Posted by WGU-BSIT-Sec · 2 points · 3 months ago

Is this the correct way to "not use" VLAN 1?

interface GigabitEthernet1/0/1
 description NG port 1 Default
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description NG port 2 Vlans (Trunk)
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/8
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 description WIFI Vlans (trunk)
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk

27 comments
level 1

Sure, that's fine, but I'd also do this:

interface Vlan 1
 no ip address
 shut
!

level 2
CCNA, A+, Sec+, Onto MS Azure and Programming · 1 point · 3 months ago

Isn't vlan 1 as an interface what you need for remote configuration, not actual data movement?

level 3
CCNA · 2 points · 3 months ago

You can use any other vlan you want with an SVI to manage the switch, if you set it up correctly.

level 3

Remote configuration of what? It's a security requirement here that VLAN 1 is shut down on all our switches. It's admin down on every switch in our infrastructure.

level 4
CCNA, A+, Sec+, Onto MS Azure and Programming · 0 points · 3 months ago

It's the management VLAN for Telnet, SNMP and whatnot. But if you're not connecting remotely, yeah, you wouldn't need to have it up.

level 5

Not at all... we can SSH and get SNMP traps from all our devices with VLAN 1 disabled.

I mean we could use Vlan 1 for that but we have our Management Vlan configured to a different Vlan.

level 1
CCNP R&S · 2 points · 3 months ago

"switchport access" commands have no function or value if the port is configured for "switchport mode trunk".

Conversely, "switchport trunk" commands have no function or value if the port is configured for "switchport mode access".

level 2
WGU-BSIT-Sec (Original Poster) · 1 point · 3 months ago

Name: Gi1/0/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 2 (General)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 2,10,20
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

level 3
Now with more Cisco! · 1 point · 3 months ago

He's saying they don't make any functional difference, they are still added to the config.

Many people like to add both so that if things get swapped from trunk to access everything still works or is still secure.

level 1
Comment deleted · 3 months ago
level 2
Just 'cause it ain't in my flair doesn't mean I don't have certs · 3 points · 3 months ago

Native will not tag traffic for VLAN 2 if the native and the trunk VLAN are the same.

Uhh, what?

Native vlans don't tag. And the native vlan has to be listed in the trunk allowed list.

The "switchport access vlan 2" command is indeed superfluous on a trunk port though.

level 3
Comment deleted · 3 months ago
level 4
Just 'cause it ain't in my flair doesn't mean I don't have certs · 1 point · 3 months ago

The native VLAN does not have to be explicitly permitted in the allowed VLAN list.

Yes, it very much does.

SW1#
SW1#ping 10.1.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.2, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
SW1#ping 10.1.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/9/19 ms
SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#int g1/0
SW1(config-if)#switch trunk allow vlan add 2
SW1(config-if)#end
SW1#ping 10.1.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/26 ms
SW1#ping 10.1.3.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.3.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/9/14 ms

!
interface GigabitEthernet1/0
 switchport trunk allowed vlan 2,3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
 media-type rj45
 negotiation auto
end

interface Vlan2
 ip address 10.1.2.1 255.255.255.0

interface Vlan3
 ip address 10.1.3.1 255.255.255.0
end
level 5
Comment deleted · 3 months ago
level 6
Just 'cause it ain't in my flair doesn't mean I don't have certs · 2 points · 3 months ago

That if you don't have the native vlan in the allowed vlan list, shit doesn't work.

level 7
Comment deleted · 3 months ago
level 8
Just 'cause it ain't in my flair doesn't mean I don't have certs · 3 points · 3 months ago

You can post as many links as you like, be they from random people in the Cisco community forums or otherwise. (That link says nothing on the topic by the way).

If you define a native vlan, and that vlan is not in the "switch trunk allowed vlan" list, that vlan doesn't work. End of story. Go try it yourself if you don't believe it.

level 9
WGU-BSIT-Sec (Original Poster) · 1 point · 3 months ago

Yeah, I can 100% say that whatever VLAN you want to use, it has to be in the allowed VLAN list. I have tested the crap out of that today.

I'm still confused as to what the native VLAN is used for, and getting even more confused the more I read. Off to Google some videos.

level 10
Just 'cause it ain't in my flair doesn't mean I don't have certs · 1 point · 3 months ago

I'm still confused as to what the native VLAN is used for

It's simply used to handle the "default" untagged traffic on a subnet. You can have no native vlan if you so desire, either with a global command, or by setting the native vlan to some otherwise unused ID and not allowing that over the trunk.

level 9
Comment deleted · 2 months ago
level 10
Just 'cause it ain't in my flair doesn't mean I don't have certs · 1 point · 2 months ago

Yes, CDP, VTP, DTP, loop prevention, and some other stuff are always sent untagged, but they're port traffic, not VLAN traffic. This effectively makes them appear alongside the native VLAN traffic, but they're generated locally as control plane functions, and filtered by the switch at the other end. This is different from control plane functions like routing, which originate from an SVI. Those are effectively transmitted on the VLAN level, not the port level, and thus are blockable by the allowed VLAN list.

level 8
... · 1 point · 3 months ago

You need to explicitly allow the native VLAN over the trunk.

level 1
WGU-BSIT-Sec (Original Poster) · 1 point · 3 months ago

So it should look like this?

!
interface GigabitEthernet1/0/1
 description NG port 1 Default
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description NG port 2 Vlans (Trunk)
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk

level 2
CCNP R&S · 2 points · 3 months ago

I don't believe that "switchport nonegotiate" has any value when using "switchport mode access".

In order to not use VLAN 1, you should change the native VLAN on your trunk as well.

level 3
WGU-BSIT-Sec (Original Poster) · 1 point · 3 months ago

So on the access ports, what should the native VLAN be? And what should it be on the trunk ports? Do I need to make a VLAN 999 for the native access and a 998 for the native VLAN for the trunk?

level 4
CCNP|CCDP|CCNA-V|CMNA · 2 points · 3 months ago

Native VLAN is really only a thing on trunk ports. An access port only has 1 VLAN, so the access vlan and the native VLAN are the same.

level 4
CCNP R&S · 1 point · 3 months ago

It is not necessary to set a native VLAN on an access port.

Any time you see a command starting with "switchport trunk", that command is inactive (it does nothing) if the "switchport mode access" command is applied to the port.

"Switchport trunk" commands are only functional with "switchport mode trunk".
"Switchport access" commands are only functional with "switchport mode access".

Set aside a specific VLAN to be the native VLAN for all trunks. This VLAN should not be used for any other reason.

level 1
JNCIA-Junos | CCENT · 1 point · 3 months ago

switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 2

That is all you need to set the native VLAN to VLAN 2.

level 2
Just 'cause it ain't in my flair doesn't mean I don't have certs · 1 point · 3 months ago

Yes, but you also have to do a "switchport trunk allowed vlan remove 1" to remove it from the trunks.

And should do a "int vlan 1; shut" and probably "vlan 1; shut"

level 1
CCNA R&S, Sec+, Net+, A+ · 1 point · 3 months ago

As mentioned, you don't need switchport access commands on a manually configured trunk port, and vice versa.

If you're really trying to lock your layer 2 down, then you would ideally blackhole the native vlan altogether on your trunk ports and set it to a VLAN that doesn't exist.
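Added example (not code from any commenter, and not a Cisco tool): a small audit script that applies the rules this thread settles on to an IOS-style running config. It flags "switchport trunk" lines on access ports and "switchport access" lines on trunk ports as inert (the CCNP R&S replies), reports a native VLAN that also carries user traffic or that is not in the allowed list (the ping test above), checks that VLAN 1 is neither native nor allowed on a trunk and that interface Vlan1 is shut (the "remove 1" and "int vlan 1; shut" advice), and stays quiet about a native VLAN that is deliberately unused and not allowed (the blackhole suggestion). The config it parses is a constructed sample modelled on the OP's first two ports; the function names and finding strings are my own.

```python
# Added audit example, not code from this thread or any Cisco tool. It applies
# the rules the replies state to an IOS-style config: 'switchport trunk ...'
# lines are inert on an access port, 'switchport access ...' lines on a trunk
# port, the native VLAN only passes traffic when it is in the allowed list,
# VLAN 1 belongs on no trunk, and interface Vlan1 should be shut.
import re

ALL_VLANS = frozenset(range(1, 4095))  # a trunk allows every VLAN by default
# Constructed sample: the OP's first two ports plus cases for the other checks.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 switchport trunk allowed vlan remove 1
 switchport mode trunk
!
interface Vlan1
 no ip address
!
"""

def parse_vlan_list(spec):
    """Expand '2,10-12,20' into {2, 10, 11, 12, 20}."""
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def parse_interfaces(text):
    # {interface name: [command lines]}; '!' or 'end' closes a block
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("!", "end"):
            current = None
        elif line and current is not None:
            blocks[current].append(line)
    return blocks

def effective_port(lines):
    """Resolve what a port actually does; commands from the family that does
    not match the configured mode are reported under 'inert', not applied."""
    port = {"mode": None, "access": 1, "native": 1, "allowed": set(ALL_VLANS)}
    for line in lines:
        if line.startswith("switchport mode "):
            port["mode"] = line[len("switchport mode "):]
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            port["access"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            port["native"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan (?:(add|remove) )?(.+)", line):
            verb, spec = m.groups()
            if verb == "add":
                port["allowed"] |= parse_vlan_list(spec)
            elif verb == "remove":
                port["allowed"] -= parse_vlan_list(spec)
            else:
                port["allowed"] = parse_vlan_list(spec)
    other = {"access": "switchport trunk ", "trunk": "switchport access "}.get(port["mode"])
    port["inert"] = [l for l in lines if other and l.startswith(other)]
    return port

def audit(text):
    """Return '<interface>: <finding>' strings for everything worth fixing."""
    blocks = parse_interfaces(text)
    ports = {n: effective_port(c) for n, c in blocks.items() if not n.lower().startswith("vlan")}
    user_vlans = {p["access"] for p in ports.values() if p["mode"] == "access"}
    findings = []
    for name, p in ports.items():
        findings += [f"{name}: '{c}' is ignored in {p['mode']} mode" for c in p["inert"]]
        if p["mode"] is None:
            findings.append(f"{name}: no fixed switchport mode, trunking is left to DTP")
        elif p["mode"] == "access" and p["access"] == 1:
            findings.append(f"{name}: access port is in VLAN 1")
        elif p["mode"] == "trunk":
            if p["native"] == 1:
                findings.append(f"{name}: native VLAN is still 1")
            if 1 in p["allowed"]:
                findings.append(f"{name}: VLAN 1 is allowed on the trunk")
            if p["native"] in user_vlans:  # the goal is a dedicated, otherwise unused native VLAN
                how = "is also a user VLAN" if p["native"] in p["allowed"] else "is not in the allowed list, so its traffic is dropped"
                findings.append(f"{name}: native VLAN {p['native']} {how}")
    if "Vlan1" in blocks and "shutdown" not in blocks["Vlan1"]:
        findings.append("Vlan1: SVI is configured and not shut down")
    return findings
```

Run `audit(SAMPLE_CONFIG)` and you get five findings: the inert trunk line on Gi1/0/1, the inert access line plus "native VLAN 2 is also a user VLAN" on Gi1/0/2, "native VLAN is still 1" on Gi1/0/4 (its "remove 1" keeps VLAN 1 off the trunk but leaves it native), and the unshut Vlan1 SVI. Gi1/0/3 produces nothing, because a native VLAN that no port uses and that is not in the allowed list is exactly the blackholed native the last comment recommends. Feed it a real `show running-config` to check the rest of the ports the same way.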
