Friday, January 9, 2009

Native VLANs - ISL vs 802.1q, CatOS vs IOS

When configuring trunking, the discussion of Native VLANs may be a little confusing, especially when comparing ISL trunking vs 802.1q, and IOS vs CatOS.

Here's a breakdown:

First, the concept of a Native VLAN is only understood by 802.1q. So, for ISL trunking, do not worry about setting it, as ISL encapsulates EVERY FRAME going through that trunk (more below).

A Native VLAN is merely a single VLAN ID already allowed on a trunk that will be used for all untagged frames sent/received. In other words, if the switch receives a frame on this trunk with no VLAN ID tagged on it, it will assume that this frame is in the Native VLAN, and inversely, if it sends a frame on this trunk that is in the Native VLAN, it will not bother tagging the frame.

As stated above, this does not apply to ISL because it encapsulates packets (instead of tagging them, like 802.1q), and every packet must be encapsulated; therefore, ISL does not bother with the concept.

Typically, you have a dedicated "switch management" VLAN on your network, and all your switches' management addresses are in this VLAN, and this VLAN is set as native on every trunk link between these switches. A lot of times setting the Native VLAN does not matter on newer switches, but I have found that some Cisco Autonomous APs and very old switches require it set, so I feel it is best to keep it consistent, YMMV.

To check the current Native VLAN on IOS:
sh int InterfaceX/Y trunk

To check the current Native VLAN on CatOS:
sh trunk X/Y

On IOS, it's pretty easy to set the Native VLAN; just enter the following command under the interface (where Z is the VLAN ID):
switchport trunk native vlan Z

On CatOS, it's not as obvious, but just as easy: you merely set the VLAN of the trunk port as if it were an access port:
set vlan Z X/Y

As I said before, it's not terribly necessary nowadays, but for consistency I recommend setting it to the same VLAN as the management interface of your end-user switches. No matter what you do, you must ensure that the Native VLAN matches on both sides of your 802.1q trunk, because otherwise two Cisco switches will detect the mismatch via CDP and will block the port until it's fixed. The following IOS command will show you a list of any such blocked ports:
show spanning-tree inconsistentports
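
An added example (not from the original post): a small Python check that compares the Native VLAN on both ends of each 802.1q trunk, using saved IOS "show interfaces trunk" output. The sample output, the switch names and the cabling list are constructed for illustration; ISL trunks are skipped because the Native VLAN does not apply to them.

```python
import re

# Constructed sample "show interfaces trunk" output from two switches.
SW1 = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      99
Gi0/2       on               802.1q         trunking      1
Gi0/3       on               isl            trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094
"""
SW2 = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      99
Gi0/2       on               802.1q         trunking      99
Gi0/3       on               isl            trunking      5
"""
# Hypothetical cabling: (switch, port) on one end, (switch, port) on the other.
LINKS = [(("sw1", "Gi0/1"), ("sw2", "Gi0/1")),
         (("sw1", "Gi0/2"), ("sw2", "Gi0/2")),
         (("sw1", "Gi0/3"), ("sw2", "Gi0/3"))]

# Port, Mode, Encapsulation, Status, Native vlan (only the first table has 5 columns).
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_trunks(text):
    """Return {port: (encapsulation, native_vlan)} from the trunk status table."""
    trunks = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, _mode, encap, _status, native = m.groups()
            trunks[port] = (encap.lower(), int(native))
    return trunks

def native_mismatches(outputs, links):
    """List 802.1q links whose two ends disagree on the Native VLAN."""
    tables = {name: parse_trunks(text) for name, text in outputs.items()}
    problems = []
    for (sw_a, port_a), (sw_b, port_b) in links:
        encap_a, native_a = tables[sw_a][port_a]
        encap_b, native_b = tables[sw_b][port_b]
        if encap_a.endswith("isl") or encap_b.endswith("isl"):
            continue  # ISL encapsulates every frame; Native VLAN is not used
        if native_a != native_b:
            problems.append((sw_a, port_a, native_a, sw_b, port_b, native_b))
    return problems

if __name__ == "__main__":
    for p in native_mismatches({"sw1": SW1, "sw2": SW2}, LINKS):
        print("Native VLAN mismatch: %s %s (vlan %d) <-> %s %s (vlan %d)" % p)
```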


  1. Good work! Thank you very much!
    I always wanted to write something like that on my site. Can I take part of your post to my site?
    Of course, I will add a backlink.

    Regards, Reader

  2. I have the native VLAN thing down OK. I have an issue with an existing VLAN 34 serving several access UNI/EMS service. Engineering is wanting to add an Actelis 2300 off an access port and serve the customer with an Actelis 624 at the prem. This is a new config for us, and my question is: the people who know the Actelis gear are wanting to set this up as a trunk, as if the Actelis is an extension of the TLS network. We are thinking we must remain config'd as access since the existing service is all access/EMS. We are using 6509s with CatOS. Anything else needed, please let me know.