native vlan

I need some clarification.

The native VLAN is used to pass frames untagged over trunk links.

Is there any reason I should allow the native VLAN to pass over the trunk? Or can I permit only the VLANs I actually use and not permit the native VLAN on the trunk interface?

5 REPLIES

Re: native vlan

There is no reason you need to allow the native VLAN. In fact, best security practice is either to not allow the native VLAN or to tag the native VLAN via the global 'vlan dot1q tag native' command.

Re: native vlan

Hi,

There are some protocols that use the native VLAN: CDP, PAgP, VTP.

The best is to tag the native VLAN and also not use it (the main issue being VLAN hopping).

HTH

Dan

Re: native vlan

Dan,

This is not necessarily true. CDP and VTP both use VLAN 1: if the native VLAN is 1 they will be untagged; if the native VLAN is anything other than 1 they will all be tagged with 1, and both will work regardless of whether or not VLAN 1 is allowed on the trunk. DTP and BPDUs are never tagged but do not necessarily have any association with a VLAN. This is typically how traffic that is intended to be switch-to-switch is treated, such as PAgP and LACP.

I have seen trouble with switch technologies working in the past when I disallowed the native vlan, but that was a bug which Cisco logged and fixed with 1000v. Otherwise, either tagging or disallowing the native vlan should be fine. Some switches do not support the tag native vlan option, so there may be no other choice besides disallowing it.

Jason

Re: native vlan

Just to add to Jason's posts:

The native VLAN is by default VLAN 1. The recommendation is to create a new VLAN (e.g. VLAN 999 is what we used), do not create an L3 SVI for it because the native VLAN never needs to be routed, do not allocate any port into it because no device ever needs to be in the native VLAN, and do not allow it on any trunk links.

Jon
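The recommendations in the first reply and in Jon's post above (tag the native VLAN or keep it off trunks, move it off VLAN 1, no SVI for it, no ports in it) can be checked mechanically against a switch's running-config. The script below is an added example, not code from the thread or from Cisco: it parses an IOS-style configuration with a small hand-written parser and reports each violation. Both configuration snippets embedded in it are constructed for illustration; the interface names and VLAN numbers are assumptions, and the parser only understands the `switchport` and `interface Vlan` lines shown, not the full IOS grammar.

```python
"""Audit an IOS-style running-config for native-VLAN hygiene (added example)."""
import re
from typing import Dict, List, Set

MAX_VLAN = 4094

# Constructed sample config: one clean trunk, one trunk left at defaults,
# an access port in the native VLAN, and an SVI for the native VLAN.
WEAK_CONFIG = """\
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 1-30
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 999
!
interface Vlan999
 ip address 10.99.0.1 255.255.255.0
!
"""

# Constructed hardened config following the thread's advice.
HARDENED_CONFIG = """\
vlan dot1q tag native
!
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
"""


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1-30', '10,20,30' or 'all' into a set."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, MAX_VLAN + 1))
    if spec == "none":
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group indented lines under the 'interface X' stanza they belong to."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def audit_native_vlan(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the config is clean."""
    findings: List[str] = []
    stanzas = parse_interfaces(config)
    natives: Set[int] = set()  # native VLAN of every trunk seen

    if "vlan dot1q tag native" not in config.splitlines():
        findings.append("global: 'vlan dot1q tag native' is not configured")

    for name, lines in stanzas.items():
        if "switchport mode trunk" not in lines:
            continue
        native = 1  # IOS default when no 'switchport trunk native vlan' line
        allowed = set(range(1, MAX_VLAN + 1))  # IOS default: all VLANs allowed
        for line in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", line)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan(?: (add|remove|except))? (.+)$", line)
            if m:
                vl = parse_vlan_list(m.group(2))
                if m.group(1) == "add":
                    allowed |= vl
                elif m.group(1) == "remove":
                    allowed -= vl
                elif m.group(1) == "except":
                    allowed = set(range(1, MAX_VLAN + 1)) - vl
                else:
                    allowed = vl
        natives.add(native)
        if native == 1:
            findings.append(f"{name}: native VLAN left at default 1")
        if native in allowed:
            findings.append(f"{name}: native VLAN {native} is allowed on the trunk")

    # Second pass: the native VLAN should have no SVI and no access ports.
    for name, lines in stanzas.items():
        m = re.match(r"Vlan(\d+)$", name)
        if m and int(m.group(1)) in natives:
            findings.append(f"{name}: L3 SVI exists for native VLAN {m.group(1)}")
        for line in lines:
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m and int(m.group(1)) in natives:
                findings.append(f"{name}: access port placed in native VLAN {m.group(1)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_native_vlan(cfg) or ["no findings"]:
            print("  " + finding)
```

Run against `WEAK_CONFIG` it reports the missing global tagging command, the trunk still on native VLAN 1 with VLAN 1 allowed, the access port in VLAN 999 and the `Vlan999` SVI; `HARDENED_CONFIG` produces no findings. As Jason notes, platforms without `vlan dot1q tag native` can only satisfy the first check by keeping the native VLAN out of every trunk's allowed list, which the per-interface check covers.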

Re: native vlan

Thank you all for the good information.
