cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1357
Views
15
Helpful
27
Replies

Question about native vlan

John Blakley
VIP Alumni
VIP Alumni

If I have the following

Host A:

int fa0/1

switc mode access

switch access vlan 2

int fa0/24

switc mode access

swit access vlan 2

Int fa0/24 connects directly with another switch on its fa0/24 and it's configuration is:

int fa0/24

switc mode access

swit access vlan 10

Host B is on:

int fa0/1

switc mode access

swit access vlan 10

If these are on the same subnet, can they ping each other? My initial thought is "NO", but according to a book I was reading they will be able to because the traffic is untagged. Ok, so by default, a workstation traffic is untagged, BUT when you switch that port to an access port, it changes the native vlan to the vlan that it's a member of, in this case Host A's native is 2 and Host B's native is 10.

Am I incorrect?

Thanks!

John

HTH, John *** Please rate all useful posts ***
2 Accepted Solutions

Accepted Solutions

Hi Jon,

I meant the following:

Of course switch1 internally knows that the frame is going out of the port on vlan x, because the port is kept track to be part of vlan x.

But the frame is sent out of this port (member of vlan x) to switch2's access port (member of vlan y) in untagged format.

Switch2 will tie this frame to vlan y internally (it's port is kept track to be part of vlan y) and forward it on vlan y, because it will treat this frame as a normal ethernet frame coming from a host connected to this port. (No vlan information on the frame itself).

This is a somewhat dangerous scenario because it can create switching or routing loops in some situations.

Cheers:

Istvan

View solution in original post

Right, i've sobered up now and after rereading this i should probably retire from NetPro :-)

"In fact, the two interfaces that connect the switches together are in different vlans. I figure that the host in vlan 2 wouldn't be able to ping to vlan 10 because it would be looking for a vlan 2 on the other switch"

The key difference here is that although the switches each know internally which vlan the packet belongs to they have no way of communicating that information to each other across an access port because packets are not tagged on an access port. So each switch can only map the packet to the vlan that the access port is in.

So when you say "the host in vlan 2 would be looking for a vlan 2 on the other switch" this is not really how it works. The packet would leave the first switch on vlan 2 but because the second switch has mapped the receiving port to vlan 10 then the second switch this packet is now destined for a vlan 10 device.

Jon

View solution in original post

27 Replies 27

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello John,

you are correct only in part

in this way you are joining two broadcast domains to form only one.

Being all ports access ports there is no native vlan issue/concept here.

I used this trick once to join two management vlans.

you can get a CDP vlan mismatch warning but that's all.

if you try to do this with trunk ports PVST detects the mismatch in native vlan and can put in errordisable the port because STP bdpus have a field inside that tells what vlan they are associated with and it is compared to the vlan in which the frame is received (consistency check)

Hope to help

Giuseppe

Hi John,

A small addition to Giuseppe's post:

The reason why HostA and HostB can ping each other lies behind the configuration the fa0/24 ports are connected with each other:

Both of them are configured as access ports.

Access ports transmit frames untagged (as traditional Ethernet frames), therefore the receiving switch has no information on what vlan the frame is coming from and it will treat the incoming frame as a normal Ethernet frame and will accept it.

So the frame may come from vlan X (first switch) and end up on vlan Y (on second switch) as a result of this configuration.

Cheers:

Istvan

Am I right in stating that when a port is an access port, and that port is in, say, vlan 10, that it makes the native vlan for the device connected to that port 10?

--John

HTH, John *** Please rate all useful posts ***

John

The native vlan is only relative to an 802.1q trunk port. An access port does not have a concept of a native vlan.

Jon

I guess I have another question. The following output is from a port on my switch:

Name: Gi5/0/24

Switchport: Enabled

Administrative Mode: static access

Operational Mode: down

Administrative Trunking Encapsulation: negotiate

Negotiation of Trunking: Off

Access Mode VLAN: 127 (WORKSTATIONS)

Trunking Native Mode VLAN: 1 (default)

Administrative Native VLAN tagging: enabled

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk Native VLAN tagging: enabled

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none

Let's say that I hook an unmanaged switch to this port. The port is set up as an access port on vlan127. Because I have routing enabled on my switch, I have an address of:

192.168.127.1

on the SVI. On this switch that's connected to the port that's an access port for vlan127, I have a workstation and a printer. The workstation is in the same subnet as the SVI, but the printer is not.

