cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1078
Views
10
Helpful
9
Replies

Native vlan

ciscors
Level 1
Level 1

What should the native vlan of a trunk port ideally be set to? I know that

native vlan is used when packets coming in aren't tagged and there has to be

some place to put those packets in. However, with trunk links, how would the

other side ever send untagged packets? What kind of scenario would that

happen with?

If I am not using vlan1 for anything at all, should I simply set that as

native vlan for all my inter-switch connection trunk ports? Or something

else?

Thank you

9 Replies 9

pedroquiroga
Level 1
Level 1

Hi,

If I remember 2 years ago I read something about a security vulnerability in the 802.1q standard when you use native vlan (in some way its possible to jump between vlans) so the recomendation was not to use native vlan.

It could be nice a native vlan for example when you are connecting ip phones to a switch and the pc to the ip phone (using the pc vlan like the native vlan), in that scenario if the ip phone fails or get damage you can connect the pc in a direct way to the switch.

I hope it helps.

Jon Marshall
Hall of Fame
Hall of Fame

Hi

It's best practice not to use vlan 1 as your native vlan. Best thing to do is to allocate a vlan that has no user ports in it and is non-routable ie. it has no layer 3 interface for it. We use vlan 999 for this purpose at work.

HTH

Jon

It is always recommended to use native vlan as vlan 1. Please see the attached document. Hope this helps. Please rate if it does

-Harish

hi,

I only have one comment, even if we changed the native VLAN, then CDP, VTP and PAgP will still be transmitted over VLAN1.

HTH,

Mohammed Mahmoud.

True.

Hi Harish

Cisco actually recommend to change the native vlan to a dummy vlan ie. one that is unused and non-routable. Please see attached link for more details.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml#cg18

HTH

Jon

Hello..

The document says

"Configure the native VLAN to be an obvious dummy VLAN that is never enabled on the router. Cisco recommended VLAN 999 in the past, but the choice is purely arbitrary".

I am not sure why the Cisco documentation recommends vlan 999. What stops one from using vlan 999 as a user vlan?..

I would stick to vlan 1.

-Harish

Harish

Nothing stops vlan 999 being a user vlan but you can choose to make it a dummy vlan where you have no user ports and no routed interface. It doesn't have to be 999 it can be any number.

As to why you shouldn't use vlan 1 - there are quite a few good reasons in the document i gave a link to.

In short yes you can leave it as vlan 1 and everything will work fine so it's up to the network administrator. Best practices are just that, practices, they don't have to be followed slavishly but there is usually a very good reason why they should be.

Jon

Hello..

The document says

"Configure the native VLAN to be an obvious dummy VLAN that is never enabled on the router. Cisco recommended VLAN 999 in the past, but the choice is purely arbitrary".

I am not sure why the Cisco documentation recommends vlan 999. What stops one from using vlan 999 as a user vlan?..

I would stick to vlan 1.

-Harish

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: