802.1Q Native VLAN on Cisco IOS Switch

Hello Rene,
quick question please,
when we applied :

SW1(config)#interface fastEthernet 0/24
SW1(config-if)#switchport trunk native vlan 10

and then i went ahead and did : sh vlan brief , i cannot see that vlan 10 is created at all? can we have more than native vlan at the same time on the same switch?

im getting this:

Port        Mode             Encapsulation  Status        Native vlan
Et0/1       desirable        n-isl          trunking      10
Po1         on               802.1q         trunking      1

thanks,
Ammar

2 Likes

Hello Eng_A

It is important to understand how VLANs are created and how they are applied. In the Cisco IOS, you can apply a VLAN (say to an access port or a trunk port) without it actually existing! And actually, you don’t get an error message for this either. This is also the case when you apply the Native VLAN. So when you apply a native VLAN to a trunk port, there are two steps:

  1. Create the VLAN (or make sure that it already exists)
  2. Apply the Native VLAN configuration to the trunk

As you have already seen, these commands don’t actually have to be implemented in the above order.

So for commands like:

SW1(config-if)#switchport access vlan 10
or
SW1(config-if)#switchport trunk allowed vlan 10
or
SW1(config-if)#switchport trunk native vlan 10

vlan 10 may not even exist, but you can still issue the above commands.

The only time a VLAN will be created without explicitly issuing the vlan xx command (where xx is the VLAN ID) is when you create an SVI. For example:

SW1(config)# interface vlan 10

This command creates the SVI on a switch, but it also automatically creates the associated VLAN. If you have terminal monitor on, you will actually see a syslog message that informs you of this.

So, to answer your question, you must create vlan 10 in order for your native vlan configuration to work correctly.

I hope this has been helpful!

Laz

1 Like

At what point do you assign an IP address to a vlan say
“Interface vlan2
IP address…”
instead of assigning IP address to a normal interace.

Hello Olaniyi.

The command interface vlan 2for example would be used to create a Switched Virtual Interface (SVI) on a layer 3 switch to function as a default gateway and allow for inter-VLAN routing. If you have a layer 3 switch with two VLANs configured on it, say VLAN 20 and 30 with subnets 10.10.20.0/24 and 10.10.30.0/24 respectively, these VLANs cannot communicate with each other. If you create two SVIs, say VLAN 20 and VLAN 30 and assign them IP addresses 10.10.20.1 and 10.10.30.1 respecitvely, you can use these as gateways on the end devices to allow communication between the VLANs on the same switch.

This command is only available on layer 3 switches and NOT on routers. On routers, you would assign an IP address on a specific physical interface.

I hope this has been helpful!

Laz

19 posts were merged into an existing topic: 802.1Q Native VLAN on Cisco IOS Switch

is there specific topic to describe Native VLAN exactly what dose it uses for and how dose it help switching process ?

Hello Mohammad.

Frames that are placed on a trunk include a VLAN tag. Switches know to which VLAN to forward a frame that is received on a trunk interface by this tag. If however for some reason, there is no tag on a frame that is received, the switch must know what to do with it. The Native VLAN configuration essentially tells the switch on which VLAN any UNtagged frames should be placed.

Now if you have connected two switches with a trunk, it is highly unlikely that any frame will arrive without a tag. (If it does, then there is a problem with some configuration). However, if you have a hub between two switches connected with a trunk and you have a PC connected to that hub, then you will definitely receive untagged frames on the trunk ports. Take a look at the following diagram:

Any frames sent by the PC will hit the trunk ports on the two switches untagged. The switches must know what to do with them. This is why the native VLAN must be configured, otherwise these frames will be dropped.

The truth is that such a topology is a very bad idea. You should never create such a network. The capability of switches to deal with untagged frames however must be applied and configured in order for trunks to function correctly from end to end.

I hope this has been helpful!

Laz

2 Likes

Hi Rene,

I now that the “vlan dot1q tag native” command will tag native vlan on all trunks port but what about the “switchport trunk native vlan tag” command used for ??? notice that this command is enabled by default per interface and can not be seen by applying show run all command, but when I use “no switchport trunk native vlan tag” it’s show up in run config.

The switch model and IOS version is :-
Catalyst 4500 L3 Switch Software (cat4500e-IPBASEK9-M), Version 15.1(1)SG, RELEASE SOFTWARE (fc3)



Hi Hussien,

The vlan dot1q tag native is a global command so it applies to all interfaces. If you want to exclude certain interfaces, you can use the no switchport trunk native vlan tag command on the interface level.

4 Likes

Great answer, thanks again Rene.

1 Like

Hi Rene,
Good Day…

When I have configured Native vlan different on Trunk port then Found switch port is “Desg BKN*” state with PVID-Inconsistant for the particular VLAN . I understand VLAN Mismatched on BPDU but why switch Blocking the port.Is it normal rule that if VLAN Mismatched the port will be Blocking mode ??? Need detailed Technical Reason regarding.Thx

br//zaman

Hi Mohammad,

you are correct, it’s normal rule of STP and the port state is BROKEN to prevent the Leaking traffic between the two native VLANs, and The PVID-Inconsistant is checked by SSTP BPDU that PVST+ send per VLAN with 802.1q tag except for the native VLAN where it sent without tag even if the native VLAN is not allowed on the trunk.

Now the question is how the mismatch of native VLAN done ???
well, the SSTP BPDU looks exactly like IEEE BPDU except it has TLV filed than contain VLAN ID, so if the switch receive untagged SSTP BPDU with different TLV ID from it’s local configured native VLAN, it will know that the native VLAN is mismatched from the other side of the trunk and both VLANs will be in “BKN” state of the trunk port in both side.

I hope this has been helpful!
Hussein

Hi @lagapides , can i just interject and ask a question of my own?

Why do 2 switches need to have the same native VLAN in order for them to communicate? If the frame is untagged anyway without any vlan information then why does the other switch care what its native VLAN is? If i have one switch with a native VLAN of 1 and the other switch native VLAN 99, when one goes to send a CDP or STP fram untagged and it reaches the other switch untagged, then why does it get rejected? Is there still information on what the native VLAN of the sender is and thus as a result have to match?

Thanks again

Hello Michael

You are correct in that you can create a trunk link where the native VLAN is different on each end. The link will function correctly as far as data traffic is concerned (although you will get syslog messages indicating a native VLAN mismatch). However, this causes the following problems:

  1. Using your example, I could have one user on VLAN 1 on Switch 1 who, through the native mismatch configured, would have access to VLAN 99. VLANs by definition should not be able to communicate unless they connect via a router. This is not only a design flaw, but it is also a security risk, especially if VLAN 99 is a server subnet to which you have configured access lists to restrict access.
  2. A native VLAN mismatch will cause problems with STP. Specifically, if there is a native VLAN mismatch, the STP state of one end of the link becomes broken while the other end of the link is functioning normally. This will result in an STP loop. Take a look at this Cisco Learning Network discussion for more details.
  3. Concerning CDP, the CDP traffic is always preferred on the lowest VLAN configured. That is, VLAN 1 always, which cannot be deleted from the VLAN database. The CDP protocol behaves differently when the switch sends CDP as a tagged packet or untagged packet dependent upon the native VLAN configured on the trunk link. However, CDP would not be blocked by a native VLAN mismatch. It actually detects it and gives you syslog messages.

I hope this has been helpful!

Laz

2 Likes

I have a linux server interface [Trunk/ expecting tagged vlan 1 traffic]. Its connected to L2 switch. Tagging an admin vlan [native/ VLAN1 by default] is not an option on 2950/2960 switches. on Nexus, can be done globally only; so it does not suffice my purpose. What I want is to send vlan 1 traffic [tagged] on that linux server interface. Can this be done with any software of PC [directly connected to linux server port] or from L2 switch?

Hi Deep,

You can’t use vlan dot1q tag native on the 2950/2960 but you could change the native VLAN on a trunk to your server. Something like this:

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 200

This makes VLAN 200 (a bogus VLAN that you don’t use) the native VLAN and VLAN 1 will then be tagged. Still, it’s probably best not to use VLAN 1 but something else instead.

Thank you for the reply Rene.
I quickly checked on both NX 3k and 2960 but dont see encapsulation options available to start with. Is there any thing on the global config that could prevent this?

NX 3K [physical interface/ without VPC, standalone]
switch(config)# interface ethernet 1/2
switch(config-if)# switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking
           mode

2960:
Switch(config)#interface GigabitEthernet0/12
Switch(config-if)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking
           mode
  pruning  Set pruning VLAN characteristics when interface is in trunking mode

Hello Deep

When you don’t have the option of adding the encapsulation, this usually means that the switch only supports one type of encapsulation, that is, dot1q. So you do not require this command since it is already configured by default. To verify this, type the show interface ethernet 1/2 capabilities command and take a look at the trunk encapsulation type. It should state 802.1Q.

I hope this has been helpful!

Laz

Hi Andrew, I found your answer interesting and I have seen these type of configuration at many places where a Laptop/ Desktop is connected to the VoIP. My question is - " How can we configure two VLANs on a single switch port? Do we assign two diffenet IP Addresses?

You would set the switchport in question to be a trunk usually, with the native vlan to be the vlan the computer would use. Some Cisco equipment has a special mode of doing this specifically for voice vlans.

A real world example might help: At my company, we have the port set to be a trunk and allow both the PC and Voice vlans on the trunk, setting the PC vlan to native. The Avaya phone gets a DHCP address on the native vlan, but it looks for a special DHCP scope option that tells the phone, “you should be on the Voice vlan” The phone recognizes this, and says, “okay, I will now request an IP address on the Voice vlan.” The phone is responsible for tagging its own traffic on the Voice vlan from that point forward.