Native vlans and tagging

Similar Messages

• Native Vlan and tagging

  Hi!
  I have a particular installation on a customer site.
  The management vlan is the number 1 (which is the native vlan) for the whole network and all the switches tag the native vlan.
  So when I plug my AP on a port of a switch configured in trunk mode, it doesn't work.
  How can I resolve this issue?
  Thanks

  Yes, you can specify the native VLAN, though I am not sure if that will enable tagging of that VLAN or not. You might have to try it yourself to see. See the following link for pictures of the pages in question.
  http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#t12
  Because I think it will require a reboot after enabling HREAP but before setting up VLAN support, you might need to set it as an access port while making the changes.
  1. Do not use VLANs for your H-REAP deployment and set the access point switch ports as Access ports in the VLAN you want your users to be in. The AP will need an IP in the user VLAN, but that is not usually a problem. If you do not need multiple user VLANs from different SSIDs, this will be the easiest option.
  2. Disable native VLAN tagging for the ports with APs with the command I listed above.

• WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

  Hi
  We have app. 1500 accespoints in app. 500 locations. WLCs are WiSM2s running 7.4.110.0. The AP are 1131LAPs.In a FlexConnect configuration we use vlan 410 as native vlan and the ssid (LAN) also in vlan 410. This works fine, never had any problems with this.
  Now we have started use 1602 APs and the client connection on ssid LAN becomes unstable.
  If we configure an different ssid, using vlan 420 and native vlan as 410, everything works fine.
  I can't find any recommandations regarding the use of native vlan/ssid vlan
  Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug wittin 1602 accespoints?
  Regards,
  Lars Christian

  It is the recomended design to put FlexConnect AP mgt into native vlan & user traffic to a tagged vlan.
  From the QoS perspective if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than native vlan) & trust CoS on the switch port connected to FlexConnect AP (usually configured as trunk port)
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Whats difference between native vlan and pvid

                     whats difference between native vlan and pvid ?

  Hi,
  a port VLAN ID is the assigned VLAN of an access-port.
  The native VLAN is used in a trunk. A trunk is used to connect another switch or a device which belongs to more than 1 VLAN. Since a standard ethernet frame doesn't provide a field to distinguish VLANs, a special field is inserted, this is called "tagging". Nevertheless, frames belonging to the native VLAN  are transmitted without such a tag (in other words: the ethernet frames are not modified). In this way, traffic forwaring is possible in the native VLAN even when the trunk is not working  correctly.
  In theory, when you would connect a trunkport from one switch to an accessport of another, communication for the native VLAN would be possible. In such a scenario, the native VLAN-ID doesn't have to match the PVID. Hope, this isn't to confusing.
  You can find more details in discussion https://learningnetwork.cisco.com/thread/8721#39225
  Regards,
  Rolf

• Native VLAN and the "Black Hole"

  While reviewing the configuration of a network that I'm supporting, it seems that the original design of the network has the black hole VLAN as the native VLAN.  At the least this seems incorrect, and possibly very dangerous, but I'm not exactly sure why or how to articulate that.  Can someone confirm or deny this suspicion?
  In addition, I had two further questions regarding the practice of using a black hole VLAN:
  1.  If you have any unused ports, it seems more practical to just admin down these ports instead of creating an unused VLAN.  Is there some added advantage to ALSO putting these ports in an unused VLAN (e.g. 999)?  If the port was needed, you can simply admin up the port, during which time you could also change any needed VLAN configurations.  In other words, you'd have to log into the device and make changes whether you went with the admin down method, the Black Hole VLAN method, or both.  So what's the point?
  2. Assuming you do use the Black Hole VLAN as an added security method, I feel that including that VLAN in the "switchport trunk allowed vlan" command is counterproductive, but I'm not fully able to articulate why.  Can someone help me with this?
  Thanks for any information or suggestions that you may have.

