802.1Q trunking of the native VLAN

Aug 14th, 2007

I ran across this while studying for the BCMSN:

"Any untagged frames that an 802.1Q trunk receives will be forwarded to any ports in the native VLAN, which could be a security issue. This issue can be avoided by assigning an unused VLAN number to the native VLAN so that any untagged frames that an 802.1Q trunk receives will not be forwarded to any user ports."

Looking at some of our switches I see that we are using the user VLAN as the native VLAN but we are also trunking that VLAN.

What effect does that have? Is the user VLAN tagged or not since it is both the native VLAN and it is trunked?

Jon Marshall Tue, 08/14/2007 - 07:41

Hi Derek

The native vlan is the vlan that is not tagged when sent down a trunk link. So it doesn't matter if you are sending the user vlan down the trunk link or not, it will not be tagged if it is the native vlan.

As you say it would be better to use a vlan that is not used for either management or user ports in your environment, Cisco recommend vlan 999.
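To make Jon's point concrete, here is an added Python model (not code from the thread or from Cisco) of how an 802.1Q trunk treats the native VLAN on egress and ingress, and why the unused native VLAN described in the quoted text keeps untagged frames off user ports. The frame bytes, port names and VLAN numbers are constructed for illustration.

```python
"""Added example (not from the original thread): a small model of how an
802.1Q trunk treats the native VLAN, and why an unused native VLAN keeps
untagged frames away from user ports. All frames, ports and VLAN numbers
below are constructed for illustration."""
import struct

TPID_8021Q = 0x8100  # ethertype that announces an 802.1Q tag

# Constructed Ethernet frame: broadcast dst, made-up src MAC, IPv4 ethertype.
FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"constructed"
# Constructed access-port membership: VLAN 10 is the user VLAN.
USER_PORTS = {10: ["Fa0/1", "Fa0/2"], 20: ["Fa0/3"]}

def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag (TPID + TCI) after the dst/src MACs."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_vlan(frame: bytes):
    """Return the VLAN id of a tagged frame, or None if it is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def trunk_egress(frame, vlan_id, native_vlan, allowed):
    """Frame as it leaves an 802.1Q trunk: the native VLAN goes out untagged."""
    if vlan_id not in allowed:
        return None  # VLAN not allowed on this trunk, nothing is sent
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id)

def trunk_ingress_vlan(frame, native_vlan):
    """VLAN that a frame received on the trunk is classified into."""
    vid = parse_vlan(frame)
    return native_vlan if vid is None else vid

def ports_reached(frame, native_vlan, vlan_ports):
    """Access ports that receive a frame arriving on the trunk."""
    return vlan_ports.get(trunk_ingress_vlan(frame, native_vlan), [])

if __name__ == "__main__":
    # Native VLAN = user VLAN 10 and VLAN 10 trunked: it still leaves untagged.
    print(parse_vlan(trunk_egress(FRAME, 10, 10, {10, 20})))   # None
    print(parse_vlan(trunk_egress(FRAME, 20, 10, {10, 20})))   # 20
    # An untagged frame arriving on the trunk lands on the user ports ...
    print(ports_reached(FRAME, 10, USER_PORTS))                # ['Fa0/1', 'Fa0/2']
    # ... unless the native VLAN is an unused one such as 999.
    print(ports_reached(FRAME, 999, USER_PORTS))               # []
```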



derek_tracey Tue, 08/14/2007 - 08:47

Thanks Jon.

Another thing I was curious about: is there any reason to trunk on a link when you only have one VLAN? That is the practice we follow too and I am just wondering what the premise behind that is.

Pavel Bykov Tue, 08/14/2007 - 08:54

From a practical point of view, the premise behind that is the case where you would create another VLAN. Then you can easily add it to the trunk without disrupting your operations. If you have an ACCESS uplink, you will not be able to easily propagate this new VLAN without creating disruptions.

Also the mentioned security issue can arise.
