Changing Native VLAN

Answered Question
Feb 1st, 2010

I've been updating some of our sites, and in the process I changed the native VLAN from 1 to 10, which is our data VLAN. Is it bad practice to change the native VLAN? What should I take into consideration when thinking about changing the native VLAN?

Correct Answer by Jon Marshall about 4 years 2 months ago

robert.juric wrote:

I've been updating some of our sites, and in the process I changed the native VLAN from 1 to 10, which is our data VLAN. Is it bad practice to change the native VLAN? What should I take into consideration when thinking about changing the native VLAN?

Robert

It's not bad practice to change the native vlan, in fact it is recommended best practice to do so. When changing it you should -

1) create a new vlan eg. vlan 999

2) use this new vlan as the native vlan. No ports should be assigned to the native vlan ie. you do not have any end devices in the native vlan

3) You should not create a L3 vlan interface for vlan 999 because there is no need to route the native vlan

So if I understand correctly you have changed the native vlan to be the vlan that has your users in it. This is not recommended.

Jon

Reza Sharifi Mon, 02/01/2010 - 19:16

Hello Robert,

The native VLAN is used primarily to transmit management information between switches, management information such as CDP packets, VTP packets, Spanning-tree information, and PAgP. Cisco default for a Native VLAN is 1. Because of security concerns, it is good practice to change VLAN 1 to 10 or any other number. Also once you change VLAN 1 to 10 make sure you shut down VLAN 1 and move all unused ports and park them in a different VLAN (999).

HTH

Reza

sampath@australia1 Tue, 02/02/2010 - 21:36

Hello Robert,

What happens if we stop the native vlan in trunks? (Limit VLANs by using switchport trunk allowed vlan)

Thanx

Sampath

robert.juric Wed, 02/03/2010 - 06:04

You can't stop the native VLAN, it's always there, but you can change which VLAN is specified as the native VLAN. I think the important thing is to use a VLAN other than 1, with no access ports tied to it as the native VLAN. If you do not specify a different native VLAN it is by default VLAN 1. It's also important to note the native VLAN must match on both ends of a trunk.
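
An added example, not code from the thread or from Cisco: a small audit script that reads IOS-style interface stanzas and checks them against the rules given above (native VLAN not left at 1, no access ports in the native VLAN, no SVI for the native VLAN, and the native VLAN matching on both ends of a trunk). The two configs are constructed for illustration, and the mismatch check assumes the same port name is used on both switches.

```python
SWITCH_A = """\
interface GigabitEthernet0/1
 switchport trunk native vlan 999
 switchport mode trunk
interface GigabitEthernet0/2
 switchport access vlan 10
"""
SWITCH_B = """\
interface GigabitEthernet0/1
 switchport trunk native vlan 10
 switchport mode trunk
interface GigabitEthernet0/2
 switchport access vlan 10
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
"""

def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [its indented lines]}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
    return ifaces

def native_vlans(config):
    """Native VLAN per trunk port; IOS falls back to VLAN 1 when none is configured."""
    result = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            tags = [l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")]
            result[name] = int(tags[0]) if tags else 1
    return result

def audit(config):
    """Findings against the thread's three rules; an empty list means the config complies."""
    ifaces, findings = parse_interfaces(config), []
    for trunk, native in native_vlans(config).items():
        if native == 1:
            findings.append(f"{trunk}: native VLAN left at the default of 1")
        if access := [n for n, ls in ifaces.items() if f"switchport access vlan {native}" in ls]:
            findings.append(f"{trunk}: native VLAN {native} carries end devices on {access}")
        if f"Vlan{native}" in ifaces:
            findings.append(f"{trunk}: native VLAN {native} is routed via interface Vlan{native}")
    return findings

def trunk_mismatches(cfg_a, cfg_b):
    """Trunk ports whose native VLAN differs between the two ends (same port names assumed)."""
    a, b = native_vlans(cfg_a), native_vlans(cfg_b)
    return {p: (a[p], b[p]) for p in a if p in b and a[p] != b[p]}
```

SWITCH_A is the dedicated-VLAN layout Jon describes and produces no findings; SWITCH_B is the data-VLAN-as-native situation from the question and is flagged on both the access port and the SVI.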

francisco_1 Wed, 02/03/2010 - 06:18

VLAN 1 has a special significance in Catalyst networks.

As already mentioned, when trunking, the switch always uses the default VLAN, VLAN 1, in order to tag a number of control and management protocols. Such protocols include CDP, VTP, and PAgP. All switch ports are configured by default to be members of VLAN 1. All trunks carry VLAN 1 by default. The native VLAN is the VLAN to which a port returns when it is not trunking. Also, the native VLAN is the untagged VLAN on an IEEE 802.1Q trunk.

In summary, CDP, VTP, and PAgP updates are always forwarded on trunks with a VLAN 1 tag. This is the case even if VLAN 1 has been cleared from the trunks and is not the native VLAN. If you clear VLAN 1 for user data, the action has no impact on control plane traffic that is still sent with the use of VLAN 1.

In PVST+, the 802.1Q IEEE BPDUs are forwarded untagged on the common Spanning Tree VLAN 1 for interoperability with other vendors, unless VLAN 1 has been cleared from the trunk. This is the case regardless of the native VLAN configuration. Cisco PVST+ BPDUs are sent and tagged for

robert.juric Wed, 02/03/2010 - 06:22

francisco_1 wrote:

The native VLAN is the VLAN to which a port returns when it is not trunking.

I thought you had to specify a switchport access vlan in order to set the VLAN to be used when not trunking.

francisco_1 Wed, 02/03/2010 - 06:25

If you lose a trunk port and the port is not set up with "switchport access vlan", the port defaults back to vlan 1.

ganeshh.iyer Mon, 02/01/2010 - 21:32

robert.juric wrote:

I've been updating some of our sites, and in the process I changed the native VLAN from 1 to 10, which is our data VLAN. Is it bad practice to change the native VLAN? What should I take into consideration when thinking about changing the native VLAN?

Hi Robert,

If we changed it to say vlan 10, then any traffic on vlan 10 that was leaving a switch would be untagged. Any traffic arriving untagged would be assumed to be on vlan 10. Additionally, in this case, traffic leaving the switch that was on vlan 1 would be tagged just as any other traffic except the traffic that was from vlan 10. As stated, any traffic arriving untagged would be assumed to be part of vlan 10, and therefore cannot be part of vlan 1.

There is only one native vlan per trunk. This must match on both ends of the trunk and is responsible for all of the untagged traffic. The native vlan could also be called the untagged vlan.

Now the native VLAN. The purpose of the native VLAN is so that if untagged data finds its way traversing the trunk (usually because it entered the trunk somewhere in the middle, most likely from a connected hub so that the frame could not be tagged by the switch before entering the trunk), when that untagged frame gets to either end of the trunk, the switch then reads the frame sees that it is an untagged frame that ended up on the trunk and sends that untagged frame to the VLAN that has been assigned as the native VLAN.

Hope that helps

If helpful do rate the post

Ganesh.H

acbennyma Tue, 02/02/2010 - 00:38

Dear Expert,

May I know what is the purpose of changing the default native vlan from 1 to another native vlan number?

Thanks !

JJBladester Thu, 02/02/2012 - 05:17

Jon,

I'm just reading the VLAN chapter in my Cisco book and I came across this post. I don't think the information in that cisco link says that you shouldn't use VLAN 1 because of VLAN hopping. I think if you change the native VLAN from 1 to anything else, double-encapsulation attacks (VLAN hopping) can still occur just as easily.

The take-home-message I get from the link is:

"Do not use VLAN 1 for inband management traffic and pick a different, specially dedicated VLAN that keeps management traffic separate from user data and protocol traffic."

I'm no expert in the field, though. Just working on my CCNA and trying to make sense of this VLAN topic.

robert.juric Tue, 02/02/2010 - 11:47

One thing I noticed while doing some research is that Cisco IT used a trunk VLAN as the native VLAN on all trunks except on trunks to Wireless Access Points, in which case they used the data VLAN, why is this?

Jon Marshall Tue, 02/02/2010 - 13:30

robert.juric wrote:

One thing I noticed while doing some research is that Cisco IT used a trunk VLAN as the native VLAN on all trunks except on trunks to Wireless Access Points, in which case they used the data VLAN, why is this?

Robert

Not entirely sure. I do know that there is a restriction on wireless access points that the management vlan must be the same as the native vlan. What this means is that if you assign an IP address from vlan 10 to the AP then vlan 10 must be the native vlan for you to be able to remotely connect to the AP and manage it. Perhaps this is what you were seeing. It's been a while since I have worked on APs so I don't know if this restriction still applies.

On switches there is no such restriction. Your management vlan and native vlan can be completely different and indeed should be.

Jon

Posted February 1, 2010 at 6:26 PM