Native VLAN Mismatches: Why This Question Breaks Everyone


Why This One Keeps Catching People Off Guard

Native VLAN mismatches have a specific reputation in CCNA study groups: people think they understand this topic right up until a question proves otherwise. It’s not that the concept is complicated. It’s that surface-level understanding feels like complete understanding, and that false confidence is exactly what the exam is designed to test.

The foundation is this: on an 802.1Q trunk link, every frame gets tagged with a VLAN ID so the receiving switch knows where to put it. Every frame except one. Traffic on the native VLAN travels untagged, which means both switches on that trunk have to agree on which VLAN that is. If they don’t, you have a native VLAN mismatch, and traffic starts going places it was never supposed to go.

Cisco switches default to VLAN 1 as the native VLAN, so in a network where nobody has touched the trunk configuration, both sides match automatically and nobody ever thinks about it. The problem shows up when an admin changes the native VLAN on one side of a trunk and forgets the other, or inherits a network where someone else did that months ago. Suddenly frames that Switch A sends untagged as VLAN 1 traffic are being received by Switch B and placed into VLAN 10, or whatever that switch’s native VLAN happens to be. The trunk is up. The allowed VLAN list looks right. But certain traffic isn’t behaving, and nothing about the packet itself tells you why.

That selective failure pattern is the fingerprint of a native VLAN mismatch in a real network. Some traffic works, some doesn’t, and the trunk shows no obvious problems when you first look at it. CDP will actually surface the issue if it’s running. You’ll see a log entry warning about a native VLAN mismatch discovered on a specific interface, and that message appearing in a scenario question is a clue worth recognizing immediately.

The Security Problem Cisco Wants You to Know

Beyond traffic ending up in the wrong VLAN, there’s a security angle that shows up on the exam. A native VLAN mismatch enables a technique called VLAN hopping, where an attacker on one VLAN can get frames delivered into a different VLAN they shouldn’t have access to. The mechanism is double tagging: craft a frame with an outer VLAN tag matching the native VLAN and an inner tag for the target VLAN. The first switch strips the outer tag and forwards the frame untagged because it matches the native VLAN. The second switch sees the inner tag and delivers the frame into the target VLAN. The attack only works in one direction and requires the attacker to be on the native VLAN, but the point is that a misconfigured native VLAN turns a connectivity problem into a security exposure.

The standard mitigation is to set the native VLAN to an unused VLAN ID that no end devices belong to, consistently, across every trunk in the network. Cisco tests whether you understand both the connectivity implication and the security one, so knowing only half of this topic will get you through some questions and fail you on others.
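As an added illustration (not code from the original article), the following Python model walks through the forwarding decisions described above: how a frame is tagged or left untagged when it crosses an 802.1Q trunk, where it lands when the two ends disagree on the native VLAN, and why moving the native VLAN to an unused ID contains the double-tagging case. The Switch and Frame classes, port names and VLAN numbers are constructed for the demo; nothing is sent on a network.

```python
# Added illustration (not from the original article): a minimal model of how
# an 802.1Q trunk decides which VLAN a frame lands in, with and without a
# native VLAN mismatch, and why an unused native VLAN contains double tagging.
# It models forwarding decisions only; nothing is transmitted.

from dataclasses import dataclass, field


@dataclass
class Frame:
    """An Ethernet frame reduced to its stack of 802.1Q VLAN tags.
    tags[0] is the outermost tag; an empty list means the frame is untagged."""
    tags: list[int] = field(default_factory=list)
    payload: str = "data"


@dataclass
class Switch:
    name: str
    native_vlan: int = 1                                        # Cisco default
    access_ports: dict[str, int] = field(default_factory=dict)  # port -> VLAN

    def access_ingress(self, port: str, frame: Frame) -> tuple[int, Frame]:
        """A frame arriving on an access port belongs to that port's VLAN.
        If the frame already carries a tag for that same VLAN, the switch
        consumes it (the step a double-tagged frame relies on)."""
        vlan = self.access_ports[port]
        tags = list(frame.tags)
        if tags and tags[0] == vlan:
            tags.pop(0)
        return vlan, Frame(tags, frame.payload)

    def trunk_egress(self, vlan: int, frame: Frame) -> Frame:
        """Sending out an 802.1Q trunk: native VLAN traffic goes untagged,
        everything else gets a tag pushed on the front."""
        if vlan == self.native_vlan:
            return Frame(list(frame.tags), frame.payload)
        return Frame([vlan] + list(frame.tags), frame.payload)

    def trunk_ingress(self, frame: Frame) -> tuple[int, Frame]:
        """Receiving on an 802.1Q trunk: a tagged frame goes to the VLAN named
        by its outer tag; an untagged frame is assumed to be native."""
        tags = list(frame.tags)
        if tags:
            return tags.pop(0), Frame(tags, frame.payload)
        return self.native_vlan, Frame(tags, frame.payload)


def deliver_over_trunk(a: Switch, a_port: str, frame: Frame, b: Switch) -> int:
    """Return the VLAN Switch B places a frame in after it enters Switch A on
    access port a_port and crosses the A-B trunk."""
    vlan, frame = a.access_ingress(a_port, frame)
    on_wire = a.trunk_egress(vlan, frame)
    landed_vlan, _ = b.trunk_ingress(on_wire)
    return landed_vlan


def native_vlan_mismatch_demo() -> int:
    """Host in VLAN 1 on Switch A; native VLAN 1 on A but 10 on B (constructed).
    The untagged frame is silently placed in VLAN 10 by Switch B."""
    a = Switch("A", native_vlan=1, access_ports={"Fa0/1": 1})
    b = Switch("B", native_vlan=10)
    return deliver_over_trunk(a, "Fa0/1", Frame(), b)


def double_tag_demo(native_vlan: int) -> int:
    """Frame tagged [1, 20] from an access port in VLAN 1, both switches using
    native_vlan. With native VLAN 1 the inner tag is exposed on the trunk and
    the frame reaches VLAN 20; with an unused native VLAN (99) the outer tag
    stays on the wire and the frame is contained in VLAN 1."""
    a = Switch("A", native_vlan=native_vlan, access_ports={"Fa0/1": 1})
    b = Switch("B", native_vlan=native_vlan)
    return deliver_over_trunk(a, "Fa0/1", Frame(tags=[1, 20]), b)


if __name__ == "__main__":
    print("mismatch: VLAN 1 frame landed in VLAN", native_vlan_mismatch_demo())
    print("native 1,  double-tagged frame landed in VLAN", double_tag_demo(1))
    print("native 99, double-tagged frame landed in VLAN", double_tag_demo(99))
```

The three demo functions return the VLAN the far switch assigns: 10 for the mismatch case (a VLAN 1 frame landing in VLAN 10 with the trunk up and the allowed list correct), 20 for double tagging with the default native VLAN, and 1 once the native VLAN is an unused ID with no access ports in it, which is exactly the mitigation the paragraph above describes.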

Commands and What to Look For

Setting the native VLAN on a trunk interface is one command:

Switch(config-if)# switchport trunk native vlan 99

Both sides of the trunk need the same VLAN number. To verify the current configuration, show interfaces trunk gives you the native VLAN per interface alongside the allowed VLAN list and trunk status. If you’re looking for the CDP warning specifically, it shows up in show log and it’s hard to miss once you know what you’re looking for.
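To turn the verification step above into something repeatable, here is an added Python checker (not from the original article) that parses the first table of show interfaces trunk from each end of a link, reports any pair of ports whose native VLANs differ, and pulls the interface and both VLAN IDs out of the CDP mismatch log line. The command output, the log lines, the switch names and the port-to-port link map are constructed samples in Cisco IOS format, not captures from a real network.

```python
# Added example (not from the original article): compare the native VLAN each
# end of a trunk reports in `show interfaces trunk`, and scan log output for
# the CDP native VLAN warning. All sample text below is constructed.

import re

# Constructed `show interfaces trunk` output from each end of the same links.
SWITCH_A_TRUNKS = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1
Gi0/2       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       1-4094
"""

SWITCH_B_TRUNKS = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99
Gi0/2       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       1-4094
"""

# Which port on Switch A is cabled to which port on Switch B (constructed).
LINKS = {"Gi0/1": "Gi0/1", "Gi0/2": "Gi0/2"}

# Constructed log lines in the shape of the CDP native VLAN warning.
SWITCH_A_LOG = """\
*Mar  1 00:12:01.337: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Mar  1 00:12:44.012: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with SwitchB GigabitEthernet0/1 (99).
"""

# Matches only rows of the first table (Mode/Encapsulation/Status/Native vlan);
# the allowed-VLAN tables that follow do not fit this pattern.
TRUNK_ROW = re.compile(
    r"^(?P<port>\S+)\s+\S+\s+802\.1q\s+trunking\s+(?P<native>\d+)\s*$", re.M
)
CDP_MISMATCH = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<port>\S+) \((?P<local>\d+)\), with (?P<peer>\S+) (?P<peer_port>\S+) "
    r"\((?P<remote>\d+)\)"
)


def native_vlans(show_output: str) -> dict[str, int]:
    """Map each trunking port to the native VLAN it reports."""
    return {m["port"]: int(m["native"]) for m in TRUNK_ROW.finditer(show_output)}


def find_mismatches(a_output: str, b_output: str,
                    links: dict[str, str]) -> list[tuple[str, int, str, int]]:
    """Return (a_port, a_native, b_port, b_native) for every link whose two
    ends report different native VLANs."""
    a, b = native_vlans(a_output), native_vlans(b_output)
    return [
        (ap, a[ap], bp, b[bp])
        for ap, bp in links.items()
        if ap in a and bp in b and a[ap] != b[bp]
    ]


def cdp_warnings(log: str) -> list[dict[str, str]]:
    """Extract interface, local VLAN, peer name, peer port and remote VLAN
    from every CDP native VLAN mismatch line in the log."""
    return [m.groupdict() for m in CDP_MISMATCH.finditer(log)]


if __name__ == "__main__":
    for ap, an, bp, bn in find_mismatches(SWITCH_A_TRUNKS, SWITCH_B_TRUNKS, LINKS):
        print(f"native VLAN mismatch: A {ap} native {an} vs B {bp} native {bn}")
    for w in cdp_warnings(SWITCH_A_LOG):
        print(f"CDP warning on {w['port']}: local {w['local']}, "
              f"{w['peer']} {w['peer_port']} reports {w['remote']}")
```

With the constructed samples, the checker flags only the Gi0/1 link (native 1 on A, 99 on B) while Gi0/2 passes, and the log scan recovers the same two VLAN IDs from the CDP message. The point is that both checks look at the same fact from different places: the trunk table shows what each switch believes, and the CDP warning shows the two beliefs disagreeing.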

On the exam, native VLAN mismatch questions almost always come as troubleshooting scenarios rather than definition or configuration questions. You’ll get a topology, a symptom, and a list of possible causes. The wrong answers are usually things like an incorrect allowed VLAN list, a trunk that failed to form, or a duplex mismatch. Those are all real problems with overlapping symptoms, and they’re in the list specifically because they can look similar on the surface. The distinguishing detail for native VLAN mismatch is that the trunk is up and the allowed VLANs are correct, but traffic is landing in the wrong place or hosts are receiving frames they shouldn’t be seeing.

If you want to get reps on this until the pattern is automatic, Boson ExamSim runs through this scenario in several variations and the explanations break down why each wrong answer produces a different symptom, which is what actually makes the distinction stick. For context on how this fits into the broader VLAN and trunking picture, the CCNA glossary covers the related terminology worth knowing cold before exam day.

The things to have locked down on this topic are: native VLAN traffic is untagged on 802.1Q trunks, both sides of a trunk must agree on which VLAN that is, a mismatch can enable VLAN hopping attacks in addition to misrouting traffic, and a CDP native VLAN warning in a log is a direct indicator of the problem. That covers the majority of what Cisco will actually ask you.

Network Professional | CCNA Certified

Ashley Miller is a 35-year-old networking professional with a proven foundation in Cisco technologies. She is CCNA certified and currently advancing her expertise by working toward the Cisco Certified Network Professional (CCNP) certification. With a passion for designing and maintaining efficient, secure network infrastructures, Ashley brings both technical skill and real-world experience to every project.
