Solved

Cisco Vlan Configuration Commands

Posted on 2010-11-26
14
853 Views
Last Modified: 2012-05-10
I have the following configuration on my Cisco 3560 switch.  

interface FastEthernet0/5
 description WLS_Scanner_AP
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 801
 switchport mode trunk
 srr-queue bandwidth share 1 20 40 40
 priority-queue out
 mls qos vlan-based
 no snmp trap link-status
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard enable

I connected a PC on that port with a static IP from vlan 801. When I try to get a mac address from that port, nothing shows up even though the port shows up/up. It's only when I add the command "switchport trunk native vlan 801" that it works.
When I configure the switchport as just trunk without any other additional configuration, the PC does not work until I configure the native vlan as 801.  It seems strange; shouldn’t it work with just trunk? The only other way it works is if I configure the port as access port and to access a specific vlan.

Can someone explain to me why it doesn't work without that command; the port is a trunk.

I also read an article that recommends not using the default vlan as native vlan for security.  The article recommends to use a native vlan not used anywhere on the LAN to prevent vlan hopping.  Anytime I try using a native vlan not used, nothing works on the port.  What am I missing?
0
Comment
Question by:donemore2003
14 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 34219089
Why are you putting the port in trunk mode if you only have 1 pc with 1 vlan assigned to it?

Trunk mode is for routers and switches.
0
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 34219176
Mattvmotas is right. Here are the commands:

switchport mode access
switchport access vlan 801

0
 
LVL 22

Expert Comment

by:Matt V
ID: 34219211
If you have a valid reason for trunking that is different, like a VMware server or something similar.  But that technically falls under the category of router :)
0

 

Author Comment

by:donemore2003
ID: 34219339
To all

My question is why those configurations don't work when the port is configured as a trunk.  Why is it necessary to configure a native vlan for the PC to work?  I understand configuring access ports as I indicated in my question.

Plus what about the second part of my question; using a native vlan that is not used?

Thanks
0
 
LVL 22

Assisted Solution

by:Matt V
Matt V earned 166 total points
ID: 34219396
When the port is configured in trunk mode, it does not parse the vlan tagging.  The device you plug into the port is expected to parse the tag.

By assigning a native vlan, you are asking it to watch for tags for that vlan.

Cisco does recommend not using VLAN 1 as the native VLAN, but I have seen plenty of networks that use it.

It is a recommended best practice which is usually good advice.
0
 
LVL 10

Assisted Solution

by:lanboyo
lanboyo earned 166 total points
ID: 34219827
When you configured the port as a trunk with dot1q, it added an 8 bit vlan tag to every ethernet frame, and in turn expects an 8 bit vlan tag on every ethernet frame it receives.

If you configure native vlan it will send ethernet frames in that vlan without the vlan tag and any incoming packet without a vlan tag will be treated as incoming on the native vlan. Without special configuration that many operating systems are not capable of, dot1q framed ethernet packets can not be sent or understood by most workstations or devices.

The article is telling you not to use vlan 1 for native vlan. There are some security issues that native vlan on vlan 1 being enabled may allow.

The vlan you set as native vlan needs to be the same throughout the network. If you set an arbitrary vlan as native, and no other devices or trunks are on that vlan then the device can not talk to anything. Also, since 801 is the only vlan permitted on the trunk, the native vlan must be vlan 801, or you must permit the new native vlan.

Setting vlan 801 as native is ok as far as the article is concerned.
0
 
LVL 12

Expert Comment

by:jjmartineziii
ID: 34222791
the native vlan command tags untagged frames into the specific vlan. if you don't specify a vlan, they are tagged with vlan 1.

You don't have to put the native vlan command if your NIC supports vlan tagging.
0
 
LVL 50

Accepted Solution

by:Don Johnston
Don Johnston earned 168 total points
ID: 34222905
It seems strange; shouldn’t it work with just trunk?

With the configuration:

1 switchport trunk encapsulation dot1q
2 switchport trunk allowed vlan 801
3 switchport mode trunk

Command 1 says that IF the port is a trunk, it will be an 802.1q trunk... Not an ISL trunk.

Command 2 says that IF the port is a trunk, only allows VLAN801 traffic in/out the port.

Command 3 is forcing the port to be a trunk. Which means the traffic from all VLANs are allowed in/out the port. The traffic from non-native VLANs will be tagged. The native VLAN (VLAN 1) will be untagged. However, command 2 is overriding the "all VLANs are allowed" part.

So when you connect a plain old PC to this port, it is sending out plain old ethernet frames (no tags). When the switch receives these untagged frames, they are assumed to be in the NATIVE VLAN (VLAN 1). But you're not allowing VLAN 1 traffic. So it's discarded.

But when you add the command "switchport trunk native vlan 801", you are redefining the native VLAN (untagged) to VLAN 801. So now when an untagged frame arrives on the port, the switch assumes that frame is in VLAN 801 (which is allowed) so it works.

Now, if you're only allowing one VLAN on a port, there's no reason for it to be a trunk in the first place.

>Anytime I try using a native vlan not used, nothing works on the port.  What am I missing?

Can you be more specific? Any VLAN can be the native VLAN. But it does have to exist.

0
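The following is an added example, not code from the thread or from Cisco: a small Python model of how an IOS 802.1Q trunk port classifies incoming and outgoing frames, to make lanboyo's and Don Johnston's explanations concrete (untagged frames land in the native VLAN, the VLAN must be allowed and must exist). Frames, VLAN numbers other than 801, and the VLAN sets are constructed; the VLAN-database check is an assumption simplified from the "it does have to exist" remark.

```python
# Added example, not code from the thread: a minimal model of a Cisco IOS
# 802.1Q trunk port's VLAN classification. Constructed inputs; real switches
# add details (DTP, VLAN database state, tagged native frames) omitted here.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TrunkPort:
    allowed: set                       # 'switchport trunk allowed vlan ...'
    native: int = 1                    # 'switchport trunk native vlan ...' (IOS default: 1)
    existing: set = field(default_factory=lambda: {1})  # VLANs present on the switch (assumed)


def classify_ingress(port: TrunkPort, tag: Optional[int]) -> Optional[int]:
    """VLAN an incoming frame lands in, or None if the switch discards it.

    An untagged frame is assumed to belong to the native VLAN; a tagged frame
    goes to the VLAN in its tag. Either way the VLAN must be allowed on the
    trunk and must exist on the switch.
    """
    vlan = port.native if tag is None else tag
    if vlan not in port.allowed or vlan not in port.existing:
        return None
    return vlan


def egress_tagged(port: TrunkPort, vlan: int) -> Optional[bool]:
    """True if a frame from `vlan` leaves tagged, False if untagged (native),
    None if the trunk will not forward that VLAN at all."""
    if vlan not in port.allowed or vlan not in port.existing:
        return None
    return vlan != port.native


def scenarios() -> dict:
    """The cases discussed in the thread, for a PC whose NIC sends untagged frames."""
    vlans = {1, 801, 999}                                             # constructed VLAN database
    original = TrunkPort(allowed={801}, native=1, existing=vlans)     # the asker's config
    native_801 = TrunkPort(allowed={801}, native=801, existing=vlans)  # after adding native vlan 801
    unused_native = TrunkPort(allowed={801, 999}, native=999, existing=vlans)  # article's advice
    return {
        "original_untagged_pc": classify_ingress(original, None),      # None: VLAN 1 not allowed
        "original_tagged_nic": classify_ingress(original, 801),        # 801: VLAN-aware NIC works
        "native801_untagged_pc": classify_ingress(native_801, None),   # 801: PC traffic accepted
        "native801_egress": egress_tagged(native_801, 801),            # False: sent untagged to PC
        "unused_native_untagged_pc": classify_ingress(unused_native, None),  # 999: isolated from 801
    }
```

The last scenario shows why the article's advice breaks a plain PC on this port: its untagged frames are not dropped, they are placed in the unused native VLAN, where nothing else lives.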
 

Author Comment

by:donemore2003
ID: 34477813
I just hadn't had a chance to get back at the site.  I appreciate all the support I get on this site
0
 

Author Comment

by:donemore2003
ID: 34477814
Your support is greatly appreciated.  I have learned more since I became a member.  Thanks to all
0
 

Author Comment

by:donemore2003
ID: 34477815
No objection
0
 

Author Comment

by:donemore2003
ID: 34477824
No objection
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 34497801
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
