thanx alot for the response. tried both suggestion: putting the configuration on the physical interface was my first guess. it didn`t work as well. putting the "native" in  the encapsulation command didn`t do the trick either.

the funny thing is that if I change the native vlan to 1 - it works like magic, so I guess it`s a bug on the packet-tracer (ver. 6.1). it doesn`t make any sense. 

anyhow, thanx for those security issues. I wasn`t aware of that at all. 

Masoud, can you please explain what do you mean in: 

"1-One is Native VLAN. set this VLAN as A Native on Trunk land do not use it any more."

why should I do that? 

Hello,

The good practice should be like this.

I have three vlans in my configuration.

vlan 10 for native  [ no ip address for this vlan]

vlan 11 for unused port [no ip address for this vlan. unused ports are shut]

vlan 30 for client

*************************************************************

switch

interface FastEthernet0/1

description to router

switchport trunk native vlan 10

switchport mode trunk

!

interface FastEthernet0/2

description to client

switchport access vlan 30

!

interface FastEthernet0/3

switchport access vlan 11

shutdown

!

interface FastEthernet0/4

switchport access vlan 11

shutdown

!

interface FastEthernet0/5

switchport access vlan 11

shutdown

*********************************************

router

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.10

encapsulation dot1Q 10 native

no ip address

!

interface FastEthernet0/0.30

encapsulation dot1Q 30

ip address 192.168.1.1 255.255.255.0

*********************************************************

Masoud

I am not suggesting this config. Lets solve your problem, then we will go for the best practice.

I used packet tracer. Make sure you have created vlan 30.

Switch

**************************************************************

config terminal

 vlan 30

 name test

******************

interface FastEthernet0/1

description To-Router

switchport trunk native vlan 30

switchport mode trunk

!

interface FastEthernet0/2

description To-Client

switchport access vlan 30

**********************************************************

Router

interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

shutdown

***********************************************

My client has the IP address of 192.168.1.2. As you see, router does not have any subinterface.  Ping is working in my senario. I will get back to you in 3 hours. Please try the configuration and get back with the result.

Masoud

I had constructed the whole thing from scratch, thinking it would help. kept it as simple as possible.

Paul, my PT doesn`t support "|" so here is the cdp neighbors detail results:

Switch A

--------------

advertisement version: 2

Duplex: full

Device ID: Router

Entry address(es):

IP address : 30.0.0.1

Platform: cisco C1841, Capabilities: Router

Interface: FastEthernet0/2, Port ID (outgoing port): FastEthernet0/0.30

Holdtime: 153

Version :

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2007 by Cisco Systems, Inc.

Compiled Wed 18-Jul-07 04:52 by pt_team

advertisement version: 2

Duplex: full

Switch B

------------------

Device ID: Switch

Entry address(es):

Platform: cisco 2950, Capabilities: Switch

Interface: FastEthernet0/1, Port ID (outgoing port): FastEthernet0/3

Holdtime: 158

Version :

Cisco Internetwork Operating System Software

IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1)

Copyright (c) 1986-2005 by cisco Systems, Inc.

Compiled Wed 18-May-05 22:31 by jharirba

advertisement version: 2

Duplex: full

-----------------------

as I said, the switches seem to work fine but the router says it does not have a sub-interface for that vlan...  

Masoud, your second configuration (from the last reply) includes the next line:

interface FastEthernet0/2

description To-Client

switchport access vlan 30

well, you just tagged the port with "vlan 30", ofcourse that will work, but that is not native vlan, it is a regular tagged vlan number 30. you can omit the "native" from the trunk ports and it would still work, since it`s a regular vlan, just like any other

the whole purpose of "native vlan" is to go to the other side untagged, and over there, according to the "native" statement - to the correct ports.

you can see it on PT when you do simulation mode: the untagged frame from the client goes out through any port of the switch that is a trunked port. if on the other side waits someone with the same "native vlan" statement - the untagged traffic would reach the destination. 

that is at least my opinion, but I may be getting this thing wrong, so please tell if so.

thanx

#################################################
here is the full (new) run config (except ports without any configuration):

client A (on Switch A) is 30.0.0.2, DG 30.0.0.1

client B (on Switch B) is 30.0.0.3, DG 30.0.0.1

##################################################

switch A

---------------------

version 12.1

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Switch

!

