Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
821
Views
5
Helpful
5
Replies

native vlan

nir.fisher
Level 1
Level 1

‎10-08-2010 02:46 PM - edited ‎03-04-2019 10:02 AM

need some clarification

native vlan is used to pass frames untagged over trunk links

is there any reason I should allow the native vlan to pass over the trunk? . or I can permit only the vlans I actually use and

not permit the native vlan in the trunk interface?

Labels:
0 Helpful
5 Replies 5

Jason Masker
Level 1
Level 1

‎10-08-2010 02:50 PM

There is no reason you need to allow the native VLAN. In fact, best security practice is either to not allow the native VLAN or to tag the native VLAN via the global 'vlan dot1q tag native' command.

Dan-Ciprian Cicioiu
Level 7
Level 7

‎10-09-2010 02:41 AM

Hi,

There are some protocols that are using the native vlan : CDP , Pagp ,VTP .

The best is to tag native vlan and also not using it (the main issue being vlan hopping )

HTH

Dan

0 Helpful

Jason Masker
Level 1
Level 1
In response to Dan-Ciprian Cicioiu

‎10-09-2010 07:34 AM

Dan,

This is not necessarily true. CDP & VTP both use vlan 1, if the native vlan is 1 they will be untagged, if the native vlan is anything other than 1 they will all be tagged with 1 and both will work regardless of whether or not vlan 1 is allowed on the trunk. DTP & BPDUs are never tagged but do not necessarily have any association with a vlan. This is typically how traffic that is intended to be switch to switch is treated, such as PAgP and LACP.

I have seen trouble with switch technologies working in the past when I disallowed the native vlan, but that was a bug which Cisco logged and fixed with 1000v. Otherwise, either tagging or disallowing the native vlan should be fine. Some switches do not support the tag native vlan option, so there may be no other choice besides disallowing it.

Jason

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame

‎10-09-2010 10:37 AM

Just to add to Jason's posts -

the native vlan is by default vlan 1. The recommendation is to create a new vlan eg. vlan 999 is what we used, do not create a L3 SVI for it because the native vlan never needs to be routed, do not allocate any port into because no device ever needs to be in the native vlan and do not allow it on any trunk links.

Jon

0 Helpful

nir.fisher
Level 1
Level 1
In response to Jon Marshall

‎10-10-2010 09:32 AM

thank you all for the good information

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card