Questions about VLAN

Hello, I have a few questions regarding VLAN:

VLAN Concepts – Please confirm if my understanding is correct:

  1. Definition – Native VLAN / Default VLAN / VLAN 1
    The native VLAN is an untagged VLAN used on a trunk port, while other VLANs on the same trunk are tagged. By default, VLAN 1 is both the native VLAN and the default VLAN on many devices. Some vendors allow disabling the native VLAN, meaning the trunk port will only carry tagged traffic.
  2. VLAN Hopping & Security
    Changing the native VLAN from 1 to another number does not prevent VLAN hopping as long as there’s any untagged VLAN on the trunk with tagged traffic. Even disabling the native VLAN doesn’t fully protect the network because VLAN traffic is unencrypted. The most secure method is to ensure access ports are configured to only access a single untagged VLAN.
  3. Zero-Touch Provisioning
    Most zero-touch provisioning solutions require untagged traffic. If the network is configured to use only tagged traffic, the management VLAN must be manually assigned on both the switch and access point to enable connectivity.

Now, here are my questions (the trunk port is configured with only two tagged VLANs (under Allowed VLANs) and no untagged traffic: VLAN 10 for management and VLAN 100 for main traffic):

  1. I understand the default/native VLAN is VLAN 1.
    In the controller (Settings > Networks > VLANs), if I delete VLAN 1, what happens to the “Default” of “Native VLAN” setting on switch ports?
    Does it still refer to VLAN 1? Or does that mean native VLAN is now disabled on those ports?

  2. If I assign a random VLAN number (666) as the Native VLAN on a switch port, but that VLAN isn’t defined under (Settings > Networks > VLANs), what happens?

  3. I’m currently using the S8-POE switch. Do the VLAN behaviors and settings mentioned apply to other Alta Labs switches and routers?

  4. The previous three questions were about switches. Shifting focus to access points — under the Advanced Settings of a WiFi network, what does the “Default Network VLAN” option mean for an AP? Should this be set to the management VLAN, or should it match the native VLAN (which, in my case, doesn’t exist since all traffic is tagged)?

  1. The subnet for VID1 will become unroutable & you will lose the DHCP server.

  2. VID666 will be unroutable, so traffic that requires routing will not succeed.

  3. Yes.

  4. It is the VLAN assigned to the SSID if you do not define the VLAN value in the PSK (using the purple button beside the password) or use RADIUS to assign it.

Thank you very much for your response. Could you please clarify the part where you mentioned, “The subnet for VID1 will become unroutable & you will lose the DHCP server”?

Here’s my setup:
VLAN 10 is used for management
VLAN 100 is for main traffic
Both VLANs are tagged
No plan to use VID1

If I configure the AP and switch management VLAN to 100, the DHCP for management should still function properly, correct? Under “allowed VLANs,” I’ll keep both VLAN 10 and VLAN 100 checked, and I’ll leave the native VLAN set to “default” (unchanged). Is that the correct approach?

I think that sounds correct, but it’s not something I’ve strictly tested yet. I’ll take some time to see if I can look at it myself, but if you experience some issue with trying it yourself then let us know.
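
The tagged-only trunk policy discussed in this thread, written as a frame classifier. This is an added example, not code from any poster or from Alta Labs; it assumes allowed VLANs 10 and 100, no native VLAN, and no legitimate QinQ on the link, so stacked tags are flagged. The function names and sample frames are constructed for illustration.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}   # 802.1Q C-tag and 802.1ad S-tag
ALLOWED_VLANS = {10, 100}       # the thread's trunk: management + main traffic
NATIVE_VLAN = None              # assumption: no untagged traffic is expected

def parse_vlan_tags(frame: bytes):
    """Return ([VIDs, outermost first], payload EtherType) for an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    offset, vids = 12, []       # skip destination and source MAC
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            return vids, ethertype
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4

def classify(frame: bytes, allowed=ALLOWED_VLANS, native=NATIVE_VLAN) -> str:
    """Verdict a tagged-only trunk policy would give this frame."""
    vids, _ = parse_vlan_tags(frame)
    if len(vids) > 1:
        return "alert: stacked tags " + str(vids)
    if not vids or vids[0] == 0:    # VID 0 is a priority tag, i.e. untagged
        if native is None:
            return "drop: untagged, no native VLAN"
        return f"accept: native VLAN {native}"
    if vids[0] in allowed:
        return f"accept: VLAN {vids[0]}"
    return f"drop: VLAN {vids[0]} not allowed"

def build_frame(*vids: int, ethertype: int = 0x0800) -> bytes:
    """Constructed sample frame: broadcast dst, locally administered src."""
    tags = b"".join(struct.pack("!HH", 0x8100, vid) for vid in vids)
    macs = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    return macs + tags + struct.pack("!H", ethertype) + b"\x00" * 46

if __name__ == "__main__":
    for vids in [(10,), (100,), (), (0,), (666,), (1, 100)]:
        print(vids, "->", classify(build_frame(*vids)))
```

Passing `native=1` to `classify` shows how the same untagged or priority-tagged frame is accepted once a native VLAN exists on the port.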