NATIVE VLAN on 802.1q
Hi, just want to ask: if a port is not assigned to the native vlan, is it going to receive the untagged frame or not? My answer is it will still receive the untagged frame because by default all ports are assigned to vlan 1. If I change the default vlan to vlan 99 then it will no longer receive the untagged frame, because I changed the default vlan. If I assign a port to native vlan 99 then it will receive the untagged frame.
AM I RIGHT?
example:
SW1
HUB
SW2
SW1 native vlan 1
port 1-5 is set to vlan 2
port 6-7 set to native vlan
SW2 native vlan 1
port 1-5 is set to vlan 2
port 6 is set to native vlan but not port 7, it stays in access mode with no inherent vlan.
I read that in encap 802.1q if the receiving end doesn't understand trunking the switch will still ignore it and forward the frame to end devices that don't understand trunking. The good example for this I see is when diagnosing the network, servers that have NIC trunk capability.
Ports that are not configured with vlan 1 as their native vlan will not receive the untagged frame.
Comments
Netstudent, Member, Posts: 1,693
Not quite sure about your question, but if a port is NOT assigned to the native vlan, then no, it will not read an untagged frame.
By default the native vlan is vlan1 and by default all ports are in vlan1. So if you have a port that is assigned to anything other than vlan1, it will ignore an untagged frame IF you have trunks and multiple vlans. The only ports that will process an untagged frame are the ports assigned to the native vlan. If you change the native vlan to 99 then vlan1 will start tagging and any ports in vlan1 will ignore a tagless frame. Hope this answers your Q.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
MACattack, Member, Posts: 121
Yes, you're correct, but by default all ports are assigned to vlan 1 and all untagged frames will be received by ports assigned to vlan 1.
By default vlan 1 is the native vlan and this causes some security issues; that's why it is recommended to put unused ports in a separate vlan and not use vlan 1 as the native vlan.
If I disable vlan 1 on the trunk, CDP will also stop as there is a mismatch on the native vlan, let's say native vlan 1 on SW1 and native vlan 2 on SW2.
I read that vlan 1 is used by STP BPDU, CDP and DTP.
Netstudent, Member, Posts: 1,693
Interesting... That's good to know.
"I read that vlan 1 is used by STP BPDU, CDP and DTP"
So basically these protocols use the native VLAN to get across the trunk. What you are saying is if there is a mismatched native VLAN, then these L2 protocols will cease to communicate? As well as any host assigned to the native vlan.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
dtlokee, Member, Posts: 2,378
I guess the key here is CDP, DTP, LACP, PaGP, VTP and other L2 protocols use the "default" VLAN, not the native VLAN. The default VLAN being VLAN 1, so even if you change the native VLAN it has no effect on the operation of these protocols. Even if you change the allowed list of a trunk port to stop VLAN 1 (a good idea btw) the L2 protocols are still going to use VLAN 1 between the switches, but it will prevent user traffic on VLAN 1 from crossing the trunk.
It is a good idea to specify an unused VLAN for the native VLAN, or you can use the vlan dot1q tag native global configuration command on the switches to tell them to tag all traffic, including the native VLAN.
The only easy day was yesterday!
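The following is an added example, not code from the thread or from any vendor: a small Python model of how an 802.1q trunk port classifies frames. It illustrates the original question (untagged frames on a trunk belong to the native VLAN, so a port in any other VLAN never sees them), the native-VLAN mismatch MACattack described (traffic that leaves SW1 untagged in VLAN 1 is placed in VLAN 2 by a peer whose native VLAN is 2), and the effect of the vlan dot1q tag native command dtlokee mentions (native-VLAN frames go out tagged and untagged frames are dropped on ingress). The frame layout follows the 802.1q header format (TPID 0x8100, then a 16-bit TCI whose low 12 bits are the VID); the switch names, VLAN numbers, MAC addresses and payload are constructed for the demo.

```python
# Added example (not from the forum thread): a model of 802.1q trunk-port
# ingress and egress with a configurable native VLAN and an optional
# "tag native" behaviour. All addresses, VLAN numbers and payloads below are
# constructed for the demonstration.
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame, optionally carrying one 802.1q tag."""
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    tci = (pcp << 13) | vid      # PCP (3 bits) | DEI (1 bit, zero here) | VID (12 bits)
    return (dst + src + struct.pack("!HH", TPID_8021Q, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def parse_tags(frame: bytes) -> List[int]:
    """Return the VIDs of all stacked 802.1q tags, outermost first ([] if untagged)."""
    vids = []
    off = 12                    # tags start right after the two MAC addresses
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids


@dataclass
class TrunkPort:
    native_vlan: int = 1
    allowed: Set[int] = field(default_factory=lambda: set(range(1, 4095)))
    tag_native: bool = False    # models the "vlan dot1q tag native" command

    def ingress_vlan(self, frame: bytes) -> Optional[int]:
        """VLAN a received frame is placed in, or None if the port drops it."""
        vids = parse_tags(frame)
        if not vids:
            # Untagged frame: it belongs to the native VLAN, unless the switch
            # expects the native VLAN to be tagged, in which case it is dropped.
            return None if self.tag_native else self.native_vlan
        vid = vids[0]
        return vid if vid in self.allowed else None

    def egress_frame(self, dst: bytes, src: bytes, payload: bytes, vlan: int) -> bytes:
        """Frame as it leaves the trunk for traffic that lives in `vlan`."""
        if vlan == self.native_vlan and not self.tag_native:
            return build_frame(dst, src, payload)           # native VLAN goes untagged
        return build_frame(dst, src, payload, vid=vlan)     # everything else is tagged


def access_port_receives(port_vlan: int, trunk: TrunkPort, frame: bytes) -> bool:
    """Would a host on an access port in `port_vlan` behind `trunk` see this frame?"""
    return trunk.ingress_vlan(frame) == port_vlan


# Constructed addresses and payload for the demo.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = b"demo"


def demo_native_mismatch() -> Optional[int]:
    """SW1 native 1, SW2 native 2: VLAN 1 traffic leaves untagged and lands in VLAN 2."""
    sw1 = TrunkPort(native_vlan=1)
    sw2 = TrunkPort(native_vlan=2)
    frame = sw1.egress_frame(DST, SRC, PAYLOAD, vlan=1)
    return sw2.ingress_vlan(frame)      # 2, not 1: the traffic changed VLAN


if __name__ == "__main__":
    trunk = TrunkPort(native_vlan=1)
    untagged = build_frame(DST, SRC, PAYLOAD)
    print("port in vlan 1 sees untagged frame:", access_port_receives(1, trunk, untagged))
    print("port in vlan 2 sees untagged frame:", access_port_receives(2, trunk, untagged))
    print("native mismatch delivers VLAN 1 traffic to VLAN", demo_native_mismatch())
    tagged_native = TrunkPort(native_vlan=99, tag_native=True)
    print("tag native: untagged frame classified as", tagged_native.ingress_vlan(untagged))
```

The mismatch function is the security point of the thread in miniature: because the native VLAN is carried implicitly (by the absence of a tag), two switches that disagree on it will merge two VLANs without any error on the data plane, which is why matching native VLANs on both ends, choosing an unused VLAN as native, or tagging the native VLAN is recommended.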
happy420golucky, Member, Posts: 78
Okay, I am wondering about something. Let's just say that you shut down VLAN 1 (the default vlan) and assign all your ports besides your 802.1q trunk to ... umm vlan 2 (native vlan). Then have another switch connected that has the same configuration applied to all its ports and a configured 802.1q trunk. How is CDP, DTP, LACP, PaGP, VTP being advertised between the two switches since VLAN 1 is shut down?
Every passing minute is a chance to turn it all around.
MACattack, Member, Posts: 121
SW1#
*Mar 1 00:06:16.571: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 2 on FastEthernet0/1 VLAN1.
*Mar 1 00:06:16.575: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/1 on VLAN2. Inconsistent peer vlan.
*Mar 1 00:06:16.715: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/1 on VLAN1. Inconsistent local vlan.
ru
SW1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/1 1-1005
Port Vlans allowed and active in management domain
Fa0/1 1-3
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 3
Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 2
Port Vlans allowed on trunk
Fa0/1 1-1005
Port Vlans allowed and active in management domain
Fa0/1 1-3
Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 3
SW2#
When you change the default native vlan on one end (mismatched vlan) you will receive the above error, and if you shut down vlan 1 then CDP will not be transmitted.
dtlokee, Member, Posts: 2,378
happy420golucky wrote:
"Okay, I am wondering about something. Let's just say that you shut down VLAN 1 (the default vlan) and assign all your ports besides your 802.1q trunk to ... umm vlan 2 (native vlan). Then have another switch connected that has the same configuration applied to all its ports and a configured 802.1q trunk. How is CDP, DTP, LACP, PaGP, VTP being advertised between the two switches since VLAN 1 is shut down?"
SW1(config)#vlan 1
SW1(config-vlan)#shutdown
%Command is only allowed on VLAN 2..1001.
SW1(config-vlan)#
You can't shut down vlan 1. It spans all switches and that is why it's a good idea to limit vlan 1 by removing it from the allowed list. Now if you misconfigure the native vlan on a 802.1q trunk it will place the interface in a blocking state which is different from shutting down the vlan or removing it from the allowed list. In that case the L2 protocols like CDP, VTP, PAgP, LACP, and DTP are blocked because the port is in a blocking (or discarding) state but vlan 1 is not shutdown on the switch. vlan 1 is subject to the same rules of spanning tree as any other vlan where there can be only 1 active path through the network and STP will block ports as necessary to remove loops.
HTH
The only easy day was yesterday!
MACattack, Member, Posts: 121
You're right, vlan 1 cannot be shut down as it is important in passing management traffic.
jeaii, Member, Posts: 1
Good topic of discussion:
Got a problem that I suspect may be the changing of the Native Vlan, and perhaps the changing of the vlan I put a management IP on from Vlan 1 to Vlan 11, puts Vlan 1 into shutdown. But when I show vlan on both switches, vlan 1 shows active.
http://www.ciscotaccc.com/kaidara-advisor/lanswitching/showcase?case=K11806453
My problem, which has eluded me all day, is that CDP isn't working. I am sending CDPv2, but not receiving on the other end.
Don't laugh - These are Cisco 3512s running
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC14, RELEASE SOFTWARE (fc1)
The question: Why isn't CDP working?????
SW1&2
show cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater
Device ID Local Intrfce Holdtme Capability Platform Port ID
show cdp traffic
CDP counters :
Total packets output: 38351, Input: 0
Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
No memory: 0, Invalid packet: 0, Fragmented: 0
CDP version 1 advertisements output: 0, Input: 0
CDP version 2 advertisements output: 38351, Input: 0
Trigger responses sent: 0, throttled: 0
show cdp int
GigabitEthernet0/1 is up, line protocol is up
Encapsulation ARPA
Sending CDP packets every 60 seconds
Holdtime is 180 seconds
SW1
show int gig 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 601 (VLAN0601)
Trunking VLANs Enabled: 1,11,631,635,1002-1005
Trunking VLANs Active: 1,11,631,635
Pruning VLANs Enabled: 2,3,601
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
Self Loopback: No
interface VLAN1
no ip address
no ip directed-broadcast
no ip route-cache
shutdown ---> Shows shutdown because another interface vlan has been created and addressed with an IP.
!
interface VLAN11
ip address 172.26.152.26 255.255.255.128
no ip directed-broadcast
no ip route-cache
SW2
show int gig0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 601 (VLAN0601)
Trunking VLANs Enabled: 1,11,631,635,1002-1005
Trunking VLANs Active: 1,11,631,635
Pruning VLANs Enabled: 2,3,601
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
Self Loopback: No
interface VLAN1
no ip address
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN11
ip address 172.26.152.27 255.255.255.128
no ip directed-broadcast
no ip route-cache
Netstudent, Member, Posts: 1,693
Were you receiving CDP traffic before you changed the management VLAN? I could be wrong, but my first inclination wants to say that this has nothing to do with the native VLAN or the management IPs.
What is the output for these debugs?
debug cdp adjacency
debug cdp events
debug cdp packets
Are you running VTP on these switches? The reason I ask is because I'm wondering if maybe this could be a L2 multicast issue. VTP and CDP use the same multicast address. Do you have any IGMP related configs on the switches?
But if you are almost a CCIE, then you have probably already thought of this and ruled it out.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
datchcha, Member, Posts: 265
In a production environment, is it wise to only have your trunk port be a member of VLAN1, and hosts/servers members of separate VLANs?
Arrakis
Netstudent, Member, Posts: 1,693
Well, everyone knows that vlan1 is the default vlan and that VLAN1 is native by default.
Including hackers that know how to hop VLANs by using double tagged frames.
I'm not a security expert, but I would think that it would not be a good idea to use VLAN1. As stated earlier, VTP, CDP, PaGP use the default vlan1 for L2 communication. I believe this means that VLAN1 is always active, but you can still disallow user data from traversing a trunk on VLAN1.
I wouldn't use vlan1 as a management vlan, and I also wouldn't let it be the native vlan. If I were calling the shots on some network I wouldn't use VLAN1 for anything except L2 protocol communication. You can never deactivate or shut down VLAN1 because it is the default VLAN.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
networker050184, Mod, Posts: 11,962
I agree with Netstudent. In our network we use a separate vlan for management. When I first started I asked why we didn't use VLAN 1 for management and that was the explanation I got. Security is BIG business these days and everything revolves around it.
An expert is a man who has made all the mistakes which can be made.