Native VLAN and the "Black Hole"
While reviewing the configuration of a network that I'm supporting, it seems that the original design of the network has the black hole VLAN as the native VLAN. At the least this seems incorrect, and possibly very dangerous, but I'm not exactly sure why or how to articulate that. Can someone confirm or deny this suspicion?
In addition, I had two further questions regarding the practice of using a black hole VLAN:
1. If you have any unused ports, it seems more practical to just admin down these ports instead of creating an unused VLAN. Is there some added advantage to ALSO putting these ports in an unused VLAN (e.g. 999)? If the port was needed, you can simply admin up the port, during which time you could also change any needed VLAN configurations. In other words, you'd have to log into the device and make changes whether you went with the admin down method, the Black Hole VLAN method, or both. So what's the point?
2. Assuming you do use the Black Hole VLAN as an added security method, I feel that including that VLAN in the "switchport trunk allowed vlan" command is counterproductive, but I'm not fully able to articulate why. Can someone help me with this?
Thanks for any information or suggestions that you may have.
Assuming you mean a vlan for unused ports when you refer to a black hole vlan. If so the key things are -
a) that vlan does not have a L3 vlan interface (SVI) for it as there is no need to route it
b) any unused ports are shutdown
if you follow the above then I can't see the danger in using the native vlan but I wouldn't do it regardless of that. I would have a dedicated native vlan and a separate vlan for unused ports.
To my mind there should be no ports allocated to the native vlan (other than trunk ports obviously).
The benefit of using a dedicated vlan for unused ports is -
a) it provides an additional level of security. People make mistakes and having to do multiple things to enable a port requires more attention than simply doing a "no shut" on the interface.
The more attention someone is paying the more likely they will get it right or at least the less likely they will make a mistake.
b) if you don't use an unused vlan you are leaving all the ports in the default vlan which is vlan 1 and this should be avoided as this vlan is overused already eg. switch control plane traffic is sent on this vlan for example and often the switch management interfaces are in this vlan.
As far as allowing the unused vlan on trunk links it is totally unnecessary and in fact you really don't want to do that. The idea of the unused vlan is for non communication so it would make no sense to allow it on trunk links.
In my last place of work we used vlan 998 as the unused vlan and vlan 999 as the native vlan.
Neither had an SVI for it.
If by black hole vlan you meant something else then please clarify.
Jon
Similar Messages
-
WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan
Hi
We have app. 1500 accespoints in app. 500 locations. WLCs are WiSM2s running 7.4.110.0. The AP are 1131LAPs.In a FlexConnect configuration we use vlan 410 as native vlan and the ssid (LAN) also in vlan 410. This works fine, never had any problems with this.
Now we have started use 1602 APs and the client connection on ssid LAN becomes unstable.
If we configure an different ssid, using vlan 420 and native vlan as 410, everything works fine.
I can't find any recommandations regarding the use of native vlan/ssid vlan
Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug wittin 1602 accespoints?
Regards,
Lars ChristianIt is the recomended design to put FlexConnect AP mgt into native vlan & user traffic to a tagged vlan.
From the QoS perspective if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than native vlan) & trust CoS on the switch port connected to FlexConnect AP (usually configured as trunk port)
HTH
Rasika
**** Pls rate all useful responses **** -
About the Native Vlan and Management Vlan.
I wanted to know that Management vlan and Native vlan can be different vlan id or both should be same vlan id. Why should not be native vlan 1.
The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
Native Vlan is the vlan which will be sent untagged even in Trunk links. Consider a Trunk link configured between two switches SWA and SWB, if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles accordingly. By default native vlan is 1, this can also be changed as per requirement.
Example: In the below figure if a IP phone and system are connected toa switch port as below, the the Phones will send its frames tagged with vlan 10 where as the frames sent by system will be untagged. So here the the corresponding switch port should be configured as native vlan 20. So that it can recognise and handle the frames from system and IP phone properly.
a
Management vlan is different, it means that this vlan will be used for management purposes like Logging into the switch for management, Monitoring the switch,collecting Syslog ans SNMP traps, etc will be done by management vlan IP. This also by default vlan 1 in cisco. So as Antony said the it is always a Best practice and security measure to not use the default vlan and use custom vlans.
