Switchport trunk native vlan question...
What am I missing in regards to the following two lines assigned to a sw interface:
switchport trunk native vlan 80
switchport mode trunk
Why assign a VLAN to the port when your trunking it (meaning you allowing all VLANs to pass)?
Thank you.
By default native VLAN is VLAN 1, but can be changed to any No. on the trunk port by command "switchport trunk native vlan #". This will make a new vlan# as native & allow all pkts from this vlan to pass thru trunk untagged.
Native VLANs are used to carry CDP, PAgP & VTP messages. Thus the Frames on native VLAN are untagged. For these messages to propagate between devices, native VLANS must match on both sides of the trunk. In case of native VLAN mismatch on bothsides of the trunk, STP will put the trunk port in err-disabled state.
Similar Messages
-
VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1
Hi All,
L2 security documents suggest to avoid using vlan1 and tagging all frames with vlan IDs using the global configuration of vlan dot1q. Other Cisco non-security documents suggest using the switchport trunk native vlan # which removes any vlan tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using vlan 1 to tighten L2 security. When vlan 1 is removed from all trunked uplinks, user access ports are other than vlan 1, and no spanning-tree vlan 1 operations exists, what is the native vlan 1 actually used for?. The output of show interface gi0/1 trunk shows the native vlan as 1.
Thanks,
HCHi HC,
the command "switchport trunk native vlan" is used to define the native (untagged vlan) on a dot1q link. The default is 1, but you can change it to anyting you like. But it does only change the native vlan, all the others vlan on the trunk are of course tagged (and it only applies to dot1q, as ISL "taggs/encapsulates" all the vlans). The command "vlan dot1q tag native" is mostly used in dot1qindot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. Thats something mostly service Providers offer to there customers. There it is important that there is no untagged traffic, as that would not work with dot1qindot1q. This command tagges the native vlan traffic, and drops all traffic which is not tagged.
Whatfor is the native VLAN? Switches send control PDU such as STP,CDP or VTP over the native VLAN.
If you don't happen to be a service Provider for L2 metropolitan Ethernet, you wan't need the "vlan dot1q tag native" command. For my part I'm trying not to use vlan 1 everywhere in my campus, because it gives a huge spanningtree topology and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degradet. I try to keep Vlan's a small as possible and to have as much L3 separaton as possible, that's good for the stability!
Simon -
Switchport trunk native vlan & switchport access vlan dual configuration
I've discovered this dual configuration on a 3500xl switch while troubleshooting an incrementing runts issue. Could the config of this port be related to the issue at hand?
port configuration:
interface FastEthernet0/3
duplex full
speed 100
switchport access vlan 203
switchport trunk encapsulation dot1q
switchport trunk native vlan 203
switchport trunk allowed vlan 1,203,204,220,1002-1005
switchport mode trunk
spanning-tree portfastHi,
The 'switchport access vlan' command will have no effect on the configuration you have on this port. The port will operate as a trunk and will dis-regard any config that pertains to an access port.
Hope that helps ...
Paresh -
What is the effect of the command switchport trunk native vlan x
Hello all,
I have a SG500 switch. The port Gi0/19 is directly connected to a machine. When i show the running config file i find the following config in the interface gi0/19:
switchport trunk native vlan 70
I need to understand this command because i'm a bit confused that i know that only if we have a link between two switch that we put an interface in a trunk mode.
Please Help :)Trunks can carry all the traffic(vlan 70,80,........Including vlan1)
Access port can only be in one vlan (Say vlan 70)
So if you configured as trunk and connect the server, and since native vlan is 70, when traffic is of vlan 70, it will not be tagged so your server can understand it.(Assuming that server do not have the capacity to understand the tagged frames). Traffic in other vlan will also be received by this interface (say vlan 80,....vlan1....) but will be dropped.
If you configure it as only access and in vlan 70, only untagged vlan 70 traffic will be received on the interface.
Thanks -
Switchport comparision, "trunk native vlan" versus "access vlan"
I want to understand the logic when I install IP phone with PC attached. Is there any difference between two configurations. for exmaple, consideration to handle QoS.
switchport access vlan 100
switchport voice vlan 200
versus
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport voice vlan 200
switchport mode trunk
Thanks in adance,The difference is that these applies to two different set of switches.
The first set of configuration applies to the new series switches, Cisco 3550, 3560, 3750 series.
