Supporting Multiple VLANs on a Single Trunk
What is an 802.1Q native VLAN?

When configuring an 802.1Q trunk, a matching native VLAN must be defined on each end of the trunk link. A trunk link inherently tags each frame with a VLAN ID. The purpose of the native VLAN is to allow frames not tagged with a VLAN ID to traverse the trunk link. An 802.1Q native VLAN is defined as one of the following:

  • The VLAN that a port is associated with when not in trunking operational mode
  • The VLAN that is associated with untagged frames that are received on a switch port
  • The VLAN to which Layer 2 frames will be forwarded if received untagged on an 802.1Q trunk port

Compare this to ISL, where no frame may be transported on the trunk link without encapsulation and any frames received on a trunk port that are un-encapsulated are immediately dropped.

Each physical port has a parameter called a Port VLAN identifier (PVID). Every 802.1Q port is assigned a PVID value equal to the native VLAN ID (VID). When a port receives a tagged frame that is to traverse the trunk link, the tag is respected. For all untagged frames the PVID is considered the tag. This allows the frames to traverse devices that may be unable to read VLAN tag information.

Native VLANs have the following attributes:

  • A trunk port will support only one active native VLAN per operational mode. The modes are Access and Trunk.
  • By default on Catalyst switches, all switch ports and native VLANs for 802.1Q are assigned to VLAN1.
  • The 802.1Q trunk ports connected to each other via physical or logical segments must all have the same native VLAN configured to operate correctly.
  • If the native VLAN is misconfigured for trunk ports on the same trunk link, Layer 2 loops can occur due to diverting STP BPDUs from their correct VLAN.

Example: Native VLAN Implementation; Two End Devices on the Same Switch Port
A common case where the native VLAN of 802.1Q is used is a single switch port that supports traffic to an IP phone, which in turn provides a connection to a PC. The port must be configured as 802.1Q so that the 802.1Q Layer 2 header carries the priority (PRI) bits used for QoS marking of the telephony traffic. A standard untagged Ethernet frame has no field for this marking.

The traffic arriving on the switch port from the IP phone will be tagged with VLAN information. The PC traffic arriving on the same switch port will not be tagged. The VLAN ID for the telephony traffic arriving on the 802.1Q trunk port will be respected. The PC traffic arriving with no tag will traverse the Native VLAN.
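The ingress and egress rules described above (tag respected, untagged frames classified into the PVID, native VLAN sent untagged) and the consequence of a native VLAN mismatch noted under the native VLAN attributes, as an added Python model that is not part of the original text. The frames, MAC addresses and VLAN numbers (phone on VLAN 100 with PCP 5, native VLAN 999) are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # TPID that marks an 802.1Q-tagged Ethernet frame

# Constructed sample frames: an untagged PC frame and an IP-phone frame tagged VID 100, PCP 5.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + b"\x00" * 19
PC_FRAME = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD
PHONE_FRAME = DST + SRC + struct.pack("!HHH", TPID_8021Q, (5 << 13) | 100, 0x0800) + PAYLOAD


def parse_frame(frame: bytes):
    """Return (dst, src, vid, pcp, ethertype, payload); vid and pcp are None when untagged."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, tci >> 13, inner, frame[18:]
    return dst, src, None, None, etype, frame[14:]


def classify_ingress(frame: bytes, pvid: int) -> int:
    """Ingress VLAN assignment: a tag is respected, an untagged frame takes the PVID (native VLAN).
    VID 0 is a priority-only tag, which 802.1Q also maps to the PVID."""
    vid = parse_frame(frame)[2]
    return pvid if not vid else vid


def egress_frame(frame: bytes, vlan: int, pcp: int, native_vlan: int) -> bytes:
    """Egress on a trunk: the native VLAN leaves untagged, every other VLAN is tagged."""
    dst, src, _, _, etype, payload = parse_frame(frame)
    if vlan == native_vlan:
        return dst + src + struct.pack("!H", etype) + payload
    tci = (pcp << 13) | (vlan & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, etype) + payload


def transit_vlan(vlan: int, native_tx: int, native_rx: int) -> int:
    """VLAN a frame lands in after crossing the trunk; differs from `vlan` only on a native mismatch."""
    wire = egress_frame(PC_FRAME, vlan, 0, native_tx)
    return classify_ingress(wire, native_rx)


if __name__ == "__main__":
    print("phone VLAN:", classify_ingress(PHONE_FRAME, pvid=999))              # 100
    print("PC VLAN:", classify_ingress(PC_FRAME, pvid=999))                    # 999
    print("mismatch moves native traffic into:", transit_vlan(1, 1, 999))      # 999
```

The last call models the mismatch case: traffic in one end's native VLAN crosses untagged and is classified into the other end's native VLAN, which is why STP BPDUs can be diverted from their VLAN.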

About Issues with 802.1Q Native VLANs
The following issues need to be considered when configuring the native VLAN on an 802.1Q trunk link:

  • The native VLAN interface configurations must match at both ends of the link or the trunk may not form.
  • By default, the native VLAN will be VLAN1. For the purpose of security, the native VLAN on a trunk should be set to a specific VLAN ID that is not used for normal operations elsewhere on the network.
  • If there is a native VLAN mismatch on an 802.1Q link, CDP, if used and functioning, will issue a "VLAN mismatch" error.
  • On select versions of Cisco IOS software, CDP may not be transmitted or will be automatically turned off if VLAN1 is disabled on the trunk.
  • If there is a native VLAN mismatch on either side of an 802.1Q link, Layer 2 loops may occur.
  • When troubleshooting VLANs, note that a link can have one native VLAN association when in access mode, and another native VLAN association when in trunk mode.