Native VLAN Explained: Untagged Traffic and VLAN Hopping

The native VLAN is one of those concepts that seems trivial - it is "the untagged VLAN on a trunk" - right up until a mismatch breaks a link, or a double-tagging attack hops a VLAN you thought was isolated. The native VLAN is small but load-bearing. This post explains what it is, why it exists, the mismatch problem, the security hole, and how to configure it so neither bites you.

For the cluster overview, see the VLAN and Layer 2 switching pillar.

Tagging, and the one exception

On an 802.1Q trunk, frames carry a 4-byte VLAN tag so the switch on the other end knows which VLAN each frame belongs to. That is the whole point of a trunk: many VLANs, one link, every frame labeled.

The native VLAN is the deliberate exception. Frames in the native VLAN cross the trunk untagged. When a switch sends a frame in the native VLAN, it omits the tag entirely. When it receives an untagged frame on a trunk, it assumes that frame belongs to the native VLAN. So the native VLAN is defined by what is missing: it is the one VLAN whose frames have no tag.

Why an untagged VLAN exists at all

The native VLAN is a backward-compatibility feature. Early or simple devices that share a link - legacy hubs, some IP phones, a switch that does not understand 802.1Q - cannot read a tag. The native VLAN gives them a lane: untagged frames still have a home. It is also where a switch's own control-plane chatter historically rode. In a pure modern switch-to-switch trunk, almost nothing actually needs the native VLAN, which is exactly why it becomes a security liability if you ignore it.

The default: VLAN 1

Out of the box, the native VLAN on every Cisco trunk is VLAN 1. VLAN 1 is also the default access VLAN for every port and the VLAN that protocols like CDP, VTP, DTP, and PAgP use. Leaving everything on VLAN 1 means your management traffic, your control protocols, and your default user traffic all share one untagged VLAN - a poor security posture and the reason every hardening guide tells you to move off VLAN 1.

The native VLAN mismatch

Both ends of a trunk must agree on the native VLAN number. If R1's trunk has native VLAN 1 and R2's has native VLAN 99, you have a native VLAN mismatch.

The consequence is real. An untagged frame R1 sends in VLAN 1 arrives at R2, which sees no tag and files it under VLAN 99. The two VLANs are now bridged together - traffic leaks between them. This is a security problem and a loop risk. Cisco switches detect the mismatch via CDP and log it:

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered
  on GigabitEthernet0/1 (1), with SW2 GigabitEthernet0/1 (99).

Spanning tree also reacts: PVST+ can place the mismatched VLAN into a blocking-style inconsistent state to contain the damage. Either way, a native VLAN mismatch is never something to leave logged and ignored.

The security angle: VLAN hopping by double tagging

The native VLAN is the enabler of the double-tagging VLAN hopping attack. An attacker on the native VLAN crafts a frame with two 802.1Q tags. The first switch strips the outer tag (it matches the native VLAN, so it is removed as the frame goes untagged onto the trunk) and forwards the frame. The second switch reads the still-present inner tag and delivers the frame into the target VLAN - one the attacker was never supposed to reach.

The attack only works when the attacker's access VLAN equals the trunk's native VLAN. That single fact drives the entire mitigation: never let the native VLAN be a VLAN that has live user access ports.
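To make that rule concrete from the monitoring side, here is an added Python example (not from the post or from any vendor) that parses stacked 802.1Q tags out of a raw Ethernet frame, flags double-tagged frames so a capture-based detector can alert on them, and models which VLAN the far-end switch files a frame under for each native VLAN setting; the sample frame bytes and the access-port acceptance rule are constructed assumptions.

```python
import struct

DOT1Q = 0x8100  # 802.1Q TPID

# Constructed sample frame: broadcast dst, locally administered src, outer tag VID 10,
# inner tag VID 20, then an IPv4 ethertype and a few payload bytes.
DOUBLE_TAGGED = bytes.fromhex("ffffffffffff" "02000000000a" "8100000a" "81000014" "0800") + b"\x00" * 4

def parse_tags(frame):
    """Return (vids, ethertype): every stacked 802.1Q VID, outer first, plus the payload ethertype."""
    off, vids = 12, []                      # skip the destination and source MACs
    while struct.unpack("!H", frame[off:off + 2])[0] == DOT1Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)           # the low 12 bits of the TCI are the VID
        off += 4
    return vids, struct.unpack("!H", frame[off:off + 2])[0]

def is_double_tagged(frame):
    """Two or more stacked tags arriving from a host-facing access port is worth an alert."""
    return len(parse_tags(frame)[0]) >= 2

def vlan_at_far_switch(vids, access_vlan, native_vlan, tag_native=False):
    """Model the hop described above: a frame carrying tags `vids` (outer first) enters an
    access port in access_vlan, crosses a trunk whose native VLAN is native_vlan, and the
    far-end switch classifies it. Returns that VLAN, or None if the first switch drops it.
    Assumption: a tagged frame on an access port is accepted only if its VID is the access VLAN."""
    if vids and vids[0] != access_vlan:
        return None
    inner = vids[1:]
    if access_vlan == native_vlan and not tag_native:
        # Native VLAN crosses untagged: the outer tag is removed and the far end reads what is left.
        return inner[0] if inner else native_vlan
    return access_vlan                      # tagged with its own VID; any inner tag is just payload

if __name__ == "__main__":
    vids, _ = parse_tags(DOUBLE_TAGGED)
    print("tags:", vids, "double-tagged:", is_double_tagged(DOUBLE_TAGGED))
    for access, native, tag in ((10, 10, False), (10, 999, False), (10, 10, True)):
        print(f"access={access} native={native} tag_native={tag} ->", vlan_at_far_switch(vids, access, native, tag))
```

The three modelled cases are the post's three outcomes: the hop succeeds only when the access VLAN equals an untagged native VLAN, and moving the native VLAN or tagging it both close it.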

Configuring the native VLAN safely

Two practices close the hole. First, set the native VLAN to a dedicated, unused VLAN - one with no access ports and no hosts:

! Create an unused parking VLAN and make it native on the trunk
vlan 999
 name NATIVE_UNUSED
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999

Apply the identical native vlan 999 on the far end of every trunk. Second - the stronger control - force the switch to tag the native VLAN too, removing the untagged exception entirely:

! Tag all VLANs on trunks, including the native VLAN
vlan dot1q tag native

With native tagging on, double tagging stops working because there is no untagged frame for the attack to exploit. Verify the trunk:

SW1# show interfaces trunk
Port        Mode    Encapsulation  Status     Native vlan
Gi0/1       on      802.1q         trunking   999
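Checking these two practices by hand across many trunks does not scale, so here is an added Python config audit (not from the post or from Cisco) that reads running-config fragments, reports trunks still on VLAN 1 or whose native VLAN has live access ports without vlan dot1q tag native, and compares the native VLAN on both ends of each trunk; the two switch configs are constructed samples, and interface names and the 1:1 link list are assumptions.

```python
import re
# Constructed running-config fragments for two switches (assumed, not from the post).
SW1_CONFIG = """
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 10
"""
SW2_CONFIG = """
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
interface GigabitEthernet0/7
 switchport mode access
 switchport access vlan 1
"""
RULES = [(r"\s*switchport mode (\S+)", "mode", str),  # interface sub-commands: (regex, key, converter)
         (r"\s*switchport access vlan (\d+)", "access", int),
         (r"\s*switchport trunk native vlan (\d+)", "native", int)]

def parse_ports(config):
    """Map interface name -> {mode, access, native}; the Cisco default of VLAN 1 applies when unset."""
    ports, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ports.setdefault(m.group(1), {"mode": None, "access": 1, "native": 1})
        elif cur is not None:
            for pat, key, conv in RULES:
                if m := re.match(pat, line):
                    cur[key] = conv(m.group(1))
    return ports

def audit(config):
    """Per-switch findings: trunks left on VLAN 1, and trunks whose native VLAN has live access ports."""
    ports = parse_ports(config)
    tag_native = "vlan dot1q tag native" in config   # global command removes the untagged exception
    access_vlans = {p["access"] for p in ports.values() if p["mode"] == "access"}
    findings = []
    for name, p in (x for x in ports.items() if x[1]["mode"] == "trunk"):
        if p["native"] == 1:
            findings.append(f"{name}: native VLAN is the default VLAN 1")
        if p["native"] in access_vlans and not tag_native:
            findings.append(f"{name}: native VLAN {p['native']} has access ports (double-tagging possible)")
    return findings

def native_mismatches(cfg_a, cfg_b, links):
    """links: (port on A, port on B) pairs for the trunks joining the two switches; returns the disagreeing ones."""
    pa, pb = parse_ports(cfg_a), parse_ports(cfg_b)
    return [(a, b, pa[a]["native"], pb[b]["native"]) for a, b in links if pa[a]["native"] != pb[b]["native"]]
```

Ports left in the default dynamic mode are not examined, so run the audit after `switchport mode` has been set explicitly on every port.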

Common gotchas

CDP logs a native VLAN mismatch
The two trunk ends have different native VLAN numbers. Set both to the same value.
Traffic leaks between two VLANs across a trunk
Native VLAN mismatch is bridging them. Frames untagged on one side land in a different VLAN on the other.
A VLAN goes into an STP inconsistent/blocking state on a trunk
PVST+ detected the native VLAN mismatch and is containing it. Fix the mismatch.
Double-tagging hop still possible after moving the native VLAN
An access port still sits in the new native VLAN. The native VLAN must have zero access ports, or use vlan dot1q tag native.
IP phone or legacy device stops passing traffic
It relied on untagged frames in the old native VLAN. Confirm what genuinely needs untagged service before tagging the native VLAN.

Key takeaways

The native VLAN is the one VLAN whose frames cross an 802.1Q trunk untagged, and it defaults to VLAN 1. Both ends of every trunk must agree on the native VLAN number, or untagged frames bridge two VLANs together and CDP and STP both raise alarms. The native VLAN is also the enabler of the double-tagging VLAN hopping attack, which works only when an attacker's access VLAN matches the trunk native VLAN. Harden it by setting the native VLAN to a dedicated unused VLAN with no access ports, and ideally by enabling vlan dot1q tag native so nothing crosses a trunk untagged at all.

For the L2 cluster, see the VLAN pillar.