The second set applies to the olders series Cisco 2900, Cisco 3500XL etc. In these switches, you need to configure the port as a trunk before the port can take both voice and data vlan.
In the newer series, the port can take both voice and data vlan and still not run in trunk mode.
Regards,
Anup -
Cisco SF302-08P пропадает с порта trunk native vlan, когда подключаю IP PHONE.
Здравствуйте!
У меня возникла проблема с коммутатором Cisco SF302-08P. В частности проблема заключается в настройке порта для IP phone и ПК.
Как известно это PoE коммутатор.
vlan database
vlan 47,147
exit
voice vlan id 147
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
hostname DepGrajdIniciativ
ip ssh server
snmp-server server
ip telnet server
interface vlan 47
ip address 172.27.47.253 255.255.255.0
no ip address dhcp
interface fastethernet1
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
switchport trunk allowed vlan add 147
switchport trunk native vlan 47 <-----
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type ip_phone_desktop
147 влан для Ip phone. 47 влан для компьютера.
Дело в том, что когда, например, на 1 порт подключаю IP phone (cisco 6921), с порта пропадает настройка "switchport trunk native vlan 47", соотвественно, на компьютере, который подключен к телефону на порт "computer", пропадает связь (теряется vlan 47?). Приходится по новой прописывать, но он сохраняется до следующей перезагрзуки коммутатора или телефона.
P.S. настройки на коммутаторе сохраняем командой "copy run start" или "wr". На телефоне "admin vlan" указан 147.
P.S.S. телефон питается по PoE.
В чем может быть проблема? я работал со многими cisco коммутаторами, но нигде такой картины не видел.... -
The old native vlan question....
Topic came up during troubleshooting a 3524XL sw.
I think my understanding of the native vlan concept is wrong.
I thought on a trunk port (Cisco device) that any packet transversing a trunk link (dot1q trunk that is) has a vlan tag applied on the egress port. As an untagged packet arrives on the port (prior to being sent out over the trunk), its is tagged with the native vlan (if its not assocated with any other vlan), then sent out the (egress) the trunked port.
But lately I have been reading that
"A native vlan is the untagged vlan on an 802.1q trunked switchport. The native vlan and management vlan could be the same, but it is better security practice that they aren't. Basically if a switch receives untagged frames on a trunkport, they are assumed to be part of the vlan that are designated on the switchport as the native vlan. Frames egressing a switchport on the native vlan are not tagged. This is the definition however more recent switch software often will allow you to tag all of the frames, even those in the native vlan. This gives some added security and allows the CoS bits to be carried between switches even on the native vlan. Let me know if you need further clarification."
From : https://learningnetwork.cisco.com/thread/8721
So this tells me that you can have a packet transversing a dot1q link w/o a vlan tag...then when it arrives on the other end its put in the vlan that is on that native vlan question. Is this correct?
If so, and a packet can transverse a trunk link w/o a VLAN tag applied, how does a sw detect (ingress) a native vlan mismatch?
Thanks!Hi,
It's correct, the native vlan is not tagged by default on the trunk link but some platform can make you tag all traffic though even the native vlan.
The native vlan mismatch is detected through cdp.
Regards.
Alain.
Don't forget to rate helpful posts. -
Don't configure a native VLAN unless you have to. You're increasing you attack surface with the potential of VLAN hopping (Dot1q hopping some call it).
http://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/
https://en.wikipedia.org/wiki/VLAN_hopping
Edit:SpellingHello,
I'm trying to understand better native vlan trunking. Maybe someone can please help explain? I understand trunking and vlans and I know that on the trunked port I can allow whatever vlans I want to and I know that the native vlan carries non tagged frames.
So for example, if I have say 3 vlans and a native vlan
vlan 10, vlan 20, vlan 30 and I have the command on the trunked port "switchport trunk allowed vlan 10,20,30"
so all those vlans will pass on the trunk correct? And native vlan 1 will pass all the telnet, cdp, traffic etc, correct?
Also how do I change the native vlan?
Thanks.
This topic first appeared in the Spiceworks Community -
I asked this in another forum, but was hoping for some other explanations...
switchport mode trunk
switchport native vlan 80
switchport trunk allowed vlan 50, 80
Can someone provide a line by line explanation of whats being done?
If I understand correctly, the first line lets ALL vlans through this port. The second line lets all untagged traffic that comes from VLAN 80 through. Line three perplexes me, because if we are trunking the port (letting all VLANs through) why explicitly let these two VLANs through when they are already allowed.
