NATIVE VLAN on 802.1q

MACattack Member Posts: 121
Hi, I just want to ask: if a port is not assigned to the native vlan, is it going to receive the untagged frame or not? My answer is that it will still receive the untagged frame because by default all ports are assigned to vlan 1. If I change the default vlan to vlan 99 then the untagged frame will not be received, because I changed the default vlan. If I assign a port to native vlan 99 then it will receive the untagged frame.
AM I RIGHT?


example:

SW1
HUB
SW2

SW1 native vlan 1
ports 1-5 are set to vlan 2
ports 6-7 are set to the native vlan
SW2 native vlan 1
ports 1-5 are set to vlan 2
port 6 is set to the native vlan but not port 7; it stays in access mode with no inherent vlan.

I read that with 802.1q encapsulation, if the receiving end doesn't understand trunking, the switch still ignores that and forwards the frame to end devices that don't understand trunking. The good example of this I see when diagnosing the network is servers that have trunk-capable NICs.

Ports that are not configured with vlan 1 as their native vlan will not receive the untagged frame.

Comments

  • Netstudent Member Posts: 1,693
    Not quite sure about your question, but if a port is NOT assigned to the native vlan, then no it will not read an untagged frame.

    By default the native vlan is vlan 1 and by default all ports are in vlan 1. So if you have a port that is assigned to anything other than vlan 1, it will ignore an untagged frame IF you have trunks and multiple vlans. The only ports that will process an untagged frame are the ports assigned to the native vlan. If you change the native vlan to 99 then vlan 1 will start tagging and any ports in vlan 1 will ignore a tagless frame. Hope this answers your Q.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • MACattack Member Posts: 121
    Yes, you're correct, but by default all ports are assigned to vlan 1 and all untagged frames will be received by ports assigned to vlan 1.

    By default vlan 1 is the native vlan, and this causes some security issues; that's why it is recommended to put unused ports in a separate vlan and not to use vlan 1 as the native vlan.
    If I disable vlan 1 on the trunk, CDP will also stop, as there is a mismatch on the native vlan; let's say SW1 has native vlan 1 and SW2 has native vlan 2.

    I read that vlan 1 is used by STP BPDUs, CDP and DTP.
  • Netstudent Member Posts: 1,693
    Interesting...Thats good to know.

    "I read that vlan 1 is used by STP BPDUs, CDP and DTP"

    So basically these protocols use the native VLAN to get across the trunk. What you are saying is if there is a mismatched native VLAN, then these L2 protocols will cease to communicate? As well as any host assigned to the native vlan.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • dtlokee Member Posts: 2,378
    I guess the key here is that CDP, DTP, LACP, PAgP, VTP and other L2 protocols use the "default" VLAN, not the native VLAN. The default VLAN being VLAN 1, even if you change the native VLAN it has no effect on the operation of these protocols. Even if you change the allowed list of a trunk port to stop VLAN 1 (a good idea btw), the L2 protocols are still going to use VLAN 1 between the switches, but it will prevent user traffic on VLAN 1 from crossing the trunk.

    It is a good idea to specify an unused VLAN for the native VLAN, or you can use the vlan dot1q tag native global configuration command on the switches to tell them to tag all traffic, including the native VLAN.
    The only easy day was yesterday!
  • happy420golucky Member Posts: 78
    Okay, I am wondering about something. Let's just say that you shut down VLAN 1 (the default vlan) and assign all your ports besides your 802.1q trunk to... umm, vlan 2 (native vlan). Then have another switch connected that has the same configuration applied to all its ports and a configured 802.1q trunk. How are CDP, DTP, LACP, PAgP, VTP being advertised between the two switches since VLAN 1 is shut down?
    Every passing minute is a chance to turn it all around.
  • MACattack Member Posts: 121
    SW1#
    *Mar 1 00:06:16.571: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 2 on FastEthernet0/1 VLAN1.
    *Mar 1 00:06:16.575: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/1 on VLAN2. Inconsistent peer vlan.
    *Mar 1 00:06:16.715: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/1 on VLAN1. Inconsistent local vlan.

    SW1#show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       on           802.1q         trunking      1

    Port        Vlans allowed on trunk
    Fa0/1       1-1005

    Port        Vlans allowed and active in management domain
    Fa0/1       1-3

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       3

    SW2#show interfaces trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/1       on           802.1q         trunking      2

    Port        Vlans allowed on trunk
    Fa0/1       1-1005

    Port        Vlans allowed and active in management domain
    Fa0/1       1-3

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/1       3
    SW2#
    When you change the default native vlan on one end (mismatched native vlan) you will receive the above error, and if you shut down vlan 1 then CDP will not be transmitted.
  • dtlokee Member Posts: 2,378
    "Okay, I am wondering about something. Let's just say that you shut down VLAN 1 (the default vlan) and assign all your ports besides your 802.1q trunk to... umm, vlan 2 (native vlan). Then have another switch connected that has the same configuration applied to all its ports and a configured 802.1q trunk. How are CDP, DTP, LACP, PAgP, VTP being advertised between the two switches since VLAN 1 is shut down?"
    SW1(config)#vlan 1
    SW1(config-vlan)#shutdown 
    %Command is only allowed on VLAN 2..1001.
    SW1(config-vlan)#
    

    You can't shut down vlan 1. It spans all switches, and that is why it's a good idea to limit vlan 1 by removing it from the allowed list. Now if you misconfigure the native vlan on an 802.1q trunk it will place the interface in a blocking state, which is different from shutting down the vlan or removing it from the allowed list. In that case the L2 protocols like CDP, VTP, PAgP, LACP, and DTP are blocked because the port is in a blocking (or discarding) state, but vlan 1 is not shut down on the switch. Vlan 1 is subject to the same rules of spanning tree as any other vlan, where there can be only one active path through the network, and STP will block ports as necessary to remove loops.

    HTH
    The only easy day was yesterday!
  • MACattack Member Posts: 121
    You're right, vlan 1 cannot be shut down, as it is important in passing management traffic.
  • jeaii Member Posts: 1
    Good topic of discussion:

    Got a problem that I suspect may be the changing of the native VLAN, and perhaps the changing of the VLAN I put a management IP on from VLAN 1 to VLAN 11, which puts VLAN 1 into shutdown. But when I show vlan on both switches, VLAN 1 shows active.
    http://www.ciscotaccc.com/kaidara-advisor/lanswitching/showcase?case=K11806453

    My problem, which has eluded me all day, is that CDP isn't working. I am sending CDPv2, but not receiving on the other end.

    Don't laugh - These are Cisco 3512s running
    IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC14, RELEASE SOFTWARE (fc1)

    The question: Why isn't CDP working?????


    SW1 & SW2
    show cdp neighbors
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater

    Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

    show cdp traffic
    CDP counters :
    Total packets output: 38351, Input: 0
    Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
    No memory: 0, Invalid packet: 0, Fragmented: 0
    CDP version 1 advertisements output: 0, Input: 0
    CDP version 2 advertisements output: 38351, Input: 0
    Trigger responses sent: 0, throttled: 0

    show cdp int
    GigabitEthernet0/1 is up, line protocol is up
    Encapsulation ARPA
    Sending CDP packets every 60 seconds
    Holdtime is 180 seconds


    SW1
    show int gig 0/1 switchport
    Name: Gi0/1
    Switchport: Enabled
    Administrative mode: trunk
    Operational Mode: trunk
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: dot1q
    Negotiation of Trunking: Disabled
    Access Mode VLAN: 0 ((Inactive))
    Trunking Native Mode VLAN: 601 (VLAN0601)
    Trunking VLANs Enabled: 1,11,631,635,1002-1005
    Trunking VLANs Active: 1,11,631,635
    Pruning VLANs Enabled: 2,3,601

    Priority for untagged frames: 0
    Override vlan tag priority: FALSE
    Voice VLAN: none
    Appliance trust: none
    Self Loopback: No

    interface VLAN1
    no ip address
    no ip directed-broadcast
    no ip route-cache
    shutdown ---> Shows shutdown because another interface vlan has been created and addressed with an IP.
    !
    interface VLAN11
    ip address 172.26.152.26 255.255.255.128
    no ip directed-broadcast
    no ip route-cache

    SW2
    show int gig0/1 switchport
    Name: Gi0/1
    Switchport: Enabled
    Administrative mode: trunk
    Operational Mode: trunk
    Administrative Trunking Encapsulation: dot1q
    Operational Trunking Encapsulation: dot1q
    Negotiation of Trunking: Disabled
    Access Mode VLAN: 0 ((Inactive))
    Trunking Native Mode VLAN: 601 (VLAN0601)
    Trunking VLANs Enabled: 1,11,631,635,1002-1005
    Trunking VLANs Active: 1,11,631,635
    Pruning VLANs Enabled: 2,3,601

    Priority for untagged frames: 0
    Override vlan tag priority: FALSE
    Voice VLAN: none
    Appliance trust: none
    Self Loopback: No
    interface VLAN1
    no ip address
    no ip directed-broadcast
    no ip route-cache
    shutdown
    !
    interface VLAN11
    ip address 172.26.152.27 255.255.255.128
    no ip directed-broadcast
    no ip route-cache
  • Netstudent Member Posts: 1,693
    Were you receiving CDP traffic before you changed the management VLAN? I could be wrong, but my first inclination wants to say that this has nothing to do with the native VLAN or the management IPs.

    What is the output for these debugs?
    debug cdp adjacency
    debug cdp events
    debug cdp packets

    Are you running VTP on these switches? The reason I ask is because I'm wondering if maybe this could be a L2 multicast issue. VTP and CDP use the same multicast address. Do you have any IGMP related configs on the switches?

    But if you are almost a CCIE, then you have probably already thought of this and ruled it out.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • datchcha Member Posts: 265
    In a production environment, is it wise to only have your trunk port as a member of VLAN 1, and hosts/servers as members of separate VLANs?
    Arrakis
  • Netstudent Member Posts: 1,693
    Well, everyone knows that VLAN 1 is the default VLAN and that VLAN 1 is native by default.

    Including hackers that know how to hop VLANs by using double-tagged frames.

    I'm not a security expert, but I would think that it would not be a good idea to use VLAN 1. As stated earlier, VTP, CDP and PAgP use the default VLAN 1 for L2 communication. I believe this means that VLAN 1 is always active, but you can still disallow user data from traversing a trunk on VLAN 1.

    I wouldn't use VLAN 1 as a management VLAN, and I also wouldn't let it be the native VLAN. If I were calling the shots on some network I wouldn't use VLAN 1 for anything except L2 protocol communication. You can never deactivate or shut down VLAN 1 because it is the default VLAN.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
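The two points argued across this thread (an untagged frame on a trunk lands in the native VLAN, and a double-tagged frame from a host in the native VLAN crosses a trunk with its inner tag exposed, which the vlan dot1q tag native command or an unused native VLAN defeats) are shown here in a small Python model of 802.1Q ingress and egress. This is an added example written for this page, not code from any poster or from Cisco IOS; the switch behaviour is simplified, and the two labelled assumptions (an access port accepting a tagged frame whose VID equals its access VLAN, and a trunk with tagged-native dropping untagged frames) are this model's, not verified platform behaviour. The frames are constructed inline.

```python
"""Simplified model of 802.1Q frame handling on access and trunk ports.

Shows which VLAN an untagged frame is assigned to on a trunk, and why a
double-tagged frame hops VLANs only when the attacker's VLAN is the trunk's
untagged native VLAN. Added example for this thread, not vendor code.
"""
import struct

TPID_8021Q = 0x8100


def parse_outer_tag(frame: bytes):
    """Return (vid, frame_with_that_tag_removed); vid is None if untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (PCP 0, DEI 0) after the destination/source MACs."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


class Port:
    def __init__(self, mode: str, vlan: int = 1, native: int = 1, allowed=None):
        self.mode = mode                     # "access" or "trunk"
        self.vlan = vlan                     # access VLAN
        self.native = native                 # native VLAN of a trunk
        self.allowed = allowed or set(range(1, 4095))


def ingress(port: Port, frame: bytes, tag_native: bool = False):
    """Classify an arriving frame. Returns (vlan, frame) or None if dropped.
    Only the outermost tag is examined; anything behind it is payload."""
    vid, rest = parse_outer_tag(frame)
    if port.mode == "access":
        if vid is None:
            return port.vlan, frame
        # Assumption of this model: a tagged frame whose VID equals the access
        # VLAN is accepted and its tag removed; any other VID is dropped.
        return (port.vlan, rest) if vid == port.vlan else None
    if vid is None:
        # Untagged on a trunk -> native VLAN. Assumption of this model: with
        # tagged-native enabled, untagged frames on the trunk are dropped.
        if tag_native or port.native not in port.allowed:
            return None
        return port.native, frame
    return (vid, rest) if vid in port.allowed else None


def egress(port: Port, vlan: int, frame: bytes, tag_native: bool = False):
    """Prepare a frame for transmission out of port; None if not forwarded."""
    if port.mode == "access":
        return frame if vlan == port.vlan else None
    if vlan not in port.allowed:
        return None
    if vlan == port.native and not tag_native:
        return frame                         # native VLAN leaves the trunk untagged
    return add_tag(frame, vlan)


def untagged_frame_vlan(native_vlan: int, tag_native: bool = False):
    """VLAN an untagged frame is assigned to when it arrives on a trunk."""
    trunk = Port("trunk", native=native_vlan)
    payload = bytes.fromhex("ffffffffffff" "0200deadbeef" "0800") + b"constructed"
    result = ingress(trunk, payload, tag_native)
    return None if result is None else result[0]


def double_tag_hop(native_vlan: int, tag_native: bool = False):
    """Attacker on a SW1 access port in VLAN 1 sends outer tag 1 / inner tag 2.
    Returns the VLAN SW2 assigns to what arrives on its trunk (None if dropped)."""
    attacker_port = Port("access", vlan=1)
    sw1_trunk = Port("trunk", native=native_vlan)
    sw2_trunk = Port("trunk", native=native_vlan)
    payload = bytes.fromhex("ffffffffffff" "0200deadbeef" "0800") + b"constructed"
    frame = add_tag(add_tag(payload, 2), 1)  # inner tag 2 (target), outer tag 1

    result = ingress(attacker_port, frame, tag_native)
    if result is None:
        return None
    vlan, frame = result                      # outer tag consumed, inner tag still inside
    on_wire = egress(sw1_trunk, vlan, frame, tag_native)
    if on_wire is None:
        return None
    result = ingress(sw2_trunk, on_wire, tag_native)
    return None if result is None else result[0]


if __name__ == "__main__":
    print("untagged frame, native 1  ->", untagged_frame_vlan(1))
    print("untagged frame, native 99 ->", untagged_frame_vlan(99))
    print("double tag, native 1       ->", double_tag_hop(1))
    print("double tag, native 99      ->", double_tag_hop(99))
    print("double tag, tag native     ->", double_tag_hop(1, tag_native=True))
```

With native VLAN 1 and no tagging of the native VLAN, SW1 sends the attacker's VLAN 1 frame untagged, so the inner tag is the first thing SW2 sees and the frame is placed in VLAN 2. Moving the native VLAN to an unused ID or tagging the native VLAN makes SW1 add its own tag in front of the inner one, and SW2 keeps the frame in VLAN 1.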
  • networker050184 Mod Posts: 11,962
    I agree with Netstudent. In our network we use a separate VLAN for management. When I first started I asked why we didn't use VLAN 1 for management, and that was the explanation I got. Security is BIG business these days and everything revolves around it.
    An expert is a man who has made all the mistakes which can be made.