native vlan and management vlan

biggynet (asker):

I have a sample config with a voice vlan, a data vlan, and a management vlan configured on a Catalyst 3560 (see below). It looks like the native vlan has been changed to vlan 201, and there are PCs plugged into the VoIP phones. Now what if I have a PC plugged into Fa1/0/3 and no switchport access vlan configured for that port? Does that mean the frame will be tagged with vlan 10 by default and then traverse the trunk with a vlan 10 tag on?

interface FastEthernet1/0/2
 description PC and Voice
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
...
interface GigabitEthernet5/0/1
 description TRUNK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 201
 switchport mode trunk
 mls qos trust dscp
...
interface Vlan1
 no ip address
 shutdown
!
interface Vlan201
 description Network_Management
 ip address 10.10.200.1 255.255.255.0
!
ip default-gateway 10.10.200.2
ASKER CERTIFIED SOLUTION (Ken Boone; solution text not shown on this page)

Do you have any configuration for Fa1/0/3?

Or did you mean Fa1/0/2? If yes, you are right, you will get frames with encapsulation dot1q 10.

Do you have any other configuration on this switch, something like native vlan 10?

You can set it up on the trunk port:
enable
config terminal
int Gi5/0/1
 switchport trunk native vlan 10
 no shut


JAN MA CCNA
biggynet (ASKER):

So... In the case of my example, for fa1/0/2, the frames from the PC will be tagged as 10, frames from the voice as 20. My trunk gig5/0/1 will send frame tagged with 10, 20, 301. 301 is my native vlan on that trunk. So if I connect a PC to another port like fa1/0/3 (with no switchport access vlan command), it will be tagged as vlan 301. The purpose of the native vlan is to tag any untagged frames. Correct?
biggynet (ASKER):

"10 will be the native vlan". Vlan 10 is the native vlan even though it is not specified on the interface fa1/0/2. So if I understand correctly, by default the native vlan is the vlan configured with switchport access vlan 10 on the trunk between the phone and the switch port.

I understand that 201 is the native vlan between the two end points on this particular trunk configured on gig5/0/1. Now both sides have to have the same native vlan configured. My other side is a router with the router-on-a-stick type of setup. Does the router have the native vlan capability?

"The purpose of the native vlan is to allow the 802.1q protocol to communicate between the two endpoints." So what if you configure trunk allowed 10 and 20 only? Does it mean that my native vlan 201 is not allowed to go across the trunk, and thus 802.1q will not communicate?
biggynet (ASKER):

kenboonejr,

Thanks for the explanation. It certainly helps me to understand the native vlan better. Now I read the CCNP switch book and it gets me confused as far as the security is concerned. It said that:
- Never use vlan1
- Assign the native vlan to an unused vlan
- Remove native vlan from the trunk with switchport trunk native vlan 300 and switchport trunk allowed vlan remove 300.

But you said that "The purpose of the native vlan is to allow the 802.1q protocol to communicate between the two endpoints". So how will this work?
Ken Boone:

So yes... the Cisco recommendation is to not use vlan1.

Assign the native vlan to an unused vlan.

So for instance, not in the case of phones, but in the case of a switch to switch trunk, use say 999 as the native vlan. So 999 will always be used as the native vlan on the switch trunks.

Not sure what you meant by remove native vlan from the trunk.

To set or change the native vlan for a trunk the command is:
 switchport trunk native vlan xxx
If you don't have that command on a trunk port, then by default the native vlan will be 1.
The switchport trunk allowed vlan remove xxx command simply removes a vlan from the allowed vlan list.

For your last question the native vlan can be whatever you want it to be, but it has to match between the two switches that are involved in the trunk.
biggynet (ASKER):

"Not sure what you meant by remove native vlan from the trunk." CCNP SWITCH 642-813 pg433 (ISBN-13: 9781587203084) says that for best security practice at layer 2, remove the native vlan from the trunk. If that is the case then it will defeat the purpose of the native vlan ("the purpose of the native vlan is to allow the 802.1q protocol to communicate between the two endpoints"). Correct?
Ken Boone:

So I am not sure exactly what they are saying. I stated that the native vlan must match on an 802.1q trunk and that the native vlan is untagged. It is possible to tag the native vlan as well but I didn't want to go there to avoid confusion. The other thing they might be stating is that by default the native vlan is 1. They might be stating don't use 1 for the native vlan. Other than that, not sure what they are saying.
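The thread covers three things that are easy to mix up: an access port puts the PC's untagged frames into its access vlan (and a port with no switchport commands falls back to the default, vlan 1, not vlan 10 and not the trunk's native vlan), an 802.1q trunk sends the native vlan untagged and assigns untagged ingress frames to it, and the CCNP guidance of moving the native vlan to an unused number and removing it from the allowed list (or tagging it) is what stops untagged traffic from riding the trunk at all. The Python model below is an added example, not code from this thread or from Cisco. It parses a constructed config modelled on the one in the question, classifies frames on ingress and egress, and audits the trunks for the settings the book warns about. Two assumptions are built in and marked in the code: a port with no switchport commands is treated as an access port in vlan 1, and the per-port tag_native flag stands in for the global vlan dot1q tag native command.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the 3560 config in the question; Fa1/0/3 has no switchport commands.
SAMPLE_CONFIG = """
interface FastEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 20
!
interface FastEthernet1/0/3
!
interface GigabitEthernet5/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 201
 switchport mode trunk
!
"""
ALL_VLANS = frozenset(range(1, 4095))


@dataclass
class Port:
    name: str
    mode: str = "access"       # assumption: a port with no switchport commands behaves as an access port
    access_vlan: int = 1       # Catalyst default access VLAN
    voice_vlan: int = 0        # 0 = no voice VLAN configured
    native_vlan: int = 1       # Catalyst default native VLAN, as Ken notes in the thread
    allowed: frozenset = ALL_VLANS
    tag_native: bool = False   # stands in for the global "vlan dot1q tag native" command (assumption)


def parse_config(text):
    """Turn the interface stanzas of an IOS-style config into Port objects."""
    ports, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Port(name=line.split(None, 1)[1])
            ports[cur.name] = cur
        elif cur is None or not line.startswith("switchport"):
            continue
        elif m := re.fullmatch(r"switchport mode (access|trunk)", line):
            cur.mode = m.group(1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            cur.access_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport voice vlan (\d+)", line):
            cur.voice_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            cur.native_vlan = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan remove ([\d,]+)", line):
            cur.allowed = cur.allowed - {int(v) for v in m.group(1).split(",")}
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,]+)", line):
            cur.allowed = frozenset(int(v) for v in m.group(1).split(","))
    return ports


def ingress_vlan(port, tag):
    """VLAN assigned to a frame arriving on `port` (`tag` = 802.1Q id, None = untagged); None = dropped."""
    if port.mode == "access":
        if tag is None or tag == port.access_vlan:
            return port.access_vlan      # the PC's untagged frames land in the access VLAN
        return tag if tag == port.voice_vlan else None   # phone frames carry the voice VLAN tag
    vlan = port.native_vlan if tag is None else tag      # trunk: untagged means native VLAN
    return vlan if vlan in port.allowed else None


def egress_tag(port, vlan):
    """How a frame in `vlan` leaves `port`: "drop", "untagged", or the 802.1Q tag it carries."""
    if port.mode == "access":
        if vlan == port.access_vlan:
            return "untagged"
        return vlan if vlan == port.voice_vlan else "drop"
    if vlan not in port.allowed:
        return "drop"                    # pruned by the allowed list
    if vlan == port.native_vlan and not port.tag_native:
        return "untagged"                # 802.1Q sends the native VLAN untagged
    return vlan


def audit(ports):
    """Flag the trunk settings the CCNP guidance quoted in the thread argues against."""
    findings = []
    for p in ports.values():
        if p.mode != "trunk":
            continue
        if p.native_vlan == 1:
            findings.append(f"{p.name}: native VLAN is the default 1; move it to an unused VLAN")
        if p.native_vlan in p.allowed and not p.tag_native:
            findings.append(f"{p.name}: native VLAN {p.native_vlan} is allowed and leaves untagged")
    return findings


if __name__ == "__main__":
    ports = parse_config(SAMPLE_CONFIG)
    pc, trunk = ports["FastEthernet1/0/3"], ports["GigabitEthernet5/0/1"]
    print("PC on Fa1/0/3 is placed in VLAN", ingress_vlan(pc, None))
    print("VLAN 10 leaves Gi5/0/1 as", egress_tag(trunk, 10), "and VLAN 201 as", egress_tag(trunk, 201))
    print("\n".join(audit(ports)))
```

Running it shows the PC on the unconfigured port landing in vlan 1, vlan 10 leaving the trunk tagged and vlan 201 leaving untagged, and the audit flagging that untagged native traffic on Gi5/0/1. Appending a trunk stanza with switchport trunk native vlan 999 and switchport trunk allowed vlan remove 999 makes egress_tag return "drop" for vlan 999 and ingress_vlan return None for untagged frames, which is the book's recommendation in action: the trunk still carries the tagged vlans, only the untagged path is closed.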