Cisco VLAN – Should the Same Native VLAN Be Used for Management Traffic Network-Wide?

cisco cisco-ios cisco-wireless network-core vlan

I have the native VLAN on my trunk links set to VLAN 10, which is my management VLAN that spans the entire network. We have one WLC and access points connected on a trunk link set to native VLAN 20, which is the wireless VLAN. I was wondering if I should have all network devices on the same native VLAN to avoid any mismatch issues for Cisco and other protocols that run untagged over the network?

We have a lot of Apple and L2 devices on the network that would like to utilize protocols, wired or wireless. I have configured mDNS on the WLC but am still having issues with basic print jobs. I was planning on moving the WLC to VLAN 10, but I have read articles that recommend different ways of deploying the controller.

    VLAN 10 - Management
    VLAN 20 - Wireless
    VLAN 60 - Hosts

    Router (10.0.1.2) - access port, VLAN 10

    c3750 (10.0.1.1) - you name it we probably got it plugged in
    wlc (10.0.2.3) - trunk port, native VLAN 20

    ==3 switches on trunk links running back to 10.0.1.1 ==
    c3750(10.0.1.3) - trunk port, native VLAN 10
    c3750(10.0.1.4) - trunk port, native VLAN 10
    c3750(10.0.1.5) - trunk port, native VLAN 10

Best Answer

Untagged (native) VLANs don't really offer you any benefit over tagged VLANs, and they present a certain level of security risk. There is no real reason to use untagged VLANs when tagged VLANs are available.

Some people prefer to use a network-wide VLAN for management, one for printers, etc. This scenario presents both security and operational risks. Cisco has been recommending one access switch per VLAN (an access switch can have multiple VLANs, but those VLANs don't extend to any other access switch), and, if you can, use layer-3 connections to the access switches instead of trunks.

There is a book published by Cisco Press, "LAN Switch Security: What Hackers Know About Your Switches" by Eric Vyncke and Christopher Paggen that explains a lot of these sorts of things.
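The two concrete things the question and answer turn on are (a) whether both ends of every trunk agree on the native VLAN and (b) whether the management VLAN is riding a trunk untagged at all. Both can be audited from the switches' running configs. The following script is an added example, not code from the asker or the answerer: it parses IOS-style `switchport mode trunk` / `switchport trunk native vlan N` stanzas, detects native-VLAN mismatches across cabled links, flags trunks whose untagged native VLAN is the management VLAN, and then re-runs the audit after the global `vlan dot1q tag native` command (a real Catalyst IOS command that makes the switch tag native-VLAN frames) has been added. The device names, port numbers, the cabling list and the deliberately misconfigured uplink on the fourth switch are all constructed to mirror the topology in the question; the WLC side is not IOS and is outside what this parser reads.

```python
"""Audit 802.1Q trunk native VLANs from Cisco IOS-style running-config text.

Added example, not code from the original question or answer. The configs
below are constructed to mirror the question's topology (core c3750, access
c3750s trunked back with native VLAN 10, WLC trunk with native VLAN 20); the
device names, port numbers and the LINKS cabling list are assumptions.
"""
import re
from dataclasses import dataclass

MGMT_VLAN = 10  # the question's management VLAN


@dataclass
class Trunk:
    device: str
    interface: str
    native_vlan: int = 1       # IOS default when no native VLAN is configured
    tag_native: bool = False   # True when the global 'vlan dot1q tag native' is set


IFACE_RE = re.compile(r"^interface (\S+)")
NATIVE_RE = re.compile(r"^\s*switchport trunk native vlan (\d+)\s*$")


def parse_trunks(device: str, config: str) -> list[Trunk]:
    """Return one Trunk per interface configured with 'switchport mode trunk'."""
    tag_native = any(l.strip() == "vlan dot1q tag native" for l in config.splitlines())
    trunks, current, is_trunk = [], None, False
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:                                   # new interface stanza begins
            if current is not None and is_trunk:
                trunks.append(current)
            current, is_trunk = Trunk(device, m.group(1), tag_native=tag_native), False
            continue
        if current is None:                     # global config before any interface
            continue
        if line.strip() == "switchport mode trunk":
            is_trunk = True
        m = NATIVE_RE.match(line)
        if m:
            current.native_vlan = int(m.group(1))
    if current is not None and is_trunk:
        trunks.append(current)
    return trunks


def audit(trunks, links, mgmt_vlan=MGMT_VLAN):
    """Flag (1) native-VLAN or tagging disagreement across a cabled link and
    (2) any trunk whose untagged native VLAN is the management VLAN."""
    findings = []
    ports = {(t.device, t.interface): t for t in trunks}
    for end_a, end_b in links:
        a, b = ports[end_a], ports[end_b]
        if a.native_vlan != b.native_vlan:
            findings.append(f"MISMATCH {end_a[0]} {end_a[1]} native {a.native_vlan} "
                            f"<-> {end_b[0]} {end_b[1]} native {b.native_vlan}")
        elif a.tag_native != b.tag_native:
            findings.append(f"TAG-MISMATCH {end_a[0]} {end_a[1]} <-> {end_b[0]} {end_b[1]}")
    for t in trunks:
        if t.native_vlan == mgmt_vlan and not t.tag_native:
            findings.append(f"UNTAGGED-MGMT {t.device} {t.interface}: VLAN {mgmt_vlan} rides untagged")
    return findings


# Constructed configs (assumed port numbering) mirroring the question's topology.
CORE_CFG = """\
interface GigabitEthernet1/0/1
 description trunk to access switch 10.0.1.3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description trunk to WLC 10.0.2.3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 20
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description router 10.0.1.2
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/4
 description trunk to access switch 10.0.1.4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
"""
ACCESS3_CFG = """\
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
"""
# Constructed fault: the native VLAN was never set on this uplink, so it is 1.
ACCESS4_CFG = """\
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""
LINKS = [(("CORE", "GigabitEthernet1/0/1"), ("ACCESS3", "GigabitEthernet1/0/24")),
         (("CORE", "GigabitEthernet1/0/4"), ("ACCESS4", "GigabitEthernet1/0/24"))]


def run_demo():
    """Return findings before and after adding the global 'vlan dot1q tag native'."""
    devices = {"CORE": CORE_CFG, "ACCESS3": ACCESS3_CFG, "ACCESS4": ACCESS4_CFG}
    before = audit([t for d, c in devices.items() for t in parse_trunks(d, c)], LINKS)
    hardened = {d: "vlan dot1q tag native\n!\n" + c for d, c in devices.items()}
    after = audit([t for d, c in hardened.items() for t in parse_trunks(d, c)], LINKS)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

Run stand-alone, the "before" pass reports the native-VLAN mismatch on the fourth switch's uplink plus three trunks carrying VLAN 10 untagged; the "after" pass leaves only the mismatch, which tagging cannot fix and which has to be corrected on the misconfigured port itself. On a real estate you would feed `show running-config` output per device and build the cabling list from CDP/LLDP neighbour data rather than by hand.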