Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.2.3. Native VLAN

💡 First Principle: When 802.1Q trunk ports send frames, they insert a 4-byte tag identifying the VLAN. But one VLAN gets special treatment—the native VLAN sends frames WITHOUT a tag. This exists for backward compatibility with devices that don't understand VLAN tags. By default, the native VLAN is VLAN 1.

Why is this a security concern? The native VLAN enables the double-tagging form of VLAN hopping. An attacker whose access port sits in the native VLAN sends frames carrying two 802.1Q tags: the outer tag matches the native VLAN, so the first switch strips it when forwarding across the trunk (native VLAN frames travel untagged), and the inner tag, now outermost, names the target VLAN. The second switch reads that inner tag and delivers the frame to the attacker's chosen VLAN, bypassing your segmentation. Two caveats matter in practice: the attack is one-way (replies go to the target VLAN, not back to the attacker), and it only works when the attacker's access VLAN equals the trunk's native VLAN, which is exactly why changing the native VLAN to an unused VLAN defeats it.
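The frame walk above, as an added Python example that is not part of the original page: it builds a real double-tagged 802.1Q frame (TPID 0x8100, 16-bit TCI with a 12-bit VID) and pushes it through a deliberately simplified model of an access port, a trunk egress and a trunk ingress, then shows the same frame against the two mitigations this section recommends. The MAC addresses and payload are constructed sample data, and the access-port rule used here (a tag equal to the access VLAN is accepted, any other tag is dropped) is an assumption of the model, not a statement about a specific switch.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload; the switch model never inspects them.
ATTACKER_MAC = bytes.fromhex("02aabbccdd01")
VICTIM_MAC = bytes.fromhex("02aabbccdd02")
PAYLOAD = b"\x45" + b"\x00" * 45          # dummy IPv4 header bytes


def build_tag(vid, pcp=0, dei=0):
    """One 4-byte 802.1Q tag: TPID, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)


def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    tags = b"".join(build_tag(v) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def outer_vid(frame):
    """VID of the outermost tag, or None when the frame is untagged."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def push_tag(frame, vid):
    return frame[:12] + build_tag(vid) + frame[12:]


def pop_tag(frame):
    return frame[:12] + frame[16:]


def access_ingress(frame, access_vid):
    """Simplified access port (assumption): untagged frames join the access VLAN,
    a tag equal to the access VLAN is accepted as-is, any other tag is dropped."""
    vid = outer_vid(frame)
    if vid is None:
        return push_tag(frame, access_vid)
    return frame if vid == access_vid else None


def trunk_egress(frame, native_vid, tag_native=False):
    """Trunk egress: frames in the native VLAN leave untagged unless native
    tagging is enabled; every other VLAN keeps its tag."""
    if outer_vid(frame) == native_vid and not tag_native:
        return pop_tag(frame)
    return frame


def trunk_ingress_vlan(frame, native_vid):
    """Trunk ingress: untagged frames land in the native VLAN, tagged frames in
    whatever VID the outermost tag names."""
    vid = outer_vid(frame)
    return native_vid if vid is None else vid


def double_tag_hop(attacker_vid, native_vid, target_vid, tag_native=False):
    """VLAN in which a double-tagged frame from an access port in attacker_vid is
    delivered by the far switch, or None if the first switch drops it."""
    frame = build_frame(ATTACKER_MAC, VICTIM_MAC, [attacker_vid, target_vid],
                        ETHERTYPE_IPV4, PAYLOAD)
    frame = access_ingress(frame, attacker_vid)
    if frame is None:
        return None
    frame = trunk_egress(frame, native_vid, tag_native)
    return trunk_ingress_vlan(frame, native_vid)


if __name__ == "__main__":
    print("native 1, attacker in VLAN 1   ->", double_tag_hop(1, 1, 20))         # 20: hop succeeds
    print("native 999, attacker in VLAN 1 ->", double_tag_hop(1, 999, 20))       # 1: frame stays in VLAN 1
    print("native 1, native tagging on    ->", double_tag_hop(1, 1, 20, True))   # 1: frame stays in VLAN 1
```

The third call is the interesting one: with native tagging on, the outer tag survives the trunk, so the receiving switch sees VLAN 1 rather than the inner VLAN 20. Moving the native VLAN to 999 works for a different reason: the attacker's tag 1 no longer matches the native VLAN, so nothing is stripped.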

What happens when native VLANs mismatch? If Switch A has native VLAN 1 and Switch B has native VLAN 99 on the same trunk, untagged frames from A arrive at B and are placed in VLAN 99 instead of VLAN 1 (and B's VLAN 99 traffic lands in A's VLAN 1 on the way back). Traffic ends up in the wrong VLAN, users lose connectivity, and both CDP and PVST+ detect and log the mismatch, because each of them carries the native VLAN ID in its messages.

Security Best Practices:
  • Change the native VLAN to an unused VLAN (e.g., VLAN 999) that has no access ports assigned to it
  • Ensure the native VLAN matches on both ends of every trunk
  • Never use the native VLAN for user traffic
  • Consider tagging native VLAN frames as well, with the global command vlan dot1q tag native on Cisco IOS; a double-tagged frame then keeps its outer tag across the trunk and is never delivered to the inner VLAN. Enable it on both ends of a trunk, since a trunk where only one side tags its native VLAN is itself a mismatch
Configuration:
Switch(config-if)# switchport trunk native vlan 999
Verification:
Switch# show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/24      on           802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/24      10,20,30
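Added example, not from the original page: a small Python audit that parses show interfaces trunk output from two switches and checks it against the practices above, flagging a native VLAN left at the default of 1, a native VLAN that is still allowed on the trunk (so untagged frames are forwarded in it and any access port in that VLAN can reach it), and a native VLAN mismatch across a trunk link. The two switch outputs, the switch names and the link map are constructed sample data; only the "Native vlan" and "Vlans allowed on trunk" tables are read, the other tables in the command's output are skipped.

```python
# Constructed sample output of "show interfaces trunk" from two switches.
SWITCH_A_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/23      on           802.1q         trunking      1
Gi0/24      on           802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/23      1-4094
Gi0/24      10,20,30

Port        Vlans allowed and active in management domain
Gi0/23      1,10,20,30,999
Gi0/24      10,20,30
"""

SWITCH_B_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99
Gi0/2       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20,30
Gi0/2       1-4094
"""

# Constructed link map: which trunk port on one switch connects to which on the other.
LINKS = [(("SwitchA", "Gi0/24"), ("SwitchB", "Gi0/1")),
         (("SwitchA", "Gi0/23"), ("SwitchB", "Gi0/2"))]


def expand_vlan_list(spec):
    """Expand a Cisco VLAN list such as '1-4094', '10,20,30' or 'none' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip().lower()
        if part in ("", "none"):
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text):
    """Parse 'show interfaces trunk' into {port: {"status", "native", "allowed"}}."""
    trunks = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):            # every table starts with a 'Port' header
            if "Native vlan" in line:
                section = "native"
            elif "Vlans allowed on trunk" in line:
                section = "allowed"
            else:
                section = None                 # management-domain / STP tables: not needed
            continue
        fields = line.split()
        if section == "native" and len(fields) == 5:
            port, _mode, _encap, status, native = fields
            trunks.setdefault(port, {}).update(status=status, native=int(native))
        elif section == "allowed" and len(fields) == 2:
            port, vlans = fields
            trunks.setdefault(port, {})["allowed"] = expand_vlan_list(vlans)
    return trunks


def audit_trunks(outputs, links):
    """outputs: {switch: show-interfaces-trunk text}; links: [((switch, port), (switch, port))].
    Returns (location, message) findings for the native VLAN checks in this section."""
    parsed = {sw: parse_show_trunk(text) for sw, text in outputs.items()}
    findings = []
    for sw, trunks in parsed.items():
        for port, info in trunks.items():
            native = info.get("native")
            where = f"{sw} {port}"
            if native == 1:
                findings.append((where, "native VLAN is the default VLAN 1; move it to an unused VLAN"))
            if native in info.get("allowed", set()):
                findings.append((where, f"native VLAN {native} is allowed on the trunk, so untagged "
                                        "frames are forwarded in it; confirm no access ports use it"))
    for (sw_a, port_a), (sw_b, port_b) in links:
        native_a = parsed[sw_a][port_a]["native"]
        native_b = parsed[sw_b][port_b]["native"]
        if native_a != native_b:
            findings.append((f"{sw_a} {port_a} <-> {sw_b} {port_b}",
                             f"native VLAN mismatch: {native_a} vs {native_b}"))
    return findings


def run_sample_audit():
    return audit_trunks({"SwitchA": SWITCH_A_OUTPUT, "SwitchB": SWITCH_B_OUTPUT}, LINKS)


if __name__ == "__main__":
    for where, message in run_sample_audit():
        print(f"{where}: {message}")
```

On the sample data the audit reports five findings: both Gi0/23 and Gi0/2 still use VLAN 1 as native and allow it on the trunk, and the Gi0/24 to Gi0/1 link has native VLAN 999 on one end and 99 on the other. The Gi0/24 side, configured the way this section recommends, produces no findings.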

⚠️ Exam Trap: A native VLAN mismatch doesn't just misdeliver traffic. CDP logs %CDP-4-NATIVE_VLAN_MISMATCH, and because Cisco PVST+ carries the VLAN ID in its BPDUs, spanning tree detects the inconsistency and blocks the port for the affected VLANs (the PVID-inconsistent state, logged as %SPANTREE-2-RECV_PVID_ERR). With the native VLAN blocked, untagged traffic stops crossing the trunk even though the link itself stays up, so the port is only partially shut down, not fully.

Written by Alvin Varughese • Founder • 15 professional certifications