Why Native VLAN exists on a Trunk?

Basically, A Native VLAN carries untagged traffic on a trunk line.
A trunk line allows mutiple VLAN traffic ( tagged traffic). So Why Native VLAN exists on a trunk.
Why Native VLAN was created?
I'm pretty confused up with VLANs.

Hi,
The second question - why PC Network adapters support VLAN tags - is actually easier to answer :)
First of all, with regards to VLANs and frame tagging, there is actually nothing special to support on a network adapter! The VLAN tag itself is in fact stored in the payload of a tagged frame. Even to the most dumb network adapter, a tagged frame looks like any other - Destination MAC, Source MAC, EtherType (set to 0x8100), Payload (holding the rest of the VLAN tag, the original EtherType and the original Payload), and the FCS. Supporting VLANs and frame tags is possible on a purely software level. The fact that network adapters often do have hardware support for VLANs is related to performance reasons: With hardware VLAN support, the tagging, de-tagging, filtering and/or sorting frames based on the VLAN tag value is faster and it allows offloading these operations from the computer's CPU to the network card. However, even if the network adapter did not have any kind of VLAN support, the VLANs could still be implemented purely in the card's software driver.
Ordinarily, you would not see a common PC send and receive tagged frames. However, there are situations in which even a PC would send or receive a tagged frame. One of reasons is the presence of the Class-of-Service (CoS) bits in a VLAN tag. You surely know that basic Ethernet frame format does not include any kind of priority marking. There is no field in an Ethernet header that would allow you to indicate that this or that frame requires a preferential treatment. VLAN tags, on the other hand, have a 3-bit CoS field that allows you to indicate the priority of the tagged frame. Should a PC need to send a frame that needs to be explicitly marked as more important than others, it can be done by inserting a VLAN tag into this frame and setting the CoS field to a non-zero value (with 3 bits, the maximum CoS value is 7).
Another reason for a computer to send and receive tagged frames would be when the computer itself would be intentionally placed into multiple VLANs. For example, the router-on-a-stick performing inter-VLAN routing is not a concept just for dedicated hardware routers. For example, any computer running Linux can be used in place of a Cisco router to perform inter-VLAN routing. Just like on a Cisco router, you would configure the Linux with subinterfaces for each VLAN it should be able to route from and to, assign IP addresses, and voila - you have a cheap and powerful inter-VLAN router. Yet another reason for receiving and sending tagged frames on a computer would be virtualization: You could have a server that runs multiple virtual operating systems in VirtualBox, VMWare, Xen or some other virtualization solution, and you want each of these virtual PCs to have a "separate" network card so that they can not talk to each other when they communicate with the outside world. You would do this again by creating subinterfaces on the physical machine, and bridging the individual virtual PCs with unique subinterfaces so that each virtual PC gets its own subinterface onto which it is bridged. As a result, the communication of individual virtual PCs would be tagged on the physical link depending on what virtual machine was speaking.
So, while not exactly a typical situation for an ordinary office PC, it is nonetheless quite normal to see a computer being connected to a trunk port. This, however, is always done with the prior knowledge that the computer will indeed need to talk to several VLANs simultaneously and directly. Otherwise there's no need for that.
Regarding the native VLAN on trunks - well, this is a neverending debate. I wish the native VLAN was never invented but well, it's here so we have to fight with it. Often, it is explained as "the VLAN that will save you if you happen to connect a normal PC to a trunk", and you have asked quite correctly - why on Earth would I want to connect a normal PC to a trunk, if not for reasons stated above? And you would be perfectly right - you wouldn't. The reason for native VLANs is different. If you try to study the IEEE 802.1Q standard you will learn that it does not recognize the terms access port and trunk port. It has no distinction for these port types. Instead, 802.1Q considers each port to be possibly associated with multiple VLANs at once. One of these VLANs is called the Primary VLAN, its number (ID) is called the Primary VLAN ID (PVID), and this VLAN is considered to be the one that is always associated with the port and thus does not need to use tags. Any other VLAN that is in addition associated with the port obviously has to use tags to be distinguishable. From this viewpoint, a port that is associated just with its PVID would be what Cisco calls an access port, and a port that is associated with VLAN IDs other than just its PVID would be what Cisco calls a trunk port, with the PVID being the trunk's native VLAN ID.
So in the way IEEE defines VLANs and their usage, PVID (= native VLAN ID) is a property of each port, so any implementation that claims compatibility with 802.1Q has to implement the PVID. Cisco decided to have a twist on the understanding of VLANs, and came up with access ports (i.e. ports associated just with their PVID and no other VLAN ID) and trunk ports (i.e. ports associated with many VLAN IDs including PVID), and so each trunk port must have its PVID - and that is what we call native VLAN and why we need to at least support it - although we do not need to make use of the native VLAN on trunks.
Quite convoluted.
Best regards,
Peter

