vlan, native, trunk, 802.1q

The native VLAN is a concept that only exists on trunks. Its main purpose is to avoid dropping untagged frames: the receiving switch forwards every untagged frame it receives into the native VLAN instead of discarding it. The default is VLAN 1.
An 802.1Q trunk can carry multiple VLANs. Each VLAN's frames are given a header that states the VLAN number, but one VLAN is sent without that header, unencapsulated: that is the native VLAN. When a switch sends data it uses the VLAN tag to mark which VLAN the data belongs to; 802.1Q allows one VLAN to go untagged, and whatever travels untagged on that segment is treated by the peer switch, when it reads the frame and finds no 802.1Q tag, as belonging to the native VLAN.
Simply put, the native VLAN is a special VLAN under 802.1Q encapsulation: traffic from that VLAN is not tagged when it crosses a trunk interface, and by default VLAN 1 is the native VLAN.
VLAN 1 is the switch's default VLAN. It generally carries neither user data nor management traffic, only control traffic such as CDP, DTP, BPDU, VTP and PAgP.
The native VLAN is defined relative to a trunk interface; on a non-trunk interface there is no native VLAN to speak of. A trunk interface normally carries tagged frames, so what happens when untagged data arrives? That is where the native VLAN comes in: the untagged data is given the native VLAN's tag and enters the switch. On Cisco switches both the management VLAN and the native VLAN default to VLAN 1.
When a trunk port receives a frame without a VLAN tag, 802.1Q marks it as the native VLAN and forwards it into the native VLAN (VLAN 1 by default; this can be changed, but if you change it make sure every switch in the network agrees), whereas ISL drops it.
On an 802.1Q trunk, frames forwarded out for VLAN 1 are not tagged; they are forwarded as-is.
If two connected switches are configured with different native VLANs, a mismatch error is reported. A VLAN-capable switch connected to a switch that does not support VLANs exchanges data with it over the native VLAN. On a trunk link whose native VLANs do not match at the two ends, the port on one end is blocked and does not forward traffic.
In an IP telephony deployment the phone can tag its own frames, but an ordinary PC cannot. Very often the phone and the PC share a single cable, so the port is set to trunk mode: the phone sends tagged frames, the PC cannot, and when the switch receives untagged data it applies the implicit switchport trunk native vlan 1, tagging the data with the native VLAN as it enters the switch for forwarding.
VLANs also have their security weaknesses: attackers use VLAN hopping to cross from one VLAN into another. Ways to eliminate this risk:
1. Remove the native VLAN so that its traffic does not run over the trunk link
2. Do not assign the native VLAN to ordinary users
3. Force the native VLAN to be tagged when it crosses a trunk, with the command
vlan dot1q tag native
When configuring 802.1Q tunneling on an edge switch, you must use 802.1Q trunk ports for sending packets into the service-provider network. However, packets going through the core of the service-provider network can be carried through 802.1Q trunks, ISL trunks, or nontrunking links. When 802.1Q trunks are used in these core switches, the native VLANs of the 802.1Q trunks must not match any native VLAN of the nontrunking (tunneling) port on the same switch because traffic on the native VLAN would not be tagged on the 802.1Q sending trunk port.
See Figure 14-3. VLAN 40 is configured as the native VLAN for the 802.1Q trunk port from Customer X at the ingress edge switch in the service-provider network (Switch B). Switch A of Customer X sends a tagged packet on VLAN 30 to the ingress tunnel port of Switch B in the service-provider network, which belongs to access VLAN 40. Because the access VLAN of the tunnel port (VLAN 40) is the same as the native VLAN of the edge-switch trunk port (VLAN 40), the metro tag is not added to tagged packets received from the tunnel port. The packet carries only the VLAN 30 tag through the service-provider network to the trunk port of the egress-edge switch (Switch C) and is misdirected through the egress switch tunnel port to Customer Y.
These are some ways to solve this problem:
Use ISL trunks between core switches in the service-provider network. Although customer interfaces connected to edge switches must be 802.1Q trunks, we recommend using ISL trunks for connecting switches in the core layer. The Cisco ME switch does not support ISL trunks.
Use the vlan dot1q tag native global configuration command to configure the edge switch so that all packets going out an 802.1Q trunk, including the native VLAN, are tagged. If the switch is configured to tag native VLAN packets on all 802.1Q trunks, the switch accepts untagged packets, but sends only tagged packets.
Ensure that the native VLAN ID on the edge-switch trunk port is not within the customer VLAN range. For example, if the trunk port carries traffic of VLANs 100 to 200, assign the native VLAN a number outside that range.
Figure 14-3 Potential Problem with 802.1Q Tunneling and Native VLANs
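An added example (not from the original post or from Cisco) that models in Python the trunk behaviour described above and the Figure 14-3 scenario: untagged ingress is classified into the native VLAN, native-VLAN egress goes out untagged unless `vlan dot1q tag native` is set, and a tunnel port whose access VLAN equals the core trunk's native VLAN loses its metro tag. The MAC addresses and payload are constructed sample values.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
# Constructed sample MAC addresses (not taken from the page)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")

def build_frame(vlans, payload=b"\x45" + b"\x00" * 19):
    """Build an Ethernet frame with zero or more 802.1Q tags, outer tag first."""
    hdr = DST + SRC
    for vid in vlans:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)  # PCP/DEI = 0
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_tags(frame):
    """Return the 802.1Q VLAN IDs stacked on a frame, outer first ([] if untagged)."""
    off, tags = 12, []
    while struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append(tci & 0x0FFF)
        off += 4
    return tags

def trunk_ingress_vlan(frame, native_vlan):
    """Trunk ingress: a tagged frame belongs to its outer tag, an untagged one to the native VLAN."""
    tags = parse_tags(frame)
    return tags[0] if tags else native_vlan

def trunk_egress_tagged(vlan, native_vlan, tag_native=False):
    """Trunk egress: native-VLAN frames leave untagged unless 'vlan dot1q tag native' is set."""
    return vlan != native_vlan or tag_native

def tunnel_through_core(customer_frame, access_vlan, core_native_vlan, tag_native=False):
    """Edge switch of Figure 14-3: the tunnel port pushes the metro tag (its access VLAN),
    then the frame leaves the core 802.1Q trunk. Returns the tag stack seen in the core."""
    inner = parse_tags(customer_frame)
    if trunk_egress_tagged(access_vlan, core_native_vlan, tag_native):
        return [access_vlan] + inner
    return inner  # metro tag lost: only the customer's own tag remains, so the core misdirects it
```

With access VLAN 40 and core native VLAN 40 the customer's VLAN 30 frame reaches the core carrying only the 30 tag; enabling native tagging or moving the native VLAN out of the customer range restores the [40, 30] stack.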