CCNA 200-301 | Chapter 124 of 260 | Objective 2.1

Troubleshoot: VLAN Mismatch Between Switches

VLAN mismatch between switches is one of the most common and insidious problems you'll face on the CCNA 200-301 exam and in real networks. It can cause complete connectivity loss for an entire VLAN without any obvious error messages. Understanding how to identify and fix this issue is critical for exam objective 2.1 (Troubleshoot interface and cable issues). This chapter will teach you the exact steps to diagnose VLAN mismatches, using the right show commands and interpreting their output correctly.

25 min read
Intermediate
Updated May 31, 2026

The Apartment Building Mailbox Mix-Up

Imagine you live in an apartment building with a central mailroom. Each apartment has a mailbox number (VLAN ID). The mailroom has slots for each apartment, and the postal worker sorts mail by apartment number. Now, suppose the building manager decides to repaint the mailroom and accidentally swaps the labels on slots 10 and 20. A letter addressed to apartment 10 is placed in slot 20. When the resident of apartment 20 checks their mail, they find someone else's letters, and the resident of apartment 10 gets no mail at all.

This is exactly what happens in a VLAN mismatch. On a trunk link between two switches, each switch must agree on which VLANs are allowed and which VLAN is the native VLAN (untagged). The native VLAN is like the default slot for unlabeled mail. If one switch thinks the native VLAN is VLAN 1 and the other thinks it's VLAN 99, then frames sent without a VLAN tag (like most management traffic) are placed into different VLANs on each switch. The result: devices in the same VLAN cannot communicate across the trunk because the switches disagree on which VLAN the frames belong to. Worse, if the allowed VLAN lists differ, some VLANs may be completely blocked. Just like the mailroom mix-up, the problem isn't with the letters themselves—it's with the labeling system. The solution is to verify and align the VLAN configurations on both ends of the trunk using commands like show interfaces trunk.

How It Actually Works

What is a VLAN Mismatch?

A VLAN mismatch occurs when two switches connected by a trunk link have inconsistent VLAN configurations. This can involve:

Different native VLAN IDs on each side of the trunk.

Different allowed VLAN lists (one switch allows VLAN 10, the other does not).

One side configured as a trunk while the other is an access port (or vice versa).

VLAN mismatches break connectivity for devices in the affected VLANs. Traffic may be dropped, misdirected, or placed into the wrong VLAN. The most dangerous scenario is a native VLAN mismatch: because native VLAN frames are sent untagged, a mismatch causes control traffic (CDP, VTP, DTP, STP BPDUs) and user data to be received on the wrong VLAN, potentially creating security holes or loops.

How VLAN Mismatch Occurs at the Frame Level

When a switch sends a frame on a trunk port, it adds a 4-byte 802.1Q tag containing the VLAN ID, except for frames belonging to the native VLAN, which are sent untagged. The receiving switch reads the tag (or lack thereof) and places the frame into the corresponding VLAN. If the native VLANs differ:

Switch A sends a frame from VLAN 10 untagged (because it thinks native VLAN is 10).

Switch B receives an untagged frame and places it into its native VLAN (say VLAN 99).

The frame ends up in the wrong VLAN, breaking communication.

If allowed VLAN lists differ:

Switch A sends a tagged frame for VLAN 20.

Switch B's trunk configuration does not include VLAN 20 in its allowed list.

Switch B drops the frame.
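The two failure paths above, modelled in code. This is an added example, not part of the original chapter: it builds the 802.1Q tag the way a trunk port does (TPID 0x8100 followed by the TCI holding the VLAN ID), then shows how the receiving switch classifies an untagged frame into its own native VLAN and drops a tagged frame whose VLAN it does not allow. The MAC addresses, payload and switch settings are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tagged frame

# Constructed sample addresses and payload (not from a real capture)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200aabbcc01")
PAYLOAD = b"\x08\x00" + b"constructed-ip-packet"


def tx_on_trunk(vlan_id, native_vlan, allowed):
    """Sending switch: a frame in the native VLAN leaves untagged; any other
    allowed VLAN gets a 4-byte 802.1Q tag inserted after the source MAC.
    Returns None when the VLAN is not allowed on the trunk (never sent)."""
    if vlan_id not in allowed:
        return None
    if vlan_id == native_vlan:
        return DST + SRC + PAYLOAD
    tci = vlan_id & 0x0FFF  # TCI with PCP=0, DEI=0 and the 12-bit VID
    return DST + SRC + struct.pack("!HH", TPID_8021Q, tci) + PAYLOAD


def rx_on_trunk(frame, native_vlan, allowed):
    """Receiving switch: read the tag (or notice its absence) and classify.
    Untagged frames are assumed to belong to the receiver's native VLAN.
    Returns the VLAN the frame lands in, or None if it is dropped."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    else:
        vid = native_vlan
    return vid if vid in allowed else None


def forward(vlan_id, sender, receiver):
    """Carry one frame of vlan_id across the trunk from sender to receiver.
    Each switch is a (native_vlan, allowed_vlans) tuple."""
    frame = tx_on_trunk(vlan_id, *sender)
    return None if frame is None else rx_on_trunk(frame, *receiver)


ALL_VLANS = set(range(1, 4095))
SWITCH_A = (10, ALL_VLANS)          # native VLAN 10, all VLANs allowed
SWITCH_B = (99, {1, 10, 30, 99})    # native VLAN 99, VLAN 20 not allowed

if __name__ == "__main__":
    print("VLAN 10 from A lands in VLAN", forward(10, SWITCH_A, SWITCH_B))  # 99
    print("VLAN 20 from A lands in VLAN", forward(20, SWITCH_A, SWITCH_B))  # None
    print("VLAN 30 from A lands in VLAN", forward(30, SWITCH_A, SWITCH_B))  # 30
```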

Key States, Timers, and Defaults

Default native VLAN on Cisco switches: VLAN 1.

Default allowed VLAN list on a trunk: all VLANs (1-4094).

DTP (Dynamic Trunking Protocol) negotiates trunking mode. Mismatch in DTP mode (e.g., one side dynamic desirable, other side access) can lead to one side trunking and the other not.

Cisco Discovery Protocol (CDP) frames and the native VLAN's Spanning Tree Protocol (STP) BPDUs are sent untagged, so both effectively travel in the native VLAN. A native VLAN mismatch can therefore cause CDP to report errors and STP to malfunction.

IOS CLI Verification Commands

The primary command to detect VLAN mismatches is:

show interfaces trunk

Example output:

Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-1005

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20,30

If the native VLAN is different on the far end, you'll see a CDP message:

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with Switch2 GigabitEthernet0/1 (99).

Other useful commands:

show interfaces gigabitEthernet 0/1 switchport
show cdp neighbors gigabitEthernet 0/1 detail
show vlan brief

Interaction with Related Protocols

CDP: Detects native VLAN mismatches and logs them.

DTP: Negotiates trunking; mismatch can prevent trunk from forming.

STP: Uses the native VLAN for BPDUs; a mismatch can cause STP to block ports incorrectly.

VTP: Not commonly used, but VLAN mismatches can cause VTP inconsistencies.

Step-by-Step Troubleshooting Flow

1. Check trunk status with show interfaces trunk.

2. Verify native VLAN consistency on both ends.

3. Verify allowed VLAN lists match.

4. Check for CDP native VLAN mismatch messages.

5. Verify interface mode (trunk vs. access) matches.

6. Correct any mismatches using switchport trunk native vlan or switchport trunk allowed vlan.

Common Pitfalls

Assuming both switches have the same default native VLAN (they might have been changed).

Forgetting that the native VLAN must match on both ends.

Overlooking that DTP can cause one side to be a trunk and the other an access port.

Thinking that a VLAN mismatch always causes a complete outage—sometimes it only affects specific VLANs.

Walk-Through

1. Identify the Affected VLANs

Begin by gathering symptoms. Users in a specific VLAN cannot reach resources across the switch. Use `show vlan brief` on both switches to confirm the VLAN exists and has ports assigned. Then check the trunk link between the switches with `show interfaces trunk`. Look for the 'Native vlan' column and the 'Vlans allowed on trunk' list. If the native VLAN differs, you'll see a mismatch. If a VLAN is missing from the allowed list, that VLAN's traffic is blocked.

2. Verify Native VLAN Consistency

On both ends of the trunk, run `show interfaces trunk` and note the native VLAN. If they differ, you have a native VLAN mismatch. Also check for CDP messages: `show logging | include NATIVE_VLAN_MISMATCH`. To fix, on the switch with the wrong native VLAN, enter interface configuration mode and use `switchport trunk native vlan <correct-vlan-id>`. For example, to set native VLAN to 99: `interface gigabitEthernet 0/1` then `switchport trunk native vlan 99`.

3. Verify Allowed VLAN Lists

On both ends, compare the 'Vlans allowed on trunk' list from `show interfaces trunk`. They should match. If one switch has a restricted list (e.g., only VLANs 1,10,20) and the other allows all VLANs, traffic for VLANs not in the restricted list will be dropped. To fix, use `switchport trunk allowed vlan add <vlan-list>` to add missing VLANs, or `switchport trunk allowed vlan <vlan-list>` to set an explicit list (this removes all others). Be careful: the latter command overwrites the current list.

4. Check Interface Mode Mismatch

Use `show interfaces gigabitEthernet 0/1 switchport` on both ends. Look for the 'Administrative Mode' and 'Operational Mode' fields. If one side is trunk and the other is access, the link will not pass VLAN traffic correctly. For example, if one switch is set to 'dynamic desirable' and the other is 'access', the dynamic side will become a trunk only if the other side also negotiates. To fix, manually set both sides to trunk: `switchport mode trunk`.

5. Examine CDP and STP Issues

A native VLAN mismatch can cause STP to malfunction because BPDUs are sent on the native VLAN. Check STP status with `show spanning-tree vlan <vlan-id>`. If the root port is unexpected or ports are blocking, a native VLAN mismatch might be the cause. Also, CDP will report the mismatch. Use `show cdp neighbors gigabitEthernet 0/1 detail` to see the remote device's native VLAN (if CDP is working). If CDP is not working, the mismatch might be preventing CDP messages from being received.

6. Correct and Verify

After making changes, verify the fix. Re-run `show interfaces trunk` on both ends to confirm native VLAN and allowed lists match. Test connectivity from a device in the affected VLAN (e.g., ping the default gateway on the other switch). Also, clear any STP issues by waiting for convergence or manually reconfiguring. Finally, check for CDP messages again to ensure no new mismatches appear.
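Steps 1 to 3 of the troubleshooting flow boil down to comparing the 'Native vlan' and 'Vlans allowed on trunk' tables from both ends. The script below is an added example, not part of the original chapter: it parses that output (using the format shown earlier), expands IOS range notation such as 1-1005 into a set, and reports a native VLAN mismatch plus every VLAN that is allowed on only one end, which is exactly the set whose frames will be silently dropped. The two captures are constructed for the example; in practice you would paste the real output from each switch.

```python
# Constructed sample output for both ends of one trunk, modelled on the
# 'show interfaces trunk' format shown earlier in this chapter (not a real capture).
SWITCH1 = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-1005
"""

SWITCH2 = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1,10,30,99
"""


def expand_vlan_list(text):
    """Expand an IOS VLAN list such as '1-5,10,20-22' (or 'none') into a set."""
    vlans = set()
    for part in text.split(","):
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_trunk(output):
    """Parse 'show interfaces trunk' into {port: {'native': int, 'allowed': set}}.
    Only the first two tables are needed for mismatch detection."""
    trunks, section = {}, None
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # table header: decide which table follows
            section = "native" if "Native" in line else (
                "allowed" if "allowed on trunk" in line else None)
            continue
        if section == "native":
            trunks.setdefault(fields[0], {})["native"] = int(fields[-1])
        elif section == "allowed":
            trunks.setdefault(fields[0], {})["allowed"] = expand_vlan_list(fields[1])
    return trunks


def compare_trunk(local_out, remote_out, local_port, remote_port):
    """Compare the two ends of a trunk. 'native' is (local, remote) when they
    differ (else None); 'one_sided' holds VLANs allowed on only one end, whose
    tagged frames the other end will drop."""
    a = parse_show_trunk(local_out)[local_port]
    b = parse_show_trunk(remote_out)[remote_port]
    return {
        "native": None if a["native"] == b["native"] else (a["native"], b["native"]),
        "one_sided": a["allowed"] ^ b["allowed"],
    }


if __name__ == "__main__":
    result = compare_trunk(SWITCH1, SWITCH2, "Gi0/1", "Gi0/1")
    print("native mismatch:", result["native"])          # (1, 99)
    print("20 blocked:", 20 in result["one_sided"])      # True
```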

What This Looks Like on the Job

In enterprise networks, VLAN mismatches often occur during switch replacements or when new switches are added without proper coordination. For example, consider a scenario where an organization uses VLAN 99 for management traffic (native VLAN) across all trunk links. A junior engineer connects a new switch using the default native VLAN 1. Suddenly, management access to the new switch fails, and STP reconverges, causing a brief outage. The senior engineer runs show interfaces trunk and spots the native VLAN mismatch. The fix is quick: set the native VLAN to 99 on the new switch's uplink port.

Another common scenario involves mergers or acquisitions where two companies have different VLAN numbering schemes. The network team must decide on a common allowed VLAN list. If they forget to update one side, traffic for certain VLANs is silently dropped. Troubleshooting involves checking the allowed VLAN list on each trunk and adding the missing VLANs.

A more subtle issue: a technician accidentally removes all VLANs from a trunk with the command switchport trunk allowed vlan none while trying to restrict a specific VLAN. This immediately blocks all VLAN traffic across that trunk. The symptom is a complete loss of connectivity between switches, but the link remains up (layer 1 and 2 are fine). The fix is to re-add the required VLANs: switchport trunk allowed vlan add 1,10,20,30.

In production, always document the native VLAN and allowed VLAN list for each trunk. Use consistent configurations across all switches. When troubleshooting, start with show interfaces trunk—it's the single most revealing command. Also, enable CDP on all switches to get automatic native VLAN mismatch alerts.

Performance considerations: Allowing too many VLANs on a trunk can increase CPU usage for STP and other protocols, but this is rarely an issue on modern hardware. The main concern is security: restricting allowed VLANs to only those needed reduces the attack surface. Always prune unused VLANs from trunks.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam tests VLAN mismatch troubleshooting under objective 2.1 (Troubleshoot interface and cable issues). Expect scenario-based questions where you must identify the cause of connectivity loss given show command outputs. Key points:

1. Native VLAN mismatch is the most tested concept. You will see a CDP error message or show interfaces trunk output showing different native VLANs. The fix is to make them consistent.

2. Allowed VLAN list mismatch is another common trap. You might see that a specific VLAN is not in the allowed list on one side. The question may ask why devices in VLAN 20 cannot communicate across the trunk.

3. DTP mode mismatch can cause one side to be a trunk and the other an access port. Know the DTP modes: trunk, access, dynamic desirable, dynamic auto. The exam expects you to know that dynamic auto + dynamic auto results in an access link, not a trunk.

Common wrong answers:

"The trunk is down" – but the question often states the link is up/up.

"VLAN 1 is not allowed" – but VLAN 1 is always allowed by default.

"The native VLAN is not configured" – but it is configured, just mismatched.

"STP is blocking the port" – STP may block due to mismatch, but the root cause is the mismatch itself.

Decision rule: When you see a symptom like "PCs in VLAN 10 can't ping each other across switches" and the trunk is up, immediately check show interfaces trunk for native VLAN and allowed VLAN consistency. If CDP messages are shown, look for NATIVE_VLAN_MISMATCH.

Specific values: Default native VLAN is 1. Default allowed VLAN list is all. The command to set native VLAN is switchport trunk native vlan <vlan-id>. The command to set allowed VLAN list is switchport trunk allowed vlan <vlan-list>.

Calculation traps: None, but be careful with VLAN IDs – they range from 1 to 4094, but only 1-1005 are displayed in older IOS versions. Extended VLANs (1006-4094) require VTP transparent mode or no VTP.

Elimination strategy: For multiple-choice questions, eliminate any answer that doesn't involve comparing both ends of the trunk. VLAN mismatch is always a two-sided problem.

Key Takeaways

VLAN mismatch occurs when trunk endpoints disagree on native VLAN or allowed VLAN list.

Use 'show interfaces trunk' to verify native VLAN and allowed VLANs on both ends.

CDP logs 'NATIVE_VLAN_MISMATCH' when native VLANs differ.

Default native VLAN is 1; default allowed VLAN list includes all VLANs.

DTP mode mismatch can prevent trunk formation; manually set both sides to 'trunk'.

Always check both ends of a trunk; a mismatch is a two-sided issue.

Fix native VLAN mismatch with 'switchport trunk native vlan <vlan-id>'.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Native VLAN Mismatch

Untagged frames are placed in wrong VLAN

Affects control traffic (CDP, STP, VTP)

Logged by CDP as NATIVE_VLAN_MISMATCH

Fix: set same native VLAN on both ends

Symptoms: management loss, STP issues

Allowed VLAN List Mismatch

Tagged frames for specific VLANs are dropped

Does not affect control traffic (sent on native VLAN)

Not directly logged; no CDP message

Fix: add missing VLANs to allowed list on one or both ends

Symptoms: specific VLANs unreachable

Watch Out for These

Mistake

A VLAN mismatch only affects user data, not control traffic.

Correct

A native VLAN mismatch affects control traffic (CDP, STP BPDUs, VTP) because they are sent untagged on the native VLAN. This can cause STP loops or loss of management.

Candidates often think control protocols are independent of VLAN configuration.

Mistake

If the trunk is up/up, there cannot be a VLAN mismatch.

Correct

A trunk can be up/up even with a VLAN mismatch. The link is operational at layer 1 and 2, but traffic may be misdelivered or dropped.

Candidates associate 'up/up' with full connectivity, but it only indicates physical and data link layer readiness.

Mistake

The native VLAN must be the same on both ends only if you use VLAN 1.

Correct

The native VLAN must match regardless of which VLAN ID is used. Any mismatch causes issues.

Some think native VLAN mismatch only matters if using non-default VLANs.

Mistake

You can fix a VLAN mismatch by changing the allowed VLAN list on one side.

Correct

Fixing a mismatch requires making both sides consistent. Changing only one side may create a new mismatch.

Candidates may think only one side is wrong, but the problem is the difference between the two.


Frequently Asked Questions

What is the default native VLAN on Cisco switches?

The default native VLAN is VLAN 1. This is the VLAN used for untagged traffic on a trunk port. It is important to change it to a dedicated management VLAN for security reasons. On the CCNA exam, remember that if you see a native VLAN mismatch, the default is 1 unless changed.

How do I check the native VLAN on a trunk?

Use the command 'show interfaces trunk' on the switch. Look for the 'Native vlan' column. For a specific interface, you can use 'show interfaces gigabitEthernet 0/1 trunk'. Also, 'show interfaces gigabitEthernet 0/1 switchport' will show the native VLAN under 'Trunking Native Mode VLAN'.

What command sets the native VLAN on a trunk?

The command is 'switchport trunk native vlan <vlan-id>' under interface configuration mode. For example, to set native VLAN to 99: 'interface gigabitEthernet 0/1' then 'switchport trunk native vlan 99'. This command must be applied on both ends of the trunk.

Can a VLAN mismatch cause a trunk to go down?

No, a VLAN mismatch does not bring the trunk down. The trunk remains up/up at layer 1 and 2. However, traffic may be misdirected or dropped. The only way a trunk goes down is if the interface is administratively shut down or a physical issue occurs.

What is the difference between native VLAN mismatch and allowed VLAN list mismatch?

Native VLAN mismatch affects untagged frames (including control traffic) and causes them to be placed in the wrong VLAN. Allowed VLAN list mismatch affects tagged frames; if a VLAN is not in the allowed list, its frames are dropped. Both are common exam topics.

How does DTP relate to VLAN mismatch?

DTP negotiates trunking status. If one switch is set to 'dynamic desirable' and the other to 'access', the link becomes an access link, not a trunk. This is a type of mode mismatch, not a VLAN mismatch per se, but it prevents VLAN traffic from passing. Always ensure both ends are in trunk mode for trunking.

What should I do if I see a CDP native VLAN mismatch message?

First, identify which switch has the wrong native VLAN by comparing the output of 'show interfaces trunk' on both ends. Then, on the switch with the incorrect native VLAN, enter interface configuration mode for the trunk port and use 'switchport trunk native vlan <correct-vlan-id>' to match the other side. Verify with 'show interfaces trunk' again.
