[c-nsp] STP, native VLAN and trunks

Christian Zeng christian at zengl.net
Wed Dec 14 03:23:55 EST 2005


Hi,

* McLean Pickett wrote on 13.12.2005 19:34:
> The native vlan on a trunk port should be allowed on trunk for CDP and
> other protocols to function. Typically native vlan's are left as vlan 1
> which is not used anywhere else. In recent versions of code Cisco has
> introduced features that mitigate the risk of having vlan 1 trunked all
> over your layer 2 network.

This little test shows that CDP makes its way even if I do not allow the 
native VLAN:

B#sh cdp nei
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                   S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID            Local Intrfce         Holdtme   Capability 
Platform   Port ID
A                    Gig 0/11              143            R S 
WS-C4503  Gig 2/5

B#sh run int Gi0/11

interface GigabitEthernet0/11
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 840
  switchport trunk allowed vlan 800
  switchport mode trunk
end

The same can be seen on switch A.

> Native VLAN's need to be the same on both ends and they need to be
> allowed over the trunk. Production VLAN's should not be used as the
> native vlan on a trunk.

Yes, I'm aware of this, except the "allow native VLAN" part.

Until now, I configured trunking at switches (mainly in security 
environments) like above; however, in these environments the use of any 
non-static feature (CDP, VTP etc.) and common resources (VLAN 1 etc.) is 
considered evil(tm). It is likely that I did not run into any problems 
by having the native VLAN not allowed, because we simply do not need 
most of these features or they are implemented very restrictively.

Maybe I misunderstood Cisco's "switchport trunk allowed vlan" command. I 
thought that by having the native VLAN defined with "sw trunk native 
vlan", the native VLAN is then used and does not need an explicit 
allowance with "allowed vlan", because the native VLAN covers untagged 
traffic on the trunk, and that "allowed vlan" is there for any other 
VLAN. CCO search and a look into the command reference were not helpful.

> STP re-calcs on the native VLAN should not interrupt traffic on the
> production VLAN's. However, if you are not allowing the native VLAN on a
> 802.1q trunk your results may vary since the BDPU's for the native VLAN
> are not being passed.

Yesterday the result of the discussion was that no one could definitely 
reason why this either will or will not have an effect on production VLANs.

When using dedicated and different native VLANs for every trunk and not 
allowing these VLANs on the trunks, the switch cannot forward BPDUs for 
these VLANs, because it will not run STP on that VLAN and there are no 
BPDUs created to forward...

I think that evaluating this in the test lab would give me final answers.

Thanks,

Christian
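As an added example (not part of the original post or the thread), the following Python script audits an IOS-style running configuration for the conditions discussed above: trunk ports whose native VLAN is not in their "allowed vlan" list, trunks left on the default native VLAN 1, and trunks whose native VLAN is one of a constructed set of production VLANs. The sample configuration is constructed for the example; its first interface mirrors the one shown in the post, the others are invented. Only the plain "switchport trunk allowed vlan <list>" form is parsed; the "add", "remove", "except", "all" and "none" variants are out of scope here.

```python
import re

# Constructed sample configuration: Gi0/11 mirrors the interface from the
# post; Gi0/12-14 are invented to exercise the other checks.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 840
 switchport trunk allowed vlan 800
 switchport mode trunk
!
interface GigabitEthernet0/12
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 841
 switchport trunk allowed vlan 800,841,900-910
 switchport mode trunk
!
interface GigabitEthernet0/13
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,800
 switchport mode trunk
!
interface GigabitEthernet0/14
 switchport access vlan 800
 switchport mode access
!
"""

# Constructed set of "production" VLANs that must never serve as native VLAN.
PRODUCTION_VLANS = {800, 900, 901}


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,800,900-910' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} per interface block."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            # '!' or any non-indented line ends the current block
            current = None
    return interfaces


def audit_trunks(config, production_vlans=PRODUCTION_VLANS):
    """Return a list of (interface, finding) tuples for trunk ports."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue  # only trunk ports are of interest here
        native = 1        # IOS default native VLAN when none is configured
        allowed = None    # None means no allowed-list configured (all VLANs)
        for line in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", line)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)
            if m:
                allowed = expand_vlan_list(m.group(1))
        if native == 1:
            findings.append((name, "native VLAN is the default VLAN 1"))
        if native in production_vlans:
            findings.append((name, f"native VLAN {native} is a production VLAN"))
        if allowed is not None and native not in allowed:
            findings.append((name, f"native VLAN {native} is not in the allowed list"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_trunks(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Run against the sample, the script reports Gi0/11 (native VLAN 840 not in the allowed list, exactly the configuration under discussion) and Gi0/13 (no native VLAN configured, so the default VLAN 1 applies). Whether the first condition is a problem on a given platform is the open question of the thread; the check only surfaces it so it can be reviewed deliberately rather than discovered by accident. Pairing the output of both ends of a trunk would additionally let you verify that native VLANs match, which the parser above does not attempt.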

