VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1

Hi All,
L2 security documents suggest avoiding VLAN 1 and tagging all frames with VLAN IDs using the global vlan dot1q configuration. Other Cisco non-security documents suggest using switchport trunk native vlan #, which removes any VLAN tagging. It seems to me that the global vlan dot1q command and the interface command switchport trunk native vlan # are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using VLAN 1 to tighten L2 security. When VLAN 1 is removed from all trunked uplinks, user access ports are in VLANs other than VLAN 1, and no spanning-tree VLAN 1 operations exist, what is native VLAN 1 actually used for? The output of show interface gi0/1 trunk shows the native VLAN as 1.
Thanks,
HC

Hi HC,
The command "switchport trunk native vlan" is used to define the native (untagged) VLAN on a dot1q link. The default is 1, but you can change it to anything you like. It only changes the native VLAN; all the other VLANs on the trunk are of course tagged (and it only applies to dot1q, as ISL tags/encapsulates all the VLANs). The command "vlan dot1q tag native" is mostly used in dot1q-in-dot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. That is something mostly service providers offer to their customers. There it is important that there is no untagged traffic, as that would not work with dot1q-in-dot1q. This command tags the native VLAN traffic and drops all traffic which is not tagged.
What is the native VLAN for? Switches send control PDUs such as STP, CDP or VTP over the native VLAN.
If you don't happen to be a service provider for L2 metropolitan Ethernet, you won't need the "vlan dot1q tag native" command. For my part, I'm trying not to use VLAN 1 everywhere in my campus, because it gives a huge spanning-tree topology, and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degraded. I try to keep VLANs as small as possible and to have as much L3 separation as possible; that's good for stability!
Simon
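As an added example (not part of the original thread, and not Cisco's code), the Python model below shows at byte level what the two commands HC asks about do to frames on a dot1q trunk, and why they are complementary rather than contradictory: "switchport trunk native vlan" picks which VLAN is carried untagged, while "vlan dot1q tag native" stops carrying anything untagged. It also works through the double-tag VLAN hopping case that the "Trunk Native VLAN" message in the similar messages below warns about. The port classes are a simplified model of Catalyst forwarding; in particular, the access port accepting a frame tagged with its own access VLAN is a modelling assumption, and the MAC addresses and frames are constructed.

```python
"""
Byte-level model of how a dot1q trunk treats tagged, untagged and
double-tagged frames depending on its native VLAN and on 'vlan dot1q tag
native'. Added example, not from the original threads; the port classes are a
simplified model of Catalyst behaviour and the frames are constructed.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ATTACKER_MAC = "02000000aa01"   # locally administered, constructed
BCAST_MAC = "ffffffffffff"


def build_frame(dst, src, payload, vlans=()):
    """Ethernet frame with one 802.1Q tag per entry in `vlans` (first = outer)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vlans)
    return (bytes.fromhex(dst) + bytes.fromhex(src) + tags
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def parse_tags(frame):
    """Return the stack of VLAN IDs carried in the frame, outermost first."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def pop_tag(frame):
    assert struct.unpack_from("!H", frame, 12)[0] == TPID_8021Q
    return frame[:12] + frame[16:]


class AccessPort:
    def __init__(self, vlan):
        self.vlan = vlan

    def ingress(self, frame):
        """Untagged frames go to the access VLAN. Modelling assumption: a frame
        tagged with the access VLAN itself is accepted and the tag popped
        (that is what makes double tagging work); any other tag is dropped."""
        vids = parse_tags(frame)
        if not vids:
            return self.vlan, frame
        if vids[0] == self.vlan:
            return self.vlan, pop_tag(frame)
        return None


class TrunkPort:
    def __init__(self, native, allowed, tag_native=False):
        self.native, self.allowed, self.tag_native = native, set(allowed), tag_native

    def ingress(self, frame):
        """Classify a received frame: (vlan, frame with outer tag popped), or
        None when dropped. With tag_native on, untagged frames are dropped."""
        vids = parse_tags(frame)
        if not vids:
            return None if self.tag_native else (self.native, frame)
        if vids[0] not in self.allowed:
            return None
        return vids[0], pop_tag(frame)

    def egress(self, vlan, frame):
        """Frame leaving in `vlan`: sent untagged only if `vlan` is the native
        VLAN and tag_native is off; otherwise a tag is pushed."""
        if vlan not in self.allowed:
            return None
        if vlan == self.native and not self.tag_native:
            return frame
        return push_tag(frame, vlan)


def simulate_double_tag(attacker_vlan, target_vlan, uplink_native, tag_native):
    """Attacker on an access port sends [attacker_vlan][target_vlan] towards a
    trunk between two switches. Returns the VLAN the far switch puts it in."""
    allowed = {attacker_vlan, target_vlan, uplink_native}
    access = AccessPort(attacker_vlan)
    near = TrunkPort(uplink_native, allowed, tag_native)
    far = TrunkPort(uplink_native, allowed, tag_native)
    frame = build_frame(BCAST_MAC, ATTACKER_MAC, b"hop", (attacker_vlan, target_vlan))
    hit = access.ingress(frame)
    if hit is None:
        return None
    wire = near.egress(*hit)          # what actually crosses the trunk
    if wire is None:
        return None
    far_hit = far.ingress(wire)
    return None if far_hit is None else far_hit[0]


if __name__ == "__main__":
    print("native 10, untagged  :", simulate_double_tag(10, 20, 10, False))   # 20: hop
    print("native 10, tag native:", simulate_double_tag(10, 20, 10, True))    # 10
    print("native 999, untagged :", simulate_double_tag(10, 20, 999, False))  # 10
```

Running it prints the VLAN the far switch assigns the attacker's [10][20] frame: 20 when the uplink's native VLAN is the attacker's access VLAN 10 and is sent untagged (the near switch strips the outer tag on egress, the far switch reads the inner one), and 10 once the native VLAN is moved to an unused VLAN or "vlan dot1q tag native" is on. Either change closes the hop, and the two together are a consistent configuration, which is the answer to the "contradictory" question.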

Similar Messages

  • Switchport trunk native vlan & switchport access vlan dual configuration

    I've discovered this dual configuration on a 3500xl switch while troubleshooting an incrementing runts issue. Could the config of this port be related to the issue at hand?
    port configuration:
    interface FastEthernet0/3
    duplex full
    speed 100
    switchport access vlan 203
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 203
    switchport trunk allowed vlan 1,203,204,220,1002-1005
    switchport mode trunk
    spanning-tree portfast

    Hi,
    The 'switchport access vlan' command will have no effect on the configuration you have on this port. The port will operate as a trunk and will disregard any config that pertains to an access port.
    Hope that helps ...
    Paresh

  • What is the effect of the command switchport trunk native vlan x

    Hello all,
    I have an SG500 switch. Port Gi0/19 is directly connected to a machine. When I show the running config file I find the following config on interface gi0/19:
    switchport trunk native vlan 70
    I need to understand this command because I'm a bit confused: I know that we only put an interface in trunk mode if we have a link between two switches.
    Please Help :)

    Trunks can carry all the traffic (VLAN 70, 80, ..., including VLAN 1).
    An access port can only be in one VLAN (say VLAN 70).
    So if you configure it as a trunk and connect the server, then since the native VLAN is 70, traffic in VLAN 70 will not be tagged, so your server can understand it (assuming the server does not have the capacity to understand tagged frames). Traffic in other VLANs (say VLAN 80, ..., VLAN 1) will also be received by this interface but will be dropped.
    If you configure it as access only, in VLAN 70, only untagged VLAN 70 traffic will be received on the interface.
    Thanks

  • Switchport trunk native vlan question...

    What am I missing in regards to the following two lines assigned to a switch interface:
    switchport trunk native vlan 80
    switchport mode trunk
    Why assign a VLAN to the port when you're trunking it (meaning you're allowing all VLANs to pass)?
    Thank you.

    By default the native VLAN is VLAN 1, but it can be changed to any number on the trunk port with the command "switchport trunk native vlan #". This will make the new VLAN # native and allow all packets from this VLAN to pass through the trunk untagged.
    Native VLANs are used to carry CDP, PAgP and VTP messages. Thus the frames on the native VLAN are untagged. For these messages to propagate between devices, native VLANs must match on both sides of the trunk. In case of a native VLAN mismatch on the two sides of the trunk, STP will put the trunk port in the err-disabled state.

  • Switchport comparision, "trunk native vlan" versus "access vlan"

    I want to understand the logic when I install an IP phone with a PC attached. Is there any difference between the two configurations, for example with regard to QoS handling?
    switchport access vlan 100
    switchport voice vlan 200
    versus
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 100
    switchport voice vlan 200
    switchport mode trunk
    Thanks in advance,

    The difference is that these apply to two different sets of switches.
    The first configuration applies to the newer series switches: Cisco 3550, 3560 and 3750.
    The second applies to the older series, Cisco 2900, Cisco 3500XL etc. On these switches, you need to configure the port as a trunk before the port can carry both the voice and data VLANs.
    On the newer series, the port can carry both the voice and data VLANs and still not run in trunk mode.
    Regards,
    Anup

  • Cisco SF302-08P: "trunk native vlan" disappears from the port when I connect an IP phone.

    Hello!
    I have a problem with a Cisco SF302-08P switch. Specifically, the problem is in configuring a port for an IP phone and a PC.
    As you know, this is a PoE switch.
    vlan database
    vlan 47,147
    exit
    voice vlan id 147
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    hostname DepGrajdIniciativ
    ip ssh server
    snmp-server server
    ip telnet server
    interface vlan 47
     ip address 172.27.47.253 255.255.255.0
     no ip address dhcp
    interface fastethernet1
     storm-control broadcast enable
     storm-control broadcast level 10
     storm-control include-multicast
     port security max 10
     port security mode max-addresses
     port security discard trap 60
     spanning-tree portfast
     switchport trunk allowed vlan add 147
     switchport trunk native vlan 47                 <-----               
     macro description ip_phone_desktop
     !next command is internal.
     macro auto smartport dynamic_type ip_phone_desktop
    VLAN 147 is for the IP phone. VLAN 47 is for the computer.
    The thing is that when, for example, I connect an IP phone (Cisco 6921) to port 1, the setting "switchport trunk native vlan 47" disappears from the port; accordingly, the computer connected to the phone's "computer" port loses connectivity (VLAN 47 is lost?). I have to enter it again, but it only lasts until the next reboot of the switch or the phone.
    P.S. The switch settings are saved with "copy run start" or "wr". On the phone, "admin vlan" is set to 147.
    P.P.S. The phone is powered by PoE.
    What could the problem be? I have worked with many Cisco switches but have never seen anything like this....

  • Trunk Native VLAN

    Don't configure a native VLAN unless you have to. You're increasing your attack surface with the potential for VLAN hopping (some call it dot1q hopping).
    http://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/
    https://en.wikipedia.org/wiki/VLAN_hopping
    Edit: spelling

    Hello,
    I'm trying to understand native VLAN trunking better. Maybe someone can please help explain? I understand trunking and VLANs, and I know that on the trunked port I can allow whatever VLANs I want to, and I know that the native VLAN carries untagged frames.
    So for example, if I have, say, 3 VLANs and a native VLAN:
    VLAN 10, VLAN 20, VLAN 30, and I have the command "switchport trunk allowed vlan 10,20,30" on the trunked port,
    then all those VLANs will pass on the trunk, correct? And native VLAN 1 will pass all the telnet, CDP traffic etc., correct?
    Also, how do I change the native VLAN?
    Thanks.
    This topic first appeared in the Spiceworks Community

  • VLAN trunking, native vlan and management vlan

    Hello all,
    In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
    We have an uplink which is trunked using .1Q. Our access ports has the data vlan as the native. Based on our design, what should be the native vlan for this uplink trunk? Should it be the management vlan or the data vlan? Thanks for your help.

    To answer this question you must remember what the native VLAN is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function, since normal traffic is not tagged and is sent to the VLAN that is configured for the port. Traffic for the voice VLAN is an exception to this general rule.
    The native VLAN setting only plays a role on trunk links, where most of the traffic carries a tag. As explained, it is then used as the VLAN for untagged traffic.
    When you do not consider this a security breach, you may configure the data VLAN as native. Use another VLAN (why not VLAN 1?) in the case where you want to isolate this traffic.
    I find it good design practice to use the same native VLAN throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others ;-)
    Regards,
    Leo

  • Native VLAN on switchport trunk

    Is it possible to set more than ONE native VLAN on a switchport trunk?
    Thanks

    Hi there,
    Just to clarify, the native VLAN is set in the trunk configuration. This means that you can set this per trunk.
    You can only have 1 per trunk. If you had more than 1, which one would it send it to?
    Hope that clarifies,
    LH

  • If VLAN 1 is the native VLAN, then does that mean there can only be one?

    If VLAN 1 is native, does that mean when you assign another VLAN to be native, VLAN 1 is no longer native and the other VLAN is? Meaning you can only have one?

    Let us start by being clear that the concept of native vlan is related to a particular interface doing trunking. If you have two interfaces doing trunking it is quite possible that the first one would have vlan 1 as native and the other one might have vlan 2 as native.
    On a particular interface doing trunking it is quite true that there can be only a single native vlan for that trunk.
    HTH
    Rick

  • SG-300 52p POE and the case of Native vlan forgotten on a Port-channel

    Hi
    We have recently changed our access switches to Cisco Small Business SG-300 52P, running firmware
    SW version 1.3.5.58
    We found a very annoying problem with port-channels and the default VLAN.
    Our switches have a default VLAN different from VLAN 1 that depends on the floor they are on, and this native VLAN is first defined on the port-channel of our central switch, a Cisco 3750.
    Example of a central switch port-channel with a defined native VLAN:
    interface Port-channel2
    description TO 1F
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 6
    switchport trunk allowed vlan 4-6,11,13
    switchport mode trunk
    on the SG300 side the configuration is this:
    interface Port-channel2
    description 1F
    switchport trunk allowed vlan add 4-5,11,13
    !next command is internal.
    macro auto smartport dynamic_type switch
    As you can see there is no "switchport trunk native vlan 6", simply because once I write it on the SG300 command line it accepts the command, but the command is not written to the config (why?!)
    The result is that every time the SG300 is restarted I get two AUTO CREATED commands in the port-channel configuration:
    switchport trunk native vlan 1
    switchport default-vlan tagged
    which stop the network on that floor from working until I manually write on the SG300
    no switchport default-vlan tagged
    switchport trunk native vlan 6
    These commands, as said, work once I write them but are not visible in "sh run" and so are not saved to the config, so every time the SG300 is restarted I need to re-write them.
    Is this a bug?
    Have I made some mistake?
    Please let me know
    regards
    Pietro

    Figured it out!
    The problem was the macro; I have to write this:
    macro auto processing type switch disabled
    and then everything works as it should.
    Regards
    Pietro

  • 1240 AP does not honor a native VLAN different from 1

    Hi,
    I stumbled on a crazy issue and hope someone has an idea what is going wrong.
    I have an older 1240 autonomous AP where I cannot figure out why the device is using VLAN 1 instead of the required VLAN 1616 for management traffic.
    Anyway, clients can connect, get IP addresses, and traffic is routed, but the AP can be managed only via a serial console cable or temporarily by configuring
    the port on the 3750 from trunk to access port.
    1240 config.
    version 12.4
    hostname ap
    dot11 mbssid
    dot11 ssid vlan1621
       vlan 1621
    dot11 ssid vlan1630
       vlan 1630
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan 1621 mode ciphers aes-ccm
     encryption vlan 1630 mode ciphers aes-ccm tkip
     ssid vlan1621
     ssid vlan1630
     station-role root
     no cdp enable
    interface Dot11Radio0.21
     encapsulation dot1Q 1621
     no ip route-cache
     bridge-group 21
    interface Dot11Radio0.30
     encapsulation dot1Q 1630
     no ip route-cache
     bridge-group 30
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    interface FastEthernet0.16
     encapsulation dot1Q 1616 native
     no ip route-cache
     bridge-group 1
    interface FastEthernet0.21
     encapsulation dot1Q 1621
     no ip route-cache
     bridge-group 21
    interface FastEthernet0.30
     encapsulation dot1Q 1630
     no ip route-cache
     bridge-group 30
    interface BVI1
     ip address 192.168.16.11 255.255.255.0
     ip helper-address 192.168.18.20
     no ip route-cache
    ip default-gateway 192.168.16.1
    bridge 1 route ip
    3750g config:
    interface GigabitEthernet1/0/39
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 1616
     switchport trunk allowed vlan 1616-1630
     switchport mode trunk
     switchport nonegotiate
    Changing the bridge-group on the fa0.16 subinterface from 1 to anything different was also without success.
    Tested 1240 firmware: c1240-k9w7-123-8.JA2 / 124-25d.JA1 / 124-25d.JA2

    Hi
    I have applied your config to a 1252 AP directly connected to a 3560 switch as shown below, and the config works as expected.
    +++++++ Switch Config ++++++
    vlan 1616,1621,1630
    interface GigabitEthernet0/1
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 1616
     switchport trunk allowed vlan 1616-1630
     switchport mode trunk
    interface Vlan1616
     ip address 192.168.16.1 255.255.255.0
    ++++++++++ AP Config ++++++++++
    dot11 ssid vlan1621
       vlan 1621
    dot11 ssid vlan1630
       vlan 1630
    interface Dot11Radio0
     encryption vlan 1621 mode ciphers aes-ccm
     encryption vlan 1630 mode ciphers aes-ccm tkip
     ssid vlan1621
     ssid vlan1630
    interface Dot11Radio0.21
     encapsulation dot1Q 1621
     bridge-group 21
    interface Dot11Radio0.30
     encapsulation dot1Q 1630
     bridge-group 30
    interface GigabitEthernet0.16
     encapsulation dot1Q 1616 native
     bridge-group 1
    interface GigabitEthernet0.21
     encapsulation dot1Q 1621
     bridge-group 21
    interface GigabitEthernet0.30
     encapsulation dot1Q 1630
     bridge-group 30
    interface BVI1
     ip address 192.168.16.11 255.255.255.0
    ip default-gateway 192.168.16.1
    AAP1#ping 192.168.16.1                                                       
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.16.1, timeout is 2 seconds:
    If it does not work for you, I would check that VLAN 1616 is available on all your switches up to where the SVI for VLAN 1616 is defined.
    In your case, is interface vlan 1616 defined on the switch directly connected to the AP?
    HTH
    Rasika

  • Native VLAN on access switch

    I have 7 access switches, of which one switch is connected to the 2nd switch with an RJ45 trunk and the other switches are cascaded with each other.
    My question is: is a native VLAN necessary on all access switches, and if yes, then?
    Overview: SW1 trunk port Fa0/1 to SW2 Fa0/13.
    SW2-SW3-SW4-SW5-SW6-SW7 (cascading).
    SW4 connected to the core switch trunk port.
    The encapsulation type is dot1q, and the cascaded switches are in half duplex, but the switch that has the RJ45 trunk connectivity with the 2nd switch is in auto duplex, and the connectivity to the core switch is also in auto duplex from one of the access switches.
    Is that affecting speed?

    Thank you for that.
    The last thing I want to know is: can I remove the native VLANs from the uplink and GB ports?
    Is it necessary to keep the native VLAN?
    If not, then why?
    interface GigabitEthernet0/1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 100******
    switchport mode trunk
    interface GigabitEthernet0/2
    description *** Cascaded to...***
    duplex half
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 100****(Can I remove, if no use?)
    switchport mode trunk

  • Native vlan query

    (CE)--trunk port via WiMAX device--(PE-Switch)--trunk port--(PE-Router)
    In the above scenario, suppose the CE router is unable to create a sub-interface, so to communicate with the PE router I have used
    switchport trunk native vlan 834 and it's working.
    But when I use
    encapsulation dot1Q 834 native on the router sub-interface, it is not working.
    ##########Working config#################
    PE-Switch#
    interface FastEthernet1/0/5
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 834
    switchport trunk allowed vlan 503,834
    switchport mode trunk
    speed 100
    duplex full
    PE-Router#
    interface GigabitEthernet1/0/1.834
    bandwidth 128
    encapsulation dot1Q 834
    ip vrf forwarding ABC
    ip address 172.34.63.69 255.255.255.252
    end
    PE-Router#ping vrf ABC 172.34.63.70
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.34.63.70, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
    ##########Non-Working config#################
    PE-Switch#
    interface FastEthernet1/0/5
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 503,834
    switchport mode trunk
    speed 100
    duplex full
    PE-Router#
    interface GigabitEthernet1/0/1.834
    bandwidth 128
    encapsulation dot1Q 834 native
    ip vrf forwarding ABC
    ip address 172.34.63.69 255.255.255.252
    end
    PE-Router#ping vrf ABC 172.34.63.70
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.34.63.70, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Thanks & Regards
    Mahesh

    Hi,
    I'm confused by your configuration because the switchport trunk native vlan 834 command is gone in your non-working configuration.
    Also, is Fas1/0/5 connected to your CE or to your PE-Router?
    Let's say Fas1/0/5 is connected to your CE and 1/0/6 to your PE-Router. A working configuration would be:
    PE-Switch#
    interface FastEthernet1/0/5
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 834
    switchport trunk allowed vlan 503,834
    switchport mode trunk
    speed 100
    duplex full
    interface FastEthernet1/0/6
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 834
    switchport trunk allowed vlan 503,834
    switchport mode trunk
    speed 100
    duplex full
    PE-Router#
    interface GigabitEthernet1/0/1.834
    bandwidth 128
    encapsulation dot1Q 834 native
    ip vrf forwarding ABC
    ip address 172.34.63.69 255.255.255.252
    end
    Be sure your native VLAN is consistent on all your trunks, or you could have traffic leaking between VLAN 1 (the default native VLAN) and VLAN 834.
    HTH
    Laurent.

  • 1200: Native VLAN & Management VLAN

    I want to keep the management VLAN and the native VLAN separate. Is this the correct setup when using VLAN 999 as the native VLAN and VLAN 100 as the management VLAN?
    Management VLAN 100 (10.100.0.0/24)
    ### Trunk SW ###
    description "AP"
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 999
    switchport trunk allowed vlan
    switchport mode trunk
    switchport nonegotiate
    speed 100
    duplex full
    ### AP ###
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 99 key 1 size 128bit 7 3831CB248113D952741376BEC352 transmit-key
    encryption vlan 99 mode wep mandatory
    encryption vlan 11 mode ciphers tkip
    ssid xoxoxo
    vlan 11
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
    ssid xxx
    vlan 99
    authentication network-eap eap_methods
    speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
    rts threshold 2312
    station-role root
    interface Dot11Radio0.11
    encapsulation dot1Q 11
    no ip route-cache
    bridge-group 11
    bridge-group 11 subscriber-loop-control
    bridge-group 11 block-unknown-source
    no bridge-group 11 source-learning
    no bridge-group 11 unicast-flooding
    bridge-group 11 spanning-disabled
    interface Dot11Radio0.99
    encapsulation dot1Q 99
    no ip route-cache
    bridge-group 99
    bridge-group 99 subscriber-loop-control
    bridge-group 99 block-unknown-source
    no bridge-group 99 source-learning
    no bridge-group 99 unicast-flooding
    bridge-group 99 spanning-disabled
    interface dot11radio 0.999
    encapsulation dot1q 999 native
    interface dot11radio 0.100
    encapsulation dot1q 100
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    ntp broadcast client
    interface FastEthernet0.11
    encapsulation dot1Q 11
    no ip route-cache
    bridge-group 11
    no bridge-group 11 source-learning
    bridge-group 11 spanning-disabled
    interface FastEthernet0.99
    encapsulation dot1Q 99
    no ip route-cache
    bridge-group 99
    no bridge-group 99 source-learning
    bridge-group 99 spanning-disabled
    interface fastethernet 0.999
    encapsulation dot1q 999 native
    interface fastethernet 0.100
    encapsulation dot1q 100
    interface BVI100
    ip address 10.100.0.110 255.255.255.0
    no ip route-cache
    ip default-gateway 10.100.0.1

    This looks correct to me. Do you have a non-root bridge on the other side?
    Are you able to trunk all 4 VLANs with this config?
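Two pieces of advice recur in the messages above: keep the native VLAN identical on both ends of a trunk (Laurent's warning about traffic leaking between VLAN 1 and VLAN 834), and keep it off any VLAN that carries user traffic (Leo's data-VLAN-as-native question, and the reason HC wants VLAN 1 unused). Both can be checked offline from saved configs. The script below is an added example, not code from any of the posts or from Cisco; it parses the switchport lines of IOS-style configs. The two sample configs and the hand-written link table are constructed for illustration (in practice you would build the link table from CDP/LLDP neighbour output, which this script does not parse).

```python
"""
Offline audit of native-VLAN hygiene across IOS-style switch configs: default
native VLAN 1 left untagged, native VLAN shared with user traffic, DTP left
on, and native VLAN mismatch between the two ends of a trunk. Added example,
not from the original threads; configs and link table are constructed.
"""
import re

SW1_CONFIG = """\
hostname SW1
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 834
 switchport trunk allowed vlan 503,834
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport access vlan 834
 switchport mode access
"""

SW2_CONFIG = """\
hostname SW2
!
interface GigabitEthernet0/24
 switchport trunk allowed vlan 503,834
 switchport mode trunk
"""

SAMPLE_DEVICES = {"SW1": SW1_CONFIG, "SW2": SW2_CONFIG}
# Physical trunk links as (device, interface, device, interface); hand-written here.
SAMPLE_LINKS = [("SW1", "GigabitEthernet0/1", "SW2", "GigabitEthernet0/24")]

VLAN_RE = re.compile(r"switchport (trunk native|access|voice) vlan (\d+)")
VLAN_KEY = {"trunk native": "native", "access": "access", "voice": "voice"}


def parse_config(text):
    """Extract the switchport settings this audit needs from an IOS-style config.
    Returns (globals, {interface: attributes}); native defaults to 1 as on IOS."""
    glob = {"tag_native": False}
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":           # '!' terminates a stanza
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = {"mode": None, "native": 1, "access": None,
                               "voice": None, "nonegotiate": False}
            continue
        if current is None:                    # global configuration line
            glob["tag_native"] |= line == "vlan dot1q tag native"
            continue
        i, m = ifaces[current], VLAN_RE.fullmatch(line)
        if m:
            i[VLAN_KEY[m.group(1)]] = int(m.group(2))
        elif line in ("switchport mode trunk", "switchport mode access"):
            i["mode"] = line.rsplit(None, 1)[1]
        elif line == "switchport nonegotiate":
            i["nonegotiate"] = True
    return glob, ifaces


def audit(devices, links):
    """devices: {name: config text}; links: [(dev_a, if_a, dev_b, if_b)].
    Returns a list of (severity, device, interface, message)."""
    parsed = {name: parse_config(text) for name, text in devices.items()}
    findings = []
    for name, (glob, ifaces) in parsed.items():
        # VLANs that carry end-user traffic on this switch (access or voice)
        user_vlans = {v for i in ifaces.values() for v in (i["access"], i["voice"]) if v}
        for ifname, i in ifaces.items():
            if i["mode"] != "trunk":
                continue
            if not glob["tag_native"]:         # untagged native frames exist
                if i["native"] == 1:
                    findings.append(("WARN", name, ifname,
                                     "native VLAN left at default 1 and sent untagged"))
                if i["native"] in user_vlans:
                    findings.append(("WARN", name, ifname, f"native VLAN {i['native']} "
                                     "also carries access/voice traffic: double-tag hop precondition"))
            if not i["nonegotiate"]:
                findings.append(("INFO", name, ifname, "DTP still running; add 'switchport nonegotiate'"))
    for dev_a, if_a, dev_b, if_b in links:
        nat_a = parsed[dev_a][1][if_a]["native"]
        nat_b = parsed[dev_b][1][if_b]["native"]
        if nat_a != nat_b:
            findings.append(("CRIT", dev_a, if_a,
                             f"native VLAN mismatch with {dev_b} {if_b}: {nat_a} != {nat_b}"))
    return findings


def finding_keys(findings):
    """Sorted (severity, device, interface) triples, for summaries and tests."""
    return sorted({f[:3] for f in findings})


if __name__ == "__main__":
    for sev, dev, ifname, msg in audit(SAMPLE_DEVICES, SAMPLE_LINKS):
        print(f"{sev:4} {dev} {ifname}: {msg}")
```

On the sample, SW1 Gi0/1 is flagged twice (native 834 is also the access VLAN of Gi0/2, and 834 does not match the default native 1 on SW2 Gi0/24), and SW2 Gi0/24 is flagged for the untagged default native VLAN and for DTP still being negotiable. A global "vlan dot1q tag native" on a device suppresses the two untagged-native warnings for that device, since nothing untagged crosses its trunks any more; the mismatch check still applies, because the far end would classify the now-tagged frames by their tag.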
