Native VLAN

Certain traffic crosses a trunk link with no VLAN tag at all, and the switch still knows which VLAN the Ethernet frame belongs to. An Ethernet frame that travels a trunk link without a VLAN tag belongs to the Native VLAN. By default the native VLAN is VLAN 1, but it can be configured as any existing VLAN, such as VLAN 100, VLAN 200, or VLAN 300. For example, if the native VLAN for a topology with 3 switches is VLAN 100, then when an Ethernet frame arrives at one of those switches via a trunk link without a VLAN tag, the switch assumes the frame belongs to VLAN 100.

Native VLANs are useful for backward compatibility with switches that do not support VLAN tags. If there is a switch in a topology that does not support 802.1Q tagging, that switch can still participate in the topology, depending on which VLAN you want it to forward traffic for. If you want that one switch to forward traffic for VLAN 10, you set the native VLAN on the rest of the switches to VLAN 10. When the legacy switch sends its traffic untagged, all the switches in the topology automatically assume that the frame belongs to VLAN 10. This allows the legacy switch to participate in the network topology without having its frames dropped.

The native VLAN carries untagged traffic only, and a trunk can have only one native VLAN. Native VLANs exist only on trunk ports; access ports do not support them. The native VLAN must match on both ends of every trunk in the network topology, because a mismatch causes security vulnerabilities and opens the door for VLAN hopping. Attackers can exploit native VLAN mismatches to gain access to a VLAN they are not supposed to have access to.
