Trunk Native VLAN
As you remember from the previous lesson, trunk ports send and receive Ethernet frames tagged with IEEE 802.1q VLAN tags . The primary idea behind this is to be able to transport frames from multiple VLANs over a single physical link between switches. This means that both ends of a trunk will always receive tagged frames as shown in Figure 1.
But is it always? What if there is a hub in the way or any other layer 1 device? What will happen if an untagged frame somehow gets into the trunk link? Native VLAN has been introduced to solve this specific scenario.
Figure 1. Frames forwarding over a trunk line
Native VLAN is configured per trunk port, it is locally significant and it tells the switch — «if you receive an untagged data into this port, forward it like it is part of the native VLAN number». For example, if we configure the native VLAN on a trunk to be 20, if data without IEEE 802.1q header comes in that port, it will be forwarded in VLAN 20. You can see an example of this in Figure 2. PC7 is somehow connected to the trunk and is sending untagged frames. When they are received on both sides of the link, they are forwarded into the VLAN 20 (the Native VLAN).
By default, the native VLAN of all trunk ports on Cisco switches is assigned to VLAN 1 but it can be any valid VLAN number.
Figure 2. Figure 2. Untagged frames coming in a trunk link
There is another very important angle to this concept. The switches are not only putting the received untagged data into the native VLAN, but they are also sending the data in the Native VLAN untagged. Look at the example in Figure 3, the frames from VLAN 10 are carried across the trunk with 802.1q headers, but the frames from VLAN20 are carried across untagged because VLAN20 is the Native VLAN of the trunk port. All control plane messages such as CDP, VTP, and DTP are also sent through the Native VLAN i.e untagged.
Figure 3. Frames are untagged in the Native VLAN but tagged in all others
Configuring and Verifying Native VLAN on a Trunk port
Let’s first see how we can check the operational mode and the native VLAN on any trunk port using the command show interface switchport.
You can see that by default, VLAN 1 is configured as Native. Let’s change it to be another value. This is done using the switchport trunk native vlan command in interface configuration mode. Always have in mind that this configuration is locally significant and has to be manually configured to match on both sides of the trunk link otherwise a faulty sate occurs.
Native VLAN Mismatch
Interface Trunk configuration is locally significant. This means that the Trunk settings on one switchport do not have to exactly match the settings on the other side of the link. Therefore, you can configure native VLAN 10 on one side and VLAN 20 on the other side of a single trunk link. This causes a dangerous faulty state called Native VLAN mismatch. Cisco proprietary protocol CDP can detect this misconfiguration and report with error messages as shown below. Please note that, if CDP is disabled on the link, there is no way for the switch to automatically detect this.
Native VLAN mismatch can cause some major issues and security implications such as:
- Misdirected traffic — Frames, originating in the VLAN configured as Native, are sent untagged across the trunk. Upon receiving on the other side on the link, they are forwarded in different VLAN because trunk settings don’t match on both sides.
- VLAN hopping — malicious traffic can cross VLAN boundaries.
Allowed VLANs on a Trunk port
By default on Cisco switches, frames from all VLANs are transported over the trunk link. However, there is a way to specify exactly which VLAN numbers are allowed to be carried across. There are many cases in which you would want to specify only certain VLANs and not send frames from all VLANs. If we take figure 4 as an example, the switch on the left has four VLANs 10,20,30 and 40 but the switch on the right has VLANs 10, 20, 50, and 60. So you would probably want to send only traffic for 10 and 20 over the trunk link. This can be configured using the switchport trunk allowed vlan feature. Let’s configure the link in Figure 4 to carry across only frames from vlan 10 and 20.
Figure 4. Example of a Trunk link with allowed VLANs
First, let’s verify how many virtual LANs are configured on SW1 and SW2.
Note that if we look at the show interface trunk output on SW1, it is shown that VLANs 1 — 1005 are allowed on the trunk. This means that all are allowed.
The same can be seen on SW2 as well.
We want to configure only 10 and 20 to be allowed. Let’s configure the trunk link on SW1 and SW2. The configuration is the same on both switches, so we need to look at only one example.
The same configuration is applied on both switches. Let’s now look at the trunk ports.
Using this feature is very common in scenarios where a switch owned by one organization is connected to another external switch. Usually, there is an agreement to exchange data in one VLAN so you would want to filter all other VLANs out.
Native vlan mismatch discovered on что это
Помогите разобраться, у меня 2 Cisco: 3550 и 2950, на них несколько vlan, соединены между собой через trunk (на порту GigabitEthernet0/2), все работает, но все время в syslog валится ошибка Native VLAN mismatch discovered on GigabitEthernet0/2.
Всё дело в том, что один из девайсов шлет пакеты без меток в натив влан, а второй с метками, ну и они кумекают, что это всё к одному влану относится.
Как избавится от ошибки?
Вот конфиг:
на 3550:
interface GigabitEthernet0/2
description link_to_2950
switchport trunk encapsulation dot1q
switchport trunk native vlan 4
switchport mode trunk
no ip address
!
interface Vlan4
ip address 192.168.2.1 255.255.255.0
ip directed-broadcast
ip pim dense-mode
!на 2950:
interface GigabitEthernet0/2
description link_to_3550
switchport mode trunk
no ip address
!
interface Vlan1
description management VLAN
ip address 192.168.2.3 255.255.255.0
ip directed-broadcast
no ip route-cache
!
