VLANs - Default, Native and Management

nareshpratap90
Level 1

Okay, please help in understanding the concept of VLANs by confirming whether the following is true or not, and based on that please help me to clear my doubts.

 

 

Default vlan - Always Vlan 1 on a switch and cannot be changed. Its purpose is to account for the interfaces/ports which are not explicitly assigned a vlan.

Native vlan - By default, it is also vlan 1 in a switch, but can be changed. Frames belonging to the native vlan are sent across the trunk link untagged. Its sole purpose is to provide backward compatibility to the devices that don't understand frame tagging, as per 802.1q.

Management vlan- for managing switches.

 

 

Now my doubts ::

 

1. Can anyone please draw and explain a scenario in which the native vlan comes into use, so that I can understand its purpose completely.

2. Management vlan - how is it created/assigned and used?

 

8 Replies

Richard Burts
Hall of Fame

I would say that the understanding of vlans which you describe was fine.

 

1) First scenario, for native vlan. Think about a situation in which some device (perhaps your PC) that does not understand tagged frames is connected to a switch port. That switch port is configured as a trunk. If the switch sends frames over that port that are tagged, the device will not understand them. But the frames sent on the native vlan are not tagged, and the device will understand them and process them.

 

2) Scenario for management vlan. Think about a network where users are in a vlan (perhaps it is vlan 5). They can observe traffic in vlan 5. Perhaps they might even run Wireshark on their PC and capture traffic on vlan 5. Would you want the traffic that manages your devices to be visible to those users? If you configure vlan 10, configure addressing for vlan 10 and assign the management interface of the switch to vlan 10, then all the management traffic is in vlan 10 and is not visible to users in vlan 5.

 

HTH

Rick
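The trunk behaviour Rick describes (native-VLAN frames leave the trunk untagged, everything else carries an 802.1Q tag, and untagged frames arriving on a trunk land in the receiving switch's native VLAN) can be modelled in a few lines. The following Python model is an added example, not code from the thread or from Cisco; the MAC addresses, payload and VLAN numbers are constructed, and it also runs the general case the thread circles around later, a native-VLAN mismatch between two switches, to show why the native VLAN must match on both ends and should be a VLAN nobody uses.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100       # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800   # payload EtherType used in the constructed frames

# Constructed sample addresses and payload (not from the thread).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
PAYLOAD = b"constructed payload"

ALL_VLANS = frozenset(range(1, 4095))  # Cisco default: every VLAN allowed on a trunk


@dataclass(frozen=True)
class TrunkPort:
    """Trunk port settings: native VLAN and the set of VLANs allowed across it."""
    native: int
    allowed: FrozenSet[int]


def build_frame(dst: bytes, src: bytes, vid: Optional[int], payload: bytes) -> bytes:
    """Build an Ethernet frame; an 802.1Q tag is inserted only when vid is given."""
    header = dst + src
    if vid is not None:
        tci = vid & 0x0FFF  # PCP=0, DEI=0, 12-bit VLAN id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], bytes]:
    """Return (dst, src, vid, payload); vid is None when the frame is untagged."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF, frame[18:]
    return dst, src, None, frame[14:]


def trunk_egress(vlan: int, port: TrunkPort) -> Optional[bytes]:
    """A switch sending a VLAN's frame out of a trunk: dropped if the VLAN is not
    allowed, sent untagged if it is the native VLAN, tagged with the VLAN id otherwise."""
    if vlan not in port.allowed:
        return None
    vid = None if vlan == port.native else vlan
    return build_frame(DST, SRC, vid, PAYLOAD)


def trunk_ingress(frame: bytes, port: TrunkPort) -> Optional[int]:
    """A switch receiving a frame on a trunk: untagged frames land in the native
    VLAN, tagged frames in the VLAN of their tag, and disallowed VLANs are dropped."""
    _, _, vid, _ = parse_frame(frame)
    vlan = port.native if vid is None else vid
    return vlan if vlan in port.allowed else None


def legacy_host_can_read(frame: bytes) -> bool:
    """A host that does not understand 802.1Q only processes untagged frames."""
    return parse_frame(frame)[2] is None


def forward_across_trunk(vlan: int, sending: TrunkPort, receiving: TrunkPort) -> Optional[int]:
    """VLAN a frame ends up in on the far switch, or None if it is dropped on the way."""
    frame = trunk_egress(vlan, sending)
    return None if frame is None else trunk_ingress(frame, receiving)


if __name__ == "__main__":
    pc_port = TrunkPort(native=1, allowed=ALL_VLANS)
    print("VLAN 1 frame readable by a PC that cannot read tags:",
          legacy_host_can_read(trunk_egress(1, pc_port)))
    print("VLAN 5 frame readable by that PC:",
          legacy_host_can_read(trunk_egress(5, pc_port)))
    print("Native 1 on one end, native 50 on the other: VLAN 1 traffic lands in VLAN",
          forward_across_trunk(1, TrunkPort(1, ALL_VLANS), TrunkPort(50, ALL_VLANS)))
```

The last line of the demo is the point a defender cares about: a native-VLAN mismatch silently merges two VLANs, because the untagged frame is simply placed into whatever the receiving side calls native. Giving the native VLAN a number that no access port uses, and keeping it out of the allowed list, makes that merge drop the frame instead.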

1) Just to give a couple of examples where the native VLAN would be used.

Wireless access points, where you use the native VLAN for the AP's management traffic, but the port is configured as a trunk so it can support different VLANs on the wireless networks.

Some non-Cisco IP phones, again where you want a trunk to use the PC port in a different VLAN; the native would be used for the voice communications.

2) As Rick said you decide on the VLAN you are going to use for management then simply configure a VLAN IP address on all your switches. As you said VLAN 1 is the default so it is fairly common to leave the VLAN 1 interface with no IP address and shut down so the switch can’t be managed by the default VLAN.

Hope that helps!

Matty

Hi Richard,

Thanks for the response.

 

1) Suppose I have a server used by my sales(vlan 10), Marketing(vlan 20) and Finance(vlan 30) departments. Can I connect it to the port of a switch which is in trunking mode with encapsulation 802.1q, so that I can have the traffic of all vlans traverse through this trunk link to the server? If yes, then what role native vlan has here?

Are you saying that your server has a Ethernet card that can do dot1q trunking? If your server Ethernet does support trunking and is correctly configured for these three vlans then you should be able to connect the server to a switch trunk port and have the various departments access the server directly.

 

HTH

Rick

Hello

From a security perspective it's best practice to not use vlan 1 whatsoever, as it is well documented that all Cisco switches default to this vlan.

Also it is best to define a native vlan that will not be used.

 

This is due to something I think is called (double tagging or vlan hopping) - and it is when a hacker, knowing that vlan 1 is untagged and the default vlan, can apply an outer tag to an encapsulated packet and send this into your network; then when this outer tag is stripped away the native vlan 1 is seen by the switch, which is accepted into your network and sent on its merry way toward its destination.

So to negate this threat it is best to either tag ALL vlans or define an unused native vlan and a tagged management vlan, and not allow the native vlan to cross any trunks.
 

example:

vlan 1 = shutdown
vlan 10 = management
vlan 11-49 = user vlans
vlan 50 = native

conf t

vlan 2-50
exit

! default vlan: no address, kept down so the switch cannot be managed through it
int vlan 1
shut

! tagged management vlan
int vlan 10
ip address x.x.x.x y.y.y.y

! trunk: unused native vlan 50, and 50 is deliberately left out of the allowed list
interface gig x/x
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 50
switchport trunk allowed vlan 2-49


Kind Regards
Paul
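Paul's recommendations (VLAN 1 SVI with no address and shut down, a native VLAN that is not 1, and a native VLAN that is kept out of the trunk's allowed list) are easy to check mechanically across a fleet of saved configs. The checker below is an added example, not code from the thread or from Cisco; it parses plain IOS-style `interface` stanzas, and the two sample configs are constructed (the addresses are documentation ranges) to show a default-state switch beside one configured the way Paul describes.

```python
import re
from typing import Dict, List, Set

# Constructed sample configs (not from the thread): the first leaves the Cisco
# defaults in place, the second follows the hardening outlined in the post above.
WEAK_CONFIG = """\
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

HARDENED_CONFIG = """\
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 50
 switchport trunk allowed vlan 2-49
 switchport mode trunk
!
"""

MAX_VLAN = 4094


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '2-49', '10,20,30-35' or 'all' into a set.
    Only plain lists are handled; the 'add'/'remove'/'except' forms are not."""
    if spec.strip().lower() == "all":
        return set(range(1, MAX_VLAN + 1))
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'interface ...' stanza under its name."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line closes the stanza
    return stanzas


def check_trunk_hardening(config: str) -> List[str]:
    """Return one finding per deviation from the native/default VLAN practice."""
    findings: List[str] = []
    for name, lines in parse_interfaces(config).items():
        if name.lower().startswith("vlan"):
            vid = int(name[4:])
            shut = "shutdown" in lines
            has_ip = any(l.startswith("ip address") for l in lines)
            if vid == 1 and (has_ip or not shut):
                findings.append(f"{name}: default VLAN 1 SVI should carry no IP address and be shut down")
            continue
        is_trunk = any(l == "switchport mode trunk" or l.startswith("switchport trunk") for l in lines)
        if not is_trunk:
            continue
        native, allowed = 1, set(range(1, MAX_VLAN + 1))  # Cisco defaults
        for l in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", l)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan (\S+)$", l)
            if m:
                allowed = parse_vlan_list(m.group(1))
        if native == 1:
            findings.append(f"{name}: native VLAN left at the default of 1")
        if native in allowed:
            findings.append(f"{name}: native VLAN {native} is allowed on the trunk, so untagged frames can cross it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", check_trunk_hardening(cfg) or ["no findings"])
```

Run against a directory of `show running-config` captures, the three findings the weak config produces (an addressed, live VLAN 1 SVI; a trunk still using native VLAN 1; that native VLAN allowed across the trunk) are exactly the conditions the post says to remove.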

Hi Paul,

 

Thanks for the explanation with commands.

 

1) Suppose I have a server used by my Sales (vlan 10), Marketing (vlan 20) and Finance (vlan 30) departments. Can I connect it to the port of a switch which is in trunking mode with encapsulation 802.1q, so that I can have the traffic of all vlans traverse this trunk link to the server? If yes, then what role does native vlan 50 have here?

 

 

2) Default vlan - 1 , native vlan - 2

Fa0/1 - vlan 1 (vlan unassigned) , Fa0/2 - vlan 2 (assigned vlan)

 

These configurations are done on Sw-A and Sw-B. Then can a frame from Fa0/1 of Sw-A contact Fa0/2 of Sw-B? If not, why exactly, and what would be the tagging on this frame?

echip3
Level 1

1. Can anyone please draw and explain a scenario in which the native vlan comes into use, so that I can understand its purpose completely.

I have used native vlans on the trunks that connect with servers that do not understand 802.1q, so that they can have mgmt ip over that native vlan.

Jitendra Kumar
Spotlight

Default VLAN: This can refer to one of two types. Typically, the default VLAN refers to the one that all of the ports on a device belong to when it is switched on. On most switches, this default is VLAN 1 and should be changed for security reasons. Some network managers may use the term “default VLAN” to refer to a VLAN to which all ports are assigned when they’re not being used.

 

Native VLAN: The native VLAN is the one into which untagged traffic will be put when it's received on a trunk port. This makes it possible for your VLAN to support legacy devices or devices that don't tag their traffic, like some wireless access points and simple network-attached devices.

 

 

Thanks,

Jitendra