  Assuming you mean a vlan for unused ports when you refer to a black hole vlan. If so the key things are  -
  a) that vlan does not have a L3 vlan interface (SVI) for it as there is no need to route it
  b) any unused ports are shutdown
  if you follow the above then I can't see the danger in using the native vlan but I wouldn't do it regardless of that. I would have a dedicated native vlan and a separate vlan for unused ports.
  To  my mind there should be no ports allocated to the native vlan (other than trunk ports obviously).
  The benefit of using a dedicated vlan for unused ports is -
  a)  it provides an additional level of security. People make mistakes and having to do multiple things to enable a port requires more attention than simply doing a "no shut" on the interface.
  The more attention someone is paying the more likely they will get it right or at least the less likely they will make a mistake.
  b) if you don't use an unused vlan you are leaving all the ports in the default vlan which is vlan 1 and this should be avoided as this vlan is overused already eg. switch control plane traffic is sent on this vlan for example and often the switch management interfaces are in this vlan.
  As far as allowing the unused vlan on trunk links it is totally unnecessary and in fact you really don't want to do that. The idea of the unused vlan is for non communication so it would make no sense to allow it on trunk links.
  In my last place of work we used vlan 998 as the unused vlan and vlan 999 as the native vlan.
  Neither had an SVI for it.
  If by black hole vlan you meant something else then please clarify.
  Jon

• VLAN trunking, native vlan and management vlan

  Hello all,
  In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
  We have an uplink which is trunked using .1Q. Our access ports has the data vlan as the native. Based on our design, what should be the native vlan for this uplink trunk? Should it be the management vlan or the data vlan? Thanks for your help.

  To answer this question you must remember what the native vlan is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the vlan that is configured for the port. Traffic for the voice vlan is an exception to this general rule.
  Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
  When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
  I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
  Regards,
  Leo

• VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1

  Hi All,
  L2 security documents suggest to avoid using vlan1 and tagging all frames with vlan IDs using the global configuration of vlan dot1q. Other Cisco non-security documents suggest using the switchport trunk native vlan # which removes any vlan tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using vlan 1 to tighten L2 security. When vlan 1 is removed from all trunked uplinks, user access ports are other than vlan 1, and no spanning-tree vlan 1 operations exists, what is the native vlan 1 actually used for?. The output of show interface gi0/1 trunk shows the native vlan as 1.
  Thanks,
  HC

  Hi HC,
  the command "switchport trunk native vlan" is used to define the native (untagged vlan) on a dot1q link. The default is 1, but you can change it to anyting you like. But it does only change the native vlan, all the others vlan on the trunk are of course tagged (and it only applies to dot1q, as ISL "taggs/encapsulates" all the vlans). The command "vlan dot1q tag native" is mostly used in dot1qindot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. Thats something mostly service Providers offer to there customers. There it is important that there is no untagged traffic, as that would not work with dot1qindot1q. This command tagges the native vlan traffic, and drops all traffic which is not tagged.
  Whatfor is the native VLAN? Switches send control PDU such as STP,CDP or VTP over the native VLAN.
  If you don't happen to be a service Provider for L2 metropolitan Ethernet, you wan't need the "vlan dot1q tag native" command. For my part I'm trying not to use vlan 1 everywhere in my campus, because it gives a huge spanningtree topology and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degradet. I try to keep Vlan's a small as possible and to have as much L3 separaton as possible, that's good for the stability!
  Simon

• About the Native Vlan and Management Vlan.

  I wanted to know that Management vlan and Native vlan can be different vlan id or  both should be same vlan id. Why should not be native vlan 1.

  The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
  It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
  Native Vlan is the vlan which will be sent untagged even in Trunk links. Consider a Trunk link configured between two switches SWA and SWB, if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles accordingly. By default native vlan is 1, this can also be changed as per requirement.
  Example: In the below figure if a IP phone and system are connected toa switch port as below, the the Phones will  send its frames tagged with vlan 10 where as the frames sent by system will be untagged. So here the the corresponding switch port should be configured as native vlan 20. So that it can recognise and handle the frames from system and IP phone properly.
  a
  Management vlan is different, it means that this vlan will be used for management purposes like Logging into the switch for management, Monitoring the switch,collecting Syslog ans SNMP traps, etc will be done by management vlan IP. This also by default vlan 1 in cisco. So as Antony said the it is always a Best practice and security measure to not use the default vlan and use custom vlans.
  Hope this helps !