If access ports don't understand the concept of native tagging (which I thought was only in ISL), then why can I not see the printer from another device that connects into another switchport?

Does the switch tag whatever is coming in on that port as vlan127 in order to cross the trunk?

I may just give up on this question...it sounds so long and convoluted.

--John

HTH, John *** Please rate all useful posts ***

John

I may not be understanding fully what you are asking so if i don't just let me know.

If you connect a hub to a switch and the port on the switch is in vlan 127 then any traffic coming from any device attached to the hub will be seen as being in vlan 127.

Tagging does not happen on access ports at all. But the switch does know which port is in which vlan so internally it will always be able to do the "right thing". If the packet needs to be sent across a trunk link it will tag it with a vlan ID of 127 unless vlan 127 is the native vlan for the trunk link in which case it is sent untagged. Note this only applies to 802.1q. ISL tags all packets.

Jon

So I've attached a diagram :-)

I "know" why this doesn't work, but I would like to know more of the inner workings of it. The main switch has ip routing enabled on it.

Thanks!

HTH, John *** Please rate all useful posts ***

What is the device that the workstation and printer connect to - is it a hub.

Anyway when the packet comes in on vlan 10 to the switch it may not have a tag in the packet but the switch still knows that the port is in vlan 10 and internally can keep track of the fact that this packet is associated with vlan 10. So it can only forward this packet to another port within vlan 10.

This actually comes back to a recent question we were both involved in with Sarah about per vlan mac-address tables. It raises some interesting points and even though i'm on a very long holiday i'm very tempted to dig out my 3550 switches and do some testing.

I suspect what is happening is that switch has a vlan 10 mac-address table and so the packet coming in is "contained" within vlan 10.

Jon

That's why I don't understand my original question.

If the frame is coming in on a port that's a member of a vlan, then that frame can only get forwarded to other members of that vlan.

In my original question, I have 2 different vlans: 2 and 10

One switch was vlan 2 and the other was vlan 10. I'm not understanding how we have 2 separate broadcast domains, yet they can communicate without a L3 device.

In fact, the two interfaces that connect the switches together are in different vlans. I figure that the host in vlan 2 wouldn't be able to ping to vlan 10 because it would be looking for a vlan 2 on the other switch, if in fact the tag is carried across the non-trunked link. For some reason, this one is really confusing me.

Oh, and it's a switch that the hosts are connected to, but unmanaged.

--John

HTH, John *** Please rate all useful posts ***

Yep, i admit i'm a little confused as well !

A switch must be able to tie an access port to a vlan otherwise vlans would be useless. And i always believed that a switch recorded the port to vlan always.

Jon

Whew! At least I may not be losing my mind!

HTH, John *** Please rate all useful posts ***

No not at all. It's one of those things that you think you know but when you have to look into it it's not that simple.

Jon

Right, i've sobered up now and after rereading this i should probably retire from NetPro :-)

"In fact, the two interfaces that connect the switches together are in different vlans. I figure that the host in vlan 2 wouldn't be able to ping to vlan 10 because it would be looking for a vlan 2 on the other switch"

The key difference here is that although the switches each know internally which vlan the packet belongs to they have no way of communicating that information to each other across an access port because packets are not tagged on an access port. So each switch can only map the packet to the vlan that the access port is in.

So when you say "the host in vlan 2 would be looking for a vlan 2 on the other switch" this is not really how it works. The packet would leave the first switch on vlan 2 but because the second switch has mapped the receiving port to vlan 10 then the second switch this packet is now destined for a vlan 10 device.

Jon

Ah! That makes sense!

I've taken a host and made it vlan 2, and then I've taken the switch port and made it vlan 10.

LOL! Interesting.....

John

HTH, John *** Please rate all useful posts ***
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: