In this blog post, we will look at what a Native VLAN is and how it works. But, before we dive into Native VLAN, let's have a quick look at Access ports and Trunk ports. If you are someone new to the world of networking, the terms access, trunk, tagged and untagged can be very confusing.
Cisco uses the terms "access" and "trunk," while HP/UniFi/Meraki/some other vendors use "untagged" and "tagged" ports to describe the same concepts.
Access / Untagged Ports
Access or untagged ports connect end devices, like PCs, servers or printers, to a single VLAN. Each access port is a member of one specific VLAN, which can carry only the traffic for that VLAN. The traffic transmitted over an access port is not tagged with a VLAN ID.
Trunk Ports / Tagged Ports
Trunk ports or tagged ports, on the other hand, are used to interconnect switches and carry traffic for multiple VLANs across a single link. The traffic transmitted over a trunk port is tagged with a VLAN ID, allowing switches to identify which VLAN the traffic belongs to and properly route it.
Native VLANs
Native VLAN is used to carry untagged traffic on a trunk port. When a switch receives untagged traffic on a trunk port, it automatically assumes the traffic belongs to the native VLAN.
When a frame with a native VLAN tag leaves a trunk port, the switch strips out its VLAN tag. However, when a frame with a native VLAN tag leaves a trunk port that has a different native VLAN configured, the frame will retain its original VLAN tag, as it doesn't belong to the configured native VLAN on the transmitting switch.
Native VLAN Usecase
Let's say we have an Access Point (AP) connected to a switch using a trunk port. The AP provides wireless connectivity for two different SSIDs: Office-WiFi and Guest-WiFi, which are associated with VLAN 10 and VLAN 15, respectively. The management traffic of the AP is associated using VLAN 100, which is set as the native VLAN for the trunk port. This configuration ensures that untagged management traffic is tagged with VLAN 100 before being forwarded.
To achieve this setup, we would configure the switch port connected to the AP as a trunk port and allow the necessary VLANs to pass through (10 and 15). Additionally, we would also set VLAN 100 as the native VLAN for management traffic.
Native VLAN Mismatch
A native VLAN mismatch occurs when two switches connected via a trunk link have different native VLANs configured on their respective trunk ports.
In a native VLAN mismatch scenario, untagged traffic from one switch's native VLAN is incorrectly tagged with the other switch's native VLAN on the receiving end. This mistagged traffic can then be forwarded within the wrong VLAN, potentially allowing unauthorized access to sensitive information or systems. It may also cause network loops when the mistagged traffic is sent back to the originating switch.
To avoid native VLAN mismatches, it is essential to ensure that the native VLAN is consistently configured on both ends of the trunk link. This will prevent potential security risks and network issues that can result from mismatches.
Native VLAN Security Considerations
An attacker could exploit a native VLAN mismatch to inject traffic into a VLAN they shouldn't have access. For example, an attacker connected to a switch with native VLAN 10 could send untagged frames that would be tagged with VLAN 10 by the switch. If the trunk port on the receiving switch is configured with native VLAN 20, the frames would be assumed to belong to VLAN 20 and would be forwarded accordingly.
To prevent these issues, it is crucial to ensure that the native VLAN is consistently configured on both ends of the trunk link.