cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
691
Views
5
Helpful
3
Replies

CDP mismatch

deypuchka
Level 1
Level 1

Hello,

I am trying to just connect two layer 3 switch together where int e0/0 and e0/1 is set as trunk port and e2/0 as access port of vlan 10 in both switches. After configuring this I always get this error message and I want to ask is this a big issue if it occurs in production ?

Error message:

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on Ethernet2/0 (10), with IOU1 Ethernet2/0 (1).

 

 

 

wwwwwwwww.png

Configurations:

IOU1:

hostname IOU1
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending

interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10
switchport mode trunk
duplex auto
!
interface Ethernet0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport trunk allowed vlan 10
switchport mode trunk
duplex auto
!
interface Ethernet0/2
ip address 103.120.31.114 255.255.255.248
duplex auto

interface Ethernet2/0
switchport
switchport access vlan 10
switchport mode access
duplex auto

ip route 0.0.0.0 0.0.0.0 Ethernet0/2



IOU2:

hostname IOU2

spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending

interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Ethernet0/0
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 20
switchport trunk allowed vlan 10
switchport mode trunk
duplex auto
!
interface Ethernet0/1
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 20
switchport trunk allowed vlan 10
switchport mode trunk
duplex auto
!
interface Ethernet0/2
ip address 103.120.31.115 255.255.255.248
duplex auto


interface Ethernet2/0
switchport
switchport access vlan 10
switchport mode access
duplex auto

no ip http server
ip route 0.0.0.0 0.0.0.0 Ethernet0/2
3 Accepted Solutions

Accepted Solutions

native VLAN in trunk 
one side is 20 other side is 10, 
this wrong 
the native must match in both side.

View solution in original post

In addition to what @MHM Cisco World said and to answer your question, yes its bad in production. A user could use that vulnerability to VLAN hop. The point of the native VLAN is to not tag ONE specific VLAN as it enters the trunk, so when the frame gets to the other side it knows the only untagged frames belong to the native VLAN, which needs to be the same on each side. If you have a native VLAN of 20 on one side and native VLAN of 10 on the other then an attacker (or even normal user) could VLAN hop. So when it sends an untagged frame of VLAN 10 into the trunk, as it comes out of the other side it thinks it belongs to VLAN 20 (since its native VLAN is 20 and native VLANs are untagged) and propagates it in that VLAN. 

 

Best practice is to disable native VLAN unless you NEED to send an untagged frame on a port (usually to be compatible with other vendors that dont understand tags on VLANS)

 

Hope that helps

 

-David

View solution in original post

Joseph W. Doherty
Hall of Fame
Hall of Fame

"After configuring this I always get this error message and I want to ask is this a big issue if it occurs in production ?"

Depends what you're trying to accomplish. Normally such an error message would indicate a configuration error, which is why the other posters consider such a configuration as "wrong" or "bad".  However, there might be some (highly unusual) reason you need to do this.  If so, you either live with lots of these error messages or you disable CDP on the "problem" port.

BTW, the error message, itself, would also appear wrong, assuming your posted configs and network diagram are correct.  Why?

Well, the error message is flagging interface e2/0 on both switches, but those interfaces connect to Switch2 and are both configured as access ports using VLAN10.(?!)

Also, on IOU2's e0/0 and e0/1, you have the native VLAN as 20, but your only

permit VLAN10

on the trunk.(?!)

View solution in original post

3 Replies 3

native VLAN in trunk 
one side is 20 other side is 10, 
this wrong 
the native must match in both side.

In addition to what @MHM Cisco World said and to answer your question, yes its bad in production. A user could use that vulnerability to VLAN hop. The point of the native VLAN is to not tag ONE specific VLAN as it enters the trunk, so when the frame gets to the other side it knows the only untagged frames belong to the native VLAN, which needs to be the same on each side. If you have a native VLAN of 20 on one side and native VLAN of 10 on the other then an attacker (or even normal user) could VLAN hop. So when it sends an untagged frame of VLAN 10 into the trunk, as it comes out of the other side it thinks it belongs to VLAN 20 (since its native VLAN is 20 and native VLANs are untagged) and propagates it in that VLAN. 

 

Best practice is to disable native VLAN unless you NEED to send an untagged frame on a port (usually to be compatible with other vendors that dont understand tags on VLANS)

 

Hope that helps

 

-David

Joseph W. Doherty
Hall of Fame
Hall of Fame

"After configuring this I always get this error message and I want to ask is this a big issue if it occurs in production ?"

Depends what you're trying to accomplish. Normally such an error message would indicate a configuration error, which is why the other posters consider such a configuration as "wrong" or "bad".  However, there might be some (highly unusual) reason you need to do this.  If so, you either live with lots of these error messages or you disable CDP on the "problem" port.

BTW, the error message, itself, would also appear wrong, assuming your posted configs and network diagram are correct.  Why?

Well, the error message is flagging interface e2/0 on both switches, but those interfaces connect to Switch2 and are both configured as access ports using VLAN10.(?!)

Also, on IOU2's e0/0 and e0/1, you have the native VLAN as 20, but your only

permit VLAN10

on the trunk.(?!)

Review Cisco Networking for a $25 gift card