Nexus 7k and native vlan 1

Hi, is it recommended to use a native VLAN other than 1 on the trunks connecting Nexus boxes? It used to be that you should not use native VLAN 1 on the trunks between switches. Is this not an issue anymore?
Thanks

Hi Chuck,
It is recommended to use a different VLAN other than VLAN 1 as your default VLAN.
This is one of the best practices for securing the overall network.
For example:
In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and trunking protocols (e.g. Multiple VLAN Registration Protocol, IEEE 802.1Q, VLAN Trunking Protocol) used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.
HTH,
Aman

Similar Messages

  • Management and native Vlan in different subnet??

    Can I have a management IP and native VLAN in different subnets on an AIR-1242 and a 2960 switch?
    Native on Switch = 1.
    Interface vlan 100 = 10.10.1.25X /24
    BVI ip in vlan 100 = 10.10.1.25X /24
    -HM-

    Hi,
    Thanks for the update..
    Ok in short YES this can be done.. here is the AP configuration..
    Step 1>> Configure the SSID and map it with respective Vlans..
    Step 2>> Create the sub-interfaces int dot11 0.5 / int fa 0.5 (encapsulation dot1q 5, bridge-group 5) and int dot11 0.6 / int fa 0.6 (encapsulation dot1q 6, bridge-group 6)
    Step 3>> Create the sub-interface 0.100 for both Radio and Fa and under this (encapsulation dot1q 100 native, bridge-group 1)
    Step 4>> Make sure all the interfaces are up and running and try to ping the VLAN 100 interface IP address from the AP to verify.
    lemme know if this answered your question..
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or was helpful

  • Voice Vlan and Native Vlan

    Dear all,
    I am now reading some information regarding the setup of VoIP phones. It mentioned that the phone is actually a 3-port switch:
    Port 1: Connect to upstream switch
    Port 2: Transfer phone traffic
    Port 3: Connect to a PC
    Actually, what should I configure on the upstream switch port? Should it be a trunk port containing both the voice traffic VLAN and the PC data VLAN?
    Or something else?
    Also, there is a term called 'Voice VLAN'; is there any difference between a 'Voice VLAN' and an ordinary VLAN?
    Is there any special usage of 'Native' Vlan in implementing Voip?
    Thanks.
    Br,
    aslnet

    Thanks.
    How about if the PC data should be tagged as another vlan (e.g., Vlan 10)? Then I should change the native vlan to vlan 10?
    But from my understanding, Native Vlan should be the same in the whole network, then I need to change the whole network native vlan? If there are different vlans should be assigned to different PCs that behind different VoIP-phone, then how to do it?
    From my guessing, is it that I can assign an individual native VLAN (VLAN 10) on that port (connected to the VoIP phone), and then keep the switch's uplink port at the original native VLAN (VLAN 1)?
    Therefore, PC data traffic would be untagged when entering from voip to the switch, and then tagged as vlan10 when leaving the switch to other uplink switch, right?
    Thanks.

  • Fabric interconnect and Native Vlan

    Hi
    I just want to ask a simple question
    is there any precautions with native vlan between the Switched infrastructure and the Fabric interconnect ?! 
    I mean can I use any vlan as a native vlan ex.999 "anything but not 1" ?! 

    As a security best practice on trunks carrying multiple VLANs you should not allow the native vlan on the line.  When you have a single VLAN going to a device, an end node for example, the port should be configured as an access port with a single data VLAN, and potentially a voice vlan if that will be used.  
    For example, our N5Ks have a trunk to each of our UCS interconnects.  We set the native VLAN on the n5k side to 999. 999 is not in the allowed list for the trunk then, so the native VLAN never makes it to the ucs.  On the ucs then, any server that can handle VLANs (esxi for example) we send only tagged VLANs -- no VLAN is marked native, thus accomplishing the same thing as we did for the n5k to FI link.
    It is recommended to not leave your native VLAN as 1 as best practice.  It's less of a concern if the native VLAN isn't in the allowed list, but to avoid misconfiguration issues you should set it to another VLAN.
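    The two recommendations in this thread and in the Nexus answer at the top (native VLAN not left at 1, and native VLAN kept out of the trunk's allowed list, as in the N5K-to-FI example) can be checked mechanically against a saved running-config. The following is an added example, not code from any poster or from Cisco: a small Python audit that parses IOS/NX-OS style interface stanzas and reports trunks that break either rule. The configuration text is constructed for illustration, and the interface names and VLAN numbers in it are assumptions.

```python
"""Audit switch trunk configuration for native-VLAN best practices.

Added example (not from the forum thread). Flags trunks whose native VLAN
is still 1 and trunks whose native VLAN is carried in the allowed list.
The config below is constructed for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

ALL_VLANS = set(range(1, 4095))

# Constructed sample: names and VLAN numbers are assumptions, not a real device.
SAMPLE_CONFIG = """\
interface Ethernet1/1
  description uplink to FI-A (hardened)
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 10,20,100-110
interface Ethernet1/2
  description legacy trunk, default native VLAN
  switchport mode trunk
  switchport trunk allowed vlan 1,10,20
interface Ethernet1/3
  description native VLAN carried on the trunk
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 10,999
interface Ethernet1/4
  switchport mode access
  switchport access vlan 30
interface Ethernet1/5
  switchport mode trunk
  switchport trunk native vlan 500
"""


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand '10,20,100-110' (or 'all' / 'none') into a set of VLAN ids."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, Dict[str, object]]:
    """Group config lines into per-interface dicts holding trunk attributes."""
    interfaces: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            # Platform defaults: not a trunk, native VLAN 1, every VLAN allowed.
            interfaces[current] = {"trunk": False, "native": 1, "allowed": set(ALL_VLANS)}
            continue
        if current is None:
            continue
        entry = interfaces[current]
        if line == "switchport mode trunk":
            entry["trunk"] = True
        elif (m := re.match(r"switchport trunk native vlan (\d+)$", line)):
            entry["native"] = int(m.group(1))
        elif (m := re.match(r"switchport trunk allowed vlan (.+)$", line)):
            entry["allowed"] = parse_vlan_list(m.group(1))
    return interfaces


def audit_trunks(config: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for trunks that violate the guidance."""
    findings: List[Tuple[str, str]] = []
    for name, entry in parse_interfaces(config).items():
        if not entry["trunk"]:
            continue  # access ports have no native VLAN to worry about
        native = entry["native"]
        if native == 1:
            findings.append((name, "native VLAN is the default VLAN 1"))
        if native in entry["allowed"]:
            findings.append((name, f"native VLAN {native} is in the allowed list"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit_trunks(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

    A trunk with no `switchport trunk allowed vlan` line is treated as allowing every VLAN, which is the platform default, so such trunks always carry their native VLAN and are flagged (Ethernet1/5 above). The `allowed vlan add/remove/except` forms are not handled; a production tool would need them.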

  • FIP and Native VLAN

    Hello,
    according to documentation, FIP uses native vlan for FCoE VLAN discovery. Is it necessary to trunk native VLAN on the CNA port of a switch facing a server? For example if e1/1 is connected to a host and I'm using VLAN10 for data and VLAN100 for storage, and my native vlan is VLAN1, should the configuration be:
    interface Ethernet1/1
      switchport mode trunk
      switchport trunk native vlan 1
      switchport trunk allowed vlan 1,10,100
      spanning-tree port type edge trunk
    OR is it sufficient to have:
    interface Ethernet1/1
      switchport mode trunk
      switchport trunk allowed vlan 10,100
      spanning-tree port type edge trunk
    Another alternative, which takes into account that the host may not tag its data traffic:
    interface Ethernet1/1
      switchport mode trunk
      switchport trunk native vlan 10
      switchport trunk allowed vlan 10,100
      spanning-tree port type edge trunk
    Is it really a must to trunk native VLAN? In my lab it works either way.

    FIP VLAN Discovery
    FIP VLAN discovery discovers the FCoE VLAN that will be used by all other FIP protocols as well as by the FCoE encapsulation for Fibre Channel payloads on the established virtual link. One of the goals of FC-BB-5 was to be as nonintrusive as possible on initiators and targets, and therefore FIP VLAN discovery occurs in the native VLAN used by the initiator or target to exchange Ethernet traffic. The FIP VLAN discovery protocol is the only FIP protocol running on the native VLAN; all other FIP protocols run on the discovered FCoE VLANs.
    The ENode sends a FIP VLAN discovery request to a multicast MAC address called All-FCF-MACs, which is a multicast MAC address to which all FCFs listen. All FCFs that can be reached in the native VLAN of the ENode are expected to respond on the same VLAN with a response that lists one or more FCoE VLANs that are available for the ENode's VN_Port login. This protocol has the sole purpose of allowing the ENode to discover all the available FCoE VLANs, and it does not cause the ENode to select an FCF.

  • Wireless VLAN and Native VLAN

    OK, I’m a bit confused about what to do with the native VLAN. I know that for QoS/CoS, I should not use VLAN1 as the native VLAN. I also know that I should use a separate VLAN as the management VLAN. So I’m left thinking, do I need a native VLAN? If I do, can I just make a dumb VLAN that goes nowhere and use that as the native VLAN? Or am I just completely missing something. Thanks

    The native VLAN must also be your management VLAN for Cisco APs.
    The Native VLAN can be any number, as long as you configure it accordingly.
    Also keep in mind that the local RADIUS server, and DHCP will only deliver to the native VLAN. If you intend to use either of those services on the non-native VLAN/SSID, you'll need to have a layer three device on the line to forward that traffic.
    Good Luck
    Scott

  • What is difference between Default VLAN and Native VLAN?

    Answer

    Cisco switches always have VLAN 1 as the default VLAN, which is needed for much protocol communication between switches, like the spanning-tree protocol for instance.
    You can't change or even delete the default VLAN, it is mandatory.
    The native VLAN is the only VLAN which is not tagged in a trunk, in other words, native VLAN frames are transmitted unchanged.
    Per default the native VLAN is VLAN 1 but you can change that:
    #show interface Fa0/8 trunk
    Port        Mode             Encapsulation  Status        Native vlan
    Fa0/8       on               802.1q         other         1
    (config-if)#switchport trunk native vlan 2
    (config-if)#do show interface f0/8 trunk
    Port        Mode             Encapsulation  Status        Native vlan
    Fa0/8       on               802.1q         other         2
    The default VLAN is still VLAN 1.
    #show vlan id 1
    VLAN Name Status    Ports
    1    default active    Fa0/8, Gi0/1
    HTH
    Rolf

  • Nexus 5548 and err-vlans

    Hi
    I have configured some virtual VPCs and a customer Nexus switch.
    But if I run this command:
    sh int port-channel 8 status err-vlans
    It returns 3 VLANs. But I can't find what this means.
    The vlan is working, and traffic is flowing though it.
    Regards Kenneth Dalbjerg

    Hi,
    Is VPC configured correctly?  Has the port-channel been configured on both 5ks?
    What is the output of "sh vpc" and "sh vpc incons"?
    Can you post the relevant configs from both 5ks?
    Also, what is the output of sh port-cha summary
    HTH

  • WLSM, mGRE tunnels and Native VLAN

    I understand that to be able to use mGRE tunnels, all that is needed from the AP is to have IP connectivity. If the AP connects to a port on a switch, and that port is on VLAN 196, for instance, will the following setup allow me to connect to that VLAN over wireless, and at the same time allow other users (through the use of the other SSID) to connect to a network that's on a mobility group?
    I've tested it already and it works. I just want to know if there are any drawbacks, or if it's not recommended. etc...
    interface Dot11Radio0
    encryption mode wep mandatory
    ssid vlan196
    authentication open eap eap_methods
    authentication network-eap eap_methods
    ssid public
    authentication open eap eap_methods
    authentication network-eap eap_methods
    mobility network-id 100

    I had a look at your configuration and it looks good. I think this is the best way of doing this and will work without any issues. You can goahead and implement this setup.

  • WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

    Hi
    We have approx. 1500 access points in approx. 500 locations. WLCs are WiSM2s running 7.4.110.0. The APs are 1131 LAPs. In a FlexConnect configuration we use VLAN 410 as native VLAN and the SSID (LAN) also in VLAN 410. This works fine, never had any problems with this.
    Now we have started using 1602 APs and the client connection on SSID LAN becomes unstable.
    If we configure a different SSID, using VLAN 420 and native VLAN as 410, everything works fine.
    I can't find any recommendations regarding the use of native VLAN/SSID VLAN.
    Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug within 1602 access points?
    Regards,
    Lars Christian

    It is the recommended design to put FlexConnect AP management into the native VLAN & user traffic into a tagged VLAN.
    From the QoS perspective if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than native vlan) & trust CoS on the switch port connected to FlexConnect AP (usually configured as trunk port)
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Native Vlan and Trunking

    Hi Folks,
    I am having a doubt with native Vlan in trunk ports.
    In a topology of 3 switches, Switch A is connected with Switch B and Switch C on uplinks. Can I configure different native VLANs for the 2 different trunks of Switch A?
    Like I am having 3 VLANs configured in Switch A with VTP domain transparent (VLANs 1, 500 and 900 configured). The same configuration is there in B & C too.
    So can we use 999 as a native vlan for trunk between A&B and native vlan 1 for trunk configured between A&C.

    Yes, possible, if there are specific reasons. Already discussed several times on this forum. Pls refer to this link:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe4e88

  • About the Native Vlan and Management Vlan.

    I wanted to know whether the management VLAN and native VLAN can be different VLAN IDs or both should be the same VLAN ID. Why should the native VLAN not be VLAN 1?

    The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
    It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
    Native Vlan is the vlan which will be sent untagged even in Trunk links. Consider a Trunk link configured between two switches SWA and SWB, if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles accordingly. By default native vlan is 1, this can also be changed as per requirement.
    Example: In the below figure, if an IP phone and a system are connected to a switch port as below, then the phone will send its frames tagged with VLAN 10 whereas the frames sent by the system will be untagged. So here the corresponding switch port should be configured with native VLAN 20, so that it can recognise and handle the frames from the system and the IP phone properly.
    Management VLAN is different; it means that this VLAN will be used for management purposes like logging into the switch for management, monitoring the switch, collecting Syslog and SNMP traps, etc., which will be done via the management VLAN IP. This is also by default VLAN 1 in Cisco. So as Antony said, it is always a best practice and security measure to not use the default VLAN and use custom VLANs.
    Hope this helps !

  • Dot1q-tunneling and native frames ( untagged )

    hi all I have the following setup:
    tunnel Port:
    interface GigabitEthernet1/0/2
    switchport access vlan 784
    switchport mode dot1q-tunnel
    switchport nonegotiate
    l2protocol-tunnel cdp
    l2protocol-tunnel stp
    l2protocol-tunnel vtp
    no cdp enable
    spanning-tree portfast
    Trunk Port - Into Carrier Network
    interface GigabitEthernet1/0/25
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 4094
    switchport mode trunk
    switchport nonegotiate
    load-interval 30
    speed nonegotiate
    spanning-tree bpdufilter enable
    the Native Port on the tunnel interface = 1 and native vlan tagging is enabled on the switch.
    what happens to untagged frames that hit the tunnel port from the customer? Imagine that they don't have their port as a trunk and are instead emitting untagged frames?
    are these dropped or simply have a single Q-tag pushed and are then tunnelled through the carrier network?
    I have followed the recommendation of making the trunk port have a native vlan that is not the native vlan of any of the tunnel ports.
    thanks

    Normally double-tag traffic is seen as NON-IP traffic by metro devices, since they cannot see beyond first tag.
    Untagged customer traffic will behave like IP traffic in metro network, since it will have only one tag.
    You can use a trick - create an IP access list on the trunk port with "deny ip any any" - basically denying all IP traffic. That should stop all traffic that was not tagged by the customer. Of course that will disable your management - so you need to plan this.
    If more than one customer is using same S-VLAN, and one customer has e.g. VLAN 3 untagged, and other one has VLAN 5 untagged, their VLANs will be interconnected.
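    To make concrete what "native VLAN frames are transmitted unchanged" means (the Default vs Native VLAN and Management VLAN replies above) and what this answer says about untagged customer frames receiving a single S-tag, here is an added Python simulation; it is not code from any poster or from Cisco. It models trunk ingress classification (native VLAN, allowed list, and a tag-native option that drops untagged frames) and dot1q-tunnel encapsulation, over constructed frame byte strings. The MAC addresses and VLAN numbers are assumptions.

```python
"""Simulate 802.1Q ingress handling on trunk and dot1q-tunnel ports.

Added example (not from any post in the thread). All frames are constructed
byte strings; VLAN numbers and MAC addresses are illustrative assumptions.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass
class TrunkPort:
    """Trunk port state relevant to ingress classification."""
    native_vlan: int = 1
    allowed: Set[int] = field(default_factory=lambda: set(range(1, 4095)))
    tag_native: bool = False  # models 'vlan dot1q tag native': untagged frames are dropped


@dataclass
class TunnelPort:
    """dot1q-tunnel port; svlan is the 'switchport access vlan' value (the S-VLAN)."""
    svlan: int


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (PCP 0, DEI 0) between the source MAC and the EtherType."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def outer_vid(frame: bytes) -> Optional[int]:
    """VLAN id of the outermost 802.1Q tag, or None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    if len(frame) < 16:
        raise ValueError("truncated 802.1Q tag")
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag; an untagged frame is returned unchanged."""
    return frame[:12] + frame[16:] if outer_vid(frame) is not None else frame


def build_frame(vid: Optional[int] = None, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed Ethernet/IPv4 frame with dummy MACs, C-tagged when vid is given."""
    dst = bytes.fromhex("001122334455")  # assumed, not a real device
    src = bytes.fromhex("00aabbccddee")  # assumed, not a real device
    frame = dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    return push_tag(frame, vid) if vid is not None else frame


def classify_trunk_ingress(frame: bytes, port: TrunkPort) -> Optional[int]:
    """VLAN the trunk assigns to the frame, or None if the frame is discarded."""
    vid = outer_vid(frame)
    if vid is None or vid == 0:  # untagged, or priority-tagged (VID 0)
        if port.tag_native:
            return None  # native traffic must arrive tagged; untagged is discarded
        vid = port.native_vlan  # untagged frames land in the native VLAN
    return vid if vid in port.allowed else None


def tunnel_ingress(frame: bytes, port: TunnelPort) -> bytes:
    """A dot1q-tunnel port pushes its S-tag on every customer frame, tagged or not."""
    return push_tag(frame, port.svlan)


if __name__ == "__main__":
    hardened = TrunkPort(native_vlan=999, allowed={10, 20, 100})
    print("untagged on default trunk  ->", classify_trunk_ingress(build_frame(), TrunkPort()))
    print("untagged on hardened trunk ->", classify_trunk_ingress(build_frame(), hardened))
    print("tagged 10 on hardened trunk ->", classify_trunk_ingress(build_frame(10), hardened))
    qinq = tunnel_ingress(build_frame(3), TunnelPort(svlan=784))
    print("tunnel outer/inner VID ->", outer_vid(qinq), outer_vid(pop_tag(qinq)))
    single = tunnel_ingress(build_frame(), TunnelPort(svlan=784))
    print("untagged customer frame after tunnel ->", outer_vid(single), outer_vid(pop_tag(single)))
```

    The hardened trunk (native VLAN 999, not in the allowed list) discards untagged frames outright, which is the practical effect of the N5K-to-FI advice earlier on this page; with tag-native enforced, untagged frames are discarded even when the native VLAN is allowed. An untagged customer frame entering the tunnel port leaves with exactly one tag (the S-VLAN), while a customer-tagged frame leaves with two, which is why the two cases are treated differently in the carrier network.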

  • Can I use non-native VLAN for AP management (BVI100 vs. BVI1)

    Owning AIR-AP1121G-E-K9 and AIR-AP1131AG-E-K9, with IOS 12.3.8JA2, want to migrate AP (wired) management from native VLAN1 to tagged VLAN100.
    Management VLAN must not be accessed by WiFi devices.
    Tried to configure fa0.100, bridge 100 and BVI 100 instead of fa0.1, bridge 0.1 and BVI1, reloaded and AP is working, but doesn't respond to management.
    Tried to use simple L3 fa0.1, but int is not reachable from outside.
    Any suggestions?
    Thank you very much
    Flavio Molinelli

    The management VLAN must be the Native VLAN ... it doesn't have to be VLAN 1, but whichever VLAN you declare as Native will be the Management VLAN (at least as far as the AP is concerned) ...
    Some switches / routers permit the management and Native VLANs to be different ... verify that both are configured and matching on both ends (AP and switch / router).
    Good Luck
    Scott

  • Trunk Native VLAN

    Don't configure a native VLAN unless you have to. You're increasing your attack surface with the potential of VLAN hopping (Dot1q hopping some call it).
    http://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/
    https://en.wikipedia.org/wiki/VLAN_hopping
    Edit: Spelling

    Hello,
    I'm trying to understand better native vlan trunking. Maybe someone can please help explain? I understand trunking and vlans and I know that on the trunked port I can allow whatever vlans I want to and I know that the native vlan carries non tagged frames.
    So for example, if I have say 3 vlans and a native vlan
    vlan 10, vlan 20, vlan 30 and I have the command on the trunked port "switchport trunk allowed vlan 10,20,30"
    so all those vlans will pass on the trunk correct? And native vlan 1 will pass all the telnet, cdp, traffic etc, correct?
    Also how do I change the native vlan?
    Thanks.
    This topic first appeared in the Spiceworks Community
