802.1Q Native VLAN on Cisco IOS Switch

I think you are asking whether Cisco has any management dependencies on VLAN 1? In other words, is it okay to disable, or filter out VLAN 1? The answer to this is it is okay to do this. In fact, for security purposes, most people avoid using VLAN 1 entirely. By pruning VLAN 1 from trunks, you will not break any needed Cisco protocols.

1 Like

Hi Rene,

How can you capture the frames passing through the trunk by using Wireshark?
As far as I know, the capturing tool Wireshark is supposed to be installed in a server.

Could you show me the topology diagram for the capturing?

Whijoon Yim,

19 posts were merged into an existing topic: 802.1Q Native VLAN on Cisco IOS Switch

Yes you can. One thing to remember is that you don’t necessarily need wireshark in order to capture the data. You need wireshark to interpret it (although it can capture it as well). Cisco has the ability to capture the data for you, then all you have to do is export the data and read it with Wireshark on any computer you want.

I recommend you check out the Embedded Packet Capture lesson for more details …

Hello Rene,
quick question please,
when we applied :

SW1(config)#interface fastEthernet 0/24
SW1(config-if)#switchport trunk native vlan 10

and then i went ahead and did : sh vlan brief , i cannot see that vlan 10 is created at all? can we have more than native vlan at the same time on the same switch?

im getting this:

Port        Mode             Encapsulation  Status        Native vlan
Et0/1       desirable        n-isl          trunking      10
Po1         on               802.1q         trunking      1



Hello Eng_A

It is important to understand how VLANs are created and how they are applied. In the Cisco IOS, you can apply a VLAN (say to an access port or a trunk port) without it actually existing! And actually, you don’t get an error message for this either. This is also the case when you apply the Native VLAN. So when you apply a native VLAN to a trunk port, there are two steps:

  1. Create the VLAN (or make sure that it already exists)
  2. Apply the Native VLAN configuration to the trunk

As you have already seen, these commands don’t actually have to be implemented in the above order.

So for commands like:

SW1(config-if)#switchport access vlan 10
SW1(config-if)#switchport trunk allowed vlan 10
SW1(config-if)#switchport trunk native vlan 10

vlan 10 may not even exist, but you can still issue the above commands.

The only time a VLAN will be created without explicitly issuing the vlan xx command (where xx is the VLAN ID) is when you create an SVI. For example:

SW1(config)# interface vlan 10

This command creates the SVI on a switch, but it also automatically creates the associated VLAN. If you have terminal monitor on, you will actually see a syslog message that informs you of this.

So, to answer your question, you must create vlan 10 in order for your native vlan configuration to work correctly.

I hope this has been helpful!


1 Like

At what point do you assign an IP address to a vlan say
“Interface vlan2
IP address…”
instead of assigning IP address to a normal interace.

Hello Olaniyi.

The command interface vlan 2for example would be used to create a Switched Virtual Interface (SVI) on a layer 3 switch to function as a default gateway and allow for inter-VLAN routing. If you have a layer 3 switch with two VLANs configured on it, say VLAN 20 and 30 with subnets and respectively, these VLANs cannot communicate with each other. If you create two SVIs, say VLAN 20 and VLAN 30 and assign them IP addresses and respecitvely, you can use these as gateways on the end devices to allow communication between the VLANs on the same switch.

This command is only available on layer 3 switches and NOT on routers. On routers, you would assign an IP address on a specific physical interface.

I hope this has been helpful!


19 posts were merged into an existing topic: 802.1Q Native VLAN on Cisco IOS Switch

is there specific topic to describe Native VLAN exactly what dose it uses for and how dose it help switching process ?

Hello Mohammad.

Frames that are placed on a trunk include a VLAN tag. Switches know to which VLAN to forward a frame that is received on a trunk interface by this tag. If however for some reason, there is no tag on a frame that is received, the switch must know what to do with it. The Native VLAN configuration essentially tells the switch on which VLAN any UNtagged frames should be placed.

Now if you have connected two switches with a trunk, it is highly unlikely that any frame will arrive without a tag. (If it does, then there is a problem with some configuration). However, if you have a hub between two switches connected with a trunk and you have a PC connected to that hub, then you will definitely receive untagged frames on the trunk ports. Take a look at the following diagram:

Any frames sent by the PC will hit the trunk ports on the two switches untagged. The switches must know what to do with them. This is why the native VLAN must be configured, otherwise these frames will be dropped.

