native vlan

matt_heff
Level 1

Is there any real practical use for the native VLAN on an 802.1Q trunk port? I have read that the native VLAN is also referred to as a management VLAN. Does this imply my management VLAN and native VLAN should be the same, and if so, why?

3 Replies

hoogen_82
Level 4

When you use an IEEE 802.1Q trunk port, all frames are tagged except those on the VLAN configured as the "native VLAN" for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged. This VLAN is implicitly used for all the untagged traffic received on an 802.1Q capable port. This is for when you connect to other switches rather than Cisco switches.

No, native VLANs do not necessarily have to be management VLANs. Management VLANs can be different from the native VLANs, and there is no problem in having them the same either.

HTH

Hoogen

Do rate if I have helped :)

Jon Marshall
Hall of Fame

Hi

As explained by the previous poster the native vlan is an IEEE decision that enabled dot1q to have backwards compatibility with other switches that did not carry or understand vlan tagged traffic.

I would argue strongly however that you should not have the native vlan as your management vlan. Just as Cisco recommend not to use vlan 1 as your management vlan they also recommend you should make your native vlan one that is unused for any type of traffic - management or user traffic.

Attached is a link to a security paper on vlans. Have a read on the 802.1Q tagging attacks section, this will explain why you should always have a separate dedicated vlan as the native vlan.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

HTH

Jon

I strongly agree with the previous poster: your native VLAN should be all by itself. You should have no user or management traffic on it. This way, if you ever attach to any rogue switch via a trunk or have an unsecured environment, then your native VLAN (untagged) will not leak any important info into it. It is just another form of security that you should make a best practice for switches. Good luck.
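To make the replies above concrete, here is an added example (not from any of the posters) that models what an 802.1Q trunk port does on egress and ingress: native-VLAN frames leave untagged, and any untagged frame that arrives is placed in the native VLAN. The tag layout (TPID 0x8100 followed by a 16-bit TCI after the source MAC) is the standard one; the sample frame is constructed for the demo.

```python
import struct

DOT1Q_TPID = 0x8100  # EtherType that marks an 802.1Q tag

def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload

def tag(frame, vlan_id, pcp=0):
    """Insert an 802.1Q tag (TPID + TCI) right after the source MAC."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", DOT1Q_TPID, tci) + frame[12:]

def untag(frame):
    """Return (vlan_id, frame_without_tag), or (None, frame) if untagged."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != DOT1Q_TPID:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]

def trunk_egress(frame, vlan_id, native_vlan):
    """What the trunk sends: native VLAN goes out untagged, all others tagged."""
    return frame if vlan_id == native_vlan else tag(frame, vlan_id)

def trunk_ingress(frame, native_vlan):
    """Which VLAN the trunk assigns to a received frame, plus the bare frame."""
    vid, inner = untag(frame)
    return (native_vlan if vid is None else vid), inner

def untagged_reaches_management(native_vlan, management_vlan):
    """True if an untagged frame from a device on the trunk lands in the
    management VLAN; this is why a dedicated, unused native VLAN is advised."""
    vid, _ = trunk_ingress(SAMPLE, native_vlan)
    return vid == management_vlan

# Constructed sample: broadcast frame from a locally administered MAC.
SAMPLE = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 0x0800,
                     b"constructed payload")

if __name__ == "__main__":
    print(untagged_reaches_management(native_vlan=1, management_vlan=1))    # True
    print(untagged_reaches_management(native_vlan=999, management_vlan=10)) # False
```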
