As a reminder, a trunk is a link intended to convey the traffic of several vlans. Since a standard Ethernet frame does not have information about the vlan from which it originates, it is necessary to add this information via a protocol. 

In the case of dot1q (IEEE 802.1q standard protocol), a tag is inserted between the source MAC address field and the Type / Length field of the frame: 

Dot1q frame
Dot1q frame


As the diagram shows, the dot1q tag contains several information:
  • A protocol identifier (2 bytes)
  • 3 bits to indicate priority (used for QoS features at the frame level).
  • CFI: 1 bit used to guarantee compatibility between ethernet and token-ring frames (this bit is always 0 for an ethernet frame).
  • The identifier of the vlan, encoded on 12 bits (values ​​ranging from 0 to 4096, some of which are not used)
When a frame is transmitted by a trunk interface, it is marked with a tag dot1q containing the identifier of the vlan to which it belongs, this of course allowing the equipment that receives it to replace it in the appropriate vlan . 
 Native vlan ... why?
Some frames carried on a trunk are not marked with a dot1q tag. Then you have to be able to place them somewhere. This is where the native vlan comes in.
The native vlan is the vlan in which dot1q untagged frames are conveyed. So if a switch receives on a trunk interface a standard ethernet frame, it will place it in this native vlan, in a way, a default vlan (marking).
On Cisco devices, some protocols such as CDP or DTP are transported in untagged frames and thus in the native vlan.
Secure the native vlan ...
It is important to be concerned about the native vlan for several reasons:
  • It is preferable not to convey protocol frames such as CDP, DTP etc in the same vlan as data. Thus, a user is prevented from capturing traffic or, worse still, from generating false CDP or DTP messages, among other things, with the aim of diverting the operation of the network.
  • The fact that a vlan vehicle of untagged frames makes it possible to put in place attacks of the "vlan-hopping" type, the purpose of which is to artificially send traffic to a vlan where the emitting machine is not located and this By adding fake dot1q tags, this is the principle of "double tagging". We generate a frame with two dot1q tags, on arrival on the port, the switch gets rid of the first, but processes the 2nd tag and places the frame in the vlan that is filled in.
To remedy this, there are two main techniques:
  • Changing the value of the native vlan (by default, on a Cisco switch, vlan 1 is the native vlan).
  • Force tagging of all vlans, including the native vlan.
Topology



So here we have two switches, each with machines connected in vlans 10 and 20. The link between them will be configured in trunk dot1Q.
Basic configuration of switches (vlans, trunks, ...)
About 3560-1 ... 

 3560-1 # configure terminal
 
 !  Creation of vlans
 3560-1 (config) #vlan 10,20
 3560-1 (config-vlan) #exit
 
 !  Placing interfaces in the vlan 10
 3560-1 (config) #interface range fastEthernet 0 / 1-12
 3560-1 (config-if-range) #switchport mode access
 3560-1 (config-if-range) #switchport access vlan 10
 3560-1 (config-if-range) #exit
 
 !  Placement of interfaces in the vlan 20
 3560-1 (config) #interface range fastEthernet 0 / 13-24
 3560-1 (config-if-range) #switchport mode access
 3560-1 (config-if-range) #switchport access vlan 20
 3560-1 (config-if-range) #exit
 
 !  Basic configuration of trunk to 3560-2
 3560-1 (config) #interface gigabitEthernet 0/1
 3560-1 (config-if) #switchport trunk encapsulation dot1q
 3560-1 (config-if) #switchport mode trunk
 3560-1 (config-if) #exit
 3560-1 (config) # 

About 3560-2 ... 

 3560-2 # configure terminal
 
 !  Creation of vlans
 3560-2 (config) #vlan 10,20
 3560-2 (config-vlan) #exit
 
 !  Placing interfaces in the vlan 10
 3560-2 (config) #interface range fastEthernet 0 / 1-12
 3560-2 (config-if-range) #switchport mode access
 3560-2 (config-if-range) #switchport access vlan 10
 3560-2 (config-if-range) #exit
 
 !  Placement of interfaces in the vlan 20
 3560-2 (config) #interface range fastEthernet 0 / 13-24
 3560-2 (config-if-range) #switchport mode access
 3560-2 (config-if-range) #switchport access vlan 20
 3560-2 (config-if-range) #exit
 
 !  Basic configuration of trunk to 3560-1
 3560-2 (config) #interface gigabitEthernet 0/1
 3560-2 (config-if) #switchport trunk encapsulation dot1q
 3560-2 (config-if) #switchport mode trunk
 3560-2 (config-if) #exit
 3560-2 (config) # 

Checking ...
Verifications of vlans ... 

3560-1 # show vlan brief
 
 VLAN Name Status Ports
 ---- -------------------------------- --------- ----- --------------------------
 1 default active Gi0 / 2
 10 VLAN0010 active Fa0 / 1, Fa0 / 2, Fa0 / 3, Fa0 / 4
                                                 Fa0 / 5, Fa0 / 6, Fa0 / 7, Fa0 / 8
                                                 Fa0 / 9, Fa0 / 10, Fa0 / 11, Fa0 / 12
 20 VLAN0020 active Fa0 / 13, Fa0 / 14, Fa0 / 15, Fa0 / 16
                                                 Fa0 / 17, Fa0 / 18, Fa0 / 19, Fa0 / 20
                                                 Fa0 / 21, Fa0 / 22, Fa0 / 23, Fa0 / 24
 1002 fddi-default act / unsup
 1003 token-ring-default act / unsup
 1004 fddinet-default act / unsup
 1005 trnet-default act / unsup
 2960-1 # 

The interfaces are in good vlans, the G0 / 1 does not appear since it is a trunk. Only the G0 / 2 remains in the default vlan 1 (note that this is not a good practice, it would be better to place it in a vlan dedicated to unused interfaces).