Similar Messages

VLAN trunking, native vlan and management vlan

Hello all,
In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
We have an uplink which is trunked using .1Q. Our access ports has the data vlan as the native. Based on our design, what should be the native vlan for this uplink trunk? Should it be the management vlan or the data vlan? Thanks for your help.

To answer this question you must remember what the native vlan is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the vlan that is configured for the port. Traffic for the voice vlan is an exception to this general rule.
Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
Regards,
Leo

Switchport trunk native vlan question...

What am I missing in regards to the following two lines assigned to a sw interface:
switchport trunk native vlan 80
switchport mode trunk
Why assign a VLAN to the port when your trunking it (meaning you allowing all VLANs to pass)?
Thank you.

By default native VLAN is VLAN 1, but can be changed to any No. on the trunk port by command "switchport trunk native vlan #". This will make a new vlan# as native & allow all pkts from this vlan to pass thru trunk untagged.
Native VLANs are used to carry CDP, PAgP & VTP messages. Thus the Frames on native VLAN are untagged. For these messages to propagate between devices, native VLANS must match on both sides of the trunk. In case of native VLAN mismatch on bothsides of the trunk, STP will put the trunk port in err-disabled state.

Wireless AP native vlan and switch trunk

Hi,
I am unable to ping my ap, i think it is due to the multiple vlan issues, can provide some advise, my config for the ap and switch is as below
AP Config
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hostname
logging rate-limit console 9
enable secret 5 $1$ZxN/$eYOf/ngj7vVixlj.wjG2G0
no aaa new-model
ip cef
dot11 syslog
dot11 ssid Personal
   vlan 2
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 070E26451F5A17113741595D
crypto pki token default removal timeout 0
username Cisco password 7 1531021F0725
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
stbc
beamform ofdm
station-role root
no dot11 extension aironet
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
no dfs band block
stbc
beamform ofdm
channel dfs
station-role root
interface Dot11Radio1.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio1.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
interface GigabitEthernet0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.1.100 255.255.255.0
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
password 7 01181101521F
login
transport input all
end
Switch Port config
interface FastEthernet1/0/10
switchport trunk native vlan 100
switchport mode trunk

I will re-check the routing again but could it be some bridging issues ?
interface GigabitEthernet0
no ip address
duplex auto
speed auto
**** unable to put up this command on the giga port
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
I try to put this command on the gigaethernet port but it does not allow me, could this be the bridging issue ?

Native Vlan and Trunking

Hi Folks,
I am having a doubt with native Vlan in trunk ports.
In a topology of 3 switches. Switch A is connected with switchB and SwitchC on uplinks. Can I configure the different native vlans for 2 different trunk for switch A.
Like I am having 3 vlan,s configured in switch A with VTP domain transparent(1,500,900-Vlans configured). Same configuration is there in B & C too.
So can we use 999 as a native vlan for trunk between A&B and native vlan 1 for trunk configured between A&C.

yes possible, if specific reasons. Already discussed several times on this forum. Pls refer this link:
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe4e88

Native VLAN on switchport trunk

Is i possible to set more than ONE native vlan on a switchport trunk.
Thanks

Hi there,
Just to clarify, the native vlan is set in the trunk configuration. This means that you can set this per trunk.
You can only have 1 per trunk. If you had more than 1, which one would it send it to??
Hope that clarifys,
LH
Please rate all posts

Does the dot1q native VLAN need to be defined on the switch?

