Does Native Vlan need IP address?

hufa97
Level 1

I believe that a native vlan does not need to be configured (name, ip address) with anything specific as do other non-native vlans. For example in my brief config below, only vlan 16 is configured with non-default values while the native vlan 500 has no specific values for IP address, name, etc. I have tested this in my lab but need documentation which I cannot find. Thank you.

config file example:

!
vlan 16
 name Data
!
interface GigabitEthernet1/1
 description Server-Connection
 switchport
 switchport access vlan 16
 switchport mode access
 no shutdown
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet4/30
 description Switch-Trunk-Connection
 switchport
 switchport access vlan 666
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 500
 switchport trunk allowed vlan 16,500
 switchport mode trunk
 no shutdown
!
interface Vlan16
 description Data
 ip address xx.xx.xx.xx xx.xx.xx.xx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no shutdown
!
end

Thank you.

10 Replies

John Blakley
VIP Alumni

No vlan "needs" an address, but the hosts that are on the vlan will need to be able to communicate with each other. The only time you'll really need an address is if you need to route to other subnets. In that case, you'll need to have an address configured on your L3 SVI that's attached to the vlan in order to be able to use it as the default gateway for hosts.

HTH, John *** Please rate all useful posts ***

VLANs themselves do not use IP addresses. VLAN interfaces do, though. In addition to VLAN interfaces needing an IP for routing purposes on a layer 3 switch, VLAN interfaces will also need IP addresses for management of the device.

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

Some expansion to Steven's post (and he's quite correct to make the distinction between VLANs and VLAN interfaces).

A gateway could be on a switch not hosting the VLAN, common on L2 switches.

An L2 switch generally only needs one VLAN interface with an address, for management.

An L3 switch doesn't need any VLAN interfaces for management.

JosephDoherty,

This is exactly my point about not needing to define the native vlan as an interface in my L3 switch but where exactly do I find the documentation to support your point (and mine)? Thanks.


Hmm, not sure there's any one place that documents it, especially as it really falls under my general understanding of VLANs, i.e. not device specific.

Actually, I don't see that defining the VLAN as native or not on the port matters either (regarding needing an interface).

glen.grant
VIP Alumni

I believe I have read as best practice that you actually use a so-called dummy VLAN as native, in other words a VLAN that has no users on it as native. This is probably what you are seeing. You should see vlan 500 in the config though, just like vlan 16, but I don't see it in there.

A tip my teacher gave me, besides using a dummy VLAN for the native VLAN, is that you can use different native VLANs on different links, because it's configured on a link-by-link basis. This adds an extra layer of security.

+ The native-vlan doesn't even have to be included as an allowed vlan over the trunk.

Henrik,

Personally, I would not recommend using different native VLANs on different trunk links. Doing so makes the configuration much more prone to configuration errors because of possible native VLAN mismatches, and more complex to troubleshoot and maintain. There is also a more serious aspect to this: a technique exists that allows stations connected to access ports to send double-tagged frames in such a way that the traffic will leak from one VLAN to another - a so-called VLAN hopping attack. Without going into much detail, this attack can be successfully accomplished if the station is itself placed into an access VLAN that is also used as a native VLAN on a trunk. In other words, if a VLAN is both used as a native VLAN on a certain trunk and as an access VLAN for some stations, these stations may exploit this coincidence and leak their traffic to other VLANs. So to avoid this attack, you would need to make sure that none of the VLANs used as a native VLAN on some trunk is also used as an access VLAN. Having many trunks configured with unique native VLANs would therefore lead to many VLANs being unusable as access VLANs if you wanted to avoid this kind of attack.

My personal recommendation is therefore:

• Hands off VLAN 1 - don't touch it, don't use it, move all ports away from it. This VLAN transports certain protocols used by switches themselves, so leave it there for the switches' use and don't mix it with user traffic.
• Configure all trunks with the same native VLAN (a different one from VLAN 1). After that, hands off that VLAN as well. Leave it otherwise unused and don't place any stations into it.

Best regards,

Peter
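An added example, not from the thread or from any poster: a small Python audit that reads IOS-style interface configuration and flags the conditions Peter's reply recommends avoiding (VLAN 1 as a native VLAN, differing native VLANs across trunks, a native VLAN that is also some port's access VLAN), plus an SVI on the native VLAN, which bears on the original question. The sample configuration is constructed for the example.

```python
import re

# Constructed sample (not the thread's own config): a trunk with native VLAN 500,
# a trunk left at the IOS default native VLAN 1, an access port in 500, an SVI for 500.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 switchport access vlan 500
 switchport mode access
interface GigabitEthernet4/30
 switchport trunk native vlan 500
 switchport mode trunk
interface GigabitEthernet4/31
 switchport mode trunk
interface Vlan500
 ip address 10.0.50.1 255.255.255.0
"""

def parse_interfaces(config):
    """Map each 'interface X' name to the text of its indented sub-commands."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)}

def audit_native_vlans(config):
    """Return findings for the native-VLAN conditions Peter's post recommends avoiding."""
    trunk_native, access_ports, svis = {}, {}, set()
    for name, text in parse_interfaces(config).items():
        mode = re.search(r"^\s*switchport mode (\w+)$", text, re.M)
        native = re.search(r"^\s*switchport trunk native vlan (\d+)$", text, re.M)
        access = re.search(r"^\s*switchport access vlan (\d+)$", text, re.M)
        if name.startswith("Vlan"):                # SVI: record the VLAN it serves
            svis.add(int(name[4:]))
        elif mode and mode.group(1) == "trunk":    # IOS default native VLAN is 1
            trunk_native[name] = int(native.group(1)) if native else 1
        elif mode and mode.group(1) == "access":   # IOS default access VLAN is 1
            access_ports.setdefault(int(access.group(1)) if access else 1, []).append(name)
    findings = []
    for port, vlan in trunk_native.items():
        if vlan == 1:
            findings.append(f"VLAN 1 is the native VLAN on trunk {port}")
        for ap in access_ports.get(vlan, []):
            findings.append(f"VLAN {vlan} is native on trunk {port} and the access VLAN on {ap}")
        if vlan in svis:
            findings.append(f"native VLAN {vlan} (trunk {port}) has an SVI, so it is not left unused")
    if len(set(trunk_native.values())) > 1:
        findings.append(f"trunks use differing native VLANs: {sorted(set(trunk_native.values()))}")
    return findings
```

Running `audit_native_vlans(SAMPLE_CONFIG)` yields four findings for the constructed sample; a config whose trunks all share one otherwise unused native VLAN yields none.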

Thanks Peter, interesting discussion. I totally need to confront my teacher with this!

Glen.Grant,

I disagree with you that the native vlan specifically needs to be defined in the configuration file. This is my main point, which has been tested in my lab. I am just looking for the specific documentation that states this is correct.

Thanks.
