02-20-2013 04:08 AM - edited 03-07-2019 11:49 AM
In our network environment, we have a 2960 switch sitting behind our router. Off of this we have a lot of external connections, like our external DNS, firewall, and VPN concentrators. I've configured a VLAN other than the default, moved everything into it and then shut VLAN 1. In this hardening guide it says that your native VLAN should be something other than the user VLAN, but if I am not using any trunk links, wouldn't I not really have a native VLAN? I attempted to make the link to our firewall a trunk link and then set the native VLAN to something else, but that broke everything, so I removed it.
I realize in its current setup it is really just like a plain managed switch,
Thoughts?
02-20-2013 09:10 AM
If your FW isn't carrying multiple subnets/Vlans, then you don't need to configure trunk links on the switch.
The native Vlan will be your access vlan and based on your detailed information, you've done so.
If you want to manage the switch, you also need to create a virtual interface on the newly created Vlan and enter an IP address.
You will also need an 'ip default-gateway' command in the switch for network reachability.
Regards,
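The steps in this answer (everything on access ports in the new VLAN, VLAN 1 shut, a management SVI on the new VLAN, and ip default-gateway) as one worked 2960 configuration. This is an added example, not configuration posted in the thread; the VLAN number, port assignments and the 192.0.2.0/24 addresses are assumed values chosen for illustration.

```cisco
! Added example, not from the thread. Assumed: VLAN 100 holds the external
! segment, the router is 192.0.2.1, the switch SVI is 192.0.2.10, the firewall
! outside interface is on Gi0/1 and the router on Gi0/2.
vlan 100
 name EXTERNAL
vlan 999
 name UNUSED
!
! Every connected device is an access port in VLAN 100. With no trunks, frames
! leave untagged, so the access VLAN is effectively the "native" VLAN here.
! nonegotiate stops DTP from ever turning the port into a trunk.
interface range GigabitEthernet0/1 - 2
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
!
! Ports with nothing plugged in: park them in an unused VLAN and shut them,
! rather than leaving them live in VLAN 1.
interface range GigabitEthernet0/3 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Move management off VLAN 1 onto the new VLAN, as the answer describes.
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 ip address 192.0.2.10 255.255.255.0
 no shutdown
!
! A Layer 2 switch is not routing, so off-subnet reachability (management from
! another network) needs ip default-gateway, not an ip route statement.
ip default-gateway 192.0.2.1
```

To confirm the result, `show vlan brief` should list every active port under VLAN 100 and none under VLAN 1, `show interfaces trunk` should return no trunks, and `show running-config | include default-gateway` should show the router address.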
02-20-2013 09:18 AM
The outside interface of the firewall that is connected to this switch, along with the router that is connected to it (and every other thing connected to it) is in the same subnet. So, that is why I guess I don't need any trunk links?
If I don't have a trunk port, then is the concept of a native VLAN moot?
02-20-2013 09:59 AM
And also, along these same lines... I have another switch that is connected to two NICs on our firewall. Each NIC has their own IP. Right now, one of the ports is an access port and one is a trunk port. Theoretically, I could change the other one to an access port and make sure it's on the same subnet and vlan as the firewall end. I assume this would work because the firewall would route out the appropriate NIC right? The only reason why it would need to be a trunk port is if we had one NIC on the firewall and it was not tagging the traffic appropriately?
02-20-2013 10:31 AM
The native VLAN instructs the switch to deliver packets untagged. This is used along with a trunk configuration port.
In an access Vlan scenario, your defined vlan is the native vlan as packets are delivered untagged by nature.
Regarding your 2nd post, the only reason a trunk would be configured as a trunk is for carrying multiple vlans.
Having an IP on the FW side without encapsulation configured indicates you can configure the port as access on the switch side.
Regards,
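The two cases this answer distinguishes, side by side: a trunk for a firewall NIC that tags multiple VLANs, with the native VLAN set to an unused VLAN rather than the user VLAN as the hardening guide recommends, and a plain access port for the second firewall NIC that has a single untagged IP. This is an added example, not configuration from the thread; VLAN numbers and interface names are assumed.

```cisco
! Added example, not from the thread. Assumed: VLANs 100 and 200 carry the
! firewall's subnets, VLAN 999 is an unused VLAN reserved as the native VLAN,
! the tagging firewall NIC is on Gi0/1 and the untagged NIC on Gi0/2.
vlan 100
 name EXTERNAL
vlan 200
 name DMZ
vlan 999
 name NATIVE-UNUSED
!
! Trunk only because this link must carry more than one VLAN. The native VLAN
! is an unused one, so any untagged frame arriving on the trunk lands in a VLAN
! with no hosts instead of a production VLAN. The firewall side must then tag
! VLANs 100 and 200 (802.1Q subinterfaces); if it sends untagged traffic, that
! traffic is dropped into VLAN 999, which is the breakage the original poster
! described after changing the native VLAN on a link the firewall treated as untagged.
! The 2960 trunks in 802.1Q only, so no encapsulation command is needed.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
 switchport nonegotiate
!
! Second firewall NIC with one untagged IP: an access port in that NIC's VLAN
! is all that is required; the firewall routes out whichever NIC the destination
! subnet belongs to.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
 spanning-tree portfast
```

`show interfaces Gi0/1 trunk` should show native VLAN 999 and VLANs 100,200 allowed and active; if VLAN 100 or 200 shows as not active on the trunk, the VLAN has not been created on the switch.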
02-20-2013 10:59 AM
Configure trunks where needed, but if you have only one VLAN, hardcode that port as an access VLAN.