When are Native VLANs used? Are there times when a Native VLAN will never be used?
This is probably a simple one, but I am very new to VLANs.
I'd like to avoid using VLAN 1 as well as gain a better understanding of when native VLANs come into play when setting up a switch.
On an 8 port switch, if ports 1-4 are set as access ports (untagged) on VLAN 10, and ports 5-7 are set as access ports (untagged) on VLAN 20, if port 8 is set to trunk mode (tagged, to connect to another switch) with native VLAN still on VLAN 1, that native VLAN 1 would never actually be used, right, since all traffic is set to VLAN 10 and 20? If this is correct, what would the setup look like for traffic to use the native VLAN?
switch vlan switchport
edited Dec 7 at 17:58
jonathanjo
10.6k1833
asked Dec 7 at 16:23
vim_usr
1405
add a comment |
This is probably a simple one, but I am very new to VLANs.
I'd like to avoid using VLAN 1 as well as gain a better understanding of when native VLANs come into play when setting up a switch.
On an 8 port switch, if ports 1-4 are set as access ports (untagged) on VLAN 10, and ports 5-7 are set as access ports (untagged) on VLAN 20, if port 8 is set to trunk mode (tagged, to connect to another switch) with native VLAN still on VLAN 1, that native VLAN 1 would never actually be used, right, since all traffic is set to VLAN 10 and 20? If this is correct, what would the setup look like for traffic to use the native VLAN?
switch vlan switchport
edited Dec 7 at 17:58
jonathanjo
10.6k1833
asked Dec 7 at 16:23
vim_usr
1405
Is this a Cisco switch?
– Ron Maupin♦
Dec 7 at 16:26
I've been using Packet Tracer (Cisco), but also have access to an HP Procurve as well as Netgear managed switch...hence my terminology possibly being messy.
– vim_usr
Dec 7 at 16:28
You can set up Cisco to not trunk VLAN and have all VLANs on a trunk as tagged, so there is no native VLAN. Other vendors sometime need VLAN 1 as a native VLAN. It depends on the version of STP used.
– Ron Maupin♦
Dec 7 at 16:31
I assumed trunk = tagged. So when an untagged frame associated with a VLAN like VLAN 10, that frame would be tagged as 10 on the trunk. Is that not always the case?
– vim_usr
Dec 7 at 16:36
That depends on how it is configured. You could have VLAN 10 as the native VLAN, so it would not be tagged. You can simply leave VLAN 1 as the native (untagged) VLAN, and remove it from from the list of VLANs allowed on the trunk (a Cisco best practice). That may not work on other vendors.
– Ron Maupin♦
Dec 7 at 16:40
add a comment |
This is probably a simple one, but I am very new to VLANs.
I'd like to avoid using VLAN 1 as well as gain a better understanding of when native VLANs come into play when setting up a switch.
On an 8 port switch, if ports 1-4 are set as access ports (untagged) on VLAN 10, and ports 5-7 are set as access ports (untagged) on VLAN 20, if port 8 is set to trunk mode (tagged, to connect to another switch) with native VLAN still on VLAN 1, that native VLAN 1 would never actually be used, right, since all traffic is set to VLAN 10 and 20? If this is correct, what would the setup look like for traffic to use the native VLAN?
switch vlan switchport
edited Dec 7 at 17:58
jonathanjo
10.6k1833
asked Dec 7 at 16:23
vim_usr
1405
This is probably a simple one, but I am very new to VLANs.
I'd like to avoid using VLAN 1 as well as gain a better understanding of when native VLANs come into play when setting up a switch.