Hope this helps ! -
Will we get The Black Hole soundtrack that is on the US Itunes in the UK???
As usual the UK version of Itunes is way behind the US one. They seem to have a far better database of film music than the UK one. Will we be getting the Black Hole soundtrack that has recently been posted on the US store?
Sorry, but we're all just your fellow users here and have no way of knowing what may or may not appear in an given country's iTunes Store. You can submit suggestions for the iTunes Music Store through the feedback page (make sure you clearly specify which country's iTunes Store you're referring to). Whether or not your suggestion will ever be acted upon will depend on a number of factors, some out of Apple's control (to start with, the artists and record companies have to be willing to license the tracks to Apple for your country), so don't expect instant action.
Forum Tip: Since you're new here, you've probably not discovered the Search feature available on every Discussions page, but next time, it might save you time (and everyone else from having to answer the same question multiple times) if you search a couple of ways for a topic, both in the relevant forums, in the User Tips Library and in the Apple Knowledge Base before you post a question.
Regards. -
Hi!
I have a particular installation on a customer site.
The management vlan is the number 1 (which is the native vlan) for the whole network and all the switches tag the native vlan.
So when I plug my AP on a port of a switch configured in trunk mode, it doesn't work.
How can I resolve this issue?
ThanksYes, you can specify the native VLAN, though I am not sure if that will enable tagging of that VLAN or not. You might have to try it yourself to see. See the following link for pictures of the pages in question.
http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#t12
Because I think it will require a reboot after enabling HREAP but before setting up VLAN support, you might need to set it as an access port while making the changes.
1. Do not use VLANs for your H-REAP deployment and set the access point switch ports as Access ports in the VLAN you want your users to be in. The AP will need an IP in the user VLAN, but that is not usually a problem. If you do not need multiple user VLANs from different SSIDs, this will be the easiest option.
2. Disable native VLAN tagging for the ports with APs with the command I listed above. -
VLAN trunking, native vlan and management vlan
Hello all,
In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
We have an uplink which is trunked using .1Q. Our access ports has the data vlan as the native. Based on our design, what should be the native vlan for this uplink trunk? Should it be the management vlan or the data vlan? Thanks for your help.To answer this question you must remember what the native vlan is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the vlan that is configured for the port. Traffic for the voice vlan is an exception to this general rule.
Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
Regards,
Leo -
VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1
Hi All,
L2 security documents suggest to avoid using vlan1 and tagging all frames with vlan IDs using the global configuration of vlan dot1q. Other Cisco non-security documents suggest using the switchport trunk native vlan # which removes any vlan tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using vlan 1 to tighten L2 security. When vlan 1 is removed from all trunked uplinks, user access ports are other than vlan 1, and no spanning-tree vlan 1 operations exists, what is the native vlan 1 actually used for?. The output of show interface gi0/1 trunk shows the native vlan as 1.
Thanks,
HCHi HC,
the command "switchport trunk native vlan" is used to define the native (untagged vlan) on a dot1q link. The default is 1, but you can change it to anyting you like. But it does only change the native vlan, all the others vlan on the trunk are of course tagged (and it only applies to dot1q, as ISL "taggs/encapsulates" all the vlans). The command "vlan dot1q tag native" is mostly used in dot1qindot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. Thats something mostly service Providers offer to there customers. There it is important that there is no untagged traffic, as that would not work with dot1qindot1q. This command tagges the native vlan traffic, and drops all traffic which is not tagged.
Whatfor is the native VLAN? Switches send control PDU such as STP,CDP or VTP over the native VLAN.
If you don't happen to be a service Provider for L2 metropolitan Ethernet, you wan't need the "vlan dot1q tag native" command. For my part I'm trying not to use vlan 1 everywhere in my campus, because it gives a huge spanningtree topology and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degradet. I try to keep Vlan's a small as possible and to have as much L3 separaton as possible, that's good for the stability!
