Native VLAN and Management VLAN

o.primous
Level 1

After reading some documentation I am beginning to doubt my understanding of Native VLANs and the Network Management VLAN.

If you have a huge network, say 25 buildings including HQ, would you want them all to have the same Native VLAN or different Native VLANs? The buildings connect back to HQ with a gig trunk.

I would think different Native VLANs because they should not hear anything from the other building.

With a network management VLAN I should be able to keep all the switches and routers in one VLAN across the entire network and it will never touch the Native VLAN, correct?

The reason I am asking is that I am trying to secure my network so that the network devices and traffic are not able to be seen by the data network. In trying to do this, I am also trying not to create a VLAN leak.

6 Replies

rwagner
Level 1

You asked a very broad question without any real details about the connections.

So I will talk in some generics, but if you have questions just post them.

Let's say that you have 25 buildings in 1 country, but not all of them have dedicated lines.

Your HQ (bldg1-HQ) has dedicated lines to 5 other buildings bldg2-P, bldg3-P, bldg4-P, bldg5-P, bldg6-P.  All of the other buildings are connected to a primary building or the HQ via site-to-site VPN.  Something I like to call a standard spoke and sprocket medium size network.

Each bldg uses STP to support redundancy within the building's routing/switching devices.

You have STP deployed in a larger configuration to connect the HQ and 5 primary buildings as well.  You may even deploy STP for each primary bldg and the smaller bldgs that are site to site connected to create additional redundancy.  Using additional site to site vpns as needed to create those connections.

Now we have a spoke, sprocket, and web design.

Even with the native vlan set to the default of 1 you should not have traffic free flowing, because as you configured your STPs and site-to-site VPNs you should have been using different vlans.  When you define what vlans can go over those connections you are also, hopefully, not adding your native vlan.

vlans do more than just add security.  They also add separation of traffic so that the traffic is optimized.

If none of your switches have ports set to vlan 1 and you don't make routing mistakes that change people to vlan 1, then your native vlan is a moot topic.

If you are using the native vlan anywhere on the network that has traffic then you may have some problems, but it is easily resolvable by removing the native vlan from the interconnecting routes.  Then I would start working on ensuring all workstations are on separate vlans.  Then go through the rest of the systems and devices and configure the network to have proper segmentation.

I just changed jobs and am trying to correct what another vendor has done.

There are no VPN connections connecting the buildings together. There is a local network shop that is connecting the buildings in the city together so that we can just trunk the switches. The network is acting like one big network which I would like to break down by buildings.

My network layout is: HQ (all network servers, LDAP, DHCP, DNS, internet access, etc.); from HQ there are 10 branch offices throughout the city that are trunked with 1G fiber to HQ, connecting to the Cisco 4500. We will be adding more offices in the future.


Native VLAN currently is 1, which also has the network devices. VLAN 100, 10.20.0.0/16, is for all the user devices throughout the buildings. Roughly 3500 user devices. VLAN 172, 172.20.0.0/16, is for the phone system. Roughly 1500 phones. Each location has a router just for the phone system routing. The data routing is all done on the 4500 back at HQ. Three of the buildings have over 40 switches, including HQ, and the rest have 15 or under.

For the Native VLAN, I wanted to give each location their own and then move the network devices for each location to their own network, 192.168.location#.0. Down the road I would like to place a router or configure a switch port as a router at each location, but I am currently unaware of all the services and ports that are used and need to be opened. Also, sooner rather than later, break the buildings up into subnets.

I was hoping that this would help me break down the network and give me the ability to touch each piece of equipment so that I can learn their locations. There is a ton of traffic and I thought that this might help. I was reading that having multiple Native VLANs would create a VLAN mismatch.

I generally avoid native vlans being included in any interconnecting traffic.  The reason is as you described with the mismatch, and the reason it does this is because native vlans generally do not include vlan #'s (hence the native part).  So let's say you have bldg1 with native vlan set to 1 and bldg2 set to native vlan 101.  If 1 or 101 is allowed between the 2 buildings then packets will be sent without a vlan indicated and cause traffic from vlan 1 to bleed to 101 (or vice versa if it was traffic from bldg2 to bldg1).

So what you're saying is, if I have the 2 Native VLANs I need to have them pruned from the opposite network?

Example:

data = v10

phone= v172

HQ NV=100

sw trunk native 100

sw trunk allow vlan 10,100,172   

BR2 NV=200 Trunk

sw trunk native 200

sw trunk allow vlan 10,172,200

So let's say you did not have the sw trunk allow command; would that allow the phones on v172 to receive an IP from the v10 DHCP scope?

Jon Marshall
Hall of Fame

o.primous wrote:

After reading some documentation I am beginning to doubt my understanding of Native VLANs and the Network Management VLAN.

If you have a huge network, say 25 buildings including HQ, would you want them all to have the same Native VLAN or different Native VLANs? The buildings connect back to HQ with a gig trunk.

I would think different Native VLANs because they should not hear anything from the other building.

With a network management VLAN I should be able to keep all the switches and routers in one VLAN across the entire network and it will never touch the Native VLAN, correct?

The reason I am asking is that I am trying to secure my network so that the network devices and traffic are not able to be seen by the data network. In trying to do this, I am also trying not to create a VLAN leak.

Ryan makes a very good point, i.e. if at all possible you should try and avoid any vlan spanning all buildings, because a broadcast storm etc. in one building could affect all buildings. So ideally routing between buildings is preferable rather than switching. If each building does not have L3 switches then dedicate vlans to each building and route them via HQ, but each building has its own unique vlans.

As for the native vlan. It only needs to be the same on both ends of the same trunk. Each building could quite easily have its own native vlan, or you could simply clear the native vlan off all trunks and then it will not span your entire topology. The native vlan does not need a L3 SVI.

Your switch management network should not be the native vlan and it shouldn't be vlan 1. Again it would be better if it didn't span across all sites.

Jon
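The leak mechanism rwagner describes (a native-VLAN frame leaves one trunk end untagged and is classified into the *other* end's native VLAN) and the checks Jon lists (native VLAN identical on both ends of a trunk, native VLAN pruned from the trunk, management VLAN neither VLAN 1 nor the native VLAN) can be worked through with a small model. The following is an added example, not code from the thread or from Cisco: it models only what an 802.1Q trunk port does with the native VLAN and the allowed list, audits a trunk pair, and renders the equivalent IOS trunk lines. The HQ/BR2 numbers are taken from the example config posted above; VLAN 999 as an unused native VLAN, VLAN 52 as a per-site management VLAN for BR2, and the interface name are assumptions.

```python
"""Model of native-VLAN handling on an 802.1Q trunk, plus a trunk-pair audit.

Added example (not from the thread). Simplified: no DTP, no CDP, no
'vlan dot1q tag native'; an untagged frame is always classified into the
receiving port's native VLAN, as on a default IOS trunk.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A frame as seen on the wire: ("tagged", vid) or ("untagged", None)
Wire = Tuple[str, Optional[int]]


@dataclass(frozen=True)
class TrunkPort:
    switch: str
    native_vlan: int          # switchport trunk native vlan N
    allowed: frozenset        # switchport trunk allowed vlan ...

    def egress(self, vlan: int) -> Optional[Wire]:
        """How a frame from `vlan` leaves this port (None = pruned, not sent)."""
        if vlan not in self.allowed:
            return None
        if vlan == self.native_vlan:
            return ("untagged", None)     # native VLAN carries no 802.1Q tag
        return ("tagged", vlan)

    def ingress(self, wire: Wire) -> Optional[int]:
        """Which VLAN this port assigns to a frame arriving on the wire."""
        kind, vid = wire
        vlan = self.native_vlan if kind == "untagged" else vid   # untagged -> local native
        return vlan if vlan in self.allowed else None


def forward(src: TrunkPort, dst: TrunkPort, vlan: int) -> Optional[int]:
    """VLAN a frame lands in after crossing the trunk src -> dst (None = dropped)."""
    wire = src.egress(vlan)
    return None if wire is None else dst.ingress(wire)


def audit_trunk(a: TrunkPort, b: TrunkPort, mgmt_vlan: int) -> List[str]:
    """The checks from the thread: same native on both ends, native pruned,
    native not VLAN 1, management VLAN not VLAN 1 and not the native VLAN."""
    findings = []
    if a.native_vlan != b.native_vlan:
        findings.append(f"native VLAN mismatch: {a.switch}={a.native_vlan} "
                        f"{b.switch}={b.native_vlan}")
    for p in (a, b):
        if p.native_vlan in p.allowed:
            findings.append(f"{p.switch}: native VLAN {p.native_vlan} is allowed on the "
                            f"trunk, so it crosses untagged")
        if p.native_vlan == 1:
            findings.append(f"{p.switch}: native VLAN is the default VLAN 1")
        if mgmt_vlan in (1, p.native_vlan):
            findings.append(f"{p.switch}: management VLAN {mgmt_vlan} is VLAN 1 or the "
                            f"native VLAN")
    return findings


def ios_trunk_config(p: TrunkPort, iface: str) -> str:
    """Render the port as IOS trunk lines (interface name is an assumption)."""
    vlans = ",".join(str(v) for v in sorted(p.allowed))
    return "\n".join([
        f"interface {iface}",
        " switchport mode trunk",
        f" switchport trunk native vlan {p.native_vlan}",
        f" switchport trunk allowed vlan {vlans}",
        " switchport nonegotiate",          # no DTP on a link you do not control end to end
    ])


# As posted in the thread: HQ native 100, BR2 native 200, each allowing its own native.
HQ = TrunkPort("HQ", native_vlan=100, allowed=frozenset({10, 100, 172}))
BR2 = TrunkPort("BR2", native_vlan=200, allowed=frozenset({10, 172, 200}))

# Hardened pair (assumed numbers): one unused native VLAN on both ends, pruned from the
# trunk; data (10) and voice (172) as in the thread; BR2's own management VLAN 52 tagged.
MGMT_BR2 = 52
HQ_FIXED = TrunkPort("HQ", native_vlan=999, allowed=frozenset({10, 52, 172}))
BR2_FIXED = TrunkPort("BR2", native_vlan=999, allowed=frozenset({10, 52, 172}))

if __name__ == "__main__":
    print("HQ VLAN 100 arrives at BR2 as VLAN", forward(HQ, BR2, 100))       # 200: the leak
    print("BR2 VLAN 200 arrives at HQ as VLAN", forward(BR2, HQ, 200))       # 100
    for f in audit_trunk(HQ, BR2, mgmt_vlan=1):
        print("FINDING:", f)
    print("fixed native crosses?", forward(HQ_FIXED, BR2_FIXED, 999))        # None
    print(ios_trunk_config(HQ_FIXED, "GigabitEthernet1/1"))
```

On the real switches the same audit is `show interfaces trunk` on both ends (compare the "Native vlan" column and the allowed list), and a mismatch that CDP can see is logged as `%CDP-4-NATIVE_VLAN_MISMATCH`. The management SVI for VLAN 52 then lives on the 4500 at HQ, where the data routing already is, with `interface Vlan1` shut down on every switch.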

Thank you Jon, that's what I was looking for. I was reading up on switching things up and found a lot about vlan mismatching when I came to the phones and how it could cause issues. Guess I doubted myself afterwards.