On an 8 port switch, if ports 1-4 are set as access ports (untagged) on VLAN 10, and ports 5-7 are set as access ports (untagged) on VLAN 20, if port 8 is set to trunk mode (tagged, to connect to another switch) with native VLAN still on VLAN 1, that native VLAN 1 would never actually be used, right, since all traffic is set to VLAN 10 and 20? If this is correct, what would the setup look like for traffic to use the native VLAN?
switch vlan switchport
switch vlan switchport
edited Dec 7 at 17:58
jonathanjo
10.6k1833
asked Dec 7 at 16:23
vim_usr
1405
edited Dec 7 at 17:58
jonathanjo
10.6k1833
asked Dec 7 at 16:23
vim_usr
1405
edited Dec 7 at 17:58
jonathanjo
10.6k1833
edited Dec 7 at 17:58
jonathanjo
10.6k1833
edited Dec 7 at 17:58
jonathanjo
10.6k1833
10.6k1833
asked Dec 7 at 16:23
vim_usr
1405
asked Dec 7 at 16:23
vim_usr
1405
asked Dec 7 at 16:23
vim_usr
1405
1405
Is this a Cisco switch?
– Ron Maupin♦
Dec 7 at 16:26
I've been using Packet Tracer (Cisco), but also have access to an HP Procurve as well as Netgear managed switch...hence my terminology possibly being messy.
– vim_usr
Dec 7 at 16:28
You can set up Cisco to not trunk VLAN and have all VLANs on a trunk as tagged, so there is no native VLAN. Other vendors sometime need VLAN 1 as a native VLAN. It depends on the version of STP used.
– Ron Maupin♦
Dec 7 at 16:31
I assumed trunk = tagged. So when an untagged frame associated with a VLAN like VLAN 10, that frame would be tagged as 10 on the trunk. Is that not always the case?
– vim_usr
Dec 7 at 16:36
That depends on how it is configured. You could have VLAN 10 as the native VLAN, so it would not be tagged. You can simply leave VLAN 1 as the native (untagged) VLAN, and remove it from from the list of VLANs allowed on the trunk (a Cisco best practice). That may not work on other vendors.
– Ron Maupin♦
Dec 7 at 16:40
add a comment |
Is this a Cisco switch?
– Ron Maupin♦
Dec 7 at 16:26
I've been using Packet Tracer (Cisco), but also have access to an HP Procurve as well as Netgear managed switch...hence my terminology possibly being messy.
– vim_usr
Dec 7 at 16:28
You can set up Cisco to not trunk VLAN and have all VLANs on a trunk as tagged, so there is no native VLAN. Other vendors sometime need VLAN 1 as a native VLAN. It depends on the version of STP used.
– Ron Maupin♦
Dec 7 at 16:31
I assumed trunk = tagged. So when an untagged frame associated with a VLAN like VLAN 10, that frame would be tagged as 10 on the trunk. Is that not always the case?
– vim_usr
Dec 7 at 16:36
That depends on how it is configured. You could have VLAN 10 as the native VLAN, so it would not be tagged. You can simply leave VLAN 1 as the native (untagged) VLAN, and remove it from from the list of VLANs allowed on the trunk (a Cisco best practice). That may not work on other vendors.
– Ron Maupin♦
Dec 7 at 16:40
Is this a Cisco switch?
– Ron Maupin♦
Dec 7 at 16:26
Is this a Cisco switch?
– Ron Maupin♦
Dec 7 at 16:26
I've been using Packet Tracer (Cisco), but also have access to an HP Procurve as well as Netgear managed switch...hence my terminology possibly being messy.
– vim_usr
Dec 7 at 16:28
I've been using Packet Tracer (Cisco), but also have access to an HP Procurve as well as Netgear managed switch...hence my terminology possibly being messy.
– vim_usr
Dec 7 at 16:28
You can set up Cisco to not trunk VLAN and have all VLANs on a trunk as tagged, so there is no native VLAN. Other vendors sometime need VLAN 1 as a native VLAN. It depends on the version of STP used.
– Ron Maupin♦
Dec 7 at 16:31
You can set up Cisco to not trunk VLAN and have all VLANs on a trunk as tagged, so there is no native VLAN. Other vendors sometime need VLAN 1 as a native VLAN. It depends on the version of STP used.
