Native VLAN SubInt

Do I need a / is it a “standard” to have a subinterface on my router for my native VLAN ID?

For example, if I change my native VLAN to VLAN 20, do I need to have on my router a

interface FastEthernet0/1.20
 description CNTRL-NATIVE
 encapsulation dot1Q 20 native

thank you

ak

Hello Aaron

Just to reiterate, the native VLAN configuration tells a device on which VLANs any untagged traffic should be placed. On a switch, if you don’t configure it, any untagged traffic received on the interface will be dropped. On a router with subinterfaces, however, any untagged frame will be placed onto the physical interface. If no IP address is configured on the physical interface, then untagged traffic will be dropped. If, however, you configure the physical interface AS WELL AS the subinterfaces, untagged traffic will be processed by the physical interface. No VLAN encapsulation command need be configured on the physical interface to make this work.

Having said all that, the answer is you don’t need to configure a native VLAN subinterface on your router on a stick configuration. However, it is important that native VLAN configurations do “match” on both ends of a link.

I hope this has been helpful!

Laz

Thank you here too… As with the other post, this is very helpful… But I would like to follow up with another question here too…

So having a native vlan is not needed, would it be recommended / Standard?

For example, I have a router and a switch; the router is the edge going out to the internet, with the below configs. Is this what generally is done as a standard for network design? Or would the router just not have any reference to a “native” VLAN?

I tried both setups in my lab, one config where the router has a fa0/1.2 Sub Int and one where it did not. With both configs I could run a show cdp neighbor and cdp neighbor detail and see the switch…

ak-lab-cme1#show run | sec interface FastEthernet0/1.2
interface FastEthernet0/1.2
 description CNTRL-NATIVE
 encapsulation dot1Q 2 native
ak-lab-cme1#

cme-sw1#show int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa1/0/1     on           802.1q         trunking      2

cme-sw1#

Hello Aaron

Putting routers aside for a moment, in general, when creating trunks, it is considered good practice to create a native VLAN on both ends of the trunk (on the switches themselves) that will not be used anywhere else. Create VLAN 99 for example and name it Native VLAN. This VLAN should not be assigned to any ports. Configure the switchport trunk native vlan 99 on both ends and you have secured yourself from any potential VLAN hopping attack.

Now when you apply this to a router on a stick scenario, the switch end of the configuration should use the same best practice. You should create the VLAN and assign it as the native VLAN on that interface. On the router end of the link, you have one of two choices:

Choice 1: Explicitly create a subinterface where the native VLAN will be configured. i.e.

interface fastethernet 1/0/1.99
encapsulation dot1q 99 native

You don’t even have to configure an IP address, and actually, you shouldn’t. Essentially what this does is if any frames are sent to this interface with no VLAN tag, they will be processed by this interface. This interface essentially goes nowhere, so any frames coming here would be dropped.

Choice 2: Don’t create a subinterface for the native VLAN. The physical interface will process any frames sent without a VLAN ID by default.

In this case, you don’t even have to specify the encapsulation dot1q 99 native command as all untagged traffic will go to this interface by default. Again, if you don’t configure an IP address the interface will go nowhere so any untagged frames that reach it will be dropped.

So in both cases, the native VLAN configs at both ends of such a link will match and will function correctly and safely.

I hope this has been helpful!

Laz

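An added example, not part of the thread or any poster's code: a Python check over a router running-config and a switch show int trunk output that flags the two conditions described in the answer above, a native VLAN ID that differs between the two ends and an IP address on the interface that receives untagged frames. The sample text, function names and finding strings are constructed for illustration.

```python
import re

# Constructed sample input, shaped like the outputs quoted in the thread.
ROUTER_CFG = """\
interface FastEthernet0/1
 no ip address
interface FastEthernet0/1.2
 encapsulation dot1Q 2 native
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
"""
SWITCH_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa1/0/1     on           802.1q         trunking      2
"""

def interface_blocks(cfg):
    """Map each interface name to its stripped sub-command lines."""
    pat = r"^interface (\S+).*\n?((?: .*\n?)*)"
    return {m[1]: [c.strip() for c in m[2].splitlines()]
            for m in re.finditer(pat, cfg, re.M)}

def router_untagged(cfg, phys):
    """Return (native_vlan, has_ip) for the interface on phys that takes untagged frames."""
    blocks = interface_blocks(cfg)
    vlan, owner = None, blocks.get(phys, [])  # no native subinterface: physical takes them
    for name, cmds in blocks.items():
        m = re.search(r"^encapsulation dot1q (\d+) native$", "\n".join(cmds), re.I | re.M)
        if m and name.startswith(phys + "."):
            vlan, owner = int(m[1]), cmds
    return vlan, any(c.startswith("ip address ") for c in owner)

def switch_native(show_trunk, port):
    """Read the 'Native vlan' column for port from 'show int trunk'; None if absent."""
    for f in map(str.split, show_trunk.splitlines()):
        if len(f) == 5 and f[0] == port and f[-1].isdigit():
            return int(f[-1])

def audit(router_cfg, phys, show_trunk, port):
    """List findings for the two conditions named in the answer above."""
    r_vlan, has_ip = router_untagged(router_cfg, phys)
    s_vlan = switch_native(show_trunk, port)
    findings = []
    if r_vlan is not None and r_vlan != s_vlan:
        findings.append(f"native VLAN mismatch: router {r_vlan}, switch {s_vlan}")
    if has_ip:
        findings.append("interface receiving untagged frames has an IP address")
    return findings
```

Calling audit(ROUTER_CFG, "FastEthernet0/1", SWITCH_TRUNK, "Fa1/0/1") on the sample returns an empty list; a router config with no native subinterface is treated as the second choice, where the physical interface takes untagged frames.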

VERY helpful!! Thank you…

Funny as I “know” this stuff, but struggled to “Explain it”… Besides well you just do it this way… That subtle difference…

Thank you again for your time and help…

ak
