Solved: Re: Native Vlan Tagging

shailendra harinkhede · ‎09-19-2017

I have blow switch configuration :

Created by: D-Default, S-Static, G-GVRP, R-Radius Assigned VLAN

Vlan Name Ports Created by
---- ----------------- --------------------------- ----------------
1 1 gi1-4,gi7-10,gi14-28,Po1-8 D
12 12 gi11-13 S
103 103 gi5-6 S
122 122 gi25 S

Can I add/pass new vlan 7 on gi11-13, these interface native vlan is1.

My doubt I if make the gi11-13 inorder to pass the vlan 7 (by using command switchport trunk allowed vlan) does it pass vlan 1 traffi as well?

How can we restrict traffic on gi11-13 for vlan 7 & 12.

)

Julio E. Moisa · ‎09-19-2017

Hi

Yes, I recommend create a new native vlan but consider in a future change the network under the VLAN 1 to other VLAN.

If you are going to keep the VLAN 1 for users (not recommended, as Jon mentioned previously it is used for CDP, VTP, etc) you should allow the VLAN 1 over the Trunk and configure a new Native VLAN under the trunk, for example:

conf t

vlan 999

name NATIVE-VLAN

interface gi11-13

switchport trunk encapsulation dot1q (if it is not already explicitily)

switchport trunk native vlan 999

switchport trunk allow vlan 1,7,22

switchport mode trunk

no shutdown

*Remember if you are going to add a new VLAN over the trunk you need to use: add, otherwise it will be overwritten.

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

Julio E. Moisa · ‎09-19-2017

Hi

The native VLAN is not required to pass over a trunk interface, You can filter the vlan 7 only and it will not generate any impact.

switchport trunk allow vlan 7,12

But is recommended to have the same native vlan on both ends.

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

shailendra harinkhede · ‎09-19-2017

When I will add the bleow command on gi11-13, doesnt it pass the vlan 1 traffic ? and That can cause issue.

switchport trunk allowed vlan add 122

Julio E. Moisa · ‎09-19-2017

Hi

Nop it will not generate any issue, the native vlan can be omitted over a trunk.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Jon Marshall · ‎09-19-2017

The trunk will pass vlan 1 control plane traffic such as CDP, VTP etc. even if you do not allow it on the trunk but it will not pass any data traffic in that vlan.

So as Julio says no need to allow it on the trunk.

Jon

shailendra harinkhede · ‎09-19-2017

VLAN 1 is data Vlan configured in this switch

WebIntSw1#show running-config interface vlan 1
'interface vlan 1
ip address 172.30.0.23 255.255.255.0
no ip address dhcp
!

Julio E. Moisa · ‎09-19-2017

Hi

For security reason the vlan 1 should not be used and it should be shutdown, now you can create a specific native vlan but this vlan should not be used for other role in few words it should be used for any network or end user.

I suggest create a new vlan and assign the native vlan role.

If you want to should down the vlan 1 (recommended), you can execute the following commands:

configure terminal

interface vlan 1

shutdown

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

shailendra harinkhede · ‎09-19-2017

Thanks for help

In my case VLAN 1 already used, so I should create native VLAN for any new trunk prort.

So it should not pass VLAN 1 traffic

intreface gi11-13

#switchport trunk native vlan 3 (any non used vlan)

# switchport trunk allowed vlan add 7,12...

Julio E. Moisa · ‎09-19-2017

Hi

Yes, I recommend create a new native vlan but consider in a future change the network under the VLAN 1 to other VLAN.

If you are going to keep the VLAN 1 for users (not recommended, as Jon mentioned previously it is used for CDP, VTP, etc) you should allow the VLAN 1 over the Trunk and configure a new Native VLAN under the trunk, for example:

conf t

vlan 999

name NATIVE-VLAN

interface gi11-13

switchport trunk encapsulation dot1q (if it is not already explicitily)

switchport trunk native vlan 999

switchport trunk allow vlan 1,7,22

switchport mode trunk

no shutdown

*Remember if you are going to add a new VLAN over the trunk you need to use: add, otherwise it will be overwritten.

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<