Default VLAN 1

Huan NG
Level 1

Hi all,

Hope you all are doing well.
I have a quick question regarding the default Vlan 1.
If I choose VLAN 1 not to be a native VLAN on my switches by issuing the command SW1(config-if)#switchport trunk native vlan 100. Will the default Vlan 1 be tagged? 
Thank you for any insights.


Regards,
Huan

13 Replies

@Huan NG 

VLAN 1 is not tagged in a Cisco switch. It is a special VLAN. Doesn't matter if you choose another VLAN to be native.

Joseph W. Doherty
Hall of Fame

I believe the answer is yes, which appears contrary to @Flavio Miranda's reply.  I suspect what Flavio has in mind is control traffic, like CDP, VTP, DTP, which are considered part of VLAN 1, and are untagged, I also believe, regardless of a trunk port's native VLAN assignment.

Thank you. It is what I thought as well but want to be assured by asking.

No, any native VLAN by default is not tagged, whether it is VLAN 1 or another VLAN.

You can check that by 

Show interface x switchport 

This output shows you whether the native VLAN is tagged or not.

Note: you can change this default behavior.

MHM

Yes, I learned that a native VLAN on trunks isn't tagged.
But when the default VLAN 1 isn't a native VLAN on a trunk anymore, it will be tagged.

Yes, sure, VLAN 1 will be tagged if it is not the native VLAN.

MHM

Hello


@Huan NG wrote:

#switchport trunk native vlan 100. Will the default Vlan 1 be tagged? 


yes it will.

Note: the concept of native VLAN is ONLY applicable to dot1q trunks; with ISL trunks there is no such concept, as ISL encapsulates the VLAN frame and does not tag it.

Edited:
FYI - Although you are prohibited from deleting VLAN 1, it can be pruned off a trunk, along with any other manually specified native VLAN (which, by the way, doesn't even need to exist in the VLAN database), without any detrimental effect to any of the ctrl plane protocols; they will all still work.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

M02@rt37
VIP

Hello @Huan NG 

When you configure a trunk port to use a native VLAN other than VLAN 1 (e.g., switchport trunk native vlan 100), the behavior of VLAN 1 changes on that trunk link. By default, VLAN 1 is untagged on trunk links because it is the default native VLAN. However, when you explicitly set the native VLAN to a different VLAN (such as VLAN 100 in your case), the default VLAN 1 will no longer be treated as the native VLAN. Instead, VLAN 1 will be tagged like all other non-native VLANs on the trunk.

Why ?
The native VLAN is a special designation on trunk links for traffic that is transmitted without an 802.1Q tag. When you change the native VLAN from VLAN 1 to VLAN 100, only VLAN 100 traffic will be untagged on the trunk. All other VLANs, including VLAN 1, will have their traffic tagged with the corresponding VLAN ID.

-Tagged VLAN 1 Traffic: Traffic belonging to VLAN 1 will be sent with an 802.1Q tag on the trunk link. This ensures that the receiving switch can distinguish VLAN 1 traffic from other VLANs.
-Native VLAN Traffic: Only traffic belonging to VLAN 100 will remain untagged on the trunk.

** Best Practices: Changing the native VLAN from VLAN 1 is considered a best practice for security reasons, as VLAN 1 is often a default target for attacks **

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Perhaps it might help if we think about the meaning of the terms. When we say that vlan 1 is the default vlan we are saying simply that any layer 2 switchport that is not specifically assigned to some vlan will be assigned to vlan 1. Saying that vlan 1 is the default vlan does not say anything about whether it is tagged or not. 

Tags become a factor when we introduce trunking. With multiple vlans on the trunk there needs to be a way to determine which vlan a frame belongs to, and the tag is the mechanism for that. On the trunk one vlan will be transmitted with no tag and this is the "native" vlan. Note that "native" and "default" are not necessarily related. 

HTH

Rick

Yep ! When we refer to VLAN 1 as the default VLAN, we are describing the behavior of a switch. On most switches, any L2 port that is not explicitly assigned to a VLAN is automatically associated with VLAN 1. This makes VLAN 1 the default for unconfigured access ports. However, this designation of "default" does not inherently mean anything about how frames are tagged—it is simply the starting VLAN assignment for ports.

The tagging of VLANs comes into play when trunking is configured. A trunk link allows multiple VLANs to traverse a single physical connection between switches or other network devices. To ensure frames are identified correctly as belonging to specific VLANs, a tag is added to the Ethernet frame. This tagging is done using protocols like 802.1Q.

On a trunk link, there is a concept of the native VLAN, which specifies one VLAN that will transmit its traffic untagged. This is often VLAN 1 by default, but administrators can change the native VLAN to another VLAN for various reasons, such as improved security or separation of management traffic. The key point here is that the native VLAN refers to how frames are transmitted over a trunk (untagged), while the default VLAN refers to the initial assignment of ports.

Importantly, the default VLAN and the native VLAN are not inherently tied together. For instance:

  • VLAN 1 might be the default VLAN for access ports, but another VLAN (e.g., VLAN 100) could be designated as the native VLAN on trunk links.
  • Similarly, the native VLAN on a trunk can be changed to any VLAN, and VLAN 1 can still serve as the default VLAN for unconfigured ports.

This distinction is crucial for designing and managing networks effectively, especially in environments where security or traffic segmentation is a concern. 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

vishalbhandari
Spotlight

@Huan NG 

No, VLAN 1 will not be tagged. When you change the native VLAN to 100, VLAN 1 will no longer be treated as the native VLAN. However, VLAN 1 remains untagged by default on trunk links unless explicitly configured otherwise. Native VLAN 100 will also be untagged, but all other VLANs will be tagged as usual.

Hello @Huan NG 
Apologies, this is incorrect. You cannot have two native VLANs; as such, if a VLAN other than VLAN 1 is specified as native, then VLAN 1 will be tagged.
Now for ctrl plane protocols: they will still work even if VLAN 1 is excluded from the trunk altogether and the new native VLAN didn't even exist in the VLAN DB. For instance, and if my memory is correct, DTP is always untagged, but CDP on the other hand always chooses the lowest VLAN number, and those packets can be tagged. I'm sure others will correct me if I'm wrong.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joseph W. Doherty
Hall of Fame

BTW, I suspect a "native" VLAN frame, on a Cisco trunk port likely is called such because it's like a frame usually seen on access ports or most host NICs, natively, i.e. untagged.

However, I've been told that a Cisco trunk port will also accept tagged frames for their native VLAN, if the tag's VLAN ID matches the native VLAN.

Also, although I agree with @Richard Burts that the primary purpose of .1Q tags is to differentiate between multiple VLANs, the tag can also be used just for QoS purposes using a VLAN ID of zero.  The latter, possibly, might be considered a "native" VLAN ID.  (Don't know whether a Cisco trunk would accept such, but at least some of their access ports are supposed to.)

Lastly, other hardware vendors' equivalent of a Cisco trunk port might not accept any frame without a tag, and such a tag not using VLAN ID zero.
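A small model of the behaviour discussed in M02@rt37's answer and in the post above, added here as an example and not code from the original thread or from Cisco: it builds 802.1Q frames the way a dot1q trunk sends them (only the native VLAN leaves untagged, so VLAN 1 is tagged with VID 1 once the native VLAN is 100) and classifies received frames, including the two edge cases mentioned above (a tag carrying the native VID, and a priority tag with VID 0). The MAC addresses and payload are constructed sample values.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # TPID that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (not from the thread)
SAMPLE_DST = bytes.fromhex("ffffffffffff")
SAMPLE_SRC = bytes.fromhex("021122334455")


def untagged_frame(dst, src, payload, ethertype=ETHERTYPE_IPV4):
    """Plain Ethernet II frame: dst, src, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(dst, src, vid, payload, ethertype=ETHERTYPE_IPV4, pcp=0):
    """802.1Q frame: TPID 0x8100 followed by TCI = PCP(3) | DEI(1) | VID(12)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def trunk_egress(vlan, native_vlan, dst=SAMPLE_DST, src=SAMPLE_SRC, payload=b"\x00" * 46):
    """What a dot1q trunk puts on the wire for a frame belonging to `vlan`.
    Only the native VLAN is sent untagged; every other VLAN, VLAN 1 included,
    is sent with a tag carrying its VID."""
    if vlan == native_vlan:
        return untagged_frame(dst, src, payload)
    return tag_frame(dst, src, vlan, payload)


def frame_vid(frame):
    """Return the VID in the frame's tag, or None when the frame is untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF


def trunk_ingress(frame, native_vlan):
    """Classify a received frame to a VLAN: (vlan, was_tagged).
    Untagged frames belong to the native VLAN. A tag whose VID equals the
    native VLAN is accepted as native. A priority tag (VID 0) carries only
    QoS bits, so it is mapped to the native VLAN as well."""
    vid = frame_vid(frame)
    if vid is None:
        return native_vlan, False
    if vid == 0:
        return native_vlan, True
    return vid, True
```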
