Basics: Cisco IOS Native VLANs

Cisco IOS and Native VLANs

  • An 802.1Q trunk port can carry tagged and untagged frames because Ethernet is assumed to be a shared medium and there may be hosts on the medium that cannot handle tagged frames.
  • Untagged frames must be placed into a VLAN by the receiving switch; the native VLAN is the VLAN used.
  • When a switch receives an untagged frame on a tagged interface, the frame is assumed to belong to the Native VLAN.
  • For 802.1Q tagged interfaces, Cisco uses untagged frames to carry various administrative protocols between the switches, e.g. CDP, DTP, LACP (?). Not all vendors implement a native VLAN.
  • Configurable Native VLAN IDs are a response to the security vulnerability published by SANS in July 2000 that noted a possible VLAN hopping attack using the Native VLAN, because VLAN 1 on Cisco switches has special significance.
  • It is not mandatory for vendors to implement Native VLANs, so vendor interoperability for protocols using the feature will be a specific configuration issue.
  • For Cisco switches the Native VLAN ID must match on both ends of the trunk.
  • By default the Native VLAN is 1.
  • My “Security Best Practice” is to configure the Native VLAN ID to VLAN 666 and to ensure that this VLAN is not used anywhere in the network. The number “666” helps people to remember this. An attacker who attempts to use the VLAN hopping attack will end up in a dead VLAN that has no hosts to leverage.
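The rules above, as a small added model that is not part of the original post: a frame in the native VLAN leaves a trunk untagged, and the receiving switch drops any untagged frame into its own native VLAN. The switch names, VLAN numbers and host names are constructed to show what a mismatch does and why a native VLAN with no hosts (666 here) contains the problem.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    native_vlan: int
    # Constructed inventory: VLAN id -> hosts present in that VLAN on this switch.
    hosts: dict = field(default_factory=dict)

    def trunk_egress(self, vlan):
        """Frames in the native VLAN leave the trunk untagged (None);
        every other VLAN leaves with its 802.1Q tag."""
        return None if vlan == self.native_vlan else vlan

    def trunk_ingress(self, tag):
        """An untagged frame is assigned to this switch's native VLAN;
        a tagged frame keeps the VLAN carried in its tag."""
        return self.native_vlan if tag is None else tag


def deliver(src, dst, vlan):
    """Forward one frame from VLAN `vlan` on src across the trunk to dst.
    Returns (VLAN the frame lands in on dst, hosts reachable there)."""
    landed = dst.trunk_ingress(src.trunk_egress(vlan))
    return landed, dst.hosts.get(landed, set())


def leaks(src, dst, vlan):
    """True when the frame ends up in a different VLAN than it started in."""
    return deliver(src, dst, vlan)[0] != vlan


if __name__ == "__main__":
    # Mismatch like the CDP message in the post: native VLAN 2 on one side, 1 on the other.
    a = Switch("A", native_vlan=2, hosts={2: {"host-a2"}})
    b = Switch("B", native_vlan=1, hosts={1: {"host-b1"}})
    print("VLAN 2 frame from A lands in VLAN", deliver(a, b, 2)[0], "on B")  # 1: leaked

    # Hardened: both ends use 666 as the native VLAN and nothing lives in it.
    c = Switch("C", native_vlan=666, hosts={10: {"srv-c"}})
    d = Switch("D", native_vlan=666, hosts={10: {"pc-d"}})
    print("VLAN 10 frame from C lands in VLAN", deliver(c, d, 10)[0], "on D")  # 10
    print("untagged frame on D lands in VLAN", d.trunk_ingress(None),
          "with hosts", deliver(c, d, 666)[1])  # 666, empty set
```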

This message appears when the native VLAN is mismatched on the two Cisco switches:

[sourcecode wraplines="false" gutter="false" autolinks="false"]
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/1 (2),
with D-R3550-9B GigabitEthernet0/1 (1)
[/sourcecode]
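Added detection example (not from the original post): a parser that pulls each side's interface and native VLAN out of this CDP message so a log pipeline can flag which end is not on the agreed dead native VLAN. The syslog excerpt is constructed for the example; the first entry is wrapped across two lines the way the message is printed above.

```python
import re

# Constructed sample syslog excerpt (not real device output).
SAMPLE_LOG = """\
Mar  1 10:02:11.301: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/1 (2),
with D-R3550-9B GigabitEthernet0/1 (1)
Mar  1 10:02:12.005: %LINK-3-UPDOWN: Interface GigabitEthernet1/2, changed state to up
Mar  1 10:03:40.118: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/3 (666), with ACCESS-SW2 GigabitEthernet0/24 (1)
"""

MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\), with "
    r"(?P<neighbor>\S+) (?P<remote_if>\S+) \((?P<remote_vlan>\d+)\)"
)


def parse_native_vlan_mismatches(log_text, expected_native=666):
    """Return one finding per CDP native-VLAN mismatch message.

    expected_native is the dead native VLAN the post recommends (666);
    each finding names the side that is not using it so the fix is obvious."""
    # Re-join wrapped continuation lines so the regex sees one message per line.
    text = re.sub(r",\s*\n\s*with ", ", with ", log_text)
    findings = []
    for line in text.splitlines():
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        f = m.groupdict()
        f["local_vlan"] = int(f["local_vlan"])
        f["remote_vlan"] = int(f["remote_vlan"])
        f["wrong_side"] = (
            "remote" if f["local_vlan"] == expected_native else
            "local" if f["remote_vlan"] == expected_native else "both"
        )
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in parse_native_vlan_mismatches(SAMPLE_LOG):
        print(f"{f['local_if']} native {f['local_vlan']} <-> {f['neighbor']} "
              f"{f['remote_if']} native {f['remote_vlan']}: fix {f['wrong_side']}")
```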

Corrections and updates welcome :)

About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT across a wide range of employers, including Finance, Service Providers and Online Companies, working as a freelance consultant. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

You can contact Greg via the site contact page.

  • mike brs

    Also STP uses the native VLAN for sending BPDU frames around the switch domain. So care is needed for all switches to use the same native VLAN in order to make the STP topology.

  • Clarke

    There are some instances where a native vlan is needed for production traffic. In terms of virtualization where out of band management for the bare metal hypervisor (Xen for example) is not available, and you need a separate vlan for it, however it does not support .1q tagging.

    You are spot on about separating the native VLAN from Cisco’s “maintenance” traffic.

    Great blogs and podcasts, keep up the good work.

  • Vitaliy Soldatov

    vlan 777 name NEVER-USED state suspend

  • Andrew Hoyos

    FWIW, you’ll only see the message about Native VLAN mismatch if CDP is enabled on the port. In multivendor situations, not the case…

  • Adam P

    The CDP error message can be suppressed while basic CDP services still run with

    no cdp advertise-v2

    I have not looked into this any further than confirming the absence of the error messages, so I am unsure as to what else it would disable.

    • Anonymous

      no cdp advertise-v2 will cause havoc with your IP telephones – not recommended at the access layer (unless troubleshooting potential CCIE voice problems)

  • Dumlu Timuralp

    Also note that “VLAN 1” plays an important role in the Cisco world. Even if you remove “VLAN 1” from the trunk, DTP, PAgP, CDP and VTP are sent with a “VLAN 1” tag. If you are working in a multi-vendor environment this information is vital.

    Please check : http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml

  • Jason Masker

    I prefer to disallow the native vlan in the ‘switchport trunk allowed vlan’ list. Cisco admin traffic is, of course, still allowed. 

  • Jon

    Technically the native VLAN can be mismatched between two switches, but CDP will complain as noted, and your STP domains will be merged on both switches but for two different VLANs. But in certain integration or cross-vendor cases you want to make the natives different VLAN numbers. Remember on the wire there is no tag; the native VLAN is only local at the switches.
