05-12-2015 05:28 AM - edited 03-07-2019 11:58 PM
Hi all,
The default VLAN, as it is, is the VLAN every switch comes set up with, which is 1.
The native VLAN is the VLAN whose frames are not tagged when they traverse a trunk link, and by default it is 1 as well.
Assume now that I have a point-to-point connection set up between Switch 1 and Switch 2 as a trunk.
q1) Does the above mean that management frames such as VTP, STP and CDP all flow through the trunk link untagged?
q2) Does it also mean that if I have done no explicit VLAN creation (default VLAN = 1), all traffic from devices connected to the switches flows through the trunk untagged?
q3) If I change the native VLAN on the Switch 1 trunk port to e.g. 10, does it mean that now all traffic will be tagged as VLAN 1 when flowing through the trunk?
q4) And will it be dropped by the receiving trunk port at Switch 2, because the native VLAN is still 1 over there and it should receive the frame untagged?
q5) Can the default VLAN be changed from 1 to another number? Or can management frames be sent using a VLAN number other than 1?
q6) I see in show ip int br that there is a default VLAN 1 interface being shown. Is it created by default?
With it being down, does it only mean that I cannot access the management interface via IP, while whatever management frames and activities (CDP, STP, VTP etc.) are still ongoing?
Regards,
Noob
05-12-2015 06:07 AM
q1) CDP/STP/VTP etc. is management control traffic; that's separate from an actual packet being tagged. That's why some networks, for security reasons, have their VLAN 1 shut down, so production traffic is not running alongside switch management traffic. I'm pretty sure, though, that those packets do get tagged as 1, from running a Wireshark capture before; even if you disallow VLAN 1 on the trunk, it will still show VLAN 1 in a SPAN session for CDP/STP control traffic.
q2) If VLAN 1 is your native VLAN, then yes. What it also means is that if you have an unmanaged switch/device on the network sending in packets without a specific VLAN, they're untagged, so they get put into the native VLAN, which is usually 1, and the native VLAN does not tag the packets. If you change it to 10, then VLAN 10 becomes the untagged traffic.
q3) If you change the native VLAN to 10, as in q2), any untagged traffic will now be put in VLAN 10 instead of 1, as you have altered the default native settings. A switch cannot accept untagged traffic if a native VLAN is not enabled somewhere.
q4) I don't think it gets dropped, but it's definitely a misconfiguration. You should only have one native VLAN per switch, and it should match on the opposite side's trunk. If you have 10 and 1 as native on either side, you will receive alerts in your logs to tell you there's a mismatch and an issue with the native VLAN settings; you're telling each switch to put untagged traffic into different VLANs even though they speak to each other. Remember, tagging traffic is just so the other switch knows where to send the traffic at layer 2, as there's no routing, and to segregate it from other traffic.
q5) Always VLAN 1 for management traffic, even if you shut it down; it's just the way Cisco has it set.
q6) Yes, as VLAN 1 cannot be deleted, since it's the default. You can have it run at layer 2 for your management traffic and shut it down at the layer 3 SVI interface level, so it does not participate any further than that. And yes, management traffic will always flow across VLAN 1; you can't stop it using that VLAN. Again, Cisco default.
05-12-2015 06:21 AM
Noob
1) Yes those management protocols flow through VLAN1 untagged.
2) Yes if you have done no explicit creation of VLANs then all switch traffic flows through the "trunk" as untagged frames. (Configuring a trunk when there are no VLANs created seems a bit odd, but certainly could be done and I guess this is what your question is about)
3) Yes if you configure the trunk on sw1 to use 10 as the native VLAN then traffic in VLAN 1 will be tagged.
4) It may depend on the switch platform and the version of spanning tree that you configure but for most switches the receiving switch will take the untagged frames and put them into its native VLAN. So sw2 will take the untagged frames (which were VLAN 10 on sw1) and put them into VLAN 1 and does not drop the frames.
I have seen this happen in a network where switches had different native VLANs on their trunk ports. The result was a loop formed in the network which spanning tree did not detect. So it is an unfortunate thing to do to configure mismatched native VLANs.
5) I am not sure that I understand your question - or perhaps the question is really about details of semantics. By definition the default VLAN is VLAN1 and you can not make some other VLAN be the default VLAN. But you certainly can make some VLAN other than 1 into the native VLAN and management frames can certainly be sent on a VLAN other than VLAN 1.
6) On most switches interface vlan 1 is created by default. If this interface is in the down state then you can not access the switch via IP. But traffic will still flow through the VLAN. The important thing to understand here is the difference between interface vlan 1 which provides layer 3 access to the vlan and vlan 1 which is a layer 2 vlan.
HTH
Rick
05-12-2015 09:38 AM
q5) Generally speaking, no, you can't.
As Mark said, Cisco switches use VLAN 1 for management protocols, and if you change the native VLAN the management protocols are simply tagged instead but still use the same VLAN.
There are exceptions to this though, i.e.:
CDP/VTP/PAgP all use VLAN 1 whatever you do.
STP is usually per VLAN, so it will send both tagged and untagged frames.
DTP is the only management protocol I know of that moves with the native VLAN, i.e. if you change the native VLAN to VLAN 10 then DTP is sent on VLAN 10 untagged.
Jon
05-12-2015 12:13 PM
Hi Mark,
Sorry for the late reply. Rick and Jon have got me brainstorming and testing on Packet Tracer ;P.
With regards to
q1) Management protocol/control frames are sent in VLAN 1, and at the same time the native VLAN is 1 as well. Why is it still tagged when it goes through the trunk, as per what you have mentioned?
"That's why some networks, for security reasons, have their VLAN 1 shut down, so production traffic is not running alongside switch management traffic."
q1.5) Does your VLAN 1 shutdown refer to shutting down the VLAN interface? In that case this only prevents IP/remote management traffic, but I can still have workstations connected to the switch in VLAN 1 running alongside all this switch management traffic, isn't it?
"q2) If VLAN 1 is your native VLAN, then yes. What it also means is that if you have an unmanaged switch/device on the network sending in packets without a specific VLAN, they're untagged, so they get put into the native VLAN, which is usually 1, and the native VLAN does not tag the packets. If you change it to 10, then VLAN 10 becomes the untagged traffic."
q2) I don't quite get you here. Does an unmanaged switch have a default VLAN? And can we use it to create a trunk link?
q5, q6) Conclusion: VLAN 1 is always on at layer 2 and in use/required for Cisco management protocols. Which also means the default VLAN will always be 1, although the native VLAN can be changed. Am I right?
Duly noted for the rest of the answers.
Regards,
Noob
05-12-2015 09:12 AM
Hi Rick,
Thanks for replying.
For q1 and q2) Just out of curiosity, does a frame coming in from an access port ever get tagged inside the switch, and then, just before it egresses out of the trunk port, get checked against whether its VLAN tag is the same as the configured native VLAN and untagged before being sent out?
Is "native VLAN" an overall switch configuration setting, or is it applicable to trunk interfaces and trunks only?
Meaning, if I set my native VLAN to 10 and assign port fa0/1 to VLAN 10: when a frame goes into fa0/1, does it get tagged with VLAN 10 only to get untagged when it is going to traverse the trunk link?
"4) It may depend on the switch platform and the version of spanning tree that you configure but for most switches the receiving switch will take the untagged frames and put them into its native VLAN. So sw2 will take the untagged frames (which were VLAN 10 on sw1) and put them into VLAN 1 and does not drop the frames."
For q4) As per the above explanation, I am not sure why the frames will be untagged.
Now with the native VLAN set as 10, all current frames will be tagged with VLAN 1 when egressing out of the trunk port at Switch 1. When the receiving end of the trunk sees these frames, it will realize that it matches its current native VLAN, but the frame came tagged with VLAN 1, matching the native VLAN; hence it will drop the frame. I am getting my understanding from the paragraph "Tagged Frames on the Native VLAN" at http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=5
q5) I am so sorry for the confusion. What I meant is, errhm.. the default VLAN is VLAN 1. This is also where all the management frames (STP, VTP, CDP etc.) are running.
Can I create a new VLAN, maybe VLAN 100, and have the management frames running there instead?
(For the word "management", I am not talking about telnet, SSH, or remoting/consoling into the switch terminal for management purposes, but the management data/frames of the switch's built-in capabilities.)
Thanks a lot.
Regards,
Noob
05-12-2015 09:35 AM
Noob
It is my understanding that Cisco switches do not tag frames on access ports, and that frames inside the switch are not tagged. So a frame from an access port would be untagged until it is being forwarded out a trunk port and only at that point is a tag applied to the frame.
I did not correctly understand what you were asking in q4. I thought that your question focused on the untagged frames sent by sw 1 (which would be VLAN 10 frames). At sw 2 those untagged frames would be sent into the native VLAN which is VLAN 1. There is a VLAN mismatch but sw 2 would not drop those frames. (CDP will detect the mismatch and I believe that MSTP would detect it but not the usual implementation of standard spanning tree on Cisco switches). I recognize now that the focus of your question was on frames in VLAN 1 which would be tagged as they are sent from sw 1.
HTH
Rick
05-12-2015 11:45 AM
Hi Rick,
Thanks for the reply and sorry for the confusion created.
Regards,
Noob
05-12-2015 11:47 AM
Noob
No problem about confusion. I am glad that we were able to clarify these things.
HTH
Rick
05-12-2015 11:56 AM
Hi Rick,
Thanks a million.
I have checked back on some of the forum threads and discussions; you guys have been around for years. It really takes passion and perseverance to stick around and help us newcomers out of goodwill.
I must say you and the folks here are really gems of the Cisco forum and the network community.
I would never have understood so much despite all the materials online.
Thank you.
Regards,
Noob
05-12-2015 11:48 AM
Hi Jon,
In that case, does it mean that VLAN 1 will always be in use and there is no way to have another VLAN replace VLAN 1?
The reason for asking is that I have heard my network engineers say "I will shut down VLAN 1 for security purposes and have the management on another VLAN".
I believe now what he is trying to say is that he will shut down the IP interface of VLAN 1 and have the management (which is remote access, vty etc.) on another VLAN IP interface.
Am i right ?
Regards,
Noob
05-12-2015 12:10 PM
Yes, that is what it means.
Management in terms of the switch, i.e. telnet etc., is different from Cisco management protocols.
Jon
05-12-2015 12:15 PM
Ah.. Duly noted Jon.
Thanks a million.
05-13-2015 03:57 AM
Dear all,
I just set up a router-on-a-stick configuration and assigned subinterfaces on the router to VLAN 10 and VLAN 20.
VLAN 1 is my default and native VLAN on the switch.
Hence I believe VLAN 1 will travel through the trunk untagged, and when it reaches the router it will fall into the native VLAN of the router? Is there such a concept as a native VLAN on a router?
If I change the native VLAN of the trunk to 2, will a CDP frame be tagged with VLAN 1 and sent up the trunk to the router? What will happen then?
Regards,
Noob
05-13-2015 06:03 AM
Noob
There certainly is the concept of native VLAN when you configure subinterfaces for dot1q trunking on an IOS router. By default the untagged frames in the native vlan would be processed by the physical interface of the router. There is an optional configuration parameter as you configure the subinterfaces to set some other VLAN as the native VLAN.
So if your switch still has VLAN 1 as the native VLAN and has VLANs 10 and 20 as tagged VLANs on the trunk, then I would expect that CDP frames would be sent as untagged frames and would be processed by the physical interface on the router. If you change the switch to make the native VLAN be VLAN 2 then CDP frames should still be sent in VLAN 1 and be sent as tagged frames. The router will still process untagged frames on the physical interface. If your router config does not have a subinterface for tagged frames in VLAN 1 then I would expect that the router would not process the CDP frames from the switch.
HTH
Rick
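The following is an added worked example, not code from this thread, from Cisco or from any of the posters. It models the two behaviours Rick describes: the 802.1Q trunk handling in his answer to q4 (a frame in the native VLAN leaves untagged, an untagged frame is placed in the receiver's native VLAN, so mismatched native VLANs silently join VLAN 10 on sw1 to VLAN 1 on sw2 in both directions) and the router-on-a-stick demux in his 05-13-2015 answer (untagged frames go to the physical interface, a frame tagged with a VLAN that has no subinterface is not processed). Frames are built at the byte level so the tag position and TCI layout are visible. The MAC addresses, the payloads, the use of the IEEE local-experimental ethertype 0x88B5 for demo payloads, and the "dropped" outcome for a tag with no matching subinterface are assumptions made for the example; the `vlan dot1q tag native` option is not modelled.

```python
"""802.1Q trunk model: native VLAN tagging, a native-VLAN mismatch, and the
dot1Q sub-interface demux of a router-on-a-stick.  Added example; not code
from the thread or from Cisco.  Addresses, payloads and VLAN IDs are made up."""
import struct

TPID = 0x8100        # 802.1Q tag protocol identifier
ETH_DEMO = 0x88B5    # IEEE local-experimental ethertype, stands in for any payload
DST = b"\x01\x00\x0c\xcc\xcc\xcc"   # Cisco multicast MAC used by CDP/VTP
SRC = b"\x00\x11\x22\x33\x44\x55"   # constructed source MAC


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Raw Ethernet frame; an 802.1Q tag is inserted only if vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)       # PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", TPID, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw):
    """Return (vid_or_None, ethertype, payload); vid None means untagged."""
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != TPID:
        return None, etype, raw[14:]
    tci, etype = struct.unpack("!HH", raw[14:18])
    return tci & 0x0FFF, etype, raw[18:]


class TrunkPort:
    """Egress: frames of the native VLAN leave untagged, all others tagged.
    Ingress: untagged frames land in the native VLAN, tagged frames in the
    VLAN named by the tag (IOS default; `vlan dot1q tag native` not modelled)."""

    def __init__(self, native_vlan=1):
        self.native_vlan = native_vlan

    def egress(self, vlan, dst, src, ethertype, payload):
        tag = None if vlan == self.native_vlan else vlan
        return build_frame(dst, src, ethertype, payload, vid=tag)

    def ingress(self, raw):
        vid, _, _ = parse_frame(raw)
        return self.native_vlan if vid is None else vid


class RouterTrunk:
    """IOS-style dot1Q sub-interfaces.  Untagged frames belong to the physical
    interface unless `encapsulation dot1Q <n> native` moved the native VLAN to
    a sub-interface.  A tag with no matching sub-interface is treated as
    dropped (assumption for the example)."""

    def __init__(self, subif_vlans, native_subif=None):
        self.subifs = set(subif_vlans)
        self.native_subif = native_subif

    def classify(self, raw):
        vid, _, _ = parse_frame(raw)
        if vid is None:
            return "physical" if self.native_subif is None else f"subif vlan{self.native_subif}"
        return f"subif vlan{vid}" if vid in self.subifs else "dropped"


def demo():
    """Replay the thread's scenarios; returns where each frame ends up."""
    out = {}
    # Mismatched trunk: sw1 native 10, sw2 native 1 (Rick's q4 scenario).
    sw1, sw2 = TrunkPort(native_vlan=10), TrunkPort(native_vlan=1)
    wire = sw1.egress(10, DST, SRC, ETH_DEMO, b"host in vlan10")
    out["sw1_vlan10_arrives_on_sw2_in"] = sw2.ingress(wire)      # 1, not 10
    wire = sw2.egress(1, DST, SRC, ETH_DEMO, b"host in vlan1")
    out["sw2_vlan1_arrives_on_sw1_in"] = sw1.ingress(wire)       # 10, not 1
    # VLAN 1 is no longer native on sw1, so CDP/VTP in VLAN 1 go out tagged.
    wire = sw1.egress(1, DST, SRC, ETH_DEMO, b"cdp")
    out["sw1_cdp_tagged_with"] = parse_frame(wire)[0]            # 1
    out["sw1_cdp_arrives_on_sw2_in"] = sw2.ingress(wire)         # 1
    # Router-on-a-stick with sub-interfaces for VLANs 10 and 20 only.
    router = RouterTrunk({10, 20})
    sw = TrunkPort(native_vlan=1)
    out["cdp_native1_goes_to"] = router.classify(sw.egress(1, DST, SRC, ETH_DEMO, b"cdp"))
    out["vlan10_goes_to"] = router.classify(sw.egress(10, DST, SRC, ETH_DEMO, b"ip"))
    sw.native_vlan = 2   # `switchport trunk native vlan 2` on the switch side
    out["cdp_native2_goes_to"] = router.classify(sw.egress(1, DST, SRC, ETH_DEMO, b"cdp"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first two results are the point of Rick's loop story: with native 10 on one end and native 1 on the other, every untagged frame crosses the trunk and is re-labelled on arrival, so the two native VLANs become one broadcast domain without either switch tagging anything. On a real IOS switch the check for this is `show interfaces trunk` on both ends and the `%CDP-4-NATIVE_VLAN_MISMATCH` syslog message, which is the CDP detection Rick mentions.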