!

!

spanning-tree mode pvst

!

interface FastEthernet0/1

switchport mode access

!

interface FastEthernet0/2

switchport trunk native vlan 30

switchport mode trunk

!

interface FastEthernet0/3

switchport trunk native vlan 30

switchport mode trunk

!

interface Vlan1

no ip address

shutdown

!

!

!

!

line con 0

!

line vty 0 4

login

line vty 5 15

login

!

!

end

switch B

-------------------

version 12.1

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Switch

!

!

!

spanning-tree mode pvst

!

interface FastEthernet0/1

switchport trunk native vlan 30

switchport mode trunk

!

interface Vlan1

no ip address

shutdown

!

!

!

!

line con 0

!

line vty 0 4

login

line vty 5 15

login

!

!

end

Router

----------------

version 12.4

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

!

hostname Router

!

!

!

!

!

!

ip cef

no ipv6 cef

!

!

!

!

!

!

!

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

!

!

interface FastEthernet0/0

no ip address

duplex auto

speed auto

!

interface FastEthernet0/0.30

encapsulation dot1Q 30 native

ip address 30.0.0.1 255.0.0.0

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

shutdown

!

interface Vlan1

no ip address

shutdown

!

ip classless

!

ip flow-export version 9

!

!

!

!

!

!

!

line con 0

!

line aux 0

!

line vty 0 4

login

!

!

!

end

Hello

client A (on Switch A) is 30.0.0.2, DG 30.0.0.1

client B (on Switch B) is 30.0.0.3, DG 30.0.0.1


I dont see the access ports configured on these switches - or have you just not added them to this post?

The access ports need to be in their respective vlan.

in fax/x
switchport access vlan x-

res
Paul

but if I put an attached vlan to the access-interface, the traffic would be tagged... and it will pass outside the networked tagged, defying the whole purpose of "native" which means : "no tag on this traffic", isn`t this so? 

that is the reason i only made the client ports in "access" mode, but attached to vlan to them, so they can travel with no tagging for an outside equipment that do not support encapsulation dot1q. I thought that is the whole reason of doing all that, isn`t it? 

well. I managed to figure it out, the default "native 1" was the problem.

Masoud, you are correct. when applying a vlan to a port, it gets a tag. when it arrives to the trunk, the trunk checks if the native is the same as the vlan that came to him. if so, it removes the tag and the frame travels to the other side. 

when arriving to the other side, the frame is untagged, thus it searches for a physical definition (i.e. the physical interface) but if it doesn`t find one, it searches for a "native" statement in the sub-interfaces. 

this is NOT how the default native vlan works. when you do not attach a vlan to a port, it travels with the default "vlan 1". when it comes to the the trunk - it looks what is the native vlan defined there. if it is the same (i.e. the default native vlan which is also 1) it travels unttaged to the other side

but unlike the other untagged traffic, the default MUST find a "native" statement on an encapsulation command. it DOES NOT look into the physical interface at all. although it is untagged, it still needs encapsulation dot1q, thus the security hole when using a natvie vlan of "1".

guys, I thank you for helping me figure this out, it took quite a-while... thanks alot for all the assistance. 

Hello

so they can travel with no tagging for an outside equipment that do not support encapsulation dot1q. I thought that is the whole reason of doing all that, isn`t it? 

 I have 100% misinterpreted your request here!, I was on the understating you wished to obtain communication using a different naive vlan   -But you don’t, you just dont want to tag traffic for certain hosts at all- correct?

res
paul

here is the *.pkt file, if you`d like to see that on your packet tracer

Hello WillowKlan1
Your config what you orignal posted is correct apart from I can see is the untagging of the subinterface .30  but then connection between host  should still work

Native vlan ( untagged) is link specifc not switch specifc - so as long as the switch interconnects are using the same native vlan this should work.

Please verity  "it still doesnt work"
What errror messages ( if any) are you receiving

Also can you post on the switches - sh cdp  neighbors detail | i N

res
Paul

You don’t need VLANs at all if there aren’t multiple subjects.

if you are dead set on it using a VLAN, you need remove the trunk native vlan 30 command and add switchport trunk allowed VLAN 30 to the switch trunk port. Then add switchport mode access and switchport access vlan 30 to the access ports.