UCS Native VLAN Question

All,
I have a problem that I just cannot wrap my mind around.  We have UCS set up in a lab with 2 interconnects connected to 2 Nexus 5510 switches.  The Nexus switches are uplinked to the network via a 4900M switch.  All trunks are set up and tested as functional. All routing is set up and confirmed.  I have an issue in UCS that is baffling me.  In the lab I have kept the native VLAN at VLAN 1.  I have set up test VLANs 2-10 on all the switches and interconnects.  I have created a service profile that contains 1 NIC and placed it in VLAN 7.  I have installed Windows 2008 on a blade using this service profile.  In the OS I have statically IP'ed the NIC for the scheme used in VLAN 7.  From the OS I cannot ping another device that is in VLAN 7.  I also cannot ping a host on another VLAN.  If I place a check on VLAN 1 as the native VLAN I still cannot ping anything.  If I place the check for native VLAN on VLAN 7 I can ping hosts within the same VLAN as well as outside the VLAN.  So, why do I need to set VLAN 7 as the native VLAN when all my trunks are set up with VLAN 1 as the native VLAN?
Thanks for any help,
Ken

Ken,
When allowing certain VLANs on your Service Profile vNICs you need to set the native VLAN. This is because the way you have it configured currently you're only "allowing VLAN 15", but you're not tagging it.  This would work fine for ESX or Linux where you can assign the dot1q tag at the host.  With Windows, unless you have specific drivers doing the tagging for you, you'll need to do this at the vNIC level within UCS.
Two ways to see this in action.  When creating a service profile in the "Basic" method - not "Expert" - you will select a single VLAN for your interfaces.  This will treat the interfaces pretty much like an "Access Port".  Conversely, when you use the "Expert" mode you're enabling the vNIC as a trunk, in which you will "allow" all the VLANs you'd like access to. Sounds like this is the method you have performed.
For a Windows OS, set the VLAN as Native for the VLAN you want it to access and you'll be sweet.  Unchecking that "Native VLAN" option box is allowing the traffic to traverse out of UCS on the Native VLAN of your network - VLAN 1, which is why its MAC appears on the other fabric under VLAN 1.
Regards,
Robert
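To make the answer above concrete, here is an added Python model (not code from this thread, from Cisco, or from UCS) of how a dot1q trunk, and a UCS vNIC in "Expert" trunk mode, handles frames. A receiver has no flag bit telling it a frame is tagged; it checks whether the two bytes after the source MAC are the 0x8100 TPID. Untagged frames are assumed to belong to the native VLAN, or to the default VLAN 1 when no native VLAN is chosen, and frames leaving on the native VLAN carry no tag. The MAC addresses, payload and the `windows_host_reaches_vlan7` helper are constructed for this example.

```python
"""802.1Q tag parsing and native-VLAN classification, modelled as a trunk port."""
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100   # EtherType value announcing that a VLAN tag follows
DEFAULT_VLAN = 1      # VLAN that takes untagged traffic when no native VLAN is chosen


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vlan_id or None, ethertype, payload) for a raw Ethernet frame.

    The receiver reads the two bytes after the source MAC: if they equal
    0x8100 they are the TPID and the next two bytes are the TCI (PCP, DEI,
    12-bit VID) followed by the real EtherType; otherwise they are the
    EtherType of an untagged frame.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner_type, frame[18:]
    return None, ethertype, frame[14:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a frame, inserting an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


@dataclass
class TrunkPort:
    """A dot1q trunk (or a UCS vNIC in "Expert" trunk mode): an allowed
    VLAN list plus an optional native VLAN."""
    allowed: Set[int]
    native: Optional[int] = None

    def ingress_vlan(self, frame: bytes) -> Optional[int]:
        """VLAN an arriving frame is assigned to, or None if it is dropped."""
        vid, _, _ = parse_frame(frame)
        if vid is None:
            # Untagged: assumed to be in the native VLAN; with no native VLAN
            # chosen it lands in the default VLAN, as the answer above describes.
            vid = self.native if self.native is not None else DEFAULT_VLAN
        return vid if vid in self.allowed else None

    def egress_frame(self, vlan_id: int, dst: bytes, src: bytes,
                     ethertype: int, payload: bytes) -> Optional[bytes]:
        """Frames in the native VLAN leave untagged; every other VLAN is tagged."""
        if vlan_id not in self.allowed:
            return None
        tag = None if vlan_id == self.native else vlan_id
        return build_frame(dst, src, ethertype, payload, tag)


# Constructed sample frames (addresses and payload are made up for the example).
HOST_MAC = bytes.fromhex("0a1b2c3d4e5f")
GW_MAC = bytes.fromhex("0a1b2c000001")
IPV4 = 0x0800
PAYLOAD = b"\x45" + b"\x00" * 19
UNTAGGED = build_frame(GW_MAC, HOST_MAC, IPV4, PAYLOAD)              # Windows host, no driver tagging
TAGGED_7 = build_frame(GW_MAC, HOST_MAC, IPV4, PAYLOAD, vlan_id=7)   # ESX/Linux host tagging itself


def windows_host_reaches_vlan7(native_checked: bool) -> bool:
    """The question above: vNIC allows only VLAN 7; does untagged host traffic land in VLAN 7?"""
    vnic = TrunkPort(allowed={7}, native=7 if native_checked else None)
    return vnic.ingress_vlan(UNTAGGED) == 7


if __name__ == "__main__":
    print("native unchecked:", windows_host_reaches_vlan7(False))   # False
    print("native = VLAN 7 :", windows_host_reaches_vlan7(True))    # True
    # Native VLAN kept off the allowed list: untagged frames are discarded.
    print("tag-everything  :", TrunkPort({10, 20}, 999).ingress_vlan(UNTAGGED))  # None
```

The last case in `__main__` shows the defensive variant discussed further down the page: if the native VLAN is set to a number that is not on the allowed list, untagged frames have nowhere to go and are dropped, so only explicitly tagged traffic crosses the trunk.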

Similar Messages

  • The old native vlan question....

    Topic came up during troubleshooting a 3524XL sw.
    I think my understanding of the native vlan concept is wrong.
    I thought on a trunk port (Cisco device) that any packet traversing a trunk link (dot1q trunk that is) has a vlan tag applied on the egress port.  As an untagged packet arrives on the port (prior to being sent out over the trunk), it is tagged with the native vlan (if it's not associated with any other vlan), then sent out the (egress) trunked port.
    But lately I have been reading that
    "A native vlan is the untagged vlan on an 802.1q trunked switchport. The native vlan and management vlan could be the same, but it is better security practice that they aren't. Basically if a switch receives untagged frames on a trunkport, they are assumed to be part of the vlan that is designated on the switchport as the native vlan. Frames egressing a switchport on the native vlan are not tagged. This is the definition, however more recent switch software often will allow you to tag all of the frames, even those in the native vlan. This gives some added security and allows the CoS bits to be carried between switches even on the native vlan. Let me know if you need further clarification."
    From : https://learningnetwork.cisco.com/thread/8721
    So this tells me that you can have a packet traversing a dot1q link w/o a vlan tag... then when it arrives on the other end it's put in the vlan that is the native vlan on that port.  Is this correct?
    If so, and a packet can traverse a trunk link w/o a VLAN tag applied, how does a sw detect (ingress) a native vlan mismatch?
    Thanks!

    Hi,
    It's correct, the native vlan is not tagged by default on the trunk link, but some platforms let you tag all traffic, even the native vlan.
    The native vlan mismatch is detected through cdp.
    Regards.
    Alain.
    Don't forget to rate helpful posts.

  • UCS native vlan

    Hi,
    Can anyone explain how native vlan configuration should be used in UCS? When creating a vNIC and checking "trunk", you then select the VLANs to be allowed in the trunk; there is also a native vlan radio button beside each VLAN. If the Cat 6509 uplink switch is connected to the Fabric Interconnect using a normal trunk configuration as follows:
    interface ten5/2
     switchport
     switchport trunk encap dot1q
     switchport mode trunk
    With the above config on the Cat6509, assuming default VLAN 1 is the native vlan, does that mean that I have to check native VLAN 1 when configuring the vNIC?
    Thanks
    Eng Wee

    Hi folks,
    Although an old post, still an up to date issue!  I've just got round it in my implementation!
    I was looking at all sorts of places, but you need to ensure that not only is your native vlan set at your switch end (connecting to the FIs) to the iSCSI vlan, and also on your relevant vNICs in your service profiles, AND AND AND, it needs to be set as the system native VLAN in the LAN tab.
    Also to note, you don't need the native vlan set the same on other links, so if your storage links 'tag' the iSCSI vlan that will be fine.
    Hope this helps.
    Rgds
    Dominic

  • Switchport trunk native vlan question...

    What am I missing in regards to the following two lines assigned to a sw interface:
    switchport trunk native vlan 80
    switchport mode trunk
    Why assign a VLAN to the port when you're trunking it (meaning you're allowing all VLANs to pass)?
    Thank you.

    By default the native VLAN is VLAN 1, but it can be changed to any number on the trunk port by the command "switchport trunk native vlan #". This will make the new vlan # native & allow all pkts from this vlan to pass thru the trunk untagged.
    Native VLANs are used to carry CDP, PAgP & VTP messages. Thus the frames on the native VLAN are untagged. For these messages to propagate between devices, native VLANs must match on both sides of the trunk. In case of a native VLAN mismatch on both sides of the trunk, STP will put the trunk port in err-disabled state.

  • Native VLAN question

    I asked this in another forum, but was hoping for some other explanations...
    switchport mode trunk
    switchport native vlan 80
    switchport trunk allowed vlan 50, 80
    Can someone provide a line by line explanation of whats being done?
    If I understand correctly, the first line lets ALL vlans through this port. The second line lets all untagged traffic that comes from VLAN 80 through. Line three perplexes me, because if we are trunking the port (letting all VLANs through), why explicitly let these two VLANs through when they are already allowed?
    Thank you.

    Hi
    "switchport mode trunk" means configure the link as a trunk link, i.e. a link that can carry traffic for multiple vlans. By default it will allow all vlans.
    "switchport native vlan 80" means the vlan on the trunk link that will not be tagged will be vlan 80. So all other vlan traffic is tagged but not this vlan.
    "switchport trunk allowed vlan 50, 80" means only allow vlan 50 and vlan 80 traffic across this link. There are a number of reasons you may want to do this. Perhaps at the other end of the link you know that the switch only has ports in vlan 50 and vlan 80, so there is no need to forward traffic for any other vlan. By not allowing those vlans across the trunk you not only stop broadcast traffic from going across the trunk (which can be achieved with the "vtp pruning" command) but you also stop STP for any vlans other than 50 & 80 across the link.
    HTH
    Jon

  • Various questions on uplink profiles, CoS, native VLAN, downlink trunking

    I will be using vPC End Host Mode with MAC-pinning. I see I can further configure MAC-Pinning. Is this required or will it automatically forward packets by just turning it on? Is it also best not to enable failover for the vnics in this configuration? See this text from the Cisco 1000V deployment Guide:
    Fabric Fail-Over Mode
    "Within the Cisco UCS M71KR-E, M71KR-Q and M81KR adapter types, the Cisco Unified Computing System can
    enable a fabric failover capability in which loss of connectivity on a path in use will cause remapping of traffic
    through a redundant path within the Cisco Unified Computing System. It is recommended to allow the Cisco Nexus
    1000V redundancy mechanism to provide the redundancy and not to enable fabric fail-over when creating the
    network interfaces within the UCS Service Profiles. Figure 3 shows the dialog box. Make sure the Enable Failover
    checkbox is not checked."
    What is the 1000V redundancy?? I didn't know it has redundancy. Is it the MAC-Pinning set up in the 1000V? Is it Network State Tracking?
    The 1000V has redundancy and we can even pin VLANs to whatever vNIC we want. See Cisco's Best Practices for Nexus 1000V and UCS.
    Nexus1000V management VLAN. Can I use the same VLAN for this and for ESX management and for switch management? E.g. VLAN 3 for everything.
    According to the below text (1000V Deployment Guide), I can have them all in the same vlan:
    There are no best practices that specify whether the VSM
    and the VMware ESX management interface should be on the same VLAN. If the management VLAN for
    network devices is a different VLAN than that used for server management, the VSM management
    interface should be on the management VLAN used for the network devices. Otherwise, the VSM and the
    VMware ESX management interfaces should share the same VLAN.
    I will also be using CoS and QoS to prioritize the traffic. The CoS can either be set in the 1000V (Host control Full) or per virtual adapter (Host control none) in UCS. Since I don't know how to configure CoS on the 1000V, I wonder if I can just set it in UCS (per adapter) as before when using the 1000V, i.e. we have 2 choices.
    Yes, you can still manage CoS using QoS on the vnics when using 1000V:
    The recommended action in the Cisco Nexus 1000V Series is to assign a class of service (CoS) of 6 to the VMware service console and VMkernel flows and to honor these QoS markings on the data center switch to which the Cisco UCS 6100 Series Fabric Interconnect connects. Marking of QoS values can be performed on the Cisco Nexus 1000V Series Switch in all cases, or it can be performed on a per-VIF basis on the Cisco UCS M81KR or P81E within the Cisco Unified Computing System with or without the Cisco Nexus 1000V Series Switch.
    Something else: Native VLANs
    Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is set up. Why? I have been advised to leave out the native VLAN.
    Example: Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (e.g. VLAN 2)? Can I just configure an access port with the same VLAN ID as the native VLAN, i.e. 2, and connect to it with a PC using the same IP network address?
    And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
    What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
    No, port channel should not be configured when MAC-pinning is configured.
    [Robert] The VSM doesn't participate in STP so it will never send BPDUs.  However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter.  PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDUs from VMs.  I prefer to ignore them rather than using BPDU Guard - which will shut down the interface if BPDUs are received.
    -Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
    Edit: 26 July 14:23. Found answers to many of my many questions...

    Answers inline.
    Atle Dale wrote:
    Something else: Native VLANs
    Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is set up. Why? I have been advised to leave out the native VLAN.
    [Robert] The native VLAN is assigned per hop.  This means between the 1000v Uplinks port profile and your UCS vNIC definition, the native VLAN should be the same.  If you're not using a native VLAN, the "default" VLAN will be used for control traffic communication.  The native VLAN and default VLAN are not necessarily the same.  Native refers to VLAN traffic without an 802.1q header and can be assigned or not.  A default VLAN is mandatory.  This happens to start as VLAN 1 in UCS but can be changed. The default VLAN will be used for control traffic communication.  If you look at any switch (including the 1000v or Fabric Interconnects) and do a "show int trunk" from the NXOS CLI, you'll see there's always one VLAN allowed on every interface (by default VLAN 1) - this is your default VLAN.
    Example: Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (e.g. VLAN 2)? Can I just configure an access port with the same VLAN ID as the native VLAN, i.e. 2, and connect to it with a PC using the same IP network address?
    [Robert] There's no VLAN 0.  An access port doesn't use a native VLAN - as it's assigned only to a single VLAN.  A trunk on the other hand carries multiple VLANs and can have a native vlan assigned.  Remember your native vlan usage must be matched between each hop.  Most network admins set up the native vlan to be the same throughout their network for simplicity.
    In your example, you wouldn't set your VM's port profile to be in VLAN 0 (doesn't exist), but rather VLAN 2 as an access port.  If VLAN 2 also happens to be your Native VLAN northbound of UCS, then you would configure VLAN 2 as the Native VLAN on your UCS ethernet uplinks.  On the switch northbound of the UCS Interconnects you'll want to ensure on the receiving trunk interface VLAN 2 is set as the native vlan also.
    Summary:
    1000v - VM vEthernet port profile set as access port VLAN 2
    1000v - Ethernet Uplink Port profile set as trunk with Native VLAN 2
    UCS - vNIC in Service Profile allowing all required VLANs, and VLAN 2 set as Native
    UCS - Uplink Interface(s) or Port Channel set as trunk with VLAN 2 as Native VLAN
    Upstream Switch from UCS - Set as trunk interface with Native VLAN 2
    From this example, your VM will be reachable on VLAN 2 from any device - assuming you have L3/routing configured correctly also.
    And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
    [Robert] This statement recommends "not" to use a native VLAN.  This is a practice by some people.  Rather than using a native VLAN throughout their network, they tag everything.  This doesn't change the operation or reachability of any VLAN or device - it's simply a design decision.  The reason some people opt not to use a native VLAN is that almost all switches use VLAN 1 as the native by default.  So if you're using the native VLAN 1 for management access to all your devices, and someone connects in (without your knowing) another switch and simply plugs into it - they'd land on the same VLAN as your management devices and potentially do harm.
    What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
    [Robert] On the first generation hardware (6100 FI and 2104 IOM) port channeling is not possible.  With the latest HW (6200 and 2200) you can create port channels with all the IOM - FI server links.  This is not configurable.  You either tell the system to use Port Channel or Individual Links.  The major bonus of using a Port Channel is losing a link doesn't impact any pinned interfaces - as it would with individual server interfaces.  To fix a failed link when configured as "Individual" you must re-ack the Chassis to re-pin the virtual interfaces to the remaining server uplinks.  In regards to 1000v uplinks - the only supported port channeling method is "Mac Pinning".  This is because you can't port channel physical interfaces going to separate Fabrics (one to A and one to B).  Mac Pinning gets around this by using pinning so all uplinks can be utilized at the same time.
    --
    [Robert] The VSM doesn't participate in STP so it will never send BPDUs.  However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter.  PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDUs from VMs.  I prefer to ignore them rather than using BPDU Guard - which will shut down the interface if BPDUs are received.
    -Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
    [Robert] The two STP commands would be used only when the VEM (ESX host) is directly connected to an upstream switch.  For UCS these two commands do NOT apply.

  • UCS FCoE Native VLAN

    Cisco doc (http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/white_paper_c11-560403.html) about FIP advises the following:
    "The FIP VLAN discovery protocol is the only FIP protocol running on the native VLAN; all other FIP protocols run on the discovered FCoE VLANs."
    As for FCoE in UCS, is the native vlan mentioned above the FCoE native VLAN (by default vlan 4049 in UCS 2.0)?

    Hi,
    Usually when you add it to the trunk as native, you don't need to add it again.  So, option 2.
    HTH

  • Q-in-Q w/o Native VLAN tag question

    Let's assume that we have Q-in-Q setup between 2 service provider switches.  To run Q-in-Q we want to terminate a trunk into each tunnel port and enable native VLAN tagging to ensure that all customer VLAN's are tagged.  In some cases we may have a customer that wants to connect their own equipment into the tunnel port on our switch, so it wouldn't actually be a trunk - it would be an access port.  If this occurs then there is no inner VLAN tag, only an outer VLAN tag.  Will tunnelling still function properly in this scenario?

    actually this is not true... sorry Kishore 
    Tunneling still works and traffic within the SP core will be singled tagged (with the SP tag only).
    However when you do this you need to be extremely careful, especially if you use dot1q trunks in the core with a native vlan within the customer range. You might end up with unexpected results in this case.
    See an example of a possible issue you might see in this case:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_58_se/configuration/guide/swtunnel.html#wp1008635
    The solution would be to tag native vlan in the SP core or use ISL trunks or use native vlans outside customer range or (logically) use trunk ports on CE device (still paying attention to native vlan though).
    Riccardo

  • Default/native vlan- voip data question- cisco sf300

    hi everybody,
    I have to set up voip and data vlans on cisco sf 300-24P. I will set up phones over LLDP and
    on the same port (on switch) I will have untagged vlan 10 for data, so PC will be connected
    through IP phones on network.
    So what confuses me is that on the SF 300 under VLAN mgmt --> Default VLAN settings you have
    options to change the default VLAN id (which is of course VLAN 1) which will be active after reboot.
    How come you can change the default vlan? Isn't it that the default vlan is always vlan 1 and you can
    change the native vlan to be something else - let's say vlan 10 which will be the untagged vlan for data?
    So what is best practice - should I just leave default vlan 1 and use it for data also, or should I
    change it to let's say VLAN 10 to be native and use it for data?
    And what will happen with default VLAN 1 if I change it with the above mentioned procedure?
    Thx!

    Hi,
    Best Practice is to leave Vlan 1 for management purposes only. Create yourself a DATA and a VOICE vlan. Usually the Management vlan does not have DHCP enabled and you have to statically assign a PC within your management vlan for access. I would say that it really depends on how the rest of your network is configured, depending on the configuration of the switch now. Unless this is a clean install.
    Hope this helps,
    Jasbryan

  • SG500 auto voice VLAN question about native VLAN

    I have been installing SG300 and SG500 switches and using the auto voice vlan feature by simply changing the voice vlan to 100 and using vlan 1 for default and data.  I normally put the switch in L3 mode and make an access port each for my IP PBX (vlan 100) and one to connect to the existing data network (vlan 1). Then I make a static route in the customer's default gateway to route back to vlan 100 and everything works nicely for most installs.
    On my last install I decided to try to change the default vlan 1 to vlan 10 and go with 10 for data and 100 for voice.  The problem I ran into was that the auto generated config on my phone switchports still use vlan 1 as native vlan.  I am trying to find a way to still use auto vlan and get the desired native vlan without having to make manual config changes.
    Should this be possible?
    Thanks in advance.

    Hi Brandon, you need to modify the macro from native vlan 1 to vlan 10.
    Check out this topic how to modify the macro
    https://supportforums.cisco.com/thread/2177613
    -Tom
    Please mark answered for helpful posts

  • (Another) Native VLAN tagging question..

    I have completed CCNA 3 course and am in 4 right now. I am still confused about VLAN native commands such as
    sw tr na vl xxx
    When this is on a trunk port, what does it mean?
    Thanks....

    "So does that mean that before the packet goes onto the trunk link it is put into the native VLAN then when it exits the trunk link (on the other side) it is stripped of the VLAN info? "
    No, what your prior quotation described is what a switch should do with untagged frames received on a port defined as a VLAN trunk.
    The VLAN tag informs the switch what VLAN a frame belongs to when it is received on a VLAN trunk port, but without such a tag, how does the switch know the intended VLAN? It doesn't, from the frame itself. So, we can often configure a trunk port to place any untagged frames into one VLAN of our choice. In theory, once we define what VLAN untagged frames will be considered a member of, tagged frames for that VLAN could also be accepted. Both should be treated the same by the receiving switch.
    As for a switch sending packets out a VLAN trunk, normally you would expect all packets to be VLAN tagged, although a switch might support sending one particular VLAN's frames without tags to support a device, such as the PC described in your quotation, that doesn't understand how to process, or expect, tagged frames.
    If you're wondering how this all comes to be, consider a PC that knows nothing about VLAN tags connected to an IP phone which does (which connects to the network), and you want to place the two devices on different VLANs. As the PC traffic transits, the phone could, in theory, wrap/unwrap the PC traffic with VLAN tags when working with the network switch. However, if the phone fails, you can design the IP phone hardware to keep the link good from the PC to the network, but then the IP phone's PC VLAN processing would be lost. So for that reason, and the reason we might want to add/remove an IP phone "in front" of the PC, we want to continue to support untagged frames to/from the PC.
    Although the frames to the PC are untagged, since we can configure per port what VLAN untagged frames should be considered in, we can have different PCs (on different ports) in different VLANs on the switch. (This is very similar to port based VLANs, but instead of being limited to one logical VLAN per port, we're limited to one untagged VLAN per port but can have multiple tagged VLANs per port.)

  • Question about the dot1q native vlan

    On a dot1q trunk, the switch can send untagged frames in the native vlan and tagged frames in the other vlans.
    Both end switches know the native vlan id, but first the receiving switch must determine which frame type (tagged or untagged) the frame is.
    How does the peer switch determine whether the received frame is tagged or untagged? There are no bits in the frame header in either frame format (Ethernet or dot1q format) indicating that "I" am untagged or tagged.
    In other words, after a frame is received, how does the receiving switch make certain that the two bytes after the "source mac address" in the frame are a "TPID" field (dot1q tag) and not a "Type/Length" field (untagged Ethernet frame), or vice versa?

    If the frame's Type/Length field value equals 0x8100, then a TPID field will follow.

  • Fabric interconnect and Native Vlan

    Hi
    I just want to ask a simple question
    is there any precautions with native vlan between the Switched infrastructure and the Fabric interconnect ?! 
    I mean can I use any vlan as a native vlan ex.999 "anything but not 1" ?! 

    As a security best practice on trunks carrying multiple VLANs you should not allow the native vlan on the line.  When you have a single VLAN going to a device, an end node for example, the port should be configured as an access port with a single data VLAN, and potentially a voice vlan if that will be used.
    For example, our N5Ks have a trunk to each of our UCS interconnects.  We set the native VLAN on the N5K side to 999. 999 is not in the allowed list for the trunk then, so the native VLAN never makes it to the UCS.  On the UCS then, for any server that can handle VLANs (ESXi for example) we send only tagged VLANs -- no VLAN is marked native, thus accomplishing the same thing as we did for the N5K to FI link.
    It is recommended as best practice not to leave your native VLAN as 1.  It's less of a concern if the native VLAN isn't in the allowed list, but to avoid misconfiguration issues you should set it to another VLAN.

  • Native VLAN 1

    I'm in the process of setting up UCS.  The default native vlan has a vlan ID of 1 in UCS.  Our native vlan is 1000.  So I set up a new vlan with the vlan ID of 1000 and set it as the native VLAN.  I cannot delete the VLAN default (1) even though it isn't the native vlan anymore because UCS won't let me.  We use VLAN id 1 for some of our corporate servers so I can't create a vlan with that ID without an overlap.  Since it's not being used as the native vlan anymore, can I go ahead and use VLAN default (1) or is there some issue with me using that vlan?
    Additionally, one other question in regard to the native vlan.  I set up another UCS environment and have a few ESXi servers running on it with some active VMs.  When I set up UCS I added a vlan for our company's native vlan (vlan id 1000), but I forgot to set it as the Native VLAN.  So VLAN default (1) is still listed as the Native VLAN.  What implications would there be if I changed the Native VLAN to the vlan I set up (vlan id 1000) while there are running ESXi servers and virtual machines?  Neither the ESXi servers nor the VMs are using either one of those vlans in service profiles and vNIC templates.

    Russ,
    VLAN 1 can't be pruned from your uplinks; it's one of those caveats.  We strongly discourage the use of VLAN 1 anywhere in your network as it presents a security risk.  (Since VLAN 1 exists on every switch by default, it's hard to block access to devices using that VLAN.)
    You can still use VLAN 1 even if it's not set as the native - no problem there.  Just take note that VLAN 1 is not eligible for Disjoint L2 configuration and will always be allowed on all uplinks.  If you don't have any disjoint L2 networks - then it's no problem for you.
    When you talk about the Native VLAN be careful.  If things are working as they are with VLAN 1 as the native vlan, changing it could impact your hosts if they need to communicate to other northbound devices.  I really try to caution people against using Native VLANs at all.  You're blindly sending untagged packets, and relying on the upstream L2 device to decide which VLAN to put the traffic onto.  Native VLANs can change from hop to hop also, so it opens up the door for VLAN mismatching.  You're far better off to TAG EVERYTHING - so there's no concern of native VLANs getting mixed up anywhere.
    Regards,
    Robert

  • The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?

    Hello
    I think the following topologies are supported for Cisco Routers
    And the Physical interface also can be using as Native VLAN interface right? 
    Topology 1.
     R1 Gi0.1 ------ IEEE802.1Q Tunneling  L2SW ------ Gi0 R2
    R1 - configuration
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     ip address 10.0.0.1 255.255.255.0
    Topology 2.
    R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
    interface GigabitEthernet0
    ip address 10.0.0.1 255.255.255.0
     And is it ok to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc?
    R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3 
          Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4  (same VLAN-ID) 
    R1 - configuration
    interface GigabitEthernet0
     ip address 10.0.0.1 255.255.255.0
    interface GigabitEthernet8.20
     encapsulation dot1Q 20
     ip address 20.0.0.1 255.255.255.0
    Any information is very appreciated. but if there is any CCO document please let me know.
    Thank you very much and regards,
    Masanobu Hiyoshi

    Hello,
    The diagram is helpful.
    If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
    Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
    Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
    Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
    My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
    Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
    I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
    Best regards,
    Peter
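The "Fabric interconnect and Native Vlan" and "Native VLAN 1" threads above give three checks for trunks facing the Fabric Interconnects: do not leave the native VLAN at 1, keep the native VLAN out of the allowed list so untagged frames are discarded, and prefer tagging everything. Here is an added Python audit (not from any post on this page, and not a Cisco tool) that parses IOS/NX-OS style running-config text and reports trunks that violate those checks. The interface names and sample configuration are constructed; the one platform command it looks for, the global `vlan dot1q tag native`, is the Catalyst command that tags the native VLAN, and its presence is treated as the "tag everything" control.

```python
"""Audit IOS/NX-OS style trunk configuration for native-VLAN exposure."""
import re
from typing import Dict, List, Optional, Set, Tuple


def parse_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface sub-commands.

    Sub-commands are recognised by their leading indentation, as IOS and
    NX-OS print them; '!' separator lines and blank lines are skipped.
    """
    globals_: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():                 # indented: belongs to the open interface block
            if current is not None:
                interfaces[current].append(raw.strip())
            continue
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, interfaces


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand '50,80,100-102' into {50, 80, 100, 101, 102}."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit_trunks(config: str) -> Dict[str, dict]:
    """Per trunk interface: native VLAN, allowed set (None = all) and findings."""
    globals_, interfaces = parse_config(config)
    tag_native = "vlan dot1q tag native" in globals_   # native VLAN tagged too
    report: Dict[str, dict] = {}
    for name, lines in interfaces.items():
        if "switchport mode trunk" not in lines:
            continue  # access ports carry one VLAN and have no native VLAN
        native = 1                           # platform default when not configured
        allowed: Optional[Set[int]] = None   # None means every VLAN is allowed
        for line in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", line)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan (.+)$", line)
            if m:
                spec = m.group(1).strip()
                if spec.startswith("add "):
                    allowed = (allowed or set()) | expand_vlan_list(spec[4:])
                elif spec == "none":
                    allowed = set()
                elif spec == "all":
                    allowed = None
                else:
                    allowed = expand_vlan_list(spec)
        issues = []
        if native == 1:
            issues.append("native VLAN left at default 1")
        if allowed is None:
            issues.append("no allowed list: every VLAN is carried")
        if (allowed is None or native in allowed) and not tag_native:
            issues.append(f"untagged frames are accepted into VLAN {native}")
        report[name] = {"native": native, "allowed": allowed, "issues": issues}
    return report


# Constructed sample: a hardened FI uplink, an untouched trunk, the 50/80
# example from the thread above, and an access port that the audit skips.
SAMPLE_CONFIG = """\
!
interface Ethernet1/1
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 10,20,30
!
interface Ethernet1/2
  switchport mode trunk
!
interface Ethernet1/3
  switchport mode trunk
  switchport trunk native vlan 80
  switchport trunk allowed vlan 50,80
!
interface Ethernet1/4
  switchport mode access
  switchport access vlan 10
!
"""

if __name__ == "__main__":
    for name, result in audit_trunks(SAMPLE_CONFIG).items():
        print(name, result)
```

Ethernet1/1 passes because its native VLAN 999 is absent from the allowed list, so untagged frames have no VLAN to land in; Ethernet1/3 is flagged only because untagged frames still enter VLAN 80, and that finding clears once `vlan dot1q tag native` is present in the global configuration.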
