185 Views, 0 Helpful, 3 Replies

Native VLAN mismatch - explanation needed

iores (Level 3)

Hi,

I was reading this article.

What does it mean that the switch was connected to the same server that "crossed VLANs"?

Does it mean that the server behaved like a hub?

Accepted Solution

M02@rt37 (VIP)

Hello @iores 

When this article says that the switch was connected to a server that "crossed VLANs," it doesn’t mean that the server behaved like a hub, but rather that the server was configured in such a way (intentionally or accidentally...) that it was bridging or routing traffic between VLANs internally.

In most cases, this happens when a server has multiple virtual interfaces (like in a virtualized environment with VMware, Hyper-V, etc.) or is running some kind of software bridge between VLAN-tagged and untagged interfaces. If that server receives frames on one VLAN and then sends them back out tagged as another VLAN (or as untagged/native), it can create a situation where VLANs "leak" into each other — essentially crossing VLAN boundaries...

This is problematic because switches expect clear separation of VLANs. If a server sends traffic with an unexpected VLAN tag or as untagged (native) traffic on a trunk port where the native VLAN is different on each end, it can trigger a CDP-NATIVE_VLAN_MISMATCH message — since Cisco devices expect the native VLAN to match on both ends of a trunk.

So no, the server isn’t acting like a hub in the classic sense, but it is acting as an L2 (or sometimes Layer 3) bridge or router that is moving traffic between VLANs in a way the network design didn’t account for. This can cause unexpected behavior, including VLAN mismatches and even security issues if sensitive traffic leaks into the wrong VLAN.

Hope that is clear.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


3 Replies


M02@rt37 

Based on the logs from the article, it seems like the switch is connected to itself?

Yep! It suggests the switch is connected to itself — or at least, two ports on the same switch (or stack) are connected to each other.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
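Two checks a defender can run against the behaviour described in the accepted solution (a host re-emitting frames on a different VLAN or untagged) and in the last reply (a native VLAN mismatch where the "neighbor" is the switch itself). This is an added example, not code from the thread or from Cisco: it parses raw 802.1Q frames from a trunk, reports source MACs seen on more than one VLAN, and extracts both sides of a %CDP-4-NATIVE_VLAN_MISMATCH syslog line. The native VLAN of 1, the sample frames, the sample syslog line and the regex for the message format are all assumptions constructed for the example.

```python
import re
import struct
from collections import defaultdict

# Assumption for this example: the observed trunk's native VLAN is 1,
# so untagged frames are attributed to VLAN 1.
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
NATIVE_VLAN = 1


def build_frame(src_mac: str, vlan_id=None) -> bytes:
    """Construct a minimal broadcast Ethernet frame; 802.1Q-tagged if vlan_id is given."""
    dst = b"\xff" * 6
    src = bytes.fromhex(src_mac.replace(":", ""))
    payload = b"\x00" * 46
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)  # PCP/DEI bits left at 0
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes, native_vlan: int = NATIVE_VLAN):
    """Return (src_mac, vlan_id, tagged). Untagged frames belong to the native VLAN."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        return src_mac, tci & 0x0FFF, True   # low 12 bits of the TCI are the VLAN ID
    return src_mac, native_vlan, False


def find_vlan_crossing(frames, native_vlan: int = NATIVE_VLAN) -> dict:
    """Map each source MAC to the VLANs it was seen on; report those seen on more than one."""
    seen = defaultdict(set)
    for frame in frames:
        src_mac, vlan_id, _tagged = parse_frame(frame, native_vlan)
        seen[src_mac].add(vlan_id)
    return {mac: sorted(vlans) for mac, vlans in seen.items() if len(vlans) > 1}


# Regex for the IOS-style native VLAN mismatch message (format is an assumption of this example).
CDP_MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on (\S+) \((\d+)\),"
    r" with (\S+) (\S+) \((\d+)\)"
)


def parse_cdp_mismatch(line: str, local_hostname: str):
    """Extract both ends of a mismatch; flag the case where the 'neighbor' is this same switch."""
    m = CDP_MISMATCH_RE.search(line)
    if not m:
        return None
    return {
        "local_port": m.group(1),
        "local_native_vlan": int(m.group(2)),
        "neighbor": m.group(3),
        "neighbor_port": m.group(4),
        "neighbor_native_vlan": int(m.group(5)),
        "self_connected": m.group(3) == local_hostname,
    }


# Constructed sample traffic on a trunk facing a virtualized host (not a real capture).
SERVER_MAC = "02:00:00:00:00:01"   # host running a software bridge between its VLAN interfaces
CLIENT_MAC = "02:00:00:00:00:02"   # ordinary host that only lives on VLAN 10
SAMPLE_FRAMES = [
    build_frame(CLIENT_MAC, 10),
    build_frame(SERVER_MAC, 10),     # frame received on VLAN 10 ...
    build_frame(SERVER_MAC, 20),     # ... re-emitted tagged as VLAN 20
    build_frame(SERVER_MAC),         # ... and again untagged, i.e. on the native VLAN
]

# Constructed syslog line in the IOS message style (not taken from the article).
SAMPLE_SYSLOG = (
    "Oct 10 12:00:01.123: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered "
    "on GigabitEthernet1/0/1 (1), with SW1 GigabitEthernet1/0/2 (10)."
)

if __name__ == "__main__":
    print("MACs seen on more than one VLAN:", find_vlan_crossing(SAMPLE_FRAMES))
    print("CDP mismatch:", parse_cdp_mismatch(SAMPLE_SYSLOG, local_hostname="SW1"))
```

On the sample input the server's MAC is reported on VLANs 1, 10 and 20 while the client's is not, which is the "leak" signature of a host bridging between VLANs; feeding frames from a SPAN session of the server-facing trunk gives the same check on real traffic. For the syslog side, passing the switch's own hostname as `local_hostname` turns the last reply's observation into an explicit flag: a mismatch reported against yourself means two of your own ports are cabled together.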