
show int trunk - native vlan and spanning tree protocol

SJ K
Level 5

Hi all,

q1) If I have 2 links/trunks between 2 switches and both links' native VLAN is 1, is the native VLAN subject to STP?

q2) Is the native VLAN automatically allowed to traverse a trunk? Do I need to specify "switchport trunk allowed vlan nativevlan"?

show int trunk

Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         10-11

Port        Vlans allowed and active in management domain
Po1         10-11

Port        Vlans in spanning tree forwarding state and not pruned
Po1         10-11

Is the native VLAN 1 allowed on Po1?

Regards,

Noob 


6 Replies

Mark Malone
VIP Alumni

Hi

1. The native VLAN by default is always 1. It's always running, even when shut down at L3, and can't be removed at L2 from the database as it carries CDP/STP/DTP traffic etc. Yes, it is part of the STP domain; anything that is in the layer 2 VLAN database is subject to STP, unless you disable STP for all the VLAN ports, which would not be recommended. It will always be part of the trunk due to it carrying certain mgmt. traffic; that's why some prefer not to use VLAN 1 for production traffic, and it is considered good practice not to use it for prod as it mixes mgmt. traffic with prod on the wire.

2. Yes, always allowed when VLAN 1. If you changed the native to something else, you would have to specify it to be allowed to traverse the trunk as native. There's no real need for native these days as most devices now understand tags. If you change it, make sure it matches on both sides of the trunk or you will have issues.

Is the native VLAN 1 allowed on Po1?

It won't be blocked due to it being VLAN 1, but if it was VLAN 10 it's still allowed once you specify it as allowed and as native VLAN. Again, just make sure both sides match.

Native VLAN is legacy now these days, I believe. From what I have read over time, it was originally introduced for devices that did not understand tagging, such as hubs, if they were inserted between switches on site, but they rarely exist in designs these days, that I have seen anyway.

Hi Mark,

Thanks for your reply and sorry for the late response.

q1) How do we separate control traffic (CDP, VTP) from production traffic then, if they are on native VLAN 1 and, from what you say, they are always allowed through the trunk?

- Do we create 2 trunks then?

  a) 1 which allows the native VLAN only, and

  b) 1 which allows the other production tagged VLANs?

q2) Can we change the VLAN for control traffic? If I have changed the native VLAN for the trunk to some other number besides 1, will the control traffic (CDP, VTP) still reside in VLAN 1?

Regards,
Noob

Hey, yes, I was off myself yesterday.

Just 1 trunk. You don't need a separate trunk to prevent prod traffic mixing with control traffic; you just don't use VLAN 1 for any user traffic at all, so you shut down the layer 3 interface to start:

int vlan 1

shutdown

Then you would make sure no user/PC device is assigned to VLAN 1 at layer 2 for any device in that broadcast domain. You would still allow it on a trunk, but even if you don't it will still pass, from memory in testing anyway; even if you don't specify it as an allowed VLAN it still passes between switches as it's the default.

The problem here is if you're already using VLAN 1 for users and want to separate it for security reasons, it will cause an impact as they need to be put in another VLAN, but very minimal impact usually.

2. No, you can never change the control traffic VLAN. It's 1 and always will be; even if you change the native VLAN to say 999, VLAN 1 will still operate as the carrier for CDP/STP etc. It's just the way it's built and designed; there is no method available to change it. Native can be altered, but how the control traffic gets pushed between switches cannot. You can manipulate it in larger switches like 6500s with CoPP and MPP, but that's about it; it still uses VLAN 1 on those switches too.

Hi Mark, Peter,

Thank you for your replies, and I am so sorry to come back late (going through a rough schedule).

I hope you guys are still around.

======

In short,

q1) Can I say VLAN 1 is always allowed implicitly and is subject to STP?

q2) If I change my native VLAN to say 999, do I still not need to specify "allowed vlan 1" on the trunk, and will VLAN 1 traffic still go through the trunk?

q3) By setting the native VLAN to xxx, is there still a need to explicitly type "switchport trunk allowed vlan xxx" to allow VLAN xxx to pass through the trunk?

q4) Peter mentioned earlier:

"q2: you must explicitly add vlan1 to allowed vlan list if you need traffic on it"

That seems to contradict what we have discussed. What's your thought on it?

Regards,
Noob

Hi

1. Always allowed for control traffic; you cannot stop this or change it. It will be subject to STP if being used for passing standard user traffic.

2. Yes, if using it for user traffic; otherwise you don't need to specify it, as it's always allowed to carry control protocols as per design. If not using VLAN 1 for prod traffic, it doesn't need to be specified.

3. Yes. Just because you changed it to another native number, it still has user traffic, so it must be allowed.

4. If it's being used for user traffic, I agree it should be allowed/specified. If shut down at layer 3 and not being used by user traffic, then no, it does not need to be specified, but it will still pass control traffic through the trunk anyway.

http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=7
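As an added illustration (not code from the thread, from Cisco, or from any of the posters), the following Python script parses the `show interfaces trunk` output quoted in the question and applies the checks discussed in the answers above: whether the native VLAN is still 1, whether the native VLAN appears in the allowed list (needed once user traffic rides on it), whether VLAN 1 is explicitly allowed, which allowed-and-active VLANs STP is not forwarding, and whether the native VLAN matches on both ends of the trunk. SWITCH_A is the output from the question; SWITCH_B is a constructed, assumed second-switch end with native VLAN 999, included only to show the mismatch check firing.

```python
"""Audit Cisco IOS 'show interfaces trunk' output for native-VLAN and STP issues.

Added example for the thread above. SWITCH_A is the dump from the question;
SWITCH_B is a constructed second-switch end (assumed, not from the thread).
"""
from dataclasses import dataclass, field

SWITCH_A = """\
Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         10-11

Port        Vlans allowed and active in management domain
Po1         10-11

Port        Vlans in spanning tree forwarding state and not pruned
Po1         10-11
"""

# Constructed: other end of the same Po1, native VLAN moved to 999, VLAN 11 blocked by STP.
SWITCH_B = """\
Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      999

Port        Vlans allowed on trunk
Po1         10-11,999

Port        Vlans allowed and active in management domain
Po1         10-11,999

Port        Vlans in spanning tree forwarding state and not pruned
Po1         10,999
"""

# Column-header text that introduces each section of the command output.
SECTION_KEYS = {
    "Native vlan": "header",
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}


@dataclass
class Trunk:
    port: str
    native: int = 0
    allowed: set = field(default_factory=set)
    active: set = field(default_factory=set)
    forwarding: set = field(default_factory=set)


def expand_vlans(spec: str) -> set:
    """Expand an IOS VLAN list such as '10-11,999' into a set of ints; 'none' -> empty."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text: str) -> dict:
    """Return {port: Trunk} from a 'show interfaces trunk' dump (handles wrapped VLAN lists)."""
    trunks, section, last_port = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):  # a section header line
            section = next((n for k, n in SECTION_KEYS.items() if k in line), None)
            continue
        if line[0].isspace() and last_port and section and section != "header":
            # IOS wraps long VLAN lists onto indented continuation lines.
            getattr(trunks[last_port], section).update(expand_vlans(line.strip()))
            continue
        fields = line.split()
        port = fields[0]
        trunk = trunks.setdefault(port, Trunk(port=port))
        if section == "header":
            trunk.native = int(fields[-1])
        elif section in ("allowed", "active", "forwarding"):
            setattr(trunk, section, expand_vlans(fields[1]))
        last_port = port
    return trunks


def audit_trunk(t: Trunk) -> list:
    """Findings for one trunk, following the points made in the thread."""
    findings = []
    if t.native == 1:
        findings.append(f"{t.port}: native VLAN is 1; move native off VLAN 1 and keep users off it")
    if t.native not in t.allowed:
        findings.append(f"{t.port}: native VLAN {t.native} not in allowed list; user traffic on it needs it allowed")
    if 1 in t.allowed:
        findings.append(f"{t.port}: VLAN 1 explicitly allowed; confirm no user traffic is on it")
    blocked = t.active - t.forwarding
    if blocked:
        findings.append(f"{t.port}: VLANs {sorted(blocked)} allowed/active but not forwarding (STP blocking or pruned)")
    return findings


def native_mismatch(a: dict, b: dict) -> list:
    """(port, native_a, native_b) for ports present on both ends whose native VLANs differ."""
    return [(p, a[p].native, b[p].native) for p in sorted(a) if p in b and a[p].native != b[p].native]


if __name__ == "__main__":
    ends = {"switch-A": parse_show_trunk(SWITCH_A), "switch-B": parse_show_trunk(SWITCH_B)}
    for name, trunks in ends.items():
        for t in trunks.values():
            for f in audit_trunk(t):
                print(f"[{name}] {f}")
    for port, na, nb in native_mismatch(ends["switch-A"], ends["switch-B"]):
        print(f"[mismatch] {port}: native VLAN {na} on switch-A vs {nb} on switch-B")
```

Run against the question's own output, the script reports two findings for Po1 on switch A (native VLAN is 1, and native VLAN 1 is absent from the allowed list), which is exactly the situation the thread discusses; the constructed switch B end surfaces a VLAN that is allowed but not forwarding, and the cross-check flags the 1 vs 999 native mismatch that Mark warns against.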

Peter Koltl
Level 7

q2: You must explicitly add VLAN 1 to the allowed VLAN list if you need traffic on it.
