Solved

native vlan and management vlan

Posted on 2012-08-21
Last Modified: 2012-09-05
I have a sample of config with a voice vlan, a data vlan, and a management vlan configured on a Catalyst 3560 (see below). It looks like the native vlan has changed to vlan 201 and there are PCs plugged into the VoIP phones. Now what if I have a PC plugged into Fa1/0/3 and I have no switchport access vlan configured for that port? Does it mean that the frame will be tagged with vlan 10 by default and it will then traverse the trunk with a vlan 10 tag on?

interface FastEthernet1/0/2
 description PC and Voice
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
...
interface GigabitEthernet5/0/1
 description TRUNK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 201
 switchport mode trunk
 mls qos trust dscp
...
interface Vlan1
 no ip address
 shutdown
!
interface Vlan201
 description Network_Management
 ip address 10.10.200.1 255.255.255.0
!
ip default-gateway 10.10.200.2

Accepted Solution by Ken Boone (ID: 38317817)
OK, so here is the deal: the term native vlan refers to the single vlan on an 802.1q trunk port which is untagged. On a trunk connection between two switches, the native vlan must match - or the untagged vlan must match.

So the native vlan doesn't have to be the same for everything. Just between the two switchports that maintain a trunk connection.

In other words, if you trunk between switch 1 and switch 2 and use a native vlan of 10, you can then trunk between switch 1 and switch 3 and use a native vlan of 20 for that trunk. Not sure why you would do that, but you can. The point is that the native vlan only applies to that specific connection.

Now in the case of the PC and phone... although it is not configured specifically as a trunk, when you have a phone connected it brings up an 802.1q trunk with the access vlan being the native vlan. So the phone will tag the voice packets, and the PC packets will be untagged.

Also, tags only apply to packets going over an 802.1q trunk. So if you plug a PC into a switchport with access vlan 10, say, there is no 802.1q trunk, so there is no tagging. Everything is untagged on that connection.

If you don't configure an access vlan and you don't have the switchport set up to trunk, the switch will default to using vlan 1 as the access vlan.

Expert Comment by JAN PAKULA (ID: 38317823)
Do you have any configuration for Fa1/0/3?

Or did you mean Fa1/0/2? If yes, you are right, you will get frames with encapsulation dot1q 10.

Do you have any other configuration on this switch, something like native vlan 10?

You can set it up on the trunk port:
enable
configure terminal
interface Gi5/0/1
 switchport trunk native vlan 10
 no shutdown

JAN MA CCNA

Assisted Solution by Ken Boone (ID: 38317907)
If you plug a PC into fa1/0/2 you will NOT get frames with encapsulation dot1q 10, because it will not be an 802.1q trunk. The PC packets will be put onto vlan 10 as that will be the access vlan. If the access vlan was not configured the PC packets would be on vlan 1. This is because the PC is not going to establish an 802.1q trunk like the phone will.

If there is not an 802.1q trunk then there is nothing going on with 802.1q encapsulation or tagging.

Hope that helps.

Author Comment by biggynet (ID: 38318004)
So... in the case of my example, for fa1/0/2, the frames from the PC will be tagged as 10, frames from the voice as 20. My trunk gig5/0/1 will send frames tagged with 10, 20, 301. 301 is my native vlan on that trunk. So if I connect a PC to another port like fa1/0/3 (with no switchport access vlan command), it will be tagged as vlan 301. The purpose of the native vlan is to tag any untagged frames. Correct?

Assisted Solution by Ken Boone (ID: 38318301)
No - the configuration is confusing things since Cisco decided to add the voice vlan.

Let's break it down.
An 802.1q trunk only exists between 2 endpoints.
Tags are only applied to traffic as it flows over the 802.1q trunk.

In your case on fa1/0/2: if you plug a phone into that port and plug a PC into the phone, an 802.1q trunk gets established, with the native vlan being 10. This means that the frames from the PC will be untagged as the packets flow from the internal switch in the phone to the switchport fa1/0/2. 10 will be the native vlan - the native vlan is always untagged. All other vlans that flow over a trunk are tagged on the trunk. The voice traffic on vlan 20 will be tagged as it flows from the internal switch in the phone to the switchport fa1/0/2.

Your trunk on gig5/0/1 looked like this from above:

interface GigabitEthernet5/0/1
 description TRUNK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 201
 switchport mode trunk
 mls qos trust dscp

This means that the native vlan is 201, so if there are 3 vlans on the switch, 10, 20 and 201, then any traffic on those 3 vlans can traverse the trunk. Vlans 10 and 20 will be tagged as they flow across the trunk and vlan 201 will be untagged as it flows across the trunk. The native vlan is always untagged.

The purpose of the native vlan is to allow the 802.1q protocol to communicate between the two endpoints.

Author Comment by biggynet (ID: 38318819)
"10 will be the native vlan". Vlan 10 is the native vlan even though it is not specified on the interface fa1/0/2. So if I understand correctly, by default the native vlan is the vlan configured with switchport access vlan 10 on the trunk between the phone and the switch port.

I understand that 201 is the native vlan between the two endpoints on this particular trunk configured on gig5/0/1. Now both sides have to have the same native vlan configured. My other side is a router with the router-on-a-stick type of setup. Does the router have the native vlan capability?

"The purpose of the native vlan is to allow the 802.1q protocol to communicate between the two endpoints." So what if you configure trunk allowed 10 and 20 only? Does it mean that my native vlan 201 is not allowed to go across the trunk, and thus 802.1q will not communicate?

Assisted Solution by Ken Boone (ID: 38319000)
OK, so:
interface FastEthernet1/0/2
 description PC and Voice
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20

This is a special configuration in the Cisco switch. If a non-802.1q device connects - a PC - then it is an access port in vlan 10.

If a phone plugs into the port, then the port becomes an 802.1q trunk with 10 as the native vlan and 20 will be what the phone tags the voice with.

If a phone plugs in, then that switchport effectively becomes the same as this:

switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan 20

This is a special case situation that Cisco created for the phones when you use a voice vlan.

2nd paragraph question - yes, the router port will participate in the 802.1q trunk. When you specify the subinterfaces on the router, one of them will need to be configured as the native vlan.

You do not need to specify the native vlan in the switchport trunk allowed vlan list. The native vlan always flows on the trunk. The switchport trunk allowed vlan command says that you will allow the following vlans in addition to the native vlan. If you don't specify the allowed vlan list, then all vlans flow across the trunk.
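The tagging rules laid out in the accepted solution and in this reply (access port with a PC, access port with a phone and its voice vlan, and the dot1q trunk with native vlan 201) can be modelled in a few lines. This is an added example, not code from the thread; the Fa1/0/3 stanza is constructed to match the question's description of a port with no access vlan line, and the parser only recognises the handful of switchport commands the thread uses.

```python
import re

# Constructed from the question's config; Fa1/0/3 assumed to have no access vlan line.
SAMPLE_CONFIG = """\
interface FastEthernet1/0/2
 description PC and Voice
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
!
interface FastEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet5/0/1
 description TRUNK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 201
 switchport mode trunk
"""

# "switchport <prefix> <id>" lines that set a VLAN id on the port.
VLAN_FIELDS = {"access vlan": "access", "voice vlan": "voice", "trunk native vlan": "native"}

def parse_ports(text):
    """Map interface name -> settings, starting from the IOS defaults
    (access mode, access vlan 1, no voice vlan, native vlan 1)."""
    ports, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = ports[m.group(1)] = {"mode": "access", "access": 1, "voice": None, "native": 1}
        elif cur is not None and line.startswith("switchport "):
            rest = line[len("switchport "):]
            if rest.startswith("mode "):
                cur["mode"] = rest.split()[1]
            for prefix, key in VLAN_FIELDS.items():
                if rest.startswith(prefix + " "):
                    cur[key] = int(rest.split()[-1])
    return ports

def frame_on_wire(port, source):
    """Return (vlan, tagged) for a frame on the link into `port`: source is
    'pc' or 'phone' on an access/voice port, or a VLAN id on a trunk port."""
    if port["mode"] == "trunk":
        return source, source != port["native"]   # only the native vlan is untagged
    if source == "phone" and port["voice"] is not None:
        return port["voice"], True                 # the phone tags voice with the voice vlan
    return port["access"], False                   # PC frames ride untagged in the access vlan
```

Running `frame_on_wire(parse_ports(SAMPLE_CONFIG)["FastEthernet1/0/3"], "pc")` gives vlan 1 untagged, which is the answer to the original question: the PC lands in vlan 1, not in the trunk's native vlan.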

Author Comment by biggynet (ID: 38320468)
kenboonejr,

Thanks for the explanation. It certainly helps me to understand the native vlan better. Now I read the CCNP switch book and it gets me confused as far as the security is concerned. It said that:
- Never use vlan1
- Assign the native vlan to an unused vlan
- Remove native vlan from the trunk with switchport trunk native vlan 300 and switchport trunk allowed vlan remove 300.

But you said that "The purpose of the native vlan is to allow the 802.1q protocol to communicate between the two endpoints". So how will this work?

Expert Comment by Ken Boone (ID: 38320880)
So yes... the Cisco recommendation is to not use vlan 1.

Assign the native vlan to an unused vlan.

So for instance - not in the case of phones, but in the case of a switch-to-switch trunk - use, say, 999 as the native vlan. So 999 will always be used as the native vlan on the switch trunks.

Not sure what you meant by remove native vlan from the trunk.

To set or change the native vlan for a trunk the command is
switchport trunk native vlan xxx
If you don't have that command on a trunk port, then by default the native vlan will be 1.
The switchport trunk allowed vlan remove xxx command simply removes a vlan from the allowed vlan list.

For your last question, the native vlan can be whatever you want it to be, but it has to match between the two switches that are involved in the trunk.
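The three rules in this reply (the native vlan must match at both ends, it falls back to 1 when the command is absent, and it should be an unused vlan) make a small configuration audit. This is an added example, not from the thread; the router end with no native vlan set and the set of vlans carrying hosts are assumptions, with 201 counted as in use because the question's config gives it a management SVI.

```python
DEFAULT_NATIVE = 1   # IOS uses vlan 1 when "switchport trunk native vlan" is absent

def effective_native(end):
    """Native vlan an end actually uses: the configured one, else the default."""
    return DEFAULT_NATIVE if end.get("native") is None else end["native"]

def audit_trunk(end_a, end_b, host_vlans):
    """Check one 802.1Q trunk between two ends.
    end_a/end_b: {"name": str, "native": int or None}; host_vlans: ids of
    vlans that carry hosts (data, voice, management), which the native vlan
    should not be. Returns a list of findings (empty means clean)."""
    findings = []
    nat_a, nat_b = effective_native(end_a), effective_native(end_b)
    if nat_a != nat_b:
        findings.append(f"native vlan mismatch: {end_a['name']}={nat_a}, {end_b['name']}={nat_b}")
    for end, native in ((end_a, nat_a), (end_b, nat_b)):
        if native == DEFAULT_NATIVE:
            findings.append(f"{end['name']}: native vlan left at default 1")
        elif native in host_vlans:
            findings.append(f"{end['name']}: native vlan {native} carries hosts; use an unused vlan")
    return findings

# Constructed ends: the question's Gi5/0/1 and an assumed router-on-a-stick
# end with no native vlan set. Vlan 201 is the question's management vlan.
SWITCH_END = {"name": "Gi5/0/1", "native": 201}
ROUTER_END = {"name": "router", "native": None}
HOST_VLANS = {10, 20, 201}

if __name__ == "__main__":
    for finding in audit_trunk(SWITCH_END, ROUTER_END, HOST_VLANS):
        print(finding)
    # Both ends on an unused vlan, as the reply recommends: no findings.
    print(audit_trunk({"name": "Gi5/0/1", "native": 999},
                      {"name": "router", "native": 999}, HOST_VLANS))
```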

Author Comment by biggynet (ID: 38320993)
"Not sure what you meant by remove native vlan from the trunk." CCNP SWITCH 642-813, p. 433 (ISBN-13: 9781587203084), says that for best security practice at layer 2, remove the native vlan from the trunk. If that is the case then it will defeat the purpose of the native vlan ("the purpose of the native vlan is to allow the 802.1q protocol to communicate between the two endpoints"). Correct?

Expert Comment by Ken Boone (ID: 38321035)
So I am not sure exactly what they are saying.  I stated that the native vlan must match on an 802.1q trunk and that the native vlan is untagged.  It is possible to tag the native vlan as well but I didn't want to go there to avoid confusion.  The other thing they might be stating is that by default the native vlan is 1.  They might be stating don't use 1 for the native vlan.  Other than that, not sure what they are saying.