The native VLAN is simply the default VLAN all ports are in on your network switch. Frames in the native VLAN are untagged by default and represent a security vulnerability. Changing the native VLAN is an important security step. Native VLAN numbers must match on either side of a trunk link.
Change the Native VLAN
Lab Details
You can use the free tool Cisco Packet Tracer to configure this lab.
Use the topology below, which is two switches connected together.
You must know all the basic steps to follow to protect your network such as changing default logins and enforcing strong passwords. Changing your native VLAN is another such step. Here’s how you do it.
Lab Walkthrough
Task 1:
Drag two switches onto the canvas and connect them with a crossover cable.
Task 2:
Configure the port on one side as a trunk and the link between the switches will come up as a trunk link.
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#host SW0
SW0(config)#int f0/1
SW0(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Task 3:
Check the layer 2 status of the port. Note the fact it is now a trunk and is using VLAN1 as the native VLAN.
SW0#show int f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Task 4:
Create VLAN 10 and then change the native VLAN. You should see errors right away because Switch1 still uses VLAN1 as the native VLAN.
SW0(config)#vlan 10
SW0(config-vlan)#exit
SW0(config)#int f0/1
SW0(config-if)#switchport trunk native vlan ?
<1-4094> VLAN ID of the native VLAN when this port is in trunking mode
SW0(config-if)#switchport trunk native vlan 10
SW0(config-if)#end
SW0#
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (10), with Switch FastEthernet0/1 (1).
Task 5:
Check the layer 2 configurations on F0/1 for Switch0.
SW0#show int f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 10 (VLAN0010)
Voice VLAN: none
Task 6:
Configure VLAN 10 on Switch1 and set it as the native VLAN on F0/1.
Switch>
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname SW1
SW1(config)#vlan 10
SW1(config-vlan)#int f0/1
SW1(config-if)#switchport trunk native vlan 10
%SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/1 on VLAN0010. Port consistency restored.
Notes:
This is yet another important security step. You would usually use a high number for the VLAN and one which is unused by hosts. You can also check the native VLAN with the ‘show interfaces trunk’ command.
SW0#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       none
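An added example (not part of the original lab): a Python audit that reads 'show interfaces switchport' output and the %CDP-4-NATIVE_VLAN_MISMATCH message, in the formats shown in this lab, to flag trunks still on native VLAN 1 and trunk links whose two ends disagree. The sample text, the extra ports Fa0/2 and Fa0/3, and all function names are constructed for illustration.

```python
import re

# Constructed sample in the 'show interfaces switchport' format used in this lab.
SAMPLE_SWITCHPORT = """\
Name: Fa0/1
Operational Mode: trunk
Trunking Native Mode VLAN: 1 (default)
Name: Fa0/2
Operational Mode: trunk
Trunking Native Mode VLAN: 10 (VLAN0010)
Name: Fa0/3
Operational Mode: static access
Trunking Native Mode VLAN: 1 (default)
"""

# Constructed sample log lines in the message format shown in Task 4.
SAMPLE_LOG = """\
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/1 (10), with Switch FastEthernet0/1 (1).
"""

MISMATCH = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(\S+) \((\d+)\), with (\S+) (\S+) \((\d+)\)")

def parse_switchport(text):
    """Split the output into one dict of 'key: value' fields per interface."""
    ports = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a 'key: value' line
        if key.strip() == "Name":
            ports.append({})  # a 'Name:' line starts a new interface block
        if ports:
            ports[-1][key.strip()] = value.strip()
    return ports

def trunks_on_default_native(text, default_vlan=1):
    """Return names of operational trunks whose native VLAN is default_vlan."""
    return [p["Name"] for p in parse_switchport(text)
            if p.get("Operational Mode") == "trunk"
            and p.get("Trunking Native Mode VLAN", "").split()[:1] == [str(default_vlan)]]

def native_vlan_mismatches(log):
    """Return (local_port, local_vlan, peer, peer_port, peer_vlan) per mismatch."""
    return [(m[1], int(m[2]), m[3], m[4], int(m[5])) for m in MISMATCH.finditer(log)]

if __name__ == "__main__":
    print(trunks_on_default_native(SAMPLE_SWITCHPORT), native_vlan_mismatches(SAMPLE_LOG))
```

Feed it saved output from each switch; any port it returns is a trunk that still needs the change from Task 4, and any mismatch tuple is a link where only one side has been changed.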