Should a Trunk Native Blackhole VLAN be Disabled at L2?

JEEd
Level 1

I wonder if someone older and wiser than I can assist with a design best practice question please?

 

I'm familiar with the Cisco recommended practice of using a Blackhole VLAN (e.g. VLAN999) as a Native VLAN on a Trunk.

 

I've recently encountered a setup where that has been implemented and then VLAN999 has been shutdown at L2 on the switches at both ends of the Trunk.

 

Is disabling the blackhole Native VLAN at L2 Cisco recommended practice?

 

The reason I ask is that there is still untagged (native) traffic finding its way onto the circuit and because Spanning-Tree doesn't operate on the shutdown native VLAN it appears to be causing a loop in our dual-redundant L2 circuits.

 

One suggestion (that's coming up against some internal "best practice" debate) is to enable the native VLAN at L2 so STP can operate on the Native VLAN and block the secondary circuit.

 

I would really welcome people's thoughts on this.

 

Thanks for your help,

J.

3 Replies

balaji.bandi
Hall of Fame

Understanding the Native VLAN ID for Trunk Ports

 

A trunk port can carry untagged packets simultaneously with the 802.1Q tagged packets. When you assign a default port VLAN ID to the trunk port, all untagged traffic travels on the default port VLAN ID for the trunk port, and all untagged traffic is assumed to belong to this VLAN. This VLAN is referred to as the native VLAN ID for a trunk port. The native VLAN ID is the VLAN that carries untagged traffic on trunk ports.

The trunk port sends an egressing packet with a VLAN that is equal to the default port VLAN ID as untagged; all the other egressing packets are tagged by the trunk port. If you do not configure a native VLAN ID, the trunk port uses the default VLAN.

Understanding Allowed VLANs

By default, a trunk port sends traffic to and receives traffic from all VLANs. All VLAN IDs are allowed on each trunk. However, you can remove VLANs from this inclusive list to prevent traffic from the specified VLANs from passing over the trunk. You can add any specific VLANs later that you may want the trunk to carry traffic for back to the list.

To partition spanning tree protocol (STP) topology for the default VLAN, you can remove VLAN1 from the list of allowed VLANs. Otherwise, VLAN1, which is enabled on all ports by default, will have a very big STP topology, which can result in problems during STP convergence. When you remove VLAN1, all data traffic for VLAN1 on this port is blocked, but the control traffic continues to move on the port.

BB


Hello

The native vlan marks traffic in that vlan untagged, be it the default vlan 1 or whatever vlan you specify to be the native for that interconnect trunk.

 

Bear in mind that specifying a native VLAN other than VLAN 1 doesn't negate the control traffic like DTP, VTP, CDP etc. from using VLAN 1; this will still be used. This is why on some switches VLAN 1 isn't eligible to be pruned off a trunk, and even when it is, the control traffic will still traverse the trunk.

 

Lastly, when you specify a VLAN to be native, you can, as I do, suspend/shutdown that VLAN and assign all my used access ports to it, and it can still be used as the native VLAN on a trunk.


Kind Regards
Paul

Thanks Paul & Balaji for your quick replies.

 

I'm familiar with the use/purpose of the Native VLAN my question is really one of "best practice" in terms of implementing a blackhole Native VLAN.

 

Here's the current Trunk config:

 

int Eth1/1
   switchport trunk native vlan 999
   switchport mode trunk
   switchport trunk allowed vlan 1-10
   switchport nonegotiate

int Eth1/2
   switchport trunk native vlan 999
   switchport mode trunk
   switchport trunk allowed vlan 1-10
   switchport nonegotiate

 

and the VLAN config:

 

   vlan 999
   name blackhole
   shutdown

Both Eth1/1 and Eth1/2 are dual-redundant WAN circuits terminating on the same remote switch.

 

One interface is forwarding and the other blocking (using STP). This works for VLANs 1-10, but there is no spanning tree for VLAN 999 (as it is shut down).

 

That said, we are still noticing some untagged ARP broadcast traffic being transmitted on the Active circuit and being received down the Standby circuit.

 

Our theory is that the Native VLAN cannot be completely shut (otherwise nothing untagged should be egressing the interface - right?) but because it's in a state of shut/unshut limbo ("show vlan" shows a state of "act/lshut") STP isn't operating on the link and therefore isn't blocking untagged traffic and is therefore not stopping a loop.

 

All the recommendations and best practice I find in the forums and from Cisco textbooks are quite specific about using something other than VLAN 1 for the native VLAN on trunks. That's fine, I understand that and we have that. We also have VLAN 1 allowed on the link for control traffic.

 

I've also seen recommendations about using the blackhole VLAN on unused interfaces and shutting the interface down. That's also fine, but that sounds like a L1 shutdown on the physical interface, not a VLAN shutdown at L2 on a trunk.

 

I've never seen anything that states specifically one way or the other about shutting the blackhole VLAN itself down at L2 and I'm trying to determine if having a shut native VLAN on a pair of links relying on STP could be an unsupported/unrecommended configuration condition that could be the cause of my unusual network traffic issues.

 

Thanks for your help,

J.
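An added config audit (not from this thread, Cisco, or any of the posters) that flags the condition J. describes: a trunk whose native VLAN is shut down at L2, so no STP instance runs on it and untagged frames on a redundant pair of links are not blocked. It parses a running-config text; the sample is constructed from the trunk and VLAN config posted above, plus a hypothetical healthy trunk Eth1/3 for contrast, and it also reports a native VLAN that is absent from the trunk's allowed list.

```python
import re

# Constructed sample: J.'s trunk/VLAN config above (Eth1/1, VLAN 999 shut) plus a
# contrasting hypothetical trunk Eth1/3 whose native VLAN 998 is up and allowed.
SAMPLE_CONFIG = """\
vlan 999
 shutdown
int Eth1/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1-10
int Eth1/3
 switchport trunk native vlan 998
 switchport trunk allowed vlan 1-10,998
"""

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-10,998' into a set of VLAN IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids |= set(range(int(lo), int(hi or lo) + 1))
    return ids

def audit_native_vlans(config):
    """Map each trunk to its findings: a native VLAN shut down at L2 (no STP instance, so
    untagged frames are not blocked on a redundant link) or missing from the allowed list."""
    shut, trunks, section = set(), {}, None
    for line in config.splitlines():
        if m := re.match(r"vlan (\d+)$", line):
            section = ("vlan", int(m.group(1)))
        elif m := re.match(r"int(?:erface)? (\S+)$", line):
            section = ("if", m.group(1))
            trunks[m.group(1)] = {"native": 1, "allowed": None}  # native defaults to VLAN 1
        elif section and section[0] == "vlan" and line.strip() == "shutdown":
            shut.add(section[1])
        elif section and section[0] == "if":
            if m := re.match(r" switchport trunk native vlan (\d+)", line):
                trunks[section[1]]["native"] = int(m.group(1))
            elif m := re.match(r" switchport trunk allowed vlan (\S+)", line):
                trunks[section[1]]["allowed"] = expand_vlan_list(m.group(1))
    findings = {}
    for name, ent in trunks.items():
        notes = []
        if ent["native"] in shut:
            notes.append(f"native VLAN {ent['native']} is shut down: no STP runs on it")
        if ent["allowed"] is not None and ent["native"] not in ent["allowed"]:
            notes.append(f"native VLAN {ent['native']} is not in the allowed list")
        if notes:
            findings[name] = notes
    return findings
```

Run against the sample, only Eth1/1 is reported, with both findings; Eth1/3 is clean.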