Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1496
Views
10
Helpful
3
Replies

Native VLAN blocking traffic

mediaworksnz
Level 1
Level 1

‎03-25-2018 12:59 PM - edited ‎03-08-2019 02:23 PM

Hello, I have a pair of ports on opposing switches configured as port channels. One side has a different native VLAN to the other.

From switch 1, I cannot ping devices on switch 2 in VLAN 46. What exactly is causing this to fail ?

Thank you.

 

Switch 1:

interface Port-channel5
switchport trunk native vlan 46
switchport trunk allowed vlan 10,46
switchport mode trunk
end

 

Switch 2:

interface Port-channel5
switchport mode trunk
switchport trunk allowed vlan 10,46
switchport mode trunk
end

 

Labels:
0 Helpful
3 Replies 3

Peter Paluch
Cisco Employee
Cisco Employee

‎03-25-2018 01:37 PM

Hi,

With your configuration, when you ping hosts in VLAN 46 from Switch1, the frames leave Switch1 untagged - this is because VLAN 46 is the native VLAN on Port-channel5 of Switch1. However, when Switch2 receives the untagged frames, it will treat them according to its own native VLAN on Port-channel5, which is 1. And, since VLAN 1 is not present in the list of allowed VLANs on Po5 of Switch2, the switch will drop these frames. This is why your ping - nor any other connectivity in VLAN 46 - does not work.

In addition, STP on trunks would also be able to detect a mismatch in native VLANs, and block the ports for the mismatched pair of VLANs.

Obviously, the correct solution is to make the native VLAN on both ends of the trunk the same.

Best regards,
Peter

Deepak Kumar
VIP Alumni
VIP Alumni

‎03-25-2018 11:14 PM

I hope you checked the logs on your switch as getting "CDP: Native VLAN mismatch"(If CDP enabled) for the particular port-channel. Add same native VLAN at both switches as below:

 

Switch 1:

interface Port-channel5
switchport trunk native vlan 46
switchport trunk allowed vlan 10,46
switchport mode trunk
end

 

Switch 2:

interface Port-channel5
switchport mode trunk

switchport trunk native vlan 46
switchport trunk allowed vlan 10,46
switchport mode trunk
end

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

gs.skills
Level 1
Level 1

‎03-26-2018 07:47 AM

Hello,

to ping from SW1, it requires:

  • Layer 3 connectivity:
    • a SVI for VLAN 46 (interface vlan 46) with an IP that belongs to VLAN 46 subnet
    • or an IP address that belongs to another subnet plus a default gateway address on this same subnet (Layer 3 connectivity from the gateway to VLAN 46 subnet required)
  • Layer 2 connectivity

On my switches, the default for trunks is to tag the native VLAN

SW#show vlan dot1q tag native 
dot1q native vlan tagging is enabled

If not enabled, enabling this features on both switches prevents VLAN hopping attacks (and the native VLAN mismatch do not break connectivity)

 

Regards, Guillaume

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card