Switchport trunk native vlan & switchport access vlan dual configuration

I've discovered this dual configuration on a 3500xl switch while troubleshooting an incrementing runts issue. Could the config of this port be related to the issue at hand?
port configuration:
interface FastEthernet0/3
duplex full
speed 100
switchport access vlan 203
switchport trunk encapsulation dot1q
switchport trunk native vlan 203
switchport trunk allowed vlan 1,203,204,220,1002-1005
switchport mode trunk
spanning-tree portfast

Hi,
The 'switchport access vlan' command will have no effect on the configuration you have on this port. The port will operate as a trunk and will disregard any config that pertains to an access port.
Hope that helps ...
Paresh

Similar Messages

  • Switchport comparison, "trunk native vlan" versus "access vlan"

    I want to understand the logic when I install an IP phone with a PC attached. Is there any difference between the two configurations, for example, considerations for handling QoS?
    switchport access vlan 100
    switchport voice vlan 200
    versus
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 100
    switchport voice vlan 200
    switchport mode trunk
    Thanks in advance,

    The difference is that these apply to two different sets of switches.
    The first set of configuration applies to the new series switches, Cisco 3550, 3560, 3750 series.
    The second set applies to the older series, Cisco 2900, Cisco 3500XL etc. In these switches, you need to configure the port as a trunk before the port can take both voice and data VLANs.
    In the newer series, the port can take both voice and data vlan and still not run in trunk mode.
    Regards,
    Anup

  • VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1

    Hi All,
    L2 security documents suggest avoiding VLAN 1 and tagging all frames with VLAN IDs using the global configuration of vlan dot1q. Other Cisco non-security documents suggest using switchport trunk native vlan #, which removes any VLAN tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using VLAN 1 to tighten L2 security. When VLAN 1 is removed from all trunked uplinks, user access ports are other than VLAN 1, and no spanning-tree VLAN 1 operations exist, what is the native VLAN 1 actually used for? The output of show interface gi0/1 trunk shows the native VLAN as 1.
    Thanks,
    HC

    Hi HC,
    the command "switchport trunk native vlan" is used to define the native (untagged) VLAN on a dot1q link. The default is 1, but you can change it to anything you like. But it only changes the native VLAN; all the other VLANs on the trunk are of course tagged (and it only applies to dot1q, as ISL "tags/encapsulates" all the VLANs). The command "vlan dot1q tag native" is mostly used in dot1q-in-dot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. That's something mostly service providers offer to their customers. There it is important that there is no untagged traffic, as that would not work with dot1q-in-dot1q. This command tags the native VLAN traffic and drops all traffic which is not tagged.
    What is the native VLAN for? Switches send control PDUs such as STP, CDP or VTP over the native VLAN.
    If you don't happen to be a service provider for L2 metropolitan Ethernet, you won't need the "vlan dot1q tag native" command. For my part, I'm trying not to use VLAN 1 everywhere in my campus, because it gives a huge spanning-tree topology and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degraded. I try to keep VLANs as small as possible and to have as much L3 separation as possible; that's good for stability!
    Simon

  • What is the effect of the command switchport trunk native vlan x

    Hello all,
    I have an SG500 switch. The port Gi0/19 is directly connected to a machine. When I show the running config file I find the following config in the interface gi0/19:
    switchport trunk native vlan 70
    I need to understand this command because I'm a bit confused: I thought that we only put an interface in trunk mode if we have a link between two switches.
    Please Help :)

    Trunks can carry all the traffic (VLAN 70, 80, ... including VLAN 1).
    An access port can only be in one VLAN (say VLAN 70).
    So if you configure it as a trunk and connect the server, since the native VLAN is 70, traffic of VLAN 70 will not be tagged, so your server can understand it (assuming the server does not have the capacity to understand tagged frames). Traffic in other VLANs will also be received by this interface (say VLAN 80, ... VLAN 1 ...) but will be dropped.
    If you configure it as access only and in VLAN 70, only untagged VLAN 70 traffic will be received on the interface.
    Thanks

  • Switchport trunk native vlan question...

    What am I missing in regards to the following two lines assigned to a sw interface:
    switchport trunk native vlan 80
    switchport mode trunk
    Why assign a VLAN to the port when you're trunking it (meaning you're allowing all VLANs to pass)?
    Thank you.

    By default the native VLAN is VLAN 1, but it can be changed to any number on the trunk port by the command "switchport trunk native vlan #". This will make the new VLAN # native and allow all packets from this VLAN to pass through the trunk untagged.
    Native VLANs are used to carry CDP, PAgP & VTP messages. Thus the frames on the native VLAN are untagged. For these messages to propagate between devices, native VLANs must match on both sides of the trunk. In case of a native VLAN mismatch on both sides of the trunk, STP will put the trunk port in err-disabled state.

  • Switch trunk native and switchport trunk allowed commands

    Hello,
    What will be the result of having these two commands defined on trunk
    Switch(Config-if)# switchport trunk native vlan 500
    Switch(Config-if)# switchport trunk allowed vlan remove 500
    Thanks

    The first command would send traffic untagged over vlan 500, but the second command removes vlan 500 from the trunk, so I think you would lose traffic for anything using vlan 500....
    HTH,
    John
    *** Please rate all useful posts ***

  • NAC manager doesn't change auth vlan to access vlan

    Hi,
    I am trying to install L2 out-of-band NAC in my LAN but I have a problem for which I don't seem to find any solutions.
    The problem is that NAC manager simply doesn't change the switchport from the authentication to the access VLAN although the user is authenticated and all CAA requirements have been met.
    I connect my laptop to the switch and NAM changes the VLAN to the auth. VLAN and the laptop gets an IP address from the access VLAN (VLAN mapping configured on NAM). Then the CCA login pops up and I enter username and password. After that CAA says: "Successfully logged in to network" but the laptop stays in the auth. VLAN and I can see my user in the "out of band" users list (on NAM) but the laptop (its MAC address) is not in the certified devices list. And Manager keeps it in the auth. VLAN. So when I click OK in CAA, the login window pops up again because I'm still in the authentication VLAN.
    What could be the problem? I really tried everything and I don't know why the manager doesn't put the laptop in the certified devices list (I repeat, the user is in the out of band users list) and CCA says successfully logged in to network, and all requirements are met too.

    Faisal,
    thank you very much, yes that was the problem. I didn't have a managed subnet entry. Now it works fine, but I have another problem. When I added the managed subnet I cannot connect to the NAC server from my PC, which has an IP address from that subnet range. I can neither ping nor connect via https; it is totally inaccessible.
    What can I do to have that managed subnet entry and still be able to connect to the server from that subnet (VLAN)?
    I tried adding the managed subnet entry with the auth. VLAN (400) and then with the access VLAN (110) and no-vlan (-1) but the situation is the same: clean access works fine, but I cannot reach the server from my PC.

  • Auth VLAN and Access vlan

    When the interface comes up, the CAM puts the user in the AUTH vlan as expected via the set command (vlan 210)
    03:09:09: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220
    03:09:09: SNMP: Set request, reqid 2144479366, errstat 0, erridx 0
    vmVlan.1 = 210
    that works OK
    Fa0/21, Fa0/22, Fa0/23
    210 VLAN0210 active Fa0/1
    211 VLAN0211 active
    So SNMP RW works OK,
    After the user logs in to the network the user should be put back into VLAN 220 (according to the port profile settings) but nothing happens, no set command sent, no SNMP traffic at all. The user remains in the AUTH VLAN and the agent loops.
    I have tried all the settings, role