I understand the issues with using VLAN 1 as the native VLAN on a dot1q trunk. I follow best practices and change the native VLAN to a VLAN that does not carry any other traffic (switchport trunk native vlan x). I usually go a step further and do not define the VLAN in the switch configuration. This way if traffic bleeds into the native VLAN because it is untagged then it cannot go anywhere. So if I use VLAN 999 as the native VLAN, I do not create VLAN 999 on the switch. I’m curious if anyone else does this or if there are any thoughts on whether this is a good or bad practice?

If you are tagging your native VLAN but do not have that VLAN in the vlan database - it makes no difference if the VLAN exists or not in my opinion. All the vlans on your trunks would be tagged anyway.
It seems like a clever idea, but not sure if it provides any benefit.

Native VLan on acess switch

I've 7 accesss switches from which one switch is connected to 2nd switch with RJ 45 Trunk and other switches cascaded with eachother.
My question is ,Is native vlan necessary on all access switches, if yes than ?
Overview:SW1-Trunkport Fa0/1 to SW2-Fa0/13.
SW2-SW3-SW4-SW5-SW6-SW7(Cascading).
SW4-Connected to core switch Trunk port.
Encapsulation type is dotlq and the cascaded switches are in half duplex but the switch that has the RJ45 trunk connectivity with 2nd switch is in Auto duplex and the connectivity for core switch is also in Auto duplex from one of access switch.
Is that affecting speed?

Thank you for that.
Last thing I want to know that , can i remove Native Vlans from the uplink and gb ports ,
Is that Necessary to keep in Native Vlan?
If no than why?
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 100******
switchport mode trunk
interface GigabitEthernet0/2
description *** Cascaded to...***
duplex half
switchport trunk encapsulation dot1q
switchport trunk native vlan 100****(Can I remove, if no use?)
switchport mode trunk

Native VLAN on Cisco 3750x vs Cisco 2960S

Hi,
I have a scenario where I connect my Cisco switch 2960s with Cisco router 1941 as photo below
My question is when i connect router with cisco 2960s I config interface Gi1/0/1 as a trunk. everything work fine, I can ping from router to switch(172.16.29.2).
But when I changed to cisco 3750x, i config interface Gi1/0/1 as a trunk, it cannot ping from router to switch(172.16.29.2). But after I add native vlan 30 on interface Gi1/0/1 I can ping from router to switch (172.16.29.2)
Any idea why ? is there any different of native vlan on cisco 2960s and 3750x ?
Thank you for your kind answer
John

Hi John
It seems for me that the 3750 is doing what it should do, if the router do not have subinterfaces and dot1q, it will send traffic without dot1q tag, and the 3750 will drop these packets because they arrive without a tag. That's why native vlan fixes the problem.
The 2960 should work the same way that 3750 do, so I wonder if there is some differences in the config between the switches.
Can You share the config for gi0/1 on the router and also the switchportconfig for both switches.
Also a "show interface gi1/0/1 switchport" for both switches.
/Mikael

UCS Native VLAN Question

All,
I have a problem that I just cannot wrap my mind around. We have UCS setup in a lab with 2 interconnects connected to 2 nexus 5510 switches. The nexus switches are uplinked to the network via a 4900m switch. All trunks are setup and tested as functional. All routing is setup and confirmed. I have an issue in UCS that is baffling me. In the lab I have kept the native VLAN at vlan1. I have setup test vlans 2-10 on all the switches and interconnects. I have created a service profile that contains 1 nic and placed it in VLAN 7. I have installed Windows 2008 on a blade using this service profile. In the OS I have statically IP'ed the NIC for the scheme used in VLAN 7. From the OS I cannot ping another device that is in vlan 7. I also cannot ping a host on another vlan. If I place a check on VLAN 1 as the native vlan I still cannot ping anything. If I place the check for native vlan to vlan 7 I can ping hosts within the same vlan as well as outside the vlan. So, why do I need to place vlan 7 as the native vlan when all my trunks are set up as vlan 1 being the native vlan?
Thanks for any help,
Ken