• Wireless AP native vlan and switch trunk

  Hi,
  I am unable to ping my ap, i think it is due to the multiple vlan issues, can provide some advise, my config for the ap and switch is as below
  AP Config
  version 15.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname hostname
  logging rate-limit console 9
  enable secret 5 $1$ZxN/$eYOf/ngj7vVixlj.wjG2G0
  no aaa new-model
  ip cef
  dot11 syslog
  dot11 ssid Personal
     vlan 2
     authentication open
     authentication key-management wpa version 2
     guest-mode
     wpa-psk ascii 7 070E26451F5A17113741595D
  crypto pki token default removal timeout 0
  username Cisco password 7 1531021F0725
  bridge irb
  interface Dot11Radio0
  no ip address
  encryption vlan 2 mode ciphers aes-ccm tkip
  ssid Personal
  antenna gain 0
  stbc
  beamform ofdm
  station-role root
  no dot11 extension aironet
  interface Dot11Radio0.2
  encapsulation dot1Q 2
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 spanning-disabled
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  interface Dot11Radio0.100
  encapsulation dot1Q 100 native
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 spanning-disabled
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Dot11Radio1
  no ip address
  encryption vlan 2 mode ciphers aes-ccm tkip
  ssid Personal
  antenna gain 0
  no dfs band block
  stbc
  beamform ofdm
  channel dfs
  station-role root
  interface Dot11Radio1.2
  encapsulation dot1Q 2
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 spanning-disabled
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  interface Dot11Radio1.100
  encapsulation dot1Q 100 native
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 spanning-disabled
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface GigabitEthernet0
  no ip address
  duplex auto
  speed auto
  interface GigabitEthernet0.2
  encapsulation dot1Q 2
  bridge-group 2
  bridge-group 2 spanning-disabled
  no bridge-group 2 source-learning
  interface GigabitEthernet0.100
  encapsulation dot1Q 100 native
  bridge-group 1
  bridge-group 1 spanning-disabled
  no bridge-group 1 source-learning
  interface BVI1
  ip address 192.168.1.100 255.255.255.0
  ip default-gateway 192.168.1.1
  ip forward-protocol nd
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  bridge 1 route ip
  line con 0
  line vty 0 4
  password 7 01181101521F
  login
  transport input all
  end
  Switch Port config
  interface FastEthernet1/0/10
  switchport trunk native vlan 100
  switchport mode trunk

  I will re-check the routing again but could it be some bridging issues ?
  interface GigabitEthernet0
  no ip address
  duplex auto
  speed auto
  **** unable to put up this command on the giga port
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  I try to put this command on the gigaethernet port but it does not allow me, could this be the bridging  issue ?

• Native Vlan and Trunking

  Hi Folks,
  I am having a doubt with native Vlan in trunk ports.
  In a topology of 3 switches. Switch A is connected with switchB and SwitchC on uplinks. Can I configure the different native vlans for 2 different trunk for switch A.
  Like I am having 3 vlan,s configured in switch A with VTP domain transparent(1,500,900-Vlans configured). Same configuration is there in B & C too.
  So can we use 999 as a native vlan for trunk between A&B and native vlan 1 for trunk configured between A&C.

  yes possible, if specific reasons. Already discussed several times on this forum. Pls refer this link:
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe4e88

• Native VLAN and Trunks on Bridges

  I have a need for different Native VLANs on the radio side and the ethernet side. Can this be done on the non-root 1410 bridge?
  The radio native VLAN is to support the management on teh 1410 bridges. I also need to attach a single device from another VLAN on the non-root bridge and I do not want to have to put in a switch just to break out that needed VLAN.

  The bridge supports only one SSID. You should assign the SSID to the native VLAN
  1.Create subinterfaces on the radio and Ethernet interfaces.
  2. Enable 802.1q encapsulation on the subinterfaces and assign one subinterface as the native VLAN.
  3. Assign a bridge group to each VLAN.
  4. (Optional) Enable WEP on the native VLAN.
  5. Assign the bridge's SSID to the native VLAN.
  To assign an SSID to a VLAN and how to enable a VLAN on the bridge radio and Ethernet ports
  For further information click this link.
  http://www.cisco.com/en/US/docs/wireless/bridge/1400/12.3_8_JA/configuration/guide/p38vlan.html

• Help config vlan and inter routing vlan on 2 switches SF300-24 ???

