This is an often confused point for people new to networking, in particular for people coming up the Cisco track, due to Cisco's overemphasis on this point. It is more or less just a terminology thing. Let me explain.
The 802.1q standard defines a method of tagging traffic between two switches to distinguish which traffic belongs to which VLANs. In Cisco terms, this is what happens on a "trunk" port. I've seen other vendors refer to this as a "tagged" port. In this context, it means the same: adding an identifier to frames to indicate what VLAN the frame belongs to. Terminology aside, the main thing to keep in mind is that a VLAN tag is necessary, because often the traffic traversing two switches belongs to multiple VLANs, and there must be a way to determine which 1's and 0's belong to which VLAN.
But what happens if a trunk port, which is expecting to receive traffic that includes the VLAN tag, receives traffic with no tag? In the predecessor to 802.1q, known as ISL (Cisco proprietary, but archaic; no one supports it anymore, not even Cisco), untagged traffic on a trunk would simply be dropped.
802.1q, however, provided a way to not only receive this traffic, but also associate it with a VLAN of your choosing. This method is known as setting a Native VLAN. Effectively, you configure your trunk port with a Native VLAN, and whatever traffic arrives on that port without an existing VLAN tag gets associated with your Native VLAN.
As with all configuration items, if you do not explicitly configure something, usually some sort of default behavior exists. In the case of Cisco (and most vendors), the Default Native VLAN is VLAN 1. Which is to say, if you do not set a Native VLAN explicitly, any untagged traffic received on a trunk port is automatically placed in VLAN 1.
The trunk port is the "opposite" (sort of) of what is known as an Access Port. An access port sends and expects to receive traffic with no VLAN tag. The way this can work is that an access port also only ever sends and expects to receive traffic belonging to one VLAN. The access port is statically configured for a particular VLAN, and any traffic received on that port is internally associated on the switch itself as belonging to that particular VLAN (despite not tagging traffic for that VLAN when it leaves the switch port).
Now, to add to the confusing mix, Cisco books will often refer to the "default VLAN". The Default VLAN is simply the VLAN which all Access Ports are assigned to until they are explicitly placed in another VLAN. In the case of Cisco switches (and most other vendors), the Default VLAN is usually VLAN 1. Typically, this VLAN is only relevant on an Access port, which is a port that sends and expects to receive traffic without a VLAN tag (also referred to as an 'untagged port' by other vendors).
So, to summarize:
The Native VLAN can change. You can set it to anything you like.
The Access Port VLAN can change. You can set it to anything you like.
The Default Native VLAN is always 1; this cannot be changed, because it is set that way by Cisco.
The Default VLAN is always 1; this cannot be changed, because it is set that way by Cisco.
edit: forgot your other questions:
Also, can it / should it be changed?
This is largely an opinion question. I tend to agree with this school of thought:
All unused ports should be in a specific VLAN. All active ports should be explicitly set to a particular VLAN. Your switch should then prevent traffic from traversing the uplink into the rest of your network if the traffic belongs to VLAN 1, or the VLAN you are using for unused ports. Everything else should be allowed up the uplink.
But there are many different theories behind this, as well as differing requirements which would prevent having such a restricted switch policy (scale, resources, etc.).
For instance, if a switch is going into part of a network that is only one VLAN and it's not
VLAN 1, is it possible to make the "default" / native VLAN on all ports a particular VLAN
using one global command, or is the preferred method to make all ports access ports
and set the access VLAN to 10 on each of them?
You cannot change the default Cisco configurations. You can use "interface range" to put all ports in a different VLAN in one go. You don't really need to change the Native VLAN on the uplink trunk, so long as the other switch is using the same Native VLAN. If you really want to spare the switch from adding the VLAN tag, you could get creative and do the following (although it's probably not recommended).
Leave all access ports in VLAN 1. Leave the Native VLAN at its default (VLAN 1). On the uplink switch, set the port as a trunk port, and set its Native VLAN to the VLAN you want the lower switch to be a part of. Since the lower switch will send traffic to the upper switch untagged, the upper switch will receive it and associate it with what it considers the Native VLAN.

Frame Tagging
As you now know, you can set up your VLANs to span more than one connected switch. You can see that going on in Figure 11.6, which depicts hosts from two VLANs spread across two switches. This flexible, power-packed capability is probably the main advantage of implementing VLANs, and we can do this with up to a thousand VLANs and thousands upon thousands of hosts!

All this can get kind of complicated, even for a switch, so there needs to be a way for each one to keep track of all the users and frames as they travel the switch fabric and VLANs. When I say "switch fabric," I'm just referring to a group of switches that share the same VLAN information. And this just happens to be where frame tagging enters the scene. This frame identification method uniquely assigns a user-defined VLAN ID to each frame.
Here's how it works: Once within the switch fabric, each switch that the frame reaches must first identify the VLAN ID from the frame tag. It then finds out what to do with the frame by looking at the information in what's known as the filter table. If the frame reaches a switch that has another trunked link, the frame will be forwarded out of the trunk-link port. Once the frame reaches an exit that's determined by the forward/filter table to be an access link matching the frame's VLAN ID, the switch will remove the VLAN identifier. This is so the destination device can receive the frames without being required to understand their VLAN identification information.

Another great thing about trunk ports is that they'll support tagged and untagged traffic simultaneously if you're using 802.1q trunking, which we will talk about next. The trunk port is assigned a default port VLAN ID (PVID) for a VLAN upon which all untagged traffic will travel. This VLAN is also called the native VLAN and is always VLAN 1 by default, but it can be changed to any VLAN number.

Similarly, any untagged or tagged traffic with a NULL (unassigned) VLAN ID is assumed to belong to the VLAN with the port default PVID. Again, this would be VLAN 1 by default. A packet with a VLAN ID equal to the outgoing port native VLAN is sent untagged and can communicate only with hosts or devices in that same VLAN. All other VLAN traffic has to be sent with a VLAN tag to communicate within a particular VLAN that corresponds with that tag.

VLAN Identification Methods

VLAN identification is what switches use to keep track of all those frames as they're traversing a switch fabric. It's how switches identify which frames belong to which VLANs, and there's more than one trunking method.

Inter-Switch Link (ISL)

Inter-Switch Link (ISL) is a way of explicitly tagging VLAN information onto an Ethernet frame. This tagging information allows VLANs to be multiplexed over a trunk link through an external encapsulation method. This allows the switch to identify the VLAN membership of a frame received over the trunked link.

By running ISL, you can interconnect multiple switches and still maintain VLAN information as traffic travels between switches on trunk links. ISL functions at layer 2 by encapsulating a data frame with a new header and by performing a new cyclic redundancy check (CRC). Of note is that ISL is proprietary to Cisco switches and it's used for Fast Ethernet and Gigabit Ethernet links only. ISL routing is pretty versatile and can be used on a switch port, router interfaces, and server interface cards to trunk a server. Although some Cisco switches still support ISL frame tagging, Cisco is moving toward using only 802.1q.

IEEE 802.1q

Created by the IEEE as a standard method of frame tagging, IEEE 802.1q actually inserts a field into the frame to identify the VLAN. If you're trunking between a Cisco switched link and a different brand of switch, you've got to use 802.1q for the trunk to work.
Unlike ISL, which encapsulates the frame with control information, 802.1q inserts an 802.1q field along with tag control information, as shown in Figure 11.7.
For the Cisco exam objectives, it's only the 12-bit VLAN ID that matters. This field identifies the VLAN and can be 2^12, minus 2 for the 0 and 4,095 reserved VLANs, which means an 802.1q tagged frame can carry information for 4,094 VLANs.
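The tag layout described above, as an added example written for this page (it is not the book's code and not Cisco's): a small Python module that packs and unpacks the Tag Control Information, inserts the four-byte tag after the source MAC, and counts the 4,094 assignable VLAN IDs. The sample frame bytes, the function names, and the treatment of VIDs 0 and 4095 as the two reserved values are the example's own assumptions.

```python
"""802.1q tag layout (added example, not the book's code): the 4-byte tag sits
after the source MAC and consists of the TPID 0x8100 followed by the 16-bit
Tag Control Information (TCI) = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
import struct

TPID_8021Q = 0x8100
VID_BITS = 12
RESERVED_VIDS = (0, 0xFFF)  # assumption: 0 = "no VLAN, priority only", 4095 = reserved


def usable_vlan_count() -> int:
    """2^12 minus the two reserved values = 4094 assignable VLAN IDs."""
    return 2 ** VID_BITS - len(RESERVED_VIDS)


def is_assignable_vid(vid: int) -> bool:
    """True for VIDs a port or trunk may actually be configured with (1..4094)."""
    return 0 <= vid < 2 ** VID_BITS and vid not in RESERVED_VIDS


def encode_tci(vid: int, pcp: int = 0, dei: int = 0) -> int:
    """Pack priority (PCP), drop-eligible bit (DEI) and VLAN ID into the 16-bit TCI."""
    if not 0 <= vid < 2 ** VID_BITS:
        raise ValueError(f"VID {vid} does not fit in 12 bits")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP must be 0..7 and DEI must be 0 or 1")
    return (pcp << 13) | (dei << 12) | vid


def decode_tci(tci: int) -> tuple:
    """Inverse of encode_tci: returns (pcp, dei, vid)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def insert_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Return the frame with an 802.1q tag inserted between the source MAC and the EtherType."""
    tag = struct.pack("!HH", TPID_8021Q, encode_tci(vid, pcp, dei))
    return frame[:12] + tag + frame[12:]


def parse_tag(frame: bytes):
    """Return {"pcp", "dei", "vid", "ethertype"} for a tagged frame, or None if it is untagged."""
    if len(frame) < 18:
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None
    pcp, dei, vid = decode_tci(tci)
    return {"pcp": pcp, "dei": dei, "vid": vid, "ethertype": ethertype}


# Constructed sample frame: broadcast dst, locally administered src, IPv4 EtherType, dummy payload
UNTAGGED_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x00" * 46

if __name__ == "__main__":
    tagged = insert_tag(UNTAGGED_FRAME, vid=100, pcp=5)
    print(len(tagged) - len(UNTAGGED_FRAME))  # 4: the tag adds four bytes to the frame
    print(parse_tag(tagged))                   # {'pcp': 5, 'dei': 0, 'vid': 100, 'ethertype': 2048}
    print(parse_tag(UNTAGGED_FRAME))           # None: no TPID at offset 12, so the frame is untagged
    print(usable_vlan_count())                 # 4094
```

The parser keys on the TPID at byte offset 12: anything other than 0x8100 there is treated as a plain EtherType, which is exactly how a switch decides whether a frame on a trunk is tagged or should fall into the native VLAN.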
It works like this: You first designate each port that's going to be a trunk with 802.1q encapsulation. The other ports must be assigned a specific VLAN ID in order for them to communicate. VLAN 1 is the default native VLAN, and when using 802.1q, all traffic for a native VLAN is untagged. The ports that populate the same trunk create a group with this native VLAN and each port gets tagged with an identification number reflecting that. Again the default is VLAN 1. The native VLAN allows the trunks to accept information that was received without any VLAN identification or frame tag.
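The native VLAN and access port behaviour described in the answer at the top of this page (untagged traffic on a trunk landing in the native VLAN, an access port associating its untagged traffic with its configured VLAN, and the answer's "creative" uplink arrangement) and the PVID and null VLAN ID rules in the frame-tagging section above, as one added Python model. It is not code from the original post, the book, or any vendor. The Port class and its fields, the port names, the constructed sample frame, and the decision to drop tagged frames that arrive on an access port are assumptions of the model, not statements about a particular switch.

```python
"""Toy model of 802.1q trunk and access port handling (added example, not from the
original post or the book). Frame layout assumed: 6-byte dst MAC, 6-byte src MAC,
then either an 802.1q tag (TPID 0x8100 + 2-byte TCI) or the EtherType."""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100
VLAN_ID_MASK = 0x0FFF


@dataclass
class Port:
    name: str
    mode: str      # "access" or "trunk" (assumed vocabulary of this model)
    vlan: int = 1  # access VLAN on an access port, native VLAN (PVID) on a trunk; default VLAN 1


def tagged_vlan(frame: bytes):
    """Return the 12-bit VLAN ID from an 802.1q tag, or None when the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & VLAN_ID_MASK if tpid == TPID_8021Q else None


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag (what a switch does before sending out an access link)."""
    return frame[:12] + frame[16:] if tagged_vlan(frame) is not None else frame


def add_tag(frame: bytes, vlan: int) -> bytes:
    """Insert a tag (priority 0, DEI 0) after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan & VLAN_ID_MASK) + frame[12:]


def classify_ingress(port: Port, frame: bytes):
    """VLAN the switch internally associates with a received frame (None = dropped)."""
    vid = tagged_vlan(frame)
    if port.mode == "access":
        # Access ports expect untagged traffic; this model drops tagged frames on them
        # (a simplification of the model, not a claim about any vendor's behaviour).
        return port.vlan if vid is None else None
    # Trunk: untagged frames, and tagged frames carrying the null VID 0, land in the native VLAN (PVID)
    if vid is None or vid == 0:
        return port.vlan
    return vid


def build_egress(port: Port, vlan: int, untagged_frame: bytes):
    """Frame as it leaves `port` for `vlan`, or None if the port does not carry that VLAN."""
    if port.mode == "access":
        return untagged_frame if vlan == port.vlan else None
    # Trunk: traffic in the native VLAN goes out untagged, everything else gets a tag
    return untagged_frame if vlan == port.vlan else add_tag(untagged_frame, vlan)


def forward(ingress: Port, egress: Port, frame: bytes):
    """Receive on one port and emit on another; returns (internal VLAN, egress frame)."""
    vlan = classify_ingress(ingress, frame)
    if vlan is None:
        return None, None
    return vlan, build_egress(egress, vlan, strip_tag(frame))


def native_vlan_mismatch(local: Port, remote: Port) -> bool:
    """True when the two ends of a trunk disagree on the native VLAN: untagged frames
    are then placed in a different VLAN on each side of the link."""
    return local.mode == "trunk" and remote.mode == "trunk" and local.vlan != remote.vlan


# Constructed sample frame: broadcast dst, locally administered src, IPv4 EtherType, dummy payload
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x00" * 46

if __name__ == "__main__":
    # The "creative" arrangement from the answer: the lower switch keeps VLAN 1 everywhere,
    # the upper switch's end of the trunk uses VLAN 10 as its native VLAN.
    lower_uplink = Port("lower-uplink", "trunk", vlan=1)
    upper_downlink = Port("upper-downlink", "trunk", vlan=10)
    vlan, wire = forward(Port("pc", "access", vlan=1), lower_uplink, UNTAGGED)
    print(vlan, wire == UNTAGGED)                  # 1 True: native VLAN traffic leaves untagged
    print(classify_ingress(upper_downlink, wire))  # 10: the upper switch files it under its native VLAN
    print(native_vlan_mismatch(lower_uplink, upper_downlink))  # True: the two ends disagree
```

Running the script shows the lower switch's VLAN 1 traffic leaving its uplink untagged and being classified as VLAN 10 on the upper switch; native_vlan_mismatch flags the disagreement that makes this work, which is why the answer says the two ends of a trunk should normally use the same native VLAN and why an unexpected mismatch is worth checking for on any trunk you inherit.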