– Ron Maupin♦
Dec 7 at 16:31
I assumed trunk = tagged. So when an untagged frame associated with a VLAN like VLAN 10, that frame would be tagged as 10 on the trunk. Is that not always the case?
– vim_usr
Dec 7 at 16:36
I assumed trunk = tagged. So when an untagged frame associated with a VLAN like VLAN 10, that frame would be tagged as 10 on the trunk. Is that not always the case?
– vim_usr
Dec 7 at 16:36
That depends on how it is configured. You could have VLAN 10 as the native VLAN, so it would not be tagged. You can simply leave VLAN 1 as the native (untagged) VLAN, and remove it from from the list of VLANs allowed on the trunk (a Cisco best practice). That may not work on other vendors.
– Ron Maupin♦
Dec 7 at 16:40
That depends on how it is configured. You could have VLAN 10 as the native VLAN, so it would not be tagged. You can simply leave VLAN 1 as the native (untagged) VLAN, and remove it from from the list of VLANs allowed on the trunk (a Cisco best practice). That may not work on other vendors.
– Ron Maupin♦
Dec 7 at 16:40
add a comment |
1 Answer
1
active
oldest
votes
If you have an 8-port switch with ports 1-4 on VLAN 10, and 5-7 on VLAN 20, port 8 as trunk and default VLAN 1 ...
It's correct, VLAN 1 shouldn't be used
Watch for
- Untagged frames arriving on the trunk port 8
- Tagged-as-VLAN-1 frames arriving on the access ports or the trunk port
What happens with these depends on your manufacturer, model, and potentially other configuration. The normal goal would be to
- Drop any untagged frames arriving on a trunk
- Drop any unknown-VLAN tagged frames arriving anywhere
How you configure this depends on the particular switch.
Of course, if everything is configured correctly, you'll never get these untagged or tagged with unknown VLAN frames. But what's at the other end of all your wires? If there is any chance of malicious frames, or the ever-present certainty of configuration errors, this is just for protection. As a security matter, one of the first things the malcious systems do is mess with VLANs and MAC addresses.
answered Dec 7 at 16:27
jonathanjo
10.6k1833
This leads me to another related question, wouldn't any untagged frame arriving on trunk port 8 have to associated with VLAN 10 or 20 since that's how the ports have been setup?
– vim_usr
Dec 7 at 16:33
Assuming you only have 10 and 20 defined: yes, only tagged-10 and tagged-20 arriving on trunk port will be useful. But you might get malicious or erroneous packets with funny tags or no tag. All depends on what's on the other end of the trunk.
– jonathanjo
Dec 7 at 16:36
Thank you for the clarification. That makes sense.
– vim_usr
Dec 7 at 16:38
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "496"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f55275%2fwhen-are-native-vlans-used-are-there-times-when-a-native-vlan-will-never-be-use%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
If you have an 8-port switch with ports 1-4 on VLAN 10, and 5-7 on VLAN 20, port 8 as trunk and default VLAN 1 ...
It's correct, VLAN 1 shouldn't be used
Watch for
- Untagged frames arriving on the trunk port 8
- Tagged-as-VLAN-1 frames arriving on the access ports or the trunk port
What happens with these depends on your manufacturer, model, and potentially other configuration. The normal goal would be to
- Drop any untagged frames arriving on a trunk
- Drop any unknown-VLAN tagged frames arriving anywhere
How you configure this depends on the particular switch.
Of course, if everything is configured correctly, you'll never get these untagged or tagged with unknown VLAN frames. But what's at the other end of all your wires? If there is any chance of malicious frames, or the ever-present certainty of configuration errors, this is just for protection. As a security matter, one of the first things the malcious systems do is mess with VLANs and MAC addresses.
answered Dec 7 at 16:27
jonathanjo
10.6k1833
This leads me to another related question, wouldn't any untagged frame arriving on trunk port 8 have to associated with VLAN 10 or 20 since that's how the ports have been setup?
– vim_usr
Dec 7 at 16:33
Assuming you only have 10 and 20 defined: yes, only tagged-10 and tagged-20 arriving on trunk port will be useful. But you might get malicious or erroneous packets with funny tags or no tag. All depends on what's on the other end of the trunk.
– jonathanjo
Dec 7 at 16:36
Thank you for the clarification. That makes sense.
– vim_usr
Dec 7 at 16:38
add a comment |
If you have an 8-port switch with ports 1-4 on VLAN 10, and 5-7 on VLAN 20, port 8 as trunk and default VLAN 1 ...
It's correct, VLAN 1 shouldn't be used
Watch for
- Untagged frames arriving on the trunk port 8
- Tagged-as-VLAN-1 frames arriving on the access ports or the trunk port
What happens with these depends on your manufacturer, model, and potentially other configuration. The normal goal would be to
- Drop any untagged frames arriving on a trunk
- Drop any unknown-VLAN tagged frames arriving anywhere
How you configure this depends on the particular switch.
Of course, if everything is configured correctly, you'll never get these untagged or tagged with unknown VLAN frames. But what's at the other end of all your wires? If there is any chance of malicious frames, or the ever-present certainty of configuration errors, this is just for protection. As a security matter, one of the first things the malcious systems do is mess with VLANs and MAC addresses.
answered Dec 7 at 16:27
jonathanjo
10.6k1833
This leads me to another related question, wouldn't any untagged frame arriving on trunk port 8 have to associated with VLAN 10 or 20 since that's how the ports have been setup?
– vim_usr
Dec 7 at 16:33
Assuming you only have 10 and 20 defined: yes, only tagged-10 and tagged-20 arriving on trunk port will be useful. But you might get malicious or erroneous packets with funny tags or no tag. All depends on what's on the other end of the trunk.
– jonathanjo
Dec 7 at 16:36
Thank you for the clarification. That makes sense.
– vim_usr
Dec 7 at 16:38
add a comment |
If you have an 8-port switch with ports 1-4 on VLAN 10, and 5-7 on VLAN 20, port 8 as trunk and default VLAN 1 ...
It's correct, VLAN 1 shouldn't be used
Watch for
- Untagged frames arriving on the trunk port 8
- Tagged-as-VLAN-1 frames arriving on the access ports or the trunk port
What happens with these depends on your manufacturer, model, and potentially other configuration. The normal goal would be to
- Drop any untagged frames arriving on a trunk
- Drop any unknown-VLAN tagged frames arriving anywhere
How you configure this depends on the particular switch.
Of course, if everything is configured correctly, you'll never get these untagged or tagged with unknown VLAN frames. But what's at the other end of all your wires? If there is any chance of malicious frames, or the ever-present certainty of configuration errors, this is just for protection. As a security matter, one of the first things the malcious systems do is mess with VLANs and MAC addresses.
answered Dec 7 at 16:27
jonathanjo
10.6k1833
If you have an 8-port switch with ports 1-4 on VLAN 10, and 5-7 on VLAN 20, port 8 as trunk and default VLAN 1 ...
It's correct, VLAN 1 shouldn't be used
Watch for
- Untagged frames arriving on the trunk port 8
- Tagged-as-VLAN-1 frames arriving on the access ports or the trunk port
What happens with these depends on your manufacturer, model, and potentially other configuration. The normal goal would be to
- Drop any untagged frames arriving on a trunk
- Drop any unknown-VLAN tagged frames arriving anywhere
How you configure this depends on the particular switch.
