native vlan

Unanswered Question
Feb 24th, 2007

Is there any real practical use for the native VLAN on an 802.1q trunk port? I have read that the native VLAN is also referred to as a management VLAN. Does this imply my management VLAN and native VLAN should be the same, and if so, why?

hoogen_82 Sat, 02/24/2007 - 08:39

When you use an IEEE 802.1Q trunk port, all frames are tagged except those on the VLAN configured as the "native VLAN" for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged. This VLAN is implicitly used for all the untagged traffic received on an 802.1Q-capable port. This is for when you connect to other switches rather than Cisco switches.

No, native VLANs do not necessarily always have to be management VLANs. Management VLANs can be different from the native VLANs. And there is no problem in having them the same either.

HTH

Hoogen

Do rate if I have helped :)

Jon Marshall Sat, 02/24/2007 - 09:52

Hi

As explained by the previous poster, the native VLAN is an IEEE decision that enabled dot1q to have backwards compatibility with other switches that did not carry or understand VLAN-tagged traffic.

I would argue strongly, however, that you should not have the native VLAN as your management VLAN. Just as Cisco recommend not to use VLAN 1 as your management VLAN, they also recommend you should make your native VLAN one that is unused for any type of traffic - management or user traffic.

Attached is a link to a security paper on VLANs. Have a read of the 802.1Q tagging attacks section; this will explain why you should always have a separate dedicated VLAN as the native VLAN.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

HTH

Jon

pciaccio Sat, 02/24/2007 - 10:04

I strongly agree with the previous poster. Your native VLAN should be all by itself. You should have no user or management traffic on it. This way, if you ever attach to any rogue switch via a trunk or have an unsecured environment, then your native VLAN (untagged) will not leak any important info into it... It is just another form of security that you should make a best practice for switches... Good luck...
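An added illustration, not part of any post in this thread, of the mechanism hoogen_82 describes and of the reasoning in the last two replies: on a trunk, untagged frames are implicitly placed in the native VLAN, so if the native VLAN is also the management VLAN, an untagged frame from an unknown device on the trunk lands among the management hosts, whereas a dedicated unused native VLAN leaves it with nowhere to go. The MAC addresses, VLAN numbers and host membership below are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_frame(dst, src, ethertype, payload, vid=None):
    """Build an Ethernet frame; a 4-byte 802.1Q tag is inserted only when vid is given."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI bits left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vid_or_None, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]


def trunk_ingress(frame, native_vlan, allowed):
    """VLAN a trunk port assigns a received frame to, or None if that VLAN is not allowed.
    Untagged frames are implicitly placed in the native VLAN."""
    vid, _, _ = parse_frame(frame)
    vlan = native_vlan if vid is None else vid
    return vlan if vlan in allowed else None


def trunk_egress(vlan, dst, src, ethertype, payload, native_vlan):
    """Frame as sent out of a trunk port: tagged unless the VLAN is the native one."""
    return build_frame(dst, src, ethertype, payload, None if vlan == native_vlan else vlan)


def reachable_from_untagged(native_vlan, allowed, members):
    """Hosts that an untagged broadcast from an unknown device on the trunk can reach.
    members maps VLAN id -> hosts/SVIs living in that VLAN (constructed topology)."""
    frame = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 0x0806, b"arp?")  # constructed
    vlan = trunk_ingress(frame, native_vlan, allowed)
    return members.get(vlan, []) if vlan is not None else []


# Constructed topology: management SVI in VLAN 1, users in VLAN 10, VLAN 999 has no members.
MEMBERS = {1: ["mgmt-svi"], 10: ["user-pc"]}
WEAK = reachable_from_untagged(native_vlan=1, allowed={1, 10}, members=MEMBERS)          # ['mgmt-svi']
HARDENED = reachable_from_untagged(native_vlan=999, allowed={10, 999}, members=MEMBERS)  # []
```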
