Purpose of Native VLAN

Is there any other purpose of the Native VLAN other than creating trunk ports? Can trunk ports be configured without a Native VLAN? Please help.

Accepted Solution
Bronze

Hi Ralph,

I hope you are doing fine.

If I have vlan 1 (default) as native vlan (default), does that mean that all frames relating to vlan 1 will be untagged?

yes

I see that the native vlan is supposed to be needed to pass untagged traffic along a trunk line, but where does this untagged traffic come from, as all the vlans involved will tag their ID into the ethernet frame?

Please help with a clear simple answer

My friend Ralph, I apologize for what follows below, but I feel it is important to understand how switches decide when to use vlan tag or not.

I will use a few examples to illustrate that. Excuse my digression :)

################################################

Let us first understand a simple case before we delve into the use of the native vlan for user traffic.

H1(mac1)---f1/1-SW1-F1/2--Trunk---F1/2-SW2-F1/1--H2(mac2)

Above we have one single vlan, say vlan 2, and both H1 and H2 are in vlan 2.

F1/1 on Sw1 and Sw2 are access ports: it means the switch expects untagged traffic from the attached hosts, i.e. H1 and H2 (there is one exception where an access port can accept tagged traffic, but it is a special case commonly referred to as a mini trunk, when the port is connected to an IP phone with a built-in switch; we save that discussion for later :)

F1/2 is a trunk port; it means the switch will attach a vlan tag when forwarding the frame out of the trunk port. It also means the SW will accept tagged/untagged frames.

Let's say H1 sends a frame to H2; we assume both Sw1 and Sw2 have H1's mac1 and H2's mac2 in their CAM tables. This frame is untagged.

Sw1 receives the frame, with source mac1 and destination mac2. After all the necessary functions (CRC check, resetting the MAC ageing timer, etc.), Sw1 proceeds to perform the most important function: the destination MAC lookup. Since the frame is received on f1/1, which is a member of vlan 2, Sw1 consults the CAM table associated with vlan 2 and sees the frame needs to be sent out of F1/2. Sw1 also notices that it is a trunk port. Sw1 therefore inserts vlan tag 2 and forwards the frame out of F1/2.

Sw2 receives the frame; it performs the necessary functions (CRC check, checking the vlan tag to see which CAM table should be consulted, resetting the age timer associated with the mac2 entry in the CAM table if the entry already exists). SW2 then performs the most important function, like SW1 did earlier: the destination MAC lookup. Using the tag (vlan 2) inserted by Sw1, Sw2 looks up the CAM table associated with vlan 2.

Based on the lookup, SW2 notices that the frame needs to be sent out of F1/1, which is an access port. Since F1/1 is an access port, Sw2 removes vlan tag 2 and sends the untagged frame out of F1/1.

To sum it up, switches use the vlan tag to determine which CAM table needs to be consulted when receiving a frame on a trunk port.

If a frame needs to be sent out of a trunk port, the SW imposes the proper vlan tag; if the frame needs to be sent out of an access port, the switch removes the tag.

#####################

Now that we understand the basic forwarding of frames on switches, let's consider a different scenario: (I am going somewhere with all this digression :)

 

H1( mac1)----f1/1--SW1-F1/2--Trunk---f1/2-SW2-f1/1--H2(mac2)

H3( mac3)----f1/3                                                  -f1/4-H4( mac4)

 

Above, H1 and H2 are in Vlan 2; H3 and H4 are in vlan 3.

 

Let's say H1 sends a frame (F1) to H2, and H3 sends a frame (F2) to H4.

Sw1 receives F1 on f1/1 and F2 on f1/3

Sw1 has two CAM tables (we will ignore the CAM table associated with the default vlan for now): one is associated with vlan 2 and the other with vlan 3.

Since F1 is received on F1/1, which is in vlan 2, SW1 will use the CAM table associated with vlan 2. Similarly for F2, Sw1 will use the CAM table associated with vlan 3.

Sw1 will insert vlan tag 2 for F1 because it needs to be sent out of the trunk port (f1/2), and vlan tag 3 for F2 because it needs to be sent out of trunk port f1/2 as well.

 

Above we see that we can use a single link, f1/2 (trunk), to support traffic H1<--->H2 and H3<--->H4 using vlan tags.

In summary, the SW needs to determine which CAM table to consult when it receives a frame. The SW determines that by:

1) If the frame is received on an access port, use the CAM table associated with the vlan the port is a member of.

2) If the frame is received on a trunk port, the SW uses the inserted vlan tag to determine the proper CAM table for the lookup.

##############################

H1( mac1)-f1/1--SW1-f1/2 (trunk)-f1/2-SW2-f1/1-H2(mac2)

H3(mac3)-f1/3                                                f1/3-H4(mac4)

Above, H3 and H4 are in the same Vlan 3; H1 and H2 are not in any vlan per se. Since we do not instruct Sw1 and Sw2 about the membership of f1/1, SW1 and SW2 regard f1/1 as being in vlan 1.

Sw1 and Sw2 have a mutual understanding and agreement about the native/default vlan 1

(they use CDP, STP to communicate what they consider the default/native vlan, and it has to match; we do not need to use vlan 1 as the default vlan; we can use any valid vlan id as the default vlan using: switchport trunk native vlan XX)

Sw1 and Sw2 also agreed they will send any frame that belongs to the default vlan untagged out of the trunk port.

Keeping the above "mutual understanding" between Sw1 and Sw2 in view, let's see how a frame from H1 to H2 gets forwarded.

H1 sends a frame F1 to Host2.

Sw1 receives F1 on f1/1. Sw1 notices that F1/1 is not assigned to any vlan explicitly; therefore SW1 considers F1/1 to be a member of vlan 1 (default/native vlan). SW1 performs the necessary functions as described above and then performs the destination mac lookup using the CAM table associated with VLAN 1.

The CAM table shows F1 needs to be sent out f1/2 (trunk port). Honoring the agreement with SW2, SW1 forwards F1 out without inserting any tag.

Sw2 receives F1 on its trunk port f1/2. Since F1 is received on a trunk port, Sw2 checks for a vlan tag so that it can choose the proper CAM table for the lookup. Since there is no tag, as per the agreement with Sw1, Sw2 will use the CAM table associated with the default/native vlan 1 and forwards F1 out of f1/1.

##################################

I hope you understand how we use the default vlan for user traffic.

One more thing before I take my beauty sleep:)

Switches do not directly control how the attached devices send traffic (tagged/untagged) to them. Switches only know whether they are expecting tagged traffic, untagged traffic, or both on a certain port.

Some examples are in order:

H1--- f1/1 ( access port) SW

H1 should send untagged traffic or risk communication issues with other host machines.

H1---f1/1(trunk) SW

The SW can accept untagged and tagged traffic from H1. In the case of untagged traffic, the SW will use the default vlan to forward it. In the case of tagged traffic, the SW will use the CAM table associated with the received vlan tag to forward it.

Please ask if you have any more questions:)

Happy Holidays!!
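To make the access/trunk/native-VLAN rules in the answer above concrete, here is a small Python model of two switches joined by a trunk, added as an editor's example rather than code from the thread or from Cisco. Port names (f1/1, f1/2, f1/3, f1/4), host MAC labels (mac1 to mac6) and the VLAN numbers follow the diagrams above; the `allowed` set on the trunk port, the `build`/`send` helpers and the flooding of unknown destinations are assumptions of this model, not something the post describes. It shows VLAN 2 traffic crossing the trunk tagged, default-VLAN 1 traffic crossing untagged, and the caveat that follows from the "it has to match" remark: when the two ends of the trunk disagree on the native VLAN, an untagged VLAN 1 frame from SW1 is placed into VLAN 3 by SW2 and delivered to a VLAN 3 host.

```python
"""Toy model of 802.1Q forwarding between two switches joined by a trunk.
Constructed example: switch/port names follow the thread's diagrams."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None            # None = no 802.1Q tag on the wire

@dataclass
class Port:
    mode: str                            # "access" or "trunk"
    vlan: int = 1                        # access VLAN, or the trunk's native VLAN
    allowed: Optional[frozenset] = None  # trunk only; None = every VLAN allowed

class Switch:
    def __init__(self, name: str):
        self.name = name
        self.ports: Dict[str, Port] = {}
        self.cam: Dict[int, Dict[str, str]] = {}   # one CAM table per VLAN

    def learn(self, vlan: int, mac: str, port: str) -> None:
        self.cam.setdefault(vlan, {})[mac] = port

    def ingress_vlan(self, port: str, f: Frame) -> Optional[int]:
        """Choose the VLAN (and so the CAM table) for a received frame; None = drop."""
        p = self.ports[port]
        if p.mode == "access":
            return p.vlan                # hosts send untagged; the port's VLAN decides
        if f.vid is None:
            return p.vlan                # untagged on a trunk belongs to the native VLAN
        if p.allowed is not None and f.vid not in p.allowed:
            return None                  # VLAN pruned from this trunk
        return f.vid

    def egress_frame(self, port: str, vlan: int, f: Frame) -> Optional[Frame]:
        """Rewrite the tag for the outgoing port; None = port does not carry this VLAN."""
        p = self.ports[port]
        if p.mode == "access":
            return Frame(f.src, f.dst, None) if p.vlan == vlan else None
        if p.allowed is not None and vlan not in p.allowed:
            return None
        return Frame(f.src, f.dst, None if vlan == p.vlan else vlan)  # native leaves untagged

    def forward(self, in_port: str, f: Frame) -> List[Tuple[str, int, Frame]]:
        """Return (out_port, vlan, frame as transmitted) for each port the frame leaves on."""
        vlan = self.ingress_vlan(in_port, f)
        if vlan is None:
            return []
        self.learn(vlan, f.src, in_port)
        known = self.cam[vlan].get(f.dst)
        targets = [known] if known else list(self.ports)   # unknown destination: flood
        sent = []
        for port in targets:
            if port == in_port:
                continue
            g = self.egress_frame(port, vlan, f)
            if g is not None:
                sent.append((port, vlan, g))
        return sent

def build(native_sw1: int = 1, native_sw2: int = 1,
          allowed: Optional[frozenset] = None) -> Tuple[Switch, Switch]:
    """SW1 and SW2 as drawn in the thread: f1/1 in VLAN 2, f1/3 in VLAN 3,
    f1/4 left in the default VLAN 1, f1/2 the trunk between the two switches."""
    sw1, sw2 = Switch("SW1"), Switch("SW2")
    for sw, native in ((sw1, native_sw1), (sw2, native_sw2)):
        sw.ports = {"f1/1": Port("access", 2), "f1/3": Port("access", 3),
                    "f1/4": Port("access", 1), "f1/2": Port("trunk", native, allowed)}
    # CAM entries on SW2 that the original post assumes were already learned
    for mac, port, vlan in (("mac2", "f1/1", 2), ("mac4", "f1/3", 3), ("mac6", "f1/4", 1)):
        sw2.learn(vlan, mac, port)
    return sw1, sw2

def send(sw1: Switch, sw2: Switch, in_port: str, src: str, dst: str):
    """Send one frame from a host on SW1; report (tag seen on the trunk wire,
    VLAN SW2 assigns it to, SW2 egress ports), or None if it never crosses."""
    on_trunk = [g for port, _, g in sw1.forward(in_port, Frame(src, dst)) if port == "f1/2"]
    if not on_trunk:
        return None
    wire = on_trunk[0]
    return (wire.vid, sw2.ingress_vlan("f1/2", wire),
            sorted(p for p, _, _ in sw2.forward("f1/2", wire)))

if __name__ == "__main__":
    sw1, sw2 = build()
    print("VLAN 2 host -> host:", send(sw1, sw2, "f1/1", "mac1", "mac2"))
    print("default VLAN 1 host -> host:", send(sw1, sw2, "f1/4", "mac5", "mac6"))
    sw1, sw2 = build(native_sw1=1, native_sw2=3)
    print("native VLAN mismatch:", send(sw1, sw2, "f1/4", "mac5", "mac6"))
    sw1, sw2 = build(allowed=frozenset({2, 3}))
    print("VLAN 1 not allowed on trunk:", send(sw1, sw2, "f1/4", "mac5", "mac6"))
```

Running the block prints the four cases. The mismatch case is the one to remember: a switch cannot distinguish an untagged user frame from an untagged native-VLAN frame, so agreement on the native VLAN at both ends of the trunk is the only thing keeping those VLANs apart. The last case shows what removing VLAN 1 from the trunk's allowed list does to VLAN 1 user traffic in this model.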


Purpose of Native VLAN

The concept of native is to send frames untagged on that particular vlan.

All the other frames on other vlans will be tagged with their particular vlan tag once they traverse between switch and switch or switch and router.

HTH,

Smitesh

Hall of Fame Super Silver

Purpose of Native VLAN

Muhammad

There is no purpose for native VLAN other than on a trunk.

If you are doing dot1Q trunking then there will be a native VLAN. The specification of the trunking protocol is very clear that it includes a native VLAN. You do not have to configure a VLAN as the native VLAN, and you do not have to use a VLAN as the native VLAN (all of the frames sent on VLANs on the trunk may be tagged), but some VLAN will be designated as the native VLAN.

HTH

Rick

New Member

Hi There

I'm confused by the native vlan also.

If I have vlan 1 (default) as native vlan (default), does that mean that all frames relating to vlan 1 will be untagged?

I see that the native vlan is supposed to be needed to pass untagged traffic along a trunk line, but where does this untagged traffic come from, as all the vlans involved will tag their ID into the ethernet frame?

Please help with a clear simple answer

Thank you

Ralph


Hall of Fame Super Silver

The response from sarahr202 is well worked out and is a good explanation of the relationship of access port vs trunk port and of tagged frames vs untagged frames. I would like to address one aspect of Ralph's question. He says that "as all the vlans involved will tag their ID into the ethernet frame". That is a misunderstanding on his part. On a dot1Q trunk there is always one vlan that does not tag its frames.

HTH

Rick

Bronze

Purpose of Native VLAN

Here's how it made sense to me:

If the trunk fails (negotiation or something weird) the link will still pass the native vlan traffic.

Possible use:

If you create a "management" vlan and make it your native vlan, it could be a saving grace if the trunk fails and you want to remotely configure the distant-end switch.

Ven

Ven Taylor
New Member

Purpose of Native VLAN

Old topic but passing management traffic makes perfect sense.

New Member

Hi there

Thank you so much for taking the time to explain this concept to me. Much appreciated

I think I am getting to grips with this now.

The part in brackets:

"(they use CDP, STP to communicate what they consider the default/native vlan, and it has to match; we do not need to use vlan 1 as the default vlan; we can use any valid vlan id as the default vlan using switchport trunk native vlan XX)"

I assume that you are referring to the point that the native vlan can be assigned any number within the range, but the default vlan is always vlan 1. Then that would mean that if the native vlan is not changed away from being the default vlan 1, then all ports in vlan 1 would be working untagged.

Regards

Ralph

Hall of Fame Super Silver

Ralph

I think you have it right. But let me restate it in a slightly different way and you can tell us if anything I am saying is different from what you meant.

- on a dot1Q trunk there is always a native vlan.

- frames on the native vlan are transmitted on the trunk without tags while frames in other vlans are always transmitted with tags.

- by default the native vlan is vlan 1.

- but any vlan can be designated as the native vlan.

- there is a default vlan which is vlan 1. Any switchport not configured with a vlan assignment will be assigned membership in the default vlan (which is vlan 1).

I want to be sure that we are not confusing the concept of native vlan and default vlan when you say " if the native vlan is not changed, away from being default vlan1, then all ports in vlan 1 would be working untagged ".

HTH

Rick

Bronze

Hi Ralph,

"(they use CDP, STP to communicate what they consider the default/native vlan, and it has to match; we do not need to use vlan 1 as the default vlan; we can use any valid vlan id as the default vlan using switchport trunk native vlan XX)"

I assume that you are referring to the point that the native vlan can be assigned any number within the range, but the default vlan is always vlan 1. Then that would mean that if the native vlan is not changed away from being the default vlan 1, then all ports in vlan 1 would be working untagged.

Yes, the key word is native vlan; by default all traffic belonging to the native vlan is sent untagged on the dot1q trunk.

If you do not change anything, native vlan = default vlan 1.

My apology for lack of clarity :

I should have said:

(they use CDP, STP to communicate what they consider the native vlan, and it has to match; we do not need to use vlan 1 as the native vlan; we can use any valid vlan id as the native vlan using switchport trunk native vlan XX)

As Richard pointed out, there is a difference between the default vlan and the native vlan.

Native vlan: simply means traffic belonging to the native vlan will be sent untagged on a dot1q trunk.

Protocols such as CDP, PAgP, DTP, VTP use the native vlan to communicate messages between switches.

DEFAULT VLAN: As the name indicates, something that already exists without any user intervention.

Switches need these protocols (CDP, VTP, PAgP, DTP). To support out-of-the-box operation, Cisco uses the default vlan 1 as the native vlan.

SOME ILLUSTRATIONS:

H1--f1/1-SW1--f1/2--trunk--F1/2-SW2-f1/1--H2

H3-f1/3                                                 f1/3--H4

Above, H1 and H2 are in vlan 3 because they are connected to f1/1 on Sw1 and Sw2, which are in Vlan 3. H3 and H4 are in the default vlan 1.

COMMUNICATION BETWEEN H1 and H2:

On Sw1 and Sw2:

interface f1/2
 switchport trunk native vlan 3
interface f1/1
 switchport access vlan 3

All frames between H1<-->H2 will be sent untagged on the trunk port (f1/2), because H1 and H2 are connected to f1/1, which is in native vlan 3. So switches simply send frames untagged out of the trunk port for the native vlan.

All frames between H1<--->H2 will be sent untagged on f1/1 (access ports), just like for any other non-native vlan. So this behaviour stays the same regardless of native or non-native vlan.

PROTOCOLS:

Protocols such as CDP, DTP, PAgP, VTP will use VLAN 3 because VLAN 3 is the native vlan.

Before, they were using vlan 1 because vlan 1 is regarded as the native vlan by default.

COMMUNICATION BW H3 and H4:

All traffic between H3 and H4 will be sent with vlan tag 1 out of trunk port f1/2. This is because Vlan 1 is no longer the native vlan, as we configured vlan 3 as the native vlan.

All traffic between H3 and H4 will be sent untagged out of the access ports; as mentioned earlier, this behavior does not change regardless of vlan type, i.e. native or non-native.

Please feel free to ask any more question.

Have a great weekend!!

Hi Sarah,

I've been playing with these features for several years already, but I would not 100% agree with the sentence

"Protocols such as CDP,DTP, PAGP, VTP, will use VLAN 3 because VLAN 3 is a native vlan."

As stated in this Cisco document

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/24330-185.html#pre6 

"On an 802.1Q trunk, DTP packets are sent on the native VLAN."

BUT

"CDP, VTP, and PAgP updates are always forwarded on trunks with a VLAN 1 tag."

So CDP, PAgP and VTP frames would be sent with the VLAN1 tag on the trunk between the switches in your example, wouldn't they?

Best regards,

Milan

Bronze

Hi Milan,

Thanks for the response.

Even though it was my understanding as well that some protocol traffic always uses vlan 1, I should have been more specific. I should have mentioned that only CDP, not the other protocols (DTP, PAgP, VTP), uses the native vlan. If we change the native vlan to, say, vlan 2, CDP will use vlan 2.

As for the other protocols (PAgP, VTP, DTP), I still have to lab it up, even though there are Cisco docs and textbooks which do say they use vlan 1 even if we change the native vlan, and that is one of the main reasons not to prune vlan 1.

Please see the attached lab. 

In short this is what I observed:

H3(199.199.199.3)-----f6/1-SW1-f6/0-(trunk)---f6/0-SW2-f6/1-----H4(199.199.199.4)

H1(1.1.1.1)-----------f1/1                              F1/1-----------H2(1.1.1.2)

H3 and H4 are in Vlan 2,

H1 and H2 are in Vlan 1

When I changed the native vlan to vlan 2, I see that traffic between H3 and H4 is untagged; CDP traffic is also untagged.

All vlan 1 traffic is tagged.

If CDP always uses VLAN 1 no matter what the native vlan is, then we should see CDP traffic tagged with vlan id 1, but we don't.

Not sure if this behavior is particular to this IOS version.

thanks,
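For anyone reproducing the SPAN-and-Wireshark check described in the post above offline, the following Python classifier is an added example (not the attached lab, whose capture is not part of this page): it parses raw Ethernet frames, reports which trunk frames carry an 802.1Q tag and with which VID, and pulls the Native VLAN TLV (type 0x000A) out of CDP advertisements, which is the field Catalyst switches compare when they log a native VLAN mismatch. The MAC addresses, payloads and the small capture list are constructed to mirror the lab description (native VLAN 2: H3/H4 traffic untagged, VLAN 1 traffic tagged, CDP untagged); the header constants are the standard 802.1Q and CDP values, and `build_frame`/`build_cdp` exist only to fabricate test input.

```python
"""Classify frames from a SPAN capture of a trunk: tagged or untagged, which VID,
and what native VLAN each CDP advertisement carries. Constructed example; the
sample frames below are built inline, not taken from the thread's attachment."""
import struct
from typing import Dict, List, Optional

CDP_MAC = bytes.fromhex("01000ccccccc")             # CDP multicast destination
TPID_8021Q = 0x8100
CDP_SNAP = bytes.fromhex("aaaa03" "00000c" "2000")  # LLC/SNAP: OUI 00:00:0c, PID 0x2000
CDP_TLV_DEVICE_ID = 0x0001
CDP_TLV_NATIVE_VLAN = 0x000A

def parse_frame(raw: bytes) -> Dict:
    """Split an Ethernet frame into dst, src, 802.1Q VID (None if untagged),
    EtherType/length and payload."""
    off = 12
    vid = None
    if struct.unpack("!H", raw[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", raw[off + 2:off + 4])[0]
        vid = tci & 0x0FFF                           # low 12 bits of the TCI
        off += 4
    etype = struct.unpack("!H", raw[off:off + 2])[0]
    return {"dst": raw[:6].hex(":"), "src": raw[6:12].hex(":"),
            "vid": vid, "etype": etype, "payload": raw[off + 2:]}

def cdp_native_vlan(frame: Dict) -> Optional[int]:
    """Return the Native VLAN TLV of a CDP frame, or None if not CDP / TLV absent."""
    body = frame["payload"]
    if (frame["dst"] != CDP_MAC.hex(":") or frame["etype"] > 1500
            or not body.startswith(CDP_SNAP)):
        return None
    pos = len(CDP_SNAP) + 4                          # skip version, TTL, checksum
    while pos + 4 <= len(body):
        tlv_type, tlv_len = struct.unpack("!HH", body[pos:pos + 4])
        if tlv_len < 4:
            break                                    # malformed TLV; stop parsing
        if tlv_type == CDP_TLV_NATIVE_VLAN and tlv_len == 6:
            return struct.unpack("!H", body[pos + 4:pos + 6])[0]
        pos += tlv_len
    return None

def summarize(capture: List[bytes]) -> Dict:
    """Per-VID frame counts plus every native VLAN advertised by CDP in the capture."""
    counts: Dict[str, int] = {}
    natives = set()
    for raw in capture:
        f = parse_frame(raw)
        key = "untagged" if f["vid"] is None else f"vlan{f['vid']}"
        counts[key] = counts.get(key, 0) + 1
        nv = cdp_native_vlan(f)
        if nv is not None:
            natives.add(nv)
    return {"counts": counts, "cdp_native_vlans": sorted(natives),
            "native_vlan_mismatch": len(natives) > 1}

# --- constructed sample frames (test input only) ---------------------------
def build_frame(dst: bytes, src: bytes, payload: bytes, vid: Optional[int] = None,
                etype: int = 0x0800) -> bytes:
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI left at zero
    return hdr + struct.pack("!H", etype) + payload

def build_cdp(src: bytes, native_vlan: int, vid: Optional[int] = None) -> bytes:
    tlvs = struct.pack("!HH", CDP_TLV_DEVICE_ID, 4 + 3) + b"SW1"
    tlvs += struct.pack("!HHH", CDP_TLV_NATIVE_VLAN, 6, native_vlan)
    body = CDP_SNAP + bytes([2, 180]) + b"\x00\x00" + tlvs   # v2, TTL 180, checksum zeroed
    return build_frame(CDP_MAC, src, body, vid=vid, etype=len(body))  # 802.3 length field

H1, H2 = bytes.fromhex("0200000000a1"), bytes.fromhex("0200000000a2")
H3, H4 = bytes.fromhex("0200000000a3"), bytes.fromhex("0200000000a4")
SW1, SW2 = bytes.fromhex("0200000000f1"), bytes.fromhex("0200000000f2")
SAMPLE_CAPTURE = [                      # trunk with native VLAN 2, as in the lab above
    build_frame(H4, H3, b"\x45" + b"\x00" * 19),          # VLAN 2 data: native, untagged
    build_frame(H2, H1, b"\x45" + b"\x00" * 19, vid=1),   # VLAN 1 data: now tagged
    build_cdp(SW1, native_vlan=2),                         # CDP, untagged
]
# a neighbour that still believes the native VLAN is 1 and says so in CDP
MISMATCHED_CAPTURE = SAMPLE_CAPTURE + [build_cdp(SW2, native_vlan=1)]

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))
    print(summarize(MISMATCHED_CAPTURE))
```

On a real capture, feed `summarize` the raw frame bytes from the SPAN session; the `cdp_native_vlans` list gives each end's view of the native VLAN without having to log in to either switch, and two different values is the condition the thread says must never occur on a working trunk.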

Hi,

very interesting!

I remember I also read somewhere CDP is always sent untagged...

How do you capture frames on the trunk exactly?

Thanks,

Milan

Bronze

Wireshark, with SPAN on the switch.

By Milan:

"CDP, VTP, and PAgP updates are always forwarded on trunks with a VLAN 1 tag."

So CDP, PAgP and VTP frames would be sent with the VLAN1 tag on the trunk between the switches in your example, wouldn't they?

So CDP, PAgP and VTP frames would be sent with the VLAN 1 tag on the trunk between the switches; what will happen if we admin down VLAN 1? In our office we don't use VLAN 1.

Could you please explain the Native VLAN concept to me, since we admin down the default VLAN whenever adding a new access switch into production.

My current setup is a Cisco two-tier architecture (core-access layer).

Hi,

the document I was referring to

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/24330-185.html#cg18

is saying:

"You can limit the VLAN 1 transmission of user data and operation of STP on an interface. Simply do not configure the VLAN on the trunk interface. This configuration does not stop the transmission of control packets from switch to switch in VLAN 1, as with a network analyzer. But no data are forwarded, and STP is not run over this link."

In other words:

If you disable VLAN 1 on a trunk, the user data and STP traffic are disabled only within it.

But not the control protocols like CDP, PAgP and VTP.

I have not captured frames to confirm, it's just what Cisco document says.

Best regards,

Milan

And please let me know, is there any necessity to allow VLAN 1 on the trunk? If not, what will happen? Will the untagged traffic move on the trunk link?

Hi,

my understanding of the document is:

If you disable VLAN 1 on a trunk, user data and STP frames will not be sent through it. But the control protocols like CDP, VTP and PAgP will still be sent in VLAN 1 on the trunk: untagged if VLAN 1 is left as the native VLAN, or tagged if you configure a different VLAN as native.

BR,

Milan
