Native Vlan

Mr Big

This may be a stupid question, but I just want to know what is the purpose of a native VLAN and where do you use it?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Danman32

VLAN lets a switch act as if it were several switches, and several switches combined to act as one switch (with trunking support).
VLANs are broadcast domains. VLAN stands for Virtual LAN. So ports on a switch can be assigned to specific VLANs and appear as if they were on separate LANs. Communicating from one VLAN to another requires a router (or a layer 3 switch that can act as a router as well as a switch) even if the different VLANs are on the same switch.

Say you have 3 departments: Accounting, Sales, and Marketing. All the wiring goes to one closet, and you only have one switch. You want to keep broadcast traffic generated by the different departments to remain within that department. With VLAN support, you can have the Accounting on one VLAN, the sales on another VLAN, and Marketing on yet another VLAN all on the same switch, where before you needed 3 switches, one for each department, with a router routing between the 3 LANs. You still need the router, but you save on the costs and administration of the switch.

Mr Big

Danman32 wrote:

VLAN lets a switch act as if it were several switches, and several switches combined to act as one switch (with trunking support).
VLANs are broadcast domains. VLAN stands for Virtual LAN. So ports on a switch can be assigned to specific VLANs and appear as if they were on separate LANs. Communicating from one VLAN to another requires a router (or a layer 3 switch that can act as a router as well as a switch) even if the different VLANs are on the same switch.

Say you have 3 departments: Accounting, Sales, and Marketing. All the wiring goes to one closet, and you only have one switch. You want to keep broadcast traffic generated by the different departments to remain within that department. With VLAN support, you can have the Accounting on one VLAN, the sales on another VLAN, and Marketing on yet another VLAN all on the same switch, where before you needed 3 switches, one for each department, with a router routing between the 3 LANs. You still need the router, but you save on the costs and administration of the switch.

Thanks for clearing it up for me DanMan, but what is a NATIVE vlan? I was told say when you create Accounting VLAN then Sales VLAN, and you want to trunk them together, you have to create another VLAN called the Native VLAN. Is this wrong?

BubbaJ

Mr Big wrote:

This may be a stupid question, but I just want to know what is the purpose of a native VLAN and where do you use it?

When you trunk using 802.1Q, the frames are extended with a 4 byte field that has the VLAN information. The native VLAN does not have this field.

Danman32

Ah right, now I remember. It's like the default VLAN if no vlan ID is specified on a trunk.

Mr Big

ok, well my other question is...do vlans have to be port specific? Meaning, can I move computers around in the office (say switch from a human resources office to an accounting offive) and not have to worry about reassigning ports? Can VLANS be MAC address driven to follow the computer wherever it goes?

BubbaJ

Mr Big wrote:

ok, well my other question is...do vlans have to be port specific? Meaning, can I move computers around in the office (say switch from a human resources office to an accounting offive) and not have to worry about reassigning ports? Can VLANS be MAC address driven to follow the computer wherever it goes?

Yes, if you have a VMPS server.

Mr Big

BubbaJ wrote:

Mr Big wrote:

ok, well my other question is...do vlans have to be port specific? Meaning, can I move computers around in the office (say switch from a human resources office to an accounting offive) and not have to worry about reassigning ports? Can VLANS be MAC address driven to follow the computer wherever it goes?

Yes, if you have a VMPS server.

Is that something provided by Cisco? Is it software you have to install into a PC?

BubbaJ

VMPS is a MAC to VLAN database that you load on a device that is running a TFTP server. Cisco has this example:

[b]VMPS Database Configuration File Example[/b]

This example shows a sample VMPS database configuration file. A VMPS database configuration file is an ASCII text file that is stored on a TFTP server, which is accessible to the switch that is configured as the VMPS server. A summary of the configuration example follows:

•The security mode is open.

•The default is used for the fallback VLAN.

•MAC address-to-VLAN name mappings—The MAC address of each host and the VLAN to which each host belongs is defined.

•Port groups are defined.

•VLAN groups are defined.

•VLAN port policies are defined for the ports associated with restricted VLANs.

!VMPS File Format, version 1.1

! Always begin the configuration file with

! the word "VMPS"

!

!vmps domain <domain-name>

! The VMPS domain must be defined.

!vmps mode {open | secure}

! The default mode is open.

!vmps fallback <vlan-name>

!vmps no-domain-req { allow | deny }

!

! The default value is allow.

vmps domain WBU

vmps mode open

vmps fallback default

vmps no-domain-req deny

!

!

!MAC Addresses

!

vmps-mac-addrs

!

! address <addr> vlan-name <vlan_name>

!

address 0012.2233.4455 vlan-name hardware

address 0000.6509.a080 vlan-name hardware

address aabb.ccdd.eeff vlan-name Green

address 1223.5678.9abc vlan-name ExecStaff

address fedc.ba98.7654 vlan-name --NONE--

address fedc.ba23.1245 vlan-name Purple

!

!Port Groups

!

!vmps-port-group <group-name>

! device <device-id> { port <port-name> | all-ports }

!

vmps-port-group WiringCloset1

 device 198.92.30.32 port 3/2

 device 172.20.26.141 port 2/8

vmps-port-group "Executive Row"

 device 198.4.254.222 port 1/2

 device 198.4.254.222 port 1/3

 device 198.4.254.223 all-ports

!

!

!VLAN groups

!

!vmps-vlan-group <group-name>

! vlan-name <vlan-name>

!

vmps-vlan-group Engineering

vlan-name hardware

vlan-name software

!

!

!VLAN port Policies

!

!vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }

! { port-group <group-name> | device <device-id> port <port-name> }

!

vmps-port-policies vlan-group Engineering

 port-group WiringCloset1

vmps-port-policies vlan-name Green

 device 198.92.30.32 port 4/8

vmps-port-policies vlan-name Purple

 device 198.4.254.22 port 1/2

 port-group "Executive Row"

Mr Big

Do all switches support this? I have a 2950

BubbaJ

Mr Big wrote:

Do all switches support this? I have a 2950

Apparently: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea2/2950scg/2950scg.pdf

marlon23

If you assign port on a switch with 802.1q trunks to native vlan, incomming frames wouldnt be tagged on the trunks. And untagged frames comming to trunk would be classified as native vlan frames and kept untagged. Purpose?

Practical one:
Switch port <

> VOIP Phone + PC (connected by hub for example, or build in switch in VOIP)

How you can do that PC and VOIP will be on separate vlans? VOIP knows 802.1q and it can tag his frames but PC cannot.
Switch will respect tagging(which VLAN, for example VLAN2) from VOIP and becouse frames from PC are untagged they will be putted to Native VLAN (for example VLAN1). And you have it! Each device is in different vlan.

The switch port will be 802.1q trunk.

Danman32

IF I recall correctly, I think many switches can be VMPS clients, but only some switches can be servers.

This is similar to RADIUS clients (which are RAS servers) versus RADIUS servers that provide the account information/clearance to the RAS.

BubbaJ

Danman32 wrote:

IF I recall correctly, I think many switches can be VMPS clients, but only some switches can be servers.

Probably. We don't use VMPS, and none of the other companies that I know of use it. We don't use it due to security concerns: all unused switch ports are to be disabled, and it only takes a few seconds to assign the VLAN when enabling the switch port.

It just seems like a lot of work to keep up with all the MAC addresses on machines that come and go and may change departments.