Ken,
When allowing certain VLANs on your Service Profile vNICs you need to set the native VLAN. This is because the way you have it configured currently you're only "allowing VLAN 15", but you're not tagging it. This would work fine for ESX or Linux where you can assign the dot1q tag at the host. With Windows unless you have specific drivers doing the tagging for you, you'll need to do this at the vNIC level within UCS.
Two ways to see this in action. When creating a service profile in the "Basic" method - not "Expert", you will select a single VLAN for your interfaces. This will treat the interfaces pretty much like an "Access Port". Conversely when you use the "Expert mode you're enable the vNIC as a trunk, in which you will "allow" all the VLANs you'd like access to. Sounds like this is the method you have performed.
For a Windows OS, set the VLAN as Native for the VLAN you want it to access and you'll be sweet. Unchecking that "Native VLAN" option box is allowing the traffic to traverse out of UCS on the Native VLAN of your network - VLAN 1, which is why it's MAC appears on the other fabric under VLAN1
Regards,
Robert

Does it need add the native vlan to allowed vlan list ?

If I confiured the port like this "
switchport trunk native vlan 10
switchport trunk allowed vlan 11,12"
does the vlan 10 allowed passing ? or it still need add vlan 10 to the allowed vlan list like "
switchport trunk native vlan 10
switchport trunk allowed vlan 10,11,12"
Thanks

Yes you can remove the native VLAN from the list, and it does prevent the native VLAN from traversing the trunk. That is, if you look at the Spanning Tree for the native VLAN, the trunk will be absent from the list of ports on the VLAN.
The question of untagged frames is a different one. There are some control protocols, particularly link-local ones, that are sent untagged, and these will traverse the trunk regardless. However, they are not considered as part of the native VLAN Spanning Tree as such.
But beware: there is a bug in earlier IOS and in all CatOS switches! If you use a non-1 VLAN as your trunk native VLAN, and you disallow it from the trunks, and there are no other ports carrying that native VLAN, then the Spanning Tree for that VLAN shut down. That is fair enough. But the bug is that the Spanning Tree for VLAN 1 also breaks down, sending your network into meltdown.
Kevin Dorrell
Luxembourg

Nexus 7k and native vlan 1

Hi, is it recommended to use a native vlan other than 1 on the trunks connecting Nexus box's. It used to be that you should not use native vlan 1 on the trunks between switches. Is this not an issue anymore.
Thanks

Hi Chuck,
It is recomended to use a different vlan other than vlan 1 as your default vlan.
This is one of the best practices for secure the overall network.
For eg.
In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and trunking protocols (e.g. Multiple VLAN Registration Protocol, IEEE 802.1Q, VLAN Trunking Protocol) used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.
HTH,
Aman

Native Vlan Effect on the Overall Network Performance

Dear Experts,
I would like to know that did Native Vlan affect the overall Network performance and make the whole network slow and can be cause for all Network devices to be failure or disconnect. I am facing this issue for the network that after apply Vlan dot1q tag native" in global Config the user disconnect from the network and also the devices.
Kindly assist on this issue with the practical scenario and result oriented conclusion.
Further I have following Devices in the Network Catalyst 4500, Nexus 5548, FIC 6248, UCS 5018 and Catalyst 3750.
The issue is this the VLAN 50 which is for UCS is not able to access from the LAN network even we added the VLAN 50 on all the Switches and it propogated to whole network so we make Vlan 50 as Native and added "switchport trunk native vlan 50 on trunks ports from Nexux 5548 to Fabric Interconnect and to Core Switch 4500. After added vlan 50 as native vlan we can access the UCS from LAN.
But after adding native vlan 50 on all trunks the Network Administrator complaining that network is slow and few servers are disconnecting.
here for the information that server vlan is 1.
Waiting for the answer.
Thanks,
JH
Thanks,
JH

Hello.
1. Could you please draw interconnectivity diagram of all the devices?
2. Could you chose any LAN device (on the same switch as UCS) and post here running config of the device that interconnects them?

