what is native vlan

Hi !


I want to know what a native VLAN is, and when do I use it?

Comments

  • dcancerian ✭✭✭

    Native VLAN is relevant only when there is 802.1Q trunking between switches, or between a switch and a router (in the case of router-on-a-stick). Native VLAN has no significance when ISL trunking is used.

    In 802.1Q trunking each frame is tagged with a 4-byte field in the Ethernet header, before the IP header (assuming IP traffic). The 4-byte tag field contains the VLAN number (12 bits), a 3-bit field for Layer 2 QoS, a TPID (16 bits) field used to identify the tagged frame (this is set to 0x8100 for 802.1Q), etc.

    The native VLAN does not have the 4-byte tag in the frame. When one switch sends native VLAN traffic to the other switch over the 802.1Q trunk, the receiving switch must also have the same native VLAN configured in order to accept the native VLAN traffic from the other switch. If the receiving switch has a different native VLAN than what it is receiving, this switch may leak the received native VLAN traffic into its own native VLAN traffic. Switches have protection mechanisms to prevent this from happening, by throwing error messages saying "native vlan mismatch"; these errors come out because negotiation of the native VLAN between the switches is part of DTP and CDP. If these two protocols are disabled, this error message will not appear, but traffic can still leak.

    By default VLAN 1 is the native VLAN on Cisco switches, and any VLAN can be configured as native. It is normally used for management traffic.


    Hope this may help

    Deepak Sharma

  •  

    It is a good explanation by Deepak Sharma. So in summary, Native VLAN frames are sent on an 802.1Q trunk as untagged, and when untagged frames are received on the trunk port they are assumed to belong to the Native VLAN. Native VLAN can be used in the following cases:


    1. A legacy design where a hub is located on a trunk between two switches. Now end hosts connected to the hub need to be assigned to some access VLAN, but since they are connected to the switches' trunk ports through the hub, Native VLAN should be used. Frames sent by the hosts will typically be untagged, but when they are received by the switches, they will be assumed to belong to the Native VLAN, so they will not be dropped and will be assigned to this VLAN. In the other direction, when frames are sent to hosts on this VLAN, they will be sent on the trunk as untagged and the hosts will not have an issue dealing with them.
    2. When there is an IPS/IDS that cannot understand tagged frames, Native VLAN should be used.
    3. On the other hand, if a device on the path does not understand untagged frames, Native VLAN should be disabled. To do so, use the vlan dot1q tag native global command, which will affect all trunk ports and cause Native VLAN frames to be tagged. This can be, for example, one of the solutions for a router-on-a-stick design case where the switch has some configured Native VLAN on its trunk port connected to the router. Now the router has to know how to deal with untagged packets, either by configuring the Native VLAN on one of its sub-interfaces (or the main interface, by assigning an IP address to it), or by using the mentioned command on the switch. Another case for using this command is when dot1q tunnelling is used and the Native VLAN is the same as the Metro VLAN. In this case, this command has to be configured on the provider switches to prevent traffic leaking.


  • On the other hand, if a device on the path does not understand untagged frames, Native VLAN should be disabled. To do so, use the VLAN dot1q tag native global command which will affect all trunk ports and cause Native VLAN frames to be tagged.

    Another point to note is that this command causes all native VLAN traffic to be dot1q tagged at egress with the appropriate VLAN ID in the dot1q tag. However, the switch can receive the native VLAN either dot1q tagged or untagged.

    This command is all or nothing on the Catalyst 3560; however, on some other platforms (Cat 6500) you can enable it globally and then disable it on a per-port basis with no switchport trunk dot1q native vlan tag.
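    The thread so far describes three things worth seeing in code: the 4-byte 802.1Q tag layout (TPID 0x8100, 3-bit priority, 12-bit VID) from Deepak's first reply, the untagged-native-VLAN leak when the two ends of a trunk disagree, and the effect of the vlan dot1q tag native command discussed in the last two replies. The following Python model is an added example, not code from the original thread or from Cisco; the frame builder, the TrunkPort class, the MAC addresses and the trunk_forward/native_mismatch helpers are all constructed here to illustrate the behaviour, and it only models the classification rule (untagged frame → native VLAN, tagged frame → VID in the tag), not a real switch's forwarding tables.

```python
import struct

# 802.1Q constants as stated in the thread: a 4-byte tag whose TPID is 0x8100,
# followed by a 16-bit TCI holding 3 bits of priority (PCP) and a 12-bit VID.
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses (locally administered, not real devices).
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")


def build_frame(dst, src, payload, vlan=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet II frame; insert an 802.1Q tag after the source MAC when vlan is given."""
    if vlan is not None and not 0 <= vlan <= 4095:
        raise ValueError("VID must fit in 12 bits")
    frame = dst + src
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0xFFF)  # DEI bit left at 0
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode dst, src, optional 802.1Q tag, EtherType and payload from a raw frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:  # tagged frame: 4 more bytes before the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan = tci >> 13, tci & 0xFFF
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


class TrunkPort:
    """One end of an 802.1Q trunk (hypothetical model). tag_native stands for
    'vlan dot1q tag native' being configured on that switch."""

    def __init__(self, name, native_vlan, tag_native=False):
        self.name = name
        self.native_vlan = native_vlan
        self.tag_native = tag_native

    def egress(self, vlan, dst, src, payload):
        """Native VLAN leaves untagged unless tag_native is set; every other VLAN is tagged."""
        if vlan == self.native_vlan and not self.tag_native:
            return build_frame(dst, src, payload)
        return build_frame(dst, src, payload, vlan=vlan)

    def ingress(self, frame):
        """Untagged frames are assumed to belong to this port's native VLAN; tagged ones use the VID.
        The receiving side accepts its native VLAN both tagged and untagged."""
        parsed = parse_frame(frame)
        return self.native_vlan if parsed["vlan"] is None else parsed["vlan"]


def trunk_forward(sender, receiver, vlan, payload=b"data"):
    """Send one frame from `vlan` across the trunk and return the VLAN the receiver places it in."""
    return receiver.ingress(sender.egress(vlan, HOST_B, HOST_A, payload))


def native_mismatch(port_a, port_b):
    """The condition DTP/CDP warn about: the native VLANs on both trunk ends differ."""
    return port_a.native_vlan != port_b.native_vlan


if __name__ == "__main__":
    matched_a, matched_b = TrunkPort("SwA", 1), TrunkPort("SwB", 1)
    print("matched native VLAN 1 lands in:", trunk_forward(matched_a, matched_b, 1))  # 1

    sw_a, sw_b = TrunkPort("SwA", 10), TrunkPort("SwB", 20)
    print("mismatch flagged:", native_mismatch(sw_a, sw_b))                 # True
    print("VLAN 10 from SwA lands in:", trunk_forward(sw_a, sw_b, 10))      # 20 (leak)
    print("VLAN 30 from SwA lands in:", trunk_forward(sw_a, sw_b, 30))      # 30

    sw_a_tagged = TrunkPort("SwA", 10, tag_native=True)
    print("VLAN 10 with tag native lands in:", trunk_forward(sw_a_tagged, sw_b, 10))  # 10
    # SwB accepts its native VLAN 20 tagged or untagged
    print(sw_b.ingress(build_frame(HOST_A, HOST_B, b"x", vlan=20)),
          sw_b.ingress(build_frame(HOST_A, HOST_B, b"x")))                   # 20 20
```

    Running the script shows the leak the thread warns about: with native VLAN 10 on one side and 20 on the other, a VLAN 10 frame crosses the trunk untagged and is classified into VLAN 20 on arrival, while a tagged VLAN 30 frame arrives correctly. Setting tag_native on the sender (the model of vlan dot1q tag native) makes the VLAN 10 frame carry its tag, so the receiver classifies it correctly even though the native VLANs still differ.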


  • dcancerian ✭✭✭

    Another point to note is that this command causes all native VLAN traffic to be dot1q tagged at egress with the appropriate VLAN ID in the dot1q tag. However, the switch can receive the native VLAN either dot1q tagged or untagged.

    An important point to note, though a carefully designed, working network won't face this situation.
