SG500 LACP trunk mismatch native vlan on individual ports

Hi All,
I have just configured an SG500 with an LACP trunk to an upstream switch.
I am getting a native VLAN mismatch on the individual ports of the LACP team.
24-Jan-2013 12:54:48 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/24.
24-Jan-2013 12:57:35 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/48.
The following shows the correct native VLAN:
BH-WS-AC-2#show int switchport port 1
Port : Po1
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 2000
Port is member in:
Vlan               Name               Egress rule Port Membership Type
1200               1200                 Tagged           Static       
1210            Management              Tagged           Static       
1212               1212                 Tagged           Static       
2000           Native Vlan             Untagged          Static      
But the following shows that the individual ports think they are on the default VLAN 1:
BH-WS-AC-2#show int switchport gi1/1/48
Port : gi1/1/48
Port Mode: Trunk
Gvrp Status: disabled
Ingress Filtering: true
Acceptable Frame Type: admitAll
Ingress UnTagged VLAN ( NATIVE ): 1
Port is member in:
Vlan               Name               Egress rule Port Membership Type
The following shows the LACP as up:
BH-WS-AC-2#show int Port-Channel 1
Load balancing: src-dst-mac-ip.
Gathering information...
Channel  Ports
Po1      Active: gi1/1/24,gi1/1/48
Is this normal behaviour? As I cannot set the native VLAN directly on the gi interface because it is in the trunk.
Simon

Hi Simon, native vlan mismatch is a cosmetic error from CDP. It won't affect services provided the vlans are a member of the ports in question.
You can set the native vlan while it is within the lag. On the SX500 it would be
config t
int po1
switchport trunk native vlan xxxx
The port channel is the same as any other individual port so it's not a problem. 802.1q specifies the native vlan is the untagged member, if you want to get rid of the error, make sure the untagged vlans match up on both sides.
-Tom
Please mark answered for helpful posts
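An added example, not from the thread or from Cisco: a small Python triage script that pulls the interface names out of %CDP-W-NATIVE_VLAN_MISMATCH syslog lines like the ones above, maps them to their port-channel from "show int Port-Channel", and compares each member's "Ingress UnTagged VLAN ( NATIVE )" with the Po's own value, so the LAG-member case from this thread can be told apart from a standalone trunk whose native VLAN really differs from the far side. The sample outputs are constructed to mirror the post; the extra gi1/1/10 entry is invented to show the standalone case.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input modelled on the outputs quoted in the post
# (not captured from a real device). gi1/1/10 is an invented standalone trunk.
SYSLOG = """\
24-Jan-2013 12:54:48 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/24.
24-Jan-2013 12:57:35 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/48.
24-Jan-2013 13:02:10 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/10.
"""

SHOW_PORT_CHANNEL = """\
Load balancing: src-dst-mac-ip.
Channel  Ports
Po1      Active: gi1/1/24,gi1/1/48
"""

# One (abbreviated) "show int switchport" output per interface of interest.
SHOW_SWITCHPORT = {
    "Po1":      "Port : Po1\nPort Mode: Trunk\nIngress UnTagged VLAN ( NATIVE ): 2000\n",
    "gi1/1/24": "Port : gi1/1/24\nPort Mode: Trunk\nIngress UnTagged VLAN ( NATIVE ): 1\n",
    "gi1/1/48": "Port : gi1/1/48\nPort Mode: Trunk\nIngress UnTagged VLAN ( NATIVE ): 1\n",
    "gi1/1/10": "Port : gi1/1/10\nPort Mode: Trunk\nIngress UnTagged VLAN ( NATIVE ): 1\n",
}

MISMATCH_RE = re.compile(r"%CDP-W-NATIVE_VLAN_MISMATCH: .* on interface (\S+?)\.?$")
NATIVE_RE = re.compile(r"Ingress UnTagged VLAN \( NATIVE \): (\d+)")
CHANNEL_RE = re.compile(r"^(Po\d+)\s+Active:\s*(\S+)", re.MULTILINE)


def mismatched_interfaces(syslog: str) -> List[str]:
    """Interfaces named in %CDP-W-NATIVE_VLAN_MISMATCH log lines, in log order."""
    found = []
    for line in syslog.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


def channel_of(show_pc: str) -> Dict[str, str]:
    """Map each active member port to its port-channel, e.g. gi1/1/24 -> Po1."""
    members: Dict[str, str] = {}
    for m in CHANNEL_RE.finditer(show_pc):
        for port in m.group(2).split(","):
            members[port] = m.group(1)
    return members


def native_vlan(show_switchport: str) -> int:
    """Native VLAN reported by one 'show int switchport' output."""
    m = NATIVE_RE.search(show_switchport)
    if not m:
        raise ValueError("no 'Ingress UnTagged VLAN ( NATIVE )' line in output")
    return int(m.group(1))


def triage(syslog: str, show_pc: str,
           switchport: Dict[str, str]) -> List[Tuple[str, str, int, Optional[int]]]:
    """For each interface that raised the CDP warning return
    (interface, scope, its own native VLAN, native VLAN of its LAG or None).
    scope is 'lag-member' when the port is in a port-channel: per the reply
    above, the Po's native VLAN is the one to compare with the far side and the
    member's own value only produces the cosmetic warning. 'standalone' means
    the interface itself terminates the trunk and the mismatch is real."""
    lag = channel_of(show_pc)
    report = []
    for intf in mismatched_interfaces(syslog):
        own = native_vlan(switchport[intf])
        if intf in lag:
            report.append((intf, "lag-member", own, native_vlan(switchport[lag[intf]])))
        else:
            report.append((intf, "standalone", own, None))
    return report


if __name__ == "__main__":
    for row in triage(SYSLOG, SHOW_PORT_CHANNEL, SHOW_SWITCHPORT):
        print(row)
```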

Similar Messages

  • How to get info over snmp on cisco switch whether native vlan on a port is tagged or not?

    Hi!
    I want to know which oid(s) should I query to know whether native vlan on trunk port on cisco switch is tagged or not?
    I am querying the OID .1.3.6.1.4.1.9.9.46.1.6.3.0 (vlanTrunkPortsDot1qTag) on a Cisco 3560 (E Series) and I am getting a global value. Also, this OID is shown as deprecated. So I query .1.3.6.1.4.1.9.9.246.1.6 (cltcDot1qAllTagged) and its subtree, but no value is returned.
    Switch Version is
    Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(50)SE2

    Keep in mind that DHCP is a broadcast packet to start. So the AP can only listen in the subnet that it has an IP address for.
    Now, for any other subnet you can use the AP for DHCP but you have to have an IP helper address on your L3 pointing back to the AP.
    That being said, I wouldn't use the DHCP server on the AP as it is limited. You'd be better off using a Microsoft server or some other device that is designed for DHCP.
    HTH,
    Steve

  • Various questions on uplink profiles, CoS, native VLAN, downlink trunking

    I will be using vPC End Host Mode with MAC-pinning. I see I can further configure MAC-Pinning. Is this required or will it automatically forward packets by just turning it on? Is it also best not to enable failover for the vnics in this configuration? See this text from the Cisco 1000V deployment Guide:
    Fabric Fail-Over Mode
    Within the Cisco UCS M71KR-E, M71KR-Q and M81KR adapter types, the Cisco Unified Computing System can
    enable a fabric failover capability in which loss of connectivity on a path in use will cause remapping of traffic
    through a redundant path within the Cisco Unified Computing System. It is recommended to allow the Cisco Nexus
    1000V redundancy mechanism to provide the redundancy and not to enable fabric fail-over when creating the
    network interfaces within the UCS Service Profiles. Figure 3 shows the dialog box. Make sure the Enable Failover
    checkbox is not checked."
    What is the 1000V redundancy?? I didn't know it has redundancy. Is it the MAC-Pinning set up in the 1000V? Is it Network State Tracking?
    The 1000V has redundancy and we can even pin VLANs to whatever vNIC we want. See Cisco's Best Practices for Nexus 1000V and UCS.
    Nexus1000V management VLAN. Can I use the same VLAN for this and for ESX-management and for Switch management? E.g VLan 3 for everything.
    According to the below text (1000V Deployment Guide), I can have them all in the same vlan:
    There are no best practices that specify whether the VSM
    and the VMware ESX management interface should be on the same VLAN. If the management VLAN for
    network devices is a different VLAN than that used for server management, the VSM management
    interface should be on the management VLAN used for the network devices. Otherwise, the VSM and the
    VMware ESX management interfaces should share the same VLAN.
    I will also be using CoS and QoS to prioritize the traffic. The CoS can either be set in the 1000V (Host control Full) or per virtual adapter (Host control none) in UCS. Since I don't know how to configure CoS on the 1000V, I wonder if I can just set it in UCS (per adapter) as before when using the 1000V, i.e. we have 2 choices.
    Yes, you can still manage CoS using QoS on the vnics when using 1000V:
    The recommended action in the Cisco Nexus 1000V Series is to assign a class of service (CoS) of 6 to the VMware service console and VMkernel flows and to honor these QoS markings on the data center switch to which the Cisco UCS 6100 Series Fabric Interconnect connects. Marking of QoS values can be performed on the Cisco Nexus 1000V Series Switch in all cases, or it can be performed on a per-VIF basis on the Cisco UCS M81KR or P81E within the Cisco Unified Computing System with or without the Cisco Nexus 1000V Series Switch.
    Something else: Native VLANs
    Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1?   I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is setup. Why? I have been advised to leave out the native VLAN.
    Example: Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (e.g. VLAN 2)? Can I just configure an access port with the same VLAN ID as the native VLAN, i.e. 2, and connect to it with a PC using the same IP network address?
    And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
    What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
    No, port channel should not be configured when MAC-pinning is configured.
    [Robert] The VSM doesn't participate in STP so it will never send BPDU's. However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter. PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDU's from VMs. I prefer to ignore them than using BPDU Guard - which will shutdown the interface if BPDU's are received.
    -Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
    Edit: 26 July 14:23. Found answers to many of my many questions...

    Answers inline.
    Atle Dale wrote:
    Something else: Native VLANs
    Is it important to have the same native VLAN on the UCS and the Cisco switch? And not to use the default native VLAN 1? I read somewhere that the native VLAN is used for communication between the switches and CDP amongst others. I know the native VLAN is for all untagged traffic. I see many people set the ESXi management VLAN as native also, and in the above article the native VLAN (default 1) is setup. Why? I have been advised to leave out the native VLAN.
    [Robert] The native VLAN is assigned per hop. This means between the 1000v Uplinks port profile and your UCS vNIC definition, the native VLAN should be the same. If you're not using a native VLAN, the "default" VLAN will be used for control traffic communication. The native VLAN and default VLAN are not necessarily the same. Native refers to VLAN traffic without an 802.1q header and can be assigned or not. A default VLAN is mandatory. This happens to start as VLAN 1 in UCS but can be changed. The default VLAN will be used for control traffic communication. If you look at any switch (including the 1000v or Fabric Interconnects) and do a "show int trunk" from the NXOS CLI, you'll see there's always one VLAN allowed on every interface (by default VLAN 1) - This is your default VLAN.
    Example: Will I be able to access a VM set with VLAN 0 (native) if the native VLAN is the same in UCS and the Cisco switch (e.g. VLAN 2)? Can I just configure an access port with the same VLAN ID as the native VLAN, i.e. 2, and connect to it with a PC using the same IP network address?
    [Robert] There's no VLAN 0. An access port doesn't use a native VLAN - as it's assigned only to a single VLAN. A trunk on the other hand carries multiple VLANs and can have a native vlan assigned. Remember your native vlan usage must be matched between each hop. Most network admins setup the native vlan to be the same throughout their network for simplicity.
    In your example, you wouldn't set your VM's port profile to be in VLAN 0 (doesn't exist), but rather VLAN 2 as an access port. If VLAN 2 also happens to be your Native VLAN northbound of UCS, then you would configure VLAN 2 as the Native VLAN on your UCS ethernet uplinks. On the switch northbound of the UCS Interconnects you'll want to ensure on the receiving trunk interface VLAN 2 is set as the native vlan also.
    Summary:
    1000v - VM vEthernet port profile set as access port VLAN 2
    1000v - Ethernet Uplink Port profile set as trunk with Native VLAN 2
    UCS - vNIC in Service Profile allowing all required VLANs, and VLAN 2 set as Native
    UCS - Uplink Interface(s) or Port Channel set as trunk with VLAN 2 as Native VLAN
    Upstream Switch from UCS - Set as trunk interface with Native VLAN 2
    From this example, your VM will be reachable on VLAN 2 from any device - assuming you have L3/routing configured correctly also.
    And is it important to trunk this native VLAN? I see in a Netapp Flexpod config they state this: "This configuration also leverages the native VLAN on the trunk ports to discard untagged packets, by setting the native VLAN on the port channel, but not including this VLAN in the allowed VLANs on the port channel". But I don't understand it...
    [Robert] This statement recommends "not" to use a native VLAN. This is a practice by some people. Rather than using a native VLAN throughout their network, they tag everything. This doesn't change the operation or reachability of any VLAN or device - it's simply a design decision. The reason some people opt not to use a native VLAN is that almost all switches use VLAN 1 as the native by default. So if you're using the native VLAN 1 for management access to all your devices, and someone connects in (without your knowing) another switch and simply plugs into it - they'd land on the same VLAN as your management devices and potentially do harm.
    What about the downlinks from the FI to the chassis. Do you configure this as a port channel also in UCS? Or is this not possible with the setup described here with 1000V and MAC-pinning.
    [Robert] On the first generation hardware (6100 FI and 2104 IOM) port channeling is not possible. With the latest HW (6200 and 2200) you can create port channels with all the IOM - FI server links. This is not configurable. You either tell the system to use Port Channel or Individual Links. The major bonus of using a Port Channel is losing a link doesn't impact any pinned interfaces - as it would with individual server interfaces. To fix a failed link when configured as "Individual" you must re-ack the Chassis to re-pin the virtual interfaces to the remaining server uplinks. In regards to 1000v uplinks - the only supported port channeling method is "Mac Pinning". This is because you can't port channel physical interfaces going to separate Fabrics (one to A and one to B). Mac Pinning gets around this by using pinning so all uplinks can be utilized at the same time.
    --
    [Robert] The VSM doesn't participate in STP so it will never send BPDU's. However, since VMs can act like bridges & routers these days, we advise to add two commands to your upstream VEM uplinks - PortFast and BPDUFilter. PortFast so the interface is FWD faster (since there's no STP on the VSM anyway) and BPDUFilter to ignore any received BPDU's from VMs. I prefer to ignore them than using BPDU Guard - which will shutdown the interface if BPDU's are received.
    -Are you thinking of the upstream switch here (Nexus, Catalyst) or the N1kV uplink profile config?
    [Robert] The two STP commands would be used only when the VEM (ESX host) is directly connected to an upstream switch. For UCS these two commands do NOT apply.

  • Why Native VLAN exists on a Trunk?

    Basically, A Native VLAN carries untagged traffic on a trunk line.
    A trunk line allows multiple VLAN traffic (tagged traffic). So why does a Native VLAN exist on a trunk?
    Why Native VLAN was created?
    I'm pretty confused up with VLANs.

    Hi,
    The second question - why PC Network adapters support VLAN tags - is actually easier to answer :)
    First of all, with regards to VLANs and frame tagging, there is actually nothing special to support on a network adapter! The VLAN tag itself is in fact stored in the payload of a tagged frame. Even to the most dumb network adapter, a tagged frame looks like any other - Destination MAC, Source MAC, EtherType (set to 0x8100), Payload (holding the rest of the VLAN tag, the original EtherType and the original Payload), and the FCS. Supporting VLANs and frame tags is possible on a purely software level. The fact that network adapters often do have hardware support for VLANs is related to performance reasons: With hardware VLAN support, the tagging, de-tagging, filtering and/or sorting frames based on the VLAN tag value is faster and it allows offloading these operations from the computer's CPU to the network card. However, even if the network adapter did not have any kind of VLAN support, the VLANs could still be implemented purely in the card's software driver.
    Ordinarily, you would not see a common PC send and receive tagged frames. However, there are situations in which even a PC would send or receive a tagged frame. One of reasons is the presence of the Class-of-Service (CoS) bits in a VLAN tag. You surely know that basic Ethernet frame format does not include any kind of priority marking. There is no field in an Ethernet header that would allow you to indicate that this or that frame requires a preferential treatment. VLAN tags, on the other hand, have a 3-bit CoS field that allows you to indicate the priority of the tagged frame. Should a  PC need to send a frame that needs to be explicitly marked as more important than others, it can be done by inserting a VLAN tag into this frame and setting the CoS field to a non-zero value (with 3 bits, the maximum CoS value is 7).
    Another reason for a computer to send and receive tagged frames would be when the computer itself would be intentionally placed into multiple VLANs. For example, the router-on-a-stick performing inter-VLAN routing is not a concept just for dedicated hardware routers. For example, any computer running Linux can be used in place of a Cisco router to perform inter-VLAN routing. Just like on a Cisco router, you would configure the Linux with subinterfaces for each VLAN it should be able to route from and to, assign IP addresses, and voila - you have a cheap and powerful inter-VLAN router. Yet another reason for receiving and sending tagged frames on a computer would be virtualization: You could have a server that runs multiple virtual operating systems in VirtualBox, VMWare, Xen or some other virtualization solution, and you want each of these virtual PCs to have a "separate" network card so that they can not talk to each other when they communicate with the outside world. You would do this again by creating subinterfaces on the physical machine, and bridging the individual virtual PCs with unique subinterfaces so that each virtual PC gets its own subinterface onto which it is bridged. As a result, the communication of individual virtual PCs would be tagged on the physical link depending on what virtual machine was speaking.
    So, while not exactly a typical situation for an ordinary office PC, it is nonetheless quite normal to see a computer being connected to a trunk port. This, however, is always done with the prior knowledge that the computer will indeed need to talk to several VLANs simultaneously and directly. Otherwise there's no need for that.
    Regarding the native VLAN on trunks - well, this is a neverending debate. I wish the native VLAN was never invented but well, it's here so we have to fight with it. Often, it is explained as "the VLAN that will save you if you happen to connect a normal PC to a trunk", and you have asked quite correctly - why on Earth would I want to connect a normal PC to a trunk, if not for reasons stated above? And you would be perfectly right - you wouldn't. The reason for native VLANs is different. If you try to study the IEEE 802.1Q standard you will learn that it does not recognize the terms access port and trunk port. It has no distinction for these port types. Instead, 802.1Q considers each port to be possibly associated with multiple VLANs at once. One of these VLANs is called the Primary VLAN, its number (ID) is called the Primary VLAN ID (PVID), and this VLAN is considered to be the one that is always associated with the port and thus does not need to use tags. Any other VLAN that is in addition associated with the port obviously has to use tags to be distinguishable. From this viewpoint, a port that is associated just with its PVID would be what Cisco calls an access port, and a port that is associated with VLAN IDs other than just its PVID would be what Cisco calls a trunk port, with the PVID being the trunk's native VLAN ID.
    So in the way IEEE defines VLANs and their usage, PVID (= native VLAN ID) is a property of each port, so any implementation that claims compatibility with 802.1Q has to implement the PVID. Cisco decided to have a twist on the understanding of VLANs, and came up with access ports (i.e. ports associated just with their PVID and no other VLAN ID) and trunk ports  (i.e. ports associated with many VLAN IDs including PVID), and so each trunk port must have its PVID - and that is what we call native VLAN and why we need to at least support it - although we do not need to make use of the native VLAN on trunks.
    Quite convoluted.
    Best regards,
    Peter

  • Is this considered NATIVE VLAN?

    Greetings All, I know that the Native VLAN in a switch is VLAN 1.
    Since my access points need a native VLAN to perform multiple SSIDs and VLANs etc., if the access point is sitting on VLAN 20 with an IP address assigned to it from that VLAN, does that mean VLAN 20 is native?? Sorry for the ignorant question but I am trying to do multiple SSIDs etc.

    Hey Pete,
    Have a read of this good doc, here is an excerpt;
    The routers and switches that make up the physical infrastructure of a network are managed in a different method than the client PCs that attach to that physical infrastructure. The VLAN these router and switch interfaces are members of is called the Native VLAN (by default, VLAN 1). Client PCs are members of a different VLAN, just as IP telephones are members of yet another VLAN. The administrative interface of the access point or bridge (interface BVI1) is considered and numbered a part of the Native VLAN regardless of what VLANs or SSIDs pass through that wireless device.
    The switchport config might look like this;
    switchport mode trunk
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 1
    switchport trunk allowed vlan 1,10,30
    Where vlan 1 is Native and vlan 10 and 30 will be associated with SSID's.
    When you use an IEEE 802.1Q trunk port, all frames are tagged except those on the VLAN configured as the "native VLAN" for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged. Therefore, when an AP is connected to the switchport, the native VLAN configured on the AP must match the native VLAN configured on the switchport.
    Note: If there is a mismatch in the native VLANs, the frames are dropped.
    This scenario is better explained with an example. If the native VLAN on the switchport is configured as VLAN 12 and on the AP, the native VLAN is configured as VLAN 1, then when the AP sends a frame on its native VLAN to the switch, the switch considers the frame as belonging to VLAN 12 since the frames from the native VLAN of the AP are untagged. This causes confusion in the network and results in connectivity problems. The same happens when the switchport forwards a frame from its native VLAN to the AP.
    From this good doc;
    Using VLANs with Cisco Aironet Wireless Equipment
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#vlanap
    Hope this helps!
    Rob
    Please remember to rate helpful posts.........
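As an added example, not from Peter's or Rob's answers above, the 802.1Q frame layout Peter describes (EtherType 0x8100, a 3-bit CoS field and a 12-bit VID carried in the tag) and the AP/switch native VLAN mismatch from Rob's excerpt, worked in Python: build and parse tagged and untagged frames, then classify an untagged frame by the receiving port's PVID to see why AP native 1 versus switch native 12 lands frames in the wrong VLAN. MAC addresses and payloads are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    vid: Optional[int]  # None when the frame carries no 802.1Q tag
    pcp: int            # 3-bit Class of Service from the tag, 0 if untagged
    ethertype: int      # the real EtherType that follows any tag
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame; when vid is given, insert the 4-byte 802.1Q tag
    (TPID 0x8100 + TCI) between the source MAC and the original EtherType."""
    if vid is not None and not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | vid          # TCI = PCP:3 | DEI:1 (left 0) | VID:12
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame: bytes) -> ParsedFrame:
    """Split a frame into its fields, honouring an 802.1Q tag if one is present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return ParsedFrame(dst, src, None, 0, etype, frame[14:])
    if len(frame) < 18:
        raise ValueError("802.1Q TPID present but TCI/EtherType are truncated")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return ParsedFrame(dst, src, tci & 0x0FFF, tci >> 13, inner, frame[18:])


def trunk_egress(vid: int, pvid: int, dst: bytes, src: bytes,
                 ethertype: int, payload: bytes) -> bytes:
    """What a trunk port puts on the wire for VLAN vid: untagged when vid is the
    port's native VLAN (its PVID), tagged for every other VLAN."""
    return build_frame(dst, src, ethertype, payload,
                       vid=None if vid == pvid else vid)


def ingress_vlan(frame: bytes, pvid: int) -> int:
    """VLAN a receiving trunk port files the frame under: the tag's VID if
    tagged, otherwise the receiver's own PVID, whatever the sender meant."""
    parsed = parse_frame(frame)
    return pvid if parsed.vid is None else parsed.vid


# Constructed addresses and payload for the walk-through (not real hosts).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")


def trunk_hop(vid: int, sender_pvid: int, receiver_pvid: int) -> int:
    """VLAN the far end assigns a frame after one trunk hop."""
    wire = trunk_egress(vid, sender_pvid, DST, SRC, 0x0800, b"constructed")
    return ingress_vlan(wire, receiver_pvid)


if __name__ == "__main__":
    # Rob's excerpt: AP native VLAN 1, switch native VLAN 12.
    print("AP VLAN 1 arrives as VLAN", trunk_hop(1, 1, 12))     # 12: misfiled
    print("AP VLAN 10 arrives as VLAN", trunk_hop(10, 1, 12))   # 10: tagged, unaffected
    print("matched natives, VLAN 1 ->", trunk_hop(1, 1, 1))     # 1
```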

  • Question about PVID, SA520, Native VLAN

    Is PVID the same thing as "native vlan"? Can the native VLAN be changed on a SA520? Currently I believe it to be 1, I'd like to change the native VLAN to 10.
    I have a scenario where I have a preexisting production LAN of 192.168.1.0/24. It's a small organization (a church), but they purchased 3 Aironet 1130ag units. They want to have a "private" WLAN that is part of 192.168.1.0/24, and a guest WLAN on a different subnet (I chose 192.168.20.0/24). The two should never meet. There will likely never be a guest computer connected via ethernet. Guest computers would always have to connect wirelessly.
    I accomplished this to a point.
    I left VLAN 1 on the SA520 192.168.75.0/24 subnet as default. I created a VLAN 10, 192.168.1.0/24 subnet, and I created a VLAN 20, 192.168.20.0/24 subnet.
    VLAN Recap:
    VLAN 1 , 192.168.75.0/24
    VLAN 10, 192.168.1.0/24
    VLAN 20, 192.168.20.0/24
    Ports 1-3 of the SA520 are members of VLAN 1, 10, and 20 (cannot remove membership of VLAN1, which is pretty annoying).
    The Aironets have been configured correctly.
    SSID: Priv is part of VLAN 10
    SSID: Pub is part of VLAN 20
    Both are secured by WPA, and when I connect, the proper DHCP subnet passes from the firewall through to the wireless client, for each respective SSID.
    Ultimately, I'd like the SBS 2003 server to handle DHCP for VLAN 10, and have the SA520 handle DHCP for VLAN 20, but I'll take what I can get.
    Here's my challenge:
    The original production LAN is connected via an unmanaged switch.
    I'd like to trunk the unmanaged switch to Port 4 on the SA520. However, since the PVID (native VLAN?) of the SA520 is 1, and I cannot make Port 4 on the SA520 only a member of VLAN 10, then any traffic coming from the unmanaged switch will automatically be tagged with VLAN 1, correct? Thus causing the already existing production network to start receiving DHCP from the firewall in the 192.168.75.0/24 range.
    Any ideas or help on the above?
    What I would do if I had a managed switch on the production LAN:
    If I had a managed switch on the production LAN, what I think I would do is make one port a trunk port, connect that port to Port 4 on the SA520, then make all the rest of the ports on the managed switch access ports, and members of VLAN 10. Am I on the right track there?
    Hiccups when setting up the WAP:
    I would have changed VLAN 1 on the SA520 to the 192.168.1.0/24 subnet, and only created a second subnet, but there was a challenge with that and the WAPs.
    Cannot change the VLAN the dot11radio0 is a part of. There's no encapsulation command.
    Could not broadcast the SSIDs successfully and secure via WPA unless the SSIDs were on VLANs other than 1. The dot11radio0 would go into a "reset" state.
    Could change the VLAN the subinterfaces of dot11radio0 were on, for example dot11radio0.10 is a member of VLAN 10. Dot11radio0.20 is a member of VLAN 20.
    In any event, it's working, but the rest of the infrastructure is the challenge.
    Here's one of my WAP configs as an example:
    Building configuration...
    Current configuration : 2737 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname WAP2
    !
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
    !
    no aaa new-model
    no ip domain lookup
    !
    dot11 syslog
    !
    dot11 ssid CASPRIV
       vlan 10
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 107E1B101345425A5D4769
    !
    dot11 ssid CASPUB
       vlan 20
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 132616013B19066968
    !
    username Cisco password 7 0802455D0A16
    !
    bridge irb
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan 20 mode ciphers aes-ccm
     encryption vlan 10 mode ciphers aes-ccm
     ssid CASPRIV
     ssid CASPUB
     mbssid
     channel 6
     station-role root
     bridge-group 1
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio0.10
     encapsulation dot1Q 10
     ip address 192.168.1.5 255.255.255.0
     no ip route-cache
     bridge-group 10
     bridge-group 10 subscriber-loop-control
     bridge-group 10 block-unknown-source
     no bridge-group 10 source-learning
     no bridge-group 10 unicast-flooding
     bridge-group 10 spanning-disabled
    !
    interface Dot11Radio0.20
     encapsulation dot1Q 20
     ip address 192.168.20.3 255.255.255.0
     no ip route-cache
     bridge-group 20
     bridge-group 20 subscriber-loop-control
     bridge-group 20 block-unknown-source
     no bridge-group 20 source-learning
     no bridge-group 20 unicast-flooding
     bridge-group 20 spanning-disabled
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     encryption mode ciphers aes-ccm
     ssid CASPRIV
     dfs band 3 block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0.10
     encapsulation dot1Q 10
     no ip route-cache
     bridge-group 10
     no bridge-group 10 source-learning
     bridge-group 10 spanning-disabled
    !
    interface FastEthernet0.20
     encapsulation dot1Q 20
     no ip route-cache
     bridge-group 20
     no bridge-group 20 source-learning
     bridge-group 20 spanning-disabled
    !
    interface BVI1
     no ip address
     no ip route-cache
    !
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    !
    line con 0
    line vty 0 4
     login local

    Hello Paul,
    You have a lot going on here so forgive me if I miss something.
    PVID is for Primary/Port Vlan ID. It is used to identify the vlan on a port and can be used to change the native vlan of a port. You can change the PVID on port 4 of the SA520 to be vlan 10 if you need to.
    The simplest setup would be for you to have your private network all be on the native vlan 1 and set your guest to be on another vlan. All of this would be possible without any problem on the SA520. Unfortunately I do not have much experience with the Aironet APs but they should allow you to continue this configuration onto the wireless network. For assistance with the Aironet APs I would have to refer you to someone more familiar.
    I do hope this helps with setting your network.

  • Changing the Native VLAN command?

    Can someone please refresh me as to what the command is to change the Native VLAN for the entire switch? (i.e. not just on the trunk, I mean the default native for the entire switch). Thanks

    Hi
    While on this topic. I have been trying to trunk two 2960 switches and can't seem to get a proper connection. I am using Packet Tracer. The 1st switch already has a trunk port going to a router; the router's port is trunked and has sub-ints for each of VLANs 2 and 3, and each sub-int has the respective native encap VLAN configured. My management VLAN is VLAN 3, and I don't have an int vlan1, only int vlan 3. The router and the 1st switch work fine. But now I am trying to get another trunk port to a second switch. I configured both ints for trunking using native VLAN 1. Now the links are in the up state, but the LEDs on both ends are not green; one is orange. And I have only int vlan 3, as with the other switch, with an IP in the same subnet as the management IP, but cannot ping. Strange thing: VTP info can pass but there is no connection to the other switch's VLANs, router etc., only local connectivity. Plz help, below are the configs of the router and two switches. It is switch 1 that is giving me beans to connect to the rest.
    Router0
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    service password-encryption
    !
    hostname RouterA
    !
    enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
    !
    username admin secret 5 $1$mERr$vPOtdREpWgzFVVY37SB2h/
    !
    ip name-server 0.0.0.0
    !
    interface Loopback0
     description management
     ip address 192.168.1.1 255.255.255.0
    !
    interface Loopback1
     ip address 192.168.2.1 255.255.255.224
    !
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/0.1
     encapsulation dot1Q 1 native
     ip address 192.168.3.1 255.255.255.0
    !
    interface FastEthernet0/0.2
     encapsulation dot1Q 2
     ip address 10.5.0.1 255.255.255.0
    !
    interface FastEthernet0/0.3
     encapsulation dot1Q 3
     ip address 192.168.4.1 255.255.255.0
    !
    interface FastEthernet0/1
     description management
     no ip address
     duplex auto
     speed auto
    !
    interface Serial0/0
     ip address 172.16.1.1 255.255.255.252
    !
    interface Serial0/1
     no ip address
    !
    interface FastEthernet1/0
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet1/1
     no ip address
     duplex auto
     speed auto
    !
    router rip
     version 2
     network 172.16.0.0
     network 192.168.1.0
     network 192.168.2.0
     no auto-summary
    !
    ip classless
    !
    access-list 1 permit 192.168.4.0 0.0.0.255
    access-list 1 permit host 192.168.4.2
    !
    line con 0
    line vty 0 4
     access-class 1 in
     password 7 08316C5D1A2E5505165A
     login
    !
    end
    Switch 0 (connected to Router 0)
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    service password-encryption
    hostname SwitchA
    no logging console
    enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
    ip name-server 0.0.0.0
    username admin password 7 08651D0A043C3705561E0B54322E2B3C2B063137324232064274
    spanning-tree portfast default
    interface FastEthernet0/1
    interface FastEthernet0/2
    interface FastEthernet0/3
    interface FastEthernet0/4
    interface FastEthernet0/5
    switchport access vlan 3
    interface FastEthernet0/6
    switchport access vlan 3
    interface FastEthernet0/7
    interface FastEthernet0/8
    interface FastEthernet0/9
    interface FastEthernet0/10
    interface FastEthernet0/11
    interface FastEthernet0/12
    interface FastEthernet0/13
    switchport access vlan 2
    interface FastEthernet0/14
    switchport access vlan 2
    interface FastEthernet0/15
    switchport access vlan 2
    interface FastEthernet0/16
    switchport access vlan 2
    interface FastEthernet0/17
    switchport access vlan 2
    interface FastEthernet0/18
    switchport mode trunk
    interface FastEthernet0/19
    switchport access vlan 2
    switchport mode access
    interface FastEthernet0/20
    switchport access vlan 2
    interface FastEthernet0/21
    switchport access vlan 2
    interface FastEthernet0/22
    switchport mode access
    interface FastEthernet0/23
    switchport access vlan 2
    interface FastEthernet0/24
    switchport mode trunk
    interface GigabitEthernet1/1
    interface GigabitEthernet1/2
    interface Vlan1
    no ip address
    interface Vlan3
    ip address 192.168.4.10 255.255.255.0
    ip default-gateway 192.168.4.1
    access-list 1 permit 192.168.4.0 0.0.0.255
    access-list 1 permit host 192.168.4.1
    line con 0
    line vty 0 4
    access-class 1 in
    password 7 08316C5D1A2E5505165A
    login
    line vty 5 15
    login
    end
    Switch 1 (connected to Switch0) (This is the second switch which I cannot get connected to rest of network properly)
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    hostname Switch
    interface FastEthernet0/1
    interface FastEthernet0/2
    interface FastEthernet0/3
    interface FastEthernet0/4
    interface FastEthernet0/5
    switchport access vlan 3
    interface FastEthernet0/6
    switchport access vlan 3
    interface FastEthernet0/7
    interface FastEthernet0/8
    interface FastEthernet0/9
    interface FastEthernet0/10
    interface FastEthernet0/11
    interface FastEthernet0/12
    interface FastEthernet0/13
    interface FastEthernet0/14
    interface FastEthernet0/15
    interface FastEthernet0/16
    interface FastEthernet0/17
    interface FastEthernet0/18
    switchport mode trunk
    interface FastEthernet0/19
    interface FastEthernet0/20
    interface FastEthernet0/21
    interface FastEthernet0/22
    interface FastEthernet0/23
    interface FastEthernet0/24
    interface GigabitEthernet1/1
    interface GigabitEthernet1/2
    interface Vlan1
    no ip address
    interface Vlan3
    ip address 192.168.4.20 255.255.255.0
    ip default-gateway 192.168.4.1
    line con 0
    line vty 0 4
    login
    line vty 5 15
    login
    end

  • Native VLAN question

    I asked this in another forum, but was hoping for some other explanations...
    switchport mode trunk
    switchport native vlan 80
    switchport trunk allowed vlan 50, 80
    Can someone provide a line-by-line explanation of what's being done?
    If I understand correctly, the first line lets ALL vlans through this port. The second line lets all untagged traffic that comes from VLAN 80 through. Line three perplexes me, because if we are trunking the port (letting all VLANs through) why explicitly let these two VLANs through when they are already allowed.
    Thank you.

    Hi
    "switchport mode trunk" means configure the link as a trunk link, i.e. a link that can carry traffic for multiple VLANs. By default it will allow all VLANs.
    "switchport trunk native vlan 80" means the VLAN on the trunk link that will not be tagged will be VLAN 80. So all other VLAN traffic is tagged, but not this VLAN.
    "switchport trunk allowed vlan 50, 80" means only allow VLAN 50 and VLAN 80 traffic across this link. There are a number of reasons you may want to do this. Perhaps at the other end of the link you know that the switch only has ports in VLAN 50 and VLAN 80, so there is no need to forward traffic for any other VLAN. By not allowing those VLANs across the trunk you not only stop broadcast traffic from going across the trunk (which can also be achieved with the "vtp pruning" command) but you also stop STP for any VLANs other than 50 and 80 across the link.
    HTH
    Jon
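    The three commands in the answer above, modelled as an added example (this is illustrative code written for this page, not Cisco software, and the MAC addresses and payloads in it are constructed). It encodes the 802.1Q behaviour the thread relies on: every allowed VLAN crosses the trunk tagged except the native VLAN, which leaves untagged, and an untagged frame arriving on a trunk is filed under the receiving port's native VLAN. Running it side by side with a peer whose native VLAN was left at the default of 1 shows the practical consequence of the mismatch the other threads on this page report: frames sent for VLAN 80 on one side surface in VLAN 1 on the other, and vice versa.

```python
"""Model of a Cisco-style 802.1Q trunk port (added illustration, not Cisco code).

Encodes: a trunk carries tagged frames for every VLAN in its allowed list, the
native VLAN is the one VLAN that leaves the port untagged, and an untagged frame
arriving on the trunk is classified into the port's native VLAN. Running the
module shows why a native VLAN mismatch leaks frames between VLANs.
MAC addresses and payloads are constructed sample data.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_DOT1Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ALL_VLANS = frozenset(range(1, 4095))

# Constructed sample addresses (not from the page).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")


@dataclass(frozen=True)
class TrunkPort:
    """State set by 'switchport mode trunk' plus the two optional commands."""
    name: str
    native_vlan: int = 1              # switchport trunk native vlan N   (default 1)
    allowed: frozenset = ALL_VLANS    # switchport trunk allowed vlan ... (default all)


def build_frame(dst, src, payload, vlan=None):
    """Ethernet II frame; with vlan set, an 802.1Q tag (PCP 0, DEI 0) is inserted."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_DOT1Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def egress(port, vlan, dst, src, payload):
    """Frame leaving the trunk for `vlan`: untagged only if vlan is the native
    VLAN; None if the VLAN is not in the allowed list (pruned by the switch)."""
    if vlan not in port.allowed:
        return None
    tag = None if vlan == port.native_vlan else vlan
    return build_frame(dst, src, payload, tag)


def ingress(port, frame):
    """Classify a frame received on the trunk.

    Returns (vlan, frame_without_tag) or None when the VLAN is not allowed.
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_DOT1Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = tci & 0x0FFF
        inner = frame[:12] + frame[16:]   # pop the 4-byte tag
    else:
        vlan = port.native_vlan           # untagged => native VLAN, whatever the sender meant
        inner = frame
    if vlan not in port.allowed:
        return None
    return vlan, inner


def vlan_seen_by_peer(sender, receiver, vlan, payload=b"constructed"):
    """Send one frame for `vlan` across a link between two trunk ports and report
    the VLAN the receiving switch files it under (None if dropped on either side)."""
    frame = egress(sender, vlan, DST, SRC, payload)
    if frame is None:
        return None
    result = ingress(receiver, frame)
    return None if result is None else result[0]


if __name__ == "__main__":
    a = TrunkPort("A", native_vlan=80, allowed=frozenset({50, 80}))   # the three lines above
    b = TrunkPort("B", native_vlan=80, allowed=frozenset({50, 80}))   # matching peer
    c = TrunkPort("C")                                                 # peer left at defaults
    for peer in (b, c):
        for v in (50, 80, 99):
            print(f"A->{peer.name} vlan {v}: received in vlan {vlan_seen_by_peer(a, peer, v)}")
    print(f"C->A vlan 1: received in vlan {vlan_seen_by_peer(c, a, 1)}")
```

    With the matching peer B, VLAN 50 arrives tagged as 50, VLAN 80 arrives untagged and is filed as 80, and VLAN 99 never leaves A because it is not allowed. With the default peer C, the untagged VLAN 80 frame is filed as VLAN 1, and C's own VLAN 1 traffic arrives at A untagged and is filed as VLAN 80; that cross-VLAN leak, not the CDP log line, is the reason to make the untagged VLAN match on both ends.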

  • Native Vlan Mismatch on Switch LD connected to

    I am running 3 switches each with the same 3 vlans. I also have 2 local directors in failover mode. The primary has interfaces connected to switch one and the secondary has interfaces to switch two. Trunking is disabled on all device ports but enabled on a dedicated fiber connection between the 2 switches
    The first vlan is vlan 1 for management
    The second is vlan 2 for the gateway side of the local directors
    The third is vlan 3 for the server side of the local directors
    On the primary switch I am logging CDP messages telling me i have a native vlan mismatch on the 2 local director ports. The secondary switch I dont get these messages.
    Any ideas what is going on here and why? Thanks, Art.

    You mention above " but trunking is enabled on a dedicated fiber connection between the two switches", therefore trunking is enabled.
    Because trunked ports need to be assigned to the same native VLAN, I would do a "show trunk" and verify that the ports used for trunking on each switch are assigned to the same native VLAN; I've seen the mismatch if they are not. That command is for a switch running CatalystOS; otherwise, for NativeOS use "sh int fast 0/1 switchport" and look for the "trunking native mode vlan" number. They must match on each side. To correct the problem, do "set vlan 1 4/10" to assign port 4/10 to VLAN 1, which is your management VLAN and which I assume you've chosen to be your native VLAN.
    Hope this helps.

  • %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface fa1.

    I am getting the following message in my logs on SF300-8
    "%CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface fa1."
    What is causing the error, see VLAN setup below:

    Hi,
     Yes, in this case you can change the native VLAN on that switch with the command (config-if)#switchport trunk native vlan #; there is no need to reboot the switch in order for the change to take effect.
    Regards,

  • %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi26.

    Hello everyone,
    I have a SonicWall firewall with 6 VLANs and 3 Cisco sg28 switches connected to it. Everything is working fine, but I see I have these warnings in the log files of all three switches.
    I just need to know the best way to resolve this.
    The first switch is the "core" switch and the other two are connected to it in a star pattern.
    Sonicwall--switch1.101.1----switch 101.10
                                          |
                                          |
                                          switch 101.20
    So core switch 101.1 has the default VLAN set to 100, which is the default LAN on the SonicWall that it is connected to. There are no devices in .100.
    switch 101.10 has the default VLAN set to 1
    switch 101.20 has the default VLAN set to 1
    switch 101.1 is seeing these warnings:
    2147483643  2014-Apr-01 19:33:08  Warning  %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi27.
    2147483644  2014-Apr-01 19:30:52  Warning  %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi26.
    switch 101.10 is seeing these warnings:
    %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi52.
    port gi52 is connected to switch 101.1
    switch 101.20 is seeing these warnings:
    %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi27.
    port gi27 is connected to switch 101.1
    Thanks!

    Hi,
     Yes, in this case you can change the native VLAN on that switch with the command (config-if)#switchport trunk native vlan #; there is no need to reboot the switch in order for the change to take effect.
    Regards,

  • How one Switch identify the Native vlan mismatch

    Dear All,
    I am using two Cisco L2 switches. Both are connected by a trunk link. Unfortunately I configured different native VLANs on the two switches. Suddenly I got an error saying native VLAN mismatch. When I changed the configuration, it started working fine. My question is: how does one switch identify the native VLAN mismatch (by BPDU, CDP or packet)? Please mention which of these is used by the switch to identify a native VLAN mismatch.
    Regards,
    Sanjib

    Sanjib, Karsten,
    It's CDP.
    Yes, and STP as well if you run a trunk between the two switches. PVST+ and RPVST+ BPDUs have a TLV in their trailer that carries the VLAN number for which the BPDU was originated. If the BPDU is received in a different VLAN (caused by a native VLAN mismatch), the receiving switch is able to detect it.
    Wireshark 1.12.x will be capable of displaying this TLV field in captured PVST+ and RPVST+ BPDUs. Until 1.12.x is released, you may want to try daily builds from:
    http://www.wireshark.org/download/automated/
    They already incorporate the enhancement.
    Best regards,
    Peter
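    The STP-side detection Peter describes, as an added example written for this page (not Cisco or Wireshark code). The frame layout it assumes is my reading of how Wireshark dissects these frames: destination MAC 01:00:0c:cc:cc:cd, an optional 802.1Q tag, an 802.3 length field, LLC/SNAP with the Cisco OUI 00:00:0c and PID 0x010b, the standard 35-byte configuration BPDU (36 bytes for an RST BPDU), and then a TLV trailer whose type 0, length 2 TLV carries the VLAN the BPDU was sent for. The builder and the sample frames are constructed so the parser can be run offline; the check reproduces the logic of comparing that originating VLAN with the VLAN the receiving port files the frame under, which for an untagged BPDU is the port's own native VLAN.

```python
"""Parser for PVST+ / Rapid PVST+ BPDUs that flags a native VLAN mismatch from
the originating-VLAN TLV. Added example, not Cisco or Wireshark code.

Assumed layout (from the Wireshark dissector): destination 01:00:0c:cc:cc:cd,
optional 802.1Q tag, 802.3 length, LLC/SNAP with Cisco OUI 00:00:0c and
PID 0x010b, the 35-byte configuration BPDU (36 for an RST BPDU, which adds a
version-1 length byte), then a TLV trailer whose type-0, length-2 TLV carries
the VLAN the BPDU was sent for. All frames below are constructed sample data.
"""
import struct

PVST_DST = bytes.fromhex("01000ccccccd")
SNAP_HDR = bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + struct.pack("!H", 0x010B)
ETHERTYPE_DOT1Q = 0x8100
TLV_ORIGINATING_VLAN = 0


def build_pvst_bpdu(src_mac, origin_vlan, tagged_as=None, bridge_prio=32768):
    """Construct a PVST+ configuration BPDU originating in `origin_vlan`.

    A switch sends the BPDU for its native VLAN untagged (tagged_as=None) and
    the BPDUs for the other VLANs tagged with their VLAN ID.
    """
    # Bridge ID = priority + system-ID extension (the VLAN), then bridge MAC.
    bridge_id = struct.pack("!H", bridge_prio + origin_vlan) + src_mac
    body = struct.pack("!HBBB", 0, 0, 0, 0)                    # proto id, version, type=config, flags
    body += bridge_id + struct.pack("!I", 0)                    # root id, root path cost
    body += bridge_id + struct.pack("!H", 0x8001)               # bridge id, port id
    body += struct.pack("!HHHH", 0, 20 << 8, 2 << 8, 15 << 8)   # age, max age, hello, fwd delay (1/256 s)
    trailer = struct.pack("!HHH", TLV_ORIGINATING_VLAN, 2, origin_vlan)
    llc = SNAP_HDR + body + trailer
    hdr = PVST_DST + src_mac
    if tagged_as is not None:
        hdr += struct.pack("!HH", ETHERTYPE_DOT1Q, tagged_as)
    return hdr + struct.pack("!H", len(llc)) + llc


def parse_pvst_bpdu(frame, port_native_vlan):
    """Return (received_vlan, originating_vlan).

    received_vlan is the 802.1Q tag when present, otherwise the VLAN the
    receiving port treats untagged frames as: its native VLAN.
    originating_vlan comes from the trailer TLV (None if absent).
    """
    if frame[:6] != PVST_DST:
        raise ValueError("not a PVST+ BPDU (destination MAC)")
    off = 12
    if struct.unpack("!H", frame[off:off + 2])[0] == ETHERTYPE_DOT1Q:
        received = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    else:
        received = port_native_vlan
    length = struct.unpack("!H", frame[off:off + 2])[0]
    llc = frame[off + 2:off + 2 + length]
    if llc[:8] != SNAP_HDR:
        raise ValueError("not a PVST+ BPDU (SNAP header)")
    bpdu = llc[8:]
    body_len = 36 if bpdu[3] == 0x02 else 35    # bpdu[3] is the BPDU type
    tlvs = bpdu[body_len:]
    origin = None
    while len(tlvs) >= 4:
        ttype, tlen = struct.unpack("!HH", tlvs[:4])
        if ttype == TLV_ORIGINATING_VLAN and tlen == 2:
            origin = struct.unpack("!H", tlvs[4:6])[0]
        tlvs = tlvs[4 + tlen:]
    return received, origin


def check_native_mismatch(frame, port_native_vlan):
    """A BPDU that says 'I was sent for VLAN X' but is filed by the receiving
    port as VLAN Y means the two ends disagree about the untagged VLAN."""
    received, origin = parse_pvst_bpdu(frame, port_native_vlan)
    return {
        "received_vlan": received,
        "originating_vlan": origin,
        "mismatch": origin is not None and origin != received,
    }


if __name__ == "__main__":
    peer_mac = bytes.fromhex("00aabbccdd01")                      # constructed
    untagged_from_vlan80 = build_pvst_bpdu(peer_mac, 80)          # peer's native VLAN is 80
    print(check_native_mismatch(untagged_from_vlan80, port_native_vlan=1))    # mismatch
    print(check_native_mismatch(untagged_from_vlan80, port_native_vlan=80))   # consistent
    print(check_native_mismatch(build_pvst_bpdu(peer_mac, 50, tagged_as=50), 1))  # tagged: consistent
```

    Only the untagged BPDU can reveal the mismatch: a tagged BPDU carries its VLAN explicitly, so the receiver files it correctly regardless of either side's native VLAN setting. That is why the mismatch is tied to the native VLAN specifically, and why the fix in every thread on this page is to make the untagged VLAN agree on both ends.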

  • Switchport trunk native vlan question...

    What am I missing in regards to the following two lines assigned to a sw interface:
    switchport trunk native vlan 80
    switchport mode trunk
    Why assign a VLAN to the port when you're trunking it (meaning you're allowing all VLANs to pass)?
    Thank you.

    By default the native VLAN is VLAN 1, but it can be changed to any number on the trunk port with the command "switchport trunk native vlan #". This makes the new VLAN the native one and allows all packets from this VLAN to pass through the trunk untagged.
    Native VLANs are used to carry CDP, PAgP and VTP messages. Thus the frames on the native VLAN are untagged. For these messages to propagate between devices, native VLANs must match on both sides of the trunk. In case of a native VLAN mismatch on both sides of the trunk, STP will put the trunk port in the err-disabled state.

  • What is the effect of the command switchport trunk native vlan x

    Hello all,
    I have an SG500 switch. Port Gi0/19 is directly connected to a machine. When I show the running config, I find the following under interface gi0/19:
    switchport trunk native vlan 70
    I need to understand this command, because I'm a bit confused: I thought an interface is only put in trunk mode when there is a link between two switches.
    Please Help :)

    Trunks can carry all the traffic (VLAN 70, 80, ..., including VLAN 1).
    An access port can only be in one VLAN (say VLAN 70).
    So if you configure it as a trunk and connect the server, since the native VLAN is 70, traffic in VLAN 70 will not be tagged, so your server can understand it (assuming the server does not have the capacity to understand tagged frames). Traffic in the other VLANs (say VLAN 80, ..., VLAN 1) will also be received by this interface but will be dropped.
    If you configure it as an access port in VLAN 70, only untagged VLAN 70 traffic will be received on the interface.
    Thanks

  • Wireless AP native vlan and switch trunk

    Hi,
    I am unable to ping my AP. I think it is due to a multiple-VLAN issue; can anyone provide some advice? My config for the AP and the switch is below.
    AP Config
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname hostname
    logging rate-limit console 9
    enable secret 5 $1$ZxN/$eYOf/ngj7vVixlj.wjG2G0
    no aaa new-model
    ip cef
    dot11 syslog
    dot11 ssid Personal
       vlan 2
       authentication open
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii 7 070E26451F5A17113741595D
    crypto pki token default removal timeout 0
    username Cisco password 7 1531021F0725
    bridge irb
    interface Dot11Radio0
    no ip address
    encryption vlan 2 mode ciphers aes-ccm tkip
    ssid Personal
    antenna gain 0
    stbc
    beamform ofdm
    station-role root
    no dot11 extension aironet
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    interface Dot11Radio0.100
    encapsulation dot1Q 100 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio1
    no ip address
    encryption vlan 2 mode ciphers aes-ccm tkip
    ssid Personal
    antenna gain 0
    no dfs band block
    stbc
    beamform ofdm
    channel dfs
    station-role root
    interface Dot11Radio1.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    interface Dot11Radio1.100
    encapsulation dot1Q 100 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 spanning-disabled
    no bridge-group 2 source-learning
    interface GigabitEthernet0.100
    encapsulation dot1Q 100 native
    bridge-group 1
    bridge-group 1 spanning-disabled
    no bridge-group 1 source-learning
    interface BVI1
    ip address 192.168.1.100 255.255.255.0
    ip default-gateway 192.168.1.1
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    password 7 01181101521F
    login
    transport input all
    end
    Switch Port config
    interface FastEthernet1/0/10
    switchport trunk native vlan 100
    switchport mode trunk

    I will re-check the routing again, but could it be a bridging issue?
    interface GigabitEthernet0
    no ip address
    duplex auto
    speed auto
    **** unable to put these commands on the gigabit port:
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    I tried to put these commands on the GigabitEthernet port but it does not allow me. Could this be the bridging issue?