Whats difference between native vlan and pvid

whats difference between native vlan and pvid ?

Hi,
a port VLAN ID is the assigned VLAN of an access-port.
The native VLAN is used in a trunk. A trunk is used to connect another switch or a device which belongs to more than 1 VLAN. Since a standard ethernet frame doesn't provide a field to distinguish VLANs, a special field is inserted, this is called "tagging". Nevertheless, frames belonging to the native VLAN are transmitted without such a tag (in other words: the ethernet frames are not modified). In this way, traffic forwaring is possible in the native VLAN even when the trunk is not working correctly.
In theory, when you would connect a trunkport from one switch to an accessport of another, communication for the native VLAN would be possible. In such a scenario, the native VLAN-ID doesn't have to match the PVID. Hope, this isn't to confusing.
You can find more details in discussion https://learningnetwork.cisco.com/thread/8721#39225
Regards,
Rolf

Various questions on uplink profiles, CoS, native VLAN, downlink trunking

I will be using vPC End Host Mode with MAC-pinning. I see I can further configure MAC-Pinning. Is this required or will it automatically forward packets by just turning it on? Is it also best not to enable failover for the vnics in this configuration? See this text from the Cisco 1000V deployment Guide:
Fabric Fail-Over Mode
Within the Cisco UCS M71KR-E, M71KR-Q and M81KR adapter types, the Cisco Unified Computing System can
enable a fabric failover capability in which loss of connectivity on a path in use will cause remapping of traffic
through a redundant path within the Cisco Unified Computing System. It is recommended to allow the Cisco Nexus
1000V redundancy mechanism to provide the redundancy and not to enable fabric fail-over when creating the
network interfaces within the UCS Service Profiles. Figure 3 shows the dialog box. Make sure the Enable Failover
checkbox is not checked."
What is the 1000V redundancy?? I didn't know it has redundancy. Is it the MAC-Pinning set up in the 1000V? Is it Network State Tracking?
The 1000V has redundancy and we can even pin VLANs to whatever vNIC we want. See Cisco's Best Practices for Nexus 1000V and UCS.
Nexus1000V management VLAN. Can I use the same VLAN for this and for ESX-management and for Switch management? E.g VLan 3 for everything.
According to the below text (1000V Deployment Guide), I can have them all in the same vlan:
There are no best practices that specify whether the VSM
and the VMware ESX management interface should be on the same VLAN. If the management VLAN for
network devices is a different VLAN than that used for server management, the VSM management
interface should be on the management VLAN used for the network devices. Otherwise, the VSM and the
VMware ESX management interfaces should share the same VLAN.
I will also be using CoS and Qos to prioritize the traffic. The CoS can either be set in the 1000V (Host control Full) or per virtual adapter (Host control none) in UCS. Since I don't know how to configure CoS on the 1000V, I wonder if I can just set it in UCS (per adapter) as before when using the 1000V, ie. we have 2 choices.
Yes, you can still manage CoS using QoS on the vnics when using 1000V:
The recommended action in the Cisco Nexus 1000V Series is to assign a class of service (CoS) of 6 to the VMware service console and VMkernel flows and to honor these QoS markings on the data center switch to which the Cisco UCS 6100 Series Fabric Interconnect connects. Marking of QoS values can be performed on the Cisco Nexus 1000V Series Switch in all cases, or it can be performed on a per-VIF basis on the Cisco UCS M81KR or P81E within the Cisco Unified Computing System with or without the Cisco Nexus 1000V Series Switch.
Something else: Native VLANs
Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is setup. Why? I have been advised to leave out the native VLAN.
Example:Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (Eg. VLAN 2)? Can I just configure a access port with the same VLAN ID as the native VLAN, i.e 2 and connect to it with a PC using the same IP network address?
And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
No, port channel should not be configured when MAC-pinning is configured.
[Robert] The VSM doesn't participate in STP so it will never send BPDU's. However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter. PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDU's from VMs. I prefer to ignore them then using BPDU Gaurd - which will shutdown the interface if BPDU's are received.
-Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
Edit: 26 July 14:23. Found answers to many of my many questions...

