Native VLAN and Spanning Tree

Solved
BlakeR1
Here to help

Recently I have wanted to make my trunk connections from switch to switch more secure by only allowing the necessary VLANs. I wanted to remove the Native VLAN from the Allowed List (for VLAN hopping) but came upon Meraki documentation that advises to add the Native VLAN to the allowed list. Also, I am running Rapid-PVST on my other non-Meraki switches. I did have a MS switch connected to a non-Meraki switch without the Native VLAN included on the trunk allowed list and it seemed like STP was running properly. 

https://documentation.meraki.com/MS/Deployment_Guides/Advanced_MS_Setup_Guide
 - "If a Native VLAN is specified, ensure that it is also added to the Allowed VLANs configuration"
 - "MS series switches can participate in spanning tree only when a spanning tree instance is running on VLAN 1 of all switches. In addition, VLAN 1 must be allowed on all trunk ports running Rapid-PVST, so that BPDUs are seen by the Meraki switches in the topology"


Would I need to include the Native VLAN to a hybrid network (Meraki and Non-Meraki)? Also, would I need to include the Native VLAN into a Meraki only network?

1 Accepted Solution
alemabrahao
Kind of a big deal

Yes, it needs to be included in the hybrid network, as Meraki recommends. In other words, it needs to be included in non-Meraki devices as well.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

5 Replies
BlakeR1
Here to help

How about a Meraki only network?

alemabrahao
Kind of a big deal

If they are only Meraki switches then it is not necessary, this recommendation is only for when you have non-Meraki switches connected.

PhilipDAth
Kind of a big deal

>I wanted to remove the Native VLAN from the Allowed List 
Spanning tree packets are transmitted on the native VLAN, so that is why you shouldn't prune it.
VLAN hopping doesn't affect ports configured as access ports (they don't accept tagged frames). Consequently, if you configure every port as an access port, except those going to other network devices, you have mitigated the vast majority of the risk.
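The two rules quoted from the Meraki guide above (the native VLAN must be in the allowed list, and VLAN 1 must be allowed on trunks when Rapid-PVST is running) are easy to check mechanically before pruning a trunk. The following script is an added example, not code from this thread or from Meraki: it parses an IOS-style switch configuration and flags trunk ports whose allowed-VLAN list drops the native VLAN or VLAN 1. The configuration text, interface names and VLAN numbers in it are constructed for illustration; a trunk with no explicit allowed list is treated as "allow all", as IOS does.

```python
"""Audit IOS-style switch config for trunks that prune the native VLAN or VLAN 1.

Added example (not from the thread or Meraki). SAMPLE_CONFIG is constructed;
interface names and VLAN IDs are illustrative.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/1
 description uplink to MS switch (constructed)
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/2
 description uplink to core (constructed)
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
!
interface GigabitEthernet1/0/3
 description trunk with default allowed list, i.e. all VLANs (constructed)
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet1/0/4
 description trunk that allows its native VLAN but not VLAN 1 (constructed)
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
!
interface GigabitEthernet1/0/10
 description user port (constructed)
 switchport mode access
 switchport access vlan 10
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,10-12,99' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_config(config: str) -> Tuple[str, Dict[str, dict]]:
    """Return (spanning-tree mode, {interface: settings}).

    Per-interface defaults mirror IOS: native VLAN 1, all VLANs allowed
    (stored as None) and no explicit switchport mode.
    """
    stp_mode = "pvst"  # IOS default when no 'spanning-tree mode' line exists
    interfaces: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^spanning-tree mode (\S+)", line)
        if m:
            stp_mode = m.group(1)
            continue
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = {"mode": None, "native": 1, "allowed": None}
            interfaces[m.group(1)] = current
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or any top-level line ends the interface block
            continue
        cmd = line.strip()
        if cmd.startswith("switchport mode "):
            current["mode"] = cmd.split()[-1]
        elif cmd.startswith("switchport trunk native vlan "):
            current["native"] = int(cmd.split()[-1])
        elif cmd.startswith("switchport trunk allowed vlan "):
            spec = cmd[len("switchport trunk allowed vlan "):].strip()
            if spec == "all":
                current["allowed"] = None
            elif spec.startswith("add "):
                if current["allowed"] is not None:  # adding to 'all' stays 'all'
                    current["allowed"] |= expand_vlan_list(spec[4:])
            else:
                current["allowed"] = expand_vlan_list(spec)
    return stp_mode, interfaces


def audit_trunks(config: str) -> List[Tuple[str, str]]:
    """Flag trunks whose allowed list drops the native VLAN, or drops VLAN 1
    while Rapid-PVST is running (the two conditions the Meraki guide calls out).
    """
    stp_mode, interfaces = parse_config(config)
    findings: List[Tuple[str, str]] = []
    for name, cfg in interfaces.items():
        if cfg["mode"] != "trunk" or cfg["allowed"] is None:
            continue  # access ports carry no trunk list; 'allow all' prunes nothing
        if cfg["native"] not in cfg["allowed"]:
            findings.append((name, "native-not-allowed"))
        if stp_mode == "rapid-pvst" and 1 not in cfg["allowed"] and cfg["native"] != 1:
            findings.append((name, "vlan1-not-allowed"))
    return findings


if __name__ == "__main__":
    for iface, issue in audit_trunks(SAMPLE_CONFIG):
        print(f"{iface}: {issue}")
```

Running it against the sample reports GigabitEthernet1/0/1 (native VLAN 1 pruned) and GigabitEthernet1/0/4 (VLAN 1 pruned while Rapid-PVST is in use); the trunk with the default "allow all" list is silent, which matches the follow-up in this thread where the Catalyst side still had "trunk allow all" and kept working.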
BlakeR1
Here to help

To follow up on this.
I have Meraki Catalyst switches connecting to a catalyst switch, and last month I removed the native VLAN 1 from the allowed list on the Meraki switches without knowing this information. Nothing panicked and it looked like everything was working properly. I just added VLAN 1 back to the allowed list causing the network to crash with switches going offline and not being able to reach the catalyst switch. 

How did removing the native VLAN not cause a problem but adding it back did?

Edit:
I realized that I didn't adjust the Catalyst switch trunk allow list, it remained as trunk allow all. This could be why it continued to work. So I guess my question is, why did adding it back cause a problem and why does it work without adding native VLAN 1 to the trunk on the Meraki switch?
