
Troubleshoot: Native VLAN Mismatch on Trunk

Imagine building a highway between two cities, but one city labels its off-ramps with numbers and the other uses colors. That chaos is exactly what happens when the native VLAN doesn't match on a trunk link. For the CCNA 200-301 exam (objective 2.1), native VLAN mismatch is one of the most common and easily tested trunking issues. Real network engineers encounter this all the time, and understanding its symptoms, causes, and fixes is essential for both the exam and real-world troubleshooting.

Updated May 31, 2026

The Bilingual Office Building

Think of a large office building with two wings connected by a single hallway. Each wing has its own security guard. The hallway is a trunk link—it carries traffic for multiple departments (VLANs). The building management decides that any unlabeled mail (untagged frames) should be delivered to the 'general office'—but each wing has a different understanding of what 'general office' means. In Wing A, the general office is Room 100 (native VLAN 1). In Wing B, the general office is Room 200 (native VLAN 99). The guards are configured to put unlabeled mail into a box labeled 'general office'—but they use different room numbers. When a person in Wing A drops off an unlabeled envelope, the Wing A guard puts it in the box for Room 100 and sends it down the hallway. The Wing B guard receives it, sees it's unlabeled, and assumes it's for Room 200—so they deliver it to the wrong office. Meanwhile, any labeled mail (tagged frames for specific VLANs) travels correctly because the label tells the guard exactly where it goes. The result: some mail gets lost, some ends up in the wrong place, and the building's internal communication breaks down. This is exactly what happens with native VLAN mismatch: untagged frames are misinterpreted by the receiving switch, causing them to be placed into the wrong VLAN. Tagged frames for other VLANs work fine, which is why the problem can be subtle—some traffic works, some doesn't.

How It Actually Works

What Is Native VLAN Mismatch?

A trunk link carries traffic for multiple VLANs. By default, frames from VLAN 1 are sent untagged (no 802.1Q header) across the trunk. The native VLAN is the VLAN that is not tagged on the trunk. On Cisco switches, the native VLAN defaults to VLAN 1. When two switches are connected via a trunk, both ends must agree on which VLAN is the native VLAN. If they don't match, a native VLAN mismatch occurs.

Why Does It Matter?

Native VLAN mismatch causes two specific problems:

1. Control plane traffic leakage: CDP, VTP, DTP, PAgP, and STP BPDUs are typically sent untagged on the native VLAN. If the native VLANs differ, these control plane frames may be received on the wrong VLAN, causing switches to form incorrect adjacencies or even bridging loops.
2. User traffic misdelivery: Untagged frames from one switch are placed into the native VLAN of the receiving switch. This can cause unicast frames to be delivered to wrong hosts, or broadcast frames to flood the wrong VLAN.

Step-by-Step Packet Walkthrough

Consider Switch A with native VLAN 1 and Switch B with native VLAN 99.

- Switch A sends an untagged frame (e.g., a broadcast from VLAN 1) out the trunk.
- Switch B receives the untagged frame and, because its native VLAN is 99, assumes the frame belongs to VLAN 99.
- Switch B floods the frame to all ports in VLAN 99, not VLAN 1.
- Hosts in VLAN 99 receive traffic they shouldn't; hosts in VLAN 1 never see it.

Similarly, if Switch B sends an untagged frame from VLAN 99, Switch A will place it into VLAN 1.
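The walkthrough above as a small model of the receiving port's decision (an added example, not code from the original page). It builds frames the way the sending trunk port would and reads the 802.1Q tag on the receiving side; the function names, MAC addresses and payload are constructed for illustration, and the model assumes a tagged frame is always accepted into the VLAN named in its tag.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(vlan, sender_native, payload=b"hello"):
    """Frame as the sending trunk port emits it: untagged if vlan is its native VLAN."""
    dst, src = b"\xff" * 6, bytes.fromhex("020000000001")  # constructed addresses
    ethertype = struct.pack("!H", 0x0800)
    if vlan == sender_native:
        return dst + src + ethertype + payload
    tag = struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)  # priority bits left at 0
    return dst + src + tag + ethertype + payload

def classify_vlan(frame, receiver_native):
    """VLAN the receiving trunk port assigns to a frame (simplified model)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return receiver_native            # untagged: receiver's native VLAN wins
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF                    # low 12 bits of the tag are the VLAN ID
    # VLAN ID 0 is a priority-only tag; it carries no VLAN, so native applies.
    return vid if vid else receiver_native

def send_across_trunk(vlan, sender_native, receiver_native):
    """VLAN the frame lands in after crossing the trunk."""
    return classify_vlan(build_frame(vlan, sender_native), receiver_native)

SWITCH_A_NATIVE, SWITCH_B_NATIVE = 1, 99  # values from the walkthrough above

if __name__ == "__main__":
    for vlan in (1, 10, 20):
        landed = send_across_trunk(vlan, SWITCH_A_NATIVE, SWITCH_B_NATIVE)
        print(f"A -> B: sent in VLAN {vlan}, Switch B places it in VLAN {landed}")
    landed = send_across_trunk(99, SWITCH_B_NATIVE, SWITCH_A_NATIVE)
    print(f"B -> A: sent in VLAN 99, Switch A places it in VLAN {landed}")
```

Only the untagged case changes VLAN in transit; VLAN 10 and 20 arrive intact because the tag, not the port's native VLAN setting, decides where they go.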

Key Commands and Outputs

To check native VLAN configuration on a trunk:

Switch# show interfaces trunk

Example output:

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30

To see native VLAN mismatch errors:

Switch# show logging

If there is a mismatch, you'll see:

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with SwitchB GigabitEthernet0/1 (99).

Also, CDP will report the mismatch in its logs.

How to Fix It

On each side of the trunk, configure the same native VLAN:

SwitchA(config)# interface gigabitethernet 0/1
SwitchA(config-if)# switchport trunk native vlan 99

Or change the other side to match:

SwitchB(config)# interface gigabitethernet 0/1
SwitchB(config-if)# switchport trunk native vlan 1

Interaction with STP

STP BPDUs are sent untagged on the native VLAN. If the native VLANs mismatch, a switch assigns the BPDUs it receives to a different VLAN than the one the sender intended. This can cause STP to incorrectly block or forward ports, leading to loops. For example, if Switch A sends a BPDU for VLAN 1 (its native VLAN) untagged and Switch B places it into VLAN 99, that BPDU may be ignored or processed incorrectly. This is why native VLAN mismatch is a serious issue.

Interaction with CDP and DTP

CDP and DTP also use untagged frames. CDP will specifically report native VLAN mismatch. DTP may fail to negotiate trunking if the native VLANs don't match, though DTP is rarely used in modern networks.

Common Misconfigurations

One side has "switchport nonegotiate" and the other doesn't—this doesn't directly cause native VLAN mismatch, but can lead to trunking issues.

Changing native VLAN on only one side of the trunk.

Forgetting that the default native VLAN is 1 and assuming it's something else.

Verification Checklist

1. Use show interfaces trunk on both switches.
2. Look for the "Native vlan" field.
3. If they differ, you have a mismatch.
4. Also check CDP logs for mismatch messages.
5. Verify that the native VLAN exists on both switches.
6. Ensure the native VLAN is not pruned or filtered on the trunk.

Summary

Native VLAN mismatch is a configuration error where the two ends of a trunk have different native VLANs. It causes untagged frames to be placed into the wrong VLAN, leading to control plane issues and user traffic misdelivery. Always ensure both sides agree on the native VLAN.

Walk-Through

1. Identify Symptoms

The most common symptom is that some traffic works (tagged VLANs) but other traffic fails (untagged frames). Users in VLAN 1 might not be able to communicate across the trunk, while users in VLAN 10 can. You may see CDP messages like '%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with SwitchB GigabitEthernet0/1 (99).' Also, STP may behave unexpectedly, causing loops or blocked ports. The key is to recognize that the problem is asymmetric: only traffic that relies on the native VLAN is affected.

2. Verify Trunk Status

Use `show interfaces trunk` on both switches. This command shows the trunking status, encapsulation, allowed VLANs, and—crucially—the native VLAN. Example output on SwitchA might show 'Native vlan 1', while on SwitchB it shows 'Native vlan 99'. If they differ, you have a mismatch. Also check that the trunk is actually up/up and in trunking mode. If one side is in access mode, the trunk won't form, but that's a different issue.

3. Check CDP Logs

Cisco Discovery Protocol (CDP) is enabled by default on Cisco switches and runs on the native VLAN. CDP will report native VLAN mismatches in the log. Use `show logging` or `show cdp neighbors detail` to see if there are mismatch messages. For example: 'Native VLAN mismatch: 1 vs 99.' CDP is a great first indicator because it proactively warns you. However, if CDP is disabled, you won't see these messages, so always verify with `show interfaces trunk`.

4. Inspect Frame Flow

Use a packet capture or debug to confirm that untagged frames are being placed into the wrong VLAN. On a real switch, you can use `debug spanning-tree events` or `debug cdp packets` to see how control frames are handled. For user traffic, you might use `monitor session` to capture traffic on the trunk and see that untagged packets are tagged with the wrong VLAN at the receiver. This step is more advanced but helps solidify understanding.

5. Correct the Mismatch

On the switch with the mismatched native VLAN, configure the correct native VLAN using `switchport trunk native vlan <vlan-id>`. For example, if SwitchA is native VLAN 1 and SwitchB is native VLAN 99, you can change SwitchB to match: `SwitchB(config-if)# switchport trunk native vlan 1`. Or change SwitchA to match SwitchB. The important thing is that both sides are identical. After making the change, the CDP error should clear, and traffic should flow correctly.

6. Verify the Fix

After configuration, use `show interfaces trunk` on both switches to confirm the native VLANs match. Also check `show logging` to ensure no new mismatch messages appear. Test connectivity by pinging from a host in the native VLAN across the trunk. If the ping succeeds, the issue is resolved. As a final check, you can `clear cdp counters` and wait for CDP to rediscover neighbors without errors.

What This Looks Like on the Job

In a large enterprise network, native VLAN mismatches are surprisingly common. For example, during a data center migration, a network engineer might connect a new access switch to an existing distribution switch. The distribution switch has been customized to use VLAN 99 as the native VLAN for security reasons (to avoid using VLAN 1). The new access switch, fresh out of the box, defaults to VLAN 1. As soon as the trunk is established, CDP screams about a mismatch. The engineer might notice that all devices in VLAN 1 lose connectivity across the trunk, but VLAN 10 and 20 work fine. This is a classic native VLAN mismatch scenario.

Another scenario: a company acquires another office and connects the two networks via a trunk. The existing network uses VLAN 1 as native, but the acquired network uses VLAN 999. The trunk is configured with 802.1Q encapsulation, but no one checked the native VLAN. Suddenly, broadcast storms occur because STP BPDUs are being placed into the wrong VLAN, causing loops. The network team spends hours troubleshooting before discovering the mismatch.

A third scenario: a network admin changes the native VLAN on a trunk to improve security (e.g., using a dedicated VLAN for management traffic). They update one side but forget to update the other. The next day, the helpdesk gets calls about intermittent connectivity. The admin runs show interfaces trunk and sees the mismatch immediately.

In production, the fix is straightforward: configure both ends with the same native VLAN. However, the challenge is often identifying that the problem is a mismatch. Many engineers assume that if a trunk is up, all VLANs work. The reality is that only tagged VLANs work; the native VLAN breaks. This is why understanding native VLAN mismatch is critical for real-world troubleshooting.

Scale considerations: In a large network with hundreds of trunks, manually checking each one is impractical. Use network monitoring tools or scripts to compare native VLAN configurations. Some organizations standardize on a non-default native VLAN (e.g., VLAN 999) across all trunks to avoid accidental use of VLAN 1. This simplifies management but requires consistent configuration.
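One way to script the comparison described above (an added example, not code from the original page). It parses the first table of `show interfaces trunk` captured from each switch, compares the native VLAN on both ends of every link, and pulls the VLAN numbers out of the CDP mismatch message; the sample outputs, the `LINKS` cabling inventory and all function names are constructed for illustration.

```python
import re

HEADER = re.compile(r"\s*Port\s+Mode\s+Encapsulation\s+Status\s+Native vlan")
CDP_MISMATCH = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(\S+) \((\d+)\), with (\S+) (\S+) \((\d+)\)")

def native_vlans(show_trunk):
    """Map port -> native VLAN from the first table of 'show interfaces trunk'."""
    result, in_table = {}, False
    for line in show_trunk.splitlines():
        fields = line.split()
        if HEADER.match(line):
            in_table = True
        elif in_table and not fields:
            break                      # blank line ends the first table
        elif in_table and len(fields) == 5 and fields[4].isdigit():
            result[fields[0]] = int(fields[4])
    return result

def audit_links(outputs, links):
    """Compare native VLANs on both ends of each link; return the mismatches."""
    parsed = {sw: native_vlans(text) for sw, text in outputs.items()}
    findings = []
    for (sw_a, port_a), (sw_b, port_b) in links:
        a, b = parsed[sw_a].get(port_a), parsed[sw_b].get(port_b)
        if a is None or b is None:
            findings.append((sw_a, port_a, sw_b, port_b, "not in trunk table"))
        elif a != b:
            findings.append((sw_a, port_a, sw_b, port_b, f"native {a} != {b}"))
    return findings

def cdp_mismatches(log_text):
    """Return (local_port, local_vlan, peer, peer_port, peer_vlan) per log hit."""
    return [(m[1], int(m[2]), m[3], m[4], int(m[5]))
            for m in CDP_MISMATCH.finditer(log_text)]

# Constructed sample data in the format shown on this page.
TABLE_HEADER = "Port        Mode             Encapsulation  Status        Native vlan\n"
OUTPUTS = {
    "SwitchA": TABLE_HEADER + "Gi0/1  on  802.1q  trunking  1\n"
                              "Gi0/2  on  802.1q  trunking  99\n\n"
                              "Port        Vlans allowed on trunk\nGi0/1       1-4094\n",
    "SwitchB": TABLE_HEADER + "Gi0/1  on  802.1q  trunking  99\n"
                              "Gi0/2  on  802.1q  trunking  99\n",
}
LINKS = [(("SwitchA", "Gi0/1"), ("SwitchB", "Gi0/1")),
         (("SwitchA", "Gi0/2"), ("SwitchB", "Gi0/2"))]   # hypothetical cabling inventory
LOG = ("%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
       "GigabitEthernet0/1 (1), with SwitchB GigabitEthernet0/1 (99).")

if __name__ == "__main__":
    print(audit_links(OUTPUTS, LINKS))
    print(cdp_mismatches(LOG))
```

Comparing configuration catches mismatches even where CDP is disabled, while the log parser covers links that are missing from the inventory.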

Performance impact: Native VLAN mismatch itself doesn't cause performance degradation beyond the misdelivered traffic. However, if STP loops are created, the entire network can suffer. Therefore, it's a serious issue that must be resolved promptly.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam tests native VLAN mismatch under objective 2.1 (Troubleshoot interface and cable issues). The exam expects you to identify the symptoms, verify with show commands, and correct the configuration.

Common wrong answers:

1. "The trunk is down" – The trunk can be up/up even with a mismatch. Only the native VLAN is affected.
2. "All VLANs are broken" – Only the native VLAN is broken; other VLANs work fine.
3. "The problem is an encapsulation mismatch" – Both sides must use the same encapsulation (802.1Q), but a mismatch in encapsulation would cause the trunk to fail entirely. Native VLAN mismatch is different.
4. "The native VLAN is not allowed on the trunk" – The native VLAN is always allowed by default; if it's pruned, the trunk may not form. But that's not a mismatch.

Specific values: Default native VLAN is 1. On some switches, you can change it. The command show interfaces trunk shows the native VLAN in the "Native vlan" field. CDP error message includes the VLAN numbers.

Decision rule: If a trunk is up but some VLANs don't work, check the native VLAN. If CDP reports a mismatch, that's the smoking gun. If not, check allowed VLAN lists.

Scenario question example: "Two switches are connected via a trunk. Users in VLAN 10 can communicate across the trunk, but users in VLAN 1 cannot. CDP shows a native VLAN mismatch. What is the cause?" Answer: The native VLAN is configured differently on each switch.

Elimination strategy: On the exam, if you see a question about a trunk with partial connectivity, immediately suspect native VLAN mismatch. Look for answer choices that mention "native VLAN" or "show interfaces trunk". Eliminate answers about encapsulation, speed/duplex, or trunk mode unless they match the symptoms.

Key Takeaways

Native VLAN mismatch occurs when the two ends of a trunk have different native VLANs.

Default native VLAN on Cisco switches is VLAN 1.

Untagged frames are placed into the native VLAN of the receiving switch.

CDP reports native VLAN mismatch with message: %CDP-4-NATIVE_VLAN_MISMATCH.

Use 'show interfaces trunk' to see the native VLAN on each side.

Tagged traffic for other VLANs works fine; only native VLAN traffic is affected.

To fix, configure both sides with the same native VLAN using 'switchport trunk native vlan <vlan-id>'.

Native VLAN mismatch can cause STP loops because BPDUs are sent untagged.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Native VLAN Mismatch

Untagged frames are misdelivered

Trunk stays up

CDP reports mismatch

Only native VLAN affected

Fix by matching native VLAN on both sides

Allowed VLAN List Mismatch

Tagged frames may be dropped

Trunk stays up but some VLANs missing

No CDP error (unless native VLAN is pruned)

Affects specific VLANs that are not allowed

Fix by updating allowed VLAN list on both sides

Watch Out for These

Mistake: A native VLAN mismatch causes the trunk to go down.
Correct: The trunk remains up/up. Only traffic on the native VLAN is affected; other VLANs work normally.
Candidates assume any trunk issue brings the trunk down, but native VLAN mismatch is a logical error, not a physical one.

Mistake: All VLANs are affected equally by a native VLAN mismatch.
Correct: Only the native VLAN is affected. Tagged frames for other VLANs are not impacted because they carry explicit VLAN tags.
Candidates think the entire trunk is broken, but the mismatch only disrupts untagged traffic.

Mistake: The native VLAN must be the same on both ends, but it doesn't matter which VLAN is used.
Correct: While both ends must match, the native VLAN must also exist and be active on both switches. If the native VLAN is deleted or not allowed on the trunk, the trunk may not work.
Candidates focus only on matching, forgetting that the VLAN itself must be present.

Mistake: Changing the native VLAN on one side automatically changes the other side via CDP or DTP.
Correct: There is no protocol that propagates native VLAN configuration. It must be configured manually on both ends.
Candidates overestimate the capabilities of CDP/DTP, thinking they can auto-correct configuration.

Frequently Asked Questions

What is native VLAN mismatch?

Native VLAN mismatch occurs when the two ends of an 802.1Q trunk are configured with different native VLANs. The native VLAN is the VLAN that sends frames untagged across the trunk. When mismatched, untagged frames from one switch are placed into the wrong VLAN on the other switch, causing connectivity issues for that VLAN. CDP typically reports the mismatch. The fix is to configure both sides with the same native VLAN.

How do I check for native VLAN mismatch?

Use 'show interfaces trunk' on both switches and compare the 'Native vlan' field. Also check CDP logs for '%CDP-4-NATIVE_VLAN_MISMATCH' messages. If the native VLANs differ, you have a mismatch.

Can native VLAN mismatch bring down the trunk?

No. The trunk remains up/up. Only traffic on the native VLAN is affected. Other VLANs work normally because their frames are tagged and not subject to the mismatch. This is why the problem can be subtle.

What is the default native VLAN on Cisco switches?

The default native VLAN is VLAN 1. All ports, including trunks, have native VLAN 1 by default. It can be changed using 'switchport trunk native vlan <vlan-id>'.

Does native VLAN mismatch affect all VLANs?

No. Only the native VLAN is affected. Tagged frames for other VLANs are not impacted because they carry explicit VLAN tags that are correctly processed. The mismatch only affects untagged frames.

How does CDP detect native VLAN mismatch?

CDP sends periodic messages untagged on the native VLAN. When a switch receives a CDP message, it checks the VLAN of the incoming frame. If the frame is untagged, the switch assumes it belongs to its native VLAN. If the native VLANs differ, the receiving switch will see a discrepancy between its native VLAN and the sender's native VLAN (which is embedded in the CDP message) and logs the mismatch.

Can I use VLAN 1 as native VLAN for security reasons?

It is generally recommended to change the native VLAN from the default VLAN 1 to a different, unused VLAN for security. This prevents attackers from exploiting the native VLAN to gain access to control plane traffic. However, you must ensure consistency across all trunks.
