07-05-2022 12:30 PM
Why is it important to keep the same number for the native VLAN? I mean, the switch could decide that any untagged frame arriving from a trunk is directed to the native VLAN regardless of its number.
07-05-2022 12:42 PM
The native VLAN is a special VLAN whose traffic traverses the 802.1Q trunk without any VLAN tag.
It does not matter whether you use the same native VLAN, remove the native VLAN, or suppress the logs.
07-05-2022 01:03 PM - edited 07-05-2022 01:05 PM
Hello,
Correct. That's actually a popular attack as well. It's called VLAN hopping. The reason the native VLANs must match is that the trunk will send the untagged frame down the link. When the receiving end sees it is untagged, it knows from its configuration that it belongs to the native (untagged) VLAN.
"VLAN Hopping is an attack where the attacker is able to send traffic from one VLAN into another. There are two different methods to accomplish this: Double tags: the idea behind the attack is that the attacker is connected to an interface in access mode with the same VLAN as the native untagged VLAN on the trunk."
You don't HAVE to have a native VLAN. It's more of a way to connect legacy devices like hubs. They can't process tagged frames, and everything connected to one belongs to the same VLAN since it's not a managed switch. Therefore you would set the native VLAN to the VLAN you want the hosts connected to the hub to be in, and the switch will leave it untagged so the hub can distribute it and the hosts can read it.
By default the native VLAN is 1, but you can disable that and tag all VLANs (best practice).
Hope that helps
-David
07-05-2022 03:36 PM - edited 07-06-2022 03:52 PM
SW1 - SW2
Native VLAN on SW1 is VLAN 1; native VLAN on SW2 is VLAN 2.
Now, if a client in VLAN 1 sends traffic to a client in VLAN 1 on the other switch (SW2), the frame will be dropped, because SW2 will bridge it into VLAN 2, not VLAN 1.
That is why the native VLAN is important.
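The two situations described in the posts above, the double-tag VLAN hopping attack (native VLAN left untagged and equal to the attacker's access VLAN) and the native VLAN mismatch between SW1 and SW2, can be walked through with real 802.1Q frame bytes. The following is an added example, not code from the thread or from Cisco; it models the textbook trunk behaviour (native-VLAN frames leave untagged unless "tag native" is on, untagged frames arriving on a trunk are placed in the receiving switch's native VLAN) rather than any vendor's exact forwarding pipeline. The MAC addresses, VLAN numbers and the `deliver()` helper are constructed for the demonstration.

```python
"""Simulate how native-VLAN handling on an 802.1Q trunk decides which VLAN a
frame lands in on the far switch.  Added example: the switch behaviour modelled
here is the classic textbook description, not any vendor's exact pipeline."""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IPV4 = 0x0800
DST = bytes.fromhex("ffffffffffff")   # constructed sample addresses
SRC = bytes.fromhex("0200c0ffee01")


def build_frame(vids, payload=b"\x00" * 46):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    hdr = DST + SRC
    for vid in vids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)   # TPID + TCI (VID only)
    return hdr + struct.pack("!H", ETH_P_IPV4) + payload


def pop_tag(frame):
    """Return (vid, frame_without_outer_tag); vid is None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def access_ingress(frame, access_vid):
    """Access port: the frame belongs to the port's VLAN.  A tag equal to that
    VLAN is accepted and stripped, which is what the double-tag attack relies on."""
    vid, stripped = pop_tag(frame)
    if vid == access_vid:
        return access_vid, stripped
    return access_vid, frame


def trunk_egress(vid, frame, native, tag_native):
    """Trunk sends native-VLAN frames untagged unless 'vlan dot1q tag native' is on."""
    if vid == native and not tag_native:
        return frame
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def trunk_ingress(frame, native):
    """Far trunk: untagged -> receiving switch's native VLAN; otherwise the outer tag decides."""
    vid, inner = pop_tag(frame)
    return (native, inner) if vid is None else (vid, inner)


def deliver(attacker_tags, access_vid, sw1_native, sw2_native, tag_native=False):
    """Return (VLAN that SW2 forwards the frame into, VID of any tag still attached).

    attacker_tags: tags the host puts on the frame itself, outermost first
    access_vid:    VLAN of the access port the host is plugged into on SW1
    """
    frame = build_frame(attacker_tags)
    vid, frame = access_ingress(frame, access_vid)
    on_wire = trunk_egress(vid, frame, sw1_native, tag_native)
    vid2, frame2 = trunk_ingress(on_wire, sw2_native)
    leftover, _ = pop_tag(frame2)   # a tag SW2 would treat as plain payload
    return vid2, leftover


if __name__ == "__main__":
    # Double tag [1, 20] from an access port in VLAN 1, native VLAN 1 untagged on both
    # sides: SW1 strips tag 1, sends untagged, SW2 reads the inner tag -> lands in VLAN 20.
    print("double tag, native 1 untagged:", deliver([1, 20], 1, 1, 1))
    # Same attack with native VLAN tagged: SW2 sees outer tag 1, the inner tag 20 is payload.
    print("double tag, native tagged    :", deliver([1, 20], 1, 1, 1, True))
    # Same attack with an unused native VLAN (999) on both sides: VLAN 1 goes tagged.
    print("double tag, unused native    :", deliver([1, 20], 1, 999, 999))
    # Native mismatch: VLAN 1 host on SW1 (native 1) is bridged into VLAN 2 on SW2 (native 2).
    print("native mismatch 1 vs 2       :", deliver([], 1, 1, 2))
```

The last two cases are the two fixes discussed in the thread: either tag the native VLAN on the trunk or move the native VLAN to an unused number, so the attacker's outer tag never matches the VLAN the trunk sends untagged. The mismatch case shows the frame silently crossing from VLAN 1 to VLAN 2 without either switch logging an error beyond the CDP native-VLAN mismatch warning.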
07-06-2022 03:45 PM
By default Cisco uses native VLAN 1 for carrying control traffic such as STP, CDP, DTP, etc. Even if you change the native VLAN to a number other than 1, that control traffic still uses VLAN 1.
The other reason is security, as mentioned above, and that is one very important reason for native VLAN 1 to be left alone and not carry any "important" data traffic (end-user traffic).
Regards, ML