802.1Q Native VLAN on Cisco IOS Switch

Hello Michael

You are correct in that you can create a trunk link where the native VLAN is different on each end. The link will function correctly as far as data traffic is concerned (although you will get syslog messages indicating a native VLAN mismatch). However, this causes the following problems:

  1. Using your example, I could have one user on VLAN 1 on Switch 1 who, through the native mismatch configured, would have access to VLAN 99. VLANs by definition should not be able to communicate unless they connect via a router. This is not only a design flaw, but it is also a security risk, especially if VLAN 99 is a server subnet to which you have configured access lists to restrict access.
  2. A native VLAN mismatch will cause problems with STP. Specifically, if there is a native VLAN mismatch, the STP state of one end of the link becomes broken while the other end of the link is functioning normally. This will result in an STP loop. Take a look at this Cisco Learning Network discussion for more details.
  3. Concerning CDP, the CDP traffic is always preferred on the lowest VLAN configured, that is, always VLAN 1, which cannot be deleted from the VLAN database. The CDP protocol behaves differently when the switch sends CDP as a tagged or untagged packet, depending on the native VLAN configured on the trunk link. However, CDP would not be blocked by a native VLAN mismatch. It actually detects it and gives you syslog messages.

I hope this has been helpful!

Laz

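The leak described in point 1 follows directly from how 802.1Q handles the native VLAN: frames in the native VLAN leave a trunk untagged, and untagged frames arriving on a trunk are assigned to the receiving side's native VLAN. The following Python model is an added example, not part of the original post or Cisco's code. The two running-config fragments are constructed, the forwarding model is deliberately simplified (one trunk, no STP, no CDP), and the `tag_native` flag approximates the effect of the global `vlan dot1q tag native` command as an assumption; all function and variable names are this example's own.

```python
"""Model 802.1Q trunk native-VLAN handling to show why a native VLAN
mismatch lets traffic cross between VLANs without a router.

Added example, not from the original post. Configs are constructed,
the forwarding model is simplified, and names are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed IOS running-config fragments for the two ends of one trunk.
SW1_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
"""

SW2_CONFIG_MISMATCH = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
"""

SW2_CONFIG_FIXED = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
"""


@dataclass
class Trunk:
    name: str
    native_vlan: int
    # Assumed simplification of the global 'vlan dot1q tag native' command:
    # native-VLAN frames are sent tagged and untagged arrivals are dropped.
    tag_native: bool = False


def parse_trunk(config: str, tag_native: bool = False) -> Trunk:
    """Pull the native VLAN of the first interface in an IOS config fragment.
    IOS defaults the native VLAN to 1 when no explicit line is present."""
    name = re.search(r"^interface (\S+)", config, re.M).group(1)
    m = re.search(r"^\s*switchport trunk native vlan (\d+)", config, re.M)
    native = int(m.group(1)) if m else 1
    return Trunk(name, native, tag_native)


def native_mismatch(a: Trunk, b: Trunk) -> bool:
    """The check the switch itself reports via syslog: do the two ends agree?"""
    return a.native_vlan != b.native_vlan


def egress(trunk: Trunk, vlan: int):
    """Frame leaving a trunk: tagged with its VLAN, except that native-VLAN
    frames go out untagged unless native tagging is on. None means untagged."""
    if vlan == trunk.native_vlan and not trunk.tag_native:
        return None
    return vlan


def ingress(trunk: Trunk, tag):
    """Frame arriving on a trunk: a tag decides the VLAN; an untagged frame is
    placed in the receiver's native VLAN, or dropped if native tagging is on."""
    if tag is not None:
        return tag
    if trunk.tag_native:
        return None  # dropped
    return trunk.native_vlan


def forward(src_vlan: int, out_trunk: Trunk, in_trunk: Trunk):
    """VLAN a frame from src_vlan ends up in on the far switch (None = dropped)."""
    return ingress(in_trunk, egress(out_trunk, src_vlan))


if __name__ == "__main__":
    sw1 = parse_trunk(SW1_CONFIG)
    sw2_bad = parse_trunk(SW2_CONFIG_MISMATCH)
    sw2_ok = parse_trunk(SW2_CONFIG_FIXED)
    print("native mismatch:", native_mismatch(sw1, sw2_bad))
    print("SW1 VLAN 1 host arrives on SW2 in VLAN", forward(1, sw1, sw2_bad))
    print("SW2 VLAN 99 host arrives on SW1 in VLAN", forward(99, sw2_bad, sw1))
    print("after matching native VLANs:", forward(1, sw1, sw2_ok))
    print("with native tagging on SW1:",
          forward(1, parse_trunk(SW1_CONFIG, tag_native=True), sw2_bad))
```

Run it and the mismatched pair shows a VLAN 1 host on Switch 1 landing in VLAN 99 on Switch 2, and a VLAN 99 host on Switch 2 landing in VLAN 1 on Switch 1, while tagged VLANs such as 20 are unaffected. Aligning the native VLAN on both ends removes the leak; tagging the native VLAN keeps VLAN 1 traffic in VLAN 1 even across a mismatch, at the cost of dropping untagged frames from a peer that does not also tag.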