
[–]Shadowdane 1 point2 points  (5 children)

Sure that's fine.. but I'd also do this:

interface Vlan 1
 no ip address
 shut
!

[–]Cynicbats 0 points1 point  (4 children)

Isn't vlan 1 as an interface what you need for remote configuration, not actual data movement?

[–]Dawk1920CCNA 1 point2 points  (0 children)

You can use any other vlan you want with an SVI to manage the switch, if you set it up correctly.

[–]Shadowdane 0 points1 point  (2 children)

Remote configuration of what? It's a security requirement here that Vlan 1 is shutdown on all our switches. It's admin down on every switch in our infrastructure.

[–]Cynicbats -1 points0 points  (1 child)

It's the management VLAN for Telnet, SNMP and whatnot. But if you're not connecting remotely, yeah, you wouldn't need to have it up.

[–]Shadowdane 0 points1 point  (0 children)

Not at all.. we can SSH and get SNMP traps from all our devices with Vlan 1 disabled.

I mean we could use Vlan 1 for that but we have our Management Vlan configured to a different Vlan.

[–]shortstop20CCNP R&S 1 point2 points  (3 children)

"switchport access" commands have no function or value if the port is configured for "switchport mode trunk".

Conversely, "switchport trunk" commands have no function or value if the port is configured for "switchport mode access".

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (2 children)

Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 2 (General)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 2,10,20
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

[–]zanfarCCENT 0 points1 point  (0 children)

He's saying they don't make any functional difference; they are still added to the config.

Many people like to add both so that if things get swapped from trunk to access everything still works or is still secure.

[–]Cb3dwa 0 points1 point  (12 children)

Not sure of the question. VLAN 1 will always be the default VLAN.

Some of the config is messed up, access and trunk on same interface.

Native will not tag traffic for VLAN 2 if the native and the trunk VLAN are the same.

[–]a_cute_epic_axisJust 'cause it ain't in my flair doesn't mean I don't have certs 3 points4 points  (11 children)

Native will not tag traffic for VLAN 2 if the native and the trunk VLAN are the same.

Uhh, what?

Native vlans don't tag. And the native vlan has to be listed in the trunk allowed list.

The "switchport access vlan 2" command is indeed superfluous on a trunk port though.

[–]Cb3dwa -3 points-2 points  (10 children)

Think that's what I said, just in a different way lol

The native VLAN does not have to be explicitly permitted in the allowed VLAN list.

[–]a_cute_epic_axisJust 'cause it ain't in my flair doesn't mean I don't have certs 0 points1 point  (9 children)

The native VLAN does not have to be explicitly permitted in the allowed VLAN list.

Yes, it very much does.

SW1#
SW1#ping 10.1.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.2, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
SW1#ping 10.1.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/9/19 ms
SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int g1/0
SW1(config-if)#switch trunk allow vlan add 2
SW1(config-if)#end
SW1#ping 10.1.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/26 ms
SW1#ping 10.1.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/9/14 ms
!
interface GigabitEthernet1/0
 switchport trunk allowed vlan 2,3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
 media-type rj45
 negotiation auto
end

interface Vlan2
 ip address 10.1.2.1 255.255.255.0

interface Vlan3
 ip address 10.1.3.1 255.255.255.0
end

[–]Cb3dwa -3 points-2 points  (8 children)

What's that showing ?

[–]a_cute_epic_axisJust 'cause it ain't in my flair doesn't mean I don't have certs 1 point2 points  (7 children)

That if you don't have the native vlan in the allowed vlan list, shit doesn't work.

[–]Cb3dwa -3 points-2 points  (6 children)

[–]a_cute_epic_axisJust 'cause it ain't in my flair doesn't mean I don't have certs 2 points3 points  (4 children)

You can post as many links as you like, be they from random people in the Cisco community forums or otherwise. (That link says nothing on the topic by the way).

If you define a native vlan, and that vlan is not in the "switch trunk allowed vlan" list, that vlan doesn't work. End of story. Go try it yourself if you don't believe it.

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (3 children)

Yeah, I can 100% say that whatever vlan you want to use, it has to be in the allowed vlan list. I have tested the crap out of that today.

I'm still confused as to what the native vlan is used for, and getting even more confused the more I read. Off to google some videos.

[–]a_cute_epic_axisJust 'cause it ain't in my flair doesn't mean I don't have certs 0 points1 point  (2 children)

I'm still confused as to what the native vlan is used for

It's simply used to handle the "default" untagged traffic on a subnet. You can have no native vlan if you so desire, either with a global command, or by setting the native vlan to some otherwise unused ID and not allowing that over the trunk.

[–]idkyou1 0 points1 point  (0 children)

You need to explicitly allow the native vlan over the trunk.

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (4 children)

So it should look like this?

!
interface GigabitEthernet1/0/1
 description NG port 1 Default
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description NG port 2 Vlans (Trunk)
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk

[–]shortstop20CCNP R&S 1 point2 points  (3 children)

I don't believe that "switchport nonegotiate" has any value when using "switchport mode access".

In order to not use VLAN 1, you should change the native VLAN on your trunk as well.

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (2 children)

So on the access ports, what should the native vlan be? And what should it be on the trunk ports? Do I need to make a vlan 999 for the native access and a 998 for the native vlan for the trunk?

[–]chuckbalesCCNP|CCDP|CCNA-V|CMNA 1 point2 points  (0 children)

Native VLAN is really only a thing on trunk ports. An access port only has 1 VLAN, so the access vlan and the native VLAN are the same.

[–]shortstop20CCNP R&S 0 points1 point  (0 children)

It is not necessary to set a native VLAN on an access port.

Anytime you see a command starting with "switchport trunk", that command is inactive (it does nothing) if the "switchport mode access" command is applied to the port.

"Switchport trunk" commands are only functional with "switchport mode trunk".
"Switchport access" commands are only functional with "switchport mode access".

Set aside a specific VLAN to be the native VLAN for all trunks. This VLAN should not be used for any other reason.

[–]CannibalAngelJNCIA-Junos | CCENT 0 points1 point  (1 child)

Switchport trunk encapsulation dot1q
Switchport mode trunk
Switchport trunk native vlan 2

That is all you need to set the native vlan to vlan 2.

[–]a_cute_epic_axisJust 'cause it ain't in my flair doesn't mean I don't have certs 0 points1 point  (0 children)

Yes, but you also have to do a "switchport trunk allowed vlan remove 1" to remove it from the trunks.

And should do a "int vlan 1; shut" and probably "vlan 1; shut"

[–]pcd84CCNA R&S, Sec+, Net+, A+ 0 points1 point  (0 children)

As mentioned, you don't need switchport access commands on a manually configured trunk port, and vice versa.

If you're really trying to lock your layer 2 down, then you would ideally blackhole the native vlan altogether on your trunk ports and set it to a VLAN that doesn't exist.
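As an added example (not code from anyone in this thread), a small Python audit of a Cisco IOS running-config that checks the points made above: the native VLAN must appear in the trunk's allowed list (a_cute_epic_axis's lab), "switchport access"/"switchport trunk" commands are inactive in the other mode (shortstop20), and VLAN 1 should be removed from trunks and the Vlan1 SVI shut down. The sample config, function names and finding strings are constructed here; it assumes running-config format with one-space-indented stanzas, as pasted in the thread.

```python
# Constructed sample running-config (not the poster's real switch), seeded with
# the mistakes the thread discusses so that each check below fires at least once.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport trunk allowed vlan 1,10,20
 switchport trunk native vlan 2
 switchport mode trunk
!
interface Vlan1
 no ip address
"""

def parse_interfaces(cfg):
    # Map each 'interface X' stanza to the list of its indented sub-commands.
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = []
        elif cur and line.startswith(" "):  # indented lines belong to the open stanza
            ifaces[cur].append(line.strip())
    return ifaces

def expand_vlans(spec):
    # Expand an IOS VLAN list such as '2,10-12' into a set of VLAN IDs.
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def audit(cfg):
    # Return (interface, finding) pairs for the layer-2 issues the thread raises.
    out = []
    for name, cmds in parse_interfaces(cfg).items():
        opt = dict(c.rsplit(" ", 1) for c in cmds if " " in c)  # last token is the value
        mode = opt.get("switchport mode")
        if name == "Vlan1" and "shutdown" not in cmds:
            out.append((name, "Vlan1 SVI is not shut down"))
        other = {"access": "trunk", "trunk": "access"}.get(mode)
        if other and any(c.startswith(f"switchport {other} ") for c in cmds):
            out.append((name, f"inactive 'switchport {other}' command on {mode} port"))
        if mode != "trunk":
            continue
        allowed = expand_vlans(opt.get("switchport trunk allowed vlan", "1-4094"))  # IOS default: all
        native = int(opt.get("switchport trunk native vlan", 1))  # IOS default: VLAN 1
        if 1 in allowed:
            out.append((name, "VLAN 1 still allowed on trunk"))
        if native not in allowed:
            out.append((name, f"native VLAN {native} not in allowed list, so it will not pass"))
    return out
```

Run it against `show running-config` output saved to a file to get the same four findings the sample produces; a trunk that allows its native VLAN and excludes VLAN 1 yields none.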