Question about native vlan

Answered Question
Nov 13th, 2008

If I have the following

Host A:

int fa0/1

switc mode access

switch access vlan 2

int fa0/24

switc mode access

swit access vlan 2

Int fa0/24 connects directly with another switch on its fa0/24 and it's configuration is:

int fa0/24

switc mode access

swit access vlan 10

Host B is on:

int fa0/1

switc mode access

swit access vlan 10

If these are on the same subnet, can they ping each other? My initial thought is "NO", but according to a book I was reading they will be able to because the traffic is untagged. Ok, so by default, a workstation traffic is untagged, BUT when you switch that port to an access port, it changes the native vlan to the vlan that it's a member of, in this case Host A's native is 2 and Host B's native is 10.

Am I incorrect?

Thanks!

John

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 8 years 4 weeks ago

Right, i've sobered up now and after rereading this i should probably retire from NetPro :-)

"In fact, the two interfaces that connect the switches together are in different vlans. I figure that the host in vlan 2 wouldn't be able to ping to vlan 10 because it would be looking for a vlan 2 on the other switch"

The key difference here is that although the switches each know internally which vlan the packet belongs to they have no way of communicating that information to each other across an access port because packets are not tagged on an access port. So each switch can only map the packet to the vlan that the access port is in.

So when you say "the host in vlan 2 would be looking for a vlan 2 on the other switch" this is not really how it works. The packet would leave the first switch on vlan 2 but because the second switch has mapped the receiving port to vlan 10 then the second switch this packet is now destined for a vlan 10 device.

Jon

Correct Answer by Istvan_Rabai about 8 years 4 weeks ago

Hi Jon,

I meant the following:

Of course switch1 internally knows that the frame is going out of the port on vlan x, because the port is kept track to be part of vlan x.

But the frame is sent out of this port (member of vlan x) to switch2's access port (member of vlan y) in untagged format.

Switch2 will tie this frame to vlan y internally (it's port is kept track to be part of vlan y) and forward it on vlan y, because it will treat this frame as a normal ethernet frame coming from a host connected to this port. (No vlan information on the frame itself).

This is a somewhat dangerous scenario because it can create switching or routing loops in some situations.

Cheers:

Istvan

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (5 ratings)
Loading.
Giuseppe Larosa Thu, 11/13/2008 - 08:45

Hello John,

you are correct only in part

in this way you are joining two broadcast domains to form only one.

Being all ports access ports there is no native vlan issue/concept here.

I used this trick once to join two management vlans.

you can get a CDP vlan mismatch warning but that's all.

if you try to do this with trunk ports PVST detects the mismatch in native vlan and can put in errordisable the port because STP bdpus have a field inside that tells what vlan they are associated with and it is compared to the vlan in which the frame is received (consistency check)

Hope to help

Giuseppe

Istvan_Rabai Thu, 11/13/2008 - 09:14

Hi John,

A small addition to Giuseppe's post:

The reason why HostA and HostB can ping each other lies behind the configuration the fa0/24 ports are connected with each other:

Both of them are configured as access ports.

Access ports transmit frames untagged (as traditional Ethernet frames), therefore the receiving switch has no information on what vlan the frame is coming from and it will treat the incoming frame as a normal Ethernet frame and will accept it.

So the frame may come from vlan X (first switch) and end up on vlan Y (on second switch) as a result of this configuration.

Cheers:

Istvan

John Blakley Thu, 11/13/2008 - 11:33

Am I right in stating that when a port is an access port, and that port is in, say, vlan 10, that it makes the native vlan for the device connected to that port 10?

--John

Jon Marshall Thu, 11/13/2008 - 11:39

John

The native vlan is only relative to an 802.1q trunk port. An access port does not have a concept of a native vlan.

Jon

John Blakley Thu, 11/13/2008 - 11:44

I guess I have another question. The following output is from a port on my switch:

Name: Gi5/0/24

Switchport: Enabled

Administrative Mode: static access

Operational Mode: down

Administrative Trunking Encapsulation: negotiate

Negotiation of Trunking: Off

Access Mode VLAN: 127 (WORKSTATIONS)

Trunking Native Mode VLAN: 1 (default)

Administrative Native VLAN tagging: enabled

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk Native VLAN tagging: enabled

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none

Let's say that I hook an unmanaged switch to this port. The port is set up as an access port on vlan127. Because I have routing enabled on my switch, I have an address of:

192.168.127.1

on the SVI. On this switch that's connected to the port that's an access port for vlan127, I have a workstation and a printer. The workstation is in the same subnet as the SVI, but the printer is not.

