cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13328
Views
0
Helpful
6
Replies

Command switchport trunk native vlan

Cody Ridge
Level 1
Level 1

Hello,

I am doing a review of a network and looking for some clarity on the current switch configuration

 

There are 2 L2 switches – SW1 and SW2

 

VLANS have been configured as:

Network Data – VLAN 555

DMZ 1 – VLAN 600

DMZ 2 – VLAN 700

 

The two switches are connected with a trunk port as below:

 

SW1

interface GigabitEthernet0/24

 description link to switch 2

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 555

 switchport mode trunk

 spanning-tree link-type point-to-point

 

SW2

interface GigabitEthernet0/24

 description link to switch 1

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 555

 switchport mode trunk

 spanning-tree link-type point-to-point

 

Network user data frames are carried on VLAN 555

On Switch 2 there is a configured trunk port connected to an ESX VMWARE server vswitch

 

SW2 Trunk port connected to VM Server:

 

interface GigabitEthernet0/20

 description connection to VM vswitch

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 555

 switchport mode trunk

 spanning-tree link-type point-to-point

 

On the VM vswitch there are 3 configured VLAN IDs

 

Network Data – VLAN ID 0

DMZ 1 – VLAN ID 600

DMZ 2 – VLAN ID 700

 

Based on the above configuration, I am trying to understand if the frames on VLAN 555 are being tagged or are traversing the network untagged.  From what I understand, VLAN ID 0 on a vswitch is equivalent to an untagged access port.

 

On the switch side, is setting switchport trunk native vlan 555 on the interface applying a tag to 555 traffic?  Or does this setting explicitly pass the frame as untagged?

 

It seems odd to me that the native vlan would be associated with data traffic.  I thought best practice was to use an obscure native vlan.

 

Any insight on this scenario would be helpful.

 

Thank you.

6 Replies 6

Jon Marshall
Hall of Fame
Hall of Fame

Any frames in the native vlan are untagged on trunk links.

I agree, it is unusual ie.  if you go to the trouble of setting the native vlan you usually use a vlan with no end user ports in it.

Jon

Thank you for the feedback Jon.

I am considering the following changes

 

On SW 1 and SW 2 add the following command:

switchport trunk native vlan 999

 

On the VM vswitch I will change the VLAN ID 0 to VLAN ID 555

 

Would this ensure that I have tagged VLAN 555 frames and separated the network user data from the native vlan?

 

 

 

If you made those changes then yes all user data traffic would be tagged on all trunk links.

I don't have any experience with virtual switches though so I can't say for sure it will work but I can't see why it wouldn't ie you are already sending tagged traffic to that switch for the other vlans.

Jon

Yes, that should work --- then you would end up with something along these lines:

interface GigabitEthernet0/20
 description description connection to VM vswitch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 555

 

The native vlan does carry untagged information, like DTP updates, so that's why you would make sure you have a native vlan that is separate from the vlan you do want tagged.

 

Thank you both for the information.

I have another question concerning the current scenario.

 

As stated earlier:

The vm vswitch has a configured VLAN ID 600

On Switch 2 there is a configured trunk port connected to an ESX VMWARE server vswitch

 

What if the Switch 2 trunk port connected to the vm vswitch was configured as follows:

interface GigabitEthernet0/20

 description description connection to VM vswitch

 switchport trunk encapsulation dot1q

 switchport trunk native vlan 600

 

So the vswitch is tagging vlan 600, but the native vlan on the connecting physical switch is also 600.

Does the physical switch strip the 600 vlan tag from frames coming from the vswitch?

Will tagged vlan 600 frames coming from the physical switch destined for the vswitch also be stripped of the vlan tag?

 

I am trying to better understand how an interface with the command "switchport trunk native vlan 600" handles sending or receiving frames containing a vlan 600 tagged frame.

 

Thanks again.

 

If the switch has the native vlan set to 600 on that trunk it means -

1) it sends any frames for vlan 600 on that trunk link with no tag.

If the switch on the other end is expecting tags for that frame it isn't going to work.  

and

2) any frames received on that trunk link with no tag are assumed to be in vlan 600.

Again if the switch is receiving tagged frames for vlan 600 it isn't going to work.

That is why you need to match up the native vlan on either side because if there is no tag the switches have no way of knowing the vlan other than what you have told them.

Jon

 

Review Cisco Networking for a $25 gift card