VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1

hculver
Level 1

Hi All,

L2 security documents suggest avoiding VLAN 1 and tagging all frames with VLAN IDs using the global configuration command vlan dot1q tag native. Other Cisco non-security documents suggest using switchport trunk native vlan #, which removes any VLAN tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # command are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using VLAN 1 to tighten L2 security. When VLAN 1 is removed from all trunked uplinks, user access ports are in VLANs other than VLAN 1, and no spanning-tree VLAN 1 operations exist, what is native VLAN 1 actually used for? The output of show interface gi0/1 trunk shows the native VLAN as 1.

Thanks,

HC

2 Replies

Please note that the native VLAN on both switches (the switches between which the VLANs need to flow) should be the same; failing this, the VLANs do not flow from one switch to the other. The native VLAN is kept as VLAN 1 since a switch running CatOS can interoperate with a switch running IOS, because both have VLAN 1 as their native VLAN by default.

simonstoll
Level 1

Hi HC,

The command "switchport trunk native vlan" is used to define the native (untagged) VLAN on a dot1q link. The default is 1, but you can change it to anything you like. It only changes the native VLAN; all the other VLANs on the trunk are of course tagged (and it only applies to dot1q, as ISL "tags/encapsulates" all the VLANs). The command "vlan dot1q tag native" is mostly used in dot1q-in-dot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. That's something mostly service providers offer to their customers. There it is important that there is no untagged traffic, as that would not work with dot1q-in-dot1q. This command tags the native VLAN traffic and drops all traffic which is not tagged.

What is the native VLAN for? Switches send control PDUs such as STP, CDP or VTP over the native VLAN.

If you don't happen to be a service provider for L2 metropolitan Ethernet, you won't need the "vlan dot1q tag native" command. For my part, I'm trying not to use VLAN 1 everywhere in my campus, because it gives a huge spanning-tree topology, and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degraded. I try to keep VLANs as small as possible and to have as much L3 separation as possible; that's good for stability!

Simon
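Added example, not from this thread or from Cisco: a small Python check over the text of "show interfaces trunk" that flags the conditions discussed above, a trunk whose native VLAN is still 1, a trunk that still allows VLAN 1, and a native VLAN that differs from the one the peer is expected to use. The sample output below is constructed to match the IOS layout and is not a capture from HC's switch.

```python
import re

# Constructed sample of IOS "show interfaces trunk" output (not from the thread).
SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/2       on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       10,20,30

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,30
Gi0/2       10,20,30
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1-4,10' into a set of ints."""
    out = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            out.update(range(int(lo), int(hi) + 1))
        elif part:
            out.add(int(part))
    return out

def parse_trunks(text):
    """Return {port: {"native": int, "allowed": set}} from the command output."""
    trunks, section = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):  # column header starts a new section
            section = "status" if "Native vlan" in line else (
                "allowed" if "allowed on trunk" in line else None)
            continue
        fields = line.split()
        if not fields or section is None:
            continue
        port = fields[0]
        if section == "status":
            trunks[port] = {"native": int(fields[-1]), "allowed": set()}
        elif section == "allowed" and port in trunks:
            trunks[port]["allowed"] = expand_vlans(fields[1])
    return trunks

def audit(text, expected_native=None):
    """Flag native VLAN 1, VLAN 1 still on the trunk, and native VLAN mismatches."""
    findings = []
    for port, t in parse_trunks(text).items():
        if t["native"] == 1:
            findings.append(f"{port}: native VLAN is 1")
        if 1 in t["allowed"]:
            findings.append(f"{port}: VLAN 1 still allowed on trunk")
        if expected_native is not None and t["native"] != expected_native:
            findings.append(f"{port}: native VLAN {t['native']} != expected {expected_native}")
    return findings
```

Run audit(SAMPLE, expected_native=999) to see the three findings for Gi0/1 and none for Gi0/2.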