Simon -
Native VLAN and Trunks on Bridges
I have a need for different Native VLANs on the radio side and the ethernet side. Can this be done on the non-root 1410 bridge?
The radio native VLAN is to support the management on teh 1410 bridges. I also need to attach a single device from another VLAN on the non-root bridge and I do not want to have to put in a switch just to break out that needed VLAN.The bridge supports only one SSID. You should assign the SSID to the native VLAN
1.Create subinterfaces on the radio and Ethernet interfaces.
2. Enable 802.1q encapsulation on the subinterfaces and assign one subinterface as the native VLAN.
3. Assign a bridge group to each VLAN.
4. (Optional) Enable WEP on the native VLAN.
5. Assign the bridge's SSID to the native VLAN.
To assign an SSID to a VLAN and how to enable a VLAN on the bridge radio and Ethernet ports
For further information click this link.
http://www.cisco.com/en/US/docs/wireless/bridge/1400/12.3_8_JA/configuration/guide/p38vlan.html -
Whats difference between native vlan and pvid
whats difference between native vlan and pvid ?
Hi,
a port VLAN ID is the assigned VLAN of an access-port.
The native VLAN is used in a trunk. A trunk is used to connect another switch or a device which belongs to more than 1 VLAN. Since a standard ethernet frame doesn't provide a field to distinguish VLANs, a special field is inserted, this is called "tagging". Nevertheless, frames belonging to the native VLAN are transmitted without such a tag (in other words: the ethernet frames are not modified). In this way, traffic forwaring is possible in the native VLAN even when the trunk is not working correctly.
In theory, when you would connect a trunkport from one switch to an accessport of another, communication for the native VLAN would be possible. In such a scenario, the native VLAN-ID doesn't have to match the PVID. Hope, this isn't to confusing.
You can find more details in discussion https://learningnetwork.cisco.com/thread/8721#39225
Regards,
Rolf -
Hi, I'd like to put a black and white effect on my colour footage which will look really sharp but which also looks bright so the whites look bright and the blacks look very dark . Any tips of which best effects to use to achieve this look in Prem Pro. Thanks
Under the Effects-Lumetri Looks-Desaturation choose a B and W effect. Then add the luma corrector from the Video effects-colour correction section. Adjust the brightness and contrast to get the effect you want.
-
How can I buy apple watch for the space black stainless steel case and the black sport band for one order?
Unfortunately no. I asked the same question when I went to the local Apple Store for my "try on" and as of now you would have to order the watch with the metal link band and the black sports band separately.
-
Wireless AP native vlan and switch trunk
Hi,
I am unable to ping my ap, i think it is due to the multiple vlan issues, can provide some advise, my config for the ap and switch is as below
AP Config
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hostname
logging rate-limit console 9
enable secret 5 $1$ZxN/$eYOf/ngj7vVixlj.wjG2G0
no aaa new-model
ip cef
dot11 syslog
dot11 ssid Personal
vlan 2
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 070E26451F5A17113741595D
crypto pki token default removal timeout 0
username Cisco password 7 1531021F0725
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
stbc
beamform ofdm
station-role root
no dot11 extension aironet
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
no dfs band block
stbc
beamform ofdm
channel dfs
station-role root
interface Dot11Radio1.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio1.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
interface GigabitEthernet0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.1.100 255.255.255.0
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
password 7 01181101521F
login
transport input all
end
Switch Port config
interface FastEthernet1/0/10
switchport trunk native vlan 100
switchport mode trunkI will re-check the routing again but could it be some bridging issues ?
interface GigabitEthernet0
no ip address
duplex auto
speed auto
**** unable to put up this command on the giga port
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
I try to put this command on the gigaethernet port but it does not allow me, could this be the bridging issue ? -
Hi Folks,
I am having a doubt with native Vlan in trunk ports.
In a topology of 3 switches. Switch A is connected with switchB and SwitchC on uplinks. Can I configure the different native vlans for 2 different trunk for switch A.
