Does the dot1q native VLAN need to be defined on the switch?

I understand the issues with using VLAN 1 as the native VLAN on a dot1q trunk. I follow best practices and change the native VLAN to a VLAN that does not carry any other traffic (switchport trunk native vlan x). I usually go a step further and do not define the VLAN in the switch configuration. This way if traffic bleeds into the native VLAN because it is untagged then it cannot go anywhere.   So if I use VLAN 999 as the native VLAN, I do not create VLAN 999 on the switch.   I’m curious if anyone else does this or if there are any thoughts on whether this is a good or bad practice? 

If you are tagging your native VLAN but do not have that VLAN in the vlan database - it makes no difference if the VLAN exists or not in my opinion. All the vlans on your trunks would be tagged anyway.
It seems like a clever idea, but not sure if it provides any benefit.

Similar Messages

  • Question about the dot1q native vlan

    On a dot1q trunk, the switch can send untagged frames in the native vlan and tagged frames in the other vlans.
    Both end switches know the native vlan id, but firstly, the receiving switch must determine which frame type(tagged or untagged) the frame is.
    How does the peer switch determine whether the received frame is tagged or untagged? There are no bits in the frame header, in either frame format (Ethernet or dot1q), indicating "I am untagged" or "I am tagged".
    In other words, after a frame is received, how does the receiving switch make certain that the two bytes after the source MAC address are a TPID field (dot1q tag) and not a Type/Length field (untagged Ethernet frame), or vice versa?

    If the frame's Type/Length field value equals 0x8100, then a TPID field will follow.
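The check described in the answer above, written out as an added example (not code from the original post): a receiving switch has no "tagged" flag to look at; it reads the two bytes after the source MAC and, if they are a known TPID (0x8100 for an 802.1Q customer tag, 0x88A8 for the 802.1ad service tag used in QinQ), treats the next two bytes as the TCI and repeats. The first value that is not a TPID is the real Type/Length field. The parser also walks nested tags, which is what makes a double-tagged frame visible. The sample frames are constructed for the example.

```python
"""Decide whether an Ethernet frame is tagged or untagged the way a
dot1q-capable switch does: by inspecting the two bytes after the source MAC.
Added example; the frame bytes below are constructed, not captured."""
import struct
from dataclasses import dataclass
from typing import List

TPID_C_TAG = 0x8100   # IEEE 802.1Q customer tag
TPID_S_TAG = 0x88A8   # IEEE 802.1ad service tag (provider bridges / QinQ)
TAG_TPIDS = {TPID_C_TAG, TPID_S_TAG}


@dataclass
class Tag:
    tpid: int
    pcp: int    # priority code point (CoS), 3 bits
    dei: int    # drop eligible indicator, 1 bit
    vid: int    # VLAN ID, 12 bits


@dataclass
class Frame:
    dst: str
    src: str
    tags: List[Tag]   # outermost first; an empty list means untagged
    ethertype: int    # the Type/Length field of the encapsulated frame
    payload: bytes


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """After dst/src, keep consuming 4-byte tags while the next two bytes are a
    TPID.  The first non-TPID value is the real Type/Length field."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac_str(raw[0:6]), mac_str(raw[6:12])
    off = 12
    tags: List[Tag] = []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated Type/Length field")
        (tl,) = struct.unpack_from("!H", raw, off)
        if tl not in TAG_TPIDS:
            break                      # plain Type/Length: no (more) tags
        if off + 4 > len(raw):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        tags.append(Tag(tpid=tl, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF))
        off += 4
    return Frame(dst, src, tags, tl, raw[off + 2:])


def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Inverse of parse_frame; used only to construct the sample frames."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_C_TAG, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames (addresses and VLAN numbers are made up)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200c0ffee01")
ARP = 0x0806
UNTAGGED = build_frame(DST, SRC, [], ARP, b"\x00" * 28)
TAGGED_1621 = build_frame(DST, SRC, [1621], ARP, b"\x00" * 28, pcp=5)
DOUBLE = build_frame(DST, SRC, [999, 10], ARP, b"\x00" * 28)  # outer 999, inner 10

if __name__ == "__main__":
    for name, raw in [("untagged", UNTAGGED), ("tagged", TAGGED_1621), ("double", DOUBLE)]:
        f = parse_frame(raw)
        print(f"{name:9s} tags={[t.vid for t in f.tags]} ethertype={f.ethertype:#06x}")
```

Note that 0x8100 and 0x88A8 can never be the length of an 802.3 frame (lengths are below 1536) and are reserved as ethertypes, which is exactly why the switch can use them as a discriminator.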

  • 1240 AP does not honor native VLAN different from 1

    Hi,
    I stumbled on a crazy issue and hope someone has an idea what is going wrong.
    I have an older 1240 autonomous AP where I cannot figure out why the device is using VLAN 1 instead of the required VLAN 1616 for management traffic.
    Anyway, clients can connect, get IP addresses and traffic is routed, but the AP can be managed only via a serial console cable or temporarily by configuring
    the port on the 3750 from trunk to an access port.
    1240 config:
    version 12.4
    hostname ap
    dot11 mbssid
    dot11 ssid vlan1621
       vlan 1621
    dot11 ssid vlan1630
       vlan 1630
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan 1621 mode ciphers aes-ccm
     encryption vlan 1630 mode ciphers aes-ccm tkip
     ssid vlan1621
     ssid vlan1630
     station-role root
     no cdp enable
    interface Dot11Radio0.21
     encapsulation dot1Q 1621
     no ip route-cache
     bridge-group 21
    interface Dot11Radio0.30
     encapsulation dot1Q 1630
     no ip route-cache
     bridge-group 30
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    interface FastEthernet0.16
     encapsulation dot1Q 1616 native
     no ip route-cache
     bridge-group 1
    interface FastEthernet0.21
     encapsulation dot1Q 1621
     no ip route-cache
     bridge-group 21
    interface FastEthernet0.30
     encapsulation dot1Q 1630
     no ip route-cache
     bridge-group 30
    interface BVI1
     ip address 192.168.16.11 255.255.255.0
     ip helper-address 192.168.18.20
     no ip route-cache
    ip default-gateway 192.168.16.1
    bridge 1 route ip
    3750g config:
    interface GigabitEthernet1/0/39
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 1616
     switchport trunk allowed vlan 1616-1630
     switchport mode trunk
     switchport nonegotiate
    Changing the bridge-group on the fa0.16 subinterface from 1 to anything different was also without success.
    tested 1240 firmware: c1240-k9w7- 123-8.JA2 / 124-25d.JA1 / 124-25d.JA2

    Hi
    I have applied your config onto a 1252 AP directly connected to a 3560 switch as shown below, and the config works as expected.
    +++++++ Switch Config ++++++
    vlan 1616,1621,1630
    interface GigabitEthernet0/1
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 1616
     switchport trunk allowed vlan 1616-1630
     switchport mode trunk
    interface Vlan1616
     ip address 192.168.16.1 255.255.255.0
    ++++++++++ AP Config ++++++++++
    dot11 ssid vlan1621
       vlan 1621
    dot11 ssid vlan1630
       vlan 1630
    interface Dot11Radio0
     encryption vlan 1621 mode ciphers aes-ccm
     encryption vlan 1630 mode ciphers aes-ccm tkip
     ssid vlan1621
     ssid vlan1630
    interface Dot11Radio0.21
     encapsulation dot1Q 1621
     bridge-group 21
    interface Dot11Radio0.30
     encapsulation dot1Q 1630
     bridge-group 30
    interface GigabitEthernet0.16
     encapsulation dot1Q 1616 native
     bridge-group 1
    interface GigabitEthernet0.21
     encapsulation dot1Q 1621
     bridge-group 21
    interface GigabitEthernet0.30
     encapsulation dot1Q 1630
     bridge-group 30
    interface BVI1
     ip address 192.168.16.11 255.255.255.0
    ip default-gateway 192.168.16.1
    AAP1#ping 192.168.16.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
    If it does not work for you, I would check that VLAN 1616 is available on all your switches up to the one where the SVI for VLAN 1616 is defined.
    In your case, is interface vlan 1616 defined on the switch the AP is directly connected to?
    HTH
    Rasika
    **** Pls rate all useful responses ****


  • VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1

    Hi All,
    L2 security documents suggest avoiding VLAN 1 and tagging all frames with VLAN IDs using the global configuration of vlan dot1q. Other Cisco non-security documents suggest using switchport trunk native vlan #, which removes any VLAN tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # command are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using VLAN 1 to tighten L2 security. When VLAN 1 is removed from all trunked uplinks, user access ports are in a VLAN other than VLAN 1, and no spanning-tree VLAN 1 operations exist, what is the native VLAN 1 actually used for? The output of show interface gi0/1 trunk shows the native VLAN as 1.
    Thanks,
    HC

    Hi HC,
    the command "switchport trunk native vlan" is used to define the native (untagged) VLAN on a dot1q link. The default is 1, but you can change it to anything you like. But it only changes the native VLAN; all the other VLANs on the trunk are of course tagged (and it only applies to dot1q, as ISL tags/encapsulates all the VLANs). The command "vlan dot1q tag native" is mostly used in dot1q-in-dot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. That's something mostly service providers offer to their customers. There it is important that there is no untagged traffic, as that would not work with dot1q-in-dot1q. This command tags the native VLAN traffic and drops all traffic which is not tagged.
    What is the native VLAN for? Switches send control PDUs such as STP, CDP or VTP over the native VLAN.
    If you don't happen to be a service provider for L2 metropolitan Ethernet, you won't need the "vlan dot1q tag native" command. For my part, I'm trying not to use VLAN 1 everywhere in my campus, because it gives a huge spanning-tree topology, and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degraded. I try to keep VLANs as small as possible and to have as much L3 separation as possible; that's good for stability!
    Simon

  • SG-300 52P PoE and the case of the native VLAN forgotten on a port-channel

    Hi
    We have recently changed our access switches to Cisco Small Business SG-300 52P, running firmware
    SW version    1.3.5.58
    We found a very annoying problem with port-channels and the default VLAN.
    Our switches have a default VLAN different from VLAN 1 that depends on the floor they are on, and this native VLAN is first defined on the port-channel of our central switch, a Cisco 3750.
    Example of a central switch port-channel with a defined native VLAN:
    interface Port-channel2
    description TO 1F
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 6
    switchport trunk allowed vlan 4-6,11,13
    switchport mode trunk
    On the SG300 side the configuration is this:
    interface Port-channel2
    description 1F
    switchport trunk allowed vlan add 4-5,11,13
    !next command is internal.
    macro auto smartport dynamic_type switch
    As you can see there is no "switchport trunk native vlan 6", simply because once I write it on the SG300 command line, it accepts the command but the command is not written to the config (why?!).
    The result is that every time the SG300 is restarted, I get two AUTO-CREATED commands on the port-channel configuration:
    switchport trunk native vlan 1
    switchport default-vlan tagged
    which stop the network on that floor from working until I manually write on the SG300
    no switchport default-vlan tagged
    switchport trunk native vlan 6
    These commands, as said, work once I write them but are not shown in a "sh run" and so are not saved to the config, so every time the SG300 is restarted I need to re-write them.
    Is this a bug?
    Have I made some mistake?
    Please let me know.
    regards
    Pietro

    Figured it out!
    The problem was the macro; I had to write this:
    macro auto processing type switch disabled
    and then everything started working as it should.
    Regards
    Pietro

  • Why dot1Q doesn't tag native vlan?

    Why dot1Q doesn't tag native vlan?
    Is there any reason? Or Is there any advantage with this ?
    Regards,
    Chandu

    Chandu
    The native vlan is there to support connectivity to switches that do not support vlan tagging so that if the switch on the other end of the link cannot interpret frames with vlan tags added it can still process the non tagged native vlan packets.
    Nowadays most, if not all, switches do understand VLAN tagging, so it is very rare that you need it for its original purpose, and on a lot of Cisco switches you can in fact tell the switch to tag the native VLAN as well.
    Jon

  • %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi26.

    Hello everyone,
    I have a SonicWall firewall with 6 VLANs and 3 Cisco SG28 switches connected to it. Everything is working fine, but I see these warnings in the log files of all three switches.
    I just need to know the best way to resolve this.
    The first switch is the "core" switch and the other two are connected to it in a star pattern.
    Sonicwall--switch1.101.1----switch 101.10
                                          |
                                          |
                                          switch 101.20
    So core switch 101.1 has its default VLAN set to 100, which is the default LAN on the SonicWall that it is connected to. There are no devices in .100.
    Switch 101.10 has its default VLAN set to 1.
    Switch 101.20 has its default VLAN set to 1.
    Switch 101.1 is seeing these warnings:
    2147483643
    2014-Apr-01 19:33:08
    Warning
    %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi27.
    2147483644
    2014-Apr-01 19:30:52
    Warning
    %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi26.
    Switch 101.10 is seeing these warnings:
    %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi52.
    Port gi52 is connected to switch 101.1.
    Switch 101.20 is seeing these warnings:
    %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi27.
    Port gi27 is connected to switch 101.1.
    Thanks!

    Hi,
    Yes, in this case you can change the native VLAN on that switch with the command (config-if)#switchport trunk native vlan #; there is no need to reboot the switch for the change to take effect.
    Regards,

  • (Another) Native VLAN tagging question..

    I have completed CCNA 3 course and am in 4 right now. I am still confused about VLAN native commands such as
    sw tr na vl xxx
    When this is on a trunk port, what does it mean?
    Thanks....

    "So does that mean that before the packet goes onto the trunk link it is put into the native VLAN then when it exits the trunk link (on the other side) it is stripped of the VLAN info? "
    No, what your prior quotation described is what a switch should do with untagged frames received on a port defined as a VLAN trunk.
    The VLAN tag informs the switch what VLAN a frame belongs to when it is received on a VLAN trunk port, but without such a tag, how does the switch know the intended VLAN? It doesn't, from the frame itself. So, we can often configure a trunk port to place any untagged frames into one VLAN of our choice. In theory, once we define what VLAN untagged frames will be considered a member of, tagged frames for that VLAN could also be accepted. Both should be treated the same by the receiving switch.
    As for a switch sending packets out a VLAN trunk, normally you would expect all packets to be VLAN tagged, although a switch might support sending one particular VLAN's frames without tags to support a device, such as the PC described in your quotation, that doesn't understand how to process, or expect, tagged frames.
    If you're wondering how this all came to be, consider a PC that knows nothing about VLAN tags connected to an IP phone which does (and which connects to the network), and you want to place the two devices on different VLANs. As the PC traffic transits the phone, the phone could, in theory, wrap/unwrap the PC traffic with VLAN tags when talking to the network switch. However, if the phone fails, you can design the IP phone hardware to keep the link good from the PC to the network, but then the IP phone's PC VLAN processing would be lost. For that reason, and because we might want to add/remove an IP phone "in front" of the PC, we want to continue to support untagged frames to/from the PC.
    Although the frames to the PC are untagged, since we can configure per port which VLAN untagged frames are considered part of, we can have different PCs (on different ports) in different VLANs on the switch. (This is very similar to port-based VLANs, but instead of being limited to one logical VLAN per port, we're limited to one untagged VLAN per port but can have multiple tagged VLANs per port.)

  • H-REAP Native VLAN

    In reading the design guides I see that I have to use the Native vlan to send all the CAPWAP traffic for the AP in H-REAP mode. I normally place an unused VLAN as the native vlan to prevent VLAN hopping. How can I do this with the H-REAP AP?

    I'm not quite following your concern...
    An AP, Local or HREAP mode, is only able to communicate via its Native Vlan.  Whatever you define on the switchport as the native vlan, that is the vlan your AP will technically reside in.   Any other vlans you trunk in will be used for client access if configured (and hreap).
    So although I don't think I'm following exactly what you're asking, I think I'm answering it
    Bottom line, whatever you define as the "Native Vlan" on the switchport, that is the vlan of your AP.... no way around this as far as I know.



  • Does the native VLAN need to be added to the allowed VLAN list?

    If I configured the port like this:
    switchport trunk native vlan 10
    switchport trunk allowed vlan 11,12"
    is VLAN 10 allowed to pass? Or does VLAN 10 still need to be added to the allowed VLAN list, like this:
    switchport trunk native vlan 10
    switchport trunk allowed vlan 10,11,12"
    Thanks

    Yes, you can remove the native VLAN from the list, and it does prevent the native VLAN from traversing the trunk. That is, if you look at the spanning tree for the native VLAN, the trunk will be absent from the list of ports on the VLAN.
    The question of untagged frames is a different one. There are some control protocols, particularly link-local ones, that are sent untagged, and these will traverse the trunk regardless. However, they are not considered part of the native VLAN spanning tree as such.
    But beware: there is a bug in earlier IOS and in all CatOS switches! If you use a non-1 VLAN as your trunk native VLAN, and you disallow it from the trunks, and there are no other ports carrying that native VLAN, then the spanning tree for that VLAN shuts down. That is fair enough. But the bug is that the spanning tree for VLAN 1 also breaks down, sending your network into meltdown.
    Kevin Dorrell
    Luxembourg
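An added example (not code from any of the posts) that models the trunk-port decisions discussed in this thread and in the opening question at the top of the page: untagged frames are placed in the native VLAN on ingress, the native VLAN leaves untagged on egress, and a VLAN is only carried if it is both in the allowed list and defined on the switch. The same model shows why people move the native VLAN away from user traffic: a frame that enters the native VLAN still carrying an inner 802.1Q tag is sent untagged across the first trunk, so the next switch sees only the inner tag and delivers it into that VLAN (the double-tagging form of VLAN hopping). Turning on `vlan dot1q tag native` or never creating the native VLAN both stop that hop. The ingress/egress rules are a simplification of the IOS behaviour described in the thread, not Cisco code; untagged link-local control protocols (Kevin's second point) are not modelled, and the VLAN numbers are constructed.

```python
"""Model of dot1q trunk ingress/egress policy: native VLAN, allowed list,
VLAN database and 'vlan dot1q tag native'.  Added example; simplified model
of the behaviour described in the thread, not vendor code."""
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Tuple


@dataclass
class Frame:
    tags: List[int]           # VLAN tags outermost first; [] == untagged on the wire
    payload: str = "data"


@dataclass
class Trunk:
    """One dot1q trunk port.  native = 'switchport trunk native vlan',
    allowed = 'switchport trunk allowed vlan', vlan_db = VLANs that exist on
    the switch ('vlan N'), tag_native = 'vlan dot1q tag native'."""
    native: int
    allowed: Set[int]
    vlan_db: Set[int]
    tag_native: bool = False

    def active(self, vlan: int) -> bool:
        # a VLAN is carried only if it is both allowed on the trunk and defined
        return vlan in self.allowed and vlan in self.vlan_db

    def ingress(self, wire: Frame) -> Tuple[Optional[int], Optional[Frame]]:
        """Classify a received frame.  Returns (vlan, frame as seen inside that
        VLAN) or (None, None) when the frame is dropped."""
        if not wire.tags or wire.tags[0] == 0:
            # untagged, or priority-tagged with VID 0 (modelled like untagged):
            # belongs to the native VLAN, unless tag-native is on, then dropped
            if self.tag_native:
                return None, None
            vlan, inner = self.native, replace(wire, tags=wire.tags[1:])
        else:
            # the outer tag names the VLAN; any further tags are just payload
            vlan, inner = wire.tags[0], replace(wire, tags=wire.tags[1:])
        if not self.active(vlan):
            return None, None
        return vlan, inner

    def egress(self, vlan: int, inner: Frame) -> Optional[Frame]:
        """Send a frame that lives in `vlan`.  The native VLAN leaves untagged
        unless tag_native is set; every other VLAN gets its tag pushed on."""
        if not self.active(vlan):
            return None
        if vlan == self.native and not self.tag_native:
            return replace(inner, tags=list(inner.tags))   # inner tags now outermost
        return replace(inner, tags=[vlan] + list(inner.tags))


def double_tag_hop(sw1: Trunk, sw2: Trunk, attacker_vlan: int, victim_vlan: int):
    """A host already inside attacker_vlan (the native VLAN) sends a frame that
    still carries an inner tag for victim_vlan.  SW1 forwards it in its own
    VLAN out the trunk; SW2 classifies whatever arrives on the wire."""
    inner = Frame(tags=[victim_vlan], payload="crafted")
    on_wire = sw1.egress(attacker_vlan, inner)
    if on_wire is None:
        return None, None            # SW1 could not forward it at all
    return sw2.ingress(on_wire)


# --- constructed scenarios (VLAN numbers made up for the example) ----------
DB = {10, 20, 999}
# default: native 999 defined and allowed, native left untagged
weak = Trunk(native=999, allowed={10, 20, 999}, vlan_db=DB)
# hardened 1: native VLAN tagged on both ends ('vlan dot1q tag native')
tagged = Trunk(native=999, allowed={10, 20, 999}, vlan_db=DB, tag_native=True)
# hardened 2: native VLAN never created (the practice in the opening question)
undefined = Trunk(native=999, allowed={10, 20, 999}, vlan_db={10, 20})
# native VLAN removed from the allowed list (Kevin's answer above)
not_allowed = Trunk(native=999, allowed={10, 20}, vlan_db=DB)

if __name__ == "__main__":
    print("weak        :", double_tag_hop(weak, weak, 999, 10))            # lands in VLAN 10
    print("tag native  :", double_tag_hop(tagged, tagged, 999, 10))        # stays in VLAN 999
    print("undefined   :", double_tag_hop(undefined, undefined, 999, 10))  # never forwarded
    print("not allowed :", not_allowed.ingress(Frame(tags=[])))            # untagged dropped
```

In the weak configuration the crafted frame arrives at the second switch as a plain VLAN 10 frame; with tag-native it arrives as [999, 10] and stays inside 999, and with the native VLAN undefined the first switch has no active VLAN to forward it in. This is the reasoning behind the opening question; whether a given platform really drops untagged frames when the native VLAN is absent from the VLAN database should be confirmed on that platform (with `show interfaces trunk`) rather than assumed.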

  • If VLAN 1 is the native VLAN, then does that mean there can only be one?

    If VLAN 1 is native, does that mean that when you assign another VLAN to be native, VLAN 1 is no longer native and the other VLAN is? Meaning you can only have one?

    Let us start by being clear that the concept of native vlan is related to a particular interface doing trunking. If you have two interfaces doing trunking it is quite possible that the first one would have vlan 1 as native and the other one might have vlan 2 as native.
    On a particular interface doing trunking it is quite true that there can be only a single native vlan for that trunk.
    HTH
    Rick

  • The old native vlan question....

    Topic came up during troubleshooting a 3524XL sw.
    I think my understanding of the native vlan concept is wrong.
    I thought that on a trunk port (Cisco device) any packet traversing a trunk link (a dot1q trunk, that is) has a VLAN tag applied on the egress port. As an untagged packet arrives on the port (prior to being sent out over the trunk), it is tagged with the native VLAN (if it is not associated with any other VLAN), then sent out the (egress) trunked port.
    But lately I have been reading that
    "A native vlan is the untagged vlan on an 802.1q trunked switchport. The native vlan and management vlan could be the same, but it is better security practice that they aren't. Basically if a switch receives untagged frames on a trunkport, they are assumed to be part of the vlan that are designated on the switchport as the native vlan. Frames egressing a switchport on the native vlan are not tagged. This is the definition however more recent switch software often will allow you to tag all of the frames, even those in the native vlan. This gives some added security and allows the CoS bits to be carried between switches even on the native vlan. Let me know if you need further clarification."
    From : https://learningnetwork.cisco.com/thread/8721
    So this tells me that you can have a packet traversing a dot1q link without a VLAN tag; then, when it arrives on the other end, it is put into whatever VLAN is configured as the native VLAN there. Is this correct?
    If so, and a packet can traverse a trunk link without a VLAN tag applied, how does a switch detect (on ingress) a native VLAN mismatch?
    Thanks!

    Hi,
    It's correct; the native VLAN is not tagged by default on the trunk link, but some platforms let you tag all traffic, even the native VLAN.
    The native vlan mismatch is detected through cdp.
    Regards.
    Alain.
    Don't forget to rate helpful posts.