- , Ярослав Росомахо, 14:22 , 05-Фев-07, (1)
- , Ярослав Росомахо, 14:32 , 05-Фев-07, (2)
- , Антон, 14:15 , 25-Июн-14, (3)
| Сообщения по теме | [Сортировка по времени | RSS] |
>Помогите разобраться, у меня 2 Cisco: 3550 и 2950, на них несколько
>vlan, соединены между собой через trunk (на порту GigabitEthernet0/2), все работает,
>но все время в syslog валится ошибка Native VLAN mismatch discovered
>on GigabitEthernet0/2.
>
>Всё дело в том, что один из девайсов шлет пакеты без меток
>в натив влан, а второй с метками, ну и они кумекают,
>что это всё к одному влану относится.
>
>Как избавится от ошибки?Три варианта.
1. Сделать switchport trunk native vlan 4 на 2950 на интерфейсе GigabitEthernet0/2
2. Сделать no switchport trunk native vlan на 3550 на интерфейсе GigabitEthernet0/2
3. Если вы ПОНИМАЕТЕ что вы делаете и УВЕРЕНЫ что vlan 4 на 3550 должен превращаться в vlan 1 на 2950 — сделайте no cdp enable на 2950 и на 3550 на интерфейсах GigabitEthernet0/2. Это единственный способ избавится от ошибок при разных native vlanах.
>>Как избавится от ошибки?
>
>Три варианта.
>1. Сделать switchport trunk native vlan 4 на 2950 на интерфейсе GigabitEthernet0/2
>
>2. Сделать no switchport trunk native vlan на 3550 на интерфейсе GigabitEthernet0/2
>
>3. Если вы ПОНИМАЕТЕ что вы делаете и УВЕРЕНЫ что vlan 4
>на 3550 должен превращаться в vlan 1 на 2950 — сделайте
>no cdp enable на 2950 и на 3550 на интерфейсах GigabitEthernet0/2.
>Это единственный способ избавится от ошибок при разных native vlanах.А вообще если вы хотите использовать vlan 4 для управления сделайте на 2950:
int vlan 1
no ip addr
shutint vlan 4
ip addr <addr> <mask>
no shut
>[оверквотинг удален]
>>no cdp enable на 2950 и на 3550 на интерфейсах GigabitEthernet0/2.
>>Это единственный способ избавится от ошибок при разных native vlanах.
> А вообще если вы хотите использовать vlan 4 для управления сделайте на
> 2950:
> int vlan 1
> no ip addr
> shut
> int vlan 4
> ip addr <addr> <mask>
> no shutна интерфейсе сделать
no cdp enableCisco Native VLAN mismatch
After installing a test Meraki MS220-8 switch in my lab environment at home, I noticed when I remoted into my core switch for my lab, a Cisco SG300-20, it was displaying messages about a Native VLAN mismatch. I wanted to take a moment and describe why this message is important. The Cisco Native VLAN mismatch basically is saying that you have a device plugged into your Cisco device that has a different native VLAN than your switch.
The following was seen on the Cisco switch by issuing a show log command:
Cisco Native VLAN mismatch
The native VLAN mismatch is problematic because any untagged traffic on your downstream switch thinks that its native VLAN is a certain VLAN and passes that untagged traffic to your upstream switch which has a native VLAN assigned to another numbered VLAN, that traffic will seemingly traverse VLANs just by traffic moving from one switch to another via the trunk ports. This can create confusion and problems with traffic flow as untagged traffic moves between VLANs getting assigned to different VLANs as the traffic flows.
In my case is wasn’t a big deal as I simply plugged my roughly unconfigured Meraki into my Cisco switch and didn’t have any devices plugged into the Meraki. Chaning the native VLAN on the Meraki is easy enough. Simply login to your cloud console and edit your switch port(s).
As you can see above you simply edit the “Native VLAN” field to match up with your upstream Cisco switch that is complaining about the VLAN mismatch. After editing and saving the configuration on the Meraki switch, I no longer received the VLAN mismatch error on the Cisco switch.
Final Thoughts
Of course in a lab environment, a native VLAN mismatch can be annoying but not the end of the world. However, in a production environment, a native VLAN mismatch can be extremely difficult to track down if it is at play and can potentially cause major outages if untagged traffic isn’t passed as expected.
Solving Native Vlan Mismatch error
I am new in VLANs , im currently trying to complete this topology however i can see the following errors on all the three switches: EX:
The used configuration is : S2:
the vlans created on all switches are:
can any one help me to know what the possible mistake may be?
2 Answers 2
Your interface range commands on S2 and S3 are overwriting the trunk commands you had just inputted. Make sure you verify before inputting that the range doesn’t include a pre-configured port, or you’ll just continually overwrite them.
Native VLAN means — untagging a vlan 99 details, so that if a frame is being transferred to other switch, the receiving end switch will not have your native vlan details, means it’s not tagging your vlan details to the frame.
In your scenario —
Switch 1 configuration is fine.
But Switch 2 interface fa0/1 connected to SW1 fa0/1 should be configured with switchport mode trunk, switchport trunk native vlan 99, you have configured like interface range fa0/1-5 under access mode but not trunk.
Similarly for Switch 3 interface fa0/2 connected to SW1 fa0/2 should be configured with switchport mode trunk, switchport trunk native vlan 99.
The problem is you have configured SW2 and SW3 interfaces which is connected to SW1 is in access mode. Make is as trunk mode and then set the native vlan command. Hope this clarifies your doubt.
