Native VLAN explanation

Mike 2 posts since Oct 29, 2009 Native VLAN explanation Oct 29, 2009 2:29 PM

Can someone explain to me what a native vlan is? How it compares to other types, i.e. management, default, etc. I am having a hard time with the terms.

Paul Stewart - CCIE Security, CCSI 4,375 posts since Jul 18, 2008 Reply 1. on page 1 Re: Native VLAN explanation Oct 29, 2009 2:39 PM

A native vlan is the untagged vlan on an 802.1q trunked switchport. The native vlan and management vlan could be the same, but it is better security practice that they aren't. Basically if a switch receives untagged frames on a trunkport, they are assumed to be part of the vlan that are designated on the switchport as the native vlan. Frames egressing a switchport on the native vlan are not tagged. This is the definition however more recent switch software often will allow you to tag all of the frames, even those in the native vlan. This gives some added security and allows the CoS bits to be carried between switches even on the native vlan. Let me know if you need further clarification.

Mike 2 posts since Oct 29, 2009 Reply 2. on page 1 Re: Native VLAN explanation Oct 29, 2009 4:24 PM in response to Paul Stewart - CCIE Security, CCSI

So by untagged it means that the frame has not had the extra information(tag) added to it that allows it to be "trunked" to the other switches? Couldn't there be more than one native lan? i.e if a switch, SW1, had vlan 10, vlan 20 and vlan 30 on it. Wouldnt all those vlans be native to SW1, but not necessarily native to the domain?

Paul Stewart - CCIE Security, CCSI 4,375 posts since Jul 18, 2008 Reply 3. on page 1 Re: Native VLAN explanation Oct 29, 2009 4:38 PM in response to Mike

In your example, all those vlans would all be native to the switch, but not native from the trunk port perspective. Native has to do with the trunk itself, not the switch. If we carry your definition to the trunk, you will see that if we don't tag vlan 10, 20 and 30, the connecting switches will be very confused. That is the reason we can only configure one native vlan per port. However, a switch with multiple ports, could have different vlans specified as the native vlan for that port. In other words, trunkport 2 could have a native vlan of 20, and

© 1992-2012 Cisco Systems Inc. All Rights Reserved.

Generated on 2012-01-08-07:00 1

I not certain that chopping and changing the Native from one of the network to the other is wise. I was concerned that the native vlan was to be nominated per switch or even for your whole campus when designing the LAN. |Server|----->|AP VLAN 20 TP with native 20| <------>|TP native 20 TP native 40|<--->|TP native 40 AP VLAN20| ---->|PC| So I am trying to get a packet on Vlan 20 Access Port to a PC on a Vlan 20 Access Port across two trunks with different native Vlans. All Rights Reserved. on page 2 Re: Native VLAN explanation Jun 11. My point is that you can mix up the native vlans but wanted to know what other people have experienced. kimbo 3 posts since Mar 31. to get from the server in question on vlan 20 I need to get a packet across three switch stacks (2 trunks). 2010 Reply 4.Native VLAN explanation trunkport 3 could have a native vlan of 30 (if you choose to be really complicated in your design)... Generated on 2012-01-08-07:00 2 .. It seems that because the trunks are configured in the correct pairs that traffic still pass to the correct vlans throughout the path. © 1992-2012 Cisco Systems Inc. This seems like an odd way of doing things to me. While I understand that native command on the trunk nominates the traffic that passes untagged. The switches on either end of the trunk just need to agree so strange things don't happen. 2010 7:47 AM I am looking at a network with different native vlans across multiple switches.

