Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2246
Views
0
Helpful
39
Replies

NATIVE_VLAN_MISMATCH

captainit
Level 1
Level 1

‎09-03-2024 11:12 AM

Hello,
I see from my logs in SG220-26 26-Port Gigabit Smart Switch:

NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on gi1, with Cisco-SG220 gi25

captainit_0-1725386634547.png

captainit_1-1725386676933.png

In same switch gi1:

captainit_2-1725386744932.png

 

captainit_3-1725386810251.png

captainit_4-1725386838394.png

From show running config: 

captainit_5-1725386973178.png

Can you please help me solve this? I don’t understand. I know the error indicates that the native VLAN should be the same on both ends, but there are no ends because there is no network cable connected from gi25 to another.
Also I don't understand what is the relation to gi1.

Please help me to solve it☹

 

Labels:
0 Helpful
39 Replies 39

Ramblin Tech
VIP
VIP

‎09-03-2024 11:22 AM

SwitchF476F8/gi1 shows "connected". What is it connected to? CDP can report a native VLAN mismatch; what does CDP say about gi1?

Disclaimers: I am long in CSCO. Bad answers are my own fault as they are not AI generated.
0 Helpful

captainit
Level 1
Level 1
In response to Ramblin Tech

‎09-03-2024 11:35 AM

captainit_1-1725388463337.png
gi1 is connected to a port of patch panel

0 Helpful

captainit
Level 1
Level 1
In response to Ramblin Tech

‎09-03-2024 11:37 AM

captainit_2-1725388616636.png
Attaching another screenshot.

Thanks

 

0 Helpful

Ramblin Tech
VIP
VIP
In response to captainit

‎09-03-2024 11:53 AM

Gi1 is receiving a CDP packet from port gi25 on a SG220-26 switch associated with IP address 192.168.100.251. Gi25 is configured with Native VLAN 1, while local port gi1 is configured for native VLAN 1000, hence the VLAN mismatch message.

Is there possibly another SG220-26 connected to this same patch panel that has IP addr 192.168.100.251?

Disclaimers: I am long in CSCO. Bad answers are my own fault as they are not AI generated.
0 Helpful

captainit
Level 1
Level 1
In response to Ramblin Tech

‎09-03-2024 12:08 PM

I have:
Cisco SG220 - Main Rack - what I sent you 192.168.1.246
Cisco SG220 - Secondary Rack - another switch - in same IP segment 192.168.1.245

192.168.100.251 - is also SG220-26 26-Port Gigabit Smart Switch 


0 Helpful

captainit
Level 1
Level 1
In response to Ramblin Tech

‎09-03-2024 12:12 PM

From 192.168.100.251:
captainit_0-1725390618485.png

captainit_1-1725390695742.png

captainit_2-1725390730483.png
Thanks

 

 

0 Helpful

Ramblin Tech
VIP
VIP

‎09-03-2024 12:17 PM

"192.168.100.251 - is also SG220-26 26-Port Gigabit Smart Switch "

CDP on 192.168.1.246 is claiming that there is L2 connectivity between its own port gi1 and remote port gi25 on the above switch (192.168.100.251), with a VLAN mismatch between the two ports (vlan 1000 local vs vlan 1 remote).

Disclaimers: I am long in CSCO. Bad answers are my own fault as they are not AI generated.
0 Helpful

captainit
Level 1
Level 1
In response to Ramblin Tech

‎09-03-2024 12:28 PM

I understand. GE1 in 192.168.1.246 is access mode:

captainit_0-1725391519766.png

captainit_1-1725391556670.png

DO I need to change only the native vlan to vlan id=1? 
Do I need to change it also to Trunk (does it mean that the two switches are connected together by ethernet cable)?

I understand that only in Trunk I need to change the native vlan, because w it wihen configured as access mode, lt will get the native vlan of the assigned vlan?

Thanks
Many many thanks

0 Helpful

Ramblin Tech
VIP
VIP

‎09-03-2024 12:57 PM - edited ‎09-03-2024 12:58 PM

Access mode is normally intended for connectivity from the switch to an end-system (desktop, server, IOT device, etc) that operates only with untagged frames. In your case, you have two switches connected with at least one of them (.246) operating in access mode, but with a mismatch in their port configs for native VLANs. This represents a potential security vulnerability in that an untagged frame egressing .246 will have come from vlan 1000, but after ingressing .251 it will be associated with vlan 1 and vice versa (vlan-hopping vulnerability).

I will assume that the two switches connected together is intentional, so my recommendation is to connect switches together using only trunk configurations, even if there is only a single vlan to be carried on the link in your current design, as designs change over time. It will be less disruptive to add additional vlans to a trunk in the future than to reconfigure an access port to be a trunk later . I would also tag every frame on the trunk and not rely on native vlans to handle untagged frames (caveat: I do not know if the SG220 supports the IOS command to tag all frames on a trunk).

Disclaimers: I am long in CSCO. Bad answers are my own fault as they are not AI generated.
0 Helpful

captainit
Level 1
Level 1
In response to Ramblin Tech

‎09-03-2024 01:18 PM

Update
When I change GE1 from access mode to trunk on 192.168.1.246 - the admin panel of 192.168.100.251 fall down.
When change it back to access mode vlan 1000 is up again.

vlan 1000= segment 100 (192.168.100.0/24)

What can I do please?

Thanks

0 Helpful

captainit
Level 1
Level 1
In response to Ramblin Tech

‎09-03-2024 01:29 PM

And I also added to trunk vlan1000 and 192.168.100.251 stopped working when doing it

0 Helpful

Ramblin Tech
VIP
VIP

‎09-03-2024 01:34 PM

I suspect that this link (.246/gi1 -- .251/gi25) is the path used to connect to .251 for management purposes and that when you make changes to the ports, the connectivity is lost. What is the current config of gi25 on .251?

Disclaimers: I am long in CSCO. Bad answers are my own fault as they are not AI generated.
0 Helpful

captainit
Level 1
Level 1
In response to Ramblin Tech

‎09-03-2024 01:43 PM

captainit_2-1725390730483.png

captainit_1-1725390695742.png

 Thanks

0 Helpful

Ramblin Tech
VIP
VIP

‎09-03-2024 02:17 PM

It appears that the management interface of .251 (ie, 192.168.100.251) is associated with vlan 1, but the management subnet (192.168.100.0/24) is associated with vlan 1000 in the rest of the network. That is an issue that needs to be rectified, but let us see if we can get into trunking mode first.

When you changed .246/g1 to a trunk, did you also explicitly configure its native vlan to be 1000? That should still send out vlan1000 frames untagged to .251/g25, which will stuff them into its own native vlan 1.

Also, do you have local access to the SG220 switches where you can connect a console cable? The best way to make changes that might be service-impacting would be to schedule a maintenance window and be onsite with the devices (or have out-of-band access to their consoles). You could reconfigure the trunks on both switches via their consoles and be back up in a matter of minutes.

Disclaimers: I am long in CSCO. Bad answers are my own fault as they are not AI generated.
0 Helpful
Customers Also Viewed These Support Documents