  Dear Cisco!
  now we have 2 switches: SF300-24
  on one SF300-24 we config it at layer 3 mode with VLAN configuration same as following
  VLAN ID 2 (ports: 2 -6) have ip interface  192.168.2.254/24
  VLAN ID 3 (ports: 7 - 10) have ip interface  192.168.3.254/24
  VLAN ID 4 (ports 11- 15 ) have ip interface  192.168.4.254/24
  and VLAN 1 default have IP address: 192.168.1.200
  DHCP relay  - DHCP server 192.168.3.1
                     - DHCP relay: VLAN2; VLAN3; VLAN4
  ip route: 0.0.0.0   0.0.0.0  192.168.3.1
  all ports of VLAN2, VLAN3, VLAN4 set access mode.
  and another SF300-24
  was configed at layer 2. We config VLAN ID 2 ̣̣̣have ports  2 -6; VLAN ID 3 ports 7 -10; VLAN ID 4 port 11-15 ,too.
  And we use port 26 on 2 switches SF300-24 is trunk mode then we connect both SF300-24 switches.
  But on SF300-24 layer 2 cann't inderstand VLAN from Sf300-24 layer 3!!!
  Could you please help me check this situation?
  How to config VLAN on 2 switches SF300-24 Layer 3 and SF300-24 layer 2?
  Thanks!
  See you soon!

  Son Nquyen,
  First i would upgrade to 1.1.8 since the 1.0.0.27 was beta code.
  Next when when connecting both switches together each port will need set via Trunk mode with proper native vlan and tagged vlan traffic. What's the configuration of your trunk ports on each switch?
  Thanks,
  Jasbryan.

• Question about the dot1q native vlan

  On a dot1q trunk, the switch can send untagged frames in the native vlan and tagged frames in the other vlans.
  Both end switches know the native vlan id, but firstly, the receiving switch must determine which frame type(tagged or untagged) the frame is.
  The peer switch how to determine that the received framed is tagged or untagged? There are not any bits in the frame header in either frame format(ethernet or dot1q format) indicating that "I" am untagged or tagged.
  In the other word, after a frame is received , how the receiving switch make certain that the two bytes after the "source mac address" in the frame is a "TPID" field (dot1q tag) but not a "Type/Length" field (untaged Ethernet frame ), or vice versa.

  If the frame's Type/Length field value equals 0x8100 the a TPID field will follow.

• WISM Native Vlan tagged

  Hello , We have 6513 Core Switch and WISM , If I ping from the access points subnet to the WISM IP address there is so many request time out and the number of Access Points registered is going up and down
  In the core switch we are tagging the native Vlan as you can see below
  CORE-SWITCH2#sh run | i tag
  vlan dot1q tag native
  and we don't have the command wism module 9 controller 1 native-vlan X because the native vlan is tagged
  could this be the reason ? that its mandatory that the native VLAN is not tagged for the Cisco WISM configuration
  your reply and feed back is highly appreciated
  many thanks

  Cisco recommends to TAG the management interface. Cisco use to state to configure the managment vlan as native. It makes it easier for QoS as well when all vlans are TAGGED.
  What is key is all your WISMs managment interfaces need to be TAGGED or UNTAGGED. You cant have a mix.
  How are yours set up ?

• "vlan dot1q tag native" end-to-end QoS switched network

  Guys,
  Can I use this in my switched network design, (without using 802.1q tunneling as documentation always seems to mention this vlan in a vlan scenario???)
  I have native vlans and I want to act upon the 802.1p CoS field from end-to-end in my switched network. If the packet happens to be in a native vlan, I cannot do this.
  ie
  pc------accessswitch--------distswitch/rtr
  between access and distribution, there is a dot1q trunk, and the native vlan is the vlan what the pc is in
  Choices.
  run this comand vlan dot1q tag native
  dont have a native vlan, ie have vlan 1 (default as native) on the dot1q up to the dist
  or act only upon L3 dscp
  Can anyone help?
  Many thx,
  Ken

  Hi there,
  Many thx for that. This I understand and the question was really, if I wanted to use a dot1p tag in the dot1q header, but the vlan that the PC was on was the same vlan as the native vlan on the dot1q trunk, what is the best option to ensure I can action qos.
  Just trust dscp on the trunks always
  tag the native,
  or just dont run a native vlan
  I hope this makes sense. Sorry if I was a little confusing b4.
  Thx
  Ken