Understanding the Importance of Native VLAN on Trunk Ports.
Why is a native VLAN needed on trunk ports?
Every 802.1q trunk port has a native VLAN, but why is it necessary?
The reason is simple: Untagged traffic needs a destination.
Not all traffic on a trunk includes a VLAN tag. If there's no tag, it must belong to the native VLAN.
By default, Cisco uses VLAN 1 as the native VLAN, but it is important not to confuse the native VLAN with the default VLAN, even though both are VLAN 1 out of the box. The default VLAN is fixed, while the native VLAN is configurable; just ensure that both ends of the trunk are set to the same native VLAN.
The following control plane protocols will always be assigned to VLAN 1, regardless of the native VLAN setting:

- CDP (Cisco Discovery Protocol)
- LLDP (Link Layer Discovery Protocol)
- STP BPDUs (Spanning Tree Protocol)
- DTP (Dynamic Trunking Protocol)
- VTP (VLAN Trunking Protocol)
- UDLD (Unidirectional Link Detection)

This is why changing the native VLAN helps reduce the risk of VLAN hopping attacks: it keeps user traffic out of VLAN 1, where these critical protocols reside.
Best practice: Set the native VLAN to an unused VLAN to reduce security risks, as untagged traffic should not be allowed to roam freely in places it doesn't belong.
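As an added example (not code from the original post), the Python script below does two things the text describes: it classifies frames arriving on a trunk the way a switch does (a tagged frame goes to the VLAN in its tag, an untagged or priority-tagged frame goes to the native VLAN), and it audits the two ends of a trunk for the native VLAN problems discussed above (mismatched native VLANs, native VLAN left at 1, native VLAN shared with access ports, native VLAN frames sent untagged). The frame bytes, switch names, VLAN numbers and the `tag_native` flag are all constructed for illustration and are assumptions, not values from any real network.

```python
import struct
from typing import Optional, Tuple, List, Dict, Set

TPID_8021Q = 0x8100                  # EtherType that announces an 802.1Q tag
ETH_HDR = struct.Struct("!6s6sH")    # dst MAC, src MAC, EtherType (or TPID)


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vid, ethertype, payload) for a raw Ethernet frame.

    vid is None when the frame carries no 802.1Q tag at all.
    """
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame too short for an Ethernet header")
    _dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    offset = ETH_HDR.size
    vid = None
    if etype == TPID_8021Q:
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits), then the real EtherType
        tci, etype = struct.unpack_from("!HH", frame, offset)
        vid = tci & 0x0FFF
        offset += 4
    return vid, etype, frame[offset:]


def vlan_for_frame(frame: bytes, native_vlan: int) -> int:
    """Decide which VLAN a frame received on a trunk belongs to.

    Untagged frames, and priority-tagged frames (tag present but VID 0),
    have no VLAN of their own, so they land in the port's native VLAN.
    """
    vid, _, _ = parse_frame(frame)
    if vid is None or vid == 0:
        return native_vlan
    if vid == 0xFFF:
        raise ValueError("VID 0xFFF is reserved by 802.1Q")
    return vid


def build_frame(vid: Optional[int], etype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed sample frame; vid=None means untagged."""
    dst = bytes.fromhex("ffffffffffff")   # constructed sample addresses
    src = bytes.fromhex("001122334455")
    if vid is None:
        return ETH_HDR.pack(dst, src, etype) + payload
    tci = vid & 0x0FFF                    # PCP=0, DEI=0
    return ETH_HDR.pack(dst, src, TPID_8021Q) + struct.pack("!HH", tci, etype) + payload


def audit_trunk(end_a: Dict, end_b: Dict, vlans_in_use: Set[int]) -> List[str]:
    """Report native-VLAN findings for one trunk.

    Each end is a dict like {"name": "SW1", "native": 999, "tag_native": True};
    the shape is an assumption for this example, not a vendor data model.
    """
    findings: List[str] = []
    if end_a["native"] != end_b["native"]:
        findings.append(
            f"native VLAN mismatch: {end_a['name']}={end_a['native']} "
            f"vs {end_b['name']}={end_b['native']}")
    for end in (end_a, end_b):
        if end["native"] == 1:
            findings.append(f"{end['name']}: native VLAN is 1, shared with control-plane protocols")
        if end["native"] in vlans_in_use:
            findings.append(f"{end['name']}: native VLAN {end['native']} is also used by access ports")
        if not end.get("tag_native", False):
            findings.append(f"{end['name']}: native VLAN frames leave the port untagged")
    return findings


if __name__ == "__main__":
    for label, frame in (("untagged", build_frame(None)),
                         ("tagged VID 20", build_frame(20)),
                         ("priority-tagged VID 0", build_frame(0))):
        print(f"{label:22} -> VLAN {vlan_for_frame(frame, native_vlan=999)}")

    sw1 = {"name": "SW1", "native": 1, "tag_native": False}     # constructed
    sw2 = {"name": "SW2", "native": 999, "tag_native": True}    # constructed
    for line in audit_trunk(sw1, sw2, vlans_in_use={10, 20}):
        print("finding:", line)
```

The mismatch finding is the one that matters most: an untagged frame that SW1 considers VLAN 1 is simply placed in VLAN 999 by SW2, which is exactly how a native VLAN mismatch quietly bridges two VLANs. On Cisco IOS the per-port setting is `switchport trunk native vlan <id>`, and `vlan dot1q tag native` makes the switch tag native VLAN frames as well, which is what the `tag_native` check models.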
There will be some demos with packet captures coming up shortly!