This chapter covers VLAN mismatch and native VLAN issues, two of the most common Layer 2 problems tested on the CompTIA Network+ N10-009 exam. Understanding these concepts is critical because they account for roughly 5-10% of troubleshooting questions, often appearing in performance-based scenarios. You will learn the underlying mechanisms, how to identify symptoms, and how to resolve these issues using CLI commands and best practices.
Imagine a hotel where each room has a phone extension, and the front desk has a switchboard that connects calls between rooms and to the outside. The hotel has a policy that all internal calls use a specific 'internal line' (like VLAN 1 by default). However, one day a new phone system is installed, and the front desk is set to treat all calls from room 101 as internal (using the internal line), but room 101's phone is configured to use a different 'guest line' for calls. When room 101 tries to call the front desk, the front desk sees the call coming on the guest line but expects it on the internal line, so it doesn't recognize the room number and drops the call. Meanwhile, the front desk tries to send an internal broadcast (like a wake-up call) on the internal line, but room 101 doesn't hear it because it's listening on the guest line. This is exactly like a VLAN mismatch: the switch port expects frames tagged with a certain VLAN ID (or untagged for native VLAN), but the device sends frames with a different tag or untagged on a different VLAN. The result is communication failure, often with symptoms like inability to ping or DHCP failure. The native VLAN is like the default internal line: if both sides don't agree on which VLAN is untagged, traffic gets misdirected.
What is a VLAN Mismatch?
A VLAN mismatch occurs when two connected switch ports are configured with different VLAN memberships for the same link. In a properly functioning network, when two switches are connected via a trunk link, both ends must agree on which VLANs are allowed and which VLAN is designated as the native VLAN. If the configurations do not match, frames may be dropped, misdirected, or cause loops.
VLANs (Virtual Local Area Networks) logically segment a physical network into multiple broadcast domains. Each VLAN is identified by a 12-bit VLAN ID (VID) ranging from 1 to 4094, as defined in IEEE 802.1Q. VLANs 1 and 1002-1005 are reserved (VLAN 1 is the default native VLAN).
How VLAN Mismatch Occurs
A common scenario: Two switches, SW1 and SW2, are connected via a trunk. SW1's interface Gi0/1 is configured as a trunk with allowed VLANs 10,20,30 and native VLAN 10. SW2's interface Gi0/1 is configured as a trunk with allowed VLANs 20,30,40 and native VLAN 20. The mismatch in allowed VLANs means VLAN 10 traffic from SW1 will be dropped when received on SW2 because SW2 does not have VLAN 10 allowed on the trunk. Additionally, the native VLAN mismatch (10 vs 20) causes both switches to treat untagged frames as belonging to different VLANs, leading to potential security issues and communication failures.
The Mechanism of VLAN Tagging
On trunk links, Ethernet frames are tagged with a 4-byte 802.1Q header inserted between the source MAC and EtherType fields. The tag contains a 12-bit VLAN ID (VID). The native VLAN is special: frames belonging to the native VLAN are sent untagged on a trunk link. Both ends must agree on which VLAN is the native VLAN; otherwise, a switch receiving an untagged frame will assign it to its own native VLAN, which may be different from the sender's native VLAN. This can cause frames to be placed in the wrong VLAN, leading to connectivity issues or even VLAN hopping attacks.
Key Components and Defaults
Default native VLAN: VLAN 1 (on most Cisco switches).
Default allowed VLANs on a trunk: all VLANs (1-4094).
IEEE 802.1Q standard defines the tagging mechanism.
Dynamic Trunking Protocol (DTP) can negotiate trunking, but it is insecure and often disabled.
Configuration and Verification Commands
On Cisco IOS, configure a trunk interface:
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
Verify with:
show interfaces trunk
show interfaces gigabitethernet0/1 switchport
show vlan brief
Output example:
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      10

Port        Vlans allowed on trunk
Gi0/1       10,20,30
Native VLAN Issues
Native VLAN issues arise when the native VLAN is not consistent across a trunk link. For example, if SW1 has native VLAN 10 and SW2 has native VLAN 20, then:
SW1 sends untagged frames for VLAN 10. SW2 receives them and assigns them to VLAN 20 (its native VLAN). Those frames are then forwarded into VLAN 20, which may be a different broadcast domain. This can cause traffic from VLAN 10 to appear in VLAN 20, leading to security breaches or connectivity problems.
CDP (Cisco Discovery Protocol) and VTP (VLAN Trunking Protocol) are typically sent on the native VLAN. If native VLANs mismatch, these protocols may not work, causing neighbor discovery failures.
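The tagging mechanism described above and the SW1/SW2 native VLAN walkthrough can be made concrete with a small model. The following Python is an added example, not code from the chapter or from any vendor: it builds constructed 802.1Q frames (the MAC addresses and payload are made up), parses the tag stack, and models trunk egress and ingress so you can see the same untagged frame land in VLAN 10 on a switch whose native VLAN is 10 and in VLAN 20 on a switch whose native VLAN is 20. It also reports stacked tags on ingress, which is what a capture-based monitor, not a switch, would do to notice a double-tagged frame.

```python
# Added example (not code from the original chapter): a small model of 802.1Q
# tagging on a trunk. Frames are constructed here; SW1 (native 10, allowed
# 10,20,30) and SW2 (native 20, allowed 20,30,40) are the chapter's scenario.
from __future__ import annotations
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
# Constructed MAC addresses for the sample frames (not real devices).
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("0066778899aa")


def build_frame(vids: list[int], ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Assemble dst/src MACs, one 4-byte 802.1Q tag per VID (outer first), then EtherType and payload."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return DST_MAC + SRC_MAC + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return the VLAN IDs carried by stacked 802.1Q tags (outer first) plus the EtherType after them."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vids = 12, []
    # Each 802.1Q tag sits between the source MAC and the EtherType: TPID (0x8100) then TCI.
    while len(frame) >= offset + 4 and struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID (1-4094)
        offset += 4
    return {"dst": frame[:6], "src": frame[6:12], "vids": vids,
            "ethertype": struct.unpack("!H", frame[offset:offset + 2])[0]}


def egress_trunk(vlan: int, native_vlan: int, allowed: set[int]) -> bytes | None:
    """Trunk egress: native-VLAN frames leave untagged, other allowed VLANs get a tag, the rest are not sent."""
    if vlan not in allowed:
        return None
    return build_frame([] if vlan == native_vlan else [vlan])


def classify_ingress(frame: bytes, native_vlan: int, allowed: set[int]) -> tuple[int | None, str]:
    """Trunk ingress: untagged -> native VLAN; tagged -> outer VID if allowed, else dropped."""
    vids = parse_frame(frame)["vids"]
    if not vids:
        return native_vlan, "untagged frame assigned to native VLAN"
    outer = vids[0]
    if outer not in allowed:
        return None, f"VLAN {outer} not allowed on trunk, dropped"
    if len(vids) > 1:
        # A switch only looks at the outer tag, so the inner tag rides across the trunk.
        # Reporting the whole stack is what a capture-based monitor would do to spot double-tagging.
        return outer, f"accepted in VLAN {outer}; stacked tags {vids} (double-tagged frame)"
    return outer, f"tagged frame accepted in VLAN {outer}"


def cross_trunk(vlan: int, tx_native: int, tx_allowed: set[int],
                rx_native: int, rx_allowed: set[int]) -> tuple[int | None, str]:
    """Send a frame from `vlan` across the trunk and report the VLAN the receiving switch puts it in."""
    wire = egress_trunk(vlan, tx_native, tx_allowed)
    if wire is None:
        return None, "VLAN not in sender's allowed list, never sent"
    return classify_ingress(wire, rx_native, rx_allowed)


if __name__ == "__main__":
    sw1 = dict(native=10, allowed={10, 20, 30})   # SW1 Gi0/1 from the chapter
    sw2 = dict(native=20, allowed={20, 30, 40})   # SW2 Gi0/1 from the chapter
    for vlan in (10, 20, 30):
        print(f"VLAN {vlan} from SW1 ->", cross_trunk(vlan, sw1["native"], sw1["allowed"], sw2["native"], sw2["allowed"]))
```

Running it shows VLAN 10 leaving SW1 untagged and being classified as VLAN 20 on SW2 (the leak the chapter describes), VLAN 20 leaving tagged and being accepted on SW2 even though 20 is SW2's native VLAN, and VLAN 30 crossing normally because both ends allow it.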
Symptoms of VLAN Mismatch
Hosts cannot ping each other even though they are in the same VLAN.
DHCP requests fail (broadcasts not forwarded correctly).
Spanning Tree Protocol (STP) may reconverge or cause loops.
CDP/LLDP neighbors not showing up.
Error messages like "%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (10), with SW2 GigabitEthernet0/1 (20)."
How to Troubleshoot
Verify trunk status and native VLAN on both ends using show interfaces trunk.
Ensure the native VLAN matches on both sides.
Check allowed VLAN lists; ensure the VLANs you need are permitted.
Use show cdp neighbors detail to see if CDP reports a native VLAN mismatch.
If using DTP, consider disabling it and setting trunk mode manually.
Interaction with Related Technologies
VTP: VTP advertisements are sent on the native VLAN. A mismatch can prevent VLAN database synchronization.
STP: BPDUs are sent on the native VLAN. A mismatch can cause STP to block ports or create loops.
DTP: DTP frames are sent on the native VLAN. Mismatch can prevent trunk negotiation.
VLAN Hopping: An attacker can exploit native VLAN mismatch by sending double-tagged frames (802.1Q-in-802.1Q) to jump to a different VLAN. To mitigate, set the native VLAN to an unused VLAN and disable trunking on access ports.
Best Practices
Always set the native VLAN to an unused VLAN (e.g., VLAN 999) on all trunk links.
Prune unused VLANs from the trunk allowed list.
Manually configure trunk mode; avoid DTP.
Document VLAN assignments and trunk configurations.
Use switchport nonegotiate to disable DTP.
Identify Symptoms of Mismatch
Begin by recognizing common symptoms: hosts in the same VLAN cannot communicate, DHCP fails, or CDP/LLDP neighbors are missing. On Cisco switches, you may see console messages like 'Native VLAN mismatch discovered'. Use `show interfaces trunk` to quickly see trunk status and native VLAN on each end. Also check for excessive CRC errors or runts on the link, which can indicate tagging issues.
Verify Trunk Configuration on Both Ends
On each switch, execute `show interfaces trunk` and `show interfaces switchport`. Compare the native VLAN and allowed VLAN lists. Ensure both sides use the same native VLAN. If one side is set to trunk and the other to access, you have an operational mismatch. Also confirm the trunk encapsulation (dot1q) matches. Document the expected configuration.
Check CDP or LLDP for Mismatch Alerts
Cisco Discovery Protocol (CDP) reports native VLAN mismatches. Use `show cdp neighbors detail` to see if the remote device reports a different native VLAN. The output includes 'Native VLAN: 10' for the local and 'Native VLAN: 20' for the remote if mismatched. LLDP (IEEE 802.1AB) can also be used with `show lldp neighbors detail` to check VLAN information.
Correct the Native VLAN Mismatch
Choose a consistent native VLAN for the trunk. Best practice is to use an unused VLAN (e.g., VLAN 999) to avoid accidental traffic leakage. On each switch, configure the trunk interface with `switchport trunk native vlan <vlan-id>`. After the change, verify with `show interfaces trunk`. Ensure the switchport mode is set to trunk on both ends.
Correct Allowed VLAN List Mismatch
If the allowed VLAN lists differ, update them to include the same set of VLANs. Use `switchport trunk allowed vlan add <vlan-list>` or `switchport trunk allowed vlan remove <vlan-list>` to synchronize. Be careful not to accidentally remove a VLAN that is in use. After changes, verify with `show interfaces trunk` and test connectivity from hosts in each VLAN.
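The verification steps above (compare native VLAN and allowed lists from `show interfaces trunk` on both ends) can be automated. The following Python is an added example, not code from the chapter or from Cisco: the two output samples are constructed in the layout the chapter shows (the SW1/SW2 values are the chapter's, with a VLAN range added on SW2 to exercise IOS list syntax), and the parser and comparison are assumptions about how such an audit could be written, not a vendor tool.

```python
# Added example (not code from the original chapter): parse `show interfaces
# trunk` style text from both ends of a link and list the mismatches a
# troubleshooter would flag. Both output samples below are constructed.
from __future__ import annotations

SW1_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      10

Port        Vlans allowed on trunk
Gi0/1       10,20,30
"""

SW2_OUTPUT = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      20

Port        Vlans allowed on trunk
Gi0/1       20,30-40
"""


def expand_vlan_list(text: str) -> set[int]:
    """Expand IOS list syntax ('10,20,30-40', ranges inclusive) into a set of VIDs; 'all' is 1-4094."""
    text = text.strip().lower()
    if text == "all":
        return set(range(1, 4095))
    if text in ("", "none"):
        return set()
    vids: set[int] = set()
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), (int(hi) if hi else int(lo)) + 1))
    return vids


def parse_show_trunk(output: str) -> dict[str, dict]:
    """Return {port: {'native': int, 'allowed': set[int]}} from show interfaces trunk text."""
    ports: dict[str, dict] = {}
    section = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            # Header rows name the section; other sections of the real command (active /
            # forwarding VLAN lists) are skipped because this audit only needs these two.
            if "Native vlan" in line:
                section = "status"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None
            continue
        fields = line.split()
        if section == "status" and len(fields) == 5:
            ports.setdefault(fields[0], {})["native"] = int(fields[4])
        elif section == "allowed" and len(fields) == 2:
            ports.setdefault(fields[0], {})["allowed"] = expand_vlan_list(fields[1])
    return ports


def compare_trunk(local: dict, remote: dict) -> list[str]:
    """Mismatches between the two ends of one trunk, in the order a troubleshooter checks them."""
    findings = []
    if local["native"] != remote["native"]:
        findings.append(f"native VLAN mismatch: local {local['native']} vs remote {remote['native']}")
    only_local = sorted(local["allowed"] - remote["allowed"])
    only_remote = sorted(remote["allowed"] - local["allowed"])
    if only_local:
        findings.append(f"VLANs allowed only on local end (dropped by remote): {only_local}")
    if only_remote:
        findings.append(f"VLANs allowed only on remote end (dropped by local): {only_remote}")
    # Best-practice check from the chapter: the default native VLAN 1 should be replaced by an unused VLAN.
    for side, cfg in (("local", local), ("remote", remote)):
        if cfg["native"] == 1:
            findings.append(f"{side} end still uses default native VLAN 1")
    return findings


if __name__ == "__main__":
    sw1 = parse_show_trunk(SW1_OUTPUT)["Gi0/1"]
    sw2 = parse_show_trunk(SW2_OUTPUT)["Gi0/1"]
    for finding in compare_trunk(sw1, sw2):
        print(finding)
```

For the constructed samples the report lists the native VLAN mismatch (10 vs 20), VLAN 10 allowed only on SW1, and VLANs 31-40 allowed only on SW2; the same two-ended comparison is what `show interfaces trunk` on both switches gives you by eye.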
In a large enterprise campus network with hundreds of switches, VLAN mismatches are a common source of outages. For example, during a network upgrade, a junior engineer reconfigures a trunk port but forgets to set the native VLAN to the standard (e.g., VLAN 999). Overnight, the native VLAN remains as VLAN 1 on the new switch, while the rest of the network uses VLAN 999. The result: CDP fails, STP reconverges causing a temporary loop, and users in VLAN 10 (which is the native VLAN on the old switch but not the new one) lose connectivity. The helpdesk receives hundreds of tickets. The senior engineer quickly runs show interfaces trunk on both ends, spots the mismatch, and corrects the native VLAN. The fix takes seconds, but the outage could have been avoided with consistent configuration templates.
Another scenario: A data center uses VMware vSwitch trunk ports connecting to physical switches. The virtual switch is configured to tag all VLANs, but the physical switch trunk port expects the native VLAN to be untagged. If the native VLAN on the physical switch is set to VLAN 1 (default) and the vSwitch does not tag VLAN 1 traffic, frames from the management VLAN (VLAN 1) arrive untagged and are correctly placed in VLAN 1. However, if the physical switch's native VLAN is changed to VLAN 100 (unused), but the vSwitch still sends untagged frames (which it treats as VLAN 1), those frames are placed into VLAN 100 on the physical switch, breaking management connectivity. The fix requires either changing the vSwitch to tag the native VLAN or aligning the native VLAN on both sides.
Performance considerations: A native VLAN mismatch can cause unicast flooding if STP reconverges, leading to high CPU usage on switches. In large networks, this can cause switch crashes. Best practice is to use a dedicated, unused VLAN as the native VLAN on all trunks and enforce this via configuration management tools like Ansible or Cisco Prime.
The N10-009 exam tests VLAN mismatch and native VLAN issues under Objective 5.2 (Given a scenario, troubleshoot common network issues). Expect 2-3 questions on this topic, often in performance-based simulations where you must identify the cause from symptoms and CLI output.
Common Wrong Answers:
1. 'The trunk link is down' – Candidates see connectivity loss and assume a physical issue, but the link may be up with mismatched VLANs. Look for CDP errors or partial connectivity.
2. 'DHCP server is unreachable' – DHCP failure is a symptom, not the root cause. The exam wants you to identify the VLAN mismatch.
3. 'VLAN pruning is misconfigured' – While allowed VLAN lists matter, the native VLAN mismatch is a distinct issue. Questions often focus on native VLAN specifically.
Verbatim Terms and Values:
- Default native VLAN: 1
- IEEE 802.1Q
- Commands: show interfaces trunk, show interfaces switchport, show cdp neighbors detail
- Error message: 'Native VLAN mismatch discovered'
Edge Cases:
- When one side is trunk and the other is access, the access port will treat all frames as belonging to its access VLAN, causing a mismatch in effect.
- On some non-Cisco switches, the native VLAN concept may be called 'untagged VLAN' or 'PVID'.
- Double-tagging attacks: The exam may ask how to prevent VLAN hopping; answer: set native VLAN to an unused VLAN and disable trunking on access ports.
How to Eliminate Wrong Answers:
- If the question mentions 'CDP neighbor not seen' and 'some hosts work', suspect native VLAN mismatch.
- If the question shows output with different native VLANs on each side, that is the answer.
- If the question involves DHCP failure but the link is up, check VLANs first.
Default native VLAN is VLAN 1 on Cisco switches.
Native VLAN mismatch causes untagged frames to be placed in the wrong VLAN.
Use 'show interfaces trunk' to verify native VLAN and allowed VLAN lists.
CDP reports native VLAN mismatch with the message 'Native VLAN mismatch discovered'.
Best practice: set native VLAN to an unused VLAN on all trunk links.
VLAN mismatch can cause DHCP failure, STP reconvergence, and loss of connectivity.
Always manually configure trunk mode and disable DTP for security.
IEEE 802.1Q standard defines VLAN tagging with a 12-bit VLAN ID.
VLAN hopping attacks exploit native VLAN mismatch with double-tagging.
To prevent VLAN hopping, set native VLAN to unused VLAN and disable trunking on access ports.
These come up on the exam all the time. Here's how to tell them apart.
VLAN Mismatch
Involves any VLAN ID misconfiguration on trunk (allowed list or access VLAN).
Can cause traffic loss for specific VLANs.
May affect both tagged and untagged frames.
Detected by comparing allowed VLAN lists on both ends.
Example: SW1 allows VLAN 10 but SW2 does not; traffic for VLAN 10 is dropped.
Native VLAN Mismatch
Specifically refers to disagreement on which VLAN is untagged on a trunk.
Causes untagged frames to be placed in the wrong VLAN.
Only affects untagged frames (native VLAN traffic).
Detected by CDP/LLDP or comparing native VLAN configuration.
Example: SW1 native VLAN 10, SW2 native VLAN 20; untagged frames go to wrong VLAN.
Mistake
VLAN mismatch only affects tagged traffic.
Correct
VLAN mismatch affects both tagged and untagged traffic. The native VLAN mismatch specifically impacts untagged frames, causing them to be placed in the wrong VLAN. Tagged traffic may also be dropped if the VLAN is not in the allowed list.
Mistake
Setting the native VLAN to an unused VLAN eliminates all VLAN mismatch issues.
Correct
It eliminates native VLAN mismatch issues, but you still need to ensure allowed VLAN lists match. A mismatch in allowed VLANs can still cause traffic loss for specific VLANs.
Mistake
VLAN mismatch only occurs on trunk ports.
Correct
While trunk ports are the most common, VLAN mismatch can also occur on access ports if the VLAN configured on the switch differs from the VLAN expected by the connected device (e.g., a VoIP phone with a PC behind it).
Mistake
CDP automatically fixes native VLAN mismatch.
Correct
CDP only detects and reports the mismatch; it does not correct it. The network engineer must manually reconfigure the native VLAN to match.
Mistake
Native VLAN mismatch only causes issues with broadcast traffic.
Correct
It affects all traffic on the native VLAN, including unicast. Untagged frames (including BPDUs, CDP, and user data) are misclassified, leading to connectivity loss for all hosts in that VLAN.
A VLAN mismatch occurs when two connected switch ports have different VLAN configurations (e.g., different allowed VLANs or native VLAN). To fix it, ensure both sides have the same native VLAN and allowed VLAN list. Use `switchport trunk native vlan <vlan>` and `switchport trunk allowed vlan <vlan-list>` on both interfaces. Verify with `show interfaces trunk`.
It means that two directly connected Cisco switches have different native VLANs configured on their trunk link. For example, one has native VLAN 1 and the other has native VLAN 10. This causes untagged frames to be misclassified. Resolve by setting the same native VLAN on both ends.
Yes, indirectly. STP BPDUs are sent on the native VLAN. If the native VLAN mismatches, BPDUs may not be received correctly, causing STP to fail and potentially create loops. Also, misclassified frames can cause unicast flooding.
VLAN hopping can occur via double-tagging when the native VLAN is the same as the attacker's VLAN. To prevent: set the native VLAN to an unused VLAN, disable trunking on access ports (use `switchport mode access`), and avoid using VLAN 1 as native. Also, use `switchport nonegotiate` to disable DTP.
The default native VLAN is VLAN 1. It is recommended to change it to an unused VLAN for security and to avoid accidental traffic mixing.
Use `show interfaces trunk` to see the native VLAN for each trunk port. Alternatively, `show interfaces <interface> switchport` shows the native VLAN in the output under 'Trunking Native Mode VLAN'.
Yes. DHCP uses broadcast frames. If the native VLAN mismatches, DHCP Discover messages from a client in the native VLAN may not reach the DHCP server if the server is in a different VLAN or if the broadcast is misclassified. This can cause DHCP failure.