Use native vlan or not

Hi,

 

Say that 123 is the management vlan of switches in a VTP domain. Should this vlan be configured as native on the interswitch links or not? For security reasons I would think that this vlan should also be tagged between switches. What are the benefits/drawbacks of configuring it as native and what if it is tagged as all other vlans?

Would it cause a problem if some interswitch links (both sides) have 123 as native and others do not?


I cannot think of a situation where vlans traversing a trunk should not be tagged. Please share any examples...

 

Thank you in advance,

Katerina


5 Replies

Tagir Temirgaliyev
Spotlight

Native VLAN 123 can be used, for example, when you connect a notebook to a trunk port and telnet or SSH to the switch,

and I think there are no security reasons.

 

Don't forget to rate the post.

Rajeev Sharma
Cisco Employee

Hey Katerina,

Regarding your queries:

Say that 123 is the management vlan of switches in a VTP domain. Should this vlan be configured as native on the interswitch links or not? - Keep it tagged.

For security reasons I would think that this vlan should also be tagged between switches. - Yes, keep it tagged.

What are the benefits/drawbacks of configuring it as native and what if it is tagged as all other vlans? - Well, if it's tagged, then it's ensured that even if a user accidentally or intentionally connects to a trunk port, they will not get access to the management VLAN, as by default the traffic from a PC is untagged.

Would it cause a problem if some interswitch links (both sides) have 123 as native and others do not? - Yes, it will cause broadcast domain overlapping, and the logging server will be filled with native VLAN mismatch syslogs.

I cannot think of a situation where vlans traversing a trunk should not be tagged. Please share any examples - As I mentioned earlier, if you want a user, say yourself, to access the management VLAN on a trunk port, you may keep VLAN 123 native on that port.

HTH.

Regards,

RS.
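The two conditions discussed in the reply above are worth telling apart when you audit a VTP domain: a native VLAN that differs at the two ends of one link (the case that produces CDP native-VLAN mismatch logs and merges two VLANs into one broadcast domain), and a link where both ends agree but the native VLAN is the management VLAN (no mismatch log, but untagged frames from anything plugged into the trunk land in 123). The script below is an added example, not code from the thread or from Cisco. It parses the first table of IOS `show interfaces trunk` output; the two switches, the port numbers, the link map (what CDP or LLDP neighbour output would give you) and VLAN 999 as the unused native VLAN are all constructed for the example.

```python
"""Audit native-VLAN handling on 802.1Q inter-switch trunks.

Added example for this thread, not code from the original post. It parses the
first table of Cisco IOS 'show interfaces trunk' output for each switch and,
given which ports face each other, reports:
  NATIVE_MISMATCH  the two ends of a link disagree on the native VLAN
  MGMT_UNTAGGED    the management VLAN (123) rides untagged as the native VLAN
  NOT_TRUNKING     a mapped port does not appear as a trunking port
The sample output and link map below are constructed for the example.
"""
import re
from typing import Dict, List, Tuple

MGMT_VLAN = 123  # management VLAN from the thread

# Constructed 'show interfaces trunk' output (IOS layout, made-up values).
SHOW_TRUNK = {
    "SW1": """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/1     on               802.1q         trunking      999
Gi1/0/2     on               802.1q         trunking      123
Gi1/0/3     on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi1/0/1     10,20,123
Gi1/0/2     10,20,123
Gi1/0/3     10,20,123
""",
    "SW2": """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/1     on               802.1q         trunking      999
Gi1/0/2     on               802.1q         trunking      123
Gi1/0/3     on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/1     10,20,123
Gi1/0/2     10,20,123
Gi1/0/3     10,20,123
""",
}

# Assumed inter-switch links, as CDP/LLDP neighbour output would give them:
# (switch A, port A, switch B, port B).
LINKS = [
    ("SW1", "Gi1/0/1", "SW2", "Gi1/0/1"),  # 999/999: clean
    ("SW1", "Gi1/0/2", "SW2", "Gi1/0/2"),  # 123/123: consistent, but mgmt untagged
    ("SW1", "Gi1/0/3", "SW2", "Gi1/0/3"),  # 999/1: genuine native mismatch
]

# One row of the first table: port, mode, '802.1q', 'trunking', native VLAN.
TRUNK_ROW = re.compile(r"^(\S+)\s+\S+\s+802\.1q\s+trunking\s+(\d+)\s*$", re.M)


def parse_native_vlans(output: str) -> Dict[str, int]:
    """Return {port: native VLAN} for every port that is actively trunking."""
    return {port: int(vlan) for port, vlan in TRUNK_ROW.findall(output)}


def audit_links(show_outputs: Dict[str, str],
                links: List[Tuple[str, str, str, str]],
                mgmt_vlan: int = MGMT_VLAN) -> List[Tuple[str, str]]:
    """Check each link end-to-end; returns (finding, link) pairs in link order."""
    natives = {sw: parse_native_vlans(out) for sw, out in show_outputs.items()}
    findings = []
    for sw_a, port_a, sw_b, port_b in links:
        link = f"{sw_a} {port_a} <-> {sw_b} {port_b}"
        nat_a = natives.get(sw_a, {}).get(port_a)
        nat_b = natives.get(sw_b, {}).get(port_b)
        if nat_a is None or nat_b is None:
            findings.append(("NOT_TRUNKING", link))
            continue
        if nat_a != nat_b:
            # The case that produces CDP native-VLAN mismatch logs and merges
            # two VLANs into one broadcast domain.
            findings.append(("NATIVE_MISMATCH", link))
        if mgmt_vlan in (nat_a, nat_b):
            # Both ends may agree, so no mismatch log; the exposure is that
            # untagged frames from anything plugged into the trunk land in 123.
            findings.append(("MGMT_UNTAGGED", link))
    return findings


if __name__ == "__main__":
    for finding, link in audit_links(SHOW_TRUNK, LINKS):
        print(f"{finding:16} {link}")
```

Note that the link between the two `Gi1/0/2` ports is reported only as `MGMT_UNTAGGED`: both ends agree on 123, so the switches themselves log nothing, which is exactly the configuration Katerina asks about. The `Gi1/0/3` link is the one that would fill the syslog server.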

 

 

Hi Rajeevsh,

 

thanks for your answer. I get all the security issues related to using the native vlan.

What I don't understand is how it will cause broadcast domain overlapping and native-mismatch syslog messages. Both ends of the link will be either configured with native vlan or without it, so I believe that this configuration won't cause native vlan mismatch.

So should all the topology have the native vlan configured or can I skip it for some devices for which I want more security?

 

Thanks in advance,

Katerina


Rajeev Sharma
Cisco Employee
Accepted Solution

Hey Katerina,

My bad, I misinterpreted the question; you are correct, it will not cause broadcast domain overlapping and native VLAN syslog messages.

And regarding your question:

So should all the topology have the native vlan configured or can I skip it for some devices for which I want more security? - A native VLAN will be required for all the trunk links if you are deploying dot1q links; however, on those devices where more security is required, use an unused VLAN as native.

HTH.

Regards,

RS.
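What the recommendation in the accepted answer looks like on an IOS switch, as an added example (this is not configuration from the thread). VLAN 999 as the unused native VLAN, the interface names, the description and the allowed-VLAN list are assumptions for illustration; the same trunk settings go on the other end of the link so the native VLAN matches.

```cisco
! Added example, not from the thread. One end of an inter-switch trunk.
!
! 999 exists only to be the native VLAN: no access ports, no SVI.
vlan 999
 name UNUSED_NATIVE
!
interface GigabitEthernet1/0/1
 description Trunk to SW2 Gi1/0/1
 switchport trunk encapsulation dot1q   ! omit on platforms that only do 802.1Q
 switchport mode trunk
 switchport nonegotiate                 ! no DTP; the far end is a trunk by configuration
 switchport trunk native vlan 999       ! untagged frames land here, not in 123
 switchport trunk allowed vlan 10,20,123
!
! Optional and platform-dependent: also tag frames of the native VLAN so
! nothing leaves the trunk untagged. Set it on both ends or native traffic drops.
vlan dot1q tag native
```

The management VLAN 123 stays in the allowed list and is always tagged on the wire; an untagged frame from a notebook plugged into this port is placed in 999, where there is nothing to talk to. The less secure variant the first reply describes is the same configuration with `switchport trunk native vlan 123`, which puts those untagged frames straight into the management VLAN. Whichever native VLAN you pick, configure it identically on both ends of each link; it does not have to be the same VLAN on every link in the domain.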

Hi Rajeevsh,

 

thanks for the info!
