11-15-2015 01:04 PM - edited 03-08-2019 02:42 AM
Hi,
I'm pretty new to the IT field, so maybe my question will seem totally newbie...
I was trying to change the native VLAN from 1 to 30. The communication between the switches worked fine, but upon arriving at the router it tells me I didn't create the sub-interface for that VLAN... which I did. I triple-checked my configuration and found nothing that can explain why it happens.
The layout is pretty simple: one host with no VLAN attached to my switch A. From the switch I have a trunk to switch B and from there to another client, also with no VLAN attached. Changing the native VLAN to 30 worked fine for these two.
Now from switch A I also have a trunk to the router. The router has a sub-interface configured to accept encapsulation dot1q 30 native, but as I said, it doesn't work.
What is even more frustrating is that changing the native VLAN to 1 (default) works fine with the router, so I really don't get it... what am I missing here?
Here is the configuration; I left out any unrelated stuff:
on switch A
------------------
! this port goes to the router-
interface FastEthernet0/3
switchport trunk native vlan 30
switchport mode trunk
! this port goes to switch B -
interface FastEthernet0/6
switchport trunk native vlan 30
switchport mode trunk
! this port goes to the client -
interface FastEthernet0/5
switchport mode access
on switch B
----------------------
! this port is connected to switch A -
interface FastEthernet0/1
switchport trunk native vlan 30
switchport mode trunk
! this port is connected to the client -
interface FastEthernet0/2
switchport mode access
router
----------
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 10.0.0.1 255.0.0.0
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 20.0.0.1 255.0.0.0
interface FastEthernet0/0.30
encapsulation dot1Q 30
ip address 30.0.0.1 255.0.0.0
------------------------------------------------------------
That's pretty much it. The switches work fine, the router doesn't. Can someone please spot the problem here? Thanks.
11-15-2015 01:59 PM
Adding to my previous comment.
When you set "switchport trunk native vlan 30" under the trunk interfaces, your router receives frames originating in VLAN 30 with no VLAN tag, so the main interface (fa0/0) will reply if it has an IP address in the range of the clients in VLAN 30.
Adding an IP to the native VLAN interface and the main interface will make your router vulnerable to a "VLAN hopping attack".
Best practice:
Create two VLANs. Do not create any SVIs for these VLANs. Your router's main interface and native VLAN interface should not have any IP address.
1- One is the native VLAN. Set this VLAN as the native VLAN on the trunk and do not use it any more.
2- The other VLAN is for unused ports. Put all unused interfaces in this VLAN.
Masoud,
07-10-2019 12:06 PM
The question was 4 years back; you were a newbie then, I am a newbie now. Let me try, so that I can sharpen my understanding.
When the trunk's VLAN is changed and the access ports are also in line with the trunk's native VLAN, the traffic from hosts on those access ports won't have a VLAN ID tagged. The hosts will be able to communicate with each other as they are on the same VLAN.
When the traffic goes to the router, though you have a sub-interface with dot1q 30 configured, the incoming traffic comes without a VLAN tag, so there is no way for the router to know the implicit VLAN ID is 30. You will have to configure the sub-interface's VLAN ID as native, because by default the native VLAN is 1 and not 30.
int fa0/1.30
encapsulation dot1q 30 native
The above command changes the native VLAN as seen by the router, so that traffic without VLAN tags will be treated as VLAN ID 30.
If the above information is not available, the packet will be discarded as there is no interface/sub-interface configured to address VLAN 1 (remember, from the router's perspective, the native VLAN is 1). Either create a sub-interface with encapsulation dot1q 1 native or configure the IP address directly on the interface itself (the interface addresses calls to the native VLAN).
The reply won't be tagged with a VLAN ID as the sub-interface is marked as VLAN native. When the traffic reaches the switch through the trunk, as the trunk's native VLAN is 30, the traffic is sent to the host as the host is also in the same VLAN.
Interestingly, assuming you create another sub-interface that handles traffic for native VLAN 1 without the native keyword, the traffic will reach this interface and the replies will be tagged with VLAN 1, as the interface addresses the traffic as being of VLAN 1. The traffic will not reach the host generating the ping. It would be a good experiment to have a host with the same IP in VLAN 1 and see the traffic reaching this host! However this host will drop the packet owing to the difference in MAC ID.
When the interface itself is configured with the IP address, the interface by default belonging to VLAN 1 (native from the router's perspective), the replies are sent out without VLAN tagging. When the reply reaches the switch, the switch forwards the reply to the host whose VLAN ID is the same as the trunk's native VLAN.
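An added model (not code from the thread, from Cisco, or from any poster) of the frame handling the posts above describe: it parses a constructed Ethernet frame for an 802.1Q tag, maps the frame to the sub-interface that owns it under the original router config and under the corrected one with "native" on the .30 sub-interface, and reports which VID a reply leaves with. Interface names, MAC addresses and the main-interface-with-IP case are assumptions made for the example.

```python
from dataclasses import dataclass
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier

@dataclass(frozen=True)
class SubIf:
    name: str
    vid: int
    native: bool = False  # True models "encapsulation dot1Q <vid> native"

def build_frame(vid=None):
    """Constructed Ethernet frame (made-up MACs) with an optional 802.1Q tag and IPv4 ethertype."""
    hdr = bytes.fromhex("0000000000aa") + bytes.fromhex("0000000000bb")  # dst, src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # TCI with PCP/DEI = 0
    return hdr + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19  # IPv4 ethertype + stub payload

def frame_vid(frame):
    """VID carried in the 802.1Q tag, or None when the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def ingress_interface(subifs, frame, physical_has_ip=False):
    """(Sub)interface that owns the frame, or None when nothing matches and it is dropped."""
    vid = frame_vid(frame)
    if vid is None:  # untagged: only a native sub-interface or an addressed main interface qualifies
        native = [s for s in subifs if s.native]
        return native[0].name if native else ("physical" if physical_has_ip else None)
    match = [s for s in subifs if s.vid == vid]
    return match[0].name if match else None

def egress_vid(subifs, name):
    """VID a reply leaves with; None means untagged (native sub-interface or main interface)."""
    if name == "physical":
        return None
    sub = next(s for s in subifs if s.name == name)
    return None if sub.native else sub.vid

# The poster's router config (no "native" on .30) beside the corrected one.
OP_CONFIG = [SubIf("Fa0/0.10", 10), SubIf("Fa0/0.20", 20), SubIf("Fa0/0.30", 30)]
FIXED_CONFIG = [SubIf("Fa0/0.10", 10), SubIf("Fa0/0.20", 20), SubIf("Fa0/0.30", 30, native=True)]

def demo():
    """Untagged frame from a VLAN 30 host: dropped on the original config, accepted on the fixed one."""
    untagged = build_frame()
    return {"op": ingress_interface(OP_CONFIG, untagged),
            "fixed": ingress_interface(FIXED_CONFIG, untagged),
            "fixed_reply_vid": egress_vid(FIXED_CONFIG, "Fa0/0.30"),
            "main_if_with_ip": ingress_interface(OP_CONFIG, untagged, physical_has_ip=True)}
```

The "main_if_with_ip" result is the case the earlier reply warns about: an addressed main interface answers untagged traffic, which is why it recommends leaving both it and the native VLAN interface without an IP.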
07-11-2019 05:55 AM
Interestingly, assuming you create another sub-interface that handles traffic for native VLAN 1 without the native keyword, the traffic will reach this interface and the replies will be tagged with VLAN 1, as the interface addresses the traffic as being of VLAN 1. The traffic will not reach the host generating the ping. It would be a good experiment to have a host with the same IP in VLAN 1 and see the traffic reaching this host! However this host will drop the packet owing to the difference in MAC ID.
This is a tricky part which I could do in Packet Tracer. Not sure if this will work on real routers as well.
Technically, the router has to send back the traffic on the same sub-interface on which it received it. As the sub-interface will be configured with the native VLAN option, the return traffic will carry no tag. In order to reproduce return traffic tagged with a different VLAN ID, a first set of traffic is sent from the host to the router at a sub-interface which is configured to have the native VLAN.
For example, encapsulation dot1q 999 native with an IP address in the same subnet as the host which tries to reach the router from a VLAN ID (30 in this case) the same as the trunk's native VLAN. Say the sub-interface G0/0.1 is configured with encapsulation dot1q 999 native and IP address 192.168.1.1, whereas the host's IP is 192.168.1.1 and the host's connecting port on the switch is in VLAN 30, with the switch's trunk native VLAN also 30. The router makes an entry in the CEF table associating 192.168.1.1 with G0/0.1. When the host tries to send traffic to the router, the host first generates an ARP request to resolve the router IP to the interface MAC. The host then sends the traffic, and the traffic goes from host to switch and from switch to router untagged. G0/0.1 receives the traffic and at the time of the reply the router .
Now, remove the IP from G0/0.1 and add the same IP on G0/0.2 with encapsulation dot1q 1. The CEF is updated, associating the IP with G0/0.2. When the host again tries to send traffic, the host already has the router interface's MAC ID learnt from the previous traffic. So the router's G0/0.1 receives the traffic and replies are sent from G0/0.2 with VLAN ID 1 tagged, as CEF refers to G0/0.1 as the sub-interface associated with the given IP. As the native VLAN is not 1 (it is 999), the frames are tagged with VLAN ID 1. Once the reply reaches the switch, the switch will try to locate the host in VLAN 1 and will drop it as the host is in VLAN 30.