When are Native VLANs used? Are there times when a Native VLAN will never be used?























This is probably a simple one, but I am very new to VLANs.



I'd like to avoid using VLAN 1 as well as gain a better understanding of when native VLANs come into play when setting up a switch.



On an 8 port switch, if ports 1-4 are set as access ports (untagged) on VLAN 10, and ports 5-7 are set as access ports (untagged) on VLAN 20, if port 8 is set to trunk mode (tagged, to connect to another switch) with native VLAN still on VLAN 1, that native VLAN 1 would never actually be used, right, since all traffic is set to VLAN 10 and 20? If this is correct, what would the setup look like for traffic to use the native VLAN?


































  • Is this a Cisco switch?
    – Ron Maupin
    yesterday










  • I've been using Packet Tracer (Cisco), but also have access to an HP Procurve as well as Netgear managed switch...hence my terminology possibly being messy.
    – vim_usr
    yesterday










  • You can set up Cisco to not trunk VLAN and have all VLANs on a trunk as tagged, so there is no native VLAN. Other vendors sometimes need VLAN 1 as a native VLAN. It depends on the version of STP used.
    – Ron Maupin
    yesterday










  • I assumed trunk = tagged. So when an untagged frame associated with a VLAN like VLAN 10, that frame would be tagged as 10 on the trunk. Is that not always the case?
    – vim_usr
    yesterday










  • That depends on how it is configured. You could have VLAN 10 as the native VLAN, so it would not be tagged. You can simply leave VLAN 1 as the native (untagged) VLAN, and remove it from the list of VLANs allowed on the trunk (a Cisco best practice). That may not work on other vendors.
    – Ron Maupin
    yesterday















edited yesterday









jonathanjo











asked yesterday









vim_usr













1 Answer




















accepted










If you have an 8-port switch with ports 1-4 on VLAN 10, and 5-7 on VLAN 20, port 8 as trunk and default VLAN 1 ...



It's correct, VLAN 1 shouldn't be used.



Watch for




  • Untagged frames arriving on the trunk port 8

  • Tagged-as-VLAN-1 frames arriving on the access ports or the trunk port


What happens with these depends on your manufacturer, model, and potentially other configuration. The normal goal would be to




  • Drop any untagged frames arriving on a trunk

  • Drop any unknown-VLAN tagged frames arriving anywhere


How you configure this depends on the particular switch.



Of course, if everything is configured correctly, you'll never get these untagged or tagged with unknown VLAN frames. But what's at the other end of all your wires? If there is any chance of malicious frames, or the ever-present certainty of configuration errors, this is just for protection. As a security matter, one of the first things the malicious systems do is mess with VLANs and MAC addresses.





























  • This leads me to another related question, wouldn't any untagged frame arriving on trunk port 8 have to be associated with VLAN 10 or 20 since that's how the ports have been set up?
    – vim_usr
    yesterday










  • Assuming you only have 10 and 20 defined: yes, only tagged-10 and tagged-20 arriving on trunk port will be useful. But you might get malicious or erroneous packets with funny tags or no tag. All depends on what's on the other end of the trunk.
    – jonathanjo
    yesterday










  • Thank you for the clarification. That makes sense.
    – vim_usr
    yesterday











edited yesterday

























answered yesterday









jonathanjo












