed while basic CDP services still run with
no cdp advertise-v2
I have not looked into this any further than confirming the absence of the error messages, so I am unsure as to what else it would disable.
no cdp advertise-v2 will cause havoc with your IP telephones; not recommended at the access layer (unless troubleshooting potential CCIE voice problems).
Dumlu Timuralp says
Also note that VLAN 1 plays an important role in the Cisco world. Even if you remove VLAN 1 from the trunk, DTP, PAgP, CDP and VTP are sent with a VLAN 1 tag. If you are working in a multi-vendor environment this information is vital.
Please check: http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml
I prefer to disallow the native vlan in the switchport trunk allowed vlan list. Cisco admin traffic is, of course, still allowed.
Technically the native VLAN can be mismatched between two switches, but CDP will complain as noted. And your STP domains will be merged on both switches but for two different VLANs. But in certain integration or cross-vendor cases you want to make the native VLAN numbers different. Remember on the wire there is no tag; it's only local at the switches for the native VLAN.