Like I am having 3 vlan,s configured in switch A with VTP domain transparent(1,500,900-Vlans configured). Same configuration is there in B & C too.
So can we use 999 as a native vlan for trunk between A&B and native vlan 1 for trunk configured between A&C.yes possible, if specific reasons. Already discussed several times on this forum. Pls refer this link:
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe4e88 -
Oracle RAC Interconnect, PowerVM VLANs, and the Limit of 20
Hello,
Our company has a requirement to build a multitude of Oracle RAC clusters on AIX using Power VM on 770s and 795 hardware.
We presently have 802.1q trunking configured on our Virtual I/O Servers, and have currently consumed 12 of 20 allowed VLANs for a virtual ethernet adapter. We have read the Oracle RAC FAQ on Oracle Metalink and it seems to otherwise discourage the use of sharing these interconnect VLANs between different clusters. This puts us in a scalability bind; IBM limits VLANs to 20 and Oracle says there is a one-to-one relationship between VLANs and subnets and RAC clusters. We must assume we have a fixed number of network interfaces available and that we absolutely have to leverage virtualized network hardware in order to build these environments. "add more network adapters to VIO" isn't an acceptable solution for us.
Does anyone know if Oracle can afford any flexibility which would allow us to host multiple Oracle RAC interconnects on the same 802.1q trunk VLAN? We will independently guarantee the bandwidth, latency, and redundancy requirements are met for proper Oracle RAC performance, however we don't want a design "flaw" to cause us supportability issues in the future.
We'd like it very much if we could have a bunch of two-node clusters all sharing the same private interconnect. For example:
Cluster 1, node 1: 192.168.16.2 / 255.255.255.0 / VLAN 16
Cluster 1, node 2: 192.168.16.3 / 255.255.255.0 / VLAN 16
Cluster 2, node 1: 192.168.16.4 / 255.255.255.0 / VLAN 16
Cluster 2, node 2: 192.168.16.5 / 255.255.255.0 / VLAN 16
Cluster 3, node 1: 192.168.16.6 / 255.255.255.0 / VLAN 16
Cluster 3, node 2: 192.168.16.7 / 255.255.255.0 / VLAN 16
Cluster 4, node 1: 192.168.16.8 / 255.255.255.0 / VLAN 16
Cluster 4, node 2: 192.168.16.9 / 255.255.255.0 / VLAN 16
etc.
Whereas the concern is that Oracle Corp will only support us if we do this:
Cluster 1, node 1: 192.168.16.2 / 255.255.255.0 / VLAN 16
Cluster 1, node 2: 192.168.16.3 / 255.255.255.0 / VLAN 16
Cluster 2, node 1: 192.168.17.2 / 255.255.255.0 / VLAN 17
Cluster 2, node 2: 192.168.17.3 / 255.255.255.0 / VLAN 17
Cluster 3, node 1: 192.168.18.2 / 255.255.255.0 / VLAN 18
Cluster 3, node 2: 192.168.18.3 / 255.255.255.0 / VLAN 18
Cluster 4, node 1: 192.168.19.2 / 255.255.255.0 / VLAN 19
Cluster 4, node 2: 192.168.19.3 / 255.255.255.0 / VLAN 19
Which eats one VLAN per RAC cluster.Thank you for your answer!!
I think I roughly understand the argument behind a 2-node RAC and a 3-node or greater RAC. We, unfortunately, were provided with two physical pieces of hardware to virtualize to support production (and two more to support non-production) and as a result we really have no place to host a third RAC node without placing it within the same "failure domain" (I hate that term) as one of the other nodes.
My role is primarily as a system engineer, and, generally speaking, our main goals are eliminating single points of failure. We may be misusing 2-node RACs to eliminate single points of failure since it seems to violate the real intentions behind RAC, which is used more appropriately to scale wide to many nodes. Unfortunately, we've scaled out to only two nodes, and opted to scale these two nodes up, making them huge with many CPUs and lots of memory.
