How to configure VLANs on Cisco Catalyst Switch

Hello Abilash

Thanks for your kind words, your encouragement is appreciated!! :sunglasses:

Laz

Hey, I still don't understand the native VLAN.

I read that trunk frames can be tagged or untagged and the latter are native VLANs.
But what is a native VLAN, is it an untagged VLAN?
But what is an untagged frame?
This is a loop and I don't understand it.

Hello Alexis.

A trunk will tag frames upon egress of the frame from the trunk port. This means that if a frame comes to the trunk port on VLAN 10 for example, a tag of VLAN 10 will be added to the frame and sent out of the port. The switch on the other end will receive the frame, will examine the tag, and if the VLAN ID is in the allowed VLAN list, the frame will be accepted, the tag removed, and the frame will be forwarded to the appropriate port. If it is not in the allowed VLAN list, it will be discarded.

Now the native VLAN configuration on a trunk port simply tells the switch that if an untagged frame is received on the trunk port, it should be placed on the VLAN configured as native.

You can find out more information about this in the following post:

I hope this has been helpful!

Laz


Hello, thank you for your excellent response.

This means that, if traffic arrives from an unconfigured VLAN (it would be VLAN 1), this frame must go to the native VLAN (VLAN 1) right?

So, the default VLAN always has to be the same as the native VLAN?

For example, if I have 3 VLANs: (1) unconfigured, (2) VLAN 10, (3) VLAN 20. And the native VLAN is 99. Unconfigured VLAN frames when sent to other VLANs will be discarded?

Hello Alexis

Not quite. First of all, let's not confuse the default and native VLANs. The default VLAN is always VLAN 1 on Cisco switches (and most other switches as well). This cannot change. Now the native VLAN is something that only exists on a trunk port. The native VLAN is configured on every trunk port, and can actually be different on each trunk port of a switch (but it should be the same on both ends of a trunk link). By default, the native VLAN is set to VLAN 1. But this can be changed, and should be changed for security purposes. So if you don't configure the native VLAN on a trunk port, its native VLAN will be 1.

Now what does this mean? Well, it simply means that if an untagged frame arrives on a trunk port, it will be placed on the native VLAN configured on that port.

However, this does not mean that the native VLAN can be transmitted over the trunk. Take a look at this diagram:

When A communicates with B, the frame exits Fa0/1 on SW1 with a tag because VLAN 10 is allowed on the trunk. When the frame reaches SW2, the tag will be removed and the frame forwarded to the appropriate port and host, because VLAN 10 is allowed on the trunk port. So a tagged frame only exists on the wire between the two trunk ports.

Now what if C tries to communicate with D? That communication will fail because VLAN 99 is not one of the allowed VLANs. Only allowed VLANs will be tagged, sent across the trunk, and untagged at their destination. The native VLAN configuration does not make that VLAN allowed across the trunk, nor will it send any such traffic as untagged traffic.

The only thing the native VLAN configuration does is, if an untagged frame arrives on a trunk port, that frame is placed on the configured native VLAN. In this topology however, this will never happen.

But take a look at this topology:
Here we have a hub between two of the switches, and a PC connected to that hub. In this case, the trunks on both SW1 and SW2 will receive untagged frames from PC1. These will be sent on the configured native VLAN on each switch. Note that this is a very bad network design, but it is used to illustrate the concept.

I hope this has been helpful!

Laz

Thank you for that good answer. I'm sorry if I'm a little incomprehensible.

One last thing, when you say "The native VLAN configuration does not make that VLAN allowed across the trunk"... what happens if the native VLAN is not configured as 99?

Hello Alexis

No problem, you are comprehensible just fine!!

So let's take a look at this diagram again:


Notice that we changed the native VLAN on the trunk and made it VLAN 10. What does that mean? Well, this just means that if an untagged frame reaches a trunk port on either SW1 or SW2, it will be put on VLAN 10. But VLAN 10 is also allowed on the trunk. This means that any communication between host A and B will be tagged with VLAN 10 as usual.

So you see, the native VLAN can also be an allowed VLAN on the trunk. If a frame is transmitted using that VLAN, it will be tagged normally. If however an untagged frame arrives on a trunk port, it will be put in the native VLAN.

Remember an untagged frame is a frame that has no indication of which VLAN it belongs to. If it arrives on an access port, it is placed on the VLAN that the access port is configured on. This is normal behaviour. But a trunk port is designed to take tagged frames and place them in the proper VLAN. An untagged frame arriving at a trunk port is unusual, and a trunk port just doesn't know what to do with it. So it will put it in the native VLAN.

I hope this has been helpful!

Laz

Thank you very much! You explain well.

So, when the native VLAN is placed, what happens next? Is it discarded?

Another thing, if C is not in VLAN 99 and does not belong to any VLAN and wants to get to B. It could get there without any problem because it would be labeled as VLAN 10 and VLAN 10 is allowed?

Hello Alexis

I'm not sure what you mean. Can you clarify your question?

All access ports on a switch (the ports to which hosts are connected) must belong to a VLAN. If no VLAN has been configured on an access port, the VLAN by default is VLAN 1. Now the only way that C can communicate with B is if its access port was configured on VLAN 10. Otherwise, C cannot communicate with B.

The following lessons describe these concepts in more detail:

I hope this has been helpful!

Laz

I understand, thank you very much. Sorry for all the questions :smiley:

Hello Alexis

No problem! And don't apologize for the questions, that's what we're here for, to answer any questions you may have...

Laz

Thank you, as a matter of fact.

When you say "...If however an untagged frame arrives on a trunk port, it will be put in the native VLAN..." what happens next? Does the native VLAN discard the frame?

Hello Alexis

If an untagged frame reaches a trunk port, and that trunk port is correctly configured with a native VLAN, that frame will be accepted and forwarded on to its destination. For example, take a look at this diagram once again:

Let's say that both SW1 and SW2 have VLAN 1 configured on their trunk ports. If PC1 sends a frame, it will reach the trunk port of SW1, and will be placed on VLAN 1, and it will be processed like any other frame.

Let's say that frame is a broadcast frame. That means that any other ports connected to VLAN 1 on both SW1 and SW2 will get the frame. Notice the orange arrows that show that the frame will reach all areas of VLAN 1.

If it is not a broadcast frame, then the normal MAC address table lookup will take place, forwarding the frame to the appropriate destination based on its destination MAC address.

I hope this has been helpful!

Laz

Thanks again for the explanation.

So, (in that same example) let's say the native VLAN is set to VLAN 10. The frame will be forwarded to all switches that have VLAN 10, is that correct?

Hello Alexis

Yes, that is correct. Remember that the frame that exits PC1 in the diagram has no VLAN designation. It doesn't belong to any VLAN. If such a frame reaches a trunk port, the trunk port will have no idea what to do with it. So it uses the native VLAN configuration to decide what VLAN to place it on.

I hope this has been helpful!

Laz
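To make the trunk behaviour described in Laz's replies above concrete (a tag is added on egress only for allowed VLANs, removed on ingress, and an untagged frame is placed on the native VLAN), here is an added Python model; it is not code from the thread, from NetworkLessons or from Cisco. The VLAN numbers, the `tag_native` option and the host names are assumptions; the option lets the model also show why the thread says the native VLAN should match on both ends of a link.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    tag: Optional[int] = None  # None = no 802.1Q header, i.e. an untagged frame


@dataclass(frozen=True)
class TrunkPort:
    native_vlan: int = 1  # Cisco default; the thread recommends changing it
    allowed: FrozenSet[int] = frozenset(range(1, 4095))  # allowed VLAN list
    tag_native: bool = True  # assumption: False models a native VLAN sent untagged

    def egress(self, vlan: int, frame: Frame) -> Optional[Frame]:
        """A frame on `vlan` is sent out of the trunk. None = it never leaves the port."""
        if vlan not in self.allowed:
            return None
        if vlan == self.native_vlan and not self.tag_native:
            return replace(frame, tag=None)
        return replace(frame, tag=vlan)  # tag is added on egress

    def ingress(self, frame: Frame) -> Optional[Tuple[int, Frame]]:
        """A frame arrives from the wire. Returns (VLAN it is placed on, frame with
        the tag removed), or None if the switch discards it."""
        if frame.tag is None:
            return self.native_vlan, frame  # untagged: only the native VLAN config decides
        if frame.tag not in self.allowed:
            return None  # tagged with a VLAN that is not in the allowed list
        return frame.tag, replace(frame, tag=None)  # tag removed on ingress


def cross_trunk(sw1: TrunkPort, sw2: TrunkPort, vlan: int, frame: Frame) -> Optional[int]:
    """VLAN the frame lands on at SW2 after SW1 sends it on `vlan`, or None if it never arrives."""
    on_wire = sw1.egress(vlan, frame)
    if on_wire is None:
        return None
    placed = sw2.ingress(on_wire)
    return None if placed is None else placed[0]


if __name__ == "__main__":
    # Constructed topology from the thread: VLANs 10 and 20 allowed, native VLAN 99.
    sw1 = sw2 = TrunkPort(native_vlan=99, allowed=frozenset({10, 20}))
    print(cross_trunk(sw1, sw2, 10, Frame("A", "B")))  # 10: tagged across, untagged at SW2
    print(cross_trunk(sw1, sw2, 99, Frame("C", "D")))  # None: VLAN 99 is not allowed
    print(sw1.ingress(Frame("PC1", "B"))[0])           # 99: untagged frame -> native VLAN
```

Setting `tag_native=False` on both ends with different native VLANs shows a frame leaving SW1 on one VLAN and being placed on another at SW2, which is the mismatch the thread warns about.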

Hello everybody;

Can I connect a router to an access port? For example:

I have two routers and one switch.

R1;
int eth 0/0.10
encaps dot1q 10 
ip add 192.168.12.1 255.255.255.0

R1;
int eth 0/0.10
encaps dot1q 10 
ip add 192.168.12.2 255.255.255.0

Sw
vlan 10
exi
int ra eth 0/0-1
sw mode acc
sw acc vlan 10

R1 eth 0/0.10 connect SW1 eth 0/0
R2 eth 0/0.10 connect SW1 eth 0/1

Best regards.

Hello Nurullah

To answer your initial question, yes you can connect a router to an access port of a switch. However, your configuration above will not function correctly. Indeed, there are several issues with the above configuration and description.

First of all, in your router configuration, you have configured subinterfaces on the physical Ethernet 0/0 interface, and by using the command encapsulation dot1q 10 you are telling the router that the device on the other end is configured with a trunk port. Such a configuration is common for topologies called "Router on a stick".

Secondly, you have configured the same subinterface, namely 0/0.10 twice. When you configure subinterfaces you must create different ones, otherwise, you are simply overwriting the configuration of the first. For example, eth0/0.10 and eth0/0.20.

Thirdly, it is not possible to connect subinterfaces to different physical interfaces. Subinterfaces can only exist within the physical interface they have been created in.

Now if you want to connect a router to an access port on the switch, there is no specialized configuration. Simply configure the physical interface of the router with an IP address (no subinterfaces), enable it, and connect it. Simple as that.

I suggest you go over the following lesson in detail that deals with the configuration of subinterfaces and their connections to switch ports to more fully understand the concepts involved.

I hope this has been helpful!

Laz

Hi Laz/Rene,

At the end of this lesson it says the next one is about trunking, but in the queue the next lesson is in fact Introduction to VLAN Trunking Protocol (VTP). Luckily these other lessons [1] were tagged so I was able to find them by searching and in the switching section. I thought I'd mention it in case you wanted to amend the links.

[1]
Trunking on Cisco IOS Switch
802.1Q Native VLAN on Cisco IOS Switch

Thanks
Bhav


Hello Bhav

Looking at the lesson I see that the next lesson indicated is 802.1Q as shown in this screenshot:


In the table of contents on the right, it also states the same lesson as coming after the VLAN configuration one:


However, what appears there also depends on how you got there in the first place.

Having a second look, when viewing the lesson as part of the CCNA 200-301 course, you are correct, the order does change and now I do see VTP as the next lesson. Thanks for pointing that out, I will let Rene know.

Your feedback is always valuable!

Laz

Hi Bhav,

Thanks for letting us know. I'm making some changes now to the text and order.

Rene