Skip to main content

Vlan Trunk port vs Access port and Native Vlan

Access Port:
  • An access port can have only one VLAN configured on the interface; it can carry traffic for only one VLAN.
  • Frames coming in to the interface will be tagged and Frames going out to the interface will be untagged.
Trunk port:
  • A trunk port can have two or more VLANs configured on the interface; it can carry traffic for several VLANs simultaneously. Allow all the tagged packets or tagged packets of configured vlan on the particular port.
  • Switch port configured as a trunk port send and receive IEEE 801.q VLAN tagged Ethernet frames.
If a nontrunking port receives an 802.1Q frame, the source and destination MAC addresses are read, the tag field is ignored, and the frame is switched normally at Layer 2.


Native VLAN:

If a switch receives untagged Ethernet frames on its Trunk port, they are forwarded to the VLAN that is configured on the Switch as native VLAN. Both sides of the trunk link must be configured to be in same native VLAN.


  • An 802.1Q trunk port can carry tagged and untagged frames because Ethernet is assumed to be a shared medium and there may hosts on the medium that cannot handle untagged frames.
  • Untagged frames must placed into a VLAN by the receiving switch, the native VLAN is the VLAN used.
  • When a switch receives an untagged frame on a tagged interface it is assumed membership of the Native VLAN.
  • For 802.1.Q tagged interfaces, Cisco uses untagged frames to carry admin various protocols between the switches e.g. CDP, DTP, LACP (?). Not all vendors implement a native VLANs.
  • Configurable Native VLAN IDs are a response to the security vulnerability published bSANS in July 2000 that noted a possible VLAN hopping attack using the Native VLAN. Because VLAN1 on Cisco switches has special significance
  • It is not mandatory for vendors to implement Native VLANs so vendor interoperability for protocols using the feature will be a specific configuration issue.
  • For Cisco switches the Native VLAN ID must match on both end of the trunk.
  • By default the Native VLAN is 1.
  • My “Security Best Practice” is to configure the Native VLAN ID to VLAN 666 and to ensure that this VLAN is not used anywhere in the network. The number “666” helps people to remember this. An attacker who attempts to use the VLAN hopping attack will end up in a dead VLAN that has no hosts to leverage. 

Comments

Popular posts from this blog

What is QinQ(IEEE 802.1ad)

What is QinQ In this section, we will see about Switching concept QinQ. In service provider networks, This is very important. Service provider use this Switching function to pass customer data from one end to other end with two vlan id’s in own switching network.  Explanation: The QinQ technology is called VLAN dot1q tunnel, 802.1Q tunnel, VLAN Stacking technology. The standard comes from IEEE 802.1ad and it is the expansion of the 802.1Q protocol. QinQ adds one layer of 802.1Q tag (VLAN tag) based on the original 802.1Q packet head. With the double layers of tags, the VLAN quantity is increased to 802.1Q. QinQ encapsulates the private network VLAN tag of the user in the public(service provider) network VLAN Tag to make the packet with double layers of VLAN Tags cross the backbone network (public network) of the operator. In the public network, the packet is passed according to the out layer of VLAN tag (that is the public network VLAN Tag) and the private netw...

Beacon Frames, Probe request and response

Beacon frame  is one of the management frames in  IEEE 802.11  based WLANs. It contains all the information about the network. Beacon frames are transmitted periodically, they serve to announce the presence of a wireless LAN and to synchronise the members of the service set. Beacon frames are transmitted by the  access point  (AP) in an infrastructure  basic service set  (BSS). In IBSS network beacon generation is distributed among the stations. Beacons are sent periodically at a time called Target Beacon Transmission Time(TBTT) 1 TU = 1024 microseconds Beacon interval =100 TU (100x 1024 microseconds or 102.4 milliseconds) 1. Timestamp (8 byte) 2. Beacon Interval (2 byte) 3. Capability info (2 byte) 4. SSID (variable size) 5. Supported Rates (variable size) Probe Request:  A station or client becomes active or on a PC when the wlan card it enabled it becomes acti...

Difference between Polling and Trap in Network Management – Which one is better?

A Network Manager’s job is to get data from Network Elements and present it to the administrators or operators. There are two ways of doing this activity:  1) Polling and 2) Trap . Here is a quick difference between the two: Polling  : A traditional way of providing operators with the network elements information. It’s characteristics are as follows: ·        Pull Mechanism – Requests and get information from network elements at periodic intervals. The periodic interval is most often configurable. ·        Provides non-real time information. It may happen that some changes happen in network element but polling happens an hour after that. Thus, operator gets to know about the changes after an hour. ·        Higher bandwidth needed. Traps  : When an alarm situation exists a trap can be generated, or if some changes happen at network element, an attribute value chang...