Changing Default Native VLAN

Hi,
We are using a CISCO 3750-G Switch as the Core Switch. VLAN1 has been our Native VLAN since the implementation.
This switch is connected to 10 CISCO 2960 Switches by trunk ports. IP addresses for the L2 Switches are assigned from VLAN1 only.
Now I want to change the Default Native VLAN from 1 to some other.
My query is: are there any prerequisites to change the Native VLAN, or can I simply change the Native VLAN ID?
Looking forward to your support.
Regards,
Ramesh Balachandran

Hi Ramesh,
The native VLAN comes into the picture if you use trunks on your switches. Procedure to change the native VLAN:
1) conf ter
    interface <trunk-interface>
    switchport trunk native vlan <vlan-id>
CAUTION: If you change the native VLAN on only one end, spanning-tree for the original native VLAN and the changed native VLAN will go into an inconsistent state and will be blocked.
In the example below, the local end's native VLAN is 2 and the remote end's is 1:
3750#sh spanning-tree int gi1/8
Vlan                Role Sts Cost      Prio.Nbr Type
VLAN0001            Desg BKN*4         128.8    P2p *PVID_Inc
VLAN0002            Desg BKN*4         128.8    P2p *PVID_Inc
Thanks & Regards,
Karthick Murugan
CCIE#39285
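The blocked state Karthick shows above is something you can check for automatically after a native VLAN change. The following is an added example, not code from the thread: it parses the table that "show spanning-tree interface" prints and lists the VLANs a port has put into the BKN* state with the *PVID_Inc reason (a PVST+ port VLAN ID inconsistency, i.e. the two ends of the trunk disagree on the native VLAN). The first two rows of the sample are the ones quoted in the answer; the VLAN0010 row, the "Gi1/8" label and all function names are constructed here.

```python
import re

# Added example (not Karthick's code). Parses the "show spanning-tree interface"
# table IOS prints and pulls out VLANs the switch has put into the "BKN*"
# (broken/blocked) state with the *PVID_Inc reason: a PVST+ port VLAN ID
# inconsistency caused by the two ends of a trunk disagreeing on the native VLAN.

# One data row: VLAN, role, status (a trailing "*" marks an inconsistent port and
# is glued to the cost column in the raw output, e.g. "BKN*4"), cost,
# priority.portnumber and the type column, which carries the reason.
ROW_RE = re.compile(
    r"^(?P<vlan>VLAN\d{4})\s+(?P<role>\w+)\s+(?P<sts>[A-Z]{3})(?P<flag>\*?)\s*"
    r"(?P<cost>\d+)\s+(?P<prio>\d+)\.(?P<nbr>\d+)\s+(?P<type>.*?)\s*$"
)

# Constructed sample: the first two rows are the ones quoted in the answer above
# (native VLAN 2 on this end, 1 on the remote end); the VLAN0010 row is added
# here to show a healthy, forwarding VLAN on the same port.
SAMPLE_OUTPUT = """\
3750#sh spanning-tree int gi1/8
Vlan                Role Sts Cost      Prio.Nbr Type
VLAN0001            Desg BKN*4         128.8    P2p *PVID_Inc
VLAN0002            Desg BKN*4         128.8    P2p *PVID_Inc
VLAN0010            Desg FWD 4         128.8    P2p
"""


def parse_show_spanning_tree_interface(text):
    """Return one dict per VLAN row; the prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "vlan": int(m.group("vlan")[4:]),
            "role": m.group("role"),
            "status": m.group("sts"),
            "inconsistent": m.group("flag") == "*",
            "cost": int(m.group("cost")),
            "priority": int(m.group("prio")),
            "port_number": int(m.group("nbr")),
            "type": m.group("type"),
        })
    return rows


def pvid_inconsistent_vlans(rows):
    """VLANs blocked for a port VLAN ID (native VLAN) inconsistency."""
    return sorted(r["vlan"] for r in rows if "PVID_Inc" in r["type"])


def blocked_vlans(rows):
    """All VLANs in the BKN state on this interface, whatever the reason."""
    return sorted(r["vlan"] for r in rows if r["status"] == "BKN")


def describe(interface, rows):
    """Human-readable verdict for one interface's table."""
    bad = pvid_inconsistent_vlans(rows)
    if not bad:
        return f"{interface}: no native VLAN inconsistency"
    vlans = ", ".join(str(v) for v in bad)
    return (f"{interface}: VLAN(s) {vlans} blocked by PVST+ (*PVID_Inc); "
            "the two ends of this trunk disagree on the native VLAN - "
            "set the same native VLAN on the remote end")


if __name__ == "__main__":
    parsed = parse_show_spanning_tree_interface(SAMPLE_OUTPUT)
    print(describe("Gi1/8", parsed))
```

Run it against the captured output of every trunk after the change; a port that reports both the old and the new native VLAN as *PVID_Inc is exactly the one-ended change the CAUTION above warns about, and it clears on its own once the remote end is set to the same native VLAN.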

Similar Messages

  • Changing the Native VLAN command?

    Can someone please refresh me as to what the command is to change the Native VLAN for the entire switch? (IE: not just on the trunk, I mean the default native for the entire switch). Thanks

    Hi
    While on this topic. I have been trying to trunk to 2960 switches and can't seem to get a proper connection. I am using Packet Tracer. The 1st switch already has a trunk port going to a router, and the router's port is trunked and has sub ints for each of vlans 2 and 3, and each sub trunk has the respective native encap vlan configured. My management vlan is vlan 3. And I don't have an int vlan1, only int vlan 3. The router and the 1st switch work fine. But now I am trying to get another trunk port with the second switch. I configured both ints for trunking using native vlan 1. Now the links are in up state but both ends' LEDs are not green, one is orange. And I have only int vlan 3 as with the other switch and an ip in the same subnet as the management ip but cannot ping. Strange thing: vtp info can pass but no connection to other switch vlans and router etc, only local connectivity. Please help, below are the configs of the router and two switches. It is switch 1 that is giving me beans to connect to the rest.
    Router0
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    service password-encryption
    hostname RouterA
    enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
    username admin secret 5 $1$mERr$vPOtdREpWgzFVVY37SB2h/
    ip name-server 0.0.0.0
    interface Loopback0
    description management
    ip address 192.168.1.1 255.255.255.0
    interface Loopback1
    ip address 192.168.2.1 255.255.255.224
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface FastEthernet0/0.1
    encapsulation dot1Q 1 native
    ip address 192.168.3.1 255.255.255.0
    interface FastEthernet0/0.2
    encapsulation dot1Q 2
    ip address 10.5.0.1 255.255.255.0
    interface FastEthernet0/0.3
    encapsulation dot1Q 3
    ip address 192.168.4.1 255.255.255.0
    interface FastEthernet0/1
    description management
    no ip address
    duplex auto
    speed auto
    interface Serial0/0
    ip address 172.16.1.1 255.255.255.252
    interface Serial0/1
    no ip address
    interface FastEthernet1/0
    no ip address
    duplex auto
    speed auto
    interface FastEthernet1/1
    no ip address
    duplex auto
    speed auto
    router rip
    version 2
    network 172.16.0.0
    network 192.168.1.0
    network 192.168.2.0
    no auto-summary
    ip classless
    access-list 1 permit 192.168.4.0 0.0.0.255
    access-list 1 permit host 192.168.4.2
    line con 0
    line vty 0 4
    access-class 1 in
    password 7 08316C5D1A2E5505165A
    login
    end
    Switch 0 (connected to Router 0)
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    service password-encryption
    hostname SwitchA
    no logging console
    enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
    ip name-server 0.0.0.0
    username admin password 7 08651D0A043C3705561E0B54322E2B3C2B063137324232064274
    spanning-tree portfast default
    interface FastEthernet0/1
    interface FastEthernet0/2
    interface FastEthernet0/3
    interface FastEthernet0/4
    interface FastEthernet0/5
    switchport access vlan 3
    interface FastEthernet0/6
    switchport access vlan 3
    interface FastEthernet0/7
    interface FastEthernet0/8
    interface FastEthernet0/9
    interface FastEthernet0/10
    interface FastEthernet0/11
    interface FastEthernet0/12
    interface FastEthernet0/13
    switchport access vlan 2
    interface FastEthernet0/14
    switchport access vlan 2
    interface FastEthernet0/15
    switchport access vlan 2
    interface FastEthernet0/16
    switchport access vlan 2
    interface FastEthernet0/17
    switchport access vlan 2
    interface FastEthernet0/18
    switchport mode trunk
    interface FastEthernet0/19
    switchport access vlan 2
    switchport mode access
    interface FastEthernet0/20
    switchport access vlan 2
    interface FastEthernet0/21
    switchport access vlan 2
    interface FastEthernet0/22
    switchport mode access
    interface FastEthernet0/23
    switchport access vlan 2
    interface FastEthernet0/24
    switchport mode trunk
    interface GigabitEthernet1/1
    interface GigabitEthernet1/2
    interface Vlan1
    no ip address
    interface Vlan3
    ip address 192.168.4.10 255.255.255.0
    ip default-gateway 192.168.4.1
    access-list 1 permit 192.168.4.0 0.0.0.255
    access-list 1 permit host 192.168.4.1
    line con 0
    line vty 0 4
    access-class 1 in
    password 7 08316C5D1A2E5505165A
    login
    line vty 5 15
    login
    end
    Switch 1 (connected to Switch0) (This is the second switch which I cannot get connected to rest of network properly)
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    hostname Switch
    interface FastEthernet0/1
    interface FastEthernet0/2
    interface FastEthernet0/3
    interface FastEthernet0/4
    interface FastEthernet0/5
    switchport access vlan 3
    interface FastEthernet0/6
    switchport access vlan 3
    interface FastEthernet0/7
    interface FastEthernet0/8
    interface FastEthernet0/9
    interface FastEthernet0/10
    interface FastEthernet0/11
    interface FastEthernet0/12
    interface FastEthernet0/13
    interface FastEthernet0/14
    interface FastEthernet0/15
    interface FastEthernet0/16
    interface FastEthernet0/17
    interface FastEthernet0/18
    switchport mode trunk
    interface FastEthernet0/19
    interface FastEthernet0/20
    interface FastEthernet0/21
    interface FastEthernet0/22
    interface FastEthernet0/23
    interface FastEthernet0/24
    interface GigabitEthernet1/1
    interface GigabitEthernet1/2
    interface Vlan1
    no ip address
    interface Vlan3
    ip address 192.168.4.20 255.255.255.0
    ip default-gateway 192.168.4.1
    line con 0
    line vty 0 4
    login
    line vty 5 15
    login
    end

  • Default/native vlan- voip data question- cisco sf300

    hi everybody,
    I have to set up voip and data vlans on cisco sf 300-24P. I will set up phones over LLDP and
    on the same port (on switch) I will have untagged vlan 10 for data, so PC will be connected
    through IP phones on network.
    So what confuses me that on SF 300 under VLAN mgmt--> Default VLAN settings you got
    options to change default VLAN id (which is of course VLAN1) which will be active after reboot.
    How come you can change the default vlan? Isn't the default vlan always vlan 1, and you can
    change the native vlan to be something else, let's say vlan 10, which will be the untagged vlan for data?
    So what is best practice: should I just leave default vlan 1 and use it for data also, or should I
    change it to, let's say, VLAN 10 to be native and use it for data?
    And what will be with default VLAN 1 if I change it with above mentioned procedure?
    Thx!

    Hi,
    Best Practice is to leave Vlan 1 for management purposes only. Create yourself a DATA and VOICE vlan. Usually the Management vlan does not have DHCP enabled and you have to statically assign a PC within your management vlan for access. I would say that it really depends on how the rest of your network is configured, depending on the configuration of the switch now. Unless this is a clean install.
    Hope this helps,
    Jasbryan

  • Changing native vlan

    Is there a good reason to change the default native vlan 1 between two 802.1Q trunks? And is there a rule regarding best practices? thanks.

    With 802.1q trunking, the only significance of the native vlan is the fact that it is not tagged. Most administrators default to vlan 1, but others vary.
    It's discussed in the best practices document, but there's no specific best practice for Native Vlan, as changing it does not have any bearing on network performance or stability. It does talk about the significance of Vlan 1, which may be of interest.
    http://www.cisco.com/en/US/customer/products/hw/switches/ps663/products_tech_note09186a0080094713.shtml
    HTH,
    Bobby

  • 1410 native vlan Change

    I need to use vlans in a 1410 bridge environment and I need to change the default native vlan too. The question is: what happens to the BVI1 interface, since this one is associated with the native vlan? Is it automatically associated with the new native vlan? Will I need to create a new interface? What about the connectivity? (This radio does not have a console port.) I would like to make all changes via CLI.

    You can configure multiple VLANs on the Wireless bridge using the GUI, you do not need CLI or console access to configure VLANs. Here is a good document which explains how to configure VLANs on Bridges.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#vlanbr

  • Changing native vlan on running network

    I want to change the native vlan on a running network. The network includes 30 switches. There is a loop-free topology.
    Unfortunately the native vlan is vlan 1 and also the management network.
    In my test environment:
    if I go to a switch and change the native vlan from 1 to 100, the stp will block the link for vlan 1 and I lose my access to the switch, and then I should go to the other side and change the native vlan to 100.
    I just want to know the best practice for this situation.
    Thanks !

    Correct. As soon as you change it to 100, you will lose access to the devices since vlan 1 is used for management. To shorten the downtime, you can create vlan 100 and all the SVIs on all switches ahead of time and then change it from 1 to 100 in a maintenance window.
    HTH

  • Various questions on uplink profiles, CoS, native VLAN, downlink trunking

    I will be using vPC End Host Mode with MAC-pinning. I see I can further configure MAC-Pinning. Is this required or will it automatically forward packets by just turning it on? Is it also best not to enable failover for the vnics in this configuration? See this text from the Cisco 1000V deployment Guide:
    Fabric Fail-Over Mode
    "Within the Cisco UCS M71KR-E, M71KR-Q and M81KR adapter types, the Cisco Unified Computing System can
    enable a fabric failover capability in which loss of connectivity on a path in use will cause remapping of traffic
    through a redundant path within the Cisco Unified Computing System. It is recommended to allow the Cisco Nexus
    1000V redundancy mechanism to provide the redundancy and not to enable fabric fail-over when creating the
    network interfaces within the UCS Service Profiles. Figure 3 shows the dialog box. Make sure the Enable Failover
    checkbox is not checked."
    What is the 1000V redundancy?? I didn't know it has redundancy. Is it the MAC-Pinning set up in the 1000V? Is it Network State Tracking?
    The 1000V has redundancy and we can even pin VLANs to whatever vNIC we want. See Cisco's Best Practices for Nexus 1000V and UCS.
    Nexus1000V management VLAN. Can I use the same VLAN for this and for ESX-management and for Switch management? E.g VLan 3 for everything.
    According to the below text (1000V Deployment Guide), I can have them all in the same vlan:
    There are no best practices that specify whether the VSM
    and the VMware ESX management interface should be on the same VLAN. If the management VLAN for
    network devices is a different VLAN than that used for server management, the VSM management
    interface should be on the management VLAN used for the network devices. Otherwise, the VSM and the
    VMware ESX management interfaces should share the same VLAN.
    I will also be using CoS and QoS to prioritize the traffic. The CoS can either be set in the 1000V (Host control Full) or per virtual adapter (Host control none) in UCS. Since I don't know how to configure CoS on the 1000V, I wonder if I can just set it in UCS (per adapter) as before when using the 1000V, i.e. we have 2 choices.
    Yes, you can still manage CoS using QoS on the vnics when using 1000V:
    The recommended action in the Cisco Nexus 1000V Series is to assign a class of service (CoS) of 6 to the VMware service console and VMkernel flows and to honor these QoS markings on the data center switch to which the Cisco UCS 6100 Series Fabric Interconnect connects. Marking of QoS values can be performed on the Cisco Nexus 1000V Series Switch in all cases, or it can be performed on a per-VIF basis on the Cisco UCS M81KR or P81E within the Cisco Unified Computing System with or without the Cisco Nexus 1000V Series Switch.
    Something else: Native VLANs
    Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is set up. Why? I have been advised to leave out the native VLAN.
    Example: Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (Eg. VLAN 2)? Can I just configure an access port with the same VLAN ID as the native VLAN, i.e. 2, and connect to it with a PC using the same IP network address?
    And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
    What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
    No, port channel should not be configured when MAC-pinning is configured.
    [Robert] The VSM doesn't participate in STP so it will never send BPDU's. However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter. PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDU's from VMs. I prefer to ignore them than using BPDU Guard - which will shut down the interface if BPDU's are received.
    -Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
    Edit: 26 July 14:23. Found answers to many of my many questions...

    Answers inline.
    Atle Dale wrote:
    Something else: Native VLANs
    Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is set up. Why? I have been advised to leave out the native VLAN.
    [Robert] The native VLAN is assigned per hop. This means between the 1000v Uplinks port profile and your UCS vNIC definition, the native VLAN should be the same. If you're not using a native VLAN, the "default" VLAN will be used for control traffic communication. The native VLAN and default VLAN are not necessarily the same. Native refers to VLAN traffic without an 802.1q header and can be assigned or not. A default VLAN is mandatory. This happens to start as VLAN 1 in UCS but can be changed. The default VLAN will be used for control traffic communication. If you look at any switch (including the 1000v or Fabric Interconnects) and do a "show int trunk" from the NXOS CLI, you'll see there's always one VLAN allowed on every interface (by default VLAN 1) - This is your default VLAN.
    Example: Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (Eg. VLAN 2)? Can I just configure an access port with the same VLAN ID as the native VLAN, i.e. 2, and connect to it with a PC using the same IP network address?
    [Robert] There's no VLAN 0. An access port doesn't use a native VLAN - as it's assigned only to a single VLAN. A trunk on the other hand carries multiple VLANs and can have a native vlan assigned. Remember your native vlan usage must be matched between each hop. Most network admins set up the native vlan to be the same throughout their network for simplicity.
    In your example, you wouldn't set your VM's port profile to be in VLAN 0 (doesn't exist), but rather VLAN 2 as an access port. If VLAN 2 also happens to be your Native VLAN northbound of UCS, then you would configure VLAN 2 as the Native VLAN on your UCS ethernet uplinks. On the switch northbound of the UCS Interconnects you'll want to ensure on the receiving trunk interface VLAN 2 is set as the native vlan also.
    Summary:
    1000v - VM vEthernet port profile set as access port VLAN 2
    1000v - Ethernet Uplink Port profile set as trunk with Native VLAN 2
    UCS - vNIC in Service Profile allowing all required VLANs, and VLAN 2 set as Native
    UCS - Uplink Interface(s) or Port Channel set as trunk with VLAN 2 as Native VLAN
    Upstream Switch from UCS - Set as trunk interface with Native VLAN 2
    From this example, your VM will be reachable on VLAN 2 from any device - assuming you have L3/routing configured correctly also.
    And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
    [Robert] This statement recommends "not" to use a native VLAN. This is a practice by some people. Rather than using a native VLAN throughout their network, they tag everything. This doesn't change the operation or reachability of any VLAN or device - it's simply a design decision. The reason some people opt not to use a native VLAN is that almost all switches use VLAN 1 as the native by default. So if you're using the native VLAN 1 for management access to all your devices, and someone connects in (without your knowing) another switch and simply plugs into it - they'd land on the same VLAN as your management devices and potentially do harm.
    What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
    [Robert] On the first generation hardware (6100 FI and 2104 IOM) port channeling is not possible. With the latest HW (6200 and 2200) you can create port channels with all the IOM - FI server links. This is not configurable. You either tell the system to use Port Channel or Individual Links. The major bonus of using a Port Channel is losing a link doesn't impact any pinned interfaces - as it would with individual server interfaces. To fix a failed link when configured as "Individual" you must re-ack the Chassis to re-pin the virtual interfaces to the remaining server uplinks. In regards to 1000v uplinks - the only supported port channeling method is "Mac Pinning". This is because you can't port channel physical interfaces going to separate Fabrics (one to A and one to B). Mac Pinning gets around this by using pinning so all uplinks can be utilized at the same time.
    --
    [Robert] The VSM doesn't participate in STP so it will never send BPDU's. However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter. PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDU's from VMs. I prefer to ignore them than using BPDU Guard - which will shut down the interface if BPDU's are received.
    -Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
    [Robert] The two STP commands would be used only when the VEM (ESX host) is directly connected to an upstream switch. For UCS these two commands do NOT apply.

  • Quesiton about PVID , SA520, Native VLAN

    Is PVID the same thing as "native vlan"? Can the native VLAN be changed on a SA520? Currently I believe it to be 1, I'd like to change the native VLAN to 10.
    I have a scenario where I have a preexisting production LAN of 192.168.1.0/24. It's a small organization (a church), but they purchased 3 Aironet 1130ag units. They want to have a "private" WLAN that is part of 192.168.1.0/24, and a guest WLAN of a different subnet (I chose 192.168.20.0/24). The two should never meet. There will likely never be a guest computer connected via ethernet. Guest computers would always have to connect wirelessly.
    I accomplished this to a point.
    I left VLAN 1 on the SA520 192.168.75.0/24 subnet as default. I created a VLAN 10, 192.168.1.0/24 subnet, and I created a VLAN 20, 192.168.20.0/24 subnet.
    VLAN Recap:
    VLAN 1 , 192.168.75.0/24
    VLAN 10, 192.168.1.0/24
    VLAN 20, 192.168.20.0/24
    Ports 1-3 of the SA520 are members of VLAN 1, 10, and 20 (cannot remove membership of VLAN1, which is pretty annoying).
    The Aironets have been configured correctly.
    SSID: Priv is part of VLAN 10
    SSID: Pub is part of VLAN 20
    Both are secured by WPA, and when I connect, the proper DHCP subnet passes from the firewall through to the wireless client, for each respective SSID.
    Ultimately, I'd like the SBS 2003 server to handle DHCP for VLAN 10, and have the SA520 handle DHCP for VLAN 20, but i'll take what I can get.
    Here's my challenge:
    The original production LAN is connected via an unmanaged switch.
    I'd like to trunk the unmanaged switch to Port 4 on the SA520. However, since the PVID (native vlan?) of the SA520 is 1, and I cannot make Port 4 on the SA520 only a member of VLAN 10, then any traffic coming from the unmanaged switch will automatically be tagged with VLAN1, correct? Thus causing the already existing production network to start receiving DHCP from the firewall in the 192.168.75.0/24 range.
    Any ideas or help on the above?
    What I would do if I had a managed switch on the production LAN:
    If I had a managed switch on the production LAN, what I think I would do is make one port a trunk port, connect that port to Port 4 on the SA520, then make all the rest of the ports on the managed switch access ports, and members of VLAN 10. Am I on the right track there?
    Hiccups when setting up the WAP:
    I would have changed the VLAN 1 on the SA520 to the 192.168.1.0/24 subnet, and only created a second subnet, but there was a challenge with that and the WAPs.
    Cannot change the VLAN the dot11radio0 is a part of. There's no encapsulation command.
    Could not broadcast the SSIDs successfully and secure via WPA unless the SSIDs were on VLANs other than 1. The dot11radio0 would go into a "reset" state.
    Could change the VLAN the subinterfaces of dot11radio0 were on, for example dot11radio0.10 is a member of VLAN 10. Dot11radio0.20 is a member of VLAN2.
    In any event, it's working, but the rest of the infrastructure is the challenge.
    Here's one of my WAP configs as an example:
    Building configuration...
    Current configuration : 2737 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname WAP2
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
    no aaa new-model
    no ip domain lookup
    dot11 syslog
    dot11 ssid CASPRIV
       vlan 10
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 107E1B101345425A5D4769
    dot11 ssid CASPUB
       vlan 20
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 132616013B19066968
    username Cisco password 7 0802455D0A16
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 20 mode ciphers aes-ccm
    encryption vlan 10 mode ciphers aes-ccm
    ssid CASPRIV
    ssid CASPUB
    mbssid
    channel 6
    station-role root
    bridge-group 1
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.10
    encapsulation dot1Q 10
    ip address 192.168.1.5 255.255.255.0
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio0.20
    encapsulation dot1Q 20
    ip address 192.168.20.3 255.255.255.0
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    shutdown
    encryption mode ciphers aes-ccm
    ssid CASPRIV
    dfs band 3 block
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface FastEthernet0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    no bridge-group 10 source-learning
    bridge-group 10 spanning-disabled
    interface FastEthernet0.20
    encapsulation dot1Q 20
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface BVI1
    no ip address
    no ip route-cache
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    login local

    Hello Paul,
    You have a lot going on here so forgive me if I miss something.
    PVID is for Primary/Port Vlan ID. It is used to identify the vlan on a port and can be used to change the native vlan of a port. You can change the PVID on port 4 of the SA520 to be vlan 10 if you need to.
    The simplest setup would be for you to have your private network all be on the native vlan 1 and set your guest to be on another vlan. All of this would be possible without any problem on the SA520. Unfortunately I do not have much experience with the Aironet APs but they should allow you to continue this configuration onto the wireless network. For assistance with the Aironet APs I would have to refer you to someone more familiar.
    I do hope this helps with setting your network.

  • Native VLAN 1

    I'm in the process of setting up UCS. The default native vlan has a vlan ID of 1 in UCS. Our native vlan is 1000. So I set up a new vlan with the vlan ID of 1000 and set it as the native VLAN. I cannot delete the VLAN default (1) even though it isn't the native vlan anymore because UCS won't let me. We use VLAN id 1 for some of our corporate servers so I can't create a vlan with that ID without an overlap. Since it's not being used as the native vlan anymore can I go ahead and use VLAN default (1) or is there some issue with me using that vlan?
    Additionally, one other question in regard to the native vlan. I set up another UCS environment and have a few ESXi servers running on it with some active vm's. When I set up UCS I added a vlan for our company's native vlan (vlan id 1000), but I forgot to set it as the Native VLAN. So VLAN default (1) is still listed as the Native VLAN. What implications would there be if I changed the Native VLAN to the vlan I set up (vlan id 1000) while there are running ESXi servers and virtual machines? Neither the ESXi servers nor the vm's are using either one of those vlans in service profiles and vnic templates.

    Russ,
    VLAN 1 can't be pruned from your uplinks; it's one of those caveats. We strongly discourage the use of VLAN 1 anywhere in your network as it presents a security risk. (Since VLAN 1 exists on every switch by default, it's hard to block access to devices using that VLAN.)
    You can still use VLAN 1 even if it's not set as the native - no problem there. Just take note that VLAN 1 is not eligible for Disjoint L2 configuration and will always be allowed on all uplinks. If you don't have any disjoint L2 networks - then it's no problem for you.
    When you talk about the Native VLAN be careful. If things are working as they are with VLAN 1 as the native vlan, changing it could impact your hosts if they need to communicate to other northbound devices. I really try to caution people against using Native VLANs at all. You're blindly sending untagged packets, and relying on the upstream L2 device to decide which VLAN to put the traffic onto. Native VLANs can change from hop to hop also so it opens up the door for VLAN mismatching. You're far better off to TAG EVERYTHING - so there's no concern of native VLANs getting mixed up anywhere.
    Regards,
    Robert

  • Native VLAN on Cisco Switches

    I have a question regarding the default native vlan. I have a cisco based environment and I set vlan XXX as native on trunk links. I am also running Multiple Spanning Tree on my switches & create instances for vlan segregation.
    My question here is: could I put vlan 1 (default) in any of the instances or not?
    Thanks & Regards,

    With MST, it is not running per VLAN spanning tree, it sends all BPDUs via instance 0 which is called the CIST. These frames are sent untagged via the native VLAN. Normally this is VLAN 1 but if you change it to another VLAN then the BPDUs are sent untagged on that native VLAN.
    Regarding whether to use instance 0 or not, it is often recommended to create as many instances as you need to create the desired topology (usually two) and put your VLANs in those instances. It's a good practice to map all your VLANs straight away because changing the instance to VLAN mapping makes the MST region become multi region until they all have the same instance to VLAN mapping.
    I would keep all VLANs out of instance 0 but it's definitely possible to have VLANs mapped in instance 0 as well.
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.

  • Native Vlan Mismatch message

    Hi All,
    I am connecting a 2950 switch port to a 6505 switch port; both ports are in trunking mode and allowing only one vlan on both.
    On 6505 switch I set as follows:-
    enable> set trunk 2/23 700
    enable> set trunk 2/23 nonegotiate dot1q.
    On 2950 I set it as follows:
    (conf)int f0/23
    switchport mode trunk
    switchport trunk Native vlan 700
    switchport nonegotiate
    When I issue show logging, I noticed the (Native Vlan mismatch).
    When I change the switch port config on 2950 to the following it doesn't work:-
    int f0/23
    switchport mode trunk
    switchport trunk allowed vlan 700
    switchport nonegotiate
    When I did the above, the traffic is discarded and subnets on the Core 6505 couldn't access subnets on their remote locations.
    Could anybody tell me the reason for that, and why I am getting the Native message? As well as why it works only if I set the 2950 switch port to (trunk Native vlan ,,,, or ,,,, access mode).
    thanks...

    Hi Friend,
    On the Cat6k, though you have configured it as a trunk and allowed only vlan 700, the native vlan is still 1 by default.
    And you have configured on the 2950 native vlan as 700.
    So what I will suggest is to change the native vlan on the Cat6k switch also to vlan 700.
    How you can do this on catos is
    set vlan 700 2/23
    Now what this will do is on the Cat6k it will make vlan 700 native on the trunk, and you can keep the config on the 2950 the same:
    (conf)int f0/23
    switchport mode trunk
    switchport trunk Native vlan 700
    switchport nonegotiate
    Or if you just want to get rid of the error message and keep the config as it was earlier, you can also disable CDP at the interface level.
    HTH, if yes please rate the post.
    Ankur

  • VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1

    Hi All,
    L2 security documents suggest avoiding vlan 1 and tagging all frames with vlan IDs using the global configuration of vlan dot1q. Other Cisco non-security documents suggest using switchport trunk native vlan #, which removes any vlan tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using vlan 1 to tighten L2 security. When vlan 1 is removed from all trunked uplinks, user access ports are other than vlan 1, and no spanning-tree vlan 1 operations exist, what is the native vlan 1 actually used for? The output of show interface gi0/1 trunk shows the native vlan as 1.
    Thanks,
    HC

    Hi HC,
    The command "switchport trunk native vlan" is used to define the native (untagged) vlan on a dot1q link. The default is 1, but you can change it to anything you like. But it only changes the native vlan; all the other vlans on the trunk are of course tagged (and it only applies to dot1q, as ISL "tags/encapsulates" all the vlans). The command "vlan dot1q tag native" is mostly used in dot1q-in-dot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. That's something mostly service providers offer to their customers. There it is important that there is no untagged traffic, as that would not work with dot1q-in-dot1q. This command tags the native vlan traffic, and drops all traffic which is not tagged.
    What is the native VLAN for? Switches send control PDUs such as STP, CDP or VTP over the native VLAN.
    If you don't happen to be a service provider for L2 metropolitan Ethernet, you won't need the "vlan dot1q tag native" command. For my part I'm trying not to use vlan 1 everywhere in my campus, because it gives a huge spanning-tree topology and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degraded. I try to keep VLANs as small as possible and to have as much L3 separation as possible; that's good for the stability!
    Simon
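    The two posts above (Robert's "tag everything, avoid VLAN 1" advice and the "vlan dot1q tag native" versus "switchport trunk native vlan" discussion) describe the checks a config review would make on trunk ports. The script below is an added example, not code from the thread or from Cisco; it audits a constructed IOS running-config text for the three conditions those posts name: a trunk whose native VLAN is still 1, VLAN 1 left in the allowed list, and a native VLAN that also carries user access ports (the unused-VLAN recommendation). It also reports the absence of the global "vlan dot1q tag native" as an informational item, with Simon's caveat that the command is mainly seen in QinQ deployments. Interface names, VLAN numbers and both configs are constructed for the example; only the simple "switchport trunk allowed vlan <list>" form is parsed, not the "add"/"remove" variants.

```python
import re

# Constructed sample configs (not from any device in the thread): a weak
# trunk configuration beside a hardened one, for the audit below to compare.
WEAK_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1,10,20
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
!
"""

HARDENED_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-20
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
!
"""


def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [indented sub-commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def expand_vlan_list(spec):
    """Expand '1,10-12,20' into {1, 10, 11, 12, 20}; 'all' is every VLAN id."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, 4095))
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def audit_config(config):
    """Return a list of human-readable findings for the trunk ports in config."""
    findings = []
    interfaces = parse_interfaces(config)
    tag_native = any(l.strip() == "vlan dot1q tag native" for l in config.splitlines())
    # VLANs that carry user traffic on access ports; the native VLAN should be none of them
    access_vlans = set()
    for cmds in interfaces.values():
        for cmd in cmds:
            m = re.match(r"switchport access vlan (\d+)$", cmd)
            if m:
                access_vlans.add(int(m.group(1)))
    trunks = {n: c for n, c in interfaces.items() if "switchport mode trunk" in c}
    for name, cmds in trunks.items():
        native = 1                       # IOS default when no native vlan is configured
        allowed = expand_vlan_list("all")  # IOS default: all VLANs allowed
        for cmd in cmds:
            m = re.match(r"switchport trunk native vlan (\d+)$", cmd)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan ([\d,\-]+|all|none)$", cmd)
            if m:
                allowed = expand_vlan_list(m.group(1))
        if native == 1:
            findings.append(f"{name}: native VLAN is 1 (default); move it to an unused VLAN")
        if 1 in allowed:
            findings.append(f"{name}: VLAN 1 is allowed on the trunk; prune it where the platform permits")
        if native in access_vlans:
            findings.append(f"{name}: native VLAN {native} also carries user access ports; "
                            "untagged frames would land in a user VLAN")
    if trunks and not tag_native:
        findings.append("global: 'vlan dot1q tag native' is absent, so native-VLAN frames cross trunks untagged")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or ["no findings"])
```

    Run against the weak config the audit reports five items (two on each trunk plus the global one); the hardened config, with native VLAN 999 on both trunks, VLAN 1 pruned and the native VLAN tagged, produces none.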

  • %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi26.

    Hello everyone,
    I have a SonicWall firewall with 6 vlans and 3 Cisco sg28 switches connected to it. Everything is working fine, but I see I have these warnings in the log files of all three switches.
    I just need to know the best way to resolve this..
    The first switch is the "core" switch and the other two are connected to it in a star pattern.
    Sonicwall--switch1.101.1----switch 101.10
                                          |
                                          |
                                          switch 101.20
    So core switch 101.1 has default vlan set to 100  which is the default lan on the sonicwall that it is connected to. There are no devices in .100
    switch 101.10 has default vlan set to 1
    switch 101.20 has default vlan set to 1
    switch 101.1 is seeing these warnings..
    2147483643
    2014-Apr-01 19:33:08
    Warning
    %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi27.      
    2147483644
    2014-Apr-01 19:30:52
    Warning
    %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi26.     
    switch 101.10 is seeing these warnings;
    %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi52.        
     port gi52 is connecting to switch 101.1
    switch 101.20 is seeing these warnings;
    %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi27.
     port gi27 is connected to switch 101.1
    Thanks!

    Hi,
     Yes, in this case you can change the native vlan on that switch with the command (config-if)#switchport trunk native vlan #; there is no need to reboot the switch in order for the change to take effect.
    Regards,
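    The warnings in this thread, like the 2950/Cat6k mismatch earlier on the page, tell you which local port saw the mismatch but not which native VLAN the far end is using, so resolving them means pairing each warning with an inventory of the trunk ends. The script below is an added example, not code from the thread or from Cisco: it parses both the SG-series message format shown above and the IOS-format message (which already names both ends and both VLAN ids), joins the SG warnings with a constructed link inventory, and prints the one-line fix from the reply above. The inventory is an assumption: the post says gi52 of switch 101.10 and gi27 of switch 101.20 face switch 101.1, but not which of gi26/gi27 on 101.1 each one reaches, so that mapping and the "sw-ios-*" hostnames are constructed. Where one end still uses VLAN 1, the suggested fix moves that end to the other side's native VLAN, following the advice elsewhere on the page to get off VLAN 1.

```python
import re

# Constructed sample log lines (hostname prefix added for a syslog collector).
# The first four follow the SG-series format quoted in the thread; the last
# follows the IOS %CDP-4-NATIVE_VLAN_MISMATCH format, which names both ends.
LOG_LINES = [
    "switch101.1 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi27.",
    "switch101.1 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi26.",
    "switch101.10 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi52.",
    "switch101.20 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi27.",
    "sw-ios-1 %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    "GigabitEthernet0/1 (1), with sw-ios-2 GigabitEthernet0/2 (700).",
    "switch101.1 %LINK-I-Up: gi26",  # unrelated line, ignored by the parser
]

# Constructed link inventory (assumption: which 101.1 port faces which switch).
LINKS = {}
for a, b in [(("switch101.1", "gi26"), ("switch101.10", "gi52")),
             (("switch101.1", "gi27"), ("switch101.20", "gi27"))]:
    LINKS[a], LINKS[b] = b, a

# Native VLAN per trunk end, as the thread describes (core on 100, others on 1).
NATIVE = {("switch101.1", "gi26"): 100, ("switch101.1", "gi27"): 100,
          ("switch101.10", "gi52"): 1, ("switch101.20", "gi27"): 1}

SG_RE = re.compile(r"^(?P<host>\S+) %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch "
                   r"detected on interface (?P<iface>\S+?)\.?$")
IOS_RE = re.compile(r"^(?P<host>\S+) %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch "
                    r"discovered on (?P<iface>\S+) \((?P<vlan>\d+)\), with "
                    r"(?P<peer>\S+) (?P<peer_iface>\S+) \((?P<peer_vlan>\d+)\)\.?$")


def parse_mismatch(line):
    """Return the mismatch event in one log line, or None if the line is unrelated."""
    line = line.strip()
    m = IOS_RE.match(line)
    if m:
        return {"host": m["host"], "iface": m["iface"], "vlan": int(m["vlan"]),
                "peer": m["peer"], "peer_iface": m["peer_iface"],
                "peer_vlan": int(m["peer_vlan"])}
    m = SG_RE.match(line)
    if m:
        return {"host": m["host"], "iface": m["iface"], "vlan": None,
                "peer": None, "peer_iface": None, "peer_vlan": None}
    return None


def suggest_fix(a, a_vlan, b, b_vlan):
    """Pick the end to change: prefer moving the side still on default VLAN 1."""
    if a_vlan == b_vlan:
        return "native VLANs agree; stale warning or CDP neighbour changed"
    if a_vlan == 1 and b_vlan != 1:
        return f"{a[0]} interface {a[1]}: switchport trunk native vlan {b_vlan}"
    if b_vlan == 1 and a_vlan != 1:
        return f"{b[0]} interface {b[1]}: switchport trunk native vlan {a_vlan}"
    return "neither end uses VLAN 1; choose one native VLAN and set it on both ends"


def correlate(lines, links, native):
    """Map each warning to a link, state both native VLANs, and suggest a fix.

    Both ends of a trunk usually log the same mismatch, so reports are keyed by
    the unordered pair of ends to collapse the two warnings into one record."""
    reports = {}
    for line in lines:
        ev = parse_mismatch(line)
        if ev is None:
            continue
        end = (ev["host"], ev["iface"])
        if ev["peer"]:  # IOS message carries both ends and both VLAN ids
            far = (ev["peer"], ev["peer_iface"])
            local_vlan, far_vlan = ev["vlan"], ev["peer_vlan"]
        else:           # SG message: look the far end up in the inventory
            far = links.get(end)
            if far is None:
                continue  # unknown link; leave for manual review
            local_vlan, far_vlan = native.get(end), native.get(far)
        key = tuple(sorted([end, far]))
        if key not in reports:
            reports[key] = {"a": end, "a_vlan": local_vlan, "b": far, "b_vlan": far_vlan,
                            "fix": suggest_fix(end, local_vlan, far, far_vlan)}
    return list(reports.values())


if __name__ == "__main__":
    for r in correlate(LOG_LINES, LINKS, NATIVE):
        print(f"{r['a']} (native {r['a_vlan']}) <-> {r['b']} (native {r['b_vlan']}): {r['fix']}")
```

    With the constructed inventory the four SG warnings collapse into two links and the IOS line into a third, each with the interface-level command to align the end that is still on VLAN 1.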

  • Switchport trunk native vlan question...

    What am I missing in regards to the following two lines assigned to a sw interface:
    switchport trunk native vlan 80
    switchport mode trunk
    Why assign a VLAN to the port when you're trunking it (meaning you're allowing all VLANs to pass)?
    Thank you.

    By default the native VLAN is VLAN 1, but it can be changed to any number on the trunk port by the command "switchport trunk native vlan #". This will make the new vlan # native & allow all packets from this vlan to pass through the trunk untagged.
    Native VLANs are used to carry CDP, PAgP & VTP messages. Thus the frames on the native VLAN are untagged. For these messages to propagate between devices, native VLANs must match on both sides of the trunk. In case of a native VLAN mismatch on both sides of the trunk, STP will put the trunk port in err-disabled state.

  • About the Native Vlan and Management Vlan.

    I wanted to know whether the Management vlan and Native vlan can be different vlan ids, or whether both should be the same vlan id. Why should the native vlan not be 1?

    The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
    It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
    Native Vlan is the vlan which will be sent untagged even in Trunk links. Consider a Trunk link configured between two switches SWA and SWB, if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles accordingly. By default native vlan is 1, this can also be changed as per requirement.
    Example: In the below figure, if an IP phone and a system are connected to a switch port as below, the phone will send its frames tagged with vlan 10 whereas the frames sent by the system will be untagged. So here the corresponding switch port should be configured with native vlan 20, so that it can recognise and handle the frames from the system and the IP phone properly.
    [figure: IP phone and PC connected to the same switch port; image not preserved]
    Management vlan is different; it means that this vlan will be used for management purposes like logging into the switch for management, monitoring the switch, collecting syslog and SNMP traps, etc., which will be done by the management vlan IP. This is also by default vlan 1 in Cisco. So as Antony said, it is always a best practice and security measure to not use the default vlan and use custom vlans.
    Hope this helps !
