Native Vlan Missmatch message

Hi All,
I am connecting 2950 switch port to 6505 switch port, both ports are in trunking mode and allowing only one vlan on the both.
On 6505 switch I set as follows:-
enable> set trunk 2/23 700
enable> set trunk 2/23 nonegotiate dot1q.
On 2950 I set it as follows:
(conf)int f0/23
switchport mode trunk
switchport trunk Native vlan 700
switchport nonegotiate.
when I issue the show logging, I noticed the (Native Vlan missmatch).
when I chang the switch port config on 2950 to the following it doesn't work:-
int f0/23
switchport mode trunk
switchport trunk allowed vlan 700
switchport nonegotiate
when I did the above, the traffic is discarded and subnets 0n the Core 6505 couldn't access subnets on their remote locations.
Could any body tell me the reason of that, and why I am getting Native Message? as well as why it works only if I set 2950 swith port to (trunk Native vlan ,,,, or ,,,, access mode).
thanks...

Hi Friend,
On cat6k though you have configured it as trunk and allowed only vlan 700 but still the native vlan is 1 by default.
And you have configured on 2950 native vlan as 700.
So what I will suggest you is to change the native vlan on cat6k switch also to vlan 700
How you can do this on catos is
set vlan 700 2/23
Now what this will do is on cat6k it will make vlan 700 as native on trunk and you can keep the conig on 2950 same
(conf)int f0/23
switchport mode trunk
switchport trunk Native vlan 700
switchport nonegotiate.
or if you just waan a get rid of the error message and keep the config as it was earlier you can also disable CDP on the interface level.
HTH, if yes please rate the post.
Ankur

Similar Messages

Cisco Nexus 5010 & Cisco 3560G Native Vlan 55 ?

Hello Everyone,
I have 2 switches named in the title that have Switchport mode Trunk Native Vlan 55. In the vlan configurations I do not see a Vlan 55.
Does anyone know why this is configured this way ?
P.S I am new to the config

It's odd because I did that last time on both switches and it didn't show.
But I did it when you sent this message and lo and behold it was.
Thank you

Native vlan mismatch error msg from cdp

get this message from my 6509 connects to 3550. but no trunking is set between them. my other ports also have the same settings, with no err msg but have a native vlan unknown status... why???
this 6509 is not set by me.. :(

I do not have enough information from you to say if it is a bug. Past output of
sh ver
sh cdp neigh detail
sh int trunk
sh run int gigx/y or sh run int fas x/y

Native Vlan Mismatch on Switch LD connected to

I am running 3 switches each with the same 3 vlans. I also have 2 local directors in failover mode. The primary has interfaces connected to switch one and the secondary has interfaces to switch two. Trunking is disabled on all device ports but enabled on a dedicated fiber connection between the 2 switches
The first vlan is vlan 1 for management
The second is vlan 2 for the gateway side of the local directors
The third is vlan 3 for the server side of the local directors
On the primary switch I am logging CDP messages telling me i have a native vlan mismatch on the 2 local director ports. The secondary switch I dont get these messages.
Any ideas what is going on here and why? Thanks, Art.

You mention above " but trunking is enabled on a dedicated fiber connection between the two switches", therefore trunking is enabled.
Because trunked ports need to be assigned to the same native vlan, I would do a "show trunk" and verify that the port used for trunking on each switch, are assigned to the same native vlan, I've seen the mismatch if the are not. That command above is if your switch is using CatalystOS, otherwise, use this command for NativeOS - sh int fast 0/1 switchport and look for the "trunking native mode vlan" number. They must match on each side. To correct the problem, do set vlan 1 4/10 to assign port 4/10 to vlan 1 which, is your management vlan which I assume you've choosen to be your native vlan.
Hope this helps.

