46 Replies. Latest reply: May 5, 2015 9:43 AM by prince

    What is the native vlan?

    prince

       

      What is the point of the native VLAN? I understand that traffic in the VLAN is untagged, but the tags are removed before frames are sent out the access port, so why carry untagged traffic over the trunk links? ISL works without a "native VLAN"; why does 802.1q use it?

        • 1. Re: What is the native vlan?
          JP

          hi prince,

           

          I would say when ISL trunking is used there is no native VLAN, since all frames receive an ISL header. I am sure someone studying for CCIE, or who is a CCIE, can elaborate.

          • 2. Re: What is the native vlan?
            prince

            I understand the headers in ISL, but it seems that the only thing the native VLAN is for is to cause a security risk. I'm studying for CCNP Security as well as for my CCIE Lab exam and I'm trying to understand a design reason for the native VLAN. In the security studies I'm reading, you should prune the native VLAN across the trunks. If I'm implementing VLANs I want my traffic to have a VLAN tag. If it's not tagged then it shouldn't go across my trunks.

            • 3. Re: What is the native vlan?
              Paul Stewart  -  CCIE Security

              IEEE seems to really care about backward compatibility. A long time ago in a galaxy far, far away, a switch might not always connect to another switch directly.  So consider if you have the network below:

               

              <SW1>--------<HUB>-------<SW2>

               

              It is possible for SW1 and SW2 to have ports on more than one vlan. For that vlan information to be carried, we need an 802.1q (or ISL) trunk. But what about something connected to the hub? Well that's where the native vlan comes into play.  To be honest, I've never seen this in production. However, it is certainly possible and the main explanation I've heard.

              • 4. Re: What is the native vlan?
                Martin

                The native VLAN, aka 802.1Q trunking: if one of the devices does not support trunking, the traffic for that one native VLAN can still be sent over the link. By default, the native VLAN is VLAN 1.

                STP on vlan 1 works without a trunk link, right?

                There is something else that needs the native VLAN, I think; maybe it will come back to me....

                • 5. Re: What is the native vlan?
                  JohnDonovan32

                  The native VLAN is used to carry untagged traffic across a trunk. However, let's say your native VLAN is 1 (by default). Best practice would say to disable VLAN 1 and use a different VLAN as the native VLAN, as a switchport that is not configured will automatically be in VLAN 1. The native VLAN carries other traffic such as DTP updates. You want to separate these from VLAN 1 as well as from the trunk links. Set the native VLAN to 999, shut down VLAN 1, and only allow tagged VLANs as well as native VLAN 999 across.

                  • 6. Re: What is the native vlan?
                    Jordan - CCIE# 41293

                    Not a very good idea to disable VLAN 1. The backwards-compatible STP BPDUs only flow across a trunk that allows VLAN 1 specifically. Try plugging the Cisco switch into an HP without allowing VLAN 1. The only option then would be to use MST on every link. VLAN 1 specifically must be allowed for those BPDUs. I would say that you should change your native VLAN to 999 and then make sure that the VLAN never has any hosts in it.

                    • 7. Re: What is the native vlan?
                      Sudharsan Nammalwar

                      Native vlan.png

                      Hi Prince,

                       

                      If you look at the above diagram, SW1 and SW2 are connected by a trunk port (802.1q), whereas SW2 and the HUB are connected by an ACCESS link.

                       

                      Now I have a special need: some computers connected to SW1 and SW2 need to talk to computers connected to the HUB. In this scenario, if all the ports are part of a VLAN and tagged, then this information cannot be passed to a HUB, which has no ability to understand VLAN tags.

                       

                      So for that reason I can move the computers to NATIVE, or LEGACY, or BACKWARD-compatible ports, called the NATIVE VLAN, so that normal switch functionality can be performed where needed.

                       

                      This is one application for NATIVE VLANs. However, it has some more applications as well. For example, other than data traffic, control traffic like CDP, PAgP and LACP will not understand VLAN tagging, so we need a default VLAN which need not be tagged.

                       

                      HTH,

                      Cheers,

                      Sudharsan.

                      • 8. Re: What is the native vlan?
                        Jordan - CCIE# 41293

                        Not trying to act like a know it all who corrects people, but you're a bit off Sudharsan.  Being a Cisco instructor, I teach this topic every other week.  Native VLANs are trunk port specific.  You can have a different Native VLAN on every trunk port if you like.  So to say that all these computers in your diagram are in the Native VLAN doesn't actually make sense.  They are access ports. Access ports do not use the concept of a native VLAN.  The data VLAN is untagged, and if there's a voice VLAN it is tagged. Whether that same access VLAN (let's call it VLAN 5) happens to be the Native VLAN over the one and only trunk in the diagram, means absolutely nothing to the hub.  There's absolutely nothing in your diagram that requires you to carry the native VLAN over the trunk.

                        • 9. Re: What is the native vlan?
                          Narbik

                          The Native VLAN should be identical on both ends of the link, or else the trunk port for the VLANs that are used on the endpoints (the Native VLANs) of the trunk will go into Spanning-tree blocking state. Now, as long as that is OK with you, I do not see a problem; as long as you are aware of it, you are OK.

                           

                          But on some IOS versions (I don't remember which), I have seen the endpoints configured in different Native VLANs with no problems whatsoever; as long as you know what's going on, you should be fine. Here is an example:

                           

                          In the following case both switches (SW1 and SW2) are configured with VLAN 100 and they are both in the same VTP domain called "tst". These switches are running "c3560-advipservicesk9-mz.122-25.SEE2.bin" with different Native VLANs:

                           

                           

                          SW1's configuration:

                          SW1#Sh run int f0/19 | b interface
                          interface FastEthernet0/19
                           switchport trunk encapsulation dot1q
                           switchport mode trunk

                          To verify:

                          SW1#Show interface trunk
                          Port        Mode         Encapsulation  Status        Native vlan
                          Fa0/19      on           802.1q         trunking      1

                          Port        Vlans allowed on trunk
                          Fa0/19      1-4094

                          Port        Vlans allowed and active in management domain
                          Fa0/19      1,100

                          Port        Vlans in spanning tree forwarding state and not pruned
                          Fa0/19      none

                           

                           

                          SW2's configuration:

                          SW2#Sh run int f0/19 | b interface
                          interface FastEthernet0/19
                           switchport trunk encapsulation dot1q
                           switchport trunk native vlan 100
                           switchport mode trunk

                          To verify:

                          SW2#Show interface trunk
                          Port        Mode         Encapsulation  Status        Native vlan
                          Fa0/19      on           802.1q         trunking      100

                          Port        Vlans allowed on trunk
                          Fa0/19      1-4094

                          Port        Vlans allowed and active in management domain
                          Fa0/19      1,100

                          Port        Vlans in spanning tree forwarding state and not pruned
                          Fa0/19      none

                           

                          You can see that the Native VLANs do not match, and the trunk seems to be up with no problems, but check the output of the following show commands:

                           

                          On SW2

                           

                          SW2#Show spanning-tree blockedports
                          Name                 Blocked Interfaces List
                          -------------------- ------------------------------------
                          VLAN0001             Fa0/19
                          VLAN0100             Fa0/19

                          Number of blocked ports (segments) in the system : 2

                           

                          On SW1

                           

                          SW1#Show spanning-tree blockedports
                          Name                 Blocked Interfaces List
                          -------------------- ------------------------------------
                          VLAN0001             Fa0/19
                          VLAN0100             Fa0/19

                          Number of blocked ports (segments) in the system : 2

                           

                           

                          You should also see the following console error messages:

                           

                          %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/19 (1), with SW2 FastEthernet0/19 (100).
                          Blocking FastEthernet0/19 on VLAN0001. Inconsistent peer vlan.
                          Blocking FastEthernet0/19 on VLAN0100. Inconsistent local vlan.

                           

                           

                           

                          I hope this helped.

                           

                          Narbik Kocharians
                          CCSI#30832, CCIE# 12410 (R&S, SP, Security)
                          www.MicronicsTraining.com
                          Sr. Technical Instructor

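The following is an added example, not code from the thread or from any of the posters. It is a small Python model of how a Cisco-style switch classifies 802.1Q frames on access and trunk ports, written to make three things in this thread concrete: what the trunk's native VLAN actually does (untagged on egress, untagged-in means native on ingress), why the mismatched lab above (SW1 native 1, SW2 native 100) silently merges VLAN 1 on one switch with VLAN 100 on the other, which is the inconsistency PVST+ blocks, and why the hardening advice in replies 5 and 6 (native VLAN moved to an unused number such as 999, with no hosts in it) defeats the classic double-tag VLAN hop, the "security risk" the original poster alludes to. The switch and VLAN numbers follow Narbik's lab; the port classes, helper names, and the assumption that an access port accepts a frame tagged with its own access VLAN are this example's own and vary by platform.

```python
"""
Toy model of 802.1Q classification on Cisco-style access and trunk ports.
Added example, not code from the thread; the port classes and the double-tag
scenario are this example's own, and real platforms differ in details.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class WireFrame:
    """A frame on the wire; 'tags' is the stack of 802.1Q VIDs, outermost first."""
    tags: Tuple[int, ...]
    payload: bytes


@dataclass(frozen=True)
class SwitchedFrame:
    """A frame after ingress classification: the VLAN the switch will forward it
    in, plus any tags it did not strip (an inner tag just rides in the payload)."""
    vlan: int
    tags: Tuple[int, ...]
    payload: bytes


class AccessPort:
    def __init__(self, vlan: int) -> None:
        self.vlan = vlan

    def ingress(self, f: WireFrame) -> Optional[SwitchedFrame]:
        """Untagged -> access VLAN. A frame tagged with the access VLAN itself is
        accepted with that tag popped (assumed; platform-dependent). Other tags drop."""
        if not f.tags:
            return SwitchedFrame(self.vlan, (), f.payload)
        if f.tags[0] == self.vlan:
            return SwitchedFrame(self.vlan, f.tags[1:], f.payload)
        return None


class TrunkPort:
    def __init__(self, native: int, allowed: Iterable[int]) -> None:
        self.native = native
        self.allowed = frozenset(allowed)

    def egress(self, f: SwitchedFrame) -> Optional[WireFrame]:
        """Native VLAN leaves untagged; any other allowed VLAN gets a tag pushed;
        a VLAN missing from the allowed list is not sent at all."""
        if f.vlan not in self.allowed:
            return None
        if f.vlan == self.native:
            return WireFrame(f.tags, f.payload)
        return WireFrame((f.vlan,) + f.tags, f.payload)

    def ingress(self, f: WireFrame) -> Optional[SwitchedFrame]:
        """Untagged -> native VLAN; tagged -> outer tag popped and used."""
        vlan, rest = (self.native, ()) if not f.tags else (f.tags[0], f.tags[1:])
        if vlan not in self.allowed:
            return None
        return SwitchedFrame(vlan, rest, f.payload)


def native_mismatch(a: TrunkPort, b: TrunkPort) -> bool:
    """The condition CDP reports as %CDP-4-NATIVE_VLAN_MISMATCH."""
    return a.native != b.native


def carry(vlan: int, tx: TrunkPort, rx: TrunkPort) -> Optional[int]:
    """Send a frame already classified in `vlan` out `tx`; return the VLAN the
    far switch classifies it into on `rx` (None if dropped somewhere)."""
    wire = tx.egress(SwitchedFrame(vlan, (), b"data"))
    got = rx.ingress(wire) if wire is not None else None
    return None if got is None else got.vlan


def double_tag_hop(access_vlan: int, outer: int, inner: int,
                   tx: TrunkPort, rx: TrunkPort) -> Optional[int]:
    """A host on an access port sends a frame tagged (outer, inner); return the
    VLAN the far switch delivers it to."""
    s = AccessPort(access_vlan).ingress(WireFrame((outer, inner), b"x"))
    wire = tx.egress(s) if s is not None else None
    got = rx.ingress(wire) if wire is not None else None
    return None if got is None else got.vlan


if __name__ == "__main__":
    sw1 = TrunkPort(native=1, allowed=range(1, 4095))      # SW1 Fa0/19, native 1
    sw2 = TrunkPort(native=100, allowed=range(1, 4095))    # SW2 Fa0/19, native 100
    print("native mismatch:", native_mismatch(sw1, sw2))    # True
    print("SW1 VLAN 1 arrives on SW2 in VLAN", carry(1, sw1, sw2))      # 100
    print("SW2 VLAN 100 arrives on SW1 in VLAN", carry(100, sw2, sw1))  # 1
    weak = TrunkPort(native=1, allowed=range(1, 4095))
    hard = TrunkPort(native=999, allowed=range(1, 4095))
    print("double tag (1,100) with native 1 lands in VLAN", double_tag_hop(1, 1, 100, weak, weak))    # 100
    print("double tag (1,100) with native 999 lands in VLAN", double_tag_hop(1, 1, 100, hard, hard))  # 1
```

With matching native VLANs every VLAN comes out where it went in. With SW1 at native 1 and SW2 at native 100, SW1's VLAN 1 frames leave untagged and SW2 classifies them into VLAN 100, and the reverse direction maps VLAN 100 onto VLAN 1, so the two VLANs are bridged together through the link; that is what the "Inconsistent peer vlan" blocking above protects against. In the double-tag case the attacker's outer tag equals the trunk's native VLAN, the first switch strips it on egress, and the inner tag is what the second switch reads; once the native VLAN is a number no host can be in, the outer tag is pushed again and the inner tag never reaches the top of the stack.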

                           

                          • 10. Re: What is the native vlan?
                            "RedNectar" Chris Welsh

                            The Access VLAN is dead.  Long live the Native VLAN.

                             

                            When a frame is forwarded on a port, it is sent either "Tagged" or "Untagged". I can see you clearly understand this by the wording of your question.

                             

                            For some vendors, that's the end of the story.  For a given port, you have "Tagged" or "Untagged" VLANs, but for Cisco:

                             

                            Tagged VLANs can be called:

                            • Tagged VLANs
                            • Voice VLANs
                            • Auxiliary VLANs (old terminology)

                             

                            Untagged VLANs can be called:

                            • Untagged VLANs
                            • Access VLANs
                            • Native VLANs

                             

                            Why Cisco has multiple names for the same concept is a mystery to me.  Although the terms "Native VLAN" and "Access VLAN" both refer to "Untagged VLANs", they cannot be used interchangeably.

                             

                            On a port, which is an Access Port, the Untagged VLAN is called the Access VLAN

                            On a port, which is a Trunk Port, the Untagged VLAN is called the Native VLAN.

                             

                            So Cisco has two methods of handling "Untagged" traffic on a port.  In fact, it is possible to have a port assigned to "Access VLAN x" and to "Native VLAN y" simultaneously.  This can be especially confusing if the port also determines its "Trunking" configuration dynamically.  If such a port were connected to a PC, untagged traffic would be classified as belonging to VLAN x, whereas if it were connected to another Cisco Trunk port, untagged traffic would be classified as being on VLAN y.

                             

                            Now back to your original question. "What is the point of the Native VLAN?" 

                             

                            Quite simply, the point of the Native VLAN is to specify which VLAN should handle untagged traffic for a given Trunk Port.

                             

                            I think many of the answers here explain why it is necessary to have the ability to handle "Untagged" traffic as well as "Tagged" traffic.  However, the "point" of having both the concept of an "Access VLAN" AND a "Native VLAN" I can't help you with.  But I will help you with a few scenarios that you ought to be aware of when dealing with the "Native VLAN".

                             

                            Firstly, you are going to find in the future that you will need tagged packets on more and more ports - ports that connect to servers often need to see tagged packets, IP phones like to see tagged packets, some IP cameras use tagged packets, Video equipment, etc., etc. - the list grows longer every day.

                             

                            So get used to the idea that pretty soon you'll need to make lots of ports Trunk ports, so I'll suggest now that you make ALL your ports trunk ports, and treat the Native VLAN as the VLAN that handles untagged traffic for that port.  Consider the following two configuration options for a switchport.

                             

                            Option 1: Traditional Cisco

                            interface Ethernet 0/2
                              switchport
                              switchport mode access
                              switchport access vlan 10
                              spanning-tree portfast

                            Option 2: My preferred method

                            interface Ethernet 0/2
                              switchport
                              switchport mode trunk
                              switchport trunk native vlan 10
                              switchport trunk allowed vlan 10
                              spanning-tree portfast trunk

                             

                             

                            Both configurations will result in the same behaviour.  Only VLAN 10 traffic will be forwarded on each port, and it will be forwarded untagged.  Any untagged traffic arriving at the port will be classified into VLAN 10.

                             

                            But now assume you want to create a Virtual Machine on your PC that's plugged into Ethernet 0/2, and you want that VM to be assigned to VLAN 20*.  You'd now need to alter your configuration to:

                             

                            Option 1: Traditional Cisco

                            interface Ethernet 0/2
                              no switchport access vlan 10   ! optional
                              switchport mode trunk
                              switchport trunk native vlan 10
                              switchport trunk allowed vlan 10,20
                              spanning-tree portfast trunk

                            Option 2: My preferred method

                            interface Ethernet 0/2
                              switchport trunk allowed vlan add 20

                             

                             

                            I think the second option is much easier.

                             

                            Now the same story could be repeated for the following scenarios:

                            I want to add an IP camera.

                            I want to add a (forgive me - a NON-Cisco) IP Phone

                            I want to add [insert your own scenario here]

                             

                            The Access VLAN is dead.  Long live the Native VLAN.

                             

                            I will mention that there are a couple of disadvantages to making all ports Trunk Ports.

                             

                            1. The "show interfaces status" command now shows all ports as trunk ports, and doesn't show you which VLAN untagged traffic will be classified on; however, the command "show interfaces trunk | in Mode|q" does a pretty good job instead.
                            2. The "show vlan" command only shows inactive ports (at least on ver 12.1(22)EA13 on a C2950). I know NX-OS behaves differently with the output of the "show vlan" command, but I don't have a Nexus 7K at my desk to try!

                             

                            Let me finish with one more gem about the native VLAN, and it concerns the "switchport trunk allowed vlan" command. I want to tell you that you need to be very careful to include the "Native VLAN" in the list of allowed VLANs, especially if the port is connected to another switch. Why? Because all those control protocol frames (CDP, VTP, DTP, STP, etc.) are all sent on the Native (untagged) VLAN. If the Native VLAN is NOT in the list of allowed VLANs, then these frames may not be transmitted. (I say MAY not, because with different switches and different versions of IOS, different protocols are included or excluded.) This can lead to the creation of loops due to the lack of Spanning Tree BPDUs being transmitted, and unexpected behaviour if you rely on dynamic trunking or the VLAN Trunking Protocol to disseminate VLAN information.

                             

                            So in conclusion:

                            • The terms "Native VLAN" and "Access VLAN" are two different ways of referring to untagged VLANs on Cisco switches – each term is tied to a port type.  Native VLANs for Trunk Ports and Access VLANs for Access ports.
                            • If you make all your ports trunk ports, you won’t have to worry about "Access VLANs" any more, and your configuration will be more flexible.

                             

                             

                            Footnote:

                            *This assumes you have a PC that supports tagged frames.  My OS X does, and I've done it on Linux.  I don't know about Windows.

                             

                            Chris Welsh

                             

                            A slightly expanded version of this answer appears on my blog at http://rednectar.net/2012/03/11/the-access-vlan-is-dead-long-live-the-native-vlan/
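The three native-VLAN pitfalls raised in this thread (native VLAN left at the default 1, native VLAN missing from the trunk's allowed list so that untagged control frames may not be sent, and VLAN 1 pruned off a trunk so the IEEE BPDUs a non-Cisco peer relies on never cross it) are all visible in a running config, so they can be checked mechanically. The script below is an added example, not code from the thread or from any poster: it parses the interface blocks of an IOS-style "show run" the way they appear in this thread, applies the IOS defaults when a line is absent (native VLAN 1, all VLANs allowed), expands VLAN lists including the "add" / "remove" / "except" forms, and reports findings per trunk port. The sample config and the finding codes are constructed for the example. Note that the VLAN 1 check matters on switch-to-switch links; on the all-ports-are-trunks end-station design above it is informational.

```python
"""
Lint 802.1Q trunk configuration in an IOS-style running config for the
native-VLAN pitfalls discussed in the thread. Added example, not code from the
thread; the sample config is constructed and the finding codes are this
script's own.
"""
import re
from typing import Dict, List, Set, Tuple

ALL_VLANS: Set[int] = set(range(1, 4095))


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,10-12,999' (also 'all' / 'none')."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    out: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            out.update(range(lo, hi + 1))
        else:
            out.add(int(part))
    return out


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collect switchport mode, native VLAN and allowed VLANs per interface.
    IOS defaults apply when a line is absent: native VLAN 1, all VLANs allowed."""
    ifaces: Dict[str, dict] = {}
    cur = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = {"mode": None, "native": 1, "allowed": set(ALL_VLANS)}
            ifaces[raw.split(None, 1)[1].strip()] = cur
            continue
        if cur is None or not raw.startswith(" "):
            cur = None  # '!' or any unindented line ends the interface block
            continue
        line = raw.strip()
        m = re.fullmatch(r"switchport mode (\w+)", line)
        if m:
            cur["mode"] = m.group(1)
            continue
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            cur["native"] = int(m.group(1))
            continue
        m = re.fullmatch(r"switchport trunk allowed vlan (add|remove|except)?\s*(\S+)", line)
        if m:
            verb, spec = m.group(1), parse_vlan_list(m.group(2))
            if verb == "add":
                cur["allowed"] |= spec
            elif verb == "remove":
                cur["allowed"] -= spec
            elif verb == "except":
                cur["allowed"] = ALL_VLANS - spec
            else:
                cur["allowed"] = spec
    return ifaces


FINDINGS = {
    "NATIVE_IS_DEFAULT": "native VLAN is the default (1); move it to an unused VLAN with no hosts in it",
    "NATIVE_NOT_ALLOWED": "native VLAN is not in the allowed list; untagged CDP/VTP/DTP/STP frames may not be sent",
    "VLAN1_NOT_ALLOWED": "VLAN 1 is pruned; IEEE (untagged) STP BPDUs will not cross this trunk to a non-Cisco peer",
}


def lint_trunks(ifaces: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (interface, finding code) pairs for every trunk-mode port."""
    out: List[Tuple[str, str]] = []
    for name, cfg in ifaces.items():
        if cfg["mode"] != "trunk":
            continue
        native, allowed = cfg["native"], cfg["allowed"]
        if native == 1:
            out.append((name, "NATIVE_IS_DEFAULT"))
        if native not in allowed:
            out.append((name, "NATIVE_NOT_ALLOWED"))
        if 1 not in allowed:
            out.append((name, "VLAN1_NOT_ALLOWED"))
    return out


# Constructed sample: one default trunk, one trunk whose native VLAN is pruned,
# one trunk that gets it right, and an access port that the linter ignores.
SAMPLE_CONFIG = """\
interface FastEthernet0/19
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/20
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,100
 switchport mode trunk
!
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,10,20
 switchport trunk allowed vlan add 999
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
"""

if __name__ == "__main__":
    for name, code in lint_trunks(parse_interfaces(SAMPLE_CONFIG)):
        print(f"{name}: {code}: {FINDINGS[code]}")
```

Feed it the output of "show running-config" from a switch; FastEthernet0/19 in the sample reproduces the default-native-VLAN trunk from the lab earlier in the thread, FastEthernet0/20 shows the allowed-list mistake, and FastEthernet0/21 passes because its native VLAN 999 and VLAN 1 are both allowed.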

                            • 11. Re: What is the native vlan?
                              Sudharsan Nammalwar

                              Hi Jorruiz,

                              The diagram depicts PCs whose background colour indicates their VLAN. For example, SW1 has Blue, Red and Green VLANs, and if you notice, the PCs with a background colour belong to the corresponding VLANs. The PCs without a background colour have been labelled NATIVE VLAN.

                               

                              If I had put a legend giving all the details of the picture, it would have been easier for you to understand. Sorry for that.

                               

                              If you consider this explanation of the diagram, can you now comprehend it, and does it make sense to you?

                               

                              But really I do not understand what made you think of me as someone who would "act like a know-it-all who corrects people"!

                              This is a forum; people post questions and anybody can try to answer them (I do not need to be an expert). This is a forum to help each other with what we know and understand. The reply to a post may be correct or may not be. If I say something incorrect, I get corrected by fellow members, and in the end I learn.

                               

                              Cheers,

                              Sudharsan.


                              • 12. Re: What is the native vlan?
                                Paul Stewart  -  CCIE Security

                                Sudharsan Nammalwar wrote:

                                Native vlan.png

                                Hi Prince,

                                If you look at the above diagram, SW1 and SW2 are connected by a trunk port (802.1q), whereas SW2 and the HUB are connected by an ACCESS link.

                                Now I have a special need: some computers connected to SW1 and SW2 need to talk to computers connected to the HUB. In this scenario, if all the ports are part of a VLAN and tagged, then this information cannot be passed to a HUB, which has no ability to understand VLAN tags.

                                So for that reason I can move the computers to NATIVE, or LEGACY, or BACKWARD-compatible ports, called the NATIVE VLAN, so that normal switch functionality can be performed where needed.

                                This is one application for NATIVE VLANs. However, it has some more applications as well. For example, other than data traffic, control traffic like CDP, PAgP and LACP will not understand VLAN tagging, so we need a default VLAN which need not be tagged.

                                HTH,

                                Cheers,

                                Sudharsan.

                                 

                                This example confuses me a bit. The reason I say that is that the computers connected to SW1 and SW2 and shown as "NATIVE" would actually be on access ports. The access port configuration connected to the hub would actually determine which VLAN the hub-connected PCs could communicate with (and which VLANs could send traffic to the hub-connected PCs). Could you configure a native VLAN on a PC-connected switchport? Sure, but that would be hard-coding the switchport to trunk mode. You basically have an access port that is in the VLAN specified by the native configuration. Additionally, it has the security issues of having a trunk port configured for an end station.

                                • 13. Re: What is the native vlan?
                                  Jordan - CCIE# 41293

                                  My point was that a native VLAN can be different on every trunk link. Yes, the native VLAN must match on both sides of the trunk, but there could be ten different trunks in the diagram with ten different native VLANs and no issue. People often think of the native VLAN as needing to be the same across all switches, and that doesn't matter. It just needs to be agreed upon on both sides of the trunk. Therefore, labeling computers in a diagram as being part of the native VLAN doesn't make sense. They are in a numbered VLAN which may or may not be tagged over individual trunks. And you're right, this is a forum where people are just trying to learn. I wasn't criticizing you with that comment; I was simply trying to say that I am not trying to act like a know-it-all, just trying to correct you on that point.

                                  • 14. Re: What is the native vlan?
                                    Jordan - CCIE# 41293

                                    Hey Chris,

                                    Great post. Just a couple of extra points. It's specifically VLAN 1 that must be allowed for STP BPDUs, not the native VLAN. Regardless of the native VLAN, if you don't allow VLAN 1, you don't get the backwards-compatible IEEE BPDUs on a trunk. Also, the only problem I see with making every access port a trunk as you show is with "switchport voice vlan x". That command tells an attached Cisco phone how to tag its traffic. I was under the impression that it will only work with access ports. Also, port security will not be an option on trunk ports.