Other options, notably the active-passive failover cluster we have in HACMP or PowerHA on the AIX / IBM Power platform is unattractive as the standby node drives no resources yet must consume CPU and memory resources so that it is prepared for a failover of the primary node. We use HACMP / PowerHA with Oracle and it works nice, however Oracle RAC, even in a two-node configuration, drives load on both nodes unlike with an active-passive clustering technology.
All that aside, I am posing the question to both IBM, our Oracle DBAs (whom will ask Oracle Support). Typically the answers we get vary widely depending on the experience and skill level of the support personnel we get on both the Oracle and IBM sides... so on a suggestion from a colleague (Hi Kevin!) I posted here. I'm concerned that the answer from Oracle Support will unthinkingly be "you can't do that, my script says to tell you the absolute most rigid interpretation of the support document" while all the time the same document talks of the use of NFS and/or iSCSI storage eye roll
We have a massive deployment of Oracle EBS and honestly the interconnect doesn't even touch 100mbit speeds even though the configuration has been checked multiple times by Oracle and IBM and with the knowledge that Oracle EBS is supposed to heavily leverage RAC. I haven't met a single person who doesn't look at our environment and suggest jumbo frames. It's a joke at this point... comments like "OMG YOU DON'T HAVE JUMBO FRAMES" and/or "OMG YOU'RE NOT USING INFINIBAND WHATTA NOOB" are commonplace when new DBAs are hired. I maintain that the utilization numbers don't support this.
I can tell you that we have 8Gb fiber channel storage and 10Gb network connectivity. I would probably assume that there were a bottleneck in the storage infrastructure first. But alas, I digress.
Mainly I'm looking for a real-world answer to this question. Aside from violating every last recommendation and making oracle support folk gently weep at the suggestion, are there any issues with sharing interconnects between RAC environments that will prevent it's functionality and/or reduce it's stability?
We have rapid spanning tree configured, as far as I know, and our network folks have tuned the timers razor thin. We have Nexus 5k and Nexus 7k network infrastructure. The typical issues you'd fine with standard spanning tree really don't affect us because our network people are just that damn good. -
I said it all in the header. All the screen components that usually look pale grey look a bit pinkish, and the inages and text discolor when I scrook. This is especially noticeable with text, which goes from black to dark red and back to black when scrolling stops.
I usually use the MBB with a separate monitor, so I hadn't noticed this until today and don't know when it started.
I suspect this means a defect in the display.Start Firefox in [[Safe Mode]] to check if one of your add-ons is causing your problem (switch to the DEFAULT theme: Tools > Add-ons > Themes).
See [[Troubleshooting extensions and themes]] and [[Troubleshooting plugins]]
If it does work in Safe-mode then disable all your extensions and then try to find which is causing it by enabling one at a time until the problem reappears.
You can use "Disable all add-ons" on the [[Safe mode]] start window to disable all extensions.
You have to close and restart Firefox after each change via "File > Exit" (Mac: "Firefox > Quit"; Linux: "File > Quit")
Maybe you are looking for
-
After setting up my 6510e photosmart all computers are able to print ---laptop, netbook and my iPhone can eprint. However, my desktop PC will only print once the printer sleeps (white light is dim) after I completely shut off the printer and then re
-
Hi, How can we transfer stock from vendor to our plant? Movement type 501 cannot be used. Also, 101 movement type cannot be used since the material has not been provided to vendor using 541 mvt type. Thanks in advance.
-
Handling Items which are Subscription Based?
Does anyone know a good way to handle subscription based items? I have a client which sells newspaper subscriptions among other products. Any ideas on how to handle the yearly subscriptions?
-
Windows 2008 R2 IPSEC fails if NAT involved
I'm deploying a project that includes an IPSEC Tunnel between Windows servers, through a NAT Firewall. When both servers were windows 2003, this worked fine. We have had to migrate to Win2k8R2, and now the tunnel is established, but no traffic flows
-
Hi Friends If more than one dialog instance can be installed in a computer? I have installed a sap system(abap stack), central instance and dialog instance are in the same server. the dialog instance has started up, but I can't see the dialog instanc