New Member

VLANs - Default, Native and Management

Okay, please help in understanding the concept of VLANs by confirming whether the following is true or not, and based on that please help me to clear my doubts.
Default vlan - Always vlan 1 on a switch and cannot be changed. Its purpose is to account for the interfaces/ports which are not explicitly assigned a vlan.

Native vlan - By default, it is also vlan 1 on a switch, but can be changed. Frames belonging to the native vlan are sent across the trunk link untagged. Its sole purpose is to provide backward compatibility to devices that don't understand frame tagging as per 802.1Q.

Management vlan- for managing switches.

Now my doubts:

1. Can anyone please draw and explain a scenario in which the native vlan comes into use, so that I can understand its purpose completely.

2. Management vlan - how are they created/assigned and used?
6 REPLIES
Hall of Fame Super Silver
I would say that the understanding of vlans which you describe was fine.

1) First scenario for native vlan. Think about a situation in which some device (perhaps your PC) that does not understand tagged frames is connected to a switch port. That switch port is configured as a trunk. If the switch sends frames over that port that are tagged, the device will not understand them. But the frames sent on the native vlan are not tagged, and the device will understand them and process them.

2) Scenario for management vlan. Think about a network where users are in a vlan (perhaps it is vlan 5). They can observe traffic in vlan 5. Perhaps they might even run Wireshark on their PC and capture traffic on vlan 5. Would you want the traffic that manages your devices to be visible to those users? If you configure vlan 10, configure addressing for vlan 10 and assign the management interface of the switch to vlan 10, then all the management traffic is in vlan 10 and is not visible to users in vlan 5.

HTH

Rick

Bronze
1) Just to give a couple of examples where the native VLAN would be used.

Wireless access points, where you use the native VLAN for the AP's management traffic, but the port is configured as a trunk so it can support different VLANs on the wireless networks.

Some non-Cisco IP phones, again where you want a trunk to use the PC port in a different VLAN; the native would be used for the voice communications.

2) As Rick said you decide on the VLAN you are going to use for management then simply configure a VLAN IP address on all your switches. As you said VLAN 1 is the default so it is fairly common to leave the VLAN 1 interface with no IP address and shut down so the switch can’t be managed by the default VLAN.

Hope that helps!

Matty

New Member
Hi Richard,

Thanks for the response.

1) Suppose I have a server used by my Sales (vlan 10), Marketing (vlan 20) and Finance (vlan 30) departments. Can I connect it to the port of a switch which is in trunking mode with encapsulation 802.1Q, so that I can have the traffic of all vlans traverse this trunk link to the server? If yes, then what role does the native vlan have here?

Hall of Fame Super Silver

Are you saying that your server has an Ethernet card that can do dot1q trunking? If your server Ethernet does support trunking and is correctly configured for these three vlans, then you should be able to connect the server to a switch trunk port and have the various departments access the server directly.

HTH

Rick
Hello

From a security perspective it's best practice to not use vlan 1 whatsoever, as it is well documented that all Cisco switches default to this vlan.

Also it is best to define a native vlan that will not be used.

This is due to something I think is called (double tagging or vlan hopping) - it is when a hacker, knowing that vlan 1 is untagged and the default vlan, can apply an outer tag to an encapsulated packet and send this into your network; then when this outer tag is stripped away the native vlan 1 is seen by the switch, which is accepted into your network and sent on its merry way toward its destination.

So to negate this threat it is best to either tag ALL vlans or define an unused native vlan and a tagged management vlan, and not allow the native vlan to cross any trunks.

example:

vlan 1 = shutdown
vlan 10 = management
vlan 11-49 = user vlans
vlan 50 = native

conf t
! create the VLANs in the VLAN database
vlan 2-50
exit
! shut the SVI on the default vlan so the switch cannot be managed via vlan 1
int vlan 1
shut
! management SVI; x.x.x.x y.y.y.y are the address and mask for vlan 10
int vlan 10
ip address x.x.x.x y.y.y.y
! trunk with an unused native vlan (50) that is kept out of the allowed list
interface gig x/x
switchport trunk encapsulation dot1q
switchport trunk native vlan 50
switchport trunk allowed vlan 2-49
switchport mode trunk


res

Paul
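An added audit script (my own example, not from this thread or any Cisco tool) that reads an IOS running-config excerpt and flags the things Paul's hardening is meant to rule out: a trunk whose native vlan is still vlan 1, a native vlan that is included in the trunk's allowed list, and a vlan 1 SVI that has not been shut down. The sample config and interface names are constructed.

```python
# Constructed IOS running-config sample (not from a real device): Gi0/1 follows the hardening above, Gi0/2 trunks with IOS defaults.
SAMPLE_CONFIG = """\
interface Vlan1
 shutdown
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 50
 switchport trunk allowed vlan 2-49
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return blocks

def expand_vlan_list(spec):
    """Expand IOS allowed-list syntax such as '2-49,60' into a set of VLAN ids."""
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def audit(config):
    """Return (interface, finding) pairs for the default/native VLAN checks above."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.lower() == "vlan1" and "shutdown" not in lines:
            findings.append((name, "SVI for default VLAN 1 is not shut down"))
        if "switchport mode trunk" not in lines:
            continue
        native, allowed = 1, set(range(1, 4095))  # IOS defaults when nothing is configured
        for entry in lines:
            if entry.startswith("switchport trunk native vlan "):
                native = int(entry.rsplit(None, 1)[1])
            elif entry.startswith("switchport trunk allowed vlan "):
                allowed = expand_vlan_list(entry.rsplit(None, 1)[1])
        if native == 1:
            findings.append((name, "native VLAN left at the default VLAN 1"))
        if native in allowed:
            findings.append((name, f"native VLAN {native} is allowed across the trunk"))
    return findings
```

Run `audit(open("running-config.txt").read())` against a saved `show running-config`; only Gi0/2 is reported for the sample above.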
New Member
Hi Paul,

Thanks for those explanations with commands.

1) Suppose I have a server used by my Sales (vlan 10), Marketing (vlan 20) and Finance (vlan 30) departments. Can I connect it to the port of a switch which is in trunking mode with encapsulation 802.1Q, so that I can have the traffic of all vlans traverse this trunk link to the server? If yes, then what role does native vlan 50 have here?

2) Default vlan - 1, native vlan - 2

Fa0/1 - vlan 1 (vlan unassigned) , Fa0/2 - vlan 2 (assigned vlan)

These configurations are done on Sw-A and Sw-B. Then can a frame from Fa0/1 of Sw-A contact Fa0/2 of Sw-B? If not, why exactly, and what would be the tagging on this frame?