Native vlan mismatch

Dear all,
I am getting the following message in our VSS.
Sep 2 05:56:18.501: %CDP-SW1-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch
discovered on GigabitEthernet1/2/29 (304), with HQ-DC-CSW-VSS.abc.com
GigabitEthernet2/2/28 (300).
interface GigabitEthernet2/2/28
description *** F5 Load Balancer Port 2 Primary ***
switchport
switchport access vlan 300
switchport mode access
interface GigabitEthernet1/2/29
description *** F5 Load Balancer Port 5 Primary ***
switchport
switchport access vlan 304
switchport mode access
Can anyone explain me how I get this message although g2/2/28 and gi 1/2/29 are access ports.?How to fix this issue?Is this interrupt the network(loop)?
Thanks

Could u try this:
sw1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
sw1(config)#no cdp advertise-v2
regards
Inayath

SPT Inconsistent Native Vlan

Hi,
I cant figure out why this is showing on switches.
Core switch brc-k25-1 is using Native Vlan 1
Access switch c2-k25-5 is using Native Vlan 1
I get the following error message on the access switch:
Jun 27 08:57:40: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 171 on GigabitEthernet1/0/49 VLAN1.
Jun 27 08:57:40: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/49 on VLAN0171. Inconsistent peer vlan.
Jun 27 08:57:40: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/49 on VLAN0001. Inconsistent local vlan.
Jun 27 08:57:40: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Jun 27 08:57:55: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/49 on VLAN0171. Port consistency restored.
Jun 27 08:57:55: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/49 on VLAN0001. Port consistency restored.
Jun 27 08:57:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Because of the error, I cannot login to the access switch using the native Vlan IP Address.
brc-k25-1 config:
interface GigabitEthernet3/2
description c2-k25-5
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,146,171
switchport mode trunk
logging event link-status
logging event trunk-status
qos trust dscp
tx-queue 1
bandwidth percent 69
tx-queue 2
bandwidth percent 1
tx-queue 3
bandwidth percent 15
priority high
tx-queue 4
bandwidth percent 15
end
brc-k25-1#sh interfaces gigabitEthernet 3/2 switchport
Name: Gi3/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 1,146,171
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
interface Vlan1
ip address 172.27.40.254 255.255.255.02
ip access-group vlan1out out
==================================================
c2-k25-5 config:
c2-k25-5#sh cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
brc-k25-1 Gig 1/0/49 138 R S I WS-C4506 Gig 3/2
interface GigabitEthernet1/0/49
description brc-k25-5
switchport trunk allowed vlan 1,146,171
switchport mode trunk
interface Vlan1
ip address 172.27.40.18 255.255.255.0
interface Vlan146
ip address 172.31.146.1 255.255.255.0
c2-k25-5#sh interfaces gigabitEthernet 1/0/49 switchport
Name: Gi1/0/49
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 1,146,171
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Thanks for the replies.
I did remove the ACL from the VLAN1 but nothing change. Also the allowed VLAN1 was not included in the trunk allowed before, same result as now.
Jun 30 09:06:40: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 171 on GigabitEthernet1/0/49 VLAN1.
Jun 30 09:06:40: %SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/0/49 on VLAN0171. Inconsistent peer vlan.
Jun 30 09:06:40: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet1/0/49 on VLAN0001. Inconsistent local vlan.
Jun 30 09:06:41: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Jun 30 09:06:55: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/49 on VLAN0171. Port consistency restored.
Jun 30 09:06:55: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet1/0/49 on VLAN0001. Port consistency restored.
Jun 30 09:06:56: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
We have multiple switches attached to the brc-k25-1 and only 2 switches are affected using VLAN1 management. I had to create another VLAN ID so that I can use that IP Address to SSH. Very weird problem.

%CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface fa1.

I am getting the following message in my logs on SF300-8
"%CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface fa1."
What is causing the error, see VLAN setup below:

Hi,
Yes, in this case you can change the native vlan on the that switch with the command (config-if)#switchport trunk native vlan #, there is no need to reboot the switch in order for the change to take effect.
Regards,

Switchport trunk native vlan question...

What am I missing in regards to the following two lines assigned to a sw interface:
switchport trunk native vlan 80
switchport mode trunk
Why assign a VLAN to the port when your trunking it (meaning you allowing all VLANs to pass)?
Thank you.

