
Vlan and Inter-VLAN Routing

Thedentist (Level 1)

Hi all, 

 

I'm studying VLANs and inter-VLAN routing.

I am following lab exercises on this topic. The professor said that putting the native VLAN on all the trunks between switches makes sense, but that it makes no sense to put it on the fa2/1 interface of Switch0. He gave a rule that reads like this: "the native VLAN only makes sense between two switches, while between switches and routers it doesn't make sense."
In that case the connection is obviously a "router-on-a-stick" for inter-VLAN routing.


5 Replies

Joseph W. Doherty (Hall of Fame)

I'm unsure why your professor believes a native (i.e. untagged) trunk link is good for switches but bad for routers. You might ask him to expand on "why".

In the case of routers the native (untagged) VLAN would map to the main interface (while tagged VLANs would map to subinterfaces on the same router port).

Thedentist (Level 1)

He made it sound as if it wasn't needed there, but was obligatory for the switches (perhaps in our specific case).

I always try to ask many questions, but the answers are always vague, so I decided to find out for myself.
I prefer to understand rather than type commands without even knowing what the difference is.

Giuseppe Larosa (Hall of Fame)

Hello Thedentist,

I don't know what the exact question is.

From a technical point of view a native VLAN can also be used on a router-switch link.

From the router side the native VLAN can be:

a) associated with the physical interface, by configuring an IP address on it

b) associated with a subinterface, using

interface fas0/0.3
 encapsulation dot1q 3 native

However, if your teacher wants you to avoid using the native VLAN on the router-switch link:

do not configure an IP address on the physical interface fas0/0;

do not use the native VLAN 1 (the default native VLAN) on the router side.

IF you need to route between several VLANs using router on a stick:

use VLANs like 10,20,30,40,50;

configure the switch side as a static trunk (routers do not support DTP negotiation).

switch side

interface FastEthernet1/24
 description to router
 switchport
 ! static trunk: the router does not negotiate DTP
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30,40,50
 no shutdown
!

on router side

interface FastEthernet0/0
 ! no IP address here, so the native (untagged) VLAN is not routed
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1q 10
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1q 20
 ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0.30
 encapsulation dot1q 30
 ip address 10.10.30.1 255.255.255.0
!
interface FastEthernet0/0.40
 encapsulation dot1q 40
 ip address 10.10.40.1 255.255.255.0
!
interface FastEthernet0/0.50
 encapsulation dot1q 50
 ip address 10.10.50.1 255.255.255.0
!

 

This is just an example of a configuration that satisfies the requirements for your lab

 

Hope to help

Giuseppe
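The rules in Giuseppe's post (static trunk on the switch side, no IP address on the router's physical interface, no subinterface bound as native, and a subinterface for every VLAN carried on the trunk) are easy to get wrong by hand, so here is a small config audit that checks them. This is example code added for this page, not code from the thread or from Cisco; the two router configs and the switch config are constructed, and the interface names and addresses are assumptions.

```python
"""Audit a router-on-a-stick switch/router config pair for the native-VLAN rules
from the post above. Added example; the IOS-style configs below are constructed
(interface names and addresses are assumptions, not taken from the thread).
Checks:
  - switch side: the port to the router is a static trunk (routers do not run DTP)
  - router side: no IP address on the physical interface (that would route the native VLAN)
  - router side: no subinterface bound with 'encapsulation dot1q <id> native'
  - the VLANs allowed on the trunk and the router subinterfaces match
"""
import re

SWITCH_CFG = """\
interface FastEthernet1/24
 description to router
 switchport
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 no shutdown
!
"""

# Breaks the teacher's rule twice: IP on the physical port, and a native subinterface.
ROUTER_CFG_BAD = """\
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.99
 encapsulation dot1Q 99 native
 ip address 10.10.99.1 255.255.255.0
!
"""

ROUTER_CFG_GOOD = """\
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.10.30.1 255.255.255.0
!
"""


def parse_interfaces(cfg):
    """Map each 'interface X' stanza to its indented command lines."""
    stanzas, current = {}, None
    for raw in cfg.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:                      # '!' or any non-indented line ends the stanza
            current = None
    return stanzas


def expand_vlan_list(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def audit(switch_cfg, switch_port, router_cfg, router_phys):
    """Return a list of findings (empty when both configs follow the rules)."""
    findings = []
    sw = parse_interfaces(switch_cfg).get(switch_port, [])
    if "switchport mode trunk" not in sw:
        findings.append(f"{switch_port}: not a static trunk (routers do not negotiate DTP)")
    allowed = set()
    for line in sw:
        m = re.match(r"switchport trunk allowed vlan (\S+)$", line)
        if m:
            allowed = expand_vlan_list(m.group(1))
    rt = parse_interfaces(router_cfg)
    if any(l.startswith("ip address ") for l in rt.get(router_phys, [])):
        findings.append(f"{router_phys}: IP address on the physical interface (native VLAN is routed)")
    subifs = {}                                     # vlan id -> subinterface name
    for name, lines in rt.items():
        if not name.startswith(router_phys + "."):
            continue
        for line in lines:
            m = re.match(r"encapsulation dot1[qQ] (\d+)( native)?$", line)
            if m:
                vid = int(m.group(1))
                subifs[vid] = name
                if m.group(2):
                    findings.append(f"{name}: VLAN {vid} bound as native (untagged) on the router")
    for vid in sorted(allowed - set(subifs)):
        findings.append(f"VLAN {vid}: allowed on {switch_port} but has no router subinterface")
    for vid in sorted(set(subifs) - allowed):
        findings.append(f"{subifs[vid]}: VLAN {vid} routed but not allowed on {switch_port}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("bad", ROUTER_CFG_BAD), ("good", ROUTER_CFG_GOOD)):
        print(label, audit(SWITCH_CFG, "FastEthernet1/24", cfg, "FastEthernet0/0") or "OK")
```

The parser is deliberately minimal (it only understands `interface` stanzas), so running it against a full `show running-config` dump works for these checks but nothing else; the mismatch between the allowed-VLAN list and the subinterfaces is reported in both directions because a VLAN routed on the router but pruned from the trunk is just as silent a failure as the reverse.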

 

Thedentist (Level 1)

Thanks for the very complete reply.

In my case, in the lab I use a configuration like the one you wrote (very similar).

There is a request that says:

"Vlan 99 as managment VLAN and Native Vlan for all network trunks"

So I created VLAN 99 on all switches in the CLI with

vlan 99

and for all trunk connections I define:

switchport mode trunk
switchport trunk native vlan 99

By the way, fa2/1 is in trunk mode for me (because it is router on a stick), so when I configure it I put again:

switchport mode trunk
switchport trunk native vlan 99

And I think this is correct because the request says "for all network trunks".

That's why I thought:

1- Is it likely that fa2/1 of Switch0 is not intended as a "network" trunk?

2- Is it possible that the request to use the native VLAN comes before the inter-VLAN part, so that when we are asked about all the trunks that interface is not used yet (because the next request is to define inter-VLAN routing between VLANs 15 and 20), so it is not necessary to put it there because it is not explicitly requested by the assignment?

Would it be correct, however, to put the native VLAN on that inter-VLAN trunk (fa2/1 on Switch0)? I did it and had no connection problems; I wanted to know whether the problem was conceptual or whether it is in any case useless to use it.

Thanks so much for your fast reply.

 

Giuseppe Larosa (Hall of Fame), Accepted Solution

Hello Thedentist,

>> switchport mode trunk
>> switchport trunk native vlan 99
>> And I think this is correct because the request says "for all network trunks"

Yes, this is correct.

>> Would it be correct, however, to put the native VLAN on that inter-VLAN trunk (fa2/1 on Switch0)? I did it and had no connection problems; I wanted to know whether the problem was conceptual or whether it is in any case useless to use it.

Allowing native VLAN 99 in the list of allowed VLANs on the switch port to the router has no impact.

Yes, the requirement is only conceptual. As explained in previous posts by me and by Joseph, it is possible to use the native VLAN in a router-on-a-stick scenario. As long as you do NOT define a router subinterface with

int fas0/0.99
 enc dot1q 99 native
 ip address

AND you do NOT define an IP address under the physical interface,

THEN you are satisfying your teacher's requirement.

On the other hand, if no routing service is required for VLAN 99, you are correct.

But I see:

>> "Vlan 99 as managment VLAN and Native Vlan for all network trunks"

I think that in a real-world scenario you would need routing services for VLAN 99 on the router, to allow Telnet/SSH to the switches from outside VLAN 99.

In this case I would consider using the default native VLAN 1 only on the switch port connected to the router interface, plus configuring subinterface fas0/0.99 on the router itself (without the native keyword this time).

I suggest you discuss the alternative solutions with your teacher. I'm sure he/she will be positive about thinking about how to reach management VLAN 99 from outside.

Also you need to consider that the native VLAN is not a global parameter but can be different on each trunk link. For a working trunk, both ends of the same link must agree on the VLAN ID.

Ideally, for L2 security reasons the native VLAN should be a dedicated VLAN, not used on any access port in your network and not used for L3 services.

This is to avoid a type of L2 attack called double VLAN hopping.

So it would be better to use VLAN 99 as the native VLAN on trunks and another VLAN (not 1) as the management VLAN.

However, in your exercise VLAN 99 is used both as native VLAN on trunks and as management VLAN. This means all switches should be managed via an SVI (interface Vlan 99) configured on each of them.

Hope to help

Giuseppe
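Two of Giuseppe's points above are easier to see in a frame-level simulation than in prose: why the native VLAN should be a dedicated VLAN that no access port uses (double-tagging VLAN hopping), and why both ends of a trunk must agree on the native VLAN ID. The following is example code added for this page, not code from the thread or from Cisco. It models 802.1Q tag handling on an access port and on a two-switch trunk in a deliberately simplified way (real switches differ in details), and the frames, MAC addresses and VLAN numbers are constructed.

```python
"""802.1Q tag handling on a two-switch trunk: double-tagging VLAN hopping and
native-VLAN mismatch. Added example; frames and VLAN numbers are constructed.
Simplified switch model (assumption, real platforms vary):
  - a trunk sends the native VLAN untagged and every other VLAN tagged
  - a trunk classifies an untagged frame into its native VLAN
  - an access port accepts an untagged frame, and (as many switches do) a frame
    tagged with the port's own VLAN, and classifies both into the port VLAN
"""
import struct

TPID = 0x8100          # 802.1Q tag protocol identifier
ETH_IP = 0x0800        # EtherType carried after the last tag


def vlan_tag(vid, pcp=0):
    """4-byte 802.1Q tag: TPID + (PCP:3, DEI:1, VID:12)."""
    return struct.pack("!HH", TPID, (pcp << 13) | (vid & 0x0FFF))


def build_frame(dst, src, vids, payload):
    """Ethernet II frame with zero or more stacked tags, outermost first."""
    return dst + src + b"".join(vlan_tag(v) for v in vids) + struct.pack("!H", ETH_IP) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return dst, src, vids, struct.unpack("!H", frame[off:off + 2])[0], frame[off + 2:]


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def add_outer_tag(frame, vid):
    return frame[:12] + vlan_tag(vid) + frame[12:]


def access_ingress(frame, port_vlan):
    """Classify a frame from an access port: (vlan, frame) or None if dropped."""
    vids = parse_frame(frame)[2]
    if not vids:
        return port_vlan, frame
    if vids[0] == port_vlan:           # tag matches the port VLAN: accepted, tag removed
        return port_vlan, strip_outer_tag(frame)
    return None                        # tagged with a foreign VLAN: dropped


def trunk_egress(frame, vlan, native):
    """Send a frame that belongs to `vlan` out of a trunk whose native VLAN is `native`."""
    return frame if vlan == native else add_outer_tag(frame, vlan)


def trunk_ingress(frame, native):
    """Classify a frame received on a trunk: untagged -> native, else the outer tag."""
    vids = parse_frame(frame)[2]
    return (native, frame) if not vids else (vids[0], strip_outer_tag(frame))


def double_tag_attack(attacker_vlan, trunk_native, target_vlan):
    """Attacker on an access port in attacker_vlan sends [attacker_vlan, target_vlan];
    return the VLAN switch 2 delivers the frame into, or None if switch 1 drops it."""
    frame = build_frame(b"\xff" * 6, b"\x02" * 6, [attacker_vlan, target_vlan], b"hop")
    accepted = access_ingress(frame, attacker_vlan)
    if accepted is None:
        return None
    vlan, frame = accepted
    on_wire = trunk_egress(frame, vlan, trunk_native)   # switch 1 -> trunk: native goes untagged
    return trunk_ingress(on_wire, trunk_native)[0]      # switch 2 reads whatever tag is left


def mismatched_native(vlan, native_a, native_b):
    """VLAN in which switch B receives a frame that switch A sent in `vlan`,
    when the two ends of the trunk are configured with native_a and native_b."""
    frame = build_frame(b"\xff" * 6, b"\x01" * 6, [], b"hello")
    return trunk_ingress(trunk_egress(frame, vlan, native_a), native_b)[0]


if __name__ == "__main__":
    print("native 1 shared with the attacker's access VLAN:", double_tag_attack(1, 1, 20))     # 20: hopped
    print("native 99 also used on access ports:", double_tag_attack(99, 99, 20))               # 20: hopped
    print("dedicated native 99, attacker in VLAN 1:", double_tag_attack(1, 99, 20))            # 1: stays put
    print("native 99 vs 1 mismatch, frame sent in VLAN 99 lands in:", mismatched_native(99, 99, 1))  # 1
```

The hop works only when the attacker's access VLAN equals the trunk's native VLAN: switch 1 strips the outer tag, sends the frame untagged because it is native, and the inner tag is all switch 2 sees. With a dedicated native VLAN the outer tag survives the trunk and the frame stays in the attacker's VLAN. The mismatch case shows the other failure mode from the post: a frame sent untagged in VLAN 99 by one side is classified into VLAN 1 by a peer whose native VLAN is 1. On Catalyst platforms that support it, the global `vlan dot1q tag native` command makes the native VLAN tagged on trunks as well, which removes the untagged path the attack depends on.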

 