If access ports don't understand the concept of native tagging (which I thought was only in ISL), then why can I not see the printer from another device that connects into another switchport?

Does the switch tag whatever is coming in on that port as vlan127 in order to cross the trunk?

I may just give up on this question...it sounds so long and convoluted.

--John

Jon Marshall Thu, 11/13/2008 - 11:52

John

I may not be understanding fully what you are asking so if i don't just let me know.

If you connect a hub to a switch and the port on the switch is in vlan 127 then any traffic coming from any device attached to the hub will be seen as being in vlan 127.

Tagging does not happen on access ports at all. But the switch does know which port is in which vlan so internally it will always be able to do the "right thing". If the packet needs to be sent across a trunk link it will tag it with a vlan ID of 127 unless vlan 127 is the native vlan for the trunk link in which case it is sent untagged. Note this only applies to 802.1q. ISL tags all packets.

Jon

John Blakley Thu, 11/13/2008 - 12:04

So I've attached a diagram :-)

I "know" why this doesn't work, but I would like to know more of the inner workings of it. The main switch has ip routing enabled on it.

Thanks!

Jon Marshall Thu, 11/13/2008 - 12:17

What is the device that the workstation and printer connect to - is it a hub.

Anyway when the packet comes in on vlan 10 to the switch it may not have a tag in the packet but the switch still knows that the port is in vlan 10 and internally can keep track of the fact that this packet is associated with vlan 10. So it can only forward this packet to another port within vlan 10.

This actually comes back to a recent question we were both involved in with Sarah about per vlan mac-address tables. It raises some interesting points and even though i'm on a very long holiday i'm very tempted to dig out my 3550 switches and do some testing.

I suspect what is happening is that switch has a vlan 10 mac-address table and so the packet coming in is "contained" within vlan 10.

Jon

John Blakley Thu, 11/13/2008 - 12:23

That's why I don't understand my original question.

If the frame is coming in on a port that's a member of a vlan, then that frame can only get forwarded to other members of that vlan.

In my original question, I have 2 different vlans: 2 and 10

One switch was vlan 2 and the other was vlan 10. I'm not understanding how we have 2 separate broadcast domains, yet they can communicate without a L3 device.

In fact, the two interfaces that connect the switches together are in different vlans. I figure that the host in vlan 2 wouldn't be able to ping to vlan 10 because it would be looking for a vlan 2 on the other switch, if in fact the tag is carried across the non-trunked link. For some reason, this one is really confusing me.

Oh, and it's a switch that the hosts are connected to, but unmanaged.

--John

Jon Marshall Thu, 11/13/2008 - 12:39

Yep, i admit i'm a little confused as well !

A switch must be able to tie an access port to a vlan otherwise vlans would be useless. And i always believed that a switch recorded the port to vlan always.

Jon

Jon Marshall Thu, 11/13/2008 - 12:49

No not at all. It's one of those things that you think you know but when you have to look into it it's not that simple.

Jon

Correct Answer
Jon Marshall Thu, 11/13/2008 - 22:14

Right, i've sobered up now and after rereading this i should probably retire from NetPro :-)

"In fact, the two interfaces that connect the switches together are in different vlans. I figure that the host in vlan 2 wouldn't be able to ping to vlan 10 because it would be looking for a vlan 2 on the other switch"

The key difference here is that although the switches each know internally which vlan the packet belongs to they have no way of communicating that information to each other across an access port because packets are not tagged on an access port. So each switch can only map the packet to the vlan that the access port is in.

So when you say "the host in vlan 2 would be looking for a vlan 2 on the other switch" this is not really how it works. The packet would leave the first switch on vlan 2 but because the second switch has mapped the receiving port to vlan 10 then the second switch this packet is now destined for a vlan 10 device.

Jon

John Blakley Fri, 11/14/2008 - 04:04

Ah! That makes sense!

I've taken a host and made it vlan 2, and then I've taken the switch port and made it vlan 10.

LOL! Interesting.....

John

Jon Marshall Thu, 11/13/2008 - 12:37

Istvan

I'm getting a bit confused about this. Both may be configured as access ports but the switch still knows which vlan these access ports are assigned to. So surely internally to the switch it knows this packet must stay with vlan 10.

Because if you argue that access ports receive untagged frames then a switch would surely have to send the frame to all other ports because it can't tie it to a vlan.

Maybe i'm just having a bad day !

Jon

Correct Answer
Istvan_Rabai Thu, 11/13/2008 - 21:24

Hi Jon,

I meant the following:

Of course switch1 internally knows that the frame is going out of the port on vlan x, because the port is kept track to be part of vlan x.

But the frame is sent out of this port (member of vlan x) to switch2's access port (member of vlan y) in untagged format.

Switch2 will tie this frame to vlan y internally (it's port is kept track to be part of vlan y) and forward it on vlan y, because it will treat this frame as a normal ethernet frame coming from a host connected to this port. (No vlan information on the frame itself).

This is a somewhat dangerous scenario because it can create switching or routing loops in some situations.

Cheers:

Istvan

Jon Marshall Thu, 11/13/2008 - 22:15

Istvan

Thanks. Feel a bit embarrassed - last time i do NetPro while under the influence :-).

Jon

Istvan_Rabai Thu, 11/13/2008 - 22:51

Hi Jon,

I feel honored to receive this rating, especially that it is from you.

Cheers:

Istvan

John Blakley Fri, 11/14/2008 - 04:00

I just wanted to let everyone know that I had to test this :-)

It worked. The following layout was:

871(fa11)vlan10-2950(fa01)vlan10 --> 2950(fa01)vlan50-2801(fa03)vlan50.

I could ping both ways with no problems. My next question though is:

If there's no concept of the native vlan, why does CDP give a native vlan mismatch on the connecting switchports?

Oh, and I thought frames were sent untagged within the switch, but once they left the switch they needed a tag.

This was a great discussion guys...thank you all!!

--John

Giuseppe Larosa Fri, 11/14/2008 - 05:39

Hello John,

happy to see it works

>> why does CDP give a native vlan mismatch on the connecting switchports?

simply because the CDP PDU frame contains different information fields including the native vlan/vlan so they can check and complain about this

Hope to help

Giuseppe

John Blakley Fri, 11/14/2008 - 07:02

Jon, Giuseppe, and Istvan,

You guys are awesome! Thank you for clearing this up for me!

--John

John Blakley Fri, 11/14/2008 - 04:09

Istvan,

So in other theory, since switch 1's host is in vlan 2 and connected to switch 2 on vlan 10, theoretically if I have a host in vlan 100 on switch 2 on the same subnet as on switch 1, I WON'T be able to see it because that traffic will stay in vlan 10?

Thanks for all of your responses!

John

Istvan_Rabai Sat, 11/15/2008 - 03:37

Hi John,

I wouldn't want to dive into the complexities of such a scenario.

It may be an interesting thing to play with such a configuration and you can of course try it in your lab.

In practical life, however, such configurations aren't viable and they are out of the design recommendations of Cisco.

So for practical life I would prefer to stay as simple as possible.

Cheers:

Istvan

Jon Marshall Thu, 11/13/2008 - 12:43

Giuseppe

Sorry, same question as i asked Istvan as i'm getting a bit confused.

If a packet coming in on an access port is not tagged then how does the concept of vlans work at all because a packet coming in on an access port would have to be sent to all ports if the switch doesn't know which vlan it is in ?

I thought the switch internally kept a record of which vlan a port was in.

Jon

Mohamed Sobair Sat, 11/15/2008 - 03:52

Hi Guys,

I just have one comment to add:

as Jon mentioned,(access ports) have the concept of tagging, the frames are tagged at the egress port of the Switch , so internally the Switch knows which ports are part of which Vlans.

The frames are sent untagged at the ingress port of the Switch.

Native Vlans, are vlans sent untagged across 802.1Q trunks Only and not ISL.

HTH

Mohamed

Actions

This Discussion