Native or Management VLAN

wrwiii122
Level 1

What is the difference between a management VLAN and a native VLAN?

8 Replies

msocarras
Level 1

Hi. When you have trunking configured between switches, then the native VLAN comes into play. The 802.1q standard defines that there should be a native VLAN; when a 1q interface receives an untagged packet it will forward that packet to the native VLAN it has configured on that interface. When a trunk port is going to send a packet through a trunk's VLAN and that VLAN is the native VLAN, then the packet goes untagged. That's why both trunk ends should have the same native VLAN configured. When they are not the same, the switch usually sends a "native VLAN mismatch" warning.

Management VLAN is simply the VLAN that you define to administer the devices. On 2950s, for example, the management VLAN is VLAN1 by default. You can change the management VLAN just by putting an IP address on another VLAN interface. It will let you configure just one administrative IP. It is recommended to change the management VLAN to another one different from VLAN1, for security and performance purposes.

Hope this explanation helps.

Mario S.

Thank you so much for that clarification. Is it considered a bad thing to have all devices using VLAN1 as the native VLAN? On the management VLAN I have a bunch of 2950s and 3550s and the management VLAN is set to 2, and these devices have multiple IPs in them for each VLAN interface. I can go into each switch and configure it from any VLAN using the corresponding IP. I guess that is the thing that is confusing me about the management VLAN, because it doesn't really seem like that setting matters.

There is not much of an issue in having the native VLAN as 1. Just be sure your trunk ports have native VLAN 1 on all of them. One of the reasons for not using VLAN1 for passing data or management traffic is that some network information protocols such as CDP or VTP use VLAN1. You can administer a L3 switch by any of its VLAN interface IP addresses. That works fine, but it's not very safe to permit telnet or SSH into all of those IP VLAN interfaces. You should use an ACL on the VTY line to permit just some stations to telnet to the switch, and use a defined VLAN for that. That way you can enforce security policies for that particular management VLAN.

Check this out.

"The Catalyst Supervisor Engine always uses the default VLAN, VLAN 1, to tag a number of control and management protocols when trunking, such as CDP, VTP and PAgP."

Also "The native VLAN is defined as the VLAN to which a port will return when not trunking, and is the untagged VLAN on an 802.1Q trunk."

Bottom line is: it may be OK to leave the native VLAN as 1, just make sure not to pass any data traffic over that VLAN. For security, try to limit management access to just a specified VLAN.

Hope this helps.

Mario.

Right now I use dynamic desirable on all my trunks, which puts them into VLAN 1 by default. So is this a bad thing? Should I use ISL or 1q so that I can set the native to an unused VLAN?

Hi!

I think it's safer to statically configure the trunk ports rather than leaving them to negotiate trunk parameters. Just set the trunk to on and configure dot1q as the encapsulation. Some Cisco switches don't support ISL (really), so 1q is a better option. Once you have the trunk ports configured, you can change the native VLAN from interface configuration mode.

Mario S.
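Putting the advice from this thread together in one constructed Catalyst configuration (an added example, not posted by anyone in the thread): a statically configured dot1q trunk with the native VLAN moved to an otherwise unused VLAN, a management SVI on VLAN 2, and a VTY ACL so that only hosts on the management subnet can reach the switch, and only over SSH. The VLAN numbers, VLAN names, IP addresses, ACL name and interface names are assumed; the `switchport trunk encapsulation dot1q` line is needed on a 3550 and is rejected on a 2950, which only supports dot1q.

```cisco
! Constructed example (not from the thread). Assumed values throughout.
! Management VLAN and a dedicated, unused native VLAN for trunks.
vlan 2
 name MANAGEMENT
vlan 999
 name NATIVE-UNUSED
!
! Single administrative IP on the management SVI (VLAN 2), not on VLAN 1.
interface Vlan1
 no ip address
 shutdown
interface Vlan2
 description Management SVI
 ip address 10.1.2.10 255.255.255.0
!
! Static trunk: no DTP negotiation, native VLAN set to the unused VLAN,
! and only the VLANs that should cross this link are allowed.
interface FastEthernet0/24
 description Trunk to distribution switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk
 switchport nonegotiate
!
! Only hosts on the management subnet may open a VTY session;
! everything else is denied and logged for the syslog collector.
ip access-list standard MGMT-HOSTS
 permit 10.1.2.0 0.0.0.255
 deny any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
```

Both ends of the trunk must carry the same `switchport trunk native vlan 999` line, otherwise the "native VLAN mismatch" warning described earlier in the thread will appear.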

I have noticed that the 2950s don't offer ISL. Thanks so much for your input.

Should the native VLAN be separate from VLAN1 because of the extra traffic on there?

Another point. Is it trouble to have a network of 30 switches all sharing a native VLAN?
