cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1140
Views
20
Helpful
9
Replies
Highlighted
Beginner

Native vlan question

What is best practice for native vlan?

 

Please let me know if my understanding of the native vlan is correct.  The native vlan exists only on trunk ports and it is the sole untagged vlan traversing that trunk where all other vlans on it would be tagged.  Any access ports on the switch that do not belong to a vlan will have their traffic included in the native vlan and sent across the trunk untagged.

 

I know that the default native vlan on a port that has beeen configured as a trunk is vlan 1.  What are the best practices and reasons why the native vlan should be changed to something other than vlan1?

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Guru

All access ports belong to a

All access ports belong to a vlan even if it is only vlan 1.

By default the native vlan is also vlan 1 so I can see where you are coming from.

Other than that you are right, the native vlan should be changed to something else on the switch primarily because by default all ports are in vlan 1 and vlan 1 is also used for other things as well.

Make the native vlan an unused vlan eg. vlan 999 is a common one.

There should be no end port assigned into it, no SVI (L3 vlan interface for it) and you do not need to allow it across the trunk link either.

Jon

9 REPLIES 9
Hall of Fame Guru

All access ports belong to a

All access ports belong to a vlan even if it is only vlan 1.

By default the native vlan is also vlan 1 so I can see where you are coming from.

Other than that you are right, the native vlan should be changed to something else on the switch primarily because by default all ports are in vlan 1 and vlan 1 is also used for other things as well.

Make the native vlan an unused vlan eg. vlan 999 is a common one.

There should be no end port assigned into it, no SVI (L3 vlan interface for it) and you do not need to allow it across the trunk link either.

Jon

Beginner

So when you say make the

So when you say make the native vlan something other than 1 on the switch I'm inferring that there is a global command to change the native vlan on the switch and once that has been issued all trunks that I configure would automatically default to that native vlan?  Is that correct? 

I'm asking because I understood that you can set the native vlan on a trunk to whatever vlan id you want and that it would be independent and separate from the native vlan on other trunks on that switch.

Also, from your response I'm also inferring that the native vlan really serves no functional purpose in most network environments.  is that an accurate statement?

Hall of Fame Guru

There is no global command,

There is no global command, you need to set it on each trunk link and yes it can be different per trunk link but there is very little reason to do this ie. just use the same one for all trunks.

The native vlan concept is really for backwards compatibility with switches that do not understand tagging.

However nowadays virtually all switches do so all the native vlan does is confuse a lot of people (me included when I first started in networking) :-)

Jon 

Beginner

I'm just getting started

I'm just getting started myself and appreciate all your help Jon.

I have been reading a lot of the Cisco documentation but sometimes it's much easier and more efficient use of time to ask those of you on here with knowledge to share because many of you have a knack for explaining complex networking concepts in plain language.

Thanks for clarifying the native vlan for me.

Hall of Fame Guru

No problem, and I understand

No problem, and I understand what you mean by clarifying things as the documentation can sometimes be a bit confusing to say the least.

And apologies for the somewhat misleading information about it being largely useless, it obviously does have it uses as you can see, just not things I usually do :-)

Jon

Contributor

Hey Jon, the comment you

Hey Jon, the comment you mentioned is completely right, one of the use cases of native vlan is also backwards comparability with switches that do not do any tagging and all traffic coming from non tagging compatible switch to put into native vlan.

keep posting :)

-Rate helpful posts-
Contributor

Native vlan is very important

Native vlan is very important in any network, and its best use case is a Voip phone or wireless deployments, there are many more... I have put 2 examples below they are specific to dotq vlan tagging technique, in which native vlan in untagged.

for e.g you connect your phone to a switch port and your computer to the phone, one for voice another for data and both needs to be in separate vlan yet on the same port of the switch. Native vlans save the day here. because the Phones can tag vlans (lets say voice vlan is 10) but end computers can not, so when a switch port receives frame and looks into vlan header it knows its a  phone and when it do not see any vlan header (means native vlan) it understands its a computer (data).. now if you changed the native vlan to 20 for e.g. the data will be in vlan 20 and phone as discussed will be n vlan 10.

 

Another e.g. in wireless flexconnect deployment, different SSID are in different vlans, however the AP management traffic has no tag so is put into native vlan , so here if you define the port connecting to AP with native vlan of 20 for e.g then the AP management traffic will be a part of vlan 20.

 

Also remember that unlike switch on a wireless controller, native vlan (or untagged vlan) mean vlan 0 and not vlan 1.

 

feel free to rate the post if it helps you!

-Rate helpful posts-
Hall of Fame Guru

Good points and you can

Good points and you can probably tell I don't do a lot of VoIP or wireless.

So it does have it's uses, just not much in my areas :-)

Thanks for adding to the post.

Jon

Beginner

All the access port on the

All the access port on the switch belong to a VLAN, but if not configured differently they will be in VLAN 1, not in native VLAN.

Also, by default, you are not tagging native VLAN, but you might chose to do so(command for it can be global, or only under specific interfaces). This is actually a common practice in big networks, cause untagged packages can be a tricky thing. If you have 300+ switches, different equipment(wireless controller has native vlan 0, srx firewall has native vlan 3, etc, etc.. ), you want to have every packet tagged... trust me :)

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards