Before exploring the native VLAN tagging feature, we should first be aware of the security weakness that an untagged native VLAN introduces into a switched network.
In LAN switch environments the native VLAN is typically sent untagged on 802.1Q trunk ports, and that can be turned into a VLAN-hopping vulnerability. An attacker on a port in the native VLAN sends a double-tagged frame whose outer tag is the native VLAN and whose inner tag is the target VLAN: the first switch strips the outer tag as the frame leaves the untagged native VLAN on the trunk, and the next switch reads the now-exposed inner tag and forwards the frame into the target VLAN. It is therefore a best practice to explicitly tag the native VLAN (and, as a companion step, to use an otherwise unused VLAN ID as the native VLAN), which stops 802.1Q double-tagged packets from crossing VLANs.
Cisco IOS provides a tagging option for the native VLAN as well. Below is the topology used to explain the native VLAN tagging feature.
[Topology diagram: Native VLAN tagging (SW1 G1/0/33 <-> SW2 G1/0/23, 802.1Q trunk)]
To simulate the PC network we use loopbacks on the switches (1.1.1.1 on SW1 and 1.1.1.2 on SW2).
As we all know, on an 802.1Q trunk the native VLAN is VLAN 1 by default, which means traffic from VLAN 1 is sent out untagged.
---------------------
SW1#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
G1/0/33     on           802.1q         trunking      1

Port        Vlans allowed on trunk
G1/0/33     1-4093

Port        Vlans allowed and active in management domain
G1/0/33     1

Port        Vlans in spanning tree forwarding state and not pruned
G1/0/33     1
---------------------
SW2#sh int trunk
Port        Mode         Encapsulation  Status        Native vlan
G1/0/23     on           802.1q         trunking      1

Port        Vlans allowed on trunk
G1/0/23     1-4094

Port        Vlans allowed and active in management domain
G1/0/23     1-3,101,4094

Port        Vlans in spanning tree forwarding state and not pruned
G1/0/23     1-3,101,4094
---------------------
On both SW1 and SW2 the native VLAN is 1, so VLAN 1 traffic crosses the trunk untagged in both directions. A ping to 1.1.1.2 should therefore succeed. Let's verify that.
SW1#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
To enable native VLAN tagging there is a global command that applies native VLAN tagging to all trunk ports on the switch.
Configuration:
---------------------
SW1(config)#vlan dot1q tag native
---------------------
This CLI does two things:
1) It allows only tagged traffic in on the trunk port (untagged frames received on the trunk are dropped)
2) It tags the native VLAN, i.e. VLAN 1, traffic on egress
Now the ping should fail, because the other switch has not been told to tag the native VLAN: SW2 still sends its VLAN 1 echo reply untagged, and SW1, which now accepts only tagged frames on the trunk, drops it.
---------------------
SW1#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
---------------------
Let us capture on SW2 with Embedded Packet Capture ("monitor capture") and check whether the VLAN 1 traffic arrives tagged.
---------------------
SW1#ping 1.1.1.2 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
.
Success rate is 0 percent (0/1)
---------------------
SW2#show monitor capture test buffer brief | in ICMP
3 0.000029 1.1.1.1 -> 1.1.1.2 ICMP 118 Echo (ping) request id=0x0053, seq=0/0, ttl=254
SW2#show monitor capture test buffer detailed | be Frame 3:
Frame 3: 118 bytes on wire (944 bits), 118 bytes captured (944 bits) on interface 0
Interface id: 0 (/tmp/epc_ws/wif_to_ts_pipe)
Encapsulation type: Ethernet (1)
Arrival Time: Dec 13, 2018 22:10:42.329134000 IST
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1544719242.329134000 seconds
[Time delta from previous captured frame: 0.000013000 seconds]
[Time delta from previous displayed frame: 0.000013000 seconds]
[Time since reference or first frame: 0.000031000 seconds]
Frame Number: 3
Frame Length: 118 bytes (944 bits)
Capture Length: 118 bytes (944 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:vlan:ethertype:ip:icmp:data]
Ethernet II, Src: 00:00:00_00:11:11 (00:00:00:00:11:11), Dst: 00:00:00_00:22:22 (00:00:00:00:22:22)
Destination: 00:00:00_00:22:22 (00:00:00:00:22:22)
Address: 00:00:00_00:22:22 (00:00:00:00:22:22)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 00:00:00_00:11:11 (00:00:00:00:11:11)
Address: 00:00:00_00:11:11 (00:00:00:00:11:11)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 1
000. .... .... .... = Priority: Best Effort (default) (0)
...0 .... .... .... = CFI: Canonical (0)
.... 0000 0000 0001 = ID: 1
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 1.1.1.1, Dst: 1.1.1.2
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 100
Identification: 0x03b0 (944)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 254
Protocol: ICMP (1)
Header checksum: 0xb4e4 [validation disabled]
[Good: False]
[Bad: False]
Source: 1.1.1.1
Destination: 1.1.1.2
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0
Checksum: 0xbf36 [correct]
Identifier (BE): 83 (0x0053)
Identifier (LE): 21248 (0x5300)
Sequence number (BE): 0 (0x0000)
Sequence number (LE): 0 (0x0000)
Data (72 bytes)
---------------------
As you can see, the VLAN 1 traffic is now sent as 802.1Q tagged traffic (Type: 0x8100, ID: 1), and the echo request does reach SW2; it is the untagged reply from SW2 that SW1 refuses. If we want only some ports to have this behaviour and others to behave the default way, native VLAN tagging can be enabled or disabled per interface.
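The double-tagging attack that an untagged native VLAN enables, and the one-way failure seen in the ping above, can both be modelled at the frame level. The following Python is an added example and is not part of the original post. The MAC addresses 00:00:00:00:11:11 and 00:00:00:00:22:22 are taken from the capture; the attacker MAC, the payload, and the simplified switch model (an access port accepts a frame tagged with its own VLAN ID and strips that tag, a trunk with native tagging enabled tags native-VLAN frames on egress and drops untagged frames on ingress) are constructed assumptions.

```python
"""802.1Q trunk model: native VLAN untagged (default) vs 'vlan dot1q tag native'.

Added example, not code from the original post. The switch model is a
simplification (assumption): an access port accepts a frame tagged with its
own VLAN ID and strips that tag; a trunk with native tagging enabled tags
native-VLAN frames on egress and drops untagged frames on ingress.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

SW1_MAC = bytes.fromhex("000000001111")       # from the capture in the post
SW2_MAC = bytes.fromhex("000000002222")       # from the capture in the post
ATTACKER_MAC = bytes.fromhex("0200deadbeef")  # constructed
PAYLOAD = bytes(range(20))                    # constructed dummy payload


def build_frame(dst, src, vids, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame with one 802.1Q tag per entry in vids, outermost first."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)  # PCP 0, DEI 0
    return hdr + struct.pack("!H", ethertype) + payload


def outer_vid(frame):
    """VLAN ID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


def push_tag(frame, vid):
    """Insert an 802.1Q tag directly after the source MAC."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) + frame[12:]


def pop_tag(frame):
    """Remove the outermost 802.1Q tag."""
    return frame[:12] + frame[16:]


def access_ingress(frame, access_vlan):
    """Classify a frame from a host on an access port -> (vlan, frame) or None."""
    vid = outer_vid(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, pop_tag(frame)   # tag matching the port VLAN is stripped
    return None                              # any other tag is dropped


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Send a frame belonging to `vlan` out an 802.1Q trunk."""
    if vlan == native_vlan and not tag_native:
        return frame                         # default: native VLAN leaves untagged
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan, tag_native):
    """Classify a frame arriving on a trunk -> (vlan, frame) or None if dropped."""
    vid = outer_vid(frame)
    if vid is None:
        if tag_native:
            return None                      # 'vlan dot1q tag native': untagged dropped
        return native_vlan, frame
    return vid, pop_tag(frame)


def double_tag_attack(native_vlan, target_vlan, sw1_tags_native):
    """Attacker on an SW1 access port in the native VLAN sends a frame tagged
    [native_vlan, target_vlan]. Returns the VLAN SW2 delivers it into, or None."""
    frame = build_frame(SW2_MAC, ATTACKER_MAC, [native_vlan, target_vlan], PAYLOAD)
    classified = access_ingress(frame, native_vlan)
    if classified is None:
        return None
    vlan, frame = classified
    on_wire = trunk_egress(vlan, frame, native_vlan, sw1_tags_native)
    received = trunk_ingress(on_wire, native_vlan, tag_native=False)  # SW2 at defaults
    return None if received is None else received[0]


def ping_round_trip(native_vlan, sw1_tags_native, sw2_tags_native):
    """The post's ping over the trunk: echo request SW1 -> SW2, reply SW2 -> SW1.
    Returns (request_delivered, reply_delivered)."""
    req = build_frame(SW2_MAC, SW1_MAC, [], PAYLOAD)
    wire = trunk_egress(native_vlan, req, native_vlan, sw1_tags_native)
    if trunk_ingress(wire, native_vlan, sw2_tags_native) is None:
        return False, False
    rep = build_frame(SW1_MAC, SW2_MAC, [], PAYLOAD)
    wire = trunk_egress(native_vlan, rep, native_vlan, sw2_tags_native)
    return True, trunk_ingress(wire, native_vlan, sw1_tags_native) is not None


if __name__ == "__main__":
    print("double tag, native untagged :", double_tag_attack(1, 101, False))  # 101 (hop)
    print("double tag, native tagged   :", double_tag_attack(1, 101, True))   # 1 (no hop)
    print("ping, only SW1 tags native  :", ping_round_trip(1, True, False))   # (True, False)
    print("ping, both tag native       :", ping_round_trip(1, True, True))    # (True, True)
```

With the native VLAN untagged, the inner tag 101 is the first tag SW2 sees and the frame lands in VLAN 101; with tagging enabled on SW1 the frame carries tag 1 on the wire and the inner tag is just payload. The asymmetric case reproduces the post's result: the tagged request is accepted by SW2, the untagged reply is dropped by SW1.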
Now let's disable native VLAN tagging at the interface level so that reachability is restored.
Configuration:
---------------------
SW1(config)#int G1/0/33
SW1(config-if)#no switchport trunk native vlan tag
---------------------
Now the ping should definitely be successful.
---------------------
SW1#ping 1.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
---------------------
Verification:
Native VLAN tagging can be verified using two methods.
SW1#sh vlan dot1q tag native
dot1q native vlan tagging is enabled globally
Per Port Native Vlan Tagging State
----------------------------------
Port      Operational     Native VLAN
          Mode            Tagging State
-------------------------------------------
G1/0/33   trunk           disabled
SW1#sh int G1/0/33 switch
Name: G1/0/33
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Vepa Enabled: false
BONUS Points:
SW1#sh int G1/0/33 switch | in Administrative Native VLAN tagging
Administrative Native VLAN tagging: enabled
By default this field shows enabled even when the native VLAN tagging feature has not been enabled globally, so it must not be read as the operational state. The reason is that "switchport trunk native vlan tag" is the per-port default and is always present in show running-config all; the port only tags the native VLAN operationally when the global "vlan dot1q tag native" command is configured as well and the port-level command has not been negated. For the operational state, rely on show vlan dot1q tag native, whose per-port "Native VLAN Tagging State" column reflects the combination of both.
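An audit that follows the verification advice above, reading the operational column of show vlan dot1q tag native rather than the misleading "Administrative Native VLAN tagging" field, can be scripted. The following Python is an added example, not code from the original post. The sample text is constructed from the show output shown on this page; the extra ports G1/0/34 and G1/0/35 are invented to exercise the parser.

```python
"""Audit native VLAN tagging from Cisco IOS show output.

Added example, not from the original post. The sample text is constructed
from the post's 'show vlan dot1q tag native' and 'show interfaces switchport'
output; ports G1/0/34 and G1/0/35 are invented to exercise the parser.
"""
import re

SAMPLE_TAG_NATIVE = """\
dot1q native vlan tagging is enabled globally
Per Port Native Vlan Tagging State
----------------------------------
Port      Operational     Native VLAN
          Mode            Tagging State
-------------------------------------------
G1/0/33   trunk           disabled
G1/0/34   trunk           enabled
G1/0/35   access          disabled
"""

SAMPLE_SWITCHPORT_G33 = """\
Name: G1/0/33
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
"""

GLOBAL_RE = re.compile(r"dot1q native vlan tagging is (enabled|disabled) globally")
PORT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(enabled|disabled)\s*$")
ADMIN_RE = re.compile(r"^Administrative Native VLAN tagging:\s*(enabled|disabled)", re.M)
NATIVE_RE = re.compile(r"^Trunking Native Mode VLAN:\s*(\d+)", re.M)


def parse_tag_native(text):
    """-> (global_enabled, {port: (operational_mode, operationally_tagging)})."""
    m = GLOBAL_RE.search(text)
    if m is None:
        raise ValueError("global tagging state line not found")
    ports = {}
    for line in text.splitlines():
        pm = PORT_RE.match(line.strip())  # header lines end in 'VLAN'/'State', so they do not match
        if pm:
            ports[pm.group(1)] = (pm.group(2).lower(), pm.group(3) == "enabled")
    return m.group(1) == "enabled", ports


def trunks_with_untagged_native(text):
    """Trunk ports whose native VLAN leaves untagged, i.e. exposed to double tagging.
    A port only tags operationally when the global command AND the port state agree."""
    global_on, ports = parse_tag_native(text)
    return sorted(p for p, (mode, tagging) in ports.items()
                  if mode == "trunk" and not (global_on and tagging))


def admin_tagging(switchport_text):
    """The 'Administrative Native VLAN tagging' field. This is the per-port default
    (present in show run all) and NOT the operational state, so do not audit on it."""
    m = ADMIN_RE.search(switchport_text)
    return m is not None and m.group(1) == "enabled"


def native_vlan(switchport_text):
    """Configured native VLAN of the trunk, or None if the line is absent."""
    m = NATIVE_RE.search(switchport_text)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    print("trunks with untagged native VLAN:", trunks_with_untagged_native(SAMPLE_TAG_NATIVE))
    print("G1/0/33 admin field says enabled:", admin_tagging(SAMPLE_SWITCHPORT_G33))
    print("G1/0/33 native VLAN:", native_vlan(SAMPLE_SWITCHPORT_G33))
```

For G1/0/33 the administrative field reports enabled while the operational column reports disabled, which is exactly the discrepancy the bonus note describes; the audit flags the port because it trusts only the operational state.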