Native VLAN mismatch on Cisco 2950

Discussion in 'Cisco' started by bavien, Aug 9, 2007.

  1. bavien (Guest)

    Little back ground:

    Currently we have a Cisco 3750 and a couple of Cisco 2950 switches.
    Only one VLAN on the whole network and that is the default VLAN 1 out
    of the box. I want to create an additional VLAN for management so that
    in the end there will be two VLANs, one for management and one for
    user. My questions are:

    1. Is there any benefit/reason to using VLAN 1 for management and creating
    another VLAN for users, compared to using VLAN 1 for users and creating
    another VLAN for management?

    2. I did some tests and set all the ports on one of the 2950s to VLAN
    10. Configured fa0/24 on the 2950 for trunking to the Cisco 3750. Got a
    Native VLAN mismatch warning when issuing "show interface trunk" on
    the 2950. Does this message indicate something is wrong, or can we
    have a mismatched native VLAN?


    bavien, Aug 9, 2007

  2. If you are using dot1q as the trunking protocol (most common), you also
    need to configure the same native VLAN on both ends of the trunk, as the
    packets of that VLAN are sent untagged. Use the interface config command
    "switchport trunk native vlan vlan-nr" to change the native VLAN on
    one or both sides. This is probably the cause of the native VLAN
    mismatch you are experiencing.
    And yes, it can be good practice to separate the management and user
    VLANs, though it's not a requirement.
    Leander de Graaf, Aug 10, 2007

  3. Arthur Brain (Guest)

    You can have it.

    It just means that, on the trunk between them, your 3750 is treating
    un-tagged frames as though they were VLAN 1, and your 2950 is treating
    un-tagged frames as VLAN 10.

    Basically a sign of poor design, but not *necessarily* of any problem.
    Arthur Brain, Aug 10, 2007
  4. Scott Perry (Guest)

    There is a benefit: what is the one VLAN that you cannot delete or remove
    and will therefore always be there? VLAN 1.
    The books and prudence suggest making VLAN 1 the management VLAN and putting
    your network device management IP addresses there. Laziness says that it
    is easier to leave all switchports in VLAN 1 for the users and workstations and
    to just move the management IP address ports to the other VLAN.
    If you are going to separate them, make VLAN 1 your network
    administration VLAN and move the users to another VLAN.


    Scott Perry
    Indianapolis, Indiana
    Scott Perry, Aug 10, 2007
  5. This is a bad idea. It's also bad practice on a number of fronts,
    ranging from security and node trust to in-band vs. out-of-band management:

    In particular, from a security perspective, not addressing the native
    VLAN 1 issue opens you up to a VLAN hopping attack.

    Change your native VLAN to something other than 1 (as it's the default
    fugettaboutit, Aug 10, 2007
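    Added example, not posted by anyone in this thread: the mismatched trunk
    the thread describes, and beside it a corrected pair of configurations
    that follow the advice above (same native VLAN on both ends of the dot1q
    trunk, and not VLAN 1). The port names, the user/management VLAN numbers
    10 and 20, and the dedicated unused native VLAN 999 are assumptions; the
    global "vlan" command assumes a 2950 image new enough to support it
    (older images use "vlan database").

```cisco
! --- Mismatched (the situation in the thread) ---
! 3750 leaves the native VLAN at its default of 1, the 2950 sets it to 10.
! A frame that leaves the 3750 untagged (VLAN 1) is placed in VLAN 10 by
! the 2950, and vice versa, which is why a VLAN 1 PC on the 2950 could not
! reach VLAN 1 hosts on the 3750.
!
! 3750 (port name assumed)
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! no "switchport trunk native vlan" line, so the native VLAN is 1
!
! 2950
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 10
!
! CDP reports this on both switches, as
! %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on <local port> (1), with <neighbor> <remote port> (10).
!
! --- Corrected ---
! Both ends use the same native VLAN, and that VLAN (999, assumed) has no
! access ports anywhere, so no host legitimately sends untagged frames
! across the trunk. The trunk only carries the VLANs that need to cross it,
! and DTP is turned off so the far side cannot talk the port into a
! different mode.
!
! 3750
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,999
 switchport mode trunk
 switchport nonegotiate
!
! 2950 (dot1q is its only trunk encapsulation, so there is no encapsulation command)
vlan 999
 name NATIVE-UNUSED
!
interface FastEthernet0/24
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,999
 switchport mode trunk
 switchport nonegotiate
!
! User-facing ports are pinned to access mode; an access port does not
! negotiate trunking, so a host cannot turn its port into a trunk.
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
```

    After the change, compare the "Native vlan" column of "show interfaces
    trunk" on both switches; the CDP mismatch messages stop once the two
    agree. Because VLAN 999 contains no hosts, an untagged frame injected on
    the trunk (the double-tagging trick behind the VLAN hopping attack
    mentioned above) ends up in a VLAN where there is nothing to reach.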
  6. KDawg44 (Guest)

    When you say separate management traffic, what traffic do you refer to
    exactly? We are in a small network that has one firewall, one network
    switch, and a couple servers. How would this benefit this particular
    network and what traffic should I segregate?

    KDawg44, Aug 10, 2007
  7. Arthur Brain (Guest)

    Actually, I was just playing with an old 3548 switch, patched to a
    trunk port on a 3750, and the 3548 was actually disabling ports where a
    VLAN mismatch was detected.
    Arthur Brain, Aug 11, 2007
  8. bavien (Guest)

    On the 2950 with all ports in VLAN 10, I changed port 1 to access mode,
    VLAN 1 (the default VLAN), connected a PC to port 1 and found out that the PC
    cannot see any devices on the 3750 switch (where all ports default to

    bavien, Aug 11, 2007
  9. Arthur Brain (Guest)

    I would think that makes sense: the trunk back to the 3750 treats
    VLAN 10 as VLAN 1, so you shouldn't be able to use VLAN 1 on the 2950
    side of the trunk.

    I have come across VLAN mismatches on networks where they have multi-
    vendor switches and haven't figured out how to trunk properly between
    two devices from different vendors.
    Arthur Brain, Aug 13, 2007
  10. Scott Perry (Guest)

    fugettaboutit - Thank you for the correction. I read the article that you

    KDawg44 - Perhaps on such a small network there would not be as much
    benefit, but the concept is to put the management IP addresses of the switches
    in a LAN on a separate VLAN. This would keep users from having their
    connected switches' IP addresses in an accessible IP address range or
    accessible VLAN. The router connecting to these switches would have a trunk
    connection with a separate IP address in both VLANs, the
    management VLAN and the user VLAN.
    Maybe your setup does not need it, but the idea is to keep networks more
    secure by later allowing, through access-lists, only certain IP addresses
    or IP subnets to connect to the administrative IP address ranges
    used for the management IP addresses on the switches and routers. It is
    better than giving the switches a management IP address in the same VLAN and
    IP subnet as all of the users, who could attempt to access it.


    Scott Perry
    Indianapolis, Indiana
    Scott Perry, Aug 13, 2007
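    Added example, not Scott's configuration: the layout he describes, with
    the 3750 routing between a user VLAN and a management VLAN, the 2950's
    single management address moved out of VLAN 1 into the management VLAN,
    and two layers of access-lists (one on the user VLAN's gateway interface,
    one on the switches' own vty and SNMP). All VLAN numbers, subnets, the
    admin workstation address and the SNMP community string are assumptions.

```cisco
! --- 3750: routes between the VLANs, so the ACL sits on the user gateway ---
ip routing
!
vlan 10
 name USERS
vlan 20
 name MGMT
!
interface Vlan10
 description User VLAN gateway (10.0.10.0/24 assumed)
 ip address 10.0.10.1 255.255.255.0
 ip access-group USERS-IN in
!
interface Vlan20
 description Management VLAN gateway (10.0.20.0/24 assumed)
 ip address 10.0.20.1 255.255.255.0
!
! Users may reach anything except the management subnet. The first line is a
! narrow exception for one admin workstation (10.0.10.50, assumed) that lives
! on the user VLAN; remove it if admins always work from a host in VLAN 20.
ip access-list extended USERS-IN
 permit ip host 10.0.10.50 10.0.20.0 0.0.0.255
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip any any
!
! Second layer on the switch itself: management sessions and SNMP are only
! answered from the management subnet, so a user who reaches a switch
! address by some other path still gets nowhere.
ip access-list standard MGMT-HOSTS
 permit 10.0.20.0 0.0.0.255
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
!
snmp-server community MonitorRO RO MGMT-HOSTS
!
! --- 2950: Layer 2 only, and it can have just one active management SVI, ---
! --- so VLAN 1's interface is shut down and VLAN 20 takes over.          ---
vlan 20
 name MGMT
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan20
 ip address 10.0.20.2 255.255.255.0
 no shutdown
!
ip default-gateway 10.0.20.1
!
! Numbered standard ACL here, which every 2950 image accepts for access-class.
access-list 10 permit 10.0.20.0 0.0.0.255
!
line vty 0 15
 access-class 10 in
 transport input ssh
```

    The trunk between the two switches must carry VLAN 20 for the 2950's
    management address to be reachable, and "transport input ssh" assumes a
    crypto-capable image on both switches; on a non-crypto 2950 it has to be
    telnet, which is still limited to the management subnet by the
    access-class. The 2950 keeps no IP address in VLAN 1 at all, so a user
    port in the default VLAN has no switch address in its own subnet to probe.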
  11. KDawg44 (Guest)

    Scott - Thanks very much for the response. Makes perfect sense to me.
    KDawg44, Aug 13, 2007
  12. bavien (Guest)

    Thank you all for your insightful replies. I need another
    recommendation/best practice.

    I plan on leaving VLAN 1 alone on both switches (2950 and 3750).
    Create VLAN 10 for users, VLAN 20 for management. Trunk the 2950 to
    the 3750. In the trunk between the two switches, what VLAN should I
    use for the native VLAN (according to best practice at least)?

    bavien, Aug 13, 2007
  13. KDawg44 (Guest)

    I am looking to implement VLANs. Does it make sense to separate
    servers into a separate VLAN? These servers are used internally
    only. We have about four servers.

    I would have the following VLANs:

    Normal users
    I.T. Dept.

    Currently there isn't a need to separate other departments. Does this
    make sense to do?

    My thinking is that everyone accesses one of the servers, another
    server is accessed by only one user on one PC, another is an SNMP and
    Syslog server so only the I.T. Department needs to access this one,
    and another server is used by the phone system.

    Thanks for any thoughts. I just want to make sure I am not going
    overboard, but we are making some infrastructure changes due to our
    growth and I am looking to make sure we are in position for future
    growth without having to revamp again.

    KDawg44, Aug 13, 2007