Hi Jan,

This seems a bit too prevalent to be a typo  because I'm seeing it in all the AireOS 8.10 and IOS-XE 17.x configuration guides.

My undertanding of switchport trunk allowed vlan 101 is that frames egressed from the switch on vlan 101 will be tagged (.1q in this case) and frames ingressed to the switch with dot1q tag of 101 will be accepted into vlan 101.

The native vlan 100 command will egress traffic from the switch on vlan 100 without a .1q header and will accept the same untagged frames on ingress.

By having vlan 100 as both native and trunked, actually the behaviour seems somewhat undocumented. Most likely it would allow the switch to accept untagged and tagged frames on vlan 100 (on ingress from the AP). Probably egressed frames would go untagged.

I guess this is ultimately a question of whether Cisco amended the AP firmware in their later releases or they propagated bad config into all their config guides. Generally I'd consider seeing the same vlan id as both native and trunked is a bit tactless.

Regards

James.

Well, I think it's more discussion if VLAN is tagged or not. I am 99% sure that even if you have command "switchport trunk native vlan100" present but is on allowed it will not pass the trunk so thus it is useless. 

By command "switchport trunk native vlan100" you just say that you are expecting some traffic to be untagged on specific VLAN. So, let's say you want to have AP MGMT interface in VLAN100 untagged so then you use this command but also you have to include it in trunk. Without that, traffic on VLAN100 will not pass via that trunk.

interface Te1/0/1

description AP
switchport mode trunk <<<< change port to trunk mode
switchport trunk encapsulation dot1q <<<< here you say you want to tag traffic
switchport trunk native vlan 100 <<<< here you select what VLAN you want to have NATIVE (untagged)
switchport trunk allowed vlan 101 <<<< here you say what VLAN you ALLOW in the trunk. Of course, rest of VLAN are tagged except NATIVE one

So again, VLAN100 is missing so traffic on VLAN100 will not pass.

Hope this helps

Jan

> So again, VLAN100 is missing so traffic on VLAN100 will not pass

That's not quite my understanding. By "will not pass" did you mean the switch will not allow the frames to ingress or to egress? The switch would egress VLAN100 traffic untagged towards the AP and it would accept anything ingressed untagged from the AP and assume it to belong to VLAN100 (I think).

Incidentally, I'm reading on reddit that "most switches if they receive a frame tagged for the native vlan, they will forward it normally anyway".  This may mean that it's simply by specifying VLAN 100 as the native VLAN you are also implicitly adding it to the .1q trunk (for traffic ingressed to the switch).

Simply if VLAN is not included in allowed VLAN list it will not work that's all. It does not matter if it is native or not. In the trunk you have to specify what VLANs you want to allow on that trunk. If you don't allow traffic will not go through that link.

See this article https://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=7