Understanding the Native VLAN ID for Trunk Ports
Understanding the Native VLAN ID for Trunk Ports
A trunk port can carry untagged packets simultaneously with the 802.1Q tagged packets. When you assign a
default port VLAN ID to the trunk port, all untagged traffic travels on the default port VLAN ID for the trunk
port, and all untagged traffic is assumed to belong to this VLAN. This VLAN is referred to as the native
VLAN ID for a trunk port. The native VLAN ID is the VLAN that carries untagged traffic on trunk ports.
The trunk port sends an egressing packet with a VLAN that is equal to the default port VLAN ID as untagged;
all the other egressing packets are tagged by the trunk port. If you do not configure a native VLAN ID, the
trunk port uses the default VLAN.
Note
Native VLAN ID numbers must match on both ends of the trunk.
Understanding Allowed VLANs
By default, a trunk port sends traffic to and receives traffic from all VLANs. All VLAN IDs are allowed on
each trunk. However, you can remove VLANs from this inclusive list to prevent traffic from the specified
VLANs from passing over the trunk. You can add any specific VLANs later that you may want the trunk to
carry traffic for back to the list.
To partition the Spanning Tree Protocol (STP) topology for the default VLAN, you can remove VLAN1 from
the list of allowed VLANs. Otherwise, VLAN1, which is enabled on all ports by default, will have a very big
STP topology, which can result in problems during STP convergence. When you remove VLAN1, all data
traffic for VLAN1 on this port is blocked, but the control traffic continues to move on the port.
Understanding Native 802.1Q VLANs
To provide additional security for traffic passing through an 802.1Q trunk port, the vlan dot1q tag native
command was introduced. This feature provides a means to ensure that all packets going out of a 802.1Q
trunk port are tagged and to prevent reception of untagged packets on the 802.1Q trunk port.
Without this feature, all tagged ingress frames received on a 802.1Q trunk port are accepted as long as they
fall inside the allowed VLAN list and their tags are preserved. Untagged frames are tagged with the native
VLAN ID of the trunk port before further processing. Only those egress frames whose VLAN tags are inside
the allowed range for that 802.1Q trunk port are received. If the VLAN tag on a frame happens to match that
of the native VLAN on the trunk port, the tag is stripped off and the frame is sent untagged.
This behavior could potentially be exploited to introduce "VLAN hopping" in which a hacker could try and
have a frame jump to a different VLAN. It is also possible for traffic to become part of the native VLAN by
sending untagged packets into an 802.1Q trunk port.
To address the above issues, the vlan dot1q tag native command performs the following functions:
• On the ingress side, all untagged data traffic is dropped.
• On the egress side, all traffic is tagged. If traffic belongs to native VLAN it is tagged with the native
Cisco Nexus 5000 Series NX-OS Layer 2 Switching Configuration Guide, Release 5.1(3)N1(1)
72
VLAN ID.
Configuring Access and Trunk Interfaces
OL-25842-01