Beginner

Native VLAN on Trunk Allowed List ...

Hello folks, 

Quick question re the native VLAN and trunk links between switches.  I'm just mocking up some stuff in the lab where I've changed the default vlan to something different. 

I then set up a trunk, allowing all of my data VLANs using the switchport trunk allow vlan <range> command. However, I don't include the native VLAN in that list.

All of this seems to work (spanning tree looks like it converges and behaves as normal), but I guess the question is 'should' I be tagging that VLAN?

Any issues with not doing so that I should know about? Any gotchas?

Hall of Fame Guru

You should be fine not allowing it on the trunk link, as there should be no end devices in the native VLAN.

Unless you have a device that has to communicate on the native VLAN, leave it as you have it now.

Jon

Contributor

By default, changing the default is always recommended for security, but once you add that line (switchport trunk native vlan x), the switch does not put a tag on it. The native VLAN is always "untagged", since this is on a trunk usually between 2 switches. You can tag it using vlan dot1q tag native, but then you would have any frames coming into the switch without a tag dropped. Personally, I always change the native to an UNUSED VLAN and do not tag that traffic.

HTH,

Vince


Hi folks, 

Thanks for the replies. I always change the default VLAN to something unused and try to keep it that way across switches, and I understand the reasons for doing so. However, I was a bit concerned that if I didn't allow it on the trunk it could cause issues with spanning-tree/CDP/VTP and other stuff which uses the native VLAN by default. It doesn't sound like that's the case.

If that's not the case, I am more than happy not to allow it on the trunk. Just curious if the 'allowed vlan' command applied only to 'tagged' VLANs and not the 'untagged' VLANs ... I just wasn't sure.


The allowed vlan command applies to all VLANs.

Jon


So if I don't allow the native VLAN, how come CDP/VTP and other stuff continues to work?


Because those control protocols always use VLAN 1, whether you change the native VLAN or not, and even if you don't allow that VLAN on your trunk links the control traffic is still allowed across the trunk link.

Jon
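As an added check (editor's example, not code from anyone in this thread), a small Python script that parses constructed "show interfaces trunk" output and flags trunks where the native VLAN is still 1 or appears in the allowed list, i.e. the opposite of the unused, not-allowed native VLAN that Vince describes. It assumes the standard IOS column layout of that command; the sample output is made up for the example.

```python
# Constructed sample "show interfaces trunk" output: Gi0/1 follows the thread's advice, Gi0/2 has the defaults.
SHOW_INTERFACES_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      999
Gi0/2       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       10,20,30
Gi0/2       1-4094
"""

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(output):
    """Return {port: {"native": id, "allowed": set}} from the two sections used here."""
    trunks, section = {}, None
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Port":  # section header: decide which table follows
            section = "native" if "Native vlan" in line else "allowed" if "allowed on trunk" in line else None
            continue
        if section == "native":
            trunks.setdefault(fields[0], {})["native"] = int(fields[-1])
        elif section == "allowed":
            trunks.setdefault(fields[0], {})["allowed"] = expand_vlan_list(fields[-1])
    return trunks

def audit_trunks(output):
    """Flag trunks whose native VLAN is still 1 or is present in the allowed list."""
    findings = {}
    for port, t in parse_trunks(output).items():
        issues = []
        if t["native"] == 1:
            issues.append("native VLAN left at default 1")
        if t["native"] in t["allowed"]:
            issues.append("native VLAN %d is in the allowed list" % t["native"])
        findings[port] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit_trunks(SHOW_INTERFACES_TRUNK).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

On real gear, paste the output of "show interfaces trunk" into SHOW_INTERFACES_TRUNK; any port listed with issues is one where the native VLAN is either default or carried as an allowed VLAN.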


Cheers. That's the sort of stuff I was looking for.
