Hi, i want information please
I have see example from my customer there are some swtich with native vlan different form Vlan1 example switchport trunk native vlan 250
Why this command ?
thanks
Hello Ugo
By default, when you create a trunk, the native VLAN is set to VLAN 1. However, it is best practice to change the default native VLAN to something other than VLAN1. This should be done to mitigate security threats such as VLAN hopping.
More info on the threat of VLAN hopping can be found at this lesson:
I hope this has been helpful!
Laz
Question: Defaults for cisco are ports set to the default VLAN 1 and native VLAN to be on 1.
-
If we change the native VLAN to 99, does that make all ports still on VLAN 1 now tagged? ie when a frame goes to the port it gets tagged with vlan 1.
-
If I wish to keep using VLAN 1, would I need a subinterface on the router? Since now, frames are being tagged with VLAN 1?
Thanks
Hello Patrick
Yes, that is correct. Just a clarification, though, keep in mind that the native VLAN is set to 1 on any trunk ports that may be configured. The native VLAN only has meaning when weâre talking about trunk ports. If a switch has no trunk ports, then the native VLAN is non-existent.
If we change the native VLAN on a specific trunk port to 99, this does not affect any other port on the switch. The only thing it does is, if an untagged frame is received on that trunk port, that frame will be placed on VLAN 99. Remember that access ports that may be assigned to VLAN 1 will never âseeâ any tags at all regardless of what the native VLAN is on any trunk port.
If you have changed the native VLAN on a particular trunk port, then frames on VLAN 1 will only be tagged when sent over that trunk port. As for subinterfaces on a router, this is only done when you are configuring router on a stick. For more info on that, take a look at this lesson:
I hope this has been helpful!
Laz
Hi @lagapidis,
Iâve just scrolled down through the posts and got a question to your statement:
I tested this with the following topology in EVE-NG and observed a different behaviour than you described.
Interface âe0/0â on S1 & S2:
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
Interface âe0/1â on S1 & S2:
switchport mode access
switchport access vlan 999
Now, when PC1 is trying to ping PC2, the Ethernet frame isnât getting tagged on the trunk according to Wireshark capture.
As for my understanding, based on this topology the Ethernet frame gets tagged in three scenarios. WhenâŚ
a) changing the VLAN on the access ports (to other than the native VLAN)
b) changing the native VLAN on the trunk ports (to different than the access VLAN)
c) activating native VLAN tagging globally
However, the Ethernet frame doesnât get tagged, if the access VLAN is identical to the native VLAN.
Can you confirm this, or am I misunderstanding something?
Many thanks in advance. Your replies are awesome! 
Hello Marcel
Concerning the answer you quoted from my previous post, I was responding to a question about Native VLAN tagging. The first question stated by the poster was, "What would happen if native VLAN tagging were enabled? " If that is the case, then frames belonging to the native VLAN sent over the trunk will be tagged.
In the scenario you tested, there is no native VLAN tagging enabled, so the behavior you see is expected.
All things being equal in your topology, if you make these changes, then the frame traversing the trunk will indeed be tagged.
For more info, take a look at this NetworkLessons note on the topic of Native VLANs and untagged frames.
I hope this has been helpful!
Laz
Please explain more about Native VLAN, its purposes and share use cases.
Hello Jayashree
First of all, take a look at this lesson that talks about the Native VLAN:
You can also get some more information in th NetworkLessons Notes site at these particular notes:
- https://notes.networklessons.com/native-vlans-and-untagged-frames
- https://notes.networklessons.com/switchport-trunk
- https://notes.networklessons.com/vlans-when-a-tagged-frame-arrives-on-an-access-port
- https://notes.networklessons.com/vlan-control-frames
If you have any other specific questionsa about the native VLAN, please let us know!
I hope this has been helpful!
Laz
Hi @lagapidis ,
Is the below scenario valid?, if yes, PC 2 will ping PC 3?
Hello Premkumar
If your fundamental question is âwill this workâ then the answer is yes, it will. PC2 will be able to ping PC 3 assuming their IP addressing is on the same subnet. This is because SW1 and SW2 are connected to each other over access ports. When a frame exits SW1 on that port, no tag information is included, so when SW2 receives that frame on the access port, it will place it on the VLAN configured on the access port.
Now is this scenario valid? Itâs definitely NOT recommended. As the topology is, it will function, however, if you expand your network, create trunk links to other switches, and include the various VLANs in those trunks, things will get mismatched. Itâs a good idea to keep your VLANs consistent across the whole topology.
I hope this has been helpful!
Laz
Great explanation! Of course we should use trunk ports between switches. I wanted to understand different access vlan ports behavior and can be used or not. Thanks for the clarification.
1 Like
I had somehow understood the concepts until now, but this statement confused me. Could you please be a little bit brief on this? Iâm sorry for asking a dumb question.
Hello Sathish
Take a look at this
SW1(config)#vlan dot1q tag native
SW2(config)#vlan dot1q tag native
If you decide to tag the native VLAN on a trunk port, anything that is untagged and received on that trunk port will be dropped
PC3#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/7 ms
Everything is working so far. Now, letâs configure SW2 to not tag the native VLAN, so it will send anything from PC3 in VLAN 10 untagged. Letâs see what SW1 will think about this.
SW2(config)#no vlan dot1q tag native
PC3#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
.....
As you can see, SW1 dropped this traffic. The reason for this is that the moment you configure native VLAN tagging, the switch will drop any traffic that simply isnât tagged. Since Iâve left native VLAN tagging configured on SW1, it dropped the traffic.
If youâre still confused, please let me know. And donât apologize for asking questions, how else are you supposed to learn something? Weâre glad to help.
David
1 Like
Hello @davidilles
Really appreciate you taking the time to address my doubts. I am now confident
Hello Sathish
As usual, @davidilles did a great job in answering your question. I believe that my statement you highlighted may have been a bit confusing, so I updated it in my post.
Laz
1 Like
Great, appreciate it @lagapidis
1 Like