Thank you.Hi
"switchport mode trunk" means configure the link as a trunk link ie. a link that can carry traffic for multiple vlans. By default it will allow all vlans.
"switchport native vlan 80" means the vlan on the trunnk link that will not be tagged will be vlan 80. So all other vlan traffic is tagged but not this vlan.
"switchport trunk allowed vlan 50, 80" means only allow vlan 50 and vlan 80 traffic across this link. There a number of reasons you may want to do this. Perhaps at the other end of the link you know that the switch only has ports in vlan 50 and vlan 80 so there is no need to forward traffic for any other vlan. By not allowing those vlans across the trunk you not only stop broadcast traffic from going across the trunk (which can be achieved with the "vtp pruning" command) but you also stop STP for any other vlans than 50 & 80 across the link.
HTH
Jon -
VLAN trunking, native vlan and management vlan
Hello all,
In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
We have an uplink which is trunked using .1Q. Our access ports has the data vlan as the native. Based on our design, what should be the native vlan for this uplink trunk? Should it be the management vlan or the data vlan? Thanks for your help.To answer this question you must remember what the native vlan is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the vlan that is configured for the port. Traffic for the voice vlan is an exception to this general rule.
Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
Regards,
Leo -
All,
I have a problem that I just cannot wrap my mind around. We have UCS setup in a lab with 2 interconnects connected to 2 nexus 5510 switches. The nexus switches are uplinked to the network via a 4900m switch. All trunks are setup and tested as functional. All routing is setup and confirmed. I have an issue in UCS that is baffling me. In the lab I have kept the native VLAN at vlan1. I have setup test vlans 2-10 on all the switches and interconnects. I have created a service profile that contains 1 nic and placed it in VLAN 7. I have installed Windows 2008 on a blade using this service profile. In the OS I have statically IP'ed the NIC for the scheme used in VLAN 7. From the OS I cannot ping another device that is in vlan 7. I also cannot ping a host on another vlan. If I place a check on VLAN 1 as the native vlan I still cannot ping anything. If I place the check for native vlan to vlan 7 I can ping hosts within the same vlan as well as outside the vlan. So, why do I need to place vlan 7 as the native vlan when all my trunks are set up as vlan 1 being the native vlan?
Thanks for any help,
KenKen,
When allowing certain VLANs on your Service Profile vNICs you need to set the native VLAN. This is because the way you have it configured currently you're only "allowing VLAN 15", but you're not tagging it. This would work fine for ESX or Linux where you can assign the dot1q tag at the host. With Windows unless you have specific drivers doing the tagging for you, you'll need to do this at the vNIC level within UCS.
Two ways to see this in action. When creating a service profile in the "Basic" method - not "Expert", you will select a single VLAN for your interfaces. This will treat the interfaces pretty much like an "Access Port". Conversely when you use the "Expert mode you're enable the vNIC as a trunk, in which you will "allow" all the VLANs you'd like access to. Sounds like this is the method you have performed.
For a Windows OS, set the VLAN as Native for the VLAN you want it to access and you'll be sweet. Unchecking that "Native VLAN" option box is allowing the traffic to traverse out of UCS on the Native VLAN of your network - VLAN 1, which is why it's MAC appears on the other fabric under VLAN1
Regards,
Robert -
SG500 LACP trunk mismatch native vlan on individual ports
Hi All,
I have just configured up a sg500 with a lacp trunk to an upstream switch.
I am getting native vlan mismatch on the individual ports of the lacp team.
24-Jan-2013 12:54:48 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/24.
24-Jan-2013 12:57:35 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/48.
The following is showing the correct native vlan
BH-WS-AC-2#show int switchport port 1
Port : Po1
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 2000
Port is member in:
Vlan Name Egress rule Port Membership Type
1200 1200 Tagged Static
1210 Management Tagged Static
1212 1212 Tagged Static
2000 Native Vlan Untagged Static
But the following shows that the individual ports think they are the default vlan 1.
BH-WS-AC-2#show int switchport gi1/1/48
Port : gi1/1/48
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan Name Egress rule Port Membership Type
The following shows the LACP as up:
BH-WS-AC-2#show int Port-Channel 1
Load balancing: src-dst-mac-ip.
Gathering information...
Channel Ports
Po1 Active: gi1/1/24,gi1/1/48
Is this normal behaviour? as i cannot set the native vlan directly on the gi interface due to it being in the trunk.
