Vlan's themselves do not use IP addresses. Vlan Interfaces do though. In addition to Vlan interfaces needing an IP for routing purposes on a layer 3 switch, Vlan interfaces will also need IP addresses for management of the device.

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

Some expansion to Steven's post (and he's quite correct to make the distinction between VLANs and VLAN interfaces).

A gateway could be on a switch not hosting the VLAN, common on L2 switches.

A L2 switch, generally, only needs one VLAN interface with an address for management.

A L3 switch, doesn't need any VLAN interfaces for management.

JosephDoherty,

This is exactly my point about not needing to define the native vlan as an interface in my L3 switch but where exactly do I find the documentation to support your point (and mine)? Thanks.

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

Hmm, not sure there's any one place that documents it, especially as it really falls under my of general understanding of VLANs, i.e. not device specific.

Actually, don't see defining the VLAN as native or not on the port matters either (regarding needing an interface).

A tip my teacher gave me besides that using a  dummy-vlan for the native-vlan is that you can use different  native-vlans on different links, becuse it's configured on a  link-by-link basis. This adds an extra layer of security.

+ The native-vlan doesn't even have to be included as an allowed vlan over the trunk.

Henrik,

Personally, I would not recommend using different native VLANs on different trunk links. Doing so makes the configuration much more prone to configuration errors because of possible native VLAN mismatches and more complex to troubleshoot and maintain. There is also a more serious aspect to this: a technique exists that allows stations connected to access ports to send double-tagged frames in such a way that the traffic will leak from one VLAN to another - a so-called VLAN hopping attack. Without going into much detail, this attack can be successfully accomplished if the station is itself placed into an access VLAN that is also used as a native VLAN on a trunk. In other words, if a VLAN is both used as a native VLAN on a certain trunk and as an access VLAN for some stations, these stations may exploit this concidence and leak their traffic to other VLANs. So to avoid this attack, you would need to make sure that none of the VLANs that is used as a native VLAN on some trunk is used as an access VLAN. Having many trunks configured with unique native VLANs would therefore lead to many VLANs being unusable as access VLANs if you wanted to avoid this kind of attack.

My personal recommendation is therefore:

• Hands off the VLAN1 - don't touch it, don't use it, move all ports away from it. This VLAN transports certain protocols used by switches themselves so leave it there for switches' use and don't mix it with user traffic.
• Configure all trunks with the same different native VLAN. After that, hands off that VLAN as well. Leave it otherwise unused and don't place any stations into it.

Best regards,

Peter

Thanks Peter, interesting discussion. I totally need to confront my teach with this!

Glen.Grant,

I disagree with you that the native vlan specifially needs to be defined in the configuration file. This is my main point which has been tested in my lab. I am just looking for the specific documentation that states this is correct.

Thanks.