 3560-1#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20
3560-1#

The G0 / 1 interface is in trunking mode, by default all active vlans are conveyed on it

3560-1 # show interfaces gigabitEthernet 0/1 switchport
 Name: Gi0 / 1
 Switchport: Enabled
 Administrative Mode: trunk
 Operational Mode: trunk
 Administrative Trunking Encapsulation: dot1q
 Operational Trunking Encapsulation: dot1q
 Negotiation of Trunking: On
 Access VLAN Mode: 1 (default)
 Trunking Native Mode VLAN: 1 (default)
 Administrative Native VLAN tagging: disabled
 Voice VLAN: none
 Administrative private-vlan host-association: none
 Administrative private-vlan mapping: none
 Administrative private-vlan trunk native VLAN: none
 Native VLAN tagging: enabled
 Administrative private-vlan trunk encapsulation: dot1q
 Administrative private-vlan trunk normal VLANs: none
 Administrative private-vlan trunk associations: none
 Administrative private-vlan trunk mappings: none
 Operational private-vlan: none
 Trunking VLANs Enabled: ALL
 Pruning VLANs Enabled: 2-1001
 Capture Mode Disabled
 Capture VLANs Allowed: ALL
 
 Protected: false
 Unknown unicast blocked: disabled
 Unknown multicast blocked: disabled
 Appliance Trust: none
 3560-1 # 


The command "show interface g0 / 1 switchport" gives us information about native vlan etc. The native vlan is the vlan 1 (default) and the native vlan tagging is not enabled.
Securing the native vlan ...
The first good practice is therefore to modify the value of the native vlan on the trunk. However, we must be vigilant ...
  • It is strongly advised to use an "empty" vlan as native vlan, without interface connected in etc.
  • The native vlan must be identical to the two ends of the trunk, otherwise one would induce a multitude of problems ... such as the fact that frames would pass from one vlan to another, but also problems of convergence Spanning-Tree and thus formation Loop at the switching of the frames.
About 3560-1 ... 

3560-1 # configure terminal
 
 !  Creating a new specific vlan
 3560-1 (config) #vlan 999
 3560-1 (config-vlan) #name NATIVE
 3560-1 (config-vlan) #exit
 
 !  Configuring the Trunk Native Clan
 3560-1 (config) #interface gigabitEthernet 0/1
 3560-1 (config-if) #switchport trunk native vlan 999
 3560-1 (config-if) #
 
 !  STP and CDP are not particularly content ... The first detects an inconsistency 
  !  Between the BPDUs that exchange between the two switches ... And on its side CDP detects 
  !  The difference of native vlan and express it ...
 * Mar 1 02: 58: 07.094:% SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet0 / 1 VLAN999.
 * Mar 1 02: 58: 07.094:% SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet0 / 1 on VLAN0001.  Inconsistent peer vlan.
 * Mar 1 02: 58: 07.094:% SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0 / 1 on VLAN0999.  Inconsistent local vlan.
 * Mar 1 02: 58: 07.103:% LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Native VLAN mismatch discovered on GigabitEthernet0 / 1 (999), with 3560-2 GigabitEthernet0 / 1 (1).

About 3560-2 ...

 3560-2 # configure terminal
 
 !  Creation of the specific clan
 3560-2 (config) #vlan 999
 3560-2 (config-vlan) #name NATIVE
 3560-2 (config-vlan) #exit
 
 !  Configuring the vlan 99 on trunk
 3560-2 (config) #interface gigabitEthernet 0/1
 3560-2 (config-if) #switchport trunk native vlan 999
 3560-2 (config-if) #end
 3560-2 #
 
 !  Everything goes in order for STP now that the native vlan is identical on both sides of the link
 * Mar 1 03: 04: 25.236:% SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0 / 1 on VLAN0999.  Port consistency restored.
 * Mar 1 03: 04: 25.236:% SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0 / 1 on VLAN0001.  Port consistency restored.
 
Forcing the tagging of the native vlan ...
About 3560-1 ... 

3560-1(config)#vlan dot1q tag native

About 3560-2 ... 

3560-2(config)#vlan dot1q tag native

Checking ... 

 3560-1 # show interfaces gigabitEthernet 0/1 switchport
 Name: Gi0 / 1
 Switchport: Enabled
 Administrative Mode: trunk
 Operational Mode: trunk
 Administrative Trunking Encapsulation: dot1q
 Operational Trunking Encapsulation: dot1q
 Negotiation of Trunking: On
 Access VLAN Mode: 1 (default)
 Trunking Native Mode VLAN: 999 (NATIVE)
 Administrative Native VLAN tagging: enabled
 Voice VLAN: none
 Administrative private-vlan host-association: none
 Administrative private-vlan mapping: none
 Administrative private-vlan trunk native VLAN: none
 Native VLAN tagging: enabled
 Administrative private-vlan trunk encapsulation: dot1q
 Administrative private-vlan trunk normal VLANs: none
 Administrative private-vlan trunk associations: none
 Administrative private-vlan trunk mappings: none
 Operational private-vlan: none
 Trunking VLANs Enabled: ALL
 Pruning VLANs Enabled: 2-1001
 Capture Mode Disabled
 Capture VLANs Allowed: ALL
 
 Protected: false
 Unknown unicast blocked: disabled
 Unknown multicast blocked: disabled
 Appliance trust: none
 3560-1 # 


We can see that the native vlan is now the vlan 999 and that in addition it is now tagged.

 
Top