Answers inline.
Atle Dale wrote:
Something else: Native VLANsIs it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is setup. Why? I have been advised to leave out the native VLAN.[Robert] The native VLAN is assigned per hop. This means between the 1000v Uplinks port profile and your UCS vNIC definition, the native VLAN should be the same. If you're not using a native VLAN, the "default" VLAN will be used for control traffic communication. The native VLAN and default VLAN are not necessarily the same. Native refers to VLAN traffic without an 802.1q header and can be assigned or not. A default VLAN is mandatory. This happens to start as VLAN 1 in UCS but can be changed. The default VLAN will be used for control traffic communication. If you look at any switch (including the 1000v or Fabric Interconnects) and do a "show int trunk" from the NXOS CLI, you'll see there's always one VLAN allowed on every interface (by default VLAN 1) - This is your default VLAN.Example:Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (Eg. VLAN 2)? Can I just configure a access port with the same VLAN ID as the native VLAN, i.e 2 and connect to it with a PC using the same IP network address?[Robert] There's no VLAN 0. An access port doesn't use a native VLAN - as its assigned to only to a single VLAN. A trunk on the other hand carries multiple VLANs and can have a native vlan assigned. Remember your native vlan usage must be matched between each hop. Most network admins setup the native vlan to be the same throughout their network for simplicity. In your example, you wouldn't set your VM's port profile to be in VLAN 0 (doens't exist), but rather VLAN 2 as an access port. If VLAN 2 also happens to be your Native VLAN northbound of UCS, then you would configured VLAN 2 as the Native VLAN on your UCS ethernet uplinks. On switch northbound of the UCS Interconnects you'll want to ensure on the receiving trunk interface VLAN 2 is set as the native vlan also. Summary:1000v - VM vEthernet port profile set as access port VLAN 21000v - Ethernet Uplink Port profile set as trunk with Native VLAN 2UCS - vNIC in Service Profile allowing all required VLANs, and VLAN 2 set as NativeUCS - Uplink Interface(s) or Port Channel set as trunk with VLAN 2 as Native VLANUpstream Switch from UCS - Set as trunk interface with Native VLAN 2From this example, your VM will be reachable on VLAN 2 from any device - assuming you have L3/routing configured correctly also.And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...[Robert] This statement recommends "not" to use a native VLAN. This is a practice by some people. Rather than using a native VLAN throughout their network, they tag everything. This doesn't change the operation or reachability of any VLAN or device - it's simply a design descision. The reason some people opt not to use a native VLAN is that almost all switches use VLAN 1 as the native by default. So if you're using the native VLAN 1 for management access to all your devices, and someone connects in (without your knowing) another switch and simply plug into it - they'd land on the same VLAN as your management devices and potentially do harm.What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup descrived here with 1000V and MAC-pinning.[Robert] On the first generation hardware (6100 FI and 2104 IOM) port channeling is not possible. With the latest HW (6200 and 2200) you can create port channels with all the IOM - FI server links. This is not configurable. You either tell the system to use Port Channel or Individual Links. The major bonus of using a Port Channel is losing a link doesn't impact any pinned interfaces - as it would with individual server interfaces. To fix a failed link when configured as "Individual" you must re-ack the Chassis to re-pinn the virtual interfaces to the remaining server uplinks. In regards to 1000v uplinks - the only supported port channeling method is "Mac Pinning". This is because you can't port channel physical interfaces going to separate Fabrics (one to A and one to B). Mac Pinning gets around this by using pinning so all uplinks can be utilized at the same time.--[Robert] The VSM doesn't participate in STP so it will never send BPDU's. However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter. PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDU's from VMs. I prefer to ignore them then using BPDU Gaurd - which will shutdown the interface if BPDU's are received.-Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?[Robert] The two STP commands would be used only when the VEM (ESX host) is directly connected to an upstream switch. For UCS these two commands to NOT apply.

Why Native VLAN exists on a Trunk?

Similar Messages

Maybe you are looking for