802.1Q Native VLAN on Cisco IOS Switch

The IEEE 802.1Q trunking protocol describes something called the native VLAN. All native VLAN traffic is untagged; it doesn’t have an 802.1Q tag on the Ethernet frame. When you look at it in Wireshark, it will look the same, just like any standard Ethernet frame.

When your Cisco switches receive an Ethernet frame without a tag on an 802.1Q-enabled interface, it will assume it belongs to the native VLAN. For this reason, you need to make sure that the native VLAN is the same on both sides.

By default, VLAN 1 is the native VLAN. We can change this if we want. Let’s look at an example. I will use two switches for this:

cisco sw1 sw2 8021q trunk

I will configure an 802.1Q trunk between those two switches so we can look at the native VLAN:

SW1(config)#interface Fastethernet 0/24
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW2(config)#interface Fastethernet 0/24
SW2(config-if)#switchport trunk encapsulation dot1q
SW2(config-if)#switchport mode trunk

We can verify our trunk configuration and see the native VLAN like this:

SW1#show interface fastEthernet 0/24 trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/24      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/24      1,10,12-13,20,23,34,100,123

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/24      1,10,12-13,20,23,34,100,123
SW2#show interfaces fastEthernet 0/24 trunk

Port        Mode             Encapsulation  Status        Native vlan
Fa0/24      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/24      1-4094

Port        Vlans allowed and active in management domain
Fa0/24      1,10,12-13,20,23-24,30

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/24      1,10,12-13,20,23-24,30

Above, you can see that the trunk is operational, we are using 802.1Q encapsulation, and the native VLAN is 1. So what kind of traffic is running on the native VLAN? Let’s take a look at a Wireshark capture of our trunk!

Wireshark Cisco Native VLAN

As you can see, some management protocols like CDP (Cisco Discovery Protocol) are sent on the native VLAN. For security reasons, it might be a good idea to change the native VLAN from VLAN 1 to something else. You can do it like this:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 799 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
566 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags: ,


Forum Replies

  1. Is there any specific reason to tag the native vlan?

  2. Is there any specific reason to tag the native vlan?

  3. Hi Dan,

    There is a security vulnerability (VLAN Hopping) when you don’t tag the native VLAN, that’s the only reason I can think of.

    If you are interested, I can do a write up for VLAN hopping…might be interesting :slight_smile:

    Rene

  4. Thanks for your answer Rene, of course it would be interesting to have the write up for VLAN hopping

    Regards

  5. Hi Dan,

    I put it on my list, when it’s done I’ll let you know.

    Rene

149 more replies! Ask a question or join the discussion by visiting our Community Forum