
trunk and the vlans within 4

Great simple, comprehensive PDF. Enjoy your star.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Enjoy Two.
 
This is a very good brief on VLANs, so thanks lil.
It brings to mind a question about Cisco switched networks out there...

I'd like to learn whether most of y'all are truly changing your management VLAN from VLAN 1, and what you're currently using VLAN 1 for besides control traffic?

Looking for real world practice, not what we know is ideal.

Thanks,
HH

 
Yes, most companies that actually use VLANs do not use VLAN 1, mostly for security reasons and best practice; VLAN hopping is just about mitigated when you change the native VLAN. Also, control traffic is never put on VLAN 1 when designing a network infrastructure, for so many reasons. I usually point VLAN 1 into nowhere.

Of course you have your exceptions to the rule: admins who don't know a crossover cable from a straight-through, and they end up in charge of the network.
 
Definitely change from VLAN 1; too many hackers guess VLAN 1, since it is the default.

Also, for the outside switch (if you trunk to your firewall from a switch on the outside of the network with a WAN IP), you should do switchport security on all interfaces, and any LAN switch interface for public/vendor use.

 
We have 2000 ports and also don't use VLAN 1.
 
Thank you for all your insight.
Much appreciated.

-HH
 
Lillium et al,
According to the document that you posted, my understanding is that switch trunk links (802.1Q) naturally will receive native VLAN traffic as untagged; however, normal IOS router subinterfaces need to have the encapsulation specified as not only "dot1q" but also "native VLAN"?

As per the document, page 4 summary
"The subinterface on the router that is used to send and receive native VLAN traffic must be configured with the native option on the encapsulation interface command. This will let the router know that any frames coming in untagged belong to that subinterface and are a member of VLAN 1, the native VLAN. This is assuming that the native VLAN is the VLAN 1, the default native VLAN."

This appears to be somewhat of a conflict/discrepancy with the native VLAN information in Cisco's documentation on this topic, which indicates that when the native VLAN is VLAN 1 there is no need to specify it on the router subinterface:
"Step 2

Router(config-subif)# encap dot1q vlan-id native
Uses 802.1Q to encapsulate Ethernet frames sent from the subinterface with a header that maintains the specified native vlan-id between network nodes.

--------------------------------------------------------------------------------
Note By default, VLAN 1 is the native VLAN, so it is not necessary to specify native when specifying the encapsulation for VLAN 1. To specify a different VLAN as the native VLAN, you must specify native when specifying the encapsulation."
This is from the following doc:


Help me out on this...I'm a tad confused now.

Thanks, HH

Real trouble call:
Customer: "I have a huge problem. A friend has put a screensaver on my computer, but every time I move the mouse, it disappears!"
 
HungryHouse,

You can create any number of 'native' VLANs, i.e. I have a separate native VLAN configured for each trunk. Out of the box the native VLAN is 1, which, per best practice, shouldn't be used anywhere.

Snippet from my core switch:

Code:
...
vlan 900
 name Native-900
.....
vlan 905 
 name Native-905
......
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 900
 switchport trunk allowed vlan 2,9-11,22,55,99,224,300
 switchport mode trunk
 switchport nonegotiate
.....
interface GigabitEthernet1/0/2
 description TRUNK TO SW-05
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 905
 switchport trunk allowed vlan 2,9,10,22,55,99
 switchport mode trunk
 switchport nonegotiate

Matching native VLANs on the other side as well.
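The checks that post is applying by hand (a dedicated native VLAN that is not VLAN 1, an explicit allowed list, and DTP turned off with switchport nonegotiate) can be run over a saved running-config. The script below is an added example, not code from the poster or from Cisco; the config it parses is a constructed sample modelled on the snippet above, and the regexes assume standard IOS "interface ... / switchport trunk ..." syntax (the "allowed vlan add/except/all" forms are not handled).

```python
import re  # constructed sample below is modelled on the posted trunk snippet; not a real device
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 900
 switchport trunk allowed vlan 2,9-11,22,55,99,224,300
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2,9,10
 switchport mode trunk
"""

# An 'interface NAME' line followed by its indented stanza lines ('!' or a top-level command ends it).
STANZA = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.M)

def expand_vlans(spec):  # IOS allowed-list syntax: '2,9-11,22' -> {2, 9, 10, 11, 22}
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    return {n: [l.strip() for l in body.splitlines()] for n, body in STANZA.findall(config)}

def audit_trunks(config):
    """Return {interface: [findings]} for trunk ports that leave a VLAN-hopping foothold."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        native, allowed = 1, None  # IOS defaults: native VLAN 1, every VLAN allowed
        for line in lines:
            if m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
                native = int(m.group(1))
            elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line):
                allowed = expand_vlans(m.group(1))
        issues = [msg for cond, msg in (
            (native == 1, "native VLAN is the default VLAN 1"),
            (allowed is None, "no allowed-vlan list; every VLAN rides this trunk"),
            (allowed is not None and native in allowed, f"native VLAN {native} is also a data VLAN here; keep it dedicated"),
            ("switchport nonegotiate" not in lines, "DTP not disabled; neighbour can negotiate trunking"),
        ) if cond]
        if issues:
            findings[name] = issues
    return findings
```

Running audit_trunks(SAMPLE_CONFIG) reports nothing for Port-channel1 and three findings for the constructed GigabitEthernet1/0/3 stanza left at defaults.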
 
To: HungryHouse,

I'm a Cisco person; whatever they say is OK with me, but let's not forget that they like to update their equipment as often as possible. And yes, you are right, it is confusing. I double-checked your questions and documents, and what I can get out of them is this:

And yes, you are right: if the VLAN in use is VLAN 1, then the encapsulation shouldn't have to be specified.
I apologize for that information; I found it for kitus, who needed to know about the traffic within the trunk, so my mistake for not reading the whole thing. But thanks, and have a great day. :)

According to Cisco:
Note By default, VLAN 1 is the native VLAN, so it is not necessary to specify native when specifying the encapsulation for VLAN 1. To specify a different VLAN as the native VLAN, you must specify native when specifying the encapsulation.(Cisco document)


I found this document on the Cisco site:


vlan dot1q tag native
To enable dot1q tagging for all VLANs in a trunk, use the vlan dot1q tag native command. Use the no form of this command to clear the configuration.
vlan dot1q tag native
no vlan dot1q tag native
Syntax Description: This command has no arguments or keywords.
Defaults: Disabled
Command Modes: Global configuration
Command History:
  Release      Modification
  12.1(11b)EX  Support for this command was introduced on the Catalyst 6500 series switches.
  12.1(13)E    Support for this command on the Catalyst 6500 series switches was extended to the 12.1 E release.

Usage Guidelines
The vlan dot1q tag native command configures the switch to tag native VLAN traffic and admit only 802.1Q tagged frames on 802.1Q trunks, dropping any untagged traffic, including untagged traffic in the native VLAN.
Follow these configuration guidelines when configuring Layer 2 protocol tunneling:
• On all the service provider edge switches, you must enable spanning tree BPDU filtering on the 802.1Q tunnel ports by entering the spanning-tree bpdufilter enable command.
• Ensure that at least one VLAN is available for native VLAN tagging. If you use all the available VLANs and then enter the vlan dot1q tag native command, native VLAN tagging will not be enabled.
• On all the service provider core switches, enter the vlan dot1q tag native command to tag native VLAN egress traffic and drop untagged native VLAN ingress traffic.
• On all the customer switches, either enable or disable native VLAN tagging on each switch.

________________________________________
Note If this feature is enabled on one switch and disabled on another switch, all traffic is dropped; you must identically configure this feature on each switch.
________________________________________
Examples
This example shows how to enable dot1q tagging for all VLANs in a trunk:
Router(config)# vlan dot1q tag native


This is from the posted document:

The native VLAN can be modified to a VLAN other than VLAN 1 with the following interface command:
Switch(config-if)#switchport trunk native vlan vlan-id

So then that is why you have to use the encapsulation.
 