11-05-2004 12:22 PM - edited 03-02-2019 07:46 PM
Need some help to clear up some confusion I'm having.
I have switches configured for 3 VLANs:
1 (data), 10 (voice), 100 (manage).
Here's my phone/computer port config
--------------------
switchport trunk encapsulation dot1q
switchport mode trunk
switchport voice vlan 10
spanning-tree portfast
--------------------
Here's my uplink port config
--------------------
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
--------------------
I was going through some of the configurations on the other switches on this network and found that their uplink ports have the default native VLAN of 1.
My question is: what are the effects of that, while other switches have a native VLAN of 100 in their uplink configs?
Also, since my phone/computer ports are trunking data, should they also be configured for a native VLAN of 100, or are they fine the way they are?
Thanks for reading.
Please bear with me as I will probably have more questions. :)
11-07-2004 10:53 PM
I believe VLAN 1 is always the native VLAN if it is present, so on the uplink where all VLANs are present I think you will get a problem.
Why not make the data VLAN 100,
then configure the phone/data ports as
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
switchport voice vlan 10
spanning-tree portfast
then leave the uplink ports at default.
11-08-2004 01:01 AM
Hi,
1) Native VLAN has only a local meaning on the trunk.
You can configure native VLAN 100 on one trunk (uplink) and native VLAN 1 on other trunks (uplinks) with no problem (I suppose both VLANs are enabled on all trunks).
2) See
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swvoip.htm
for a voice VLAN explanation.
Note: "You should configure voice VLAN on switch access ports." in that guide.
Regards,
Milan
11-08-2004 05:50 AM
Hi,
Native VLAN is the fallback VLAN when the trunk is broken. When the trunk is broken, the switch will continue to receive/send (with interface/line protocol up) on the native VLAN (VLAN 100).
This has only local significance. You should analyse which VLAN you need to retain in case the trunk is broken.
Moreover, you need to set the same native VLAN on both ends of the trunk.
VLAN 1 is the default native VLAN, which can be modified.
Rgds,
Vijay V
11-08-2004 06:29 AM
Sorry, but I disagree. When the trunk is broken, it falls back to the access VLAN, as defined by the command switchport access vlan n. The native VLAN of the trunk is the untagged VLAN during normal trunk operation, as defined by the command switchport trunk native vlan n. They both have VLAN 1 as default, but they are two different things.
Kevin Dorrell
Luxembourg
11-08-2004 06:43 AM
I have to say I appreciate EVERYONE'S information.
So this leads me to ask:
If my uplinks are trunking and I have my data/phone ports as trunks with a different native VLAN, how is the data being passed?
This is how I understand it in my head: the switch receives a packet from a data/phone port, it then says "Oh hey, no VLAN tag", so it sends it to VLAN 1 (like it should). Where does it go from there, or how does the data path look?
We can say that the switch mentioned above is a 3550 (non-L3). It goes to a 6509 (which has the servers plugged into another port configured for phone/data).
11-08-2004 06:49 AM
So, it receives a packet from the phone/data port, and it says "Hey, no VLAN tag .... must be for the native VLAN of this (trunk) port ... ah yes, VLAN 1. Now where shall I send it ... up the uplink. But careful - the native VLAN of the uplink is 100, so I must tag it as VLAN 1 before I send it."
The 6509 should know that the native VLAN of the trunk is 100 (a mismatch would be a real no-no), so it shouldn't have any problem with the frame being tagged as VLAN 1.
Take it from there ....
Kevin Dorrell
Luxembourg
11-08-2004 06:58 AM
Okay, very cool.
I should have figured that but was really unsure. Thanks!!
So really my management VLAN is only being used for trunking between switches and not for its intended purpose of configuring/maintaining switches? That's still being sent over VLAN 1.
Edit: I just remembered what caused me to ask this in the first place. On the 6509 I have 2 switches coming in: switch A is trunking between itself and the core on 100. Switch B is trunking between the core and itself on 1. Is there any consequence? This is how it's set up on our switch here. I don't think the net admin before me did it on purpose that way, and it doesn't seem to be having any effect. Just curious as to what could happen.
11-09-2004 01:55 AM
Hi,
Are you saying that you have different native VLANs (1, 100) configured on different trunks in your network, and VLAN 100 has a "management" description, while VLAN 1 is effectively being used for switch management?
Generally:
1) Most network admins use the same native VLAN on all trunks in the network. It's comfortable, and you are always sure which VLAN is the native one in troubleshooting times.
2) It's recommended not to use the default VLAN 1 as the native VLAN on trunks. The reason is security.
A "paranoid" security approach even says the native VLAN should not be used as an access VLAN in your network at all (possible VLAN hopping attack) and VLAN 1 should be disabled (it's effectively disabled for user data; control plane protocols are still sent through it).
3) It's also recommended to use neither VLAN 1 nor the native VLAN as the management VLAN. Again, security reasons.
4) The more secure your network is, the less comfortable it is to administer. If you choose "paranoid" security, you have to configure many things before connecting a new switch to your network. And troubleshooting may get more complicated, of course.
On the other hand, leaving everything default makes your network "plug and play". But insecure.
(or http://www.cisco.com/warp/public/473/185.pdf for the same article)
for better understanding and decision.
Regards,
Milan
11-09-2004 01:27 AM
Kevin,
you are correct.
This misunderstanding comes from CatOS, where there is no special command for native VLAN trunk configuration.
The native VLAN is derived from the port access VLAN there, i.e. native VLAN = access VLAN.
You can even read "When a trunk port with VLAN 1 disabled becomes a nontrunk port, it is added to the native VLAN. If the native VLAN is VLAN 1, the port is enabled and added to VLAN 1." in the CatOS documentation (see http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/8_3/configur/e_trunk.htm).
But again, this is correct only in the CatOS world.
Regards,
Milan
11-09-2004 07:18 AM
I took over a network and am fixing all the loose ends, or trying to.
And yes, there are links to switches with different native VLANs configured for them (Switch A - Core Native 100 [Management] | Switch B - Core Native 1 [Data]). I was wondering what the consequence of this is. Seems like if a person is security paranoid then there is a problem.
Thanks for everyone's advice and information.
11-09-2004 09:56 PM
Hi Milan / Kerry,
I have a doubt. If I have a configuration on the switchport where it is configured for native VLAN 100 and no access VLAN is configured, during a non-trunk condition will the switchport revert back to the native VLAN (100) or to VLAN 1? Or will it stay disconnected?
Does it vary with CatOS / IOS?
Rgds,
Vijay V
11-09-2004 11:34 PM
Yes,
there is a difference between IOS and CatOS.
In IOS:
switchport trunk native vlan 100
applies only in 802.1q trunk mode.
If nothing else is configured, the port remains in the default VLAN 1 while in access mode.
You can configure
switchport access vlan 10
for example, and the port will move to VLAN 10 when not trunking. But the native VLAN will be VLAN 100 while trunking.
In CatOS:
There is no special command to configure the trunk native VLAN.
set vlan n mod/port
is used instead.
This command configures the access VLAN if the port is in access mode and the native VLAN if the port is in 802.1q trunking mode.
You can use the sh int fa 0/x switchport
command to check the port status in IOS.
Check especially the following output lines:
Operational Mode: trunk
Operational Trunking Encapsulation: dot1q
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
You can use the sh trunk ...
command in CatOS to see the current trunk status and the native VLAN used.
Regards,
Milan
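As an added example (not code from any poster in this thread), a Python check that parses the "sh int fa 0/x switchport" fields Milan lists above and flags the conditions the thread warns about: a trunk left on the default native VLAN 1, the management VLAN used as native VLAN, native VLANs that differ between the trunks of one switch, and a native VLAN mismatch between the two ends of a trunk. The sample output is constructed to mirror the original poster's setup (phone/PC trunk on native 1, uplink on native 100, management VLAN 100).

```python
import re

# Constructed sample modelled on the "sh int fa 0/x switchport" lines quoted in the thread:
# Fa0/1 is the phone/PC trunk left at native VLAN 1, Fa0/24 the uplink with native VLAN 100.
SAMPLE_OUTPUT = """\
Name: Fa0/1
Operational Mode: trunk
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/24
Operational Mode: trunk
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 100 (VLAN0100)
"""

def parse_switchports(text):
    """Map each 'Name:' block of show-interfaces-switchport output to {field: value}."""
    ports, current = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            current = line[6:].strip()
            ports[current] = {}
        elif current and ": " in line:
            key, value = line.split(": ", 1)
            ports[current][key.strip()] = value.strip()
    return ports

def vlan_id(value):
    """'100 (VLAN0100)' -> 100, '0 ((Inactive))' -> 0, missing field -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

def audit(ports, management_vlan):
    """Check one switch's trunks against the thread's advice; returns (port, finding) tuples."""
    trunks = {n: f for n, f in ports.items() if f.get("Operational Mode") == "trunk"}
    natives = {n: vlan_id(f.get("Trunking Native Mode VLAN")) for n, f in trunks.items()}
    findings = []
    for name, native in sorted(natives.items()):
        if native == 1:
            findings.append((name, "trunk uses the default VLAN 1 as native VLAN"))
        if native == management_vlan:
            findings.append((name, "trunk native VLAN is the management VLAN"))
    if len(set(natives.values())) > 1:
        findings.append(("*", "trunks use different native VLANs: %s" % sorted(set(natives.values()))))
    return findings

def native_mismatch(local, remote):
    """True when the two ends of one trunk disagree on the native VLAN (the 'real no-no' above)."""
    return vlan_id(local.get("Trunking Native Mode VLAN")) != vlan_id(remote.get("Trunking Native Mode VLAN"))
```

Run `audit(parse_switchports(output), management_vlan=100)` on the output of each switch, and feed the two ends of each uplink to `native_mismatch` to catch the switch A / switch B situation described in the thread.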