Friday, January 9, 2009

Native VLANs - ISL vs 802.1q, CatOS vs IOS

When configuring trunking, the discussion of Native VLANs may be a little confusing, especially when comparing ISL trunking vs 802.1q, and IOS vs CatOS.

Here's a breakdown:

First, the concept of a Native VLAN is only understood by 802.1q. So, for ISL trunking, do not worry about setting it, as ISL encapsulates EVERY FRAME going through that trunk (more below).

A Native VLAN is merely a single VLAN ID already allowed on a trunk that will be used for all untagged frames sent/received. In other words, if the switch receives a frame on this trunk with no VLAN ID tagged on it, it will assume that this frame is in the Native VLAN, and inversely, if it sends a frame on this trunk that is in the Native VLAN, it will not bother tagging the frame.

As stated above, this does not apply to ISL because it encapsulates packets (instead of tagging them, like 802.1q), and every packet must be encapsulated; therefore, ISL does not bother with the concept.

Typically, you have a dedicated "switch management" VLAN on your network, all your switches' management addresses are in this VLAN, and this VLAN is set as native on every trunk link between these switches. A lot of times setting the Native VLAN does not matter on newer switches, but I have found that some Cisco Autonomous APs and very old switches require it to be set, so I feel it is best to keep it consistent, YMMV.

To check the current Native VLAN on IOS:
sh int InterfaceX/Y trunk

To check the current Native VLAN on CatOS:
sh trunk X/Y

On IOS, it's pretty easy to set the native VLAN; just enter the following command under the interface (where Z is the VLAN ID):
switchport trunk native vlan Z

On CatOS, it's not as obvious, but just as easy: you merely set the VLAN of the trunk port as if it were an access port:
set vlan Z X/Y

As I said before, it's not terribly necessary nowadays, but for consistency I recommend setting it to the same VLAN as the management interface of your end-user switches. No matter what you do, you must ensure that the Native VLAN matches on both sides of your 802.1q trunk, because otherwise two Cisco switches will detect the mismatch via CDP and will block the port until it's fixed. The following IOS command will show you a list of any such blocked ports:
show spanning-tree inconsistentports
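As an added example (not part of the original post), here is a small Python audit script that parses the first table of "show interfaces trunk" output captured from two switches and reports any 802.1q trunk pair whose Native VLANs differ, skipping ISL trunks for the reason given above. The two sample outputs and the port pairings are constructed for the example; the column layout is assumed to be the usual IOS one, and "dot1q"/"n-802.1q"/"n-isl" are accepted as encapsulation spellings.

```python
import re

# Constructed sample "show interfaces trunk" output from two switches joined by
# Gi0/1 <-> Gi0/1 (802.1q, native VLANs differ) and Gi0/2 <-> Gi0/2 (ISL).
SWITCH_A = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      99
Gi0/2       on               isl            trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       1-4094
"""
SWITCH_B = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/2       on               isl            trunking      99

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/2       1-4094
"""

# Port  Mode  Encapsulation  Status  Native-vlan (assumed IOS column order)
TRUNK_LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+((?:n-)?(?:802\.1q|dot1q|isl))\s+(\S+)\s+(\d+)\s*$", re.IGNORECASE)

def parse_trunks(show_output):
    """Return {port: (encapsulation, native_vlan)} for ports that are actually trunking."""
    trunks = {}
    for line in show_output.splitlines():
        m = TRUNK_LINE.match(line.strip())
        if m and m.group(4).lower() == "trunking":
            port, _mode, encap, _status, native = m.groups()
            trunks[port] = (encap.lower(), int(native))
    return trunks

def native_mismatches(local, remote, links):
    """links is a list of (local_port, remote_port) pairs describing the cabling.
    Returns (local_port, remote_port, reason) for each link that needs attention."""
    problems = []
    for lport, rport in links:
        if lport not in local or rport not in remote:
            problems.append((lport, rport, "not trunking on both sides"))
            continue
        (lencap, lnative), (rencap, rnative) = local[lport], remote[rport]
        if "isl" in lencap or "isl" in rencap:
            continue  # ISL encapsulates every frame, so Native VLAN has no meaning here
        if lnative != rnative:
            problems.append((lport, rport, f"native VLAN {lnative} != {rnative}"))
    return problems
```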