Solved

NATIVE VLAN ISSUE

Posted on 2013-11-13
Last Modified: 2013-11-18
If a trunk link connected to a server is using native VLAN 500, but the uplink to the core for this switch is using native VLAN 90, would traffic originating as untagged pass through to the uplink trunk and be routed in the core?

Effectively the traffic enters the ToR switch as untagged and it needs to be routed, hence it is directed out the uplink trunk to the core. Since the uplink tags VLAN 500 and the traffic originated as untagged, will the traffic get tagged as it passes out the uplink trunk?
Question by: sectel

3 Comments

Expert Comment by: Akinsd (LVL 18)
ID: 39646981
Is this server hosting other servers, e.g. Hyper-V or VMware? If so, there should already be tagging done on the NIC of the server.

The switch may forward or drop the packet (default action) depending on whether "vlan dot1q tag native" is configured or not. VLAN pruning or allowed VLAN configuration may also have an impact.

It is safer to have the switch drop untagged packets to prevent double-encapsulation attacks.

http://www.cisco.com/web/techdoc/dc/reference/cli/nxos/commands/l2/vlan_dot1Q_tag_native.html

https://supportforums.cisco.com/thread/2217944

I hope I understood your question correctly, and if so, I hope this helps.
Expert Comment by: askincakir (LVL 4)
ID: 39647468
Hi,
Native VLAN config is per trunk port. On one trunk port it may be 500, on another it may be 100. When data of VLAN 500 passes through the port where the native VLAN is 500 it will not be tagged. When the same data passes through the port where the native VLAN is 100, that data will be tagged. There is no problem in this situation and we use this in many situations; I mean it is a regular thing.

PS: Just please try to use the same native VLAN config on both ends of the link. Otherwise you will be faced with a VLAN hopping issue. Data will still be passed through the ports but you may have unexpected problems.
Accepted Solution by: Craig Beck (LVL 45), earned 500 total points
ID: 39649185
If traffic isn't tagged on egress from the NIC in the server it will be placed in VLAN 500. That traffic would still be on VLAN 500 when it goes up to the core.

The native VLAN will only be applied to any traffic which comes in to the port if it isn't tagged in a specific VLAN. When that traffic goes out of a port the switch can only encapsulate it in an 802.1Q header for the VLAN it was on when it passed through the switch. It won't put the traffic into a different VLAN. That would be a massive security issue!
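The behaviour the three answers describe, as an added illustration that is not from the thread or from any vendor: a small model of 802.1Q ingress classification and egress encapsulation on raw frame bytes. The sample frame, the port names and the `tag_native` switch (standing in for "vlan dot1q tag native") are constructed assumptions; it shows the untagged server frame landing in VLAN 500 and leaving the native-90 uplink tagged 500, and why a native VLAN mismatch on one link lets an untagged frame change VLAN.

```python
import struct

TPID_8021Q = 0x8100

# Constructed sample: untagged IPv4 frame from the server (dst, src, EtherType 0x0800, payload).
SERVER_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"constructed payload"


def parse_frame(frame: bytes):
    """Return (vid or None, EtherType) for a raw Ethernet frame."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, struct.unpack("!H", frame[16:18])[0]
    return None, etype


def ingress_vlan(frame: bytes, port_native_vlan: int) -> int:
    """Ingress: a tagged frame keeps its VID; an untagged frame is classified
    into the native VLAN of the port it arrived on (Craig Beck's point)."""
    vid, _ = parse_frame(frame)
    return port_native_vlan if vid is None else vid


def egress_frame(frame: bytes, vlan: int, port_native_vlan: int, tag_native: bool = False) -> bytes:
    """Egress: the frame's VLAN never changes. It leaves untagged only when it
    matches the egress port's native VLAN and tag-native is off; otherwise the
    switch encapsulates it in an 802.1Q header carrying that same VLAN."""
    vid, _ = parse_frame(frame)
    untagged = frame[:12] + frame[16:] if vid is not None else frame
    if vlan == port_native_vlan and not tag_native:
        return untagged
    tag = struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return untagged[:12] + tag + untagged[12:]


def forward(frame: bytes, in_native: int, out_native: int, tag_native: bool = False):
    """Pass a frame through the switch: classify on ingress, encapsulate on egress."""
    vlan = ingress_vlan(frame, in_native)
    return vlan, egress_frame(frame, vlan, out_native, tag_native)


if __name__ == "__main__":
    vlan, out = forward(SERVER_FRAME, in_native=500, out_native=90)
    print("server port native 500 -> uplink native 90:", vlan, parse_frame(out))
    vlan, out = forward(SERVER_FRAME, in_native=500, out_native=500)
    print("uplink native 500 sends it untagged:", parse_frame(out))
    # Mismatch: the peer end of that link uses native 90 and reclassifies it.
    print("peer with native 90 classifies it as VLAN", ingress_vlan(out, 90))
```

Running it shows the frame tagged 500 on the native-90 uplink, untagged on a native-500 uplink, and reclassified into VLAN 90 by a mismatched peer, which is the hopping risk askincakir warns about and why tagging the native VLAN (or dropping untagged frames) is the safer setting.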