The native VLAN is a concept that exists only on trunks. Its main purpose is to avoid discarding untagged frames: the receiving switch forwards every untagged frame it receives into the native VLAN instead of dropping it. The default is VLAN 1.
An 802.1Q trunk can carry multiple VLANs. Each VLAN's frames get a header (the tag) that carries the VLAN number, but one VLAN is sent without a tag and without encapsulation: that is the native VLAN. When a switch sends data it uses the VLAN tag to mark which VLAN the data belongs to; 802.1Q allows one VLAN to go untagged, and whatever is untagged on that segment is treated as belonging to the native VLAN when the switch at the far end reads it and finds no 802.1Q tag.
Simply put, the native VLAN is a special VLAN under 802.1Q encapsulation: traffic from that VLAN is not tagged when it crosses a trunk interface. By default VLAN 1 is the native VLAN.
VLAN 1 is the switch's default VLAN; normally it carries neither user data nor management traffic, only control traffic such as CDP, DTP, BPDUs, VTP and PAgP.
The native VLAN is defined with respect to trunk interfaces; a port that is not a trunk has no native VLAN. Normally the frames carried on a trunk interface are tagged, so what happens to untagged data? That is where the native VLAN comes in: untagged frames are given the native VLAN's tag and enter the switch. On Cisco switches both the management VLAN and the native VLAN default to VLAN 1.
When a trunk port receives a frame without a VLAN tag, 802.1Q tags it with the native VLAN and forwards it into the native VLAN (VLAN 1 by default; it can be changed, but if you change it make sure every switch in the network uses the same value), whereas ISL discards it.
An 802.1Q trunk forwards frames of VLAN 1 (the default native VLAN) outward without adding a VLAN tag; they are forwarded directly.
If two interconnected switches are configured with different native VLANs, a mismatch error is reported. When a VLAN-aware switch is connected to a switch that does not support VLANs, the two exchange data through the native VLAN. On a trunk link whose two ends have mismatched native VLANs, the port on one end is blocked and does not forward traffic.
In an IP telephony system the phone can tag its own frames, but an ordinary PC cannot. In many deployments the phone and the PC share one cable; the port is then set to trunk mode, the phone sends tagged frames, the PC cannot tag, and when the switch receives the untagged frames it tags them with the native VLAN according to the implicit switchport trunk native vlan 1 and passes them into the switch.
VLANs also carry a security risk: an attacker can use VLAN hopping to cross from one VLAN into another. Ways to eliminate this risk:
1. Remove the native VLAN from the trunk so that its traffic does not run over the trunk link.
2. Do not assign the native VLAN to ordinary users.
3. Force the native VLAN to be tagged when it crosses a trunk, with the command vlan dot1q tag native.
When configuring 802.1Q tunneling on an edge switch, you must use 802.1Q trunk ports for sending packets into the service-provider network. However, packets going through the core of the service-provider network can be carried through 802.1Q trunks, ISL trunks, or nontrunking links. When 802.1Q trunks are used in these core switches, the native VLANs of the 802.1Q trunks must not match any native VLAN of the nontrunking (tunneling) port on the same switch because traffic on the native VLAN would not be tagged on the 802.1Q sending trunk port.
See Figure 14-3 . VLAN 40 is configured as the native VLAN for the 802.1Q trunk port from Customer X at the ingress edge switch in the service-provider network (Switch B). Switch A of Customer X sends a tagged packet on VLAN 30 to the ingress tunnel port of Switch B in the service-provider network, which belongs to access VLAN 40. Because the access VLAN of the tunnel port (VLAN 40) is the same as the native VLAN of the edge-switch trunk port (VLAN 40), the metro tag is not added to tagged packets received from the tunnel port. The packet carries only the VLAN 30 tag through the service-provider network to the trunk port of the egress-edge switch (Switch C) and is misdirected through the egress switch tunnel port to Customer Y.
These are some ways to solve this problem:
• Use ISL trunks between core switches in the service-provider network. Although customer interfaces connected to edge switches must be 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer. The Cisco ME switch does not support ISL trunks.
• Use the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an 802.1Q trunk, including the native VLAN, are tagged. If the switch is configured to tag native VLAN packets on all 802.1Q trunks, the switch accepts untagged packets, but sends only tagged packets.
• Ensure that the native VLAN ID on the edge-switch trunk port is not within the customer VLAN range. For example, if the trunk port carries traffic of VLANs 100 to 200, assign the native VLAN a number outside that range.
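The following is an added example, not code from Cisco or from the original notes. It is a small Python model of the rules described above: an untagged frame arriving on a trunk is placed in the native VLAN, native-VLAN traffic leaves a trunk untagged unless the switch is set to tag it (the `vlan dot1q tag native` behaviour, modelled here as a `tag_native` flag), and a tunnel port assigns every customer frame to its access VLAN. It then walks the Figure 14-3 path to show the misdirection when the tunnel port's access VLAN equals the core trunk's native VLAN, and shows that either tagging the native VLAN or moving it outside the customer range delivers the frame to the right customer. The topology (Customer X on metro VLAN 40, Customer Y on metro VLAN 30, a single trunk configuration shared by both core ends) and the `audit_native_vlan` checker are constructed for the example.

```python
"""Toy model of 802.1Q native-VLAN handling on trunk and tunnel (Q-in-Q) ports.

Constructed example, not Cisco code: it reproduces the rules in the text
(untagged ingress -> native VLAN; native-VLAN egress untagged unless
`vlan dot1q tag native`) and the Figure 14-3 misdirection case.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    # Stack of 802.1Q VLAN IDs, outermost first; [] means an untagged frame.
    tags: List[int] = field(default_factory=list)
    payload: str = ""


@dataclass
class TrunkPort:
    """802.1Q trunk port. `tag_native` models the `vlan dot1q tag native` setting."""
    native_vlan: int = 1
    tag_native: bool = False

    def receive(self, frame: Frame) -> Tuple[int, Frame]:
        """Ingress: classify by the outer tag; an untagged frame lands in the native VLAN."""
        if frame.tags:
            return frame.tags[0], Frame(frame.tags[1:], frame.payload)
        return self.native_vlan, Frame([], frame.payload)

    def send(self, vlan: int, frame: Frame) -> Frame:
        """Egress: push the VLAN as the outer tag, except that native-VLAN traffic
        leaves untagged unless the switch is configured to tag the native VLAN."""
        if vlan == self.native_vlan and not self.tag_native:
            return Frame(list(frame.tags), frame.payload)
        return Frame([vlan] + frame.tags, frame.payload)


@dataclass
class TunnelPort:
    """802.1Q tunnel port: every customer frame, tagged or not, is assigned to the
    port's access VLAN; the customer's own tags stay inside the frame."""
    access_vlan: int

    def receive(self, frame: Frame) -> Tuple[int, Frame]:
        return self.access_vlan, Frame(list(frame.tags), frame.payload)


def forward_through_provider(frame: Frame, ingress: TunnelPort, core_trunk: TrunkPort,
                             customers_by_vlan: Dict[int, str]) -> Tuple[Optional[str], Frame]:
    """Figure 14-3 path: customer frame -> ingress tunnel port on the edge switch ->
    802.1Q trunk across the core -> tunnel port of whichever customer owns the VLAN
    the egress switch classifies the frame into. Both trunk ends share one config."""
    metro_vlan, inner = ingress.receive(frame)          # edge switch assigns the access VLAN
    on_wire = core_trunk.send(metro_vlan, inner)         # metro tag added, or not if native
    vlan_at_egress, delivered = core_trunk.receive(on_wire)
    return customers_by_vlan.get(vlan_at_egress), delivered


def audit_native_vlan(native_per_end: List[int], tunnel_access_vlans: List[int],
                      customer_range: Tuple[int, int]) -> List[str]:
    """Configuration checks drawn from the text: the native VLAN must match on both
    trunk ends, must not equal any tunnel port's access VLAN on the same switch,
    and should sit outside the customer VLAN range."""
    findings = []
    if len(set(native_per_end)) > 1:
        findings.append(f"native VLAN mismatch across trunk ends: {native_per_end}")
    native = native_per_end[0]
    for v in tunnel_access_vlans:
        if v == native:
            findings.append(f"tunnel port access VLAN {v} equals trunk native VLAN")
    lo, hi = customer_range
    if lo <= native <= hi:
        findings.append(f"native VLAN {native} lies inside customer range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    # Constructed topology: Customer X on metro VLAN 40, Customer Y on metro VLAN 30.
    customers = {40: "Customer X", 30: "Customer Y"}
    frame_from_x = Frame([30], "customer X data")   # Switch A already tagged VLAN 30
    bad_trunk = TrunkPort(native_vlan=40)           # native VLAN == Customer X access VLAN
    print("native 40, untagged :", forward_through_provider(frame_from_x, TunnelPort(40), bad_trunk, customers))
    fixed = TrunkPort(native_vlan=40, tag_native=True)  # `vlan dot1q tag native`
    print("native 40, tagged   :", forward_through_provider(frame_from_x, TunnelPort(40), fixed, customers))
    moved = TrunkPort(native_vlan=999)              # native VLAN outside customer range
    print("native 999          :", forward_through_provider(frame_from_x, TunnelPort(40), moved, customers))
    print(audit_native_vlan([40, 40], [40, 30], (1, 200)))
```

With the native VLAN left at 40, the metro tag is never pushed, so Switch C classifies the frame by Customer X's inner VLAN 30 tag and hands it to Customer Y's tunnel port; with `tag_native` set or the native VLAN moved to 999, the outer tag is present and the frame reaches Customer X with its VLAN 30 tag intact. The audit function flags the same three conditions the text lists: a mismatch between trunk ends, a native VLAN equal to a tunnel port's access VLAN, and a native VLAN inside the customer range.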
Figure 14-3 Potential Problem with 802.1Q Tunneling and Native VLANs