Basics: Cisco IOS Native VLANs

Cisco IOS and Native VLANs

  • An 802.1Q trunk port can carry tagged and untagged frames because Ethernet is assumed to be a shared medium and there may hosts on the medium that cannot handle untagged frames.
  • Untagged frames must placed into a VLAN by the receiving switch, the native VLAN is the VLAN used.
  • When a switch receives an untagged frame on a tagged interface it is assumed membership of the Native VLAN.
  • For 802.1.Q tagged interfaces, Cisco uses untagged frames to carry admin various protocols between the switches e.g. CDP, DTP, LACP (?). Not all vendors implement a native VLANs.
  • Configurable Native VLAN IDs are a response to the security vulnerability published by SANS in July 2000 that noted a possible VLAN hopping attack using the Native VLAN. Because VLAN1 on Cisco switches has special significance
  • It is not mandatory for vendors to implement Native VLANs so vendor interoperability for protocols using the feature will be a specific configuration issue.
  • For Cisco switches the Native VLAN ID must match on both end of the trunk.
  • By default the Native VLAN is 1.
  • My “Security Best Practice” is to configure the Native VLAN ID to VLAN 666 and to ensure that this VLAN is not used anywhere in the network. The number “666” helps people to remember this. An attacker who attempts to use the VLAN hopping attack will end up in a dead VLAN that has no hosts to leverage.

This message appears when the native VLAN is mismatched on the two Cisco switches:

[sourcecode wraplines=”false” gutter=”false” autolinks=”false”]
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEhernet1/1 (2),
with D-R3550-9B GigabitEthernet0/1 (1)

Corrections and updates welcome :)

  • mike brs

    Also STP uses native VLAN for sending BPDUs frames around the switch domain. So a care needed to for all switches to use the same native vlan in order to make the stp topology.

  • Clarke

    There are some instances where a native vlan is needed for production traffic. In terms of virtualization where out of band management for the bare metal hypervisor (Xen for example) is not available, and you need a separate vlan for it, however it does not support .1q tagging.

    You are spot on about separating native vlan from Cisco’s “maintenance” traffic

    Great blogs and podcasts, keep up the good work.

  • Vitaliy Soldatov

    vlan 777 name NEVER-USED state suspend

  • Vitaliy Soldatov

    :)vlan 777 name NEVER-USED state suspend

  • Andrew Hoyos

    FWIW, you’ll only see the message about Native VLAN mismatch if CDP is enabled on the port. In multivendor situations, not the case….

  • Adam P

    The CDP error message can be suppressed while basic CDP services still run with

    no cdp advertise-v2

    I have not looked into this any further than confirming the absense of the error messages so I am unsure as to what else it would disable.

    • Anonymous

      no cdp advertise-v2 will cause havoc with your IP telephones – not recommended at the access layer (unless troubleshooting potential CCIE voice problems)

  • Dumlu Timuralp

    Also note that “VLAN 1” plays an important role in Cisco world. Even if you remove “VLAN 1” from trunk; DTP, PAgP, CDP, VTP are sent with a “VLAN 1” tag.  If you are working in a multi – vendor environment this information is vital.

    Please check :

  • Jason Masker

    I prefer to disallow the native vlan in the ‘switchport trunk allowed vlan’ list. Cisco admin traffic is, of course, still allowed. 

  • Jon

    Technically the native vlan can be mismatched between two switches, but CDP will complain as noted. And your stp domains will be merged on both switches but for two different vlans. But in some certain integration or cross vendor cases you want to make the natives different vlan numbers. Remember on the wire there is no tag, it’s only local at the switches for the native vlan.