Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
42602
Views
44
Helpful
13
Replies

Changing Native VLAN

Go to solution
Robert Juric
Level 1
Level 1

‎02-01-2010 06:26 PM - edited ‎03-06-2019 09:32 AM

I've been updating some of our sites, and in the process I changed the native VLAN from 1 to 10, which is our data VLAN. Is it bad practice to change the native VLAN? What should I take into consideration when thinking about changing the native VLAN?

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎02-02-2010 12:38 AM 

robert.juric wrote:
I've been updating some of our sites, and in the process I changed the native VLAN from 1 to 10, which is our data VLAN. Is it bad practice to change the native VLAN? What should I take into consideration when thinking about changing the native VLAN?

Robert

It's not bad practice to change the native vlan, in fact it is recommended best practice to do so. When changing it you should -

1) create a new vlan eg. vlan 999

2) use this new vlan as the native vlan. No ports should be assigned to the native vlan ie. you do not have any end devices in the native vlan

3) You should not create a L3 vlan interface for vlan 999 because there is no need to route the native vlan

So if i understand correctly you have changed the native vlan to be the vlan that has your users in it. This is not recommended.

Jon

View solution in original post

13 Replies 13

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎02-01-2010 07:16 PM

Hello Robert,

The native VLAN is used primarily to transmit management information between switches, management information such as CDP packets, VTP packets, Spanning-tree information, and PaGP.  Cisco default for a Native VLAN is 1.  Because of security concerns, it is good practice to change VLAN 1 to 10 or any other number. Also once you change VLAN 1 to 10 make sure you you shut down VLAN 1 and move all unused ports and park them in a different VLAN (999).

HTH

Reza

Go to solution
Suchi
Level 1
Level 1
In response to Reza Sharifi

‎02-02-2010 09:36 PM

Hello Robert,

What happen, if we stop native vlan in trunks? (Limit Vlans by using switchport trunk allowed vlan)

Thanx

Sampath

0 Helpful

Go to solution
Robert Juric
Level 1
Level 1
In response to Suchi

‎02-03-2010 06:04 AM

You can't stop the native VLAN, it's always there, but you can change which VLAN is specified as the native VLAN. I think the important thing is to use a VLAN other than 1, with no access ports tied to it as the native VLAN. If you do not specify a different native VLAN it is by default VLAN 1. It's also important to note the native VLAN must match on both ends of a trunk.

Go to solution
francisco_1
Level 7
Level 7
In response to Suchi

‎02-03-2010 06:18 AM

VLAN 1 has a special significance in Catalyst networks.

As already mentioned, When trunking, the switch always uses the default VLAN, VLAN 1, in order to tag a number of control and management protocols. Such protocols include CDP, VTP, and PAgP. All switch ports, are configured by default to be members of VLAN 1. All trunks carry VLAN 1 by default.  The native VLAN is the VLAN to which a port returns when it is not trunking. Also, the native VLAN is the untagged VLAN on an IEEE 802.1Q trunk.

I

n summary,
CDP, VTP, and PAgP updates are always forwarded on trunks with a VLAN 1 tag. This is the case even if VLAN 1 has been cleared from the trunks and is not the native VLAN. If you clear VLAN 1 for user data, the action has no impact on control plane traffic that is still sent with the use of VLAN 1.

In PVST+, the 802.1Q IEEE BPDUs are forwarded untagged on the common Spanning Tree VLAN 1 for interoperability with other vendors, unless VLAN 1 has been cleared from the trunk. This is the case regardless of the native VLAN configuration. Cisco PVST+ BPDUs are sent and tagged for

Go to solution
Robert Juric
Level 1
Level 1
In response to francisco_1

‎02-03-2010 06:22 AM 

francisco_1 wrote:
 The native VLAN is the VLAN to which a port returns when it is not trunking.

I thought you had to specify a switchport access vlan in order to set the VLAN to be used when not trunking.

0 Helpful

Go to solution
francisco_1
Level 7
Level 7
In response to Robert Juric

‎02-03-2010 06:25 AM

if you loose a trunk port and the port is not setup wih "switchport access vlan", the port is default back to vlan 1

0 Helpful

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni

‎02-01-2010 09:32 PM 

I've been updating some of our sites, and in the process I changed the
native VLAN from 1 to 10, which is our data VLAN. Is it bad practice to
change the native VLAN? What should I take into consideration when
thinking about changing the native VLAN?

Hi Robert,

If we changed it to say vlan 10, then any traffic on vlan 10 that was leaving a switch would be untagged. Any traffic arriving untagged would be assumed to be on vlan 10. Additionally, in this case, traffic leaving the switch that was on vlan 1 would be tagged just as any other traffic except the traffic that was from vlan 10. As stated, any traffic arriving untagged would be assumed to be part of vlan 10, and therefore cannot be part of vlan 1.

There is only one native vlan per trunk. This must match on both ends of the trunk and is responsible for all of the untagged traffic. The native vlan could also be called the untagged vlan.

Now the native VLAN. The purpose of the native VLAN is so that if untagged data finds its way traversing the trunk (usually because it entered the trunk somewhere in the middle, most likely from a connected hub so that the frame could not be tagged by the switch before entering the trunk), when that untagged frame gets to either end of the trunk, the switch then reads the frame sees that it is an untagged frame that ended up on the trunk and sends that untagged frame to the VLAN that has been assigned as the native VLAN.

Hope that help

If helpful do rate the post

Ganesh.H

Go to solution
acbennyma
Level 1
Level 1
In response to Ganesh Hariharan

‎02-02-2010 12:38 AM

Dear Expert,

May I know what is the purpose to change the defaut native vlan from 1 to another native vlan number ?

Thanks !

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to acbennyma

‎02-02-2010 12:57 AM 

acbennyma wrote:
Dear Expert,
May I know what is the purpose to change the defaut native vlan from 1 to another native vlan number ?
Thanks !

The reason is primarily to do with vlan hopping, see this link for full details -

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39211

Jon

0 Helpful

Go to solution
JJBladester
Level 1
Level 1
In response to Jon Marshall

‎02-02-2012 05:17 AM

Jon,

I'm just reading the VLAN chapter in my Cisco book and I came across this post.  I don't think the information in that cisco link says that you shouldn't use VLAN 1 because of VLAN hopping.  I think if you change the native VLAN from 1 to anything else, double-encapsulation attacks (VLAN hopping) can still occur just as easily.

The take-home-message I get from the link is:

"Do not use VLAN 1 for inband management traffic and pick a different, specially dedicated VLAN that keeps management traffic separate from user data and protocol traffic."

I'm no expert in the field, though.  Just working on my CCNA and trying to make sense of this VLAN topic.

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎02-02-2010 12:38 AM 

robert.juric wrote:
I've been updating some of our sites, and in the process I changed the native VLAN from 1 to 10, which is our data VLAN. Is it bad practice to change the native VLAN? What should I take into consideration when thinking about changing the native VLAN?

Robert

It's not bad practice to change the native vlan, in fact it is recommended best practice to do so. When changing it you should -

1) create a new vlan eg. vlan 999

2) use this new vlan as the native vlan. No ports should be assigned to the native vlan ie. you do not have any end devices in the native vlan

3) You should not create a L3 vlan interface for vlan 999 because there is no need to route the native vlan

So if i understand correctly you have changed the native vlan to be the vlan that has your users in it. This is not recommended.

Jon

Go to solution
Robert Juric
Level 1
Level 1
In response to Jon Marshall

‎02-02-2010 11:47 AM

One thing I noticed while doing some research is that Cisco IT used a trunk VLAN as the native VLAN on all trunks except on trunks to Wireless Access Points, in which case they used the data VLAN, why is this?

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Robert Juric

‎02-02-2010 01:30 PM 

robert.juric wrote:
One thing I noticed while doing some research is that Cisco IT used a trunk VLAN as the native VLAN on all trunks except on trunks to Wireless Access Points, in which case they used the data VLAN, why is this?

Robert

Not entirely sure. I do know that there is a restriction on wireless access points that the management vlan must be the same as the native vlan. What this means is that if you assign an IP address from vlan 10 to the AP then vlan 10 must be the native vlan for you to be able to remotely connect to the AP and manage it. Perhaps this is what you were seeing. It's been a while since i have worked on APs so i don't if this restriction still applies.

On switches there is no such restriction. Your management vlan and native vlan can be completely different and indeed should be.

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card