native vlan and management vlan

I have a sample of config with a voice vlan, a data vlan, and a management vlan configured on a Catalyst 3560 (see below). It looks like the native vlan has been changed to vlan 201 and there are PCs plugged into the VoIP phones. Now what if I have a PC plugged into Fa1/0/3 and I have no switchport access vlan configured for that port? Does it mean that the frame will be tagged with vlan 10 by default and it will then traverse the trunk with the vlan 10 tag on?

interface FastEthernet1/0/2
 description PC and Voice
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
...
interface GigabitEthernet5/0/1
 description TRUNK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 201
 switchport mode trunk
 mls qos trust dscp
...
interface Vlan1
 no ip address
 shutdown
!
interface Vlan201
 description Network_Management
 ip address 10.10.200.1 255.255.255.0
!
ip default-gateway 10.10.200.2
biggynet Asked:
Ken Boone, Network Consultant, Commented:
Ok so here is the deal, the term native vlan refers to the single vlan on an 802.1q trunk port which is untagged.  On a trunk connection between two switches, the native vlan must match - or the untagged vlan must match.  

So the native vlan doesn't have to be same for everything.  Just between the two switchports that maintain a trunk connection.

In other words, if you trunk between switch 1 and switch 2 and use a native vlan of 10, you can then trunk between switch 1 and switch 3 and use a native vlan of 20 for that trunk.  Not sure why you would do that but you can.  The point is that the native vlan only applies to that specific connection.

Now in the case of the PC and phone...  although it is not configured specifically as a trunk when you have a phone connected it brings up an 802.1q trunk with the access vlan being the native vlan.  So the phone will tag the voice packets, and the PC packets will be untagged.

Also tags only apply to packets going over an 802.1q trunk.  So if you plug a PC into a switchport with access vlan 10 say, there is no 802.1q trunk, so there is no tagging.  Everything is untagged on that connection.  

If you don't configure an access vlan and you don't have the switchport setup to trunk, the switch will default to using vlan 1 as the access vlan.
 
JAN PAKULA, ICT Infrastructure Manager, Commented:
do you have any configuration for  Fa1/0/3 ?

or did you mean Fa1/0/2? If yes, you are right, you will get frames with encapsulation dot1q 10

Do you have any other configuration on this switch, something like native vlan 10?

you can set it up on trunk port
enable
config terminal
int Gi5/0/1
 switchport trunk native vlan 10
no shut


JAN MA CCNA
 
Ken Boone, Network Consultant, Commented:
If you plug a PC in fa1/0/2 you will NOT get frames with encapsulation dot1q 10 because it will not be an 802.1q trunk.  The PC packets will be put onto vlan 10 as that will be the access vlan.  If the access vlan was not configured the PC packets would be on vlan 1.   This is because the PC is not going to establish an 802.1q trunk like the phone will.

If there is not an 802.1q trunk then there is nothing going on with 802.1q encapsulation or tagging.

Hope that helps.
biggynet (Author) Commented:
So... In the case of my example, for fa1/0/2, the frames from the PC will be tagged as 10, frames from the voice as 20. My trunk gig5/0/1 will send frame tagged with 10, 20, 301. 301 is my native vlan on that trunk. So if I connect a PC to another port like fa1/0/3 (with no switchport access vlan command), it will be tagged as vlan 301. The purpose of the native vlan is to tag any untagged frames. Correct?
 
Ken Boone, Network Consultant, Commented:
No - the configuration is confusing things since Cisco decided to add the voice vlan.  

Let's break it down.  
An 802.1q trunk only exists between 2 endpoints.  
Tags are only applied to traffic as it flows over the 802.1q trunk.

In your case on fa1/0/2.   If you plug a phone into that port and plug a PC into the phone, an 802.1q trunk gets established, with the native vlan being 10.  This means that the frames from the PC will be untagged as the packets flow from the internal switch in the phone to the switchport fa1/0/2.  10 will be the native vlan - the native vlan is always untagged.   All other vlans that flow over a trunk are tagged on the trunk.  The voice traffic on vlan 20 will be tagged as it flows from the internal switch in the phone to the switchport fa1/0/2.

Your trunk on gig5/0/1 looked like this from above:

interface GigabitEthernet5/0/1
 description TRUNK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 201
 switchport mode trunk
 mls qos trust dscp

This means that the native vlan is 201, so if there are 3 vlans on the switch, 10,20 and 201, then any traffic on those 3 vlans can traverse the trunk.  Vlans 10 and 20 will be tagged as they flow across the trunk and vlan 201 will be untagged as it flows across the trunk.  The native vlan is always untagged.

The purpose of the native vlan is to allow the 802.1q protocol to communicate between the two endpoints.
 
biggynet (Author) Commented:
"10 will be the native vlan ". Vlan 10 is the native vlan even though it is not specified on the interface fa1/0/2. So if I understand correctly, by default the native vlan is the vlan configured with the switchport access vlan 10 on the trunk between the phone and the port switch.

I understand that 201 is the native vlan between two end points on this particular trunk configured on gig5/0/1. Now both sides have to have the same native vlan configured. My other side is a router with the router-on-a-stick type of setup. Does the router have the native vlan capability?

"The purpose of the native vlan is to allow the 802.1q protocol to communicate between the two endpoints." So what if you configure trunk allowed 10 and 20 only? Does it mean that my native vlan 201 is not allowed to go across the trunk, and thus 802.1q will not communicate?
 
Ken Boone, Network Consultant, Commented:
ok so
interface FastEthernet1/0/2
 description PC and Voice
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20

This is a special configuration in the Cisco switch.  If a non 802.1q device connects - a PC, then it is an access port in vlan 10.

If a phone plugs into the port, then the port becomes an 802.1q trunk with 10 as the native vlan and 20 will be what the phone tags the voice with.

If a phone plugs in, then that switchport effectively becomes the same as this:

switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan 20

This is a special case situation that Cisco created for the phones when you use a voice vlan.

2nd paragraph question - yes, the router port will participate in the 802.1q trunk. When you specify the subinterfaces on the router, one of them will need to be configured as the native vlan.

You do not need to specify the native vlan on the switchport trunk allowed vlan list.  The native vlan always flows on the trunk.  That command switchport trunk allowed vlan command says that you will allow the following vlans in addition to the native vlan.  If you don't specify the allowed vlan list, then all vlans flow across the trunk.
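As an added illustration (not Cisco code and not anything posted in this thread), the following Python model applies the rules the answer above lays out: an untagged frame on an access port joins the access VLAN (VLAN 1 if none is configured), a phone's voice frames arrive tagged with the voice VLAN, and on the trunk every VLAN except the native one leaves tagged. The port objects mirror the question's configuration; the frame sources, the port names in the trace and the hardened trunk variant (native VLAN removed from the allowed list, as the later posts discuss) are constructed for the example, and the forwarding logic is deliberately simplified rather than a copy of the switch's real pipeline.

```python
"""Model of VLAN assignment on ingress and tagging on egress for a plain
access port, a voice-enabled access port and an 802.1Q trunk.

Added example for this thread; not Cisco code and a simplification of the
real switch. Ports mirror the question's config (access 10, voice 20,
trunk native 201); frames and the hardened trunk are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ALL_VLANS = frozenset(range(1, 4095))


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                            # "access" or "trunk"
    access_vlan: int = 1                 # IOS default with no access vlan set
    voice_vlan: Optional[int] = None     # set by 'switchport voice vlan N'
    native_vlan: int = 1                 # IOS default with no native vlan set
    allowed: FrozenSet[int] = ALL_VLANS  # trunk allowed list; default is all


@dataclass(frozen=True)
class Frame:
    src: str              # label only, e.g. "pc" or "phone"
    tag: Optional[int]    # 802.1Q VLAN id, or None for an untagged frame


def classify_ingress(port: Port, frame: Frame) -> Optional[int]:
    """VLAN the frame is assigned to on arrival, or None if it is dropped."""
    if port.mode == "access":
        if frame.tag is None:
            return port.access_vlan      # a PC's untagged frame lands here
        # Simplification: the only tagged frames accepted on an access port
        # are the phone's voice-VLAN frames (the voice-vlan special case).
        if port.voice_vlan is not None and frame.tag == port.voice_vlan:
            return port.voice_vlan
        return None
    # Trunk: untagged frames belong to the native VLAN, tagged ones to the tag.
    vlan = port.native_vlan if frame.tag is None else frame.tag
    return vlan if vlan in port.allowed else None


def egress_tag(port: Port, vlan: int) -> str:
    """How a frame in `vlan` leaves `port`: 'untagged', 'tagged' or 'dropped'."""
    if port.mode == "access":
        if vlan == port.access_vlan:
            return "untagged"
        if vlan == port.voice_vlan:
            return "tagged"              # only the phone's VLAN is tagged
        return "dropped"
    if vlan not in port.allowed:
        return "dropped"                 # pruned from the trunk
    return "untagged" if vlan == port.native_vlan else "tagged"


def trace(ingress: Port, frame: Frame, egress: Port):
    """Follow one frame through the switch: (vlan assigned, how it leaves)."""
    vlan = classify_ingress(ingress, frame)
    if vlan is None:
        return (None, "dropped")
    return (vlan, egress_tag(egress, vlan))


# Ports taken from the question's configuration.
FA1_0_2 = Port("Fa1/0/2", "access", access_vlan=10, voice_vlan=20)
FA1_0_3 = Port("Fa1/0/3", "access")                 # no access vlan set -> 1
GI5_0_1 = Port("Gi5/0/1", "trunk", native_vlan=201)
# Same trunk after 'switchport trunk allowed vlan remove 201' (constructed).
GI5_0_1_HARDENED = Port("Gi5/0/1", "trunk", native_vlan=201,
                        allowed=ALL_VLANS - {201})

if __name__ == "__main__":
    print(trace(FA1_0_2, Frame("pc", None), GI5_0_1))      # (10, 'tagged')
    print(trace(FA1_0_2, Frame("phone", 20), GI5_0_1))     # (20, 'tagged')
    print(trace(FA1_0_3, Frame("pc", None), GI5_0_1))      # (1, 'tagged')
    print(trace(GI5_0_1, Frame("uplink", None), FA1_0_2))  # (201, 'dropped')
    print(egress_tag(GI5_0_1, 201), egress_tag(GI5_0_1_HARDENED, 201))
```

The third trace is the case the question asks about: a PC on a port with no access VLAN configured is placed in VLAN 1, and because the trunk's native VLAN is 201, VLAN 1 crosses the trunk tagged, not untagged. The last line shows what removing the native VLAN from the allowed list does in this model: VLAN 201 no longer leaves the trunk at all, which is the effect the thread later asks about.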
 
biggynet (Author) Commented:
kenboonejr,

Thanks for the explanation. It certainly helps me to understand the native vlan better. Now I read the CCNP switch book and it gets me confused as far as the security is concerned. It said that:
- Never use vlan1
- Assign the native vlan to an unused vlan
- Remove native vlan from the trunk with switchport trunk native vlan 300 and switchport trunk allowed vlan remove 300.

But you said that "The purpose of the native vlan is to allow the 802.1q protocol to communicate between the two endpoints". So how will this work?
 
Ken Boone, Network Consultant, Commented:
So yes... the Cisco recommendation is to not use vlan1.

Assign the native vlan to an unused vlan.

So for instance - not in the case of phones, but in the case of a switch to switch trunk, use say 999 as the native vlan.  So 999 will always be used as the native vlan on the switch trunks.

Not sure what you meant by remove native vlan from the trunk.  

To set or change the native vlan for a trunk the command is
switchport trunk native vlan xxx
If you don't have that command on a trunk port, then by default the native vlan will be 1.
The switchport trunk allowed vlan remove xxx command simply removes a vlan from the allowed vlan list.

For your last question the native vlan can be whatever you want it to be, but it has to match between the two switches that are involved in the trunk.
 
biggynet (Author) Commented:
"Not sure what you meant by remove native vlan from the trunk." CCNP SWITCH 642-813, p. 433 (ISBN-13: 9781587203084) says that for best security practice at layer 2, remove the native vlan from the trunk. If that is the case then it will defeat the purpose of the native vlan ("the purpose of the native vlan is to allow the 802.1q protocol to communicate between the two endpoints"). Correct?
 
Ken Boone, Network Consultant, Commented:
So I am not sure exactly what they are saying.  I stated that the native vlan must match on an 802.1q trunk and that the native vlan is untagged.  It is possible to tag the native vlan as well but I didn't want to go there to avoid confusion.  The other thing they might be stating is that by default the native vlan is 1.  They might be stating don't use 1 for the native vlan.  Other than that, not sure what they are saying.
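The hardening points the thread quotes from the book (do not use VLAN 1, make the native VLAN an otherwise unused VLAN, remove it from the trunk's allowed list) and the rule repeated in the answers (the native VLAN must match on both ends of a trunk) can all be checked from the running configuration. The following Python audit is an added example, not Cisco software and not from any participant in the thread; it uses a minimal regex parser rather than a full IOS grammar, takes the question's configuration as one side of the trunk, and assumes a constructed peer-side configuration for the other end, since the page does not show it.

```python
"""Audit IOS trunk blocks against the layer-2 hardening advice in the thread.

Added example; not Cisco software. Minimal regex parser, not a full IOS
grammar. SWITCH_A is built from the question's config; SWITCH_B is an
assumed far end of the same trunk, hardened the way the book suggests.
"""
import re

ALL_VLANS = frozenset(range(1, 4095))

SWITCH_A = """\
interface FastEthernet1/0/2
 description PC and Voice
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
!
interface GigabitEthernet5/0/1
 description TRUNK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 201
 switchport mode trunk
!
interface Vlan201
 description Network_Management
 ip address 10.10.200.1 255.255.255.0
!
"""

SWITCH_B = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,201
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Group config lines by interface name: {name: [indented lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None               # '!' or a top-level line ends a block
    return blocks


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30-35' into a set of ints."""
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def trunk_settings(lines):
    """(native_vlan, allowed_set) for a trunk block, else None.
    Defaults follow IOS: native VLAN 1 and every VLAN allowed."""
    native, allowed, is_trunk = 1, set(ALL_VLANS), False
    for line in lines:
        if line == "switchport mode trunk":
            is_trunk = True
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            native = int(m.group(1))
        m = re.fullmatch(r"switchport trunk allowed vlan(?: (add|remove|except))? (\S+)", line)
        if m:
            op, vl = m.group(1), parse_vlan_list(m.group(2))
            if op == "add":
                allowed |= vl
            elif op == "remove":
                allowed -= vl
            elif op == "except":
                allowed = set(ALL_VLANS) - vl
            else:
                allowed = vl
    return (native, allowed) if is_trunk else None


def vlans_in_use(blocks):
    """VLANs carrying hosts or management: access, voice and SVI VLANs."""
    used = set()
    for name, lines in blocks.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m:
            used.add(int(m.group(1)))
        for line in lines:
            m = re.fullmatch(r"switchport (?:access|voice) vlan (\d+)", line)
            if m:
                used.add(int(m.group(1)))
    return used


def audit(config):
    """One finding string per problem found on each trunk in the config."""
    blocks = parse_interfaces(config)
    used, findings = vlans_in_use(blocks), []
    for name, lines in blocks.items():
        t = trunk_settings(lines)
        if t is None:
            continue
        native, allowed = t
        if native == 1:
            findings.append(f"{name}: native VLAN is the default 1")
        if native in used:
            findings.append(f"{name}: native VLAN {native} also carries hosts or an SVI")
        if native in allowed:
            findings.append(f"{name}: native VLAN {native} still allowed, untagged frames cross the trunk")
    return findings


def native_vlans_match(config_a, iface_a, config_b, iface_b):
    """Both ends of one trunk must agree on the native VLAN."""
    a = trunk_settings(parse_interfaces(config_a)[iface_a])
    b = trunk_settings(parse_interfaces(config_b)[iface_b])
    return a is not None and b is not None and a[0] == b[0]


if __name__ == "__main__":
    for finding in audit(SWITCH_A):
        print(finding)
    print("native VLANs match:", native_vlans_match(
        SWITCH_A, "GigabitEthernet5/0/1", SWITCH_B, "GigabitEthernet1/0/1"))
```

Run against the question's configuration the audit reports two things: native VLAN 201 is also the management SVI's VLAN (so it is not an unused VLAN as the book recommends), and it is still in the allowed list, so untagged frames cross the trunk. The mismatch check then fails, because the constructed far end uses 999; that is exactly the situation the answers warn against, where untagged frames land in a different VLAN on each side.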