
FlexConnect and Native VLAN?

Ronni Feldt
Level 1
Level 1

Hi,

We are implementing a new wireless network using Cisco.

Our design is using FlexConnect and multiple SSID.

Each SSID is associated to a VLAN:

SSID1 - VLAN 100

SSID2 - VLAN 200

SSID7 - VLAN 700

etc.

The interface for the AP's is a trunk:

interface GigabitEthernet1/0/2

  switchport trunk native vlan 102

  switchport trunk allowed vlan 100,102,200,300,400,500,600,700,800,900

  switchport mode trunk

  switchport nonegotiate

 !

The native VLAN (102) on the trunk is a "point-to-point"-VLAN between the distribution and access-switch and stretches to the access interfaces on the access-switch and the trunk interfaces for the AP's.

The native VLAN is untagged.

Now, when configuring FlexConnect I have to enable VLAN Support under the FlexConnect tab and specify a Native VLAN ID.

Why do I have to specify a VLAN ID for an untagged native VLAN?

What is it used for?

Untagged traffic is untagged, so what does the AP use this information for?

I haven't been able to find an answer besides "do this...", no why I have to and what it's used for.

Does anyone know?

8 Replies

The native VLAN for the AP should be 102, as you declared native VLAN 102 on the switch interface; if you declare native VLAN 1, you can use native VLAN 1 on the AP as well...

interface GigabitEthernet1/0/2

  switchport trunk native vlan 102

  switchport trunk allowed vlan 100,102,200,300,400,500,600,700,800,900

  switchport mode trunk

  switchport nonegotiate

ammahend
VIP
VIP

Why do I have to specify a VLAN ID for an untagged native VLAN?

What is it used for?

Untagged traffic is untagged, so what does the AP use this information for?

The native VLAN has to match on both sides of the trunk for the link to be up; otherwise you will get a native VLAN mismatch. Think of the AP as a switch here, connected to another switch with a trunk between both. So the native VLAN has to match, so you configure the native VLAN on the AP side as well as on the switch side.

I believe if you don't mention it, by default it would be VLAN 1 on the AP side, leading to a VLAN mismatch.

You can perform a packet capture on the AP port and verify this.

You are right, it's not mentioned anywhere, but that's the only logical explanation I can think of.

**rate helpful posts**

-hope this helps-

I don't know if I agree 100% with this.

The AP should be able to just send untagged traffic without knowing the native VLAN, and the switch will put the untagged traffic in the native VLAN specified on the interface.

The native VLAN mismatch is a CDP thing.

So why does the AP need to know the native VLAN? It doesn't have to tag the traffic, just send it.

Maybe the answer is in the corresponding configuration on the AP:

interface GigabitEthernet0
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.140
encapsulation dot1Q 140
no ip route-cache
bridge-group 5
bridge-group 5 spanning-disabled
no bridge-group 5 source-learning
!
interface GigabitEthernet0.150
encapsulation dot1Q 150
no ip route-cache
bridge-group 7
bridge-group 7 spanning-disabled
no bridge-group 7 source-learning
!
interface GigabitEthernet0.155
encapsulation dot1Q 155
no ip route-cache
bridge-group 6
bridge-group 6 spanning-disabled
no bridge-group 6 source-learning
!
interface GigabitEthernet0.220
encapsulation dot1Q 220 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!

It seems that the AP creates a subinterface for each VLAN, even for the untagged one, so I think you need to specify which one of them is the untagged one.
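The mismatch the replies above describe (native VLAN declared on the AP's wired-side subinterface versus the native VLAN on the switch trunk) is something you can check from the two configurations before plugging the AP in. The following is an added example, not code from the thread or from Cisco: it parses the switch trunk posted above and an AP wired-side config written in the same dot1Q-subinterface style, and reports a native VLAN mismatch or a bridged VLAN that the trunk does not allow. The AP configs below are constructed samples (the one in the thread belongs to a different setup); the regexes target Cisco IOS syntax only and do not handle the `allowed vlan add/remove/except` forms.

```python
"""Added example (not from the thread): cross-check a switch trunk port against
the FlexConnect AP's wired-side dot1Q subinterfaces. Cisco IOS syntax only."""
import re

# Constructed sample: the switch trunk port exactly as posted in the thread.
SWITCH_CFG = """
interface GigabitEthernet1/0/2
 switchport trunk native vlan 102
 switchport trunk allowed vlan 100,102,200,300,400,500,600,700,800,900
 switchport mode trunk
 switchport nonegotiate
!
"""

# Constructed sample: an AP wired side in the same style as the thread's AP
# config, with native VLAN 220 (does not match the switch) and VLAN 150
# (not allowed on the trunk).
AP_CFG_BAD = """
interface GigabitEthernet0.100
 encapsulation dot1Q 100
 bridge-group 5
!
interface GigabitEthernet0.150
 encapsulation dot1Q 150
 bridge-group 7
!
interface GigabitEthernet0.220
 encapsulation dot1Q 220 native
 bridge-group 1
!
"""

# Constructed sample: the same AP, corrected so that it agrees with the trunk.
AP_CFG_OK = """
interface GigabitEthernet0.100
 encapsulation dot1Q 100
 bridge-group 5
!
interface GigabitEthernet0.200
 encapsulation dot1Q 200
 bridge-group 7
!
interface GigabitEthernet0.102
 encapsulation dot1Q 102 native
 bridge-group 1
!
"""


def expand_vlan_list(spec):
    """'100,102,200-202' -> {100, 102, 200, 201, 202}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switch_trunk(cfg):
    """Return (native_vlan, allowed_vlans); IOS defaults are native 1, all VLANs allowed."""
    m = re.search(r"^\s*switchport trunk native vlan (\d+)", cfg, re.M)
    native = int(m.group(1)) if m else 1
    m = re.search(r"^\s*switchport trunk allowed vlan ([\d,\-]+)", cfg, re.M)
    allowed = expand_vlan_list(m.group(1)) if m else set(range(1, 4095))
    return native, allowed


def parse_ap_subinterfaces(cfg):
    """Return {vlan_id: is_native} from 'encapsulation dot1Q <id> [native]' lines."""
    pat = re.compile(r"^\s*encapsulation dot1[qQ] (\d+)( native)?", re.M)
    return {int(vid): bool(nat) for vid, nat in pat.findall(cfg)}


def audit_trunk(switch_cfg, ap_cfg):
    """Return a list of findings; an empty list means both ends of the trunk agree."""
    sw_native, allowed = parse_switch_trunk(switch_cfg)
    ap_vlans = parse_ap_subinterfaces(ap_cfg)
    findings = []
    ap_natives = [v for v, nat in ap_vlans.items() if nat]
    if not ap_natives:
        findings.append(f"AP declares no native VLAN; its untagged frames will land in VLAN {sw_native} on the switch")
    for v in ap_natives:
        if v != sw_native:
            findings.append(f"native VLAN mismatch: AP {v} vs switch {sw_native}")
    for v in sorted(ap_vlans):
        if v not in allowed:
            findings.append(f"AP bridges VLAN {v} but the trunk does not allow it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("mismatched AP", AP_CFG_BAD), ("corrected AP", AP_CFG_OK)):
        print(name, audit_trunk(SWITCH_CFG, cfg) or ["OK"])
```

Run it against `show running-config` output from both devices; an empty finding list is the state the replies above are asking for (same native VLAN on both ends, every bridged VLAN allowed on the trunk).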

LJ Gabrillo
Level 5
Level 5

You can actually skip setting the native VLAN on the AP. So what's the purpose of this config? Well, it is to avoid a native VLAN mismatch.

Just imagine the AP as another switch, if you connect the switch and AP, in a trunk port with different native VLANs, you'd expect the switch to nag native VLAN mismatch logs.

It is always recommended to match native VLAN settings. It's just for security purposes and to avoid VLAN hopping attacks, which can be exploited on devices with native VLAN mismatches :)

Jun Zhou
Cisco Employee
Cisco Employee

On the switch side you have to configure the native VLAN, because you need to add a tag to the CAPWAP traffic from the AP (WLC-AP management and central switching SSID traffic is untagged by default unless you enable VLAN tagging on the AP) before forwarding the traffic inside the switch.

 

On the AP side, the native VLAN ID is just for psychological comfort, because the AP does nothing if an untagged packet comes in from the wired interface. Not even a CDP warning or STP risk, because LWAP never cares about them.

 

So configuring the native VLAN on the AP is just useless.

 

"So config the native vlan on AP is just useless." - This is not correct.

The FlexConnect AP needs to be aware of the native VLAN in case a client needs to be bridged to the same VLAN as where the AP itself is located in. This way the AP knows that the outgoing client frames should not be tagged and that incoming frames won't have a VLAN tag either. I recommend to always use separate VLANs, but that is another story :-)

Please rate useful posts... :-)
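The two points made just above (the AP sends a client's frames untagged when the client's VLAN is the AP's native VLAN, and a native VLAN mismatch is what VLAN hopping feeds on) can be shown at the frame level. The following is an added example, not code from the thread or from Cisco: it models the AP's wired side and the switch trunk port as two small functions and runs the thread's scenarios through them. The model is a simplification and its behaviour is an assumption, in particular that the AP does not inspect or strip an 802.1Q header that the wireless client placed in its own frame; it stops at the first switch, so the classic second-hop double-tagging case is not modelled. Frames and MAC addresses are constructed.

```python
"""Added example (not from the thread): frame-level model of a FlexConnect
AP bridging wireless client frames onto a trunk, and of the switch port
receiving them. Simplified; the AP behaviour is an assumption."""
import struct

DOT1Q = 0x8100
IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vid=None):
    """Ethernet II frame; if vid is given, an 802.1Q tag (PCP 0, DEI 0) is inserted."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", DOT1Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def pop_tag(frame):
    """Return (vid, frame without its outer 802.1Q tag); vid is None if untagged."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != DOT1Q:
        return None, frame
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, frame[:12] + frame[16:]


def ap_bridge_to_wire(client_frame, client_vlan, ap_native):
    """Model of the AP's wired side as the reply above describes it: frames for the
    AP's native VLAN leave untagged, every other VLAN gets a tag pushed on.
    Assumption: the AP forwards whatever 802.1Q header the client supplied untouched."""
    if client_vlan == ap_native:
        return client_frame
    return client_frame[:12] + struct.pack("!HH", DOT1Q, client_vlan) + client_frame[12:]


def switch_trunk_ingress(wire_frame, switch_native):
    """Model of the switch trunk port: pop one tag; an untagged frame joins the native VLAN."""
    vid, rest = pop_tag(wire_frame)
    return (switch_native if vid is None else vid), rest


def deliver(client_frame, client_vlan, ap_native, switch_native):
    """VLAN the switch assigns to a wireless client's frame, end to end."""
    vid, _ = switch_trunk_ingress(
        ap_bridge_to_wire(client_frame, client_vlan, ap_native), switch_native)
    return vid


# Constructed sample frames; addresses are arbitrary locally administered MACs.
CLIENT = bytes.fromhex("021122334455")
GATEWAY = bytes.fromhex("0200000000fe")
PLAIN = build_frame(GATEWAY, CLIENT, IPV4, b"\x45" + b"\x00" * 19)
# A client that writes its own 802.1Q header for VLAN 700 (the thread's SSID7 VLAN).
CRAFTED = build_frame(GATEWAY, CLIENT, IPV4, b"\x45" + b"\x00" * 19, vid=700)


def scenarios():
    """Return {description: VLAN assigned by the switch} for the cases in the thread."""
    return {
        "SSID1 client on VLAN 100, native 102 on both ends": deliver(PLAIN, 100, 102, 102),
        "client on VLAN 102 (the native VLAN), native 102 on both ends": deliver(PLAIN, 102, 102, 102),
        "client on VLAN 220, AP native 220, switch native 102 (mismatch)": deliver(PLAIN, 220, 220, 102),
        "client-crafted tag 700, client on non-native VLAN 200": deliver(CRAFTED, 200, 102, 102),
        "client-crafted tag 700, client on native VLAN 102": deliver(CRAFTED, 102, 102, 102),
    }


if __name__ == "__main__":
    for desc, vlan in scenarios().items():
        print(f"{desc}: switch puts the frame in VLAN {vlan}")
```

Reading the results: with matching native VLANs a client on VLAN 100 lands in 100 and a client on 102 lands in 102, as expected. With the AP's native VLAN at 220 and the switch's at 102, the client's untagged frames are dropped into VLAN 102, which is the mismatch consequence. A client-supplied tag for VLAN 700 is harmless when the client's own VLAN is tagged by the AP (the switch pops the AP's tag and delivers to 200), but when the client sits on the native VLAN the AP sends the frame untagged and the switch honours the client's tag, delivering it to 700. That is why the reply above recommends keeping client VLANs separate from the native VLAN.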

aleopoldie
Level 3
Level 3

Hello all,

 

I am joining this discussion as I am having an issue with this native VLAN story.

 

With 2800 APs, when I put the native VLAN for the AP on VLAN X, and also the SSID on VLAN X, it's not working.

I am doing the same with other models like the 1600, and it's working.

 

Any idea?