By default native VLAN is VLAN 1, but can be changed to any No. on the trunk port by command "switchport trunk native vlan #". This will make a new vlan# as native & allow all pkts from this vlan to pass thru trunk untagged.
Native VLANs are used to carry CDP, PAgP & VTP messages. Thus the Frames on native VLAN are untagged. For these messages to propagate between devices, native VLANS must match on both sides of the trunk. In case of native VLAN mismatch on bothsides of the trunk, STP will put the trunk port in err-disabled state.

Native VLAN discrepancy is not reported in LMS 4.0

Hi all,
I have the following problem in LMS 4.0. I see a lot of CDP syslog messages about Native Vlan Mismatch, but the LMS doesn't report it in the disrepancy report. Why?? The similar problem is with TRUNK VLAN Mismatch.
The customer doesn't use VTP in his network. All switches are in the VTP transparent mode.
See the attachment.
Tank you very much
Roman

Moved discussion to Network Management sub-community for quicker response.
Regards,
Pulkit Nagpal
Community Manager- R&S

Nativ vlan confusion

Dear All,
We have two sg300-52 managed switch connected via gi 52 with trunk ports. One of these (switchA) connected (via gi51) with an other cisco sf300-24p (switchVOIP) managed switch, which preconfigured and I don't know the configuration. This sf300 is used for voip. There is a fourth unmanaged 3com switch (switch3COM) with connection to the other sg300 (switchB).
There are four vlan in switchA and switchB:
Vlan1 -> the default vlan1, connected to switch3COM (and it seems to be good)
Vlan10 -> office net
Vlan5 -> voip
vlan105->public
switch3COM --} VLAN1 {---switchB --- gi52 } TRUNK allowed 1,5,10,105 {gi52----switchA ---gi51 Access port VLAN 5}---{swicthVOIP
My problem is the connection between switchA and switchVOIP.
The switchVOIP is in 'default mode', the contact person said they don't configure it, and leaving everythink defult. So I think it use its default vlan1 on its every ports. However the phones work perfectly, on switchA I can see the:
CDP-W-NATIVE-VLAN-MISMATCH on interface gi 51.
On the switchA I configured the gi51 (to the switchVOIP) access mode.
show interfaces switchport gi 51 =>
PortMode:access
Ingress Filtering:true
Acceptable Frame Type; adminAll
Ingress Untagged VLAN (NATIVE): 5
Port is memeber in:
Vlan 5
Egress rule:untagged
I would like every packet leaving switchVOIP to be injected in my switchA VLAN5, and as I know this should be done by
Ingress Untagged VLAN (NATIVE): 5
Is there any way to get rid of this mismatch messages?
Thank you very much.

If you want all packets to be in vlan 5 on switch A then you can either -
a) configure all the ports on the VOIP switch to be in vlan 5
or
b) turn off CDP which will obviously remove those messages but CDP can be useful for troubleshooting
or
c) just accept that you will see these messages
Jon

The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?

Hello
I think the following topologies are supported for Cisco Routers
And the Physical interface also can be using as Native VLAN interface right?
Topology 1.
R1 Gi0.1 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
R1 - configuration
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
ip address 10.0.0.1 255.255.255.0
Topology 2.
R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
interface GigabitEthernet0
ip address 10.0.0.1 255.255.255.0
And is it ok to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc?
R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3
Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4 (same VLAN-ID)
R1 - configuration
interface GigabitEthernet0
ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet8.20
encapsulation dot1Q 20
ip address 20.0.0.1 255.255.255.0
Any information is very appreciated. but if there is any CCO document please let me know.
Thank you very much and regards,
Masanobu Hiyoshi

Hello,
The diagram is helpful.
If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
Best regards,
Peter

