Hi,

It resolved the flapping for the ports. But, there is still the native vlan mismatch issue on it. 

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/0/27 (689), with C3650-S.abc.com GigabitEthernet1/0/25 (1).

Please firstly explain what you are trying to do. Do you want your L3 switch to be in one access VLAN on the L2 switch so it can route to the firewall? Or are you trying to trunk multiple VLANs from L2 switch to L3 switch?

Also tell me do you have SVI on L3 switch which you are going to use to route to the firewall?

Please do the following commands and post the output here from both sides of the L3 switch and L2 switch.

"show etherchannel summary"

"show run int gi1/0/27"

"show run int gi1/0/28"

"show run int poX" (whichever port-channel number you gave it.

L3 switch do not need to access vlan on L2 switch. L3 switch is having the same network segment with firewall interface. The Vlan on L2 switch is purely for segregation only. 

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Gi1/0/27(P) Gi1/0/28(P) 

interface Port-channel1
 switchport access vlan 689
 switchport mode access
end

interface GigabitEthernet1/0/27
 switchport access vlan 689
 switchport mode access
 spanning-tree portfast
 channel-group 1 mode on
end

interface GigabitEthernet1/0/28
 switchport access vlan 689
 switchport mode access
 spanning-tree portfast
 channel-group 1 mode on
end

OK, so instead why not make the port-channel on L3 switch as routed port instead of switchport? Instead of SVI vlan 689, the IP address will be on port-channel 1. Then your L3 switch will be like host on the L2 switch.

I do not want to put everything together in vlan 1 on L2 switch. There are other network using the default vlan 1 in L2 switch.

Then you can create another vlan on the L2 switch, and have the firewall and the L3 switch in that vlan? At the moment you have everything in VLAN 1 on L2 switch anyway.

You need to ensure the native vlan is the same both sides.

#switchport trunk native vlan [x]

[x] would be the VLAN ID you want to be native.

When creating a Trunk between the switches, i.e to pass traffic for more than 1 VLAN then the Native vlan needs to match both sides otherwise you end up with traffic bleeding between vlans.

The config both sides should be something like:

#switchport mode trunk
#switchport trunk native vlan [x]
#channel-group [y] mode [z]

The [x] will be the Vlan ID you want as the Native
The [y] will be the Port Channel Number
The [z] will be the Port Channel mode you want

Hope this helps

Hi devils_advocate, we might not want to be doing trunking here depending on the requirements.