The truth is that such a topology is a very bad idea. You should never create such a network. The capability of switches to deal with untagged frames however must be applied and configured in order for trunks to function correctly from end to end.

I hope this has been helpful!


1 Like

Hi Rene,

I now that the “vlan dot1q tag native” command will tag native vlan on all trunks port but what about the “switchport trunk native vlan tag” command used for ??? notice that this command is enabled by default per interface and can not be seen by applying show run all command, but when I use “no switchport trunk native vlan tag” it’s show up in run config.

The switch model and IOS version is :-
Catalyst 4500 L3 Switch Software (cat4500e-IPBASEK9-M), Version 15.1(1)SG, RELEASE SOFTWARE (fc3)

Hi Hussien,

The vlan dot1q tag native is a global command so it applies to all interfaces. If you want to exclude certain interfaces, you can use the no switchport trunk native vlan tag command on the interface level.


Great answer, thanks again Rene.

1 Like

Hi Rene,
Good Day…

When I have configured Native vlan different on Trunk port then Found switch port is “Desg BKN*” state with PVID-Inconsistant for the particular VLAN . I understand VLAN Mismatched on BPDU but why switch Blocking the port.Is it normal rule that if VLAN Mismatched the port will be Blocking mode ??? Need detailed Technical Reason regarding.Thx


Hi Mohammad,

you are correct, it’s normal rule of STP and the port state is BROKEN to prevent the Leaking traffic between the two native VLANs, and The PVID-Inconsistant is checked by SSTP BPDU that PVST+ send per VLAN with 802.1q tag except for the native VLAN where it sent without tag even if the native VLAN is not allowed on the trunk.

Now the question is how the mismatch of native VLAN done ???
well, the SSTP BPDU looks exactly like IEEE BPDU except it has TLV filed than contain VLAN ID, so if the switch receive untagged SSTP BPDU with different TLV ID from it’s local configured native VLAN, it will know that the native VLAN is mismatched from the other side of the trunk and both VLANs will be in “BKN” state of the trunk port in both side.

I hope this has been helpful!

Hi @lagapides , can i just interject and ask a question of my own?

Why do 2 switches need to have the same native VLAN in order for them to communicate? If the frame is untagged anyway without any vlan information then why does the other switch care what its native VLAN is? If i have one switch with a native VLAN of 1 and the other switch native VLAN 99, when one goes to send a CDP or STP fram untagged and it reaches the other switch untagged, then why does it get rejected? Is there still information on what the native VLAN of the sender is and thus as a result have to match?

Thanks again

Hello Michael

You are correct in that you can create a trunk link where the native VLAN is different on each end. The link will function correctly as far as data traffic is concerned (although you will get syslog messages indicating a native VLAN mismatch). However, this causes the following problems:

  1. Using your example, I could have one user on VLAN 1 on Switch 1 who, through the native mismatch configured, would have access to VLAN 99. VLANs by definition should not be able to communicate unless they connect via a router. This is not only a design flaw, but it is also a security risk, especially if VLAN 99 is a server subnet to which you have configured access lists to restrict access.
  2. A native VLAN mismatch will cause problems with STP. Specifically, if there is a native VLAN mismatch, the STP state of one end of the link becomes broken while the other end of the link is functioning normally. This will result in an STP loop. Take a look at this Cisco Learning Network discussion for more details.
  3. Concerning CDP, the CDP traffic is always preferred on the lowest VLAN configured. That is, VLAN 1 always, which cannot be deleted from the VLAN database. The CDP protocol behaves differently when the switch sends CDP as a tagged packet or untagged packet dependent upon the native VLAN configured on the trunk link. However, CDP would not be blocked by a native VLAN mismatch. It actually detects it and gives you syslog messages.

I hope this has been helpful!


1 Like

I have a linux server interface [Trunk/ expecting tagged vlan 1 traffic]. Its connected to L2 switch. Tagging an admin vlan [native/ VLAN1 by default] is not an option on 2950/2960 switches. on Nexus, can be done globally only; so it does not suffice my purpose. What I want is to send vlan 1 traffic [tagged] on that linux server interface. Can this be done with any software of PC [directly connected to linux server port] or from L2 switch?

Hi Deep,

You can’t use vlan dot1q tag native on the 2950/2960 but you could change the native VLAN on a trunk to your server. Something like this:

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 200

This makes VLAN 200 (a bogus VLAN that you don’t use) the native VLAN and VLAN 1 will then be tagged. Still, it’s probably best not to use VLAN 1 but something else instead.