Native VLAN SubInt

Hello Aaron

Putting routers aside for a moment, in general, when creating trunks, it is considered good practice to create a native VLAN on both ends of the trunk (on the switches themselves) that will not be used anywhere else. Create VLAN 99 for example and name it Native VLAN. This VLAN should not be assigned to any ports. Configure the switchport trunk native vlan 99 on both ends and you have secured yourself from any potential VLAN hopping attack.

Now when you apply this to a router on a stick scenario, the switch end of the configuration should use the same best practice. You should create the VLAN and assign it as the native VLAN on that interface. On the router end of the link, you have one of two choices:

Choice 1: Explicitly create a subinterface where the native VLAN will be configured. i.e.

interface fastethernet 1/0/1.99
encapsulation dot1q 99 native

You don’t even have to configure an IP address, and actually, you shouldn’t. Essentially what this does is if any frames are sent to this interface with no VLAN tag, they will be processed by this interface. This interface essentially goes nowhere, so any frames coming here would be dropped.

Choice 2: Don’t create a subinterface for the native VLAN. The physical interface will process any frames sent without a VLAN ID by default.

In this case, you don’t even have to specify the encapsulation dot1q 99 native command as all untagged traffic will go to this interface by default. Again, if you don’t configure an IP address the interface will go nowhere so any untagged frames that reach it will be dropped.

So in both cases, the native VLAN configs at both ends of such a link will match and will function correctly and safely.

I hope this has been helpful!

Laz
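As an added example (not part of Laz's reply), the following script audits the three properties described above for one router-on-a-stick link: the switch's native VLAN is not used on any access port, the router's explicit native subinterface (choice 1) carries the same VLAN number, and whichever router interface receives untagged frames (choice 1 or choice 2) has no IP address. The configs are constructed IOS-style samples, and the parser assumes that simple indented-stanza layout.

```python
import re
# Constructed sample configs for the audit below (not from the original post).
SWITCH_CFG = """
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 99
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
"""
ROUTER_CFG = """
interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
interface GigabitEthernet0/0.99
 encapsulation dot1Q 99 native
"""

def parse_ios(cfg):  # -> {interface name: [stripped config lines]}
    stanzas, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current and line.strip():
            stanzas[current].append(line.strip())
    return stanzas

def audit_link(switch_cfg, trunk_port, router_cfg, router_port):
    """Return a list of findings about the native VLAN on one router-on-a-stick link."""
    sw, rt, findings = parse_ios(switch_cfg), parse_ios(router_cfg), []
    sw_native = next((int(m.group(1)) for l in sw[trunk_port]
                      if (m := re.match(r"switchport trunk native vlan (\d+)", l))), 1)
    for name, lines in sw.items():  # the native VLAN should carry no user ports
        if f"switchport access vlan {sw_native}" in lines:
            findings.append(f"switch: native VLAN {sw_native} is an access VLAN on {name}")
    untagged_if = router_port  # choice 2: untagged frames land on the physical port
    for name, lines in rt.items():
        for l in lines:
            m = re.match(r"encapsulation dot1q (\d+) native", l, re.I)
            if m and name.startswith(router_port + "."):
                untagged_if = name  # choice 1: explicit native subinterface takes them
                if int(m.group(1)) != sw_native:
                    findings.append(f"router: {name} native VLAN {m.group(1)} != switch {sw_native}")
    if any(l.startswith("ip address ") for l in rt[untagged_if]):
        findings.append(f"router: {untagged_if} receives untagged frames but has an IP address")
    return findings
```

An empty list means both ends agree and the untagged sink has no address, as the reply recommends.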