Anonymous
Not applicable

Native VLAN traffic between Trunk Ports


I have the following setup on a 1534P

interface gigabit-switchport 0/3
  description Down-to-AP1
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 201
  switchport trunk allowed vlan 201,1103-1105
!
interface gigabit-switchport 0/28
  description Up-To-CORE-SW-GIG-0/28
  no shutdown
  switchport mode trunk
  switchport trunk allowed vlan 101,201,1103-1105,1501-1505
!
interface vlan 1
  ip address dhcp
  ip route-cache express
  no shutdown
!
interface vlan 101
  ip address 10.5.0.32 255.255.255.0
  no awcp
  no ip route-cache express
  no shutdown

A few questions:

1. When untagged traffic egresses port 0/3 to 0/28 will it be tagged with VLAN 201 or sent untagged?

2. Port 0/28 has no native vlan, is ingress untagged traffic tagged with default VLAN1?

2a. If tagged with VLAN1 but VLAN1 is not allowed then is the untagged traffic dropped?

I have read the Adtran VLAN documentation I can find; any further links for learning are appreciated.

Thank you.

Accepted solution: jayh's second reply below.

jayh
Honored Contributor

Re: Native VLAN traffic between Trunk Ports


00pinetree wrote:

A few questions:

1. When untagged traffic egresses port 0/3 to 0/28 will it be tagged with VLAN 201 or sent untagged?

Untagged traffic entering port 0/3 will belong to VLAN 201 and be tagged with 201 leaving port 0/28.

2. Port 0/28 has no native vlan, is ingress untagged traffic tagged with default VLAN1?

If allowed, it will be on default VLAN 1, which is not normally tagged by default. See answer to 2a below.

2a. If tagged with VLAN1 but VLAN1 is not allowed then is the untagged traffic dropped?

Usually yes. However, some switches and firmware versions don't allow you to remove VLAN 1 from a trunk. I recommend that you avoid using VLAN 1 on a switch that has multiple VLANs configured. I generally will configure an unused VLAN as native on these ports if this is a concern.

Note that in the scenario you have above, there is a risky configuration. You have the VLAN 1 interface enabled and configured for DHCP. You also have the VLAN 101 interface enabled and configured with a static IP address. If the switch has IP routing enabled and a rogue DHCP server is plugged in to a port where VLAN 1 appears, then the switch will route between that subnet and your configured subnet if you have IP routing enabled. A default route may also be learned by the switch from DHCP. You probably don't want this behavior so it is best to shut down the VLAN 1 interface and/or configure it with no IP address.
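
A corrected fragment for the poster's 1534P, as an added example (my configuration, not from the original post and not taken from Adtran documentation): it removes the address from the VLAN 1 interface and shuts it, and makes an otherwise unused VLAN native on the uplink so that untagged frames arriving there cannot be classified into VLAN 1. The VLAN number 999, its name, and the vlan / name command syntax are assumptions modelled on the AOS syntax in the poster's own config; check them against your firmware. The same native VLAN must be configured on the CORE-SW end of this trunk, otherwise the two ends disagree about which VLAN's frames travel untagged.

```text
! VLAN 1 carries no intentional traffic: no address, interface shut,
! so a rogue DHCP server cannot hand the switch an address or a default route
interface vlan 1
  no ip address
  shutdown
!
! Assumed: an otherwise unused VLAN reserved purely as the uplink's native VLAN
vlan 999
  name Unused-Native
!
interface gigabit-switchport 0/28
  description Up-To-CORE-SW-GIG-0/28
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 101,201,1103-1105,1501-1505
```

VLAN 999 is deliberately left out of the allowed list. Whether a native VLAN that is absent from the allowed list is dropped at ingress, or whether VLAN 1 can be pruned from a trunk at all, varies by platform and firmware, as jayh notes above, so confirm the behaviour on your own unit rather than assuming it.
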

Anonymous
Not applicable

Re: Native VLAN traffic between Trunk Ports


Thank you for the reply.

jayh wrote:

00pinetree wrote:

A few questions:

1. When untagged traffic egresses port 0/3 to 0/28 will it be tagged with VLAN 201 or sent untagged?

Untagged traffic entering port 0/3 will belong to VLAN 201 and be tagged with 201 leaving port 0/28.

To confirm: will traffic leaving 0/3 be tagged with 201 when it leaves 0/3, or when leaving 0/28?

2. Port 0/28 has no native vlan, is ingress untagged traffic tagged with default VLAN1?

If allowed, it will be on default VLAN 1, which is not normally tagged by default. See answer to 2a below.

2a. If tagged with VLAN1 but VLAN1 is not allowed then is the untagged traffic dropped?

Usually yes. However, some switches and firmware versions don't allow you to remove VLAN 1 from a trunk. I recommend that you avoid using VLAN 1 on a switch that has multiple VLANs configured. I generally will configure an unused VLAN as native on these ports if this is a concern.

Note that in the scenario you have above, there is a risky configuration. You have the VLAN 1 interface enabled and configured for DHCP. You also have the VLAN 101 interface enabled and configured with a static IP address. If the switch has IP routing enabled and a rogue DHCP server is plugged in to a port where VLAN 1 appears, then the switch will route between that subnet and your configured subnet if you have IP routing enabled. A default route may also be learned by the switch from DHCP. You probably don't want this behavior so it is best to shut down the VLAN 1 interface and/or configure it with no IP address.

I appreciate the feedback and suggestion. My understanding then is:

  • Trunks to AP's, or any source of untagged traffic, will remain with native VLAN 201.
  • Trunk ports between switches should not require a native VLAN.
  • Since VLAN1 is not in use, at least intentionally, it should be shut, or at least not have an IP.
jayh
Honored Contributor

Re: Native VLAN traffic between Trunk Ports


00pinetree wrote:

I appreciate the feedback and suggestion. My understanding then is:

  • Trunks to AP's, or any source of untagged traffic, will remain with native VLAN 201

If the trunk port is configured with VLAN 201 as native, then traffic on VLAN 201 will not be tagged leaving the port, and untagged traffic entering the port will be on VLAN 201, correct.

  • Trunk ports between switches should not require a native VLAN.

The concept of a native VLAN is inherent in the 802.1q specification. If you do not configure a native VLAN, then VLAN 1 will be native by default. Simply put, frames belonging to the native VLAN are untagged on the trunk. You can leave VLAN 1 as native and just not use it if you choose.

  • Since VLAN1 is not in use, at least intentionally, it should be shut, or at least not have an IP.

Correct, but it's a little bit more complex. There is a difference between a VLAN and a VLAN interface. Configuring a VLAN on a switch simply means that the switch will forward frames on that VLAN. So if you have a switch with VLAN 201 configured, it will move frames on that VLAN between ports, keep track of MAC addresses on that VLAN, etc. A VLAN interface actually causes the switch to look at the frames from a layer 3 perspective. You don't need a VLAN interface for a switch to forward frames, but you do need one if you want the switch itself to do something with IP packets on the VLAN, such as layer 3 routing or communicating with the switch such as logging in, SNMP, etc. So if you aren't using VLAN 1, don't have an active VLAN 1 interface or at least don't assign it an IP address. 

Anonymous
Not applicable

Re: Native VLAN traffic between Trunk Ports


Thank you once again.

My problem was apparently a native vlan mismatch:

SW2

interface gigabit-switchport 0/3
  description Down-to-AP1
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 201
  switchport trunk allowed vlan 201,1103-1105
!
interface gigabit-switchport 0/1
  description Up-To-CORE-SW-GIG-0/28
  no shutdown
  switchport mode trunk
  switchport trunk allowed vlan 101,201,1103-1105,1501-1505
          |
          |
          |
CORE-SW

interface gigabit-switchport 0/28
  description Down-To-SW2-GIG 0/1
  no shutdown
  switchport mode trunk
  switchport native vlan 201
  switchport trunk allowed vlan 101,201,1103-1105,1501-1505

Once I removed

switchport native vlan 201

from CORE-SW 0/28 then untagged traffic originating on SW2-0/3 was able to pass. 

Still not sure exactly why this fixed things. If a packet leaving 0/3 is tagged with VLAN 201 then it would be tagged with 201 when it hits 0/1, and I would expect it would be received as tagged 201 when it reaches CORE-SW 0/28.

jayh
Honored Contributor

Re: Native VLAN traffic between Trunk Ports


00pinetree wrote:

Thank you once again.

My problem was apparently a native vlan mismatch:

SW2

interface gigabit-switchport 0/3
  description Down-to-AP1
  no shutdown
  switchport mode trunk
  switchport trunk native vlan 201
  switchport trunk allowed vlan 201,1103-1105
!
interface gigabit-switchport 0/1
  description Up-To-CORE-SW-GIG-0/28
  no shutdown
  switchport mode trunk
  switchport trunk allowed vlan 101,201,1103-1105,1501-1505
          |
          |
          |
CORE-SW

interface gigabit-switchport 0/28
  description Down-To-SW2-GIG 0/1
  no shutdown
  switchport mode trunk
  switchport native vlan 201
  switchport trunk allowed vlan 101,201,1103-1105,1501-1505

Once I removed

switchport native vlan 201

from CORE-SW 0/28 then untagged traffic originating on SW2-0/3 was able to pass.

Still not sure exactly why this fixed things. If a packet leaving 0/3 is tagged with VLAN 201 then it would be tagged with 201 when it hits 0/1, and I would expect it would be received as tagged 201 when it reaches CORE-SW 0/28.

You're correct that it was a native VLAN mismatch. The frames leaving CORE-SW 0/28 belonging to VLAN 201 would have their tags stripped leaving the port because VLAN 201 was configured as native. When those frames arrived at SW2 untagged, they would be placed in VLAN 1 (the default untagged VLAN).

You could have also solved the problem by leaving CORE-SW 0/28 alone and putting switchport native vlan 201 on port 0/1 of SW2. Native VLAN is configured on a per-trunk-port basis and is not global to the switch.
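
The tagging rules jayh describes across this thread (untagged ingress lands in the port's native VLAN, the native VLAN leaves untagged, everything else is tagged, and the allowed list gates both directions) are small enough to model, so here is an added example that does exactly that and replays the thread's topology through it. This is my code, not Adtran's and not the poster's; it builds raw 802.1Q frames in pure Python and models only classification and tag push/strip, with no MAC learning or spanning tree. The sample frame is constructed, the CORE host port where VLAN 201 traffic originates is hypothetical, and the "VLAN 1 cannot be pruned" port stands in for the firmware behaviour jayh mentions rather than any specific product.

```python
"""Model of 802.1Q trunk-port tagging: native VLAN, allowed list, push/strip.

Added example for this thread; it is not Adtran AOS code. It models only
ingress classification and egress tag handling (no MAC learning, no STP).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100


def vlan_of(frame: bytes) -> Optional[int]:
    """VLAN ID from the 802.1Q tag that follows the two MACs, or None if untagged."""
    if len(frame) >= 16 and int.from_bytes(frame[12:14], "big") == ETHERTYPE_8021Q:
        return int.from_bytes(frame[14:16], "big") & 0x0FFF
    return None


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert a tag (PCP 0, DEI 0) between the source MAC and the EtherType."""
    tci = (vid & 0x0FFF).to_bytes(2, "big")
    return frame[:12] + ETHERTYPE_8021Q.to_bytes(2, "big") + tci + frame[12:]


def pop_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag; the caller has already checked the frame is tagged."""
    return frame[:12] + frame[16:]


@dataclass
class TrunkPort:
    name: str
    allowed: frozenset
    native: int = 1  # 802.1Q default when no native VLAN is configured

    def ingress(self, wire: bytes) -> Optional[Tuple[int, bytes]]:
        """Classify an arriving frame: (vlan, payload without tag), None if dropped."""
        vid = vlan_of(wire)
        if vid is None:
            vid, payload = self.native, wire        # untagged -> native VLAN
        else:
            payload = pop_tag(wire)
        return (vid, payload) if vid in self.allowed else None

    def egress(self, vid: int, payload: bytes) -> Optional[bytes]:
        """Put a frame on the wire: the native VLAN leaves untagged, others tagged."""
        if vid not in self.allowed:
            return None
        return payload if vid == self.native else push_tag(payload, vid)


def forward(path: List[Tuple[TrunkPort, TrunkPort]], wire: bytes) -> Optional[bytes]:
    """Carry a frame through (ingress, egress) port pairs; None means it was dropped."""
    for ingress_port, egress_port in path:
        classified = ingress_port.ingress(wire)
        if classified is None:
            return None
        wire = egress_port.egress(*classified)
        if wire is None:
            return None
    return wire


UPLINK = frozenset({101, 201, *range(1103, 1106), *range(1501, 1506)})
AP_ALLOWED = frozenset({201, 1103, 1104, 1105})

# Ports from the thread; CORE 0/28 with "native 201" is the mismatch the poster removed.
sw2_p3 = TrunkPort("SW2 0/3", AP_ALLOWED, native=201)
sw2_p1 = TrunkPort("SW2 0/1", UPLINK)                  # native left at default VLAN 1
core_p28_mismatch = TrunkPort("CORE 0/28", UPLINK, native=201)
core_p28_fixed = TrunkPort("CORE 0/28", UPLINK)
# Hypothetical CORE port where VLAN 201 traffic originates untagged (e.g. a host port).
core_host = TrunkPort("CORE 0/x", frozenset({201}), native=201)
# Hypothetical firmware that will not let VLAN 1 be pruned from the uplink.
sw2_p1_vlan1 = TrunkPort("SW2 0/1 (VLAN 1 unprunable)", UPLINK | {1})

# Constructed untagged frame: broadcast dst, made-up src MAC, ARP EtherType, padding.
AP_FRAME = bytes.fromhex("ffffffffffff02000000aa010806") + bytes(46)


def run_scenarios() -> Dict[str, object]:
    """Replay the thread's questions; each value is the wire frame, a classification, or None."""
    return {
        # Q1: untagged from the AP on 0/3 leaves the uplink tagged 201
        "q1_ap_to_core": forward([(sw2_p3, sw2_p1)], AP_FRAME),
        # Q2/2a: untagged on the uplink falls into VLAN 1, which is not allowed -> dropped
        "q2_untagged_on_uplink": forward([(sw2_p1, sw2_p3)], AP_FRAME),
        # Mismatch: CORE strips the 201 tag, SW2 0/1 reads it as VLAN 1 -> dropped
        "core_to_ap_mismatch": forward([(core_host, core_p28_mismatch), (sw2_p1, sw2_p3)], AP_FRAME),
        # Same mismatch where VLAN 1 cannot be pruned: the frame silently lands in VLAN 1
        "mismatch_vlan1_allowed": sw2_p1_vlan1.ingress(core_p28_mismatch.egress(201, AP_FRAME)),
        # After the fix: 201 stays tagged across the uplink and is untagged only at the AP port
        "core_to_ap_fixed": forward([(core_host, core_p28_fixed), (sw2_p1, sw2_p3)], AP_FRAME),
    }
```

The "mismatch_vlan1_allowed" case is the one worth remembering: on firmware that keeps VLAN 1 on every trunk, a native VLAN mismatch does not produce a visible drop, it quietly moves traffic from the VLAN you intended into VLAN 1, which is the reason for jayh's advice to keep VLAN 1 unused and without an IP interface, and to make sure both ends of a trunk agree on the native VLAN.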