
Native VLAN Problem Revisited

As I prepare for CCNA, I had the opportunity to really get to the bottom of things. Today, I finally settled it with Native VLAN. During my Cisco Networking Academy days, we had to do our skill-based exam for CCNA 3 (LAN Switching and Wireless), which lasted 10 hours because of a problem with Native VLAN. I even made a post about it. But that was the end of it; we made a mistake and we learned to never configure Native VLAN on the trunk link of the switch connected to the router configured for router-on-a-stick. We just moved on; we did not even bother to research why that is a problem. Even our instructor did not enlighten us on the issue.

But it's been bugging me since that day. Why? WHY? Now I have the answers.

First, let me review the problem:

I applied the command switchport trunk native vlan 88 on the trunk link of S2. This trunk link is connected to R1 which is configured for router-on-a-stick. The Native VLAN in LAB1 domain is VLAN 88. When I ping S1's management interface from PC1, the ping doesn't work.

Now this is my theory:

As I ping from PC1, which is in VLAN 20, to the switches, which have a management interface of interface VLAN 88, it has to go to R1 from the trunk link. The frame was supposed to be tagged with VLAN 88 but since we defined VLAN 88 on S2 as the Native VLAN, the frame is not tagged (no 802.1Q header).

The router has not been configured to handle untagged traffic, so the frame is dropped. The immediate solution is to simply not configure a Native VLAN on S2's trunk link, with no switchport trunk native vlan 88. But that is not the right solution: it may allow the ping to pass, since the frame is then tagged with VLAN 88 while all untagged traffic is forwarded in VLAN 1, but the router still has no mechanism to handle untagged traffic.

There must be a real solution. Actually there are two and I don't have to apply the no switchport trunk native vlan 88 command anymore.

First is to configure the router to handle untagged traffic. Second is to set VLAN 88 as Native VLAN in the router by just adding one keyword in the existing command.

To configure the router to handle untagged traffic, simply remove fa0/1.88 with no interface fa0/1.88 and apply its address to the main interface, which is interface fa0/1. So the new configuration would be:

R1(config)#no interface fa0/1.88
R1(config)#interface fa0/1
R1(config-if)#ip address 192.168.7.126 255.255.255.192

The second solution is more convenient because it will use the existing configuration but with the native keyword:

R1(config)#interface fa0/1.88
R1(config-subif)#encapsulation dot1q 88 native
R1(config-subif)#ip address 192.168.7.126 255.255.255.192

Quoting from CCNA ICND2 Official Cert Guide (3rd Ed), the encapsulation dot1q vlan-id native command "not only tell the router that the subinterface is associated with vlan-id, but also not to use any 802.1Q headers with that subinterface".
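To see both fixes side by side, here is an added example (not part of the original post and not IOS code): a simplified model of how a trunk port sends native-VLAN frames untagged and how a router-on-a-stick decides which interface accepts them. The function names, the fa0/1.20 subinterface, the sample MAC addresses and the rule that a native subinterface ignores tagged frames are assumptions made for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def trunk_egress(vlan, native_vlan, dst, src, ethertype, payload):
    """Frame as a switch trunk port sends it: the native VLAN goes out untagged."""
    header = dst + src
    if vlan != native_vlan:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)  # PCP/DEI = 0
    return header + struct.pack("!H", ethertype) + payload

def vlan_tag(frame):
    """Return the 802.1Q VLAN ID of a frame, or None if it is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF

def router_ingress(frame, subifs, main_has_ip=False):
    """Simplified router-on-a-stick model (an assumption, not IOS code).

    subifs maps a subinterface name to (vlan_id, is_native).
    Returns the interface that accepts the frame, or None if it is dropped.
    """
    vid = vlan_tag(frame)
    for name, (vlan_id, is_native) in subifs.items():
        if vid is None and is_native:
            return name            # 'encapsulation dot1q N native'
        if vid is not None and vid == vlan_id and not is_native:
            return name            # ordinary tagged subinterface
    if vid is None and main_has_ip:
        return "fa0/1"             # address moved to the main interface
    return None

# Constructed sample frame: broadcast destination, made-up source MAC, IPv4.
DST, SRC = b"\xff" * 6, bytes.fromhex("020000000001")
def sample(vlan, native_vlan=88):
    return trunk_egress(vlan, native_vlan, DST, SRC, 0x0800, b"ping")

ORIGINAL = {"fa0/1.20": (20, False), "fa0/1.88": (88, False)}  # problem setup
FIX_TWO = {"fa0/1.20": (20, False), "fa0/1.88": (88, True)}    # native keyword
FIX_ONE = {"fa0/1.20": (20, False)}                            # IP on fa0/1
```

With VLAN 88 native on S2's trunk, sample(88) reaches R1 untagged: router_ingress drops it under ORIGINAL, hands it to fa0/1.88 under FIX_TWO, and to fa0/1 under FIX_ONE when main_has_ip=True.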



Note: 01/29/12
If you're thinking that what I've said above which is "The frame was supposed to be tagged with VLAN 88..." is wrong, you are right. Give yourself credit for noticing that. I already addressed that in my later post here.