I know outband access server is best for management but this simulator labs Angela 733 posts since Jan 29.. CCSI 4. You can even go a step further and have mismatched native vlans on each end of a trunk. 2010 8:08 PM in response to Paul Stewart . It is never a good idea to design a network this way.CCIE Security.Native VLAN explanation I came across it troubleshooting ARP problems with a server. what I like to do is make a vlan for unused ports.CCIE Security. All Rights Reserved. Paul Stewart . on page 3 Re: Native VLAN explanation Jun 11. Maybe if there was some really weird requirement on a CCIE R&S lab or something. 2008 Reply 5. CCSI Hi. Prudee 31 posts since Jun 3. make a vlan for inband management (telnet. I can ping all other servers on VLAN 20 but not once in particular and clearing the arp cache restores connectivity for about 3mins. Generated on 2012-01-08-07:00 3 . In practice.. the native vlan on one side becomes part of the same broadcast domain as the native vlan of the other end. ssh) with SVI on each device (subnet managment network for different routers so can keep 1 network and dynamic routing protocols can advertise all (use ACL and access class) .the MAC in the cam drops out of the switch where the PC is. 2010 Reply 7. and make new native vlan with no SVI. 2010 10:59 AM in response to kimbo Your example should work. However. I know vlan 1 is still used no mattter what for certian protocols.375 posts since Jul 18. Also I shut int vlan 1.. but new native will be the one native on trunks. In my labs. 2010 Reply 6. 2010 9:32 PM in response to Prudee Would you guys mind if I pose a question here? © 1992-2012 Cisco Systems Inc. on page 3 Re: Native VLAN explanation Jun 13. In that case. it is way too confusing. on page 3 Re: Native VLAN explanation Jun 13. I agree.

All Rights Reserved. While SB does not expect its traffic destined for its native vlan to be tagged. © 1992-2012 Cisco Systems Inc. however. a native vlan mismatch would occur if the native vlan IDs doesnt match between ends of a trunk. how do you tell if it's for the native VLAN or some other VLAN? Advanced thanks Mohamed Sobair 271 posts since Oct 21. CCSI 4. when you tag traffic for native VLAN. I think frames on the native vlan would flow properly from SA to SB. but not from SB to SA. but traffic will only flow in one direction. 2010 2:12 AM in response to Mohamed Sobair Angela. 2008 Reply 8. HTH Mohamed Paul Stewart .375 posts since Jul 18. Since SA is configured to expect traffic received for its native vlan to be tagged. How do you tag a native vlan? a native vlan is untagged vlan. 2010 12:09 AM Hi Angela. on page 4 Re: Native VLAN explanation Jun 14. Generated on 2012-01-08-07:00 4 . This is not technically a native vlan mismatch.CCIE Security. SA tags its native VLAN while SB doesn't. Would a native VLAN mismatch occur? I mean. it will not reject it. but use the same native VLAN". In your scenario. 2008 Reply 9.Native VLAN explanation Scenario: "Switch A is connected to Switch B using a trunk. on page 4 Re: Native VLAN explanation Jun 14. it will discard the untagged traffic on a trunk.

2008 Reply 10. There are some exploits that can take advantage of this by stacking two sets of tags. Mohamed © 1992-2012 Cisco Systems Inc. 2010 3:19 AM Paul. ((If a user wants to build an outer tag for anative vlan))!!! Why would it be for a native vlan anyway? If the user builds an outer vlan tag traversing a trunk. the first tag will be removed when the frame traverses a the first trunk. on page 5 Re: Native VLAN explanation Jun 14. This global command is "vlan tag dot1q native". The frame already contains an inner vlan that matches the destination victim. the definition of a native vlan in 802.Native VLAN explanation Mohammed.. If a user builds a frame that has an outer dot1q tag for a known native vlan and an inner tag of a vlan he wishes to attack. Mohamed Sobair 271 posts since Oct 21. Yes. As a result. there is a new command introduced to tag all frames on a trunk. the lookup (in terms of Switching) is always going to be for the outer vlan if the intermidiate switch allows this vlan to be tunneled However. why would I need a native vlan for this to happen any way? I hope i have pointed out my point here. Why then a user needs a native vlan for that? If my out vlan tag is tunneled and the inner vlan is my destination . The next trunk that is encountered will put the frame on the vlan that is the attack destination. Generated on 2012-01-08-07:00 5 . All Rights Reserved..1q is an untagged vlan.

Native VLAN explanation Paul Stewart .cisco. that exposes the inner tag and allows the attacker onto the victim vlan. 2008 Reply 11. or even one hop upstream. All Rights Reserved. Double tagging with the native vlan as an outer tag can throw the switch a tag to discard.375 posts since Jul 18. CCSI 4. it might be restricted on the trunk he or she has attempted. Take a look at the double tagging example at the following url-- http://www.CCIE Security.shtml#wp39211 © 1992-2012 Cisco Systems products_white_paper09186a008013159f. In certain cases. 2010 5:08 AM in response to Mohamed Sobair If a user builds a frame with another VLAN. Generated on 2012-01-08-07:00 6 . on page 5 Re: Native VLAN explanation Jun 14.

Sign up to vote on this title
UsefulNot useful