Solved

Cisco Vlan Configuration Commands

Posted on 2010-11-26
Last Modified: 2012-05-10
I have the following configuration on my Cisco 3560 switch.  

interface FastEthernet0/5
 description WLS_Scanner_AP
 switchport trunk encapsulation dot1q
  switchport trunk allowed vlan 801
 switchport mode trunk
 srr-queue bandwidth share 1 20 40 40
 priority-queue out
 mls qos vlan-based
 no snmp trap link-status
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard enable

I connected a PC on that port with a static IP from VLAN 801.  When I try to get a MAC address from that port, nothing shows up even though the port shows up/up.  It's only when I add the command "switchport trunk native vlan 801" that it works.  
When I configure the switchport as just trunk without any other additional configuration, the PC does not work until I configure the native vlan as 801.  It seems strange; shouldn’t it work with just trunk? The only other way it works is if I configure the port as access port and to access a specific vlan.

 Can someone explain to me why it doesn’t work without that command; the port is a trunk.  

I also read an article that recommends not using the default vlan as native vlan for security.  The article recommends to use a native vlan not used anywhere on the LAN to prevent vlan hopping.  Anytime I try using a native vlan not used, nothing works on the port.  What am I missing?
Question by:donemore2003
14 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 34219089
Why are you putting the port in trunk mode if you only have 1 pc with 1 vlan assigned to it?

Trunk mode is for routers and switches.
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 34219176
Mattvmotas is right. Here are the commands:

switchport mode access
switchport access vlan 801

 
LVL 22

Expert Comment

by:Matt V
ID: 34219211
If you have a valid reason for trunking that is different, like a VMware server or something similar.  But that technically falls under the category of router :)
 

Author Comment

by:donemore2003
ID: 34219339
To all

My question is why those configurations don't work when the port is configured as a trunk.  Why is it necessary to configure a native vlan for the PC to work?  I understand configuring access ports as I indicated in my question.

Plus what about the second part of my question; using a native vlan that is not used?

Thanks
 
LVL 22

Assisted Solution

by:Matt V
Matt V earned 166 total points
ID: 34219396
When the port is configured in trunk mode, it does not parse the vlan tagging.  The device you plug into the port is expected to parse the tag.

By assigning a native vlan, you are asking it to watch for tags for that vlan.

Cisco does recommend not using VLAN 1 as the native VLAN, but I have seen plenty of networks that use it.

It is a recommended best practice which is usually good advice.
 
LVL 10

Assisted Solution

by:lanboyo
lanboyo earned 166 total points
ID: 34219827
When you configured the port as a trunk with dot1q, it added an 8 bit vlan tag to every ethernet frame, and in turn expects an 8 bit vlan tag on every ethernet frame it receives.

If you configure native vlan it will send ethernet frames in that vlan without the vlan tag and any incoming packet without a vlan tag will be treated as incoming on the native vlan. Without special configuration that many operating systems are not capable of, dot1q framed ethernet packets cannot be sent or understood by most workstations or devices.

The article is telling you not to use vlan 1 for native vlan. There are some security issues that native vlan on vlan 1 being enabled may allow.

The vlan you set as native vlan needs to be the same throughout the network. If you set an arbitrary vlan as native, and no other devices or trunks are on that vlan then the device can not talk to anything. Also, since 801 is the only vlan permitted on the trunk, the native vlan must be vlan 801, or you must permit the new native vlan.

Setting vlan 801 as native is ok as far as the article is concerned.
 
LVL 12

Expert Comment

by:jjmartineziii
ID: 34222791
the native vlan command tags untagged frames into the specific vlan. if you don't specify a vlan, they are tagged with vlan 1.

You don't have to put the native vlan command if your NIC supports vlan tagging.
 
LVL 50

Accepted Solution

by:Don Johnston
Don Johnston earned 168 total points
ID: 34222905
It seems strange; shouldn’t it work with just trunk?

With the configuration:

1 switchport trunk encapsulation dot1q
2 switchport trunk allowed vlan 801
3 switchport mode trunk

Command 1 says that IF the port is a trunk, it will be an 802.1q trunk... Not an ISL trunk.

Command 2 says that IF the port is a trunk, only allows VLAN801 traffic in/out the port.

Command 3 is forcing the port to be a trunk. Which means the traffic from all VLANs is allowed in/out the port. The traffic from non-native VLANs will be tagged. The native VLAN (VLAN 1) will be untagged. However, command 2 is overriding the "all VLANs are allowed" part.

So when you connect a plain old PC to this port, it is sending out plain old ethernet frames (no tags). When the switch receives these untagged frames, they are assumed to be in the NATIVE VLAN (VLAN 1). But you're not allowing VLAN 1 traffic. So it's discarded.

But when you add the command "switchport trunk native vlan 801", you are redefining the native VLAN (untagged) to VLAN 801. So now when an untagged frame arrives on the port, the switch assumes that frame is in VLAN 801 (which is allowed) so it works.

Now, if you're only allowing one VLAN on a port, there's no reason for it to be a trunk in the first place.

>Anytime I try using a native vlan not used, nothing works on the port.  What am I missing?

Can you be more specific? Any VLAN can be the native VLAN. But it does have to exist.

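The ingress and egress rules that lanboyo and Don Johnston describe above, worked through as an added example that is not part of the thread and not Cisco's code: a small Python model that parses the switchport lines of an interface stanza (the same subset pasted in the question) and decides which VLAN an arriving frame is placed in, or whether it is dropped. It runs the exact variants the asker tried: the original stanza (untagged frames land in native VLAN 1, which the allowed list prunes), native VLAN 801 (works), an unused native VLAN 999 that is not in the allowed list (dropped) or is allowed (the PC lands in VLAN 999, isolated from the 801 hosts), a tagging-capable NIC, and the plain access port. VLAN 999 and the VLAN database are constructed for the example; the handling of the global `vlan dot1q tag native` (untagged data frames on the trunk dropped, native VLAN sent tagged) and the simplification that an access port accepts only untagged frames are modelling assumptions, not something the thread states.

```python
"""802.1Q ingress/egress model for a Cisco-style switch port (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class PortConfig:
    mode: str = "access"                 # "access" or "trunk"
    access_vlan: int = 1
    native_vlan: int = 1                 # IOS default native VLAN
    allowed: Optional[Set[int]] = None   # None: every VLAN allowed on the trunk
    tag_native: bool = False             # global 'vlan dot1q tag native' (assumption: modelled as below)


def parse_vlan_list(spec: str) -> Set[int]:
    """'801' or '10,20,30-35' -> {801} / {10, 20, 30, 31, 32, 33, 34, 35}."""
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_interface(stanza: str, tag_native: bool = False) -> PortConfig:
    """Read the switchport commands of an interface stanza; QoS/STP lines are skipped."""
    cfg = PortConfig(tag_native=tag_native)
    for line in stanza.splitlines():
        w = line.split()
        if len(w) < 3 or w[0] != "switchport":
            continue
        if w[1] == "mode":
            cfg.mode = w[2]
        elif w[1:3] == ["access", "vlan"]:
            cfg.access_vlan = int(w[3])
        elif w[1:4] == ["trunk", "native", "vlan"]:
            cfg.native_vlan = int(w[4])
        elif w[1:4] == ["trunk", "allowed", "vlan"]:
            cfg.allowed = parse_vlan_list(w[4])
        # 'switchport trunk encapsulation dot1q' only selects the tag format
    return cfg


def ingress_vlan(cfg: PortConfig, tag: Optional[int], vlan_db: Set[int]) -> Optional[int]:
    """VLAN an arriving frame is placed in, or None when the switch drops it.

    tag: the 802.1Q VID on the frame, or None for an untagged frame.
    Simplification (assumption): an access port accepts untagged frames only.
    """
    if cfg.mode == "access":
        vlan = cfg.access_vlan if tag is None else None
    elif tag is None:
        # untagged on a trunk: native VLAN, unless native frames are expected
        # tagged ('vlan dot1q tag native'), in which case untagged data is dropped
        vlan = None if cfg.tag_native else cfg.native_vlan
    else:
        vlan = tag                       # a tag equal to the native VID is accepted too
    if cfg.mode == "trunk" and vlan is not None and cfg.allowed is not None \
            and vlan not in cfg.allowed:
        vlan = None                      # pruned by 'switchport trunk allowed vlan'
    if vlan is not None and vlan not in vlan_db:
        vlan = None                      # VLAN not created: the port is inactive in it
    return vlan


def egress_tagged(cfg: PortConfig, vlan: int) -> bool:
    """Does a frame in `vlan` leave this port carrying an 802.1Q tag?"""
    return cfg.mode == "trunk" and (vlan != cfg.native_vlan or cfg.tag_native)


def native_vlan_is_unused(cfg: PortConfig, access_vlans_in_use: Set[int]) -> bool:
    """Hardening check from the article the question cites: no user port should
    sit in the VLAN whose frames cross the trunk untagged."""
    return cfg.mode == "trunk" and cfg.native_vlan not in access_vlans_in_use


# Constructed stanzas: the question's switchport lines and the variants discussed.
VLAN_DB = {1, 801, 999}   # assumption: VLAN 999 was created to serve as the unused native
ORIGINAL = (" switchport trunk encapsulation dot1q\n"
            " switchport trunk allowed vlan 801\n"
            " switchport mode trunk\n")
NATIVE_801 = ORIGINAL + " switchport trunk native vlan 801\n"
NATIVE_999 = ORIGINAL + " switchport trunk native vlan 999\n"
NATIVE_999_ALLOWED = NATIVE_999.replace("allowed vlan 801", "allowed vlan 801,999")
ACCESS_801 = " switchport mode access\n switchport access vlan 801\n"


def thread_scenarios() -> Dict[str, Optional[int]]:
    """Where a PC frame ends up on each variant (tag=None is an untagged frame)."""
    def classify(stanza: str, tag: Optional[int] = None) -> Optional[int]:
        return ingress_vlan(parse_interface(stanza), tag, VLAN_DB)
    return {
        "original (native 1 not allowed)": classify(ORIGINAL),          # dropped
        "native 801": classify(NATIVE_801),                             # 801
        "native 999, not allowed": classify(NATIVE_999),                # dropped
        "native 999, allowed": classify(NATIVE_999_ALLOWED),            # 999: isolated from 801
        "native 999, NIC tags 801": classify(NATIVE_999_ALLOWED, 801),  # 801
        "access 801": classify(ACCESS_801),                             # 801
    }


if __name__ == "__main__":
    for name, vlan in thread_scenarios().items():
        outcome = "dropped" if vlan is None else "VLAN %d" % vlan
        print("%-34s -> %s" % (name, outcome))
```

The two checks at the end are the ones to run against a real trunk before calling it hardened: `native_vlan_is_unused` confirms the native VLAN carries no access ports (so no host's untagged frames share it), and `egress_tagged` shows that with `vlan dot1q tag native` even the native VLAN crosses the trunk tagged. For a port that only ever carries one VLAN to a plain PC, the access-port variant is the right answer, as the thread concludes.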
 

Author Comment

by:donemore2003
ID: 34477813
I just hadn't had a chance to get back to the site.  I appreciate all the support I get on this site
 

Author Comment

by:donemore2003
ID: 34477814
Your support is greatly appreciated.  I have learned more since I became a member.  Thanks to all
 

Author Comment

by:donemore2003
ID: 34477815
No objection
 

Author Comment

by:donemore2003
ID: 34477824
No objection
 
LVL 68

Expert Comment

by:Qlemo
ID: 34497801
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.