Native VLAN and trunk port.

Answered Question
May 19th, 2008

I read in one of the forums that it may create a problem if I allow the native vlan through the trunk port connecting two switches.

But I am still not getting the exact consequences of doing so.

gpulos Mon, 05/19/2008 - 08:58

A native vlan is required on Cisco Catalyst switches.

A native vlan is used to forward packets that do not have a tag when they get to the ingress of the trunk port.

A trunk will forward untagged packets to the native vlan that is configured.

(if a native vlan is not specifically configured, it defaults to vlan 1)

If a trunk gets a packet that does not have a tag, and there was no native vlan, it would not know how to forward it. This is what the native vlan provides: a way for the trunk to know where to forward the packet if the packet were not tagged.

When the trunk receives a packet without a tag, it forwards it to the native vlan.

The native vlan is defined in a clause in the 802.1Q standard for interoperability with older devices that do not understand 802.1Q.

Please see the following link for some info on trunks and native vlan:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/e_trunk.html#wp1021145

(to answer your question, for example, if you have disabled vlan1 and your native vlan is defaulted to vlan1, then any untagged packets into the trunk will ultimately be dropped from the network; that could be considered bad.)

subharojdahal Mon, 05/19/2008 - 09:09

Thanks for your response.

I read the links but am still unable to find why not to allow the native vlan over the trunk link.

I doubt it might be for a security reason but do not know how it happens.

subharojdahal Mon, 05/19/2008 - 10:13

Thanks Jon

I understand why I should avoid allowing the native vlan through the trunk link.

Could you please clear my concepts about inter-vlan routing in multilayer switch?

There are four 6500 switches.

Node A1 in vlan 125, connected to switch A, wants to talk to server S1 in VLAN 100, connected to switch C.

Switches A and B are the HSRP pair for VLAN 125, and C and D are the core, HSRP pair and STP root for server vlan 25.

The routing protocol is EIGRP.

Rapid PVST+ is enabled.

What I know is that when node N1 hits server S1's address, it first goes to the gateway, which is A. It looks at the routing table, finds the route and sends it.

My questions are, while forwarding the packet:

1. Does it tag the VLAN identification or not?

2. Does switch A send to both or to either one of the switches, looking at the routing table? Considering the server is connected to either of the two switches C and D, as some of the servers are on switch C and the rest are on D.

3. What is the process behind the scenes while forwarding layer 3 traffic in a switched network?

I would appreciate it.

Jon Marshall Mon, 05/19/2008 - 10:18

A couple of quick questions:

How are A&B connected to C&D, i.e. L2 trunks or L3 routed links?

You talk of Node A1 and then node N1 - presumably the same node?

You talk of the server being in vlan 100 then in vlan 25. Which one is it?

What is the active HSRP switch for v125 out of A & B?

What is the active HSRP switch for v25 out of C & D?

Jon

subharojdahal Mon, 05/19/2008 - 10:28

Thanks for the prompt response.

A and B are connected to C and D as

A<--->C

A<--->D

B<--->C

B<--->D

i.e. redundant connections.

Node A1 and N1 are the same. Sorry for the typo.

Servers are in vlan 25 (some of them are connected to C and some to D).

Active HSRP for vlan 125 is A.

Active HSRP for vlan 25 is D.

Jon Marshall Mon, 05/19/2008 - 10:30

The connections between A -> C, A -> D, B -> C, B -> D, are they L2 trunks or L3 connections?

A & B are definitely HSRP for node A1?

Jon

subharojdahal Mon, 05/19/2008 - 10:33

They are L2 trunks.

Yes, A & B are HSRP for node A1 and switch A has higher HSRP priority than switch B, i.e. 120 over 110.

Jon Marshall Mon, 05/19/2008 - 10:46

It's a little bit confusing to have A & B running HSRP for clients and then using L2 trunks to connect back to C&D.

Sorry for all the questions, but does the server vlan only exist on C&D, i.e. it is not on A&B? What I'm trying to understand is why the links are L2 trunks and not L3 routed links from A&B -> C&D.

So node A1 sends the packet to its default gateway, which is the HSRP active address on switch A.

Now it gets a bit confusing. If the uplinks are L2 trunks, what vlans are you running across these trunks? Presumably not vlan 125 because that is routed off A & B.

What about vlan 25?

Jon

subharojdahal Mon, 05/19/2008 - 10:56

Yes, the server vlan only exists on C&D.

Yes, you are right, vlan 125 is not allowed but vlan 25 is allowed on the trunk link.

All the switches are running CatOS. Just to make sure, an L3 link means issuing the command "no switchport" in interface mode on the trunk interface?

If so, then in my understanding all the connections are L2 with dot1q encapsulation?

Please let me know if you need more info.

Thanks a lot.

Jon Marshall Mon, 05/19/2008 - 11:11

"L3 link means issuing the command "no switchport" in interface mode on the trunk interface?"

It does if the switches are running IOS but not if they are running CatOS.

If you do a "sh trunk" on your A & B switches, do you see the links to C & D?

I'm also assuming A has a L2 trunk to B and that C has a L2 trunk to D. Please let me know if this is not the case.

Basically if vlan 25 is allowed on the link and it is a trunk link

Node A1 sends the packet to its default gateway, which is on switch A. Now it depends which uplink is blocking on STP.

If A to C is blocking then A forwards packet to B which then forwards it on to D. If the active NIC for S1 is on D it is then sent straight to S1. If it is on C, D sends packet to C and C forwards it on.

If A to C is not blocking A sends packet straight to C.

It is important to note that the packet is only routed on switch A. Because vlan 25 is on the L2 trunk link, it will simply be switched from A to its destination.

Jon

subharojdahal Mon, 05/19/2008 - 11:22

Thanks Jon.

I am just curious to know, when A forwards a packet to D through the trunk link, is A aware that the packet belongs to vlan 25? I mean to say, does the switch have any idea about VLAN 25 (tagging?) or does it just look at the IP block and forward the packet without knowing which VLAN the packet falls under?

Jon Marshall Mon, 05/19/2008 - 11:29

If the uplink is a trunk link and the native vlan is not vlan 25, then yes, the packet will be tagged with a vlan id of 25.

Jon

subharojdahal Mon, 05/19/2008 - 11:35

You mean to say the blocked port will be determined by the STP instance of vlan 25 and switch A will forward traffic only on the designated port?

What if the native vlan is 25? I just wanted to see the possible consequences.

Jon Marshall Mon, 05/19/2008 - 11:41

Switch A will forward traffic to vlan 25 on its root port if C/D are STP root for vlan 25. Root ports lead to the root switch. Designated ports lead away from the root switch.

If native vlan was 25 then the packet would be sent across the trunk link untagged. Not a good idea to have servers in the native vlan though.

Jon
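The trunk-port rules gpulos describes above (untagged frames join the native vlan; a frame whose vlan is not allowed on the trunk is dropped) and Jon's point here that native-vlan traffic crosses the trunk untagged, as an added Python model that is not part of the thread or of any Cisco software. The frame bytes and VLAN numbers are constructed; the last function checks what happens when the two ends of a trunk disagree on the native vlan, which is why the same native vlan must be set on both sides of each new trunk.

```python
"""802.1Q trunk-port model: native VLAN handling on ingress and egress.

Added example, not from the thread or from Cisco. Frames and VLAN numbers
are constructed; the native-VLAN rules are those described in the posts.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

# Constructed sample frame parts (not captured traffic).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = bytes.fromhex("0806") + b"\x00" * 28  # EtherType ARP + dummy body


def parse_frame(frame):
    """Return (vlan_id or None, payload after the MAC header and any tag)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[16:]  # VID is the low 12 bits of the TCI
    return None, frame[12:]


def trunk_ingress(frame, native_vlan, allowed):
    """VLAN a frame arriving on the trunk is placed in, or None if dropped.

    Untagged frames are assigned to the native VLAN; a frame in a VLAN
    that is not allowed on the trunk (e.g. native vlan 1 with vlan 1
    disabled, the case gpulos mentions) is discarded.
    """
    vid, _ = parse_frame(frame)
    vlan = native_vlan if vid is None else vid
    return vlan if vlan in allowed else None


def trunk_egress(vlan, native_vlan):
    """Frame the trunk transmits for `vlan`: the native VLAN goes out untagged."""
    if vlan == native_vlan:
        return DST + SRC + PAYLOAD
    return DST + SRC + struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF) + PAYLOAD


def vlan_after_crossing(vlan, native_a, native_b, allowed_b):
    """VLAN a frame ends up in on switch B after crossing the trunk A -> B.

    With matching native VLANs the frame stays in `vlan`; with a mismatch,
    A's native-VLAN traffic silently lands in B's native VLAN instead.
    """
    return trunk_ingress(trunk_egress(vlan, native_a), native_b, allowed_b)
```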

subharojdahal Mon, 05/19/2008 - 11:47

Jon

As I told you before, there is EIGRP active among those core switches. I can see different routes from one switch to another (and from one vlan to another).

I don't see the sense in configuring EIGRP on the MSFC of those switches. I am sorry but I'm kinda confused about L2 trunking and L3 routing.

I hope you will help me get the hell out of this confusion.

Jon Marshall Mon, 05/19/2008 - 11:51

Yes it is a bit confusing.

When you run the command "sh trunk" on switch A, what do you see?

You should see a link to B.

And if you are correct you should see a link to C and a link to D.

But I'm thinking you may be using L3 routed links from A&B -> C&D and using EIGRP to exchange routes between your switches. If that is the case then ignore what I said before as to how the packet gets from A1 to S1.

The key thing to work out is what the links from A&B to C&D are.

Jon

subharojdahal Mon, 05/19/2008 - 12:03

Let me give you a clear picture of what I have and what I am trying to do.

Currently, I have links from A to B, B to C, and C to D. I have EIGRP running and trunk links on all connections. C and D are core switches. All are Catalyst 6513.

What I wanted to do

--------------------

As I told you earlier, I wanted to make the core network fully redundant by connecting A<-->C, A<-->D, B<--->C, and B<-->D.

On the basis of the above scenario

-------------------------------

I just wanted to know from you what the issues are that I have to know about, other than just configuring each new link as a trunk and assigning the same native vlan on either side of each new (redundant) trunk link.

I would appreciate your help Jon.

Correct Answer
Jon Marshall Mon, 05/19/2008 - 12:28

Subharoj

You need to decide whether you want to route or switch between the 2 pairs of switches.

What I would do with the information you have given so far is to connect A -> C and A -> D, B -> C, B -> D with L2 trunk links.

A & B would not have a trunk link between them but C & D would be interconnected via a L2 trunk.

Then migrate the L3 interfaces + HSRP configuration off A&B and move it on C&D. So A&B are not routing for any vlans any more they are simply access switches connecting back via L2 trunks to C&D.

This would give you a more standard setup.

Alternatively you can leave the link between A&B and leave it routing for vlan 125 etc. and make the links back to C&D L3 routed links. And then run EIGRP between all the switches. Note that with CatOS you cannot actually have a L3 routed port, i.e. "no switchport". What you do is use a /30 subnet and create an SVI on each switch, e.g.

Switch A

  int vlan 200
  description L3 connection to C
  ip address 192.168.5.1 255.255.255.252

Switch C

  int vlan 200
  description L3 connection to A
  ip address 192.168.5.2 255.255.255.252

and then assign the port on A & C into vlan 200. Then repeat with a different subnet for:

A -> D

B -> C

B -> D

Each has its advantages and disadvantages. If your switches are all running CatOS I would use the first option of L2 trunk uplinks and migration of L3 interfaces off A&B to C&D.

Jon

subharojdahal Mon, 05/19/2008 - 12:41

Thanks a lot Jon

You gave me very good solutions, but I am at a different workplace where I work as a consultant. It's hard for them to tolerate downtime longer than the time taken by STP to converge.

My concern is what happens if I create a trunk link for my new connection and let EIGRP do its work, considering the fact that I know the root switch for each vlan, and wondering if EIGRP could forward packets through the designated trunk port among the core switches.

They have more than 20 local vlans under switches A and B, so they wanna move to core C and D.

Jon, is that possible, keeping the current configuration intact, creating the new trunk links and letting EIGRP do its work?

subharojdahal Mon, 05/19/2008 - 13:28

Jon

I know you must be busy. I would appreciate it if you could look at my issue if you have a few moments.

Jon Marshall Mon, 05/19/2008 - 13:35

I appreciate that you are trying to avoid downtime so we need to be careful. What you can do is take option 2 from my previous e-mail. That would be the least disruption to your network.

I would suggest using an unused vlan for the uplinks. Do not make them trunk links because they don't need to be.

This is assuming that vlans on C&D don't need to be on A&B and vice-versa. If you have vlans that need to be on all 4 switches at the same time then you will have to make the links trunk links.

Jon
