Native VLAN

Unanswered Question
Oct 31st, 2007
Can someone explain to me in non-book terms what the native vlan is used for. In other words, I know that the native vlan is the vlan that untagged traffic travels over. And even when you ask people, they say the same thing. However, when do you use this untagged vlan and how does that apply in the real world? Why would we ever change it from vlan 1? Why, when you are configuring a switchport connected to a WLC or an AP, does it recommend setting the native vlan to the same vlan (subnet) as the management interface or even in some cases the data vlan? If I remember correctly, the native vlan is what also carries information for the link such as STP, VTP. Again, why change it from the default vlan 1?

Rolf Fischer Thu, 11/01/2007 - 01:49

Cisco uses a proprietary implementation of "standard" Spanning Tree (802.1d) for EVERY vlan.

To be interoperable with Non-Cisco switches, BPDUs (the "packets" of STP) on the native vlan are transmitted in regular 802.1d format.

The Non-Cisco switch wouldn't be able to identify the per-vlan-spanning-tree (PVSTP) BPDUs on a trunk - they are different to 802.1d-BPDUs. In order to avoid loops, BPDUs on the native vlan are like those of Non-Cisco switches.

That's the theory - in practice you often have problems with STP between Cisco and Non-Cisco switches and one solution is to change the native vlan to a dummy-ID.

If you like to know more, watch sheets 7 and 8 of this presentation: http://iws.ccccd.edu/sbutler/ccnp3ppt/mod4-Intervlan_Routing.ppt

(very good page for learning/preparing!!)


There are also security issues with the native vlan. This is what you find in the link of the post above. If vlan 1 is your management vlan, there are many scenarios for getting unauthorized access to the management.


I know, these are not really non-book terms, but I can't explain it better...



HTH

Rolf

amolwaghmare Thu, 11/01/2007 - 11:13

1) Native vlan is used because if packets are unable to go through the trunk, they can be passed in the normal way through the native vlan.


2) CST BPDUs are transferred to other switches without tagging, i.e. on the native vlan and not on the trunk.


3) If the trunk fails, then only the traffic of the native vlan will pass.


Hope this helps; if you need any other details, please ask.


**********************************************

Rate the good posts

**********************************************

tsmarcyes Thu, 11/01/2007 - 17:48

The link above recommends pruning the native vlan from any trunk ports as much as possible. My question is, if the native vlan is used for traffic such as DTP, STP, etc., then if you prune it from the trunk link, won't this cause problems because now the switch on the edge side of the pruned native vlan can't send DTP, STP, etc. messages across the trunk?

Rolf Fischer Fri, 11/02/2007 - 00:09

I do not recommend pruning the native vlan from any trunk ports generally.

But sometimes (e.g. connecting Non-Cisco devices) you have to in order to avoid problems.

When connecting a Non-Cisco device you can't use DTP anyway ( switchport nonegotiate).

For most services you can configure source interface vlan xxx.

Spanning-tree is indeed a problem in configurations like those.

You need to have a loop-free design.

If possible, you should use the newer STP implementations like Rapid STP or Multiple STP. Those are normally compatible with other switches.

But, as mentioned before, STP is only one aspect associated with the native vlan.

For security reasons, many administrators change the native vlan from 1 to e.g. 99 and disable CDP.

http://www.mirrors.wiretapped.net/security/info/reference/nsa-guides/cisco/cisco-ios-switch-security-configuration-guide.pdf
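As an added illustration that is not from any poster in this thread: a small Python model of how an 802.1Q trunk port classifies frames, showing why untagged traffic lands in the native VLAN, what a native VLAN mismatch between the two ends of a trunk does to a VLAN 1 frame, and what pruning the native VLAN from the trunk does. The `tag_native` flag is an assumption modelled on the IOS `vlan dot1q tag native` behaviour (native VLAN tagged on egress, untagged frames dropped on ingress); the frame bytes and VLAN numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

# Constructed Ethernet frame (not a capture): dst MAC, src MAC, EtherType 0x0800, dummy payload.
UNTAGGED_FRAME = bytes.fromhex("ffffffffffff0200aabbccdd0800") + b"payload"


@dataclass
class TrunkPort:
    """One end of an 802.1Q trunk with its native VLAN and allowed-VLAN list."""
    native_vlan: int = 1                           # IOS default is VLAN 1
    allowed: FrozenSet[int] = field(default_factory=lambda: frozenset(range(1, 4095)))
    tag_native: bool = False                       # assumption: models 'vlan dot1q tag native'

    def ingress(self, frame: bytes) -> Optional[int]:
        """VLAN the switch assigns to a frame arriving on the trunk, or None if dropped."""
        if int.from_bytes(frame[12:14], "big") == TPID_8021Q:
            vid = int.from_bytes(frame[14:16], "big") & 0x0FFF
        elif self.tag_native:
            return None                            # untagged frames are dropped
        else:
            vid = self.native_vlan                 # untagged frame -> native VLAN
        return vid if vid in self.allowed else None

    def egress(self, vid: int, frame: bytes) -> Optional[bytes]:
        """Frame as it leaves the trunk: tagged unless it is native VLAN traffic."""
        if vid not in self.allowed:
            return None                            # pruned VLAN never leaves the port
        if vid == self.native_vlan and not self.tag_native:
            return frame                           # native VLAN goes out untagged
        tag = TPID_8021Q.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
        return frame[:12] + tag + frame[12:]


def forward(src: TrunkPort, dst: TrunkPort, vid: int, frame: bytes = UNTAGGED_FRAME) -> Optional[int]:
    """VLAN the far-end switch files a frame under when `src` sends it on `vid`."""
    on_wire = src.egress(vid, frame)
    return None if on_wire is None else dst.ingress(on_wire)


def demo() -> dict:
    """Three trunk setups and where the frame ends up on the far side."""
    matched = forward(TrunkPort(native_vlan=99), TrunkPort(native_vlan=99), vid=1)
    mismatched = forward(TrunkPort(native_vlan=1), TrunkPort(native_vlan=99), vid=1)  # VLAN 1 leaks into 99
    pruned = frozenset(range(1, 4095)) - {99}
    native_pruned = forward(TrunkPort(native_vlan=99, allowed=pruned),
                            TrunkPort(native_vlan=99, allowed=pruned), vid=99)
    return {"matched": matched, "mismatched": mismatched, "native_pruned": native_pruned}
```

The "mismatched" case is the classic native VLAN mismatch: the sending side strips the tag because VLAN 1 is its native VLAN, and the receiving side files the untagged frame under its own native VLAN 99, which is why both ends must agree on a native VLAN that carries no real traffic.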


bvsnarayana03 Fri, 11/02/2007 - 05:48