39672 Views 46 Replies Latest reply: Mar 6, 2014 7:27 AM by Michal

What is the native vlan?

Mar 12, 2014 3:38 AM

prince 94 posts since
Jan 20, 2009

What is the point of the native VLAN? I understand traffic in the VLAN is untagged, but the tags are removed before they are sent out the access port, so why have traffic over the trunk links? ISL works without a "native VLAN"; why does 802.1q use it?

  • JP 157 posts since
    Jan 20, 2010
    1. Mar 7, 2012 4:45 PM (in response to prince)
    Re: What is the native vlan?

    Hi prince,

    I would say that when ISL trunking is used there is no native VLAN, since all frames receive an ISL header. I am sure someone studying for the CCIE, or who is a CCIE, can elaborate.

  • Paul Stewart  -  CCIE Security, CCSI 6,952 posts since
    Jul 18, 2008
    3. Mar 7, 2012 6:46 PM (in response to prince)
    Re: What is the native vlan?

    IEEE seems to really care about backward compatibility. A long time ago in a galaxy far, far away, a switch might not always connect to another switch directly. So consider if you have the network below:

    <SW1>--------<HUB>-------<SW2>

    It is possible for SW1 and SW2 to have ports on more than one VLAN. For that VLAN information to be carried, we need an 802.1q (or ISL) trunk. But what about something connected to the hub? Well, that's where the native VLAN comes into play. To be honest, I've never seen this in production. However, it is certainly possible and the main explanation I've heard.

  • Martin 13,070 posts since
    Jan 16, 2009
    4. Mar 7, 2012 6:58 PM (in response to prince)
    Re: What is the native vlan?

    The native VLAN, aka 802.1Q trunking: if one of the devices does not support trunking, the traffic for that one native VLAN can still be sent over the link. By default, the native VLAN is VLAN 1.

    STP on vlan 1 works without a trunk link, right?

    There is something else that needs Native vlan, I think, maybe will come back to me....

  • JohnDonovan32 4 posts since
    Oct 22, 2009
    5. Mar 8, 2012 3:52 AM (in response to prince)
    Re: What is the native vlan?

    The native VLAN is used to carry untagged traffic across a trunk. However, let's say your native VLAN is 1 (by default). Best practices would say to disable VLAN 1 and use a different one for the native VLAN, as a switchport that is not configured will automatically be in VLAN 1. The native VLAN carries other traffic such as DTP updates. You want to separate these from VLAN 1 as well as the trunk links. Set the native VLAN to 999, shut down VLAN 1 and only allow tagged VLANs as well as native VLAN 999 across.

  • Jordan - CCIE# 41293 68 posts since
    Sep 28, 2009
    6. Mar 8, 2012 6:28 PM (in response to JohnDonovan32)
    Re: What is the native vlan?

    Not a very good idea to disable VLAN 1. The backwards-compatible STP BPDUs only flow across a trunk that allows VLAN 1 specifically. Try plugging the Cisco switch into an HP without allowing VLAN 1. The only option then would be to use MST on every link. VLAN 1 specifically must be allowed for those BPDUs. I would say that you should change your native VLAN to 999 and then make sure that the VLAN never has any hosts in it.

  • Sudharsan Nammalwar 9 posts since
    Jul 27, 2010
    7. Mar 9, 2012 8:54 PM (in response to prince)
    Re: What is the native vlan?

    [Image: Native vlan.png]

    Hi Prince,

    If you look at the above diagram, SW1 and SW2 have a trunk port (802.1q) connecting them, whereas SW2 and the HUB have an ACCESS link connecting them.

    Now I have a special need that some computers connected to SW1 and SW2 need to talk to computers connected at the HUB. In this scenario, if all the ports are part of a VLAN and tagged, then this information cannot be passed to a HUB, which does not have any capability to understand VLAN tags.

    So for that reason I can move the computers to NATIVE or LEGACY or BACKWARD-compatible ports called the NATIVE VLAN, so that normal switch functionality can be performed where needed.

    This is one application for NATIVE VLANs. However, it has some more applications as well. Say, for example, other than data traffic, control traffic like CDP, PAgP and LACP will not understand VLAN tagging, so we need a default VLAN which need not be tagged.

    HTH,

    Cheers,

    Sudharsan.

  • Jordan - CCIE# 41293 68 posts since
    Sep 28, 2009
    8. Mar 10, 2012 2:42 PM (in response to Sudharsan Nammalwar)
    Re: What is the native vlan?

    Not trying to act like a know it all who corrects people, but you're a bit off Sudharsan.  Being a Cisco instructor, I teach this topic every other week.  Native VLANs are trunk port specific.  You can have a different Native VLAN on every trunk port if you like.  So to say that all these computers in your diagram are in the Native VLAN doesn't actually make sense.  They are access ports. Access ports do not use the concept of a native VLAN.  The data VLAN is untagged, and if there's a voice VLAN it is tagged. Whether that same access VLAN (let's call it VLAN 5) happens to be the Native VLAN over the one and only trunk in the diagram, means absolutely nothing to the hub.  There's absolutely nothing in your diagram that requires you to carry the native VLAN over the trunk.

  • Narbik 141 posts since
    Jun 15, 2011
    9. Mar 10, 2012 3:35 PM (in response to prince)
    Re: What is the native vlan?

    The Native VLAN should be identical on both ends of the link, or else the trunk port for the VLANs that are used on the endpoints (the Native VLANs) of the trunk will go into Spanning-tree blocking state. Now... as long as that is OK with you, I do not see a problem; as long as you are aware of it, you are OK.

    But on some IOS versions, I don't remember which version/s, I have seen the endpoints configured in different Native VLANs with no problems whatsoever; as long as you know what's going on, you should be fine. Here is an example:

    In the following case both switches (SW1 and SW2) are configured with VLAN 100 and they are both in the same VTP domain called "tst". These switches are running "c3560-advipservicesk9-mz.122-25.SEE2.bin" with different Native VLANs:

    SW1's configuration:

    SW1#Sh run int f0/19 | b interface

    interface FastEthernet0/19
    switchport trunk encapsulation dot1q
    switchport mode trunk

    To verify:

    SW1#Show interface trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/19      on           802.1q         trunking      1

    Port        Vlans allowed on trunk
    Fa0/19      1-4094

    Port        Vlans allowed and active in management domain
    Fa0/19      1,100

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/19      none

    SW2's configuration:

    SW2#Sh run int f0/19 | B interface

    interface FastEthernet0/19
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 100
    switchport mode trunk

    To verify:

    SW2#Show interface trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/19      on           802.1q         trunking      100

    Port        Vlans allowed on trunk
    Fa0/19      1-4094

    Port        Vlans allowed and active in management domain
    Fa0/19      1,100

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/19      none

    You can see that the Native VLANs do not match, and the trunk seems to be up with no problems, but check the output of the following show commands:

    On SW2

    SW2#Show spanning-tree blockedports

    Name                 Blocked Interfaces List
    -------------------- ------------------------------------
    VLAN0001             Fa0/19
    VLAN0100             Fa0/19

    Number of blocked ports (segments) in the system : 2

    On SW1

    SW1#Show spanning-tree blockedports

    Name                 Blocked Interfaces List
    -------------------- ------------------------------------
    VLAN0001             Fa0/19
    VLAN0100             Fa0/19

    Number of blocked ports (segments) in the system : 2

    You should also see the following console error messages:

    %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/19 (1), with SW2 FastEthernet0/19 (100).

    Blocking FastEthernet0/19 on VLAN0001. Inconsistent peer vlan.
    Blocking FastEthernet0/19 on VLAN0100. Inconsistent local vlan.

    I hope this helped.

    Narbik Kocharians
    CCSI#30832, CCIE# 12410 (R&S, SP, Security)
    www.MicronicsTraining.com
    Sr. Technical Instructor

    YES! We take Cisco Learning Credits!
    Training & Remote Racks available

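A small added check, written for this thread rather than taken from Narbik's post or from Cisco, that parses the two "show interface trunk" sections quoted above from each end of the link, flags a native VLAN mismatch or a native VLAN that is missing from the allowed list, and pulls the interface and VLAN fields out of the %CDP-4-NATIVE_VLAN_MISMATCH syslog message. The sample output and the log line are constructed to match what the post shows.

```python
import re
# Constructed sample: the two "show interface trunk" sections the check needs,
# modelled on the SW1 and SW2 listings quoted in the post above.
SW1_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/19      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/19      1-4094
"""
SW2_TRUNK = SW1_TRUNK.replace("trunking      1\n", "trunking      100\n")
# Constructed syslog line in the format of the CDP message quoted in the post.
SYSLOG = ("%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
          "FastEthernet0/19 (1), with SW2 FastEthernet0/19 (100).")

def expand_vlans(spec):
    """Expand a Cisco VLAN list such as '1,10-12,100' into a set of ints."""
    vlans = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(output):
    """Map port -> {'native': int, 'allowed': set} from 'show interfaces trunk' text."""
    trunks, section = {}, None
    for line in output.splitlines():
        fields = line.split()
        if not fields: continue
        if fields[0] == "Port":                      # header row names the section
            section = ("native" if "Native vlan" in line
                       else "allowed" if "allowed on trunk" in line else None)
            continue
        entry = trunks.setdefault(fields[0], {})
        if section == "native" and len(fields) == 5:
            entry["native"] = int(fields[4])
        elif section == "allowed" and len(fields) == 2:
            entry["allowed"] = expand_vlans(fields[1])
    return trunks

def audit_link(local_out, local_port, remote_out, remote_port):
    """Findings for one trunk, given each end's own 'show interfaces trunk' output."""
    local = parse_trunks(local_out)[local_port]
    remote = parse_trunks(remote_out)[remote_port]
    findings = []
    if local["native"] != remote["native"]:
        findings.append("native VLAN mismatch: %s=%d, %s=%d"
                        % (local_port, local["native"], remote_port, remote["native"]))
    for name, end in ((local_port, local), (remote_port, remote)):
        if end["native"] not in end["allowed"]:  # untagged control frames would be dropped
            findings.append("%s: native VLAN %d not in allowed list" % (name, end["native"]))
    return findings

MISMATCH_RE = re.compile(r"NATIVE_VLAN_MISMATCH: .* on (\S+) \((\d+)\), with (\S+) (\S+) \((\d+)\)")

def parse_mismatch_syslog(line):
    """Pull local/peer interface and VLAN out of a %CDP-4-NATIVE_VLAN_MISMATCH line."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    return {"local_if": m.group(1), "local_vlan": int(m.group(2)),
            "peer": m.group(3), "peer_if": m.group(4), "peer_vlan": int(m.group(5))}
```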

  • "RedNectar" Chris Welsh 51 posts since
    Oct 20, 2008
    10. Mar 10, 2012 10:59 PM (in response to prince)
    Re: What is the native vlan?

    The Access VLAN is dead. Long live the Native VLAN.

    When a frame is forwarded on a port, it is sent either "Tagged" or "Untagged". I can see you clearly understand this by the wording of your question.

    For some vendors, that's the end of the story. For a given port, you have "Tagged" or "Untagged" VLANs, but for Cisco:

    Tagged VLANs can be called:

    • Tagged VLANs
    • Voice VLANs
    • Auxiliary VLANs (old terminology)

    Untagged VLANs can be called:

    • Untagged VLANs
    • Access VLANs
    • Native VLANs

    Why Cisco has multiple names for the same concept is a mystery to me. Although the terms "Native VLAN" and "Access VLAN" both refer to "Untagged VLANs", they cannot be used interchangeably.

    On a port which is an Access Port, the Untagged VLAN is called the Access VLAN.

    On a port which is a Trunk Port, the Untagged VLAN is called the Native VLAN.

    So Cisco has two methods of handling "Untagged" traffic on a port. In fact, it is possible to have a port assigned to "Access VLAN x" and to "Native VLAN y" simultaneously. This can be especially confusing if the port also determines its "Trunking" configuration dynamically. If such a port were connected to a PC, untagged traffic would be classified as belonging to VLAN x, whereas if it were connected to another Cisco Trunk port, untagged traffic would be classified as being on VLAN y.

    Now back to your original question: "What is the point of the Native VLAN?"

    Quite simply, the point of the Native VLAN is to specify which VLAN should handle untagged traffic for a given Trunk Port.

    I think many of the answers here explain why it is necessary to have the ability to handle "Untagged" traffic as well as "Tagged" traffic. However, the "point" of having both the concept of an "Access VLAN" AND a "Native VLAN" I can't help you with. But I will help you with a few scenarios that you ought to be aware of when dealing with the "Native VLAN".

    Firstly, you are going to find in the future that you will need tagged packets on more and more ports - ports that connect to servers often need to see tagged packets, IP phones like to see tagged packets, some IP cameras use tagged packets, video equipment, etc., etc. - the list grows longer every day.

    So get used to the idea that pretty soon you'll need to make lots of ports Trunk ports, so I'll suggest now that you make ALL your ports trunk ports, and treat the Native VLAN as the VLAN that handles untagged traffic for that port. Consider the following two configuration options for a switchport.

    Option 1: Traditional Cisco

    interface Ethernet 0/2
      switchport
      switchport mode access
      switchport access vlan 10
      spanning-tree portfast

    Option 2: My preferred method

    interface Ethernet 0/2
      switchport
      switchport mode trunk
      switchport trunk native vlan 10
      switchport trunk allowed vlan 10
      spanning-tree portfast trunk

    Both configurations will result in the same behaviour. Only VLAN 10 traffic will be forwarded on each port, and it will be forwarded untagged. Any untagged traffic arriving at the port will be classified into VLAN 10.

    But now assume you want to create a Virtual Machine on your PC that's plugged into Ethernet 0/2, and you want that VM to be assigned to VLAN 20*. You'd now need to alter your configuration to:

    Option 1: Traditional Cisco

    interface Ethernet 0/2
      no switchport access vlan 10 ! Optional
      switchport mode trunk
      switchport trunk native vlan 10
      switchport trunk allowed vlan 10,20
      spanning-tree portfast trunk

    Option 2: My preferred method

    interface Ethernet 0/2
      switchport trunk allowed vlan add 20

    I think the second option is much easier.

    Now the same story could be repeated for the following scenarios:

    I want to add an IP camera.
    I want to add a (forgive me - a NON-Cisco) IP phone.
    I want to add [insert your own scenario here].

    The Access VLAN is dead. Long live the Native VLAN.

    I will mention that there are a couple of disadvantages to making all ports Trunk Ports.

    1. The "show interfaces status" command now shows all ports as trunk ports, and doesn't show you which VLAN untagged traffic will be classified on; however, the command "show interfaces trunk | in Mode|q" does a pretty good job instead.
    2. The "show vlan" command only shows inactive ports (at least on ver 12.1(22)EA13 on a C2950). I know NX-OS behaves differently with the output of the "show vlan" command, but I don't have a Nexus 7K at my desk to try!

    Let me finish with one more gem about the native VLAN. It concerns the "switchport trunk allowed vlan" command. I want to tell you that you need to be very careful to include the "Native VLAN" in the list of allowed VLANs, especially if the port is connected to another switch. Why? Because all those control protocol frames (CDP, VTP, DTP, STP etc.) are all sent on the Native (untagged) VLAN. If the Native VLAN is NOT in the list of allowed VLANs, then these frames may not be transmitted. (I say MAY not, because with different switches and different versions of IOS, different protocols are included or excluded.) This can lead to the creation of loops due to the lack of Spanning Tree BPDUs being transmitted, and unexpected behaviour if you rely on dynamic trunking or the VLAN Trunking Protocol to disseminate VLAN information.

    So in conclusion:

    • The terms "Native VLAN" and "Access VLAN" are two different ways of referring to untagged VLANs on Cisco switches; each term is tied to a port type: Native VLANs for Trunk Ports and Access VLANs for Access Ports.
    • If you make all your ports trunk ports, you won't have to worry about "Access VLANs" any more, and your configuration will be more flexible.

    Footnote:

    *This assumes you have a PC that supports tagged frames. My OS X does, and I've done it on Linux. I don't know about Windows.

    Chris Welsh

    A slightly expanded version of this answer appears on my blog at http://rednectar.net/2012/03/11/the-access-vlan-is-dead-long-live-the-native-vlan/
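An added model, written for this thread rather than taken from Chris's post or from Cisco, of how a Cisco port classifies frames under the access-VLAN and native-VLAN rules described above: it builds constructed 802.1Q frames, reads the tag, and shows that the two Ethernet 0/2 configurations behave identically, that a port holding both an access VLAN and a native VLAN classifies the same untagged frame differently depending on its resolved mode, and that untagged frames are dropped when the native VLAN is left out of the allowed list. The Port class and frame builder are my own simplification, not an IOS data structure.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

TPID_8021Q = 0x8100
ALL_VLANS = frozenset(range(1, 4095))

@dataclass
class Port:
    mode: str                          # "access" or "trunk" (after any DTP negotiation)
    access_vlan: int = 1               # used only when mode == "access"
    voice_vlan: Optional[int] = None   # tagged VLAN an access port also accepts
    native_vlan: int = 1               # used only when mode == "trunk"
    allowed: FrozenSet[int] = ALL_VLANS

def build_frame(vid: Optional[int], payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed Ethernet frame (broadcast dst, made-up src), 802.1Q-tagged if vid is given."""
    hdr = b"\xff" * 6 + bytes.fromhex("020000000001")
    if vid is not None:
        hdr += TPID_8021Q.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
    return hdr + b"\x08\x00" + payload

def read_tag(frame: bytes) -> Optional[int]:
    """VID from the 802.1Q header, or None when the frame is untagged."""
    if int.from_bytes(frame[12:14], "big") != TPID_8021Q:
        return None
    return int.from_bytes(frame[14:16], "big") & 0x0FFF

def classify_ingress(port: Port, frame: bytes) -> Optional[int]:
    """VLAN the switch places an incoming frame in, or None when it is dropped."""
    vid = read_tag(frame)
    if port.mode == "access":
        if vid is None:
            return port.access_vlan                  # untagged -> access VLAN
        return vid if vid == port.voice_vlan else None
    if vid is None:
        vid = port.native_vlan                       # untagged -> this trunk's native VLAN
    return vid if vid in port.allowed else None      # the native VLAN must be allowed too

def egress_tagged(port: Port, vlan: int) -> Optional[bool]:
    """True/False if a frame in `vlan` leaves tagged/untagged; None if not forwarded at all."""
    if port.mode == "access":
        if vlan == port.access_vlan:
            return False
        return True if vlan == port.voice_vlan else None
    if vlan not in port.allowed:
        return None
    return vlan != port.native_vlan

# Chris's two equivalent Ethernet 0/2 configurations, and the trunk one after VLAN 20
# is added to the allowed list for the VM.
TRADITIONAL = Port("access", access_vlan=10)
PREFERRED = Port("trunk", native_vlan=10, allowed=frozenset({10}))
PREFERRED_PLUS_VM = Port("trunk", native_vlan=10, allowed=frozenset({10, 20}))
```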

  • Sudharsan Nammalwar 9 posts since
    Jul 27, 2010
    11. Mar 11, 2012 8:04 AM (in response to Jordan - CCIE# 41293)
    Re: What is the native vlan?

    Hi Jorruiz,

    The diagram depicts PCs with different colors belonging to that VLAN. For example, SW1 has Blue, Red and Green VLANs, and the PCs with the background color, if you notice, belong to the corresponding VLANs. The PCs without a color background have been labelled as NATIVE VLAN.

    If I had put in a legend saying all the details about the picture, it would have been easy for you to understand. Sorry for that.

    If you consider the explanation of the diagram, can you now comprehend it, and does it make sense to you?

    But really, I do not understand what made you think of me as "acting like a know-it-all who corrects people"!

    This is a forum; people post some questions and anybody can try to answer them (I do not need to be an expert). This is a forum to help each other with what we know and understand. The reply to a post may be correct or may not be. If I say something incorrect I get corrected by fellow people, and at the end I learn.

    Cheers,

    Sudharsan.


  • Paul Stewart  -  CCIE Security, CCSI 6,952 posts since
    Jul 18, 2008
    12. Mar 11, 2012 8:31 AM (in response to Sudharsan Nammalwar)
    Re: What is the native vlan?

    Sudharsan Nammalwar wrote: (see post 7 above)

    This example confuses me a bit. The reason I say that is that the computers connected to SW1 and SW2 and shown as "NATIVE" would actually be on access ports. The access port configuration connected to the hub would actually determine what VLAN the hub-connected PCs could communicate with (and which VLANs could send traffic to the hub-connected PCs). Could you configure a native VLAN on a PC-connected switchport? Sure, but that would be hard-coding the switchport to trunk mode. You basically have an access port that is in the VLAN specified by the native configuration. Additionally, it has the security issues of having a trunk port configured for an end station.

  • Jordan - CCIE# 41293 68 posts since
    Sep 28, 2009
    13. Mar 12, 2012 9:48 AM (in response to Sudharsan Nammalwar)
    Re: What is the native vlan?

    My point was that a native VLAN can be different on every trunk link. Yes, the native VLAN must match on both sides of the trunk, but there could be ten different trunks in the diagram with ten different native VLANs and no issue. People often think of the native VLAN as needing to be the same across all switches, and that doesn't matter. It just needs to be agreed upon on both sides of the trunk. Therefore, labeling computers in a diagram as being part of the native VLAN doesn't make sense. They are in a numbered VLAN which may or may not be tagged over individual trunks. And you're right, this is a forum where people are just trying to learn. I wasn't criticizing you with that comment; I was simply trying to say that I am not trying to act like a know-it-all. Just trying to correct you on that point.

  • Jordan - CCIE# 41293 68 posts since
    Sep 28, 2009
    Re: What is the native vlan?

    Hey Chris,

    Great post. Just a couple of extra points. It's specifically VLAN 1 that must be allowed for STP BPDUs, not the native VLAN. Regardless of the native VLAN, if you don't allow VLAN 1, you don't get the backwards-compatible IEEE BPDUs on a trunk. Also, the only problem I see with making every access port a trunk as you show is with "switchport voice vlan x". That command tells an attached Cisco phone how to tag its traffic. I was under the impression that that will only work with access ports. Also, port security will not be an option on trunk ports.
