5 Replies Latest reply on Jan 23, 2017 4:36 PM by jayh

    Native VLAN traffic between Trunk Ports

    00pinetree New Member

      I have the following setup on a 1534P

      interface gigabit-switchport 0/3
        description Down-to-AP1
        no shutdown
        switchport mode trunk
        switchport trunk native vlan 201
        switchport trunk allowed vlan 201,1103-1105

      interface gigabit-switchport 0/28
        description Up-To-CORE-SW-GIG-0/28
        no shutdown
        switchport mode trunk
        switchport trunk allowed vlan 101,201,1103-1105,1501-1505

      interface vlan 1
        ip address dhcp
        ip route-cache express
        no shutdown
      !
      interface vlan 101
        ip address 10.5.0.32 255.255.255.0
        no awcp
        no ip route-cache express
        no shutdown

      A few questions:

      1. When untagged traffic egresses port 0/3 to 0/28 will it be tagged with VLAN 201 or sent untagged?

      2. Port 0/28 has no native vlan, is ingress untagged traffic tagged with default VLAN1?

      2a. If tagged with VLAN1 but VLAN1 is not allowed then is the untagged traffic dropped?

      I have read the Adtran vlan documentation I can find; any further links for learning are appreciated.

      Thank you.

        • Re: Native VLAN traffic between Trunk Ports
          jayh Hall_of_Fame

          00pinetree wrote:

          A few questions:

          1. When untagged traffic egresses port 0/3 to 0/28 will it be tagged with VLAN 201 or sent untagged?

          Untagged traffic entering port 0/3 will belong to VLAN 201 and be tagged with 201 leaving port 0/28.

          2. Port 0/28 has no native vlan, is ingress untagged traffic tagged with default VLAN1?

          If allowed, it will be on default VLAN 1, which is not normally tagged by default. See answer to 2a below.

          2a. If tagged with VLAN1 but VLAN1 is not allowed then is the untagged traffic dropped?

          Usually yes. However, some switches and firmware versions don't allow you to remove VLAN 1 from a trunk. I recommend that you avoid using VLAN 1 on a switch that has multiple VLANs configured. I generally will configure an unused VLAN as native on these ports if this is a concern.

          Note that in the scenario you have above, there is a risky configuration. You have the VLAN 1 interface enabled and configured for DHCP. You also have the VLAN 101 interface enabled and configured with a static IP address. If the switch has IP routing enabled and a rogue DHCP server is plugged in to a port where VLAN 1 appears, then the switch will route between that subnet and your configured subnet if you have IP routing enabled. A default route may also be learned by the switch from DHCP. You probably don't want this behavior, so it is best to shut down the VLAN 1 interface and/or configure it with no IP address.

            • Re: Native VLAN traffic between Trunk Ports
              00pinetree New Member

              Thank you for the reply.

              jayh wrote:

              00pinetree wrote:

              A few questions:

              1. When untagged traffic egresses port 0/3 to 0/28 will it be tagged with VLAN 201 or sent untagged?

              Untagged traffic entering port 0/3 will belong to VLAN 201 and be tagged with 201 leaving port 0/28.

              To confirm: traffic leaving 0/3 will be tagged with 201 when it leaves 0/3 or when leaving 0/28?

              2. Port 0/28 has no native vlan, is ingress untagged traffic tagged with default VLAN1?

              If allowed, it will be on default VLAN 1, which is not normally tagged by default. See answer to 2a below.

              2a. If tagged with VLAN1 but VLAN1 is not allowed then is the untagged traffic dropped?

              Usually yes. However, some switches and firmware versions don't allow you to remove VLAN 1 from a trunk. I recommend that you avoid using VLAN 1 on a switch that has multiple VLANs configured. I generally will configure an unused VLAN as native on these ports if this is a concern.

              Note that in the scenario you have above, there is a risky configuration. You have the VLAN 1 interface enabled and configured for DHCP. You also have the VLAN 101 interface enabled and configured with a static IP address. If the switch has IP routing enabled and a rogue DHCP server is plugged in to a port where VLAN 1 appears, then the switch will route between that subnet and your configured subnet if you have IP routing enabled. A default route may also be learned by the switch from DHCP. You probably don't want this behavior, so it is best to shut down the VLAN 1 interface and/or configure it with no IP address.

              I appreciate the feedback and suggestion. My understanding then is:

              • Trunks to APs, or any source of untagged traffic, will remain with native VLAN 201.
              • Trunk ports between switches should not require a native VLAN.
              • Since VLAN1 is not in use, at least intentionally, it should be shut, or at least not have an IP.
                • Re: Native VLAN traffic between Trunk Ports
                  jayh Hall_of_Fame

                  00pinetree wrote:

                  I appreciate the feedback and suggestion. My understanding then is:

                  • Trunks to APs, or any source of untagged traffic, will remain with native VLAN 201.

                  If the trunk port is configured with VLAN 201 as native, then traffic on VLAN 201 will not be tagged leaving the port, and untagged traffic entering the port will be on VLAN 201, correct.

                  • Trunk ports between switches should not require a native VLAN.

                  The concept of a native VLAN is inherent in the 802.1q specification. If you do not configure a native VLAN, then VLAN 1 will be native by default. Simply put, frames belonging to the native VLAN are untagged on the trunk. You can leave VLAN 1 as native and just not use it if you choose.

                  • Since VLAN1 is not in use, at least intentionally, it should be shut, or at least not have an IP.

                  Correct, but it's a little bit more complex. There is a difference between a VLAN and a VLAN interface. Configuring a VLAN on a switch simply means that the switch will forward frames on that VLAN. So if you have a switch with VLAN 201 configured, it will move frames on that VLAN between ports, keep track of MAC addresses on that VLAN, etc. A VLAN interface actually causes the switch to look at the frames from a layer 3 perspective. You don't need a VLAN interface for a switch to forward frames, but you do need one if you want the switch itself to do something with IP packets on the VLAN, such as layer 3 routing or communicating with the switch such as logging in, SNMP, etc. So if you aren't using VLAN 1, don't have an active VLAN 1 interface, or at least don't assign it an IP address.

                    • Re: Native VLAN traffic between Trunk Ports
                      00pinetree New Member

                      Thank you once again.

                      My problem was apparently a native VLAN mismatch:

                      SW2

                      interface gigabit-switchport 0/3
                        description Down-to-AP1
                        no shutdown
                        switchport mode trunk
                        switchport trunk native vlan 201
                        switchport trunk allowed vlan 201,1103-1105

                      interface gigabit-switchport 0/1
                        description Up-To-CORE-SW-GIG-0/28
                        no shutdown
                        switchport mode trunk
                        switchport trunk allowed vlan 101,201,1103-1105,1501-1505
                                |
                                |
                                |
                      CORE-SW

                      interface gigabit-switchport 0/28
                        description Down-To-SW2-GIG 0/1
                        no shutdown
                        switchport mode trunk
                        switchport native vlan 201
                        switchport trunk allowed vlan 101,201,1103-1105,1501-1505

                      Once I removed

                      switchport native vlan 201

                      from CORE-SW 0/28, untagged traffic originating on SW2 0/3 was able to pass.

                      Still not sure exactly why this fixed things. If a packet leaving 0/3 is tagged with VLAN 201, then it would be tagged with 201 when it hits 0/1, and I would expect it would be received as tagged 201 when it reaches CORE-SW 0/28.

                        • Re: Native VLAN traffic between Trunk Ports
                          jayh Hall_of_Fame

                          00pinetree wrote:

                          Thank you once again.

                          My problem was apparently a native VLAN mismatch:

                          SW2

                          interface gigabit-switchport 0/3
                            description Down-to-AP1
                            no shutdown
                            switchport mode trunk
                            switchport trunk native vlan 201
                            switchport trunk allowed vlan 201,1103-1105

                          interface gigabit-switchport 0/1
                            description Up-To-CORE-SW-GIG-0/28
                            no shutdown
                            switchport mode trunk
                            switchport trunk allowed vlan 101,201,1103-1105,1501-1505
                                    |
                                    |
                                    |
                          CORE-SW

                          interface gigabit-switchport 0/28
                            description Down-To-SW2-GIG 0/1
                            no shutdown
                            switchport mode trunk
                            switchport native vlan 201
                            switchport trunk allowed vlan 101,201,1103-1105,1501-1505

                          Once I removed

                          switchport native vlan 201

                          from CORE-SW 0/28, untagged traffic originating on SW2 0/3 was able to pass.

                          Still not sure exactly why this fixed things. If a packet leaving 0/3 is tagged with VLAN 201, then it would be tagged with 201 when it hits 0/1, and I would expect it would be received as tagged 201 when it reaches CORE-SW 0/28.

                          You're correct that it was a native VLAN mismatch. The frames leaving CORE-SW 0/28 belonging to VLAN 201 would have their tags stripped leaving the port because VLAN 201 was configured as native. When those frames arrived at SW2 untagged, they would be placed in VLAN 1 (the default untagged VLAN).

                          You could have also solved the problem by leaving CORE-SW 0/28 alone and putting switchport native vlan 201 on port 0/1 of SW2. Native VLAN is configured on a per-trunk-port basis and is not global to the switch.
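As an added illustration (not part of the thread, and not Adtran code), the following Python models the 802.1Q trunk-port rules jayh describes (untagged in = native VLAN, native VLAN out = untagged, anything outside the allowed list dropped) and replays the three ports from the posts: it shows why the AP-to-core direction worked even with the mismatch, why the return frames from CORE-SW 0/28 were silently dropped at SW2 0/1, and how removing the native line on CORE-SW fixes it. The port objects, VLAN sets and the idea of tracing one frame per direction are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass
class TrunkPort:
    name: str
    allowed: frozenset  # switchport trunk allowed vlan
    native: int = 1     # switchport trunk native vlan; 1 when not configured

    def ingress(self, tag):
        """Classify an arriving frame (tag=None = untagged); None if dropped."""
        vlan = self.native if tag is None else tag
        return vlan if vlan in self.allowed else None

    def egress(self, vlan):
        """Tag on a departing frame: None (untagged) for the native VLAN."""
        if vlan not in self.allowed:
            return "DROP"
        return None if vlan == self.native else vlan

def carry(vlan, links):
    """Forward a frame already in `vlan` over (egress port, far ingress port)
    links; returns ("ok", final VLAN) or ("dropped", port that dropped it)."""
    for out_port, in_port in links:
        tag = out_port.egress(vlan)
        if tag == "DROP":
            return ("dropped", out_port.name)
        vlan = in_port.ingress(tag)
        if vlan is None:
            return ("dropped", in_port.name)
    return ("ok", vlan)

# Ports as posted in the thread (allowed lists expanded to sets).
UPLINK = frozenset({101, 201, *range(1103, 1106), *range(1501, 1506)})
sw2_ap = TrunkPort("SW2 0/3", frozenset({201, 1103, 1104, 1105}), native=201)
sw2_up = TrunkPort("SW2 0/1", UPLINK)                    # no native -> VLAN 1
core_mismatch = TrunkPort("CORE-SW 0/28", UPLINK, native=201)
core_fixed = TrunkPort("CORE-SW 0/28", UPLINK)           # native line removed

def ap_to_core(core_port):
    """Untagged frame from the AP into SW2 0/3, out 0/1, into CORE-SW 0/28."""
    return carry(sw2_ap.ingress(None), [(sw2_up, core_port)])

def core_to_ap(core_port):
    """Frame on VLAN 201 inside CORE-SW heading back to the AP via SW2 0/3."""
    status, detail = carry(201, [(core_port, sw2_up)])
    tag = sw2_ap.egress(detail) if status == "ok" else None
    return (status, detail, tag)                         # tag None = untagged

if __name__ == "__main__":
    for core in (core_mismatch, core_fixed):
        print(core.native, ap_to_core(core), core_to_ap(core))
```

Setting `native=201` on `sw2_up` instead of changing the core port reproduces jayh's alternative fix, since the rule is applied per trunk port rather than per switch.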