Tagging traffic in the native vlan
Been at this game for 10 years, and I'm drawing a blank on this one...
Let's say our campus uses a native vlan of 99. So everything the switchports receive that's untagged gets sent along using the native vlan.
Now enter a device that allows you to logically separate traffic into vlans (say, a wireless 5508 controller, for instance). A trunk is configured between this device and the catalyst switch it's connected to. The switch's config might look like:
int G1/0/48
description *** Cisco_WC1 10.22.129.45 ***
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 129,200,151,99
switchport trunk native vlan 99
switchport mode trunk
So untagged traffic from the appliance to the network gets placed in the native vlan. If I make a mistake and put my management interface IN vlan 99, traffic will now show up tagged, though tagged with the value of the native vlan.
What happens? Are Catalyst switches smart enough to strip the vlan 99 value and let the traffic pass untagged in the native vlan? Or is the traffic dropped? Or...
Thoughts?
I have never, at this point in my career, intentionally sent traffic to the native vlan, so this is something different.
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
Comments
vinbuck Member Posts: 785
I'm going to try this on my lab and see what it does but in the meantime...take a look at this.
Core Networking and Security: Tagging the Native VLAN
If you can force the native VLAN to be tagged on trunks then I'm wondering if it will accept inbound traffic tagged for the native vlan and preserve the tag?
Cisco was my first networking love, but my "other" router is a Mikrotik...
networker050184 Mod Posts: 11,962
I believe a switch will drop the frame if it is received tagged with the native VLAN on a trunk. I'll try to find some supporting documentation though.
An expert is a man who has made all the mistakes which can be made.
BroadcastStorm Member Posts: 496
I'm trying to follow your configuration; it looks like the native VLAN on both the switch and Access Point Controller matched. Is this the behaviour for the management interface if placed on the native VLAN? It gets sent tagged?
If that's the case that frame will get discarded, since the end VLAN 99 is untagged. On my last job I've seen native VLAN mismatch all over the place, and all kinds of weird stuff happening; one of them is the switch being unable to build its CAM table for some of the VLANs.
mikearama Member Posts: 749
No, the suggested behavior of the controller is to not send management traffic over the native vlan, but rather to put it in its own vlan... so in my config, all management traffic could be assigned to vlan 129.
In reading the config guides, the comment was made that the command to put the management interface on the native vlan was:
"config interface management vlan 0"
I thought, "how odd". I would have thought that the command would be "vlan 99" in my case, or "vlan 1" when the native vlan is left to defaults.
And yet, it makes sense... the controller, using a value of "0", will now send the packets un-tagged, which the switch will understand and apply to the native vlan.
It just made me wonder, what if I hadn't read the config guide, and I put in a value of "vlan 99" accidentally. Now the controller will send the traffic tagged, though the tag will belong to the native vlan. Hence, the question.
I have also seen vlan mismatch errors between switches before... I'm just not sure that this would generate such an error.
Just thinking out loud here, guys.
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
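To make the "vlan 0" point concrete, here is an added example (not from the thread or from any Cisco code) that builds constructed 802.1Q frames and models how a trunk with native VLAN 99 and the allowed list from the post above would classify them on ingress. The 802.1Q rule that VID 0 is a priority-only tag (the frame is classified as untagged) is standard; the outcome for a frame tagged with the native VID itself is deliberately returned as its own verdict rather than guessed, because it depends on the platform and on whether `vlan dot1q tag native` is configured.

```python
import struct

TPID_8021Q = 0x8100
NATIVE_VID = 99                  # "switchport trunk native vlan 99" from the post
ALLOWED = {129, 200, 151, 99}    # "switchport trunk allowed vlan 129,200,151,99"

def build_frame(vid=None, pcp=0, ethertype=0x0800, payload=b"\x00" * 46):
    """Constructed Ethernet frame; vid=None emits an untagged frame, vid=0 a priority-only tag."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001122334455")           # constructed MAC, not a real host
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)    # PCP(3) | DEI(1) | VID(12)
    return dst + src + struct.pack("!HH", TPID_8021Q, tci) + struct.pack("!H", ethertype) + payload

def parse_tag(frame):
    """Return (tagged, vid) for a frame; raises on truncated headers."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return False, None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci = struct.unpack("!H", frame[14:16])[0]
    return True, tci & 0x0FFF

def classify_ingress(frame, native_vid=NATIVE_VID, allowed=ALLOWED):
    """Model of trunk ingress classification; returns (verdict, vid)."""
    tagged, vid = parse_tag(frame)
    if not tagged:
        return "native", native_vid               # untagged -> native VLAN
    if vid == 0:
        # 802.1Q priority tag: carries PCP only, VLAN membership is the native VLAN.
        # This is what "config interface management vlan 0" on the controller relies on.
        return "native", native_vid
    if vid == native_vid:
        # The case the thread asks about: tagged with the native VID. Whether a given
        # Catalyst strips the tag and forwards, or drops the frame, depends on the
        # platform and on 'vlan dot1q tag native'; surface it instead of assuming.
        return "native-tagged", vid
    if vid not in allowed:
        return "drop", vid                        # pruned by the allowed list
    return "vlan", vid
```

Running the same classifier over a packet capture from the trunk is a quick way to spot whether the controller is emitting native-VID-tagged management frames before relying on the switch's behaviour.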
BroadcastStorm Member Posts: 496
[quotes mikearama's reply above in full]
Good job, thanks for posting this, it's good info...