Cisco Support Community

Use native vlan or not

Hi,

 

Say that 123 is the management vlan of switches in a VTP domain. Should this vlan be configured as native on the interswitch links or not? For security reasons I would think that this vlan should also be tagged between switches. What are the benefits/drawbacks of configuring it as native and what if it is tagged as all other vlans?

Would it cause a problem if some interswitch links (both sides) have 123 as native and others do not?


I cannot think of a situation where vlans traversing a trunk should not be tagged. Please share any examples...

 

Thank you in advance,

Katerina

5 REPLIES

Native vlan 123 can be used, for example, when you connect a notebook to a trunk port and telnet or ssh to the switch,

and I think there are no security reasons.

Don't forget to rate the post.

Hey Katerina,

Regarding your queries:

Say that 123 is the management vlan of switches in a VTP domain. Should this vlan be configured as native on the interswitch links or not? - Keep it tagged.

For security reasons I would think that this vlan should also be tagged between switches. - Yes, keep it tagged.

What are the benefits/drawbacks of configuring it as native and what if it is tagged as all other vlans? - Well, if it's tagged then it's ensured that even if a user accidentally or intentionally connects to a trunk port, it will not get access to the management vlan, as by default the traffic from a PC is untagged.

Would it cause a problem if some interswitch links (both sides) have 123 as native and others do not? - Yes, it will cause broadcast domain overlapping and the logging server will be filled with native vlan mismatch syslogs.

I cannot think of a situation where vlans traversing a trunk should not be tagged. Please share any examples - As I mentioned earlier, if you want a user, say yourself, to access the management vlan on a trunk port, you may keep vlan 123 native on that port.

HTH.

Regards,

RS.

 

 


Hi Rajeevsh,

 

Thanks for your answer. I get all the security issues related with using the native vlan.

What I don't understand is how it will cause broadcast domain overlapping and native-mismatch syslog messages. Both ends of the link will be either configured with native vlan or without it, so I believe that this configuration won't cause native vlan mismatch.

So should all the topology have the native vlan configured or can I skip it for some devices for which I want more security?

 

Thanks in advance,

Katerina


 

Hey Katerina,

My bad, I misinterpreted the question; you are correct, it will not cause broadcast domain overlapping and native vlan syslog messages.

And regarding your question:

So should all the topology have the native vlan configured or can I skip it for some devices for which I want more security? - Native vlan will be required for all the trunk links if you are deploying dot1q links; however, on those devices where more security is required, use an unused vlan as native.

HTH.

Regards,

RS.
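
An added example, not part of the original thread and not Cisco tooling: a Python check that reads both ends of each inter-switch trunk from IOS-style interface config and reports the three conditions discussed above (native VLAN mismatch between ends, management VLAN 123 left untagged as native, and a native VLAN that is not "unused"). The switch names, ports, link list and finding labels are assumptions, the sample configs are constructed, and "unused" is taken here to mean that no access port on either switch is assigned to the native VLAN.

```python
import re
MGMT_VLAN = 123  # management VLAN named in the thread
# Constructed sample configs; switch names, ports and links are hypothetical.
CONFIGS = {
    "sw1": """interface Gi0/1
 switchport mode trunk
 switchport trunk native vlan 123
interface Gi0/2
 switchport mode trunk
 switchport trunk native vlan 999""",
    "sw2": """interface Gi0/1
 switchport mode trunk
 switchport trunk native vlan 123
interface Gi0/7
 switchport mode access
 switchport access vlan 123""",
    "sw3": """interface Gi0/1
 switchport mode trunk""",
}
LINKS = [(("sw1", "Gi0/1"), ("sw2", "Gi0/1")), (("sw1", "Gi0/2"), ("sw3", "Gi0/1"))]

def parse_ports(config):
    """Map interface -> mode, native VLAN and access VLAN (both default to 1)."""
    ports, cur = {}, {}
    for line in config.splitlines():
        m = re.match(r"\s*(interface|switchport (?:mode|trunk native vlan|access vlan)) (\S+)", line)
        key, val = m.groups() if m else ("", "")
        if key == "interface":
            cur = ports[val] = {"mode": None, "native": 1, "access": 1}
        elif key == "switchport mode":
            cur["mode"] = val
        elif key and val.isdigit():
            cur["native" if "native" in key else "access"] = int(val)
    return ports

def audit(configs, links, mgmt_vlan=MGMT_VLAN):
    """Return sorted (link, finding) pairs for the listed inter-switch trunks."""
    parsed = {sw: parse_ports(cfg) for sw, cfg in configs.items()}
    findings = []
    for a, b in links:
        name = f"{a[0]}:{a[1]}<->{b[0]}:{b[1]}"
        natives = {parsed[sw][port]["native"] for sw, port in (a, b)}
        used = {p["access"] for sw, _ in (a, b)
                for p in parsed[sw].values() if p["mode"] == "access"}
        checks = ((len(natives) > 1, "native-mismatch"),    # the two ends disagree
                  (mgmt_vlan in natives, "mgmt-untagged"),  # management VLAN sent untagged
                  (bool(natives & used), "native-in-use"))  # assumption: access ports = "in use"
        findings += [(name, tag) for hit, tag in checks if hit]
    return sorted(findings)
```
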


Hi Rajeevsh,

 

Thanks for the info!
