Native VLAN tagging over trunks

Unanswered Question
May 31st, 2012

Hi all,

I have a query about native VLAN concepts.

I am using the default VLAN 1 in a multi-switch network.

But on the trunks between all switches, I have removed passage of all VLANs and just allowed another VLAN, 10, which I am using for some purpose.

Here my question arises: will my untagged data (native VLAN data) be able to travel over these trunk links or not?

My surprise is that if the native VLAN does not use any VLAN tag over trunks, then removing that default VLAN 1 from the trunks does not allow even untagged data to flow.

Please let me know how it actually should be, and how this all comes into play.

Thanks

Sourav.

viswamin Thu, 05/31/2012 - 02:37

Hi Sourav,

sourav goyal wrote:

Hi all,

I have a query about native VLAN concepts.

I am using the default VLAN 1 in a multi-switch network.

But on the trunks between all switches, I have removed passage of all VLANs and just allowed another VLAN, 10, which I am using for some purpose.

Here my question arises: will my untagged data (native VLAN data) be able to travel over these trunk links or not?

My surprise is that if the native VLAN does not use any VLAN tag over trunks, then removing that default VLAN 1 from the trunks does not allow even untagged data to flow.

Please let me know how it actually should be, and how this all comes into play.

Thanks

Sourav.

Since on the trunk you are allowing only VLAN 10, only VLAN 10 traffic will be allowed to pass through the trunk link. In your case, native VLAN traffic (VLAN 1) will not be allowed over the trunk link.

The native VLAN is defined on a per-trunk-link basis (don't confuse it with the default VLAN), and typically native VLAN traffic is untagged.

As an example, if on a trunk link the native VLAN is 99, then all traffic on VLAN 99 would be sent untagged over the trunk link.

HTH

-Vijay

sourav6388 Thu, 05/31/2012 - 02:48

Hi Vijay,

OK, I can understand that if we prevent a VLAN over a trunk then its data will not pass over that trunk link, but I want to know more:

how is it possible that, when a native VLAN's data has no identity tag for the VLAN ID, it can be checked that this data also needs to be prevented from flowing over the link?

Because a frame's identity is its tag, and it comes from the tag that this frame is to be prevented.

Not having a tag and at the same time preventing it from flowing is quite a process.

Please explain.

And I also want to know: can there be multiple native VLANs on a switch? Is that possible?

Thanks

Sourav

viswamin Thu, 05/31/2012 - 03:03

Well, the way a switch works is this. Let's say that the frame is coming from a port which is in VLAN 'x'.

When the switch is about to send the frame out a trunk port, it finds out if that VLAN 'x' is allowed on the trunk. If it is allowed, then it checks the native VLAN configured on the trunk link. If the native VLAN configured on the trunk link is also 'x', then the switch decides not to tag the frame and transmits it as it is.

If the native VLAN configured on the trunk link is 'y', then the switch decides to send the frame with the tag 'x'.

If the VLAN 'x' is not allowed, then it drops the frame right away.

And I also want to know: can there be multiple native VLANs on a switch? Is that possible?

Each trunk link can be assigned a different native VLAN, so a switch can have multiple native VLANs.

HTH

-Vijay

sourav6388 Thu, 05/31/2012 - 04:49

Hi Vijay,

Can you explain a bit more clearly the difference between the default VLAN and the native VLAN?

Do both of them offer/process untagged packets?

And I cannot understand the concept of multiple native VLANs; I am confused. If we have multiple native VLANs in a switch, then it would be like having untagged data from multiple VLAN sources.

Please clarify with some short example; I would be really grateful.

Thanks

viswamin Thu, 05/31/2012 - 05:07

Hi Sourav,

Let's consider a new switch. All the ports belong to the default VLAN, which is VLAN 1.

The native VLAN is something that is defined on the trunk port.

Let's say that SW1 --- SW2 and the link between these switches is a trunk.

When you don't configure anything on this trunk link, then native VLAN = default VLAN = VLAN 1.

Now let's assume that you have configured "switchport trunk native vlan 99" on the trunk link (both ends).

Then in this case, native VLAN = 99, and it is locally significant on that trunk link. The default VLAN is still VLAN 1 on that switch.

Now let's assume that you have two trunk links between SW1 - SW2 and you have configured

trunk 1 - "switchport trunk native vlan 99"

trunk 2 - "switchport trunk native vlan 100"

In this case, the native VLANs are 99 and 100 for trunk 1 and trunk 2 respectively. So native VLANs are locally significant on the trunk.

This is my understanding.

I don't work on switches... maybe the experts can comment.

-Vijay

sourav6388 Thu, 05/31/2012 - 05:42

So Vijay,

as per the discussion and my understanding, I can conclude that there can be multiple native VLANs. Good.

So now I think we cannot have multiple default VLANs in a switch, as the default VLAN is a concept for the whole switch rather than depending on a single link.

So, putting it to purpose, the native VLAN concept is used for steering untagged data into a particular VLAN.

"Like the native VLAN is an order for the trunk port: put this untagged data coming in on this trunk as tagged for the defined native VLAN."

If this is likely true????? Please comment.

And then, using this tricky native VLAN concept, we shall ignore the native VLAN mismatch error, as this mismatch is solving a definite purpose for us.

And the default VLAN is useful for pushing untagged data from one trunk to another, making it commonly available in our switched network.

Please comment.

Thanks

sourav

rettuc_ccnp Thu, 05/31/2012 - 06:23

To clarify a few other points:

1. Difference between default VLAN and native VLAN

The default VLAN only applies to ACCESS ports. The reason is that for a switch to work in a plug-and-play fashion, the ports must all belong to the same VLAN as part of the IOS default configuration.

The default native VLAN only applies to TRUNK ports.

2. Similar to multiple access ports on the same switch belonging to different VLANs, trunk ports on the same switch can also have different native VLANs.

3. Traffic is only tagged at the outgoing interface and interpreted at the other end at the incoming interface. There is no benefit or reason for having mismatched native VLANs. Native VLAN mismatch errors should be fixed and not ignored, as this is a sign of either a misconfiguration or a bad design.

I hope this information has helped clear things up for the group.

Regards.

Jon Marshall Thu, 05/31/2012 - 05:05

The default VLAN is VLAN 1. All ports by default on a switch without any configuration are in VLAN 1. So if you just connected clients to a switch and booted up the switch without any actual configuration on your part, then all clients would be in VLAN 1. The default VLAN will always be VLAN 1, but obviously you can assign ports to different VLANs.

The native VLAN by default (note that "default" here is used in a different context than when we talk about the default VLAN) is also VLAN 1, but you can change this on a per-trunk basis.

Note that for both of the above, i.e. ports by default in VLAN 1 and the native VLAN being VLAN 1, the Cisco recommendation is to use a different VLAN. So you would have:

1) ports allocated to another VLAN, or more likely multiple VLANs, for end devices

2) the native VLAN set to a different VLAN

3) additionally, any management VLAN for the actual switches should not be VLAN 1 either.

As for multiple native VLANs: you can do this if you want, and it would work because each trunk link is independent of the other trunk links on the switch. So if a switch had 2 trunk links and one was using native VLAN 10 (t1) and one native VLAN 11 (t2), it would work simply because when the switch receives an untagged packet on t1 it assumes it to be in VLAN 10, and when it receives an untagged packet on t2 it assumes it to be in VLAN 11. The key thing to understand is that the native VLAN concept is local to the switch (the switch and the specific trunk link, actually).

However, you probably wouldn't do this, as it simply complicates things. It is best to use a single native VLAN across all your switches; otherwise configuration and possible mistakes are more likely to occur.

Jon

sourav6388 Thu, 05/31/2012 - 05:32

Hi Jon,

Thanks for your response; your answer is quite clear.

Can you help me in understanding the exact usage of the native VLAN?

Like on a switch SW1, a T1 (trunk) link has native VLAN 10.

So any untagged data that is received on the T1 link of this switch would be coming out as tagged for VLAN 10.

And for T2 (trunk 2) on switch SW1, whose defined native VLAN is 30, similarly any untagged data received on it would be coming out as tagged for VLAN 20.

And then all these packets which got named using the native VLAN concept can be used for further sharing to other links.

Please advise if my example is taking it right.

rettuc_ccnp Thu, 05/31/2012 - 06:01

So the exact answer to the question is that the native VLAN of a trunk link does allow untagged traffic to traverse the link.

In other words, a trunk link (by default) will not drop untagged traffic. When this untagged traffic arrives at the other end of the link, it is logically treated as belonging to the native VLAN. With that said, when your trunk port is configured to only allow VLAN 10, it will actually allow both VLAN 10 and the untagged/native VLAN traffic to traverse the link.

If you don't want to allow the native VLAN traffic to traverse the link, you will need to tag the traffic first. To do this, use the "vlan dot1q tag native" command in global configuration mode. This will effectively allow only the 802.1Q tagged frames to traverse the trunk link, and any untagged traffic will be dropped if the native VLAN isn't included in the VLANs allowed per your trunk port configuration. So by tagging the native VLAN traffic, your trunk port will only allow VLAN 10 across that link.

Summary:

1. By default, native VLAN traffic is untagged and allowed across a pruned trunk.

2. To tag native VLAN traffic, use the "vlan dot1q tag native" global configuration mode command. By doing this, all untagged traffic will not only be considered as belonging to the native VLAN but will also be tagged.

3. Tagged native VLAN traffic will be treated like all other tagged traffic and dropped if it is not configured to be allowed on a pruned trunk port.
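The decision steps the answers above describe, as an added example that is not part of this thread: the egress order viswamin gives (allowed-list check first, then the native VLAN check that decides untagged vs. tagged), the ingress rule Jon describes (untagged frame on a trunk is filed under that trunk's native VLAN), and the effect of the "vlan dot1q tag native" command from this answer. It is a simplified model written for illustration, not Cisco's code; the Trunk class, function names and sample trunks are constructed, and real platforms differ on edge cases.

```python
from dataclasses import dataclass

ALL_VLANS = frozenset(range(1, 4095))

@dataclass(frozen=True)
class Trunk:
    """One trunk port: native VLAN and allowed list are per trunk (constructed model)."""
    name: str
    native_vlan: int = 1                  # "switchport trunk native vlan N"
    allowed: frozenset = ALL_VLANS        # "switchport trunk allowed vlan ..."

def egress(trunk, vlan, tag_native=False):
    """Frame from VLAN `vlan` leaving `trunk`: returns DROP, UNTAGGED or TAG <id>."""
    if vlan not in trunk.allowed:         # allowed-list check comes first
        return "DROP"
    if vlan == trunk.native_vlan and not tag_native:
        return "UNTAGGED"                 # native VLAN goes on the wire untagged
    return f"TAG {vlan}"                  # everything else carries an 802.1Q tag
                                          # (tag_native models "vlan dot1q tag native")

def ingress(trunk, tag):
    """Frame arriving on `trunk`; `tag` is the 802.1Q VLAN id, or None if untagged.
    Returns the VLAN the switch files the frame under, or DROP if not allowed."""
    vlan = trunk.native_vlan if tag is None else tag   # untagged => native VLAN
    return vlan if vlan in trunk.allowed else "DROP"

def demo():
    """Scenarios from the thread, with constructed port names."""
    # Sourav's setup: trunk allows only VLAN 10, native VLAN left at 1
    pruned = Trunk("Gi0/1", native_vlan=1, allowed=frozenset({10}))
    # Vijay's example: native VLAN 99 on a trunk where 99 is allowed
    t99 = Trunk("Gi0/2", native_vlan=99, allowed=frozenset({10, 99}))
    # Jon's example: two trunks on one switch with different native VLANs
    t1 = Trunk("Gi0/3", native_vlan=10)
    t2 = Trunk("Gi0/4", native_vlan=11)
    return {
        "vlan1_on_pruned": egress(pruned, 1),                 # DROP
        "vlan10_on_pruned": egress(pruned, 10),               # TAG 10
        "native99": egress(t99, 99),                          # UNTAGGED
        "native99_tagged": egress(t99, 99, tag_native=True),  # TAG 99
        "untagged_in_t1": ingress(t1, None),                  # 10
        "untagged_in_t2": ingress(t2, None),                  # 11
        "tagged20_in_t1": ingress(t1, 20),                    # 20
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```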

sourav6388 Thu, 05/31/2012 - 06:21

So what I am understanding is that defining a native VLAN for a trunk means it receives untagged data from that link

and will tag it using the native VLAN ID used on that port link.

If not, then what is the other purpose of fixing a particular native VLAN ID on a trunk...

Thanks

rettuc_ccnp Thu, 05/31/2012 - 18:07

Generally speaking, there are security concerns with using native VLANs, and since everyone knows that the default native VLAN ID is 1, it's always a good idea to change it.

Regards.

rettuc_ccnp Wed, 06/27/2012 - 09:12

Hello,

I was just checking on this posting and noticed it still shows "not answered". Everything I mentioned should address your original questions, but if not, please feel free to send an update and I'm sure we can get any other details figured out. If this did help answer your question, can you change the status of the post to "answered" and leave ratings accordingly? Thanks!
