Cisco Support Community
Community Member

802.1Q trunking of the native VLAN

I ran across this while studying for the BCMSN:

"Any untagged frames that an 802.1Q trunk receives will be forwarded to any ports in the native VLAN, which could be a security issue. This issue can be avoided by assigning an unused VLAN number to the native VLAN so that any untagged frames that an 802.1Q trunk receives wil not be forwarded to any user ports."

Looking at some of our switches I see that we are using the user VLAN as the native VLAN but we are also trunking that VLAN.

What effect does that have? Is the user VLAN tagged or not since it is both the native VLAN and it is trunked?

Hall of Fame Super Blue

Re: 802.1Q trunking of the native VLAN

Hi Derek

The native vlan is the vlan that is not tagged when sent down a trunk link. So it doesn't matter if you are sending the user vlan down the trunk link or not, it will not be tagged if it is the native vlan.

As you say it would be better to use a vlan that is not used for either management or user ports in yor environment, Cisco recommend vlan 999.



Community Member

Re: 802.1Q trunking of the native VLAN

Thanks Jon.

Another thing I was curious about; is there any reason to trunk on a link when you only have one VLAN? That is the pratice we follow too and I am just wondering what is the premise behind that.


Re: 802.1Q trunking of the native VLAN

From practical point of view the premise behind that is the case, where you would create another VLAN. Then you can easily add it to the trunk without disrupting your operations. If you have ACCESS uplink, you will not be able to easily propagate this new VLAN without creating disruptions.

Also the mentioned security issue can arise.

CreatePlease to create content