SimonHi Simon, native vlan mismatch is a cosmetic error from CDP. It won't affect services provided the vlans are a member of the ports in question.
You can set the native vlan while it is within the lag. On the SX500 it would be
config t
int po1
switchport trunk native vlan xxxx
The port channel is the same as any other individual port so it's not a problem. 802.1q specifies the native vlan is the untagged member, if you want to get rid of the error, make sure the untagged vlans match up on both sides.
-Tom
Please mark answered for helpful posts -
Wireless AP native vlan and switch trunk
Hi,
I am unable to ping my ap, i think it is due to the multiple vlan issues, can provide some advise, my config for the ap and switch is as below
AP Config
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hostname
logging rate-limit console 9
enable secret 5 $1$ZxN/$eYOf/ngj7vVixlj.wjG2G0
no aaa new-model
ip cef
dot11 syslog
dot11 ssid Personal
vlan 2
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 070E26451F5A17113741595D
crypto pki token default removal timeout 0
username Cisco password 7 1531021F0725
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
stbc
beamform ofdm
station-role root
no dot11 extension aironet
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
no dfs band block
stbc
beamform ofdm
channel dfs
station-role root
interface Dot11Radio1.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio1.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
interface GigabitEthernet0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.1.100 255.255.255.0
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
password 7 01181101521F
login
transport input all
end
Switch Port config
interface FastEthernet1/0/10
switchport trunk native vlan 100
switchport mode trunkI will re-check the routing again but could it be some bridging issues ?
interface GigabitEthernet0
no ip address
duplex auto
speed auto
**** unable to put up this command on the giga port
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
I try to put this command on the gigaethernet port but it does not allow me, could this be the bridging issue ? -
Switch trunk native and switchport trunk allowed commands
Hello,
What will be the result of having these two commands defined on trunk
Switch(Config-if)# switchport trunk native vlan 500
Switch(Config-if)# switchport trunk allowed vlan remove 500
ThanksThe first command would send traffic untagged over vlan 500, but the second command removes vlan 500 from the trunk, so I think you would lose traffic for anything using vlan 500....
HTH,
John
*** Please rate all useful posts *** -
Does it need add the native vlan to allowed vlan list ?
If I confiured the port like this "
switchport trunk native vlan 10
switchport trunk allowed vlan 11,12"
does the vlan 10 allowed passing ? or it still need add vlan 10 to the allowed vlan list like "
switchport trunk native vlan 10
switchport trunk allowed vlan 10,11,12"
ThanksYes you can remove the native VLAN from the list, and it does prevent the native VLAN from traversing the trunk. That is, if you look at the Spanning Tree for the native VLAN, the trunk will be absent from the list of ports on the VLAN.
The question of untagged frames is a different one. There are some control protocols, particularly link-local ones, that are sent untagged, and these will traverse the trunk regardless. However, they are not considered as part of the native VLAN Spanning Tree as such.
But beware: there is a bug in earlier IOS and in all CatOS switches! If you use a non-1 VLAN as your trunk native VLAN, and you disallow it from the trunks, and there are no other ports carrying that native VLAN, then the Spanning Tree for that VLAN shut down. That is fair enough. But the bug is that the Spanning Tree for VLAN 1 also breaks down, sending your network into meltdown.
Kevin Dorrell
Luxembourg
Maybe you are looking for
-
Firefox 3.6.13 will not open as the browser to view web pages from within Dreamweaver CS3
I build websites with Dreamweaver CS3. I am operating on Mac OS 10.4.11 using Firefox 3.6.13 - The problem began on the last software update. I like to use Firefox instead of Safari. Up to the point where I upgraded, I never had a problem but now, wh
-
How can I make a pull down menu in I web
how can I make a pull down menu in I web?
-
Does 10.6.8 support HP Photosmart D7260
My iMac recently stopped working with my HP Photosmart D7260 printer. (Cannot honestly remember if this was linked to a software upgrade, but is definitely not linked to the initial upgrade to Mac OS X 10.6.8 which was loaded a long time ago.) The p
-
Add a MS Word/Excel document to a Calender Event.
How do I add a MS Word/Excel document file to a Calendar Event so that it can be saved in the Calendar Event? In MS Outlook you just either copy or add the file to the Event and save.
-
My smart playlists are duplicating songs
I have my smart playlist set to live update and include anothing with a media kind that is music. The playlist is duplicating certain, but not all, purchased songs on that playlist but is only doing so on my iPhone. On my computer the playlists list