Wednesday, 12 February 2020

Switch Working - 3: Native VLAN

Native VLAN: Features and Configuration

In this section we will try to cover the following questions:
  • What is a native VLAN?
  • What is the difference between a VLAN and the native VLAN?
  • What are the features of the native VLAN?
  • How do you configure a native VLAN?
  • What is the best practice for configuring a native VLAN?
  • How do you troubleshoot it?
When several switches carrying several VLANs are connected to each other, a frame leaving a switch over a trunk is tagged with its VLAN ID so that the next switch knows which VLAN it belongs to. If a switch receives a frame on a trunk that carries no tag, it places that frame in the native VLAN: the native VLAN is the VLAN to which all untagged traffic on an 802.1Q trunk is assigned, and it is the only VLAN whose frames the switch sends untagged over that trunk. This default behaviour can be changed by configuring the switch to tag native VLAN frames as well (on Cisco IOS this is the global command vlan dot1q tag native).

Features of the Native VLAN:

  • The default native VLAN on Cisco switches is VLAN 1.
  • It is not recommended to leave VLAN 1 as the native VLAN.
  • The reason: a frame received untagged on an 802.1Q (dot1q) trunk is assumed to belong to the native VLAN and is forwarded into that VLAN. With the default, that is VLAN 1, which is also the VLAN every access port sits in until it is reconfigured.
  • Creating a dedicated VLAN and assigning it as the native VLAN therefore improves network security by defeating the double-tagging form of VLAN hopping (see the best practice below).
  • Trunk links between Cisco switches use 802.1Q (dot1q) or, on older platforms, ISL encapsulation, so:
    • when traffic from, say, VLAN 10 is sent to another switch over the trunk link, a tag identifying VLAN 10 is added before the frame goes onto the trunk; this is called frame tagging;
    • between switches this tag tells the receiving switch which VLAN each frame belongs to, so it can forward the frame only to ports in that VLAN;
    • a hub has no concept of VLANs, so it forwards frames without any tag;
    • so a frame that arrives on the trunk without a tag is assumed to belong to the native VLAN and is forwarded to the ports in the native VLAN.
  • Only 802.1Q has a native VLAN. ISL encapsulates every frame, including VLAN 1 traffic, so there is no untagged traffic on an ISL trunk.

Best Practice for Configuring a Native VLAN:

The best way to configure the native VLAN is to create a VLAN that is used for nothing else, assign it as the native VLAN on every trunk, and make sure that no access port is placed in that VLAN. A VLAN hopping (double-tagging) attack relies on the attacker sitting in the native VLAN: the attacker sends a frame with two tags, the first switch strips the outer tag and, because that VLAN is native, sends the frame untagged over the trunk, and the second switch reads the remaining inner tag and delivers the frame into the attacker's target VLAN. If the native VLAN contains no ports and no hosts, the attacker can never be in it, so the outer tag is never stripped and the inner tag is never seen by the next switch. Tagging the native VLAN as well (vlan dot1q tag native) closes the same gap on switches that support it.

Configuration

            Sw(config)#vlan 111                                    ! create VLAN 111 (used only as the native VLAN)
            Sw(config-vlan)#exit
            Sw(config)#interface FastEthernet0/1                   ! choose the trunk port
            Sw(config-if)#switchport trunk encapsulation dot1q     ! encapsulation type (dot1q/isl); only exists on switches that also support ISL
            Sw(config-if)#switchport mode trunk                    ! make the port a permanent trunk
            Sw(config-if)#switchport trunk native vlan 111         ! VLAN 111 becomes the native VLAN of this trunk

 Repeat the same trunk configuration on the port at the other end of the link; the native VLAN must be 111 on both sides.

Verification

            Sw#show interfaces FastEthernet0/1 switchport         ! complete switchport information for Fa0/1; look for "Trunking Native Mode VLAN: 111 (VLAN0111)"
            Sw#show interfaces trunk

            Port        Mode         Encapsulation  Status        Native vlan
            Fa0/1       on           802.1q         trunking      111

 Note: on Cisco switches the native VLAN ID must match on both ends of an 802.1Q trunk; otherwise the link does not work properly, because untagged frames leave one side belonging to its native VLAN and are placed into a different VLAN on the other side, so traffic leaks between the two VLANs. CDP reports this as a native VLAN mismatch (%CDP-4-NATIVE_VLAN_MISMATCH in the log) and spanning tree blocks the affected port for the inconsistent VLANs (%SPANTREE-2-RECV_PVID_ERR followed by %SPANTREE-2-BLOCK_PVID_PEER), so these log messages and the Native vlan column of show interfaces trunk on both switches are the first things to check when troubleshooting a trunk.
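The mechanics described above (untagged frames landing in the native VLAN, the double-tagging VLAN hop in the best-practice section, and the mismatch in this note) as an added, runnable example in Python; it is not part of the original post and not Cisco code. It models two switches joined by an 802.1Q trunk with the behaviour described on this page: the native VLAN travels untagged, a Cisco access port accepts a frame tagged with its own VLAN and strips the tag, and with vlan dot1q tag native enabled untagged frames received on the trunk are dropped. Switch names, port names, VLAN numbers and the payload bytes are constructed for the example.

```python
"""Toy model of 802.1Q trunk forwarding: how the native VLAN turns a
double-tagged frame into a VLAN hop, and what changing or tagging the
native VLAN does about it.  Frames are the bytes that follow the two MAC
addresses: zero or more 802.1Q tags, then EtherType and payload.
All names, VLAN numbers and payload bytes are constructed for the example."""
import struct
from dataclasses import dataclass, field
from typing import Optional

TPID = 0x8100  # 802.1Q Tag Protocol Identifier


def tag(vid: int, rest: bytes) -> bytes:
    """Prepend one 802.1Q tag (PCP 0, DEI 0, 12-bit VLAN id) to `rest`."""
    return struct.pack("!HH", TPID, vid & 0x0FFF) + rest


def peel(frame: bytes):
    """Return (vid, rest) if `frame` starts with an 802.1Q tag, else (None, frame)."""
    if len(frame) >= 4 and struct.unpack("!H", frame[:2])[0] == TPID:
        return struct.unpack("!H", frame[2:4])[0] & 0x0FFF, frame[4:]
    return None, frame


@dataclass
class Switch:
    name: str
    native_vlan: int = 1                  # Cisco default native VLAN
    tag_native: bool = False              # models the global 'vlan dot1q tag native'
    access_ports: dict = field(default_factory=dict)  # port name -> access VLAN

    def access_ingress(self, port: str, frame: bytes):
        """Untagged frames belong to the port's VLAN.  A frame tagged with that
        same VLAN is accepted and the tag stripped (as Cisco access ports do);
        a frame tagged with any other VLAN is dropped.  Returns (vid, rest) or None."""
        pvid = self.access_ports[port]
        vid, rest = peel(frame)
        if vid is None:
            return pvid, frame
        return (pvid, rest) if vid == pvid else None

    def trunk_egress(self, vid: int, rest: bytes) -> bytes:
        """Native VLAN leaves untagged unless native tagging is on; others get a tag."""
        if vid == self.native_vlan and not self.tag_native:
            return rest
        return tag(vid, rest)

    def trunk_ingress(self, frame: bytes):
        """A tag names the VLAN; no tag means the native VLAN, or a drop when
        native tagging is enabled (Cisco's documented behaviour).  Returns (vid, rest) or None."""
        vid, rest = peel(frame)
        if vid is not None:
            return vid, rest
        if self.tag_native:
            return None
        return self.native_vlan, rest


def deliver(a: Switch, port: str, frame: bytes, b: Switch) -> Optional[int]:
    """Host on switch `a`/`port` sends `frame`; return the VLAN switch `b`
    delivers it into, or None if either switch drops it."""
    hit = a.access_ingress(port, frame)
    if hit is None:
        return None
    vid, rest = hit
    hit = b.trunk_ingress(a.trunk_egress(vid, rest))
    return None if hit is None else hit[0]


PAYLOAD = b"\x08\x00" + b"constructed payload"  # EtherType IPv4 plus dummy bytes


def double_tag(native: int, attacker_vlan: int = 1, target: int = 20,
               tag_native: bool = False) -> Optional[int]:
    """Attacker on an access port in `attacker_vlan` sends outer tag = attacker_vlan,
    inner tag = `target`.  Both switches share the same native VLAN setting."""
    a = Switch("A", native, tag_native, {"Fa0/3": attacker_vlan})
    b = Switch("B", native, tag_native)
    crafted = tag(attacker_vlan, tag(target, PAYLOAD))
    return deliver(a, "Fa0/3", crafted, b)


def native_mismatch(native_a: int, native_b: int, host_vlan: int) -> Optional[int]:
    """Legitimate untagged frame from `host_vlan` on A; which VLAN does B deliver it into?"""
    a = Switch("A", native_a, access_ports={"Fa0/2": host_vlan})
    b = Switch("B", native_b)
    return deliver(a, "Fa0/2", PAYLOAD, b)


if __name__ == "__main__":
    print("native 1, attacker in VLAN 1  ->", double_tag(1))                  # 20: hop succeeds
    print("native 111, no ports in it    ->", double_tag(111))                # 1: stays in VLAN 1
    print("native 1, tagged native       ->", double_tag(1, tag_native=True)) # 1: stays in VLAN 1
    print("native 1 / 111 mismatch       ->", native_mismatch(1, 111, 1))     # 111: frame leaks
    print("native 111 on both sides      ->", native_mismatch(111, 111, 10))  # 10: normal
```

Run it as a script to see the five cases. The first line is the attack the best-practice section warns about: because the attacker's access VLAN is also the native VLAN, switch A strips the outer tag, puts the frame on the trunk untagged, and switch B honours the inner tag. With an unused native VLAN, or with the native VLAN tagged, the outer tag stays on the wire and switch B never reaches the inner one. The mismatch case shows why the note above insists on the same native VLAN at both ends.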