Concept of Native VLAN with configuration example
Author : Amandeep Kaur
Today we are going to talk about one of the most interesting topic and its none other than Native VLAN. I knew most of you guys know the concept and the requirement of the Native VLAN and most of you already using and configuring the same in your network environment. But there are so many people just starting studying the basics of the networking and this is one of the most important topic to understand the basics of switching.
In my example I am taking the Cisco devices where I will show the Native VLAN working and the configurations of the Native VLAN on the devices.
What is Native VLAN ?
What is the Use of the Native VLAN ?
When and where to use the Native VLAN concept ?
Standards of the Native VLANs ?
I knew there are lot of questions in your mind, So lets start with the beginning on the Native VLAN part. The IEEE 802.1Q trunking protocol describes some thing called the “native VLAN”.
All site visitors sent and acquired on an interface that is configured for 802.1Q gained have a tag on its Ethernet body. whilst you look at it in cord shark, it'll appearance the identical much like any regular Ethernet body.
when your Cisco switches receives an Ethernet body without a tag on a 802.1Q enabled interface, it's going to anticipate that it belongs to the local VLAN. for this reason you need to make sure that the native VLAN is the same on each sides. Below is am example showing native VLAN in the switched network
 |
| Fig 1.1- Native VLANs |
A VLAN trunk is an OSI Layer 2 hyperlink among switches that carries site visitors for all VLANs (unless the allowed VLAN list is constrained manually or dynamically). To enable trunk links, configure the ports on both cease of the bodily link with parallel sets of commands.
To configure a switch port on one give up of a trunk link, use the switch port mode trunk command. With this command, the interface modifications to permanent trunking mode.
The port enters right into a Dynamic Trunking Protocol (DTP) negotiation to transform the hyperlink into a trunk link even supposing the interface connecting to it does no longer comply with the trade.
 |
| Fig 1.2- Native VLANs |
DTP is defined inside the subsequent topic. on this path, the switch port mode trunk command is the only technique implemented for trunk configuration.
- An 802.1Q trunk port can carry tagged and un tagged frames because Ethernet is assumed to be a shared medium and there may hosts on the medium that cannot handle un tagged frames.
- Un tagged frames must placed into a VLAN by the receiving switch, the native VLAN is the VLAN used.
- When a switch receives an un tagged frame on a tagged interface it is assumed membership of the Native VLAN.
- For 802.1.Q tagged interfaces, Cisco uses un tagged frames to carry admin various protocols between the switches e.g. CDP, DTP, LACP (?). Not all vendors implement a native VLANs.
- Configurable Native VLAN IDs are a response to the security vulnerability published by SANS in July 2000 that noted a possible VLAN hopping attack using the Native VLAN. Because VLAN1 on Cisco switches has special significance
- It is not mandatory for vendors to implement Native VLANs so vendor interoperability for protocols using the feature will be a specific configuration issue.
- For Cisco switches the Native VLAN ID must match on both end of the trunk.
- By default the Native VLAN is 1.
- My “Security Best Practice” is to configure the Native VLAN ID to VLAN 666 and to ensure that this VLAN is not used anywhere in the network. The number “666” helps people to remember this. An attacker who attempts to use the VLAN hopping attack will end up in a dead VLAN that has no hosts to leverage.
VLANs 10, 20, and 30 support the SALES, SERVICE, and SUPPORT (PC1, PC2, and PC3). The F0/1 port on switch S1 is configured as a trunk port and forwards traffic for VLANs 10, 20, and 30. VLAN 99 is configured as the native VLAN.
 |
| Fig 1.3- Example for Native VLAN |
