08-01-2007 07:43 AM - edited 03-05-2019 05:38 PM
What should the native vlan of a trunk port ideally be set to? I know that
native vlan is used when packets coming in aren't tagged and there has to be
some place to put those packets in. However, with trunk links, how would the
other side ever send untagged packets? What kind of scenario would that
happen with?
If I am not using vlan1 for anything at all, should I simply set that as
native vlan for all my inter-switch connection trunk ports? Or something
else?
Thank you
08-01-2007 09:18 AM
Hi,
If I remember correctly, 2 years ago I read something about a security vulnerability in the 802.1q standard when you use the native vlan (in some way it's possible to jump between vlans), so the recommendation was not to use the native vlan.
A native vlan could be nice, for example, when you are connecting IP phones to a switch and the PC to the IP phone (using the PC vlan as the native vlan); in that scenario, if the IP phone fails or gets damaged, you can connect the PC directly to the switch.
I hope it helps.
08-01-2007 09:34 AM
Hi
It's best practice not to use vlan 1 as your native vlan. Best thing to do is to allocate a vlan that has no user ports in it and is non-routable, i.e. it has no layer 3 interface for it. We use vlan 999 for this purpose at work.
HTH
Jon
08-03-2007 12:34 AM
hi,
I only have one comment: even if we change the native VLAN, CDP, VTP and PAgP will still be transmitted over VLAN 1.
HTH,
Mohammed Mahmoud.
08-03-2007 01:30 AM
True.
08-03-2007 02:41 AM
Hi Harish
Cisco actually recommend changing the native vlan to a dummy vlan, i.e. one that is unused and non-routable. Please see the attached link for more details.
HTH
Jon
08-03-2007 07:59 AM
Hello..
The document says
"Configure the native VLAN to be an obvious dummy VLAN that is never enabled on the router. Cisco recommended VLAN 999 in the past, but the choice is purely arbitrary".
I am not sure why the Cisco documentation recommends vlan 999. What stops one from using vlan 999 as a user vlan?
I would stick to vlan 1.
-Harish
08-03-2007 08:59 AM
Harish
Nothing stops vlan 999 from being a user vlan, but you can choose to make it a dummy vlan where you have no user ports and no routed interface. It doesn't have to be 999; it can be any number.
As to why you shouldn't use vlan 1, there are quite a few good reasons in the document I gave a link to.
In short, yes, you can leave it as vlan 1 and everything will work fine, so it's up to the network administrator. Best practices are just that, practices; they don't have to be followed slavishly, but there is usually a very good reason why they should be.
Jon
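To turn the practice Jon describes in his two posts (native VLAN moved off VLAN 1 to a dummy VLAN with no user ports and no routed interface) into something you can check against a real switch, here is an added example that is not from the thread, from Cisco, or from any poster. It is a small Python audit that parses a constructed IOS-style running-config (the interface names, VLAN numbers and addresses are made up for the example) and flags every trunk whose native VLAN is 1, carries access ports on the same switch, or has an SVI that is not shut down. It assumes two IOS conventions: a trunk with no `switchport trunk native vlan` line uses VLAN 1, and an access port with no `switchport access vlan` line is in VLAN 1. Treating a shut-down SVI as non-routed is also an assumption of this example, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample running-config (not taken from the thread or any real
# switch). Gi0/1 keeps the default native VLAN 1; Gi0/2 uses VLAN 10, which
# also has a user port and a routed interface; Gi0/3 follows the thread's
# advice: native VLAN 999 with no access ports and no SVI.
SAMPLE_CONFIG = """\
vlan 10
 name USERS
vlan 999
 name DUMMY-NATIVE
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 10
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 10
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each 'interface' block."""
    blocks = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def audit_native_vlans(config):
    """Flag trunks whose native VLAN breaks the dummy-VLAN practice.

    A trunk is reported when its native VLAN is 1 (the IOS default), when
    access ports on this switch sit in that VLAN, or when that VLAN has an
    SVI that is not shut down. Returns {trunk name: [reasons]}; trunks with
    no findings are omitted.
    """
    blocks = parse_interfaces(config)
    access_ports = defaultdict(list)  # vlan id -> access ports in it
    routed_svis = set()               # vlan ids with an active 'interface VlanN'
    trunks = {}                       # trunk name -> native vlan id

    for name, lines in blocks.items():
        m = re.fullmatch(r"[Vv]lan(\d+)", name)
        if m:
            if "shutdown" not in lines:  # assumption: shut SVI is not routed
                routed_svis.add(int(m.group(1)))
            continue
        mode = native = access = None
        for entry in lines:
            if entry == "switchport mode trunk":
                mode = "trunk"
            elif entry == "switchport mode access":
                mode = "access"
            elif entry.startswith("switchport trunk native vlan "):
                native = int(entry.rsplit(None, 1)[1])
            elif entry.startswith("switchport access vlan "):
                access = int(entry.rsplit(None, 1)[1])
        if mode == "trunk":
            trunks[name] = native if native is not None else 1  # IOS default
        elif mode == "access":
            access_ports[access if access is not None else 1].append(name)

    findings = {}
    for name, native in trunks.items():
        reasons = []
        if native == 1:
            reasons.append("native VLAN is the default VLAN 1")
        if access_ports.get(native):
            reasons.append("native VLAN %d carries user ports: %s"
                           % (native, ", ".join(access_ports[native])))
        if native in routed_svis:
            reasons.append("native VLAN %d has a routed interface Vlan%d"
                           % (native, native))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for trunk, reasons in audit_native_vlans(SAMPLE_CONFIG).items():
        print(trunk)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, the audit reports GigabitEthernet0/1 (default native VLAN 1) and GigabitEthernet0/2 (native VLAN 10 has a user port and an SVI) and stays silent on GigabitEthernet0/3, the trunk configured the way the thread recommends. Feed it the output of `show running-config` to audit a real switch; it does not look at VLAN 1 control traffic (CDP, VTP, PAgP), which Mohammed's comment notes is unaffected by the native VLAN setting.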