This chapter covers native VLAN configuration and security, a critical topic for the Network+ N10-009 exam. Native VLANs appear in about 5-8% of exam questions, often in the context of trunking, VLAN hopping attacks, and switch security. Understanding how native VLANs work, how to configure them properly, and how misconfiguration leads to security vulnerabilities is essential for the Network Implementation domain (Objective 2.1). We will dissect the mechanism, default behavior, security risks like double tagging, and best practices for hardening your network.
Imagine a company telephone system where every employee has a desk phone, but there is a single shared line for the whole office. The receptionist maintains a log mapping each employee's extension to the shared line when they make a call. However, there is one unlabeled cable port in the wiring closet that is always connected to the shared line by default—any phone plugged into that port gets the shared line without needing to ask the receptionist. This is the 'native' port. If an employee plugs their personal phone into that port, they can make calls as if they were on the shared line, even though they should be on a private line. Worse, if an attacker gains physical access and plugs into that port, they can eavesdrop on all shared-line calls. In networking, the native VLAN (VLAN 1 by default) is like that unlabeled port: it carries traffic for all untagged frames on a trunk link. If not explicitly changed to an unused VLAN, an attacker can use a double-tagging attack to send frames that hop from the native VLAN to a victim VLAN, bypassing security. The solution is to change the native VLAN to a 'parking lot' VLAN that is never used for user traffic, just as you would label that cable port as 'emergency only' and disconnect it from the shared line.
What is the Native VLAN?
The native VLAN is a concept that applies to IEEE 802.1Q trunk links. On a trunk port, frames are typically tagged with a VLAN ID to identify which VLAN they belong to. However, the native VLAN is the VLAN that carries untagged traffic on a trunk. By default, Cisco switches use VLAN 1 as the native VLAN. Any frame that arrives on a trunk port without an 802.1Q tag is assumed to belong to the native VLAN. Similarly, frames destined for the native VLAN are sent untagged on the trunk.
Why Does the Native VLAN Exist?
The native VLAN exists for backward compatibility with devices that do not understand 802.1Q tagging. For example, an older switch or a hub might be connected to a trunk port. Those devices cannot process tagged frames, so the native VLAN allows them to communicate using untagged frames. In modern networks, the native VLAN is often still used for management traffic or for connecting legacy devices, but it is a significant security risk if not managed properly.
How the Native VLAN Works Internally
When a switch sends a frame on a trunk port, it checks the VLAN of the frame. If the VLAN ID equals the native VLAN configured on that port, the switch strips the 802.1Q tag and sends the frame untagged. If the VLAN ID is different, the switch adds the appropriate 802.1Q tag. On the receiving end, when a switch receives a frame on a trunk port, it inspects the frame for a tag. If a tag is present, the frame is assigned to the VLAN indicated by the tag. If no tag is present, the frame is assigned to the native VLAN of that port.
This behavior is defined in IEEE 802.1Q-2014, Section 8.6.2. The native VLAN is sometimes called the 'default VLAN' or 'untagged VLAN.' The key point is that the native VLAN is a per-port property. Different trunk ports can have different native VLANs.
Default Values and Important Numbers
Default native VLAN on Cisco switches: VLAN 1
Default VLAN 1 exists on all switches and cannot be deleted.
All ports are in VLAN 1 by default (access and trunk).
The management VLAN is often VLAN 1 by default but should be changed.
The native VLAN can be changed to any existing VLAN (1-4094) or to 'none' on some platforms.
The command to change the native VLAN on a Cisco trunk: switchport trunk native vlan <vlan-id>
To verify: show interfaces trunk
Security Risks: VLAN Hopping via Double Tagging
The primary security concern with the native VLAN is a type of VLAN hopping attack called double tagging. Here's how it works:
An attacker on a switch port in VLAN 10 (the attacker's own VLAN, which is also the native VLAN of the trunk) sends a frame with two 802.1Q tags. The outer tag has VLAN 10 (the native VLAN of the trunk), and the inner tag has VLAN 20 (the target VLAN).
When the frame reaches the first switch, it sees the outer tag (VLAN 10) and processes the frame as belonging to VLAN 10. The switch then forwards the frame out of the trunk port. Since the native VLAN is VLAN 10, the switch strips the outer tag (because native VLAN frames are sent untagged) and forwards the frame with only the inner tag (VLAN 20) out the trunk.
The receiving switch sees the frame with a single tag (VLAN 20) and forwards it to the target in VLAN 20, bypassing any access control lists (ACLs) that might have been in place.
This attack works only if the attacker is in the same VLAN as the native VLAN of the trunk. Therefore, the mitigation is to change the native VLAN to a VLAN that is not used for any user traffic—often called a 'black hole' or 'parking lot' VLAN. Additionally, you can disable trunking on access ports and use dedicated VLANs for management.
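The following model ties together the egress and ingress rules from "How the Native VLAN Works Internally" and the double-tagging walkthrough above. It is an added example, not code from the chapter: it builds 802.1Q tags in bytes, applies the two trunk rules (native VLAN frames leave untagged; untagged arrivals are assigned to the native VLAN) and reports which VLAN the second switch assigns to an ordinary host frame and to the double-tagged frame, first with native VLAN 10 and then with the native VLAN moved to 999. The MAC addresses and payload are constructed, and the model assumes the access port accepts a frame whose tag already matches its own VLAN, which is the behaviour the walkthrough relies on.

```python
"""Model of 802.1Q tag handling on a trunk (added example; not from the chapter).

Shows why the double-tagged frame described above lands in VLAN 20 when the
trunk's native VLAN is 10, and stays in VLAN 10 once the native VLAN is
changed to an unused VLAN (999). MACs and payload are constructed. Assumption:
the access port accepts a frame already tagged with the port's own VLAN.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def ethernet_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def add_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag (TPID 0x8100 + TCI) right after the source MAC."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def outer_tag(frame):
    """VID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def strip_tag(frame):
    """Remove the outermost 802.1Q tag."""
    return frame[:12] + frame[16:]


def access_ingress(frame, access_vlan):
    """Access port: untagged frames join the port VLAN; a frame already tagged
    with the port VLAN is accepted as is (assumption); other tags are dropped."""
    vid = outer_tag(frame)
    if vid is None:
        return add_tag(frame, access_vlan)
    return frame if vid == access_vlan else None


def trunk_egress(frame, native):
    """Trunk egress: native VLAN frames leave untagged, all others keep a tag."""
    return strip_tag(frame) if outer_tag(frame) == native else frame


def trunk_ingress(frame, native):
    """Trunk ingress: untagged frames are assigned to the native VLAN."""
    return add_tag(frame, native) if outer_tag(frame) is None else frame


def vlan_after_trunk(frame, access_vlan, native):
    """Frame enters an access port on switch 1, crosses a trunk whose native
    VLAN matches on both ends, and this returns the VLAN switch 2 assigns."""
    f = access_ingress(frame, access_vlan)
    if f is None:
        return None
    return outer_tag(trunk_ingress(trunk_egress(f, native), native))


# Constructed sample frame: broadcast destination, locally administered source.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200000000aa")
PLAIN = ethernet_frame(DST, SRC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)


def demo():
    """Ordinary untagged host frame versus the chapter's double-tagged frame
    (outer tag 10, inner tag 20), under native VLAN 10 and native VLAN 999."""
    double = add_tag(add_tag(PLAIN, 20), 10)
    return {
        "untagged host, native 10": vlan_after_trunk(PLAIN, 10, 10),
        "untagged host, native 999": vlan_after_trunk(PLAIN, 10, 999),
        "double-tagged, native 10": vlan_after_trunk(double, 10, 10),
        "double-tagged, native 999": vlan_after_trunk(double, 10, 999),
    }


if __name__ == "__main__":
    for case, vid in demo().items():
        print(f"{case}: delivered in VLAN {vid}")
```

With native VLAN 10, the first switch removes the outer tag on egress and the inner tag becomes the frame's only tag, so the second switch files it under VLAN 20. With native VLAN 999, the outer tag 10 is not the native VLAN, so it stays on the wire and the second switch keeps the frame in VLAN 10; the inner tag is never consulted.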
Configuration and Verification Commands
On a Cisco IOS switch, to configure a trunk port and change the native VLAN:

```
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
```

To verify the native VLAN:

```
show interfaces trunk
```

Sample output:

```
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      999
```

To see the native VLAN on a specific port:

```
show interfaces GigabitEthernet0/1 switchport
```

Look for 'Trunking Native Mode VLAN:' in the output.
Interaction with Related Technologies
VTP (VLAN Trunking Protocol): VTP advertises VLAN information across trunks. The native VLAN is still used for untagged traffic even with VTP. Changing the native VLAN on a VTP server will propagate to clients.
DTP (Dynamic Trunking Protocol): DTP negotiates trunking between switches. The native VLAN is only relevant after the trunk is established. DTP can be a security risk because it can allow an attacker to negotiate a trunk and then perform VLAN hopping. Best practice is to disable DTP on access ports (switchport nonegotiate).
STP (Spanning Tree Protocol): STP BPDUs are sent untagged on the native VLAN. If the native VLAN is mismatched between two switches, STP may fail, causing loops. Always ensure the native VLAN matches on both ends of a trunk.
Private VLANs: Private VLANs can isolate ports within the same VLAN. The native VLAN can be a private VLAN, but care must be taken to avoid breaking management access.
Best Practices for Native VLAN Security
Change the native VLAN from the default VLAN 1 to an unused VLAN (e.g., 999). Never use VLAN 1 for user traffic.
Set the native VLAN to a VLAN that does not exist (if possible) or to a VLAN that is not used for any other purpose. Some switches allow setting the native VLAN to 'none'.
Disable trunking on access ports by using switchport mode access and switchport nonegotiate.
Use a dedicated management VLAN that is separate from the native VLAN.
Prune unused VLANs from trunks to reduce the attack surface.
Implement VLAN access maps to filter traffic between VLANs.
Always match the native VLAN on both ends of a trunk to prevent STP issues and misconfiguration.
Common Pitfalls in Configuration
Mismatched native VLAN: If the native VLAN differs on each end of a trunk, the switch will not be able to communicate properly. Management traffic and STP BPDUs will be lost, potentially causing a loop.
Using VLAN 1 for management: VLAN 1 is the default native VLAN and is used for CDP, VTP, and DTP. If you change the native VLAN, ensure management traffic is on a separate VLAN.
Forgetting to change the native VLAN on both ends: A common mistake is to change it on one switch only. Always configure both sides.
Advanced: Native VLAN in a Virtual Environment
In virtualized environments like VMware ESXi, virtual switches also have a concept of native VLAN (or VLAN 0). When a virtual switch port group is set to VLAN 0, it uses the native VLAN of the physical uplink. This can cause issues if the physical switch's native VLAN is not what you expect. Always explicitly set the VLAN ID on virtual port groups to avoid relying on native VLAN behavior.
Identify Trunk Ports and Native VLAN
First, determine which ports are configured as trunks using `show interfaces trunk`. This command lists all trunk ports, their mode, encapsulation, status, and native VLAN. Note the native VLAN value for each trunk. If the native VLAN is 1 (the default), it is a security risk. Also, check if any access ports are inadvertently trunking due to DTP negotiation. Use `show interfaces switchport` on suspected ports to see if the operational mode is 'trunk' when it should be 'access'.
Create a Dedicated Unused VLAN for Native
Create a new VLAN that will be used exclusively as the native VLAN for all trunks. This VLAN should have no user ports assigned to it and no Layer 3 interface (SVI) unless required for management. Use `vlan 999` and `name NATIVE_VLAN` in global configuration. Ensure this VLAN is not used for any other purpose. On some switches, you can also set the native VLAN to 'none' if the platform supports it, which effectively disables untagged traffic.
Configure the Native VLAN on Each Trunk
Enter interface configuration mode for each trunk port and set the native VLAN: `switchport trunk native vlan 999`. This command changes the native VLAN for that port. The switch will now send untagged frames only for VLAN 999, and any untagged frames received will be assigned to VLAN 999. Repeat for all trunk ports on all switches. Ensure that the native VLAN matches on both ends of each trunk link.
Disable DTP and Set Access Ports to Access Mode
For any port that is meant to be an access port (connecting to end devices), explicitly set it to access mode and disable DTP: `switchport mode access` and `switchport nonegotiate`. This prevents an attacker from negotiating a trunk and then performing VLAN hopping. Do not use `switchport mode dynamic desirable` or `switchport mode dynamic auto` on these ports; those are trunk negotiation modes, not a way to disable trunking. For access ports, always use `switchport mode access`.
Verify Configuration and Test Connectivity
After configuration, use `show interfaces trunk` to confirm that the native VLAN has changed to 999. Also, verify that management access (e.g., SSH, SNMP) still works. Test connectivity between devices on different VLANs to ensure that inter-VLAN routing is unaffected. If you have a network monitoring tool, check for any STP topology changes or BPDU errors. Finally, attempt a double-tagging attack in a lab to confirm that the new native VLAN prevents the attack (the attacker would need to be in VLAN 999, which has no user ports).
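To support the "Identify Trunk Ports and Native VLAN" step and the final verification step, here is an added audit script that is not part of the chapter. It parses the first table of the Cisco IOS `show interfaces trunk` output (the layout shown earlier in this chapter) collected from several switches, flags every trunk whose native VLAN is still VLAN 1, and, given a cabling map, flags links whose native VLAN differs between the two ends. The switch names, port names, sample outputs and cabling map are constructed.

```python
"""Audit 'show interfaces trunk' output for native VLAN risks.

Added example, not from the chapter. Reports (1) trunks still using the
default native VLAN 1 and (2) trunk links whose native VLAN does not match
on both ends. All switch names, ports, outputs and links are constructed.
"""
import re

# Constructed sample output from two switches; the layout matches the
# chapter's 'show interfaces trunk' example. The second table is ignored.
SHOW_TRUNK = {
    "SW1": """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      999
Gi0/2       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       1-4094
""",
    "SW2": """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      999
Gi0/2       on           802.1q         trunking      20

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       1-4094
""",
}

# Constructed cabling map: each trunk link as ((switch, port), (switch, port)).
LINKS = [
    (("SW1", "Gi0/1"), ("SW2", "Gi0/1")),
    (("SW1", "Gi0/2"), ("SW2", "Gi0/2")),
]

# Columns of the first table: Port  Mode  Encapsulation  Status  Native vlan
TRUNK_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_show_trunk(text):
    """Return {port: native_vlan} from the first table of 'show interfaces trunk'."""
    natives = {}
    for line in text.splitlines():
        if not line.strip():
            if natives:          # blank line after the first table: done
                break
            continue             # leading blank lines
        if line.startswith("Port"):
            continue             # column header
        m = TRUNK_ROW.match(line)
        if m:
            natives[m.group(1)] = int(m.group(5))
    return natives


def audit(outputs, links):
    """outputs: {switch: 'show interfaces trunk' text}; links: cabling map.
    Returns a list of findings; an empty list means nothing to fix."""
    natives = {sw: parse_show_trunk(text) for sw, text in outputs.items()}
    findings = []
    for sw, ports in natives.items():
        for port, vid in sorted(ports.items()):
            if vid == 1:
                findings.append(f"{sw} {port}: native VLAN is still the default VLAN 1")
    for (sw_a, p_a), (sw_b, p_b) in links:
        va = natives.get(sw_a, {}).get(p_a)
        vb = natives.get(sw_b, {}).get(p_b)
        if va is None or vb is None:
            findings.append(f"{sw_a} {p_a} <-> {sw_b} {p_b}: not trunking on both ends")
        elif va != vb:
            findings.append(
                f"{sw_a} {p_a} (native {va}) <-> {sw_b} {p_b} (native {vb}): "
                "native VLAN mismatch"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_TRUNK, LINKS) or ["no native VLAN findings"]:
        print(finding)
```

Run it after the change on every switch and again after both ends of each trunk have been updated; a clean run (no findings) is the state the verification step is looking for, and a "not trunking on both ends" finding points at a port whose operational mode should be re-checked with `show interfaces switchport`.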
In a typical enterprise campus network, you might have hundreds of switches with multiple trunks between access switches and distribution switches. The native VLAN is often overlooked because it 'just works' by default. I've seen a large financial institution that suffered a VLAN hopping attack because they left the native VLAN as VLAN 1. An attacker on a public-facing access port (which was in VLAN 10) was able to send double-tagged frames and reach the HR server in VLAN 20. The fix was to change the native VLAN on all trunks to a dedicated VLAN (e.g., 999) and ensure no user ports were in that VLAN.
Another scenario is in data center environments with top-of-rack (ToR) switches. Often, management interfaces are in VLAN 1, and the native VLAN is also VLAN 1. This is a security risk because any untagged frame on a trunk could be misinterpreted as management traffic. Best practice is to move management to a separate VLAN (e.g., VLAN 100) and change the native VLAN to an unused VLAN. Additionally, use a dedicated management network out-of-band when possible.
A third scenario is in cloud or virtualized environments. For example, in a VMware vSphere environment, the virtual switch's native VLAN (VLAN 0) corresponds to the physical switch's native VLAN. If the physical switch's native VLAN is 1, and a virtual machine is set to VLAN 0, it will be in VLAN 1, which might be the management VLAN. This can cause accidental access to management interfaces. The solution is to explicitly set the VLAN ID on virtual port groups and change the physical switch's native VLAN to an unused VLAN.
Performance considerations: Changing the native VLAN has negligible performance impact. However, if the native VLAN is mismatched, the switch will drop BPDUs, causing STP to reconverge, which can cause temporary loops and packet loss. Also, if the native VLAN is used for a large amount of traffic (e.g., if you mistakenly put user traffic in the native VLAN), the untagged traffic might be misclassified, but modern switches handle this efficiently.
Common misconfigurations: Forgetting to change the native VLAN on both ends of a trunk is the most common. Also, some administrators change the native VLAN but forget to create the VLAN first, resulting in the native VLAN being 'nonexistent' which can cause the port to go into errdisable state. Always create the VLAN before referencing it in the native command.
The N10-009 exam tests native VLAN configuration and security primarily under Objective 2.1 (Network Implementation). Expect 1-2 questions on this topic. The exam focuses on:
Default native VLAN: VLAN 1. Questions often ask 'What is the default native VLAN on a Cisco switch?' The wrong answer is often 'VLAN 0' or 'VLAN 4095'. Remember: 802.1Q uses VLAN 0 for priority tagging, but the native VLAN is 1 by default.
VLAN hopping attack via double tagging: The exam will ask how to mitigate this. The correct answer is 'Change the native VLAN to an unused VLAN.' Wrong answers include 'Disable trunking on all ports' (not practical) or 'Use 802.1X' (which does not prevent double tagging).
Which frames are untagged on a trunk: Frames in the native VLAN are sent untagged. A common exam question: 'On a trunk, which VLAN's frames are sent without an 802.1Q tag?' The answer is the native VLAN.
Configuration command: switchport trunk native vlan <vlan-id>. The exam may present a scenario where you need to select the correct command from a list. Common wrong command: switchport native vlan (missing 'trunk') or vlan native.
Verification command: show interfaces trunk shows the native VLAN. The exam may ask which command displays the native VLAN. show vlan brief does not show trunk details.
STP and native VLAN: Mismatched native VLANs cause STP issues. A question might describe a loop occurring after a trunk is connected, and the answer is mismatched native VLAN.
Best practice: Always change the native VLAN from VLAN 1. The exam may ask 'What is the best security practice for native VLAN?' The answer is to set it to an unused VLAN.
Edge cases: The exam might ask about the effect of setting the native VLAN to a VLAN that does not exist. In that case, the trunk will still work but any untagged frames will be dropped. Also, if you set the native VLAN to 'none' (on some platforms), the trunk will not accept untagged frames, which is the most secure option.
How to eliminate wrong answers: Understand the mechanism. For double-tagging, the attack requires the attacker to be in the native VLAN. Therefore, any answer that does not involve changing the native VLAN is likely wrong. Also, remember that DTP is separate from native VLAN; disabling DTP prevents trunk negotiation but does not prevent double tagging if a trunk is already established.
The default native VLAN on Cisco switches is VLAN 1.
Frames in the native VLAN are sent untagged on 802.1Q trunks.
Double-tagging attacks exploit the native VLAN to hop between VLANs.
Change the native VLAN to an unused VLAN (e.g., 999) to mitigate double-tagging.
Use `switchport trunk native vlan <vlan-id>` to configure the native VLAN.
Use `show interfaces trunk` to verify the native VLAN configuration.
Always match the native VLAN on both ends of a trunk to avoid STP issues.
Disable DTP on access ports with `switchport nonegotiate` to prevent trunk negotiation.
These come up on the exam all the time. Here's how to tell them apart.
Native VLAN Default (VLAN 1)
Default on all Cisco switches.
Vulnerable to double-tagging attacks if attacker is in VLAN 1.
Management traffic often uses VLAN 1, creating a single point of failure.
Untagged frames are assigned to VLAN 1, which may have many user ports.
Easier to configure but less secure.
Native VLAN Changed to Unused VLAN
Requires manual configuration on all trunks.
Mitigates double-tagging attacks because attacker cannot be in the native VLAN.
Management traffic can be placed in a different VLAN, improving security.
Untagged frames are assigned to an unused VLAN, reducing risk.
More secure but requires careful planning and consistent configuration.
Mistake
The native VLAN is always VLAN 1 and cannot be changed.
Correct
The native VLAN can be changed to any existing VLAN (1-4094) using `switchport trunk native vlan <vlan-id>`. Some switches also support setting the native VLAN to 'none'.
Mistake
Double-tagging attacks are prevented by disabling DTP.
Correct
Disabling DTP prevents an attacker from negotiating a trunk, but if a trunk already exists (e.g., between switches), double-tagging can still occur if the attacker is in the native VLAN. The proper mitigation is to change the native VLAN to an unused VLAN.
Mistake
All frames on a trunk are tagged.
Correct
Frames belonging to the native VLAN are sent untagged on a trunk. Only frames from non-native VLANs are tagged.
Mistake
The native VLAN is the same as the management VLAN.
Correct
By default, both are VLAN 1, but they are separate concepts. The native VLAN is a trunk property; the management VLAN is the VLAN used for management traffic (e.g., SSH, SNMP). Best practice is to change both to different VLANs.
Mistake
Setting the native VLAN to an unused VLAN is optional for security.
Correct
It is a critical security best practice. Leaving the native VLAN as VLAN 1 makes the network vulnerable to double-tagging attacks. CompTIA expects you to know this.
The native VLAN is the VLAN that carries untagged traffic on an 802.1Q trunk. By default, it is VLAN 1. It is important for security because if left as default, an attacker in VLAN 1 can perform a double-tagging attack to send frames to other VLANs. Changing the native VLAN to an unused VLAN prevents this attack. On the exam, remember that the native VLAN should never be VLAN 1 in a secure network.
Use the command `switchport trunk native vlan <vlan-id>` in interface configuration mode for the trunk port. First, create the VLAN if it doesn't exist using `vlan <vlan-id>`. Then, verify with `show interfaces trunk`. Ensure the same native VLAN is configured on both ends of the trunk. Example: `interface GigabitEthernet0/1`, `switchport trunk native vlan 999`.
A double-tagging attack involves an attacker sending a frame with two 802.1Q tags. The outer tag matches the native VLAN of the trunk, and the inner tag is the target VLAN. The first switch strips the outer tag (because native VLAN frames are sent untagged) and forwards the frame with the inner tag. The second switch then forwards the frame to the target VLAN, bypassing ACLs. Mitigation: change the native VLAN to an unused VLAN so the attacker cannot be in the native VLAN.
Disabling DTP prevents an attacker from negotiating a trunk on an access port, which stops some VLAN hopping attacks (like switch spoofing). However, it does not prevent double-tagging attacks, which exploit existing trunks. To prevent double-tagging, you must change the native VLAN. DTP is disabled with `switchport nonegotiate` on access ports.
The native VLAN is a property of a trunk port that determines which VLAN's frames are sent untagged. The default VLAN is often VLAN 1, which is the VLAN that all ports are in by default. They are the same by default, but conceptually different. You can change the native VLAN without changing the default VLAN for access ports. On the exam, know that the native VLAN is specifically for trunks.
On some Cisco switches (e.g., Catalyst 9000 series), you can set the native VLAN to 'none' using `switchport trunk native vlan none`. This means no untagged frames are accepted or sent on the trunk. This is the most secure option, but ensure that no devices rely on untagged frames. Check your switch documentation for support.
If the native VLAN differs on each end of a trunk, the switches will not correctly process untagged frames. Management traffic (like CDP, VTP, STP BPDUs) will be lost, potentially causing STP loops or loss of connectivity. The link may still appear up, but traffic in the native VLAN will not pass. Always ensure native VLANs match on both ends.