Various questions on uplink profiles, CoS, native VLAN, downlink trunking

I will be using vPC End Host Mode with MAC-pinning. I see I can further configure MAC-Pinning. Is this required or will it automatically forward packets by just turning it on? Is it also best not to enable failover for the vnics in this configuration? See this text from the Cisco 1000V deployment Guide:
Fabric Fail-Over Mode
Within the Cisco UCS M71KR-E, M71KR-Q and M81KR adapter types, the Cisco Unified Computing System can
enable a fabric failover capability in which loss of connectivity on a path in use will cause remapping of traffic
through a redundant path within the Cisco Unified Computing System. It is recommended to allow the Cisco Nexus
1000V redundancy mechanism to provide the redundancy and not to enable fabric fail-over when creating the
network interfaces within the UCS Service Profiles. Figure 3 shows the dialog box. Make sure the Enable Failover
checkbox is not checked."
What is the 1000V redundancy?? I didn't know it has redundancy. Is it the MAC-Pinning set up in the 1000V? Is it Network State Tracking?
The 1000V has redundancy and we can even pin VLANs to whatever vNIC we want. See Cisco's Best Practices for Nexus 1000V and UCS.
Nexus1000V management VLAN. Can I use the same VLAN for this and for ESX-management and for Switch management? E.g VLan 3 for everything.
According to the below text (1000V Deployment Guide), I can have them all in the same vlan:
There are no best practices that specify whether the VSM
and the VMware ESX management interface should be on the same VLAN. If the management VLAN for
network devices is a different VLAN than that used for server management, the VSM management
interface should be on the management VLAN used for the network devices. Otherwise, the VSM and the
VMware ESX management interfaces should share the same VLAN.
I will also be using CoS and Qos to prioritize the traffic. The CoS can either be set in the 1000V (Host control Full) or per virtual adapter (Host control none) in UCS. Since I don't know how to configure CoS on the 1000V, I wonder if I can just set it in UCS (per adapter) as before when using the 1000V, ie. we have 2 choices.
Yes, you can still manage CoS using QoS on the vnics when using 1000V:
The recommended action in the Cisco Nexus 1000V Series is to assign a class of service (CoS) of 6 to the VMware service console and VMkernel flows and to honor these QoS markings on the data center switch to which the Cisco UCS 6100 Series Fabric Interconnect connects. Marking of QoS values can be performed on the Cisco Nexus 1000V Series Switch in all cases, or it can be performed on a per-VIF basis on the Cisco UCS M81KR or P81E within the Cisco Unified Computing System with or without the Cisco Nexus 1000V Series Switch.
Something else: Native VLANs
Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is setup. Why? I have been advised to leave out the native VLAN.
Example:Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (Eg. VLAN 2)? Can I just configure a access port with the same VLAN ID as the native VLAN, i.e 2 and connect to it with a PC using the same IP network address?
And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
No, port channel should not be configured when MAC-pinning is configured.
[Robert] The VSM doesn't participate in STP so it will never send BPDU's. However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter. PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDU's from VMs. I prefer to ignore them then using BPDU Gaurd - which will shutdown the interface if BPDU's are received.
-Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
Edit: 26 July 14:23. Found answers to many of my many questions...

Answers inline.
Atle Dale wrote:
Something else: Native VLANsIs it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is setup. Why? I have been advised to leave out the native VLAN.[Robert] The native VLAN is assigned per hop. This means between the 1000v Uplinks port profile and your UCS vNIC definition, the native VLAN should be the same. If you're not using a native VLAN, the "default" VLAN will be used for control traffic communication. The native VLAN and default VLAN are not necessarily the same. Native refers to VLAN traffic without an 802.1q header and can be assigned or not. A default VLAN is mandatory. This happens to start as VLAN 1 in UCS but can be changed. The default VLAN will be used for control traffic communication. If you look at any switch (including the 1000v or Fabric Interconnects) and do a "show int trunk" from the NXOS CLI, you'll see there's always one VLAN allowed on every interface (by default VLAN 1) - This is your default VLAN.Example:Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (Eg. VLAN 2)? Can I just configure a access port with the same VLAN ID as the native VLAN, i.e 2 and connect to it with a PC using the same IP network address?[Robert] There's no VLAN 0. An access port doesn't use a native VLAN - as its assigned to only to a single VLAN. A trunk on the other hand carries multiple VLANs and can have a native vlan assigned. Remember your native vlan usage must be matched between each hop. Most network admins setup the native vlan to be the same throughout their network for simplicity. In your example, you wouldn't set your VM's port profile to be in VLAN 0 (doens't exist), but rather VLAN 2 as an access port. If VLAN 2 also happens to be your Native VLAN northbound of UCS, then you would configured VLAN 2 as the Native VLAN on your UCS ethernet uplinks. On switch northbound of the UCS Interconnects you'll want to ensure on the receiving trunk interface VLAN 2 is set as the native vlan also. Summary:1000v - VM vEthernet port profile set as access port VLAN 21000v - Ethernet Uplink Port profile set as trunk with Native VLAN 2UCS - vNIC in Service Profile allowing all required VLANs, and VLAN 2 set as NativeUCS - Uplink Interface(s) or Port Channel set as trunk with VLAN 2 as Native VLANUpstream Switch from UCS - Set as trunk interface with Native VLAN 2From this example, your VM will be reachable on VLAN 2 from any device - assuming you have L3/routing configured correctly also.And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...[Robert] This statement recommends "not" to use a native VLAN. This is a practice by some people. Rather than using a native VLAN throughout their network, they tag everything. This doesn't change the operation or reachability of any VLAN or device - it's simply a design descision. The reason some people opt not to use a native VLAN is that almost all switches use VLAN 1 as the native by default. So if you're using the native VLAN 1 for management access to all your devices, and someone connects in (without your knowing) another switch and simply plug into it - they'd land on the same VLAN as your management devices and potentially do harm.What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup descrived here with 1000V and MAC-pinning.[Robert] On the first generation hardware (6100 FI and 2104 IOM) port channeling is not possible. With the latest HW (6200 and 2200) you can create port channels with all the IOM - FI server links. This is not configurable. You either tell the system to use Port Channel or Individual Links. The major bonus of using a Port Channel is losing a link doesn't impact any pinned interfaces - as it would with individual server interfaces. To fix a failed link when configured as "Individual" you must re-ack the Chassis to re-pinn the virtual interfaces to the remaining server uplinks. In regards to 1000v uplinks - the only supported port channeling method is "Mac Pinning". This is because you can't port channel physical interfaces going to separate Fabrics (one to A and one to B). Mac Pinning gets around this by using pinning so all uplinks can be utilized at the same time.--[Robert] The VSM doesn't participate in STP so it will never send BPDU's. However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter. PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDU's from VMs. I prefer to ignore them then using BPDU Gaurd - which will shutdown the interface if BPDU's are received.-Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?[Robert] The two STP commands would be used only when the VEM (ESX host) is directly connected to an upstream switch. For UCS these two commands to NOT apply.

QoS / Native VLAN Issue - Please HELP! :)

I've purchased 10 Cisco Aironet 2600 AP’s (AIR-SAP2602I-E-K9 standalone rather than controller based).
I’ve configured the WAP’s (or the first WAP I’m going to configure and then pull the configuration from and push to the others) with 2 SSID’s. One providing access to our DATA VLAN (1000 – which I’ve set as native on the WAP) and one providing access to guest VLAN (1234). I’ve configured the connecting DELL switchport as a trunk and set the native VLAN to 1000 (DATA) and allowed trunk traffic for VLAN’s 1000 and 1234. Everything works fine, when connecting to the DATA SSID you get a DATA IP and when you connect to the GUEST SSID you lease a GUEST IP.
The problem starts when I create a QoS policy on the WAP (for Lync traffic DSCP 40 / CS5) and try to attach it to my VLAN’s. It won’t let me attach the policy to VLAN 1000 as it’s the native VLAN. If I change VLAN 1000 on the WAP to NOT be the native VLAN I can attach the policies however wireless clients can no longer attach to either SSID properly as they fail to lease an IP address and instead get a 169.x.x.x address.
I'm sure I'm missing something basic here so please forgive my ignorance.
This is driving me insane!
Thanks to anyone that provides assistance. Running config below and example of the error...
User Access Verification
Username: admin
Password:
LATHQWAP01#show run
Building configuration...
Current configuration : 3621 bytes
! Last configuration change at 02:37:59 UTC Mon Mar 1 1993 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname LATHQWAP01
logging rate-limit console 9
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
no ip routing
dot11 syslog
dot11 vlan-name Data vlan 1000
dot11 vlan-name Guest vlan 1234
dot11 ssid LatitudeCorp
   vlan 1000
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii
dot11 ssid LatitudeGuest
   vlan 1234
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii
crypto pki token default removal timeout 0
username admin privilege 15 password!
class-map match-all _class_Lync0
match ip dscp cs5
policy-map Lync
class _class_Lync0
set cos 6
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 1234 mode ciphers aes-ccm
encryption vlan 1000 mode ciphers aes-ccm
ssid LatitudeCorp
ssid LatitudeGuest
antenna gain 0
stbc
station-role root
interface Dot11Radio0.1000
encapsulation dot1Q 1000 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.1234
encapsulation dot1Q 1234
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 spanning-disabled
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
service-policy input Lync
service-policy output Lync
interface Dot11Radio1
no ip address
no ip route-cache
encryption vlan 1234 mode ciphers aes-ccm
encryption vlan 1000 mode ciphers aes-ccm
ssid LatitudeCorp
ssid LatitudeGuest
antenna gain 0
no dfs band block
stbc
channel dfs
station-role root
interface Dot11Radio1.1000
encapsulation dot1Q 1000 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.1234
encapsulation dot1Q 1234
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 spanning-disabled
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
service-policy input Lync
service-policy output Lync
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface GigabitEthernet0.1000
encapsulation dot1Q 1000 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.1234
encapsulation dot1Q 1234
no ip route-cache
bridge-group 255
bridge-group 255 spanning-disabled
no bridge-group 255 source-learning
service-policy input Lync
service-policy output Lync
interface BVI1
ip address 10.10.1.190 255.255.254.0
no ip route-cache
ip default-gateway 10.10.1.202
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
transport input all
end
LATHQWAP01#conf
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line. End with CNTL/Z.
LATHQWAP01(config)#int dot11radio1.1000
LATHQWAP01(config-subif)#ser
LATHQWAP01(config-subif)#service-policy in
LATHQWAP01(config-subif)#service-policy input Lync
set cos is not supported on native vlan interface
LATHQWAP01(config-subif)#

Hey Scott,
Thank you (again) for your assistance.
So I' ve done as instructed and reconfigured the WAP. I've added an additional VLAN (1200 our VOIP VLAN) and made this the native VLAN - so 1000 and 1234 are now tagged. I've configure the BVI interface with a VOIP IP address for management and can connect quite happily. I've configured the connecting Dell switchport as a trunk and to allow trunk vlans 1000 (my DATA SSID), 1200(native) and 1234 (MY GUEST SSID). I'm now back to the issue where when a wireless client attempts to connect to either of my SSID's (Guest or DATA) they are not getting a IP address / cannot connect.
Any ideas guys? Forgive my ignorance - this is a learning curve and one i'm enjoying.
LATHQWAP01#show run
Building configuration...
Current configuration : 4426 bytes
! Last configuration change at 20:33:19 UTC Mon Mar 1 1993 by Cisco
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname LATHQWAP01
logging rate-limit console 9
enable secret 5
no aaa new-model
no ip source-route
no ip cef
dot11 syslog
dot11 vlan-name DATA vlan 1000
dot11 vlan-name GUEST vlan 1234
dot11 vlan-name VOICE vlan 1200
dot11 ssid LatitudeCorp
   vlan 1000
   authentication open
   authentication key-management wpa version 2
   mobility network-id 1000
   wpa-psk ascii
dot11 ssid LatitudeGuest
   vlan 1234
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   mobility network-id 1234
   wpa-psk ascii
   no ids mfp client
dot11 phone
username CISCO password
class-map match-all _class_Lync0
match ip dscp cs5
policy-map Lync
class _class_Lync0
set cos 6
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 1000 mode ciphers aes-ccm
encryption vlan 1234 mode ciphers aes-ccm
ssid LatitudeCorp
ssid LatitudeGuest
antenna gain 0
stbc
mbssid
station-role root
interface Dot11Radio0.1000
encapsulation dot1Q 1000
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 spanning-disabled
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
service-policy input Lync
service-policy output Lync
interface Dot11Radio0.1200
encapsulation dot1Q 1200 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.1234
encapsulation dot1Q 1234
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 spanning-disabled
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
service-policy input Lync
service-policy output Lync
interface Dot11Radio1
no ip address
encryption vlan 1000 mode ciphers aes-ccm
encryption vlan 1234 mode ciphers aes-ccm
ssid LatitudeCorp
ssid LatitudeGuest
antenna gain 0
peakdetect
no dfs band block
stbc
mbssid
channel dfs
station-role root
interface Dot11Radio1.1000
encapsulation dot1Q 1000
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 spanning-disabled
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
service-policy input Lync
service-policy output Lync
interface Dot11Radio1.1200
encapsulation dot1Q 1200 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.1234
encapsulation dot1Q 1234
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 spanning-disabled
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
service-policy input Lync
service-policy output Lync
interface GigabitEthernet0
no ip address
duplex full
speed auto
interface GigabitEthernet0.1000
encapsulation dot1Q 1000
bridge-group 255
bridge-group 255 spanning-disabled
no bridge-group 255 source-learning
service-policy input Lync
service-policy output Lync
interface GigabitEthernet0.1200
encapsulation dot1Q 1200 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.1234
encapsulation dot1Q 1234
bridge-group 254
bridge-group 254 spanning-disabled
no bridge-group 254 source-learning
service-policy input Lync
service-policy output Lync
interface BVI1
mac-address 881d.fc46.c865
ip address 10.10. 255.255.254.0
ip default-gateway 10.10.
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
login local
transport input all
sntp server ntp2c.mcc.ac.uk
sntp broadcast client
end
LATHQWAP01#

Need help in understanding native VLAN or PVID concent

Hi: I am fairly new to VLANs. I can't seem to understand how native VLAN or PVID concept works. I found descriptions for native VLAN. But what I donot understand is the following scenario:
Letz say a port is a member of VLANs 1 and 2. The PVID for the port is 1. A normal PC is attached to this port. If an untagged frame arrives on this port from the PC attached, based on native VLAN definition, the frame will be assigned to VLAN 1. But what if the source wanted this untagged frame to go to a server in VLAN 2 since the port is a member of both VLAN 1 and 2?
Thanks in Advance.
Ravi

leonvd79: thanks for your response. I was thinking a port to which a user is attached (access port) can be member of multiple VLANs if it needs to communicate with entities in multiple VLANs. Could you please clarify.
So in a network where there are two servers, server2 in VLAN 2 and server3 in VLAN 3. So I will make PVID=2 for access port server2 is attached and PVID=3 for access port to which server3 is attached.
I have user2 who will need to talk to only server2. So I make the PVID for the access port to which user2 is attached as 2. If I have user23 who needs to communicate with both server2 and server3, what will be the PVID for the port to which user23 is attached: 2 or 3?
Thanks
Ravi

WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

Hi
We have app. 1500 accespoints in app. 500 locations. WLCs are WiSM2s running 7.4.110.0. The AP are 1131LAPs.In a FlexConnect configuration we use vlan 410 as native vlan and the ssid (LAN) also in vlan 410. This works fine, never had any problems with this.
Now we have started use 1602 APs and the client connection on ssid LAN becomes unstable.
If we configure an different ssid, using vlan 420 and native vlan as 410, everything works fine.
I can't find any recommandations regarding the use of native vlan/ssid vlan
Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug wittin 1602 accespoints?
Regards,
Lars Christian

It is the recomended design to put FlexConnect AP mgt into native vlan & user traffic to a tagged vlan.
From the QoS perspective if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than native vlan) & trust CoS on the switch port connected to FlexConnect AP (usually configured as trunk port)
HTH
Rasika
**** Pls rate all useful responses ****

Native Vlan Missmatch message

Similar Messages

Maybe you are looking for