Sorry, but I disagree. When the trunk is broken, it falls back to the access vlan, as defined by the command switchport access vlan n. The native VLAN of the trunk is the untagged VLAN during normal trunk operation, as defined by the command switchport trunk native vlan n. They both have VLAN 1 as default, but they are two different things.

Kevin Dorrell

Luxembourg

I have to say I appreciate EVERYONES information.

So this raises me to ask.

If my uplinks are trunking and I have my data/phone ports as trunks with a different native trunk how is the data being passed?

This is how i understand it in my head Switch recieves a packet from a data/phone port it then says "Oh hey no Vlan Tag" so it sends it to vlan 1 (like it should). Where does it go from there? or how does the data path look?

We can say that the switch mentioned above is a 3550 non L3. it goes to a 6509 (which has the servers plugged into another port configured for phone/data).

So, it receives a packet from the phone/data port, and it says "Hey, no VLAN tag .... must be for the native VLAN of this (trunk) port ... ah yes, VLAN 1. Now where shall I send it ... up the uplink. But careful - the native VLAN of the uplink is 100, so I must tag it as VLAN 1 before I send it."

The 6509 should know that the native VLAN of the trunk is 100 (a mismatch would be a real no-no), so it shouldn't have any problem with the frame being tagged as VLAN 1.

Take it from there ....

Kevin Dorrell

Luxembourg

Okay very cool.

I should of figured that but was really unsure. Thanks!!

So really my management vlan is only being used for trunking between switches and not its intended purpose to configure/maintain switches? Thats still being sent over vlan 1.

Edit: I just rememberd what caused me to ask this in the first place. On the 6509 I Have 2 switches comeing in swith A is trunking between itself and the core on 100. Switch B is trunking between the core and itself on 1. Is there any consequence? This is how its setup on our switch here. I don't think the net admin before me did it on purpose that way and it doesn't seem to be having any effect. Just curious as to what could happen.

Hi,

are you saying that you have different native VLANs (1,100) configured on different trunks in your network and VLAN100 has a "management" description, while VLAN1 is being used for switch management effectively?

Generally:

1) Most network admins use the same native VLAN on all trunks in the network. It's comfortable and you are always sure which VLAN is the native one in troubleshooting times.

2) It's recommended not to use the deafult VLAN1 as the native VLAN on trunks. The reason is security.

A "paranoid" security even says the native VLAN should not be used as an access VLAN in your network at all (possible VLAN hopping attack) and VLAN1 should be disabled (it's disabled for user data effectively, control plane protocols are still sent through it.)

3) It's also recommended not to use neither VLAN1 nor native VLAN as the management VLAN. Again, security reasons.

4) The more secure your network is, the less comfortable is to administer it. If you choose "paranoid" security, you have to configure many things before connecting a new switch to your network. And troubleshooting may get more complicated, of course.

On the other hand, leaving everything default makes your network "plug and play". But insecure.

See http://www.cisco.com/en/US/customer/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml#pre6

(or http://www.cisco.com/warp/public/473/185.pdf for the same article)

for better understanding and decision.

Regards,

Milan

Kevin,

you are correct.

This misunderstnding comes from CatOS, where there is no special command for native VLAN trunk configuration.

Native VLAN is derived from the port access VLAN then, i.e. the native VLAN = access VLAN.

You can even read "When a trunk port with VLAN 1 disabled becomes a nontrunk port, it is added to the native VLAN. If the native VLAN is VLAN 1, the port is enabled and added to VLAN 1." in CatOS documantation (see http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/8_3/configur/e_trunk.htm)

But again, this is corect only in CatOS world.

Regards,

Milan

I took over a network and am fixing all the loose ends, or trying to.

And yes there are links to switches with different Native Vlans configured for them (Switch A - Core Native 100[Management] | Switch B - Core Native 1[Data]). I was wondering what the consequence of this is. Seems like if a person is security paranoid then there is a problem.

Thanks for everyones advice and information.

Hi Milan / Kerry,

I have a doubt. If I have a configuration on the switchport where it is configured for native vlan 100 and no access vlan configured. during not trunk condition, will the switch port revert back to native vlan (100) or vlan 1? or will it stay disconnected.

does it vary with CatOS / IOS?

Rgds,

Vijay V

Yes,

there is a difference between IOS and CatOS:

In IOS:

switchport trunk native vlan 100

applies only in 802.1q trunk mode.

If there is nothing else configured, the port remains in the default VLAN1 while in access mode.

You can configure

switchport access vlan 10

e.g., and the port will move to VLAN10 when not-trunking. But native VLAN will be VLAN100 while trunking.

In CatOS:

There is no special command to configure the trunk native VLAN.

set vlan n mod/port

is used instead.

This command configures the access VLAN if port is in access mode and native VLAN if the port is in 802.1q trunking mode.

You can use sh int fa 0/x switchport

command to check the port status in IOS.

Check the following output lines especially:

Operational Mode: trunk

Operational Trunking Encapsulation: dot1q

Access Mode VLAN: 0 ((Inactive))

Trunking Native Mode VLAN: 1 (default)

You can use sh trunk ...

command in CatOS to see current trunk status and native VLAN used.

Regards,

Milan