
NATIVE VLAN ISSUE

If a trunk link connected to a server is using native VLAN 500, but the uplink from this switch to the core is using native VLAN 90, would traffic originating as untagged pass through to the uplink trunk and be routed in the core?

Effectively the traffic enters the ToR switch untagged and needs to be routed, hence it is directed out the uplink trunk to the core. Since the uplink tags VLAN 500 and the traffic originated as untagged, will the traffic get tagged as it passes out the uplink trunk?
Asked by: sectel

1 Solution

Akinsd (Network Administrator) commented:
Is this server hosting other servers, e.g. Hyper-V or VMware? If so, there should already be tagging done on the NIC of the server.

The switch may forward or drop the packet (default action) depending on whether "vlan dot1q tag native" is configured or not. VLAN pruning or allowed-VLAN configuration may also have an impact.

It is safer to have the switch drop untagged packets to prevent double-encapsulation attacks.

http://www.cisco.com/web/techdoc/dc/reference/cli/nxos/commands/l2/vlan_dot1Q_tag_native.html

https://supportforums.cisco.com/thread/2217944

I hope I understood your question correctly and if so, I hope this helps

askincakir commented:
Hi,
Native VLAN config is per trunk port. On one trunk port it may be 500, on another it may be 100. When data of VLAN 500 passes through the port where the native VLAN is 500, it will not be tagged. When the same data passes through the port where the native VLAN is 100, that data will be tagged. There is no problem in this situation and we use this in many situations; I mean it is a regular setup.

PS: Just please try to use the same native VLAN config on both ends of the link. Otherwise you will be faced with a VLAN HOPPING issue. Data will still pass through the ports, but you may have unexpected problems.

Craig Beck commented:
If traffic isn't tagged on egress from the NIC in the server, it will be placed in VLAN 500. That traffic would still be on VLAN 500 when it goes up to the core.

The native VLAN will only be applied to traffic which comes IN to the port if it isn't tagged with a specific VLAN. When that traffic goes out of a port, the switch can only encapsulate it in an 802.1Q header for the VLAN it was on when it passed through the switch. It won't put the traffic into a different VLAN. That would be a massive security issue!
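The behaviour the three answers describe, as an added example that is not part of the thread and not Cisco code: a small Python model of two trunk ports with different native VLANs. It builds real 802.1Q headers (TPID 0x8100, 12-bit VID) so you can see exactly what leaves the uplink. It covers the question's case (untagged from the server-facing trunk with native 500, egress on an uplink with native 90), the allowed-VLAN filtering Akinsd mentions, and the double-encapsulation attack he warns about, with and without native-VLAN tagging. Assumptions: the port names, MAC addresses and payloads are constructed; `tag_native` is modelled per port for illustration (on Cisco gear `vlan dot1q tag native` is a global command), and the model drops untagged ingress frames when native tagging is on, which is one of the two outcomes Akinsd describes, not a claim about any specific platform.

```python
"""Toy model of 802.1Q trunk forwarding with per-port native VLANs (added example)."""
from dataclasses import dataclass
import struct

TPID = 0x8100      # 802.1Q tag protocol identifier
MAC_HDR = 12       # dst (6 bytes) + src (6 bytes)


def build_frame(dst, src, vids, payload, ethertype=0x0800):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    hdr = bytes(dst) + bytes(src)
    for vid in vids:
        hdr += struct.pack("!HH", TPID, vid & 0x0FFF)   # PCP=0, DEI=0, 12-bit VID
    return hdr + struct.pack("!H", ethertype) + payload


def outer_vid(frame):
    """VID of the outermost tag, or None if the frame is untagged."""
    if len(frame) >= MAC_HDR + 4 and struct.unpack_from("!H", frame, MAC_HDR)[0] == TPID:
        return struct.unpack_from("!H", frame, MAC_HDR + 2)[0] & 0x0FFF
    return None


def pop_tag(frame):
    return frame[:MAC_HDR] + frame[MAC_HDR + 4:]


def push_tag(frame, vid):
    return frame[:MAC_HDR] + struct.pack("!HH", TPID, vid) + frame[MAC_HDR:]


def tag_stack(frame):
    """All stacked VIDs, outside in (inspection helper, not switch logic)."""
    vids = []
    while (vid := outer_vid(frame)) is not None:
        vids.append(vid)
        frame = pop_tag(frame)
    return vids


@dataclass
class TrunkPort:
    name: str
    native: int
    allowed: frozenset
    tag_native: bool = False   # modelled per port; 'vlan dot1q tag native' is global on Cisco


def ingress(port, frame):
    """Classify a received frame: (vlan, frame minus outer tag), or (None, None) if dropped."""
    vid = outer_vid(frame)
    if vid is None:
        if port.tag_native:       # assumption: untagged ingress dropped when native is tagged
            return None, None
        vid = port.native         # untagged -> native VLAN of THIS port
    else:
        frame = pop_tag(frame)    # only the outermost tag is examined
    if vid not in port.allowed:   # pruned / not in the allowed list
        return None, None
    return vid, frame


def egress(port, vlan, frame):
    """Re-encapsulate for the outgoing trunk. VLAN membership never changes here."""
    if vlan not in port.allowed:
        return None
    if vlan == port.native and not port.tag_native:
        return frame              # native VLAN of THIS port leaves untagged
    return push_tag(frame, vlan)  # any other VLAN is tagged with its own VID


def forward(in_port, out_port, frame):
    vlan, inner = ingress(in_port, frame)
    return None if vlan is None else egress(out_port, vlan, inner)


# Constructed scenario from the question: server trunk native 500, uplink native 90.
SERVER = b"\x02\x00\x00\x00\x00\x01"
GATEWAY = b"\x02\x00\x00\x00\x00\xff"
ALLOWED = frozenset({90, 500})
server_port = TrunkPort("Eth1/1", native=500, allowed=ALLOWED)
uplink = TrunkPort("Eth1/49", native=90, allowed=ALLOWED)


def untagged_from_server():
    """Untagged in on native 500, out the uplink whose native is 90 -> tagged 500."""
    out = forward(server_port, uplink, build_frame(GATEWAY, SERVER, [], b"hello"))
    return tag_stack(out)


def double_tag(uplink_native, tag_native=False):
    """Attacker sends outer=500 (our native), inner=90. Returns the stack the core sees."""
    core_side = TrunkPort("Eth1/49", native=uplink_native, allowed=ALLOWED, tag_native=tag_native)
    out = forward(server_port, core_side, build_frame(GATEWAY, SERVER, [500, 90], b"evil"))
    return None if out is None else tag_stack(out)


if __name__ == "__main__":
    print("untagged from server, seen by core:", untagged_from_server())
    print("double-tag, uplink native 90:      ", double_tag(90))
    print("double-tag, uplink native 500:     ", double_tag(500))
    print("double-tag, native 500 but tagged: ", double_tag(500, tag_native=True))
```

Running it shows the answers' point directly: the untagged server frame reaches the core as VLAN 500, tagged, because the uplink's native VLAN is different. The double-tag case shows why matching native VLANs end to end without tagging the native VLAN is the risky combination: with the uplink native also 500, the outer tag is stripped on egress and the inner VLAN 90 tag becomes the outer tag at the core, i.e. the frame has hopped; with native tagging on, the frame keeps both tags and stays inside VLAN 500.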