Tagging and Untagging VLANS

Hi all. I think this is a terminology question more than anything, but I have a coworker that says I should configure switch with "untagging" vlans. I'm not sure what he means, does he mean an access port? I would think a trunk port "tags" vlans, but does an access port not do that? Can someone help explain this to me please? Thank you.

To tag or not to tag?
This type of question is constantly returning in this forum. A search would bring up quite some useful info but I will make a final attempt anyway:
A switch-port can be configured as access or trunk. In access mode, incoming frames are tagged with the vlan-id that the port belongs to. An access port expects untagged frames.
In trunk mode, the port is expecting tagged frames. As you know, trunks are used to interconnect switches.
In the outgoing direction, an access port removes all tagging, a trunk preserves it.
With all this, there is one special case: the native vlan. Each port has one vlan (vlan1 by default) that is used as the native vlan. For compatibility with non-vlan capable equipment, this vlan is sent & received untagged. This is hardly used as most trunks are point-to-point between vlan-capable devices. Make sure that the native vlan is set the same on both sides of the link.
Ports that connect IP phones have a mix between trunk and access. The data from the PC is forwarded on the access-vlan, the voice traffic utilizes the voice vlan as specified with the command: switchport voice vlan, and this vlan must be tagged to preserve the 802.1p field that is part of a dot1Q tag and contains the priority info. Voice is prio 5.
Hope this solves your question about to tag or not to tag.
Regards,
Leo
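The tagging rules in the answer above, as an added Python example that is not part of the original thread: a simplified model of access and trunk ports that builds and parses real 802.1Q tags. The `Port` class, the function names and the sample frame are constructed for illustration, and dropping other tagged frames on an access port is a simplifying assumption.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag right after the two MAC addresses."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("VLAN ID must be 1-4094 and priority 0-7")
    tci = (pcp << 13) | vid  # 3-bit 802.1p priority, DEI bit 0, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vlan_id, priority, frame_without_tag); vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, 0, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


@dataclass
class Port:
    mode: str                          # "access" or "trunk"
    access_vlan: int = 1               # used in access mode
    native_vlan: int = 1               # used in trunk mode
    voice_vlan: Optional[int] = None   # "switchport voice vlan" on an access port


def ingress(port: Port, frame: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Classify a received frame as (vlan, priority, untagged frame); None = dropped."""
    vid, pcp, inner = parse_tag(frame)
    untagged = vid in (None, 0)        # VID 0 is a priority-only tag
    if port.mode == "trunk":
        return (port.native_vlan if untagged else vid, pcp, inner)
    if untagged:
        return (port.access_vlan, pcp, inner)
    if vid == port.voice_vlan:
        return (vid, pcp, inner)       # tagged voice traffic from the phone
    return None                        # assumption: other tags are dropped


def egress(port: Port, vlan: int, pcp: int, inner: bytes) -> Optional[bytes]:
    """Build the frame as it leaves the port; None = VLAN not carried here."""
    if port.mode == "trunk":
        # The native VLAN leaves untagged, every other VLAN keeps its tag.
        return inner if vlan == port.native_vlan else add_tag(inner, vlan, pcp)
    if vlan == port.access_vlan:
        return inner                   # access port strips the tag
    if vlan == port.voice_vlan:
        return add_tag(inner, vlan, pcp)
    return None


def forward(in_port: Port, out_port: Port, frame: bytes) -> Optional[bytes]:
    """Carry one frame from in_port to out_port inside a single switch."""
    classified = ingress(in_port, frame)
    return None if classified is None else egress(out_port, *classified)


def vlan_seen_by_peer(local: Port, peer: Port, vlan: int, inner: bytes) -> Optional[int]:
    """VLAN the far end of a link assigns to a frame that left 'local' in 'vlan'."""
    wire = egress(local, vlan, 0, inner)
    if wire is None:
        return None
    classified = ingress(peer, wire)
    return None if classified is None else classified[0]


# Constructed sample: broadcast destination, locally administered source, IPv4.
PC_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

if __name__ == "__main__":
    pc_port = Port("access", access_vlan=20, voice_vlan=10)
    uplink = Port("trunk", native_vlan=1)
    print(forward(pc_port, uplink, PC_FRAME).hex())                   # tagged, VLAN 20
    print(forward(pc_port, uplink, add_tag(PC_FRAME, 10, 5)).hex())   # voice, prio 5
    # Native VLAN mismatch: VLAN 20 leaves untagged and lands in VLAN 1.
    print(vlan_seen_by_peer(Port("trunk", native_vlan=20), uplink, 20, PC_FRAME))
```

The last call shows why the native VLAN has to match on both ends of a trunk: the frame crosses the link untagged and the peer files it under its own native VLAN.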

Similar Messages

  • Tough Switch and UAP Vlan Setup

    Similar thread question in this community discussion: 
    http://community.spiceworks.com/topic/1080225-isolate-guest-network-by-vlan?page=1#entry-4846326
    This discussion goes into great detail about tagging and untagging and pvid. 

    This seems to be a theme this week. First you need to confirm that your AP supports multiple SSIDs. If it does then the typical process is to create your multiple SSIDs and connect them to a defined vlan. In most installations your business (private) SSID will be connected to your native vlan (typ VLID 1) and your guest SSID will be connected to some other vlan (VLID 200?). Inside your switch you will need to create vlan 200, and then on the port that goes to your AP you will need to setup the PVID to VLID 1 (should be already set), make vlan 200 a member of that port and set it up for tagging. So the port going to the AP will have VLID 1 untagged (native vlan) and VLID 200 tagged. From there you say you have two routers. Your current primary router you will leave as is, but for you guest network router you will take port 8 and set the...

  • Connecting two untagged VLANS from two different switches

    I have a Cisco SG300-52P Small Business switch and hopefully I can explain well what's going on. We have a Juniper EX4200 L3 switch that has a bunch of our corporate VLANs (they are routed VLANs) and that allows communication between all of our corporate networks. We have several other L2 Netgear, HP Procurve, etc... on which we have split the ports down the middle and divided them into two broadcast domains by setting them as untagged VLANs. One cable goes from each of the different VLANs on the L2 switches into different VLANs on the L3 switch. As long as STP is disabled this seems to work fine. However, we tried this same scenario on this Cisco Small Business switch and only one of the two untagged VLANs on the Cisco will pass traffic at a time. I believe that whenever the VLAN that is on the default (VLAN 1) is plugged in, the other (the one we created) shuts down but when VLAN 1 is unplugged, the other VLAN immediately starts to work. What seems weird is that the Cisco seems to learn the Juniper's MAC on the VLAN that doesn't work and the Juniper learns the MAC on the one that does work. In other words, the Juniper does not learn the Cisco's MAC on both of the VLANs that the Cisco is plugged into, as it does with the other L2 switches that we have, and the Cisco does not learn the MACs of the Juniper on both of its VLANs. I hope this is making sense and please let me know if there is any way I can further clarify. I'm sure I'm just doing something dumb that I'm overlooking so feel free to slap me in the face. :-)
    Thank you in advance for your time!

    It sounds like there is a layer 2 loop in your network if spanning tree is shutting down the ports.  You should be able to do a show spanning-tree on the switch, or look in spanning tree rstp interface status.
    are there any other interconnects between devices?  Like un-managed hubs, WAPs with bridging, virtual servers with multiple NIC cards?
    Show spanning tree on each device might show what is going on, or at least tell you which ports are root ports, which ones are forwarding or blocking.  Best practice is to configure your spanning tree if you have more than 1 or 2 switches.
    A detail topology showing port numbers, (sanitized) IP addresses, vlans and purpose, trunks with what vlans are tagged, and  untagged .
    from your description,  your network looks like
    multiple vlans - layer 3 Juniper switch - netgearS1 vlan 1 --procurveS2 vlan 1 -- ciscoS3 vlan1
                                                           \-- netgearS1 vlan2 - - procurveS2 vlan --  ciscoS3 vlan 2
    I'm having trouble visualizing <<One cable goes from each of the different VLANs on the L2 switches into different VLANs on the L3 switch. >>
    are the cables for vlan 1 going to vlan 1 or are the cables for vlan1 going to a different vlan on the other switch?
    Can you reduce the complexity and number of interconnects by using trunking?
    What are the IPs and default gateway of all devices, L3 switch?
    These switches do STP, RSTP and multiple spanning tree, but will not do per vlan spanning tree.  so there may be some configuration required on all switches to get the correct root bridge (the Juniper I assume)

  • Any advantages to setting the AP-Manager and Management interface to an untagged vlan?

    Any advantages to setting the AP-Manager and Management interface to an untagged vlan? Currently, our controllers have their management and ap-manager interfaces on the same untagged vlan. Would it be wise to change this? Are there any gotchas I should be aware of?

    No really, there won't be a problem. Management and AP-manager can be on different vlans.
    The vlan you chose to untag is the vlan you should declare as native on the switch, that's it.
    No advantage in having interfaces configured in a way or another.
    Some people want the management to be in a "management" subnet and the ap-manager will be in the subnet with all the APs. Some others have several AP subnets so the ap-manager is in the same as management ... no importance whatsoever as long as the config is coherent.
    The only thing that is worth considering is the size of AP subnet to me. If you give a /16 for APs and have 1000 APs in a single subnet, ARP and broadcast storms will be hitting the fan. But the vlan tag/untags that you chose are not important
    Nicolas

  • RV320 and WAN VLAN tagging/IPTV

    I have a fiber connection on WAN1 which only works with VLAN tagging and I can't find a way to make it work without the provider's middleware router (Comtrend C5813)... Is there a way to connect to my FTTH (Lucent I240G-B) router directly? I'm having problems with my IPTV (multicast) service, if it's connected directly to the middleware I can have multiple channels running at once, but if I go back to the RV320 and do the same, everything starts to pixelate.
    Using Wireshark I can see that the RV320 is connecting to the different channels with CS4 DSCP marking.
    Any ideas?
    Thank you!

    As you can read above, I'm having problems with my IPTV pixelation/cuts... I need to be able to connect directly to the fiber and have more control over the connection, but I don't see the option on the web admin for PPPOE over VLAN. I don't know if it's a hardware limitation or just software (the GUI).

  • VLAN tagging and tagging question

    Hello,
    I have a question about VLAN tagging on a Cisco switch.
    I've learned that switches tag frames with VLAN IDs once the frame enters a Trunk port (not when it enters a VLAN port).
    Now, if two computers from the same VLAN and on the SAME switch talk to each other then logically there should not be any VLAN assignment on the frames (as if they were connected to a hub).
    Is that correct please?
    TIA

    Just to muddy the waters, since VLAN edge/access ports don't normally tag frames with VLAN IDs, referencing your question about two computers "talking" to each other, it doesn't matter whether the two ports are on the same switch or even different switches; or in the same VLAN or not.
    Also understand trunk ports normally tag frames, and edge/access ports don't, but an exception for the former is the "native" VLAN frames aren't tagged, and an exception for the latter, a Voice VLAN will tag frames.

  • VLAN Tags and Hyper-V Switches

    Does the Hyper-V 2012 Virtual Switch support forwarding VLAN-tagged packets to a guest OS with the VLAN tags intact?  In other words, can I have a single virtual NIC handle multiple VLANs by doing the VLAN filtering inside the guest OS?
    I would like to run a guest OS that sits on multiple VLANs, and while I could create and delete virtual NICs which are assigned to a single VLAN, it would be much more flexible in my environment to have Hyper-V simply forward frames with the VLAN (802.1q) tags intact so that the guest OS can see the tags and deal with them appropriately. (looking at running a virtual router that sits across multiple VLANs).
    I can't see any obvious way to do this. I thought that leaving the VLAN tag for the guest off would cause packets to be forwarded unfiltered, but that appears to not be the case. Does anyone know how to enable forwarding tagged frames through a virtual switch/NIC to a guest OS?
    Thanks!

    Hi,
    >  Does it depend on any particular settings on the physical NIC?
    No special settings on the physical NIC, but not every NIC supports VLAN tagging. You should generally not set the VLAN ID at the physical NIC, it should be set on either the Virtual Switch or the individual Virtual Machine’s configuration. The VLAN ID on the Virtual Switch is what the Host or Parent Partition uses. The VLAN ID setting on the individual Virtual Machine’s settings is what each VM will use.
    For more information please refer to following MS articles:
    Understanding Hyper-V VLANs
    http://blogs.msdn.com/b/adamfazio/archive/2008/11/14/understanding-hyper-v-vlans.aspx
    VLAN Tricks with NICs - Teaming & Hyper-V in Windows Server 2012
    http://blogs.technet.com/b/keithmayer/archive/2012/11/20/vlan-tricks-with-nic-teaming-in-windows-server-2012.aspx#.UWznBmawrX0
    Set-VMNetworkAdapterVlan
    http://technet.microsoft.com/en-us/library/hh848475(v=wps.620).aspx
    Hope this helps!
    Lawrence
    TechNet Community Support

  • WAP321 and Guest VLAN

    I am struggling to remember how to configure a small biz client of mine who just purchased four of these WAP321 APs. They want to have two SSIDs one being for private LAN access along with internet and one that can only access the internet. With that said I setup the private SSID to be on VLAN 1 (default or basically untagged) and the guest SSID on VLAN2. At this point my problem would lie in the fact that since packets on the guest SSID are tagged with VLAN 2 it is not going to receive an IP address from the DHCP server which is actually a Windows server on the private LAN. This makes sense but I think in other situations I have simply utilized the layer 3 switch and setup a DHCP scope on the switch which leaves us without any need to access an internal DHCP server. Can this be configured on the WAP321 access points...ie provide DHCP services to a specified VLAN...in this case VLAN 2?
    In either event, the switches are manageable and have VLAN capabilities but no VLANs have been setup. Each port sees all packets on any VLAN. What is the best way to set this up? Oh and the firewall/router is a medium end SonicWALL, not sure if that matters.
    Thanks for any assistance in advance.

    Hi [email protected], thank you for using our forum, my name is Johnnatan I am part of the Small business Support community. I apologize for the delay; in this case the server should be able to assign DHCP to Vlan2 once you setup the pool of address. I advise you to check all the devices if there are created the Vlan2, also check if there is any access rule for Vlan2.
    If you assign multiple DHCP servers you can get few issues with the addresses. I advise you try to assign DHCP from one server to avoid any issues.
    I hope you find this answer useful
    Greetings, 
    Johnnatan Rodriguez Miranda.
    Cisco Network Support Engineer.

  • Passing voice and data Vlans on Cisco SG200-08P help

    Hello All,
    I'm struggling with a configuration issue on the Cisco SG200-08P.
    We are using the Cisco SG200-08P on a mobile cart that will go from class room to class room that will have computer and cisco Voip phone plugged into it. The issue is that each of our closets are in different VLANS ( 1 voice and 1 data....lets say data vlan 20 and voice vlan 2025 for conversation) and that we route to each closet.
    It would be great if I could just create a generic data and voice vlan to dynamically pick up what the upstream switch has however, it seems that I've been unsuccessful in doing so.
    So far I can pass the data Vlan no problem. The upstream switch port is set to access port and a switch port access voice vlan (these are 3750x switches)
    If the above is not possible I guess I will take what I can get. Should I just create data vlan 20 and voice vlan2025 on the Cisco SG200-08P and make a trunk port on the Cisco SG200-08P and a trunk on the 3750x? Is there an option on the Cisco SG200-08P to tag voice traffic?
    I'm also concerned with VTP and I did not see an area in the Cisco SG200-08P to set that as a client and transparent mode.
    Thanks for any help,
    Dan

    On a Catalyst switch, when a port is defined as a trunk without a vlan specified on the port, all vlan pass through the port. On a small business switch it is nearly the opposite. You must specify the vlans on the links. Additionally, ingress filter discards anything not associated to the port.
    802.1q specifies there must be an untagged vlan which is the native vlan (of course you can make exceptions, tagging the default vlan..).
    One thing I did in the past with a 2960, I made an LLDP network policy and it basically "provisioned" the downstream switch connecting link and voice vlan. That may be another idea for you.
    Here's a link that may be useful-
    https://supportforums.cisco.com/message/3811376
    Here is the 2960 config I used to feed a SB switch voice info
    Switch#show run
    Building configuration...
    Current configuration : 2206 bytes
    ! Last configuration change at 00:41:16 UTC Mon Mar 1 1993
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Switch
    boot-start-marker
    boot-end-marker
    no aaa new-model
    system mtu routing 1500
    vtp mode transparent
    network-policy profile 1
    voice vlan 100 cos 4
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    vlan 2
    name test
    vlan 100
    lldp run
    interface FastEthernet0/1
    network-policy 1
    spanning-tree portfast
    interface FastEthernet0/2
    interface FastEthernet0/3
    interface FastEthernet0/4
    interface FastEthernet0/5
    interface FastEthernet0/6
    interface FastEthernet0/7
    interface FastEthernet0/8
    interface FastEthernet0/9
    interface FastEthernet0/10
    interface FastEthernet0/11
    interface FastEthernet0/12
    interface FastEthernet0/13
    interface FastEthernet0/14
    interface FastEthernet0/15
    interface FastEthernet0/16
    interface FastEthernet0/17
    interface FastEthernet0/18
    interface FastEthernet0/19
    interface FastEthernet0/20
    interface FastEthernet0/21
    interface FastEthernet0/22
    interface FastEthernet0/23
    interface FastEthernet0/24
    interface FastEthernet0/25
    interface FastEthernet0/26
    interface FastEthernet0/27
    interface FastEthernet0/28
    interface FastEthernet0/29
    interface FastEthernet0/30
    interface FastEthernet0/31
    interface FastEthernet0/32
    interface FastEthernet0/33
    interface FastEthernet0/34
    interface FastEthernet0/35
    interface FastEthernet0/36
    interface FastEthernet0/37
    interface FastEthernet0/38
    interface FastEthernet0/39
    interface FastEthernet0/40
    interface FastEthernet0/41
    interface FastEthernet0/42
    interface FastEthernet0/43
    interface FastEthernet0/44
    interface FastEthernet0/45
    interface FastEthernet0/46
    interface FastEthernet0/47
    interface FastEthernet0/48
    interface GigabitEthernet0/1
    switchport mode trunk
    interface GigabitEthernet0/2
    interface Vlan1
    no ip address
    interface Vlan100
    no ip address
    ip http server
    ip http secure-server
    logging esm config
    line con 0
    line vty 5 15
    end
    Switch#
    -Tom

  • Query on Voice and Data VLAN on same Switch port

    Hi All,
    This is query regarding allowing both Voice and data Vlans on a single switch port. I knew there are different ways to configure and achieve this, but not sure how technically they are different from each other.
    Way 1:
    interface FastEthernet1/5
    description *** IP Phone/Data Port ***
    switchport trunk native vlan 10
    switchport mode trunk
    switchport voice vlan 16
    no logging event link-status
    no snmp trap link-status
    mls qos trust cos
    spanning-tree portfast
    sh int trunk
    Port      Mode         Encapsulation  Status        Native vlan
    Fa1/5     on           802.1q         trunking      10
    Fa1/7     on           802.1q         trunking      10
    Fa1/12    on           802.1q         trunking      10
    Fa1/13    on           802.1q         trunking      10
    Fa1/14    on           802.1q         trunking      10
    Port      Vlans allowed on trunk
    Fa1/5     1-1005
    Fa1/7     1-1005
    Fa1/12    1-1005
    Fa1/13    1-1005
    Fa1/14    1-1005
    Port      Vlans allowed and active in management domain
    Fa1/5     1,10,16
    Fa1/7     1,10,16
    Fa1/12    1,10,16
    Fa1/13    1,10,16
    Fa1/14    1,10,16
    Port      Vlans in spanning tree forwarding state and not pruned
    Port      Vlans in spanning tree forwarding state and not pruned
    Fa1/5     1,10,16
    Fa1/7     1,10,16
    Fa1/12    1,10,16
    Fa1/13    1,10,16
    Fa1/14    1,10,16
    sh vlan-switch
    VLAN Name                             Status    Ports
    1    default                          active    Fa1/0, Fa1/1, Fa1/2, Fa1/3
                                                    Fa1/4, Fa1/6, Fa1/8, Fa1/9
                                                    Fa1/10, Fa1/11, Fa1/15
    10  DVLAN                            active
    16  VVLAN                            active    Fa1/0, Fa1/1, Fa1/2, Fa1/3
                                                    Fa1/4, Fa1/6, Fa1/8, Fa1/9
                                                    Fa1/10, Fa1/11, Fa1/15
    In the above config, the port Fa 1/5 which is currently up and running (this port is connected with IP phone and a PC) is not shown in sh vlan-switch output as assigned to vlan 10 or vlan 16. Not sure it is because the output was taken from ISR router with NM 16-ESW module.
    sh int fa 1/5 switchp
    Name: Fa1/5
    Switchport: Enabled
    Administrative Mode: trunk
    Operational Mode: trunk
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: dot1q
    Negotiation of Trunking: Disabled
    Access Mode VLAN: 0 ((Inactive))
    Trunking Native Mode VLAN: 10 (DVLAN)
    Trunking VLANs Enabled: ALL
    Trunking VLANs Active: 1,10,16
    Priority for untagged frames: 0
    Override vlan tag priority: FALSE
    Voice VLAN: 16
    Appliance trust: none
    In above config, the port is configured as trunk and hence it can carry multiple vlan traffic on switchport. As IP phones will have inbuilt switch which runs DTP by default and CDP to recognize the connected devices.  I am not sure how this config works as even it's configured as trunk the DTP negotiation is disabled and how phone switch can differentiate the voice frames and data frames. Please explain in logical as it's known that as we have configured vlan 10 as native and voice vlan 16 as trunk it carries the voice traffic.
    Way 2:
    interface FastEthernet1/2
    description *** IP Phone/Data Port ***
    switchport access vlan 10
    switchport mode access
    switchport voice vlan 16
    no logging event link-status
    no snmp trap link-status
    mls qos trust cos
    spanning-tree portfast
    In the above config, even the port is access it's carrying multiple vlan traffic despite of being trunk port. Not sure how the trunk will be formed even DTP negotiation is off. Is it because of voice vlan command and if so what it does exactly.  Please can anyone elaborate in detail. Sorry, if my post is big and confusing
    sh int fa 1/2 switchport
    Name: Fa1/2
    Switchport: Enabled
    Administrative Mode: static access
    Operational Mode: static access
    Administrative Trunking Encapsulation: negotiate
    Operational Trunking Encapsulation: native
    Negotiation of Trunking: Off

    Switch - Phone - PC
    1. First question:
         # int f0/1
         # switchport mode access
         # spanning-tree portfast
         # switchport access vlan 50
         # switchport voice vlan 10
    This is the ideal way to configure and in all latest IOS Switches and in latest ISR routers, we do this as the command "switch port voice vlan" command  says to switch port that it carries the voice traffic as tagged and PC as untagged.
    As we all know the default switch port of a switch will be either Dynamic auto or Dynamic Desirable which means DTP is on and in turn it means negotiation of trunking is ON. This is as per my understanding.
    The Sub-Questions for 1st Question are below:
    1  Does the trunk negotiation happen between Access Switch switch port and Mini 3 Port Switch within the IP Phone. If mini switch in IP PHone negotiates to form  trunk based on DTP then what’s the default switch port mode of mini switch in the IP Phone.
    2. As in above config we are no where mentioning the port to be trunk. But it’s still allowing multiple vlan’s traffic to carry on access port. The switchport mode is access when you do “sh int fa 0/1 switchport”. Is it the switchport voice vlan command does the magic?
    2. Second Question:
         # int f0/1
         # switchport trunk encapsulation dot1q
         # switchport trunk native vlan 10     (data VLAN)
         # switchport mode trunk
         # switchport voice vlan 15
    The Sub-Questions for 2nd Question are below:
    When do we use this configuration.? In my set-up the above config is seen on 2811 ISR routers with NM-16ESW modules.  Can’t we configure the data vlan a switch port access vlan 10 , instead of trunk native vlan.

  • SF500 48P - Multiple VLANs and Voice VLAN

    I have a SF500-48P switch and have several VLANs on it (over 25 vlans).
    Each of these ports shall support also an IPPhone on vlan 4.
    I was thinking about using LLDP so I won't have to setup the VLAN manually on each phone.
    But when I do, here's what's happening:
    Original configuration:
    Port 25:
    Vlan 35 untagged
    When I plug the phone, the configuration changes to:
    Vlan 1 untagged
    Vlan 4 tagged
    I was expecting the following:
    Vlan 35 untagged
    Vlan 4 tagged
    Note that ports 1-25 have their own individual VLAN and need to be isolated (already done ACL in the router).
    I need help,
    regards,

    What about my other ports that belongs to other Vlans (11-24)?
    With the steps you gave me, as soon I connect a Phone, the untagged Vlan becomes 35 for any ports where a phone is connected.
    Since I have several Vlans untagged (only 1 per port), I don't want the untagged vlan to be changed by the smartport settings.  Is there a way to do that?

  • Users VLAN and Management VLAN

    is it possible to separate two VLANs:
    one is running for the users VLAN connects to the clients
    one is for management purpose.
    Is there a sample code available for access points, bridges, and switches?
    I would really appreciate that

    Hi,
    You can configure VLANs on enterprise access points.
    What you need to do is configure the access point with its management IP address, set this as the native vlan and then add the other VLAN or VLANs.
    Then on the switch that the access point is connected to you need to configure a trunk port and make sure that the native vlan is the same VLAN you set as native on the access point.
    As an example if the Access point has an IP address for management vlan 20, we set this VLAN as native and then we add the other VLAN or VLANs, and on the switch you configure the port as a trunk port with the same native VLAN 20.
    Note, native vlan is the same as untagged vlan. When we configure a trunk port this will tag all vlans except the native vlan or untagged vlan that needs to be the same between directly connected devices.

  • Voice Vlan and Native Vlan

    Dear all,
    I am now reading some information regarding the setup of Voip Phone. It mentioned that the Phone is actually a 3-ports switch:
    Port 1: Connect to upstream switch
    Port 2: Transfer Phone traffic
    Port 3: Connect to a PC
    Actually, what should I configure on the upstream switch port? Should it be a trunk port containing both the voice traffic vlan and pc data vlan?
    Or something else?
    Also, there is a term called 'Voice Vlan', is there any difference between 'Voice vlan' and ordinary Vlan?
    Is there any special usage of 'Native' Vlan in implementing Voip?
    Thanks.
    Br,
    aslnet

    Thanks.
    How about if the PC data should be tagged as another vlan (e.g., Vlan 10)? Then I should change the native vlan to vlan 10?
    But from my understanding, Native Vlan should be the same in the whole network, then I need to change the whole network native vlan? If there are different vlans should be assigned to different PCs that behind different VoIP-phone, then how to do it?
    From my guessing, is it i can assign individual native vlan (vlan10) on that port (connect to voip-phone), and then keep the switch's uplink port as original native vlan (vlan1).
    Therefore, PC data traffic would be untagged when entering from voip to the switch, and then tagged as vlan10 when leaving the switch to other uplink switch, right?
    Thanks.

  • VLAN trunking, native vlan and management vlan

    Hello all,
    In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
    We have an uplink which is trunked using .1Q. Our access ports has the data vlan as the native. Based on our design, what should be the native vlan for this uplink trunk? Should it be the management vlan or the data vlan? Thanks for your help.

    To answer this question you must remember what the native vlan is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the vlan that is configured for the port. Traffic for the voice vlan is an exception to this general rule.
    Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
    When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
    I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
    Regards,
    Leo

  • About the Native Vlan and Management Vlan.

    I wanted to know that Management vlan and Native vlan can be different vlan id or  both should be same vlan id. Why should not be native vlan 1.

    The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
    It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
    Native Vlan is the vlan which will be sent untagged even in Trunk links. Consider a Trunk link configured between two switches SWA and SWB, if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles accordingly. By default native vlan is 1, this can also be changed as per requirement.
    Example: In the below figure if an IP phone and system are connected to a switch port as below, the phones will send their frames tagged with vlan 10 whereas the frames sent by system will be untagged. So here the corresponding switch port should be configured as native vlan 20, so that it can recognise and handle the frames from system and IP phone properly.
    Management vlan is different, it means that this vlan will be used for management purposes like logging into the switch for management, monitoring the switch, collecting Syslog and SNMP traps, etc. will be done by management vlan IP. This is also by default vlan 1 in cisco. So as Antony said, it is always a best practice and security measure to not use the default vlan and use custom vlans.
    Hope this helps !
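One way to check a switch configuration against the native-VLAN advice in the post above, as an added example (not Cisco's or the poster's code). The function names, the sample configuration and its VLAN numbers (100 management, 101 data, 102 voice, 999 unused) are constructed; only `switchport` commands that appear on this page are parsed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in IOS "show run" layout (indented sub-commands, "!" separators).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink, native VLAN never set
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink, management VLAN as native
 switchport trunk native vlan 100
 switchport mode trunk
!
interface GigabitEthernet0/3
 description uplink, unused VLAN as native
 switchport trunk native vlan 999
 switchport mode trunk
!
interface GigabitEthernet0/4
 description uplink, data VLAN as native
 switchport trunk native vlan 101
 switchport mode trunk
!
interface FastEthernet0/1
 switchport access vlan 101
 switchport mode access
 switchport voice vlan 102
!
interface Vlan100
 ip address 192.0.2.10 255.255.255.0
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split IOS-style text into {interface name: [sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"interface\s+(\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line == "!" or not raw.startswith(" "):
            current = None            # block ended, back at global level
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def vlan_arg(commands: List[str], prefix: str) -> Optional[int]:
    """Return the numeric VLAN that follows 'prefix', if the command is present."""
    for cmd in commands:
        tail = cmd[len(prefix):].strip() if cmd.startswith(prefix) else ""
        if tail.isdigit():
            return int(tail)
    return None


def audit_native_vlans(config: str, mgmt_vlan: int) -> List[Tuple[str, int, str]]:
    """List (interface, native VLAN, reason) for trunks whose untagged VLAN is risky."""
    interfaces = parse_interfaces(config)
    # VLANs that carry user traffic: anything assigned as access or voice VLAN.
    in_use = set()
    for cmds in interfaces.values():
        for prefix in ("switchport access vlan", "switchport voice vlan"):
            vlan = vlan_arg(cmds, prefix)
            if vlan is not None:
                in_use.add(vlan)

    findings = []
    for name, cmds in interfaces.items():
        if "switchport mode trunk" not in cmds:
            continue
        native = vlan_arg(cmds, "switchport trunk native vlan")
        if native is None or native == 1:
            native = 1
            findings.append((name, native, "native VLAN is the default VLAN 1"))
        if native == mgmt_vlan:
            findings.append((name, native, "management VLAN crosses this trunk untagged"))
        elif native in in_use:
            findings.append((name, native, "native VLAN also carries user traffic"))
    return findings


if __name__ == "__main__":
    for interface, native, reason in audit_native_vlans(SAMPLE_CONFIG, mgmt_vlan=100):
        print(f"{interface}: native vlan {native}: {reason}")
```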