Of course, if everything is configured correctly, you'll never get these untagged or tagged with unknown VLAN frames. But what's at the other end of all your wires? If there is any chance of malicious frames, or the ever-present certainty of configuration errors, this is just for protection. As a security matter, one of the first things the malcious systems do is mess with VLANs and MAC addresses.
answered Dec 7 at 16:27
jonathanjo
10.6k1833
edited Dec 7 at 17:39
answered Dec 7 at 16:27
jonathanjo
10.6k1833
answered Dec 7 at 16:27
jonathanjo
10.6k1833
answered Dec 7 at 16:27
jonathanjo
10.6k1833
10.6k1833
This leads me to another related question, wouldn't any untagged frame arriving on trunk port 8 have to associated with VLAN 10 or 20 since that's how the ports have been setup?
– vim_usr
Dec 7 at 16:33
Assuming you only have 10 and 20 defined: yes, only tagged-10 and tagged-20 arriving on trunk port will be useful. But you might get malicious or erroneous packets with funny tags or no tag. All depends on what's on the other end of the trunk.
– jonathanjo
Dec 7 at 16:36
Thank you for the clarification. That makes sense.
– vim_usr
Dec 7 at 16:38
add a comment |
This leads me to another related question, wouldn't any untagged frame arriving on trunk port 8 have to associated with VLAN 10 or 20 since that's how the ports have been setup?
– vim_usr
Dec 7 at 16:33
Assuming you only have 10 and 20 defined: yes, only tagged-10 and tagged-20 arriving on trunk port will be useful. But you might get malicious or erroneous packets with funny tags or no tag. All depends on what's on the other end of the trunk.
– jonathanjo
Dec 7 at 16:36
Thank you for the clarification. That makes sense.
– vim_usr
Dec 7 at 16:38
This leads me to another related question, wouldn't any untagged frame arriving on trunk port 8 have to associated with VLAN 10 or 20 since that's how the ports have been setup?
– vim_usr
Dec 7 at 16:33
This leads me to another related question, wouldn't any untagged frame arriving on trunk port 8 have to associated with VLAN 10 or 20 since that's how the ports have been setup?
– vim_usr
Dec 7 at 16:33
Assuming you only have 10 and 20 defined: yes, only tagged-10 and tagged-20 arriving on trunk port will be useful. But you might get malicious or erroneous packets with funny tags or no tag. All depends on what's on the other end of the trunk.
– jonathanjo
Dec 7 at 16:36
Assuming you only have 10 and 20 defined: yes, only tagged-10 and tagged-20 arriving on trunk port will be useful. But you might get malicious or erroneous packets with funny tags or no tag. All depends on what's on the other end of the trunk.
– jonathanjo
Dec 7 at 16:36
Thank you for the clarification. That makes sense.
– vim_usr
Dec 7 at 16:38
Thank you for the clarification. That makes sense.
– vim_usr
Dec 7 at 16:38
add a comment |
Thanks for contributing an answer to Network Engineering Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f55275%2fwhen-are-native-vlans-used-are-there-times-when-a-native-vlan-will-never-be-use%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Is this a Cisco switch?
– Ron Maupin♦
Dec 7 at 16:26
I've been using Packet Tracer (Cisco), but also have access to an HP Procurve as well as Netgear managed switch...hence my terminology possibly being messy.
– vim_usr
Dec 7 at 16:28
You can set up Cisco to not trunk VLAN and have all VLANs on a trunk as tagged, so there is no native VLAN. Other vendors sometime need VLAN 1 as a native VLAN. It depends on the version of STP used.
– Ron Maupin♦
Dec 7 at 16:31
I assumed trunk = tagged. So when an untagged frame associated with a VLAN like VLAN 10, that frame would be tagged as 10 on the trunk. Is that not always the case?
– vim_usr
Dec 7 at 16:36
That depends on how it is configured. You could have VLAN 10 as the native VLAN, so it would not be tagged. You can simply leave VLAN 1 as the native (untagged) VLAN, and remove it from from the list of VLANs allowed on the trunk (a Cisco best practice). That may not work on other vendors.
– Ron Maupin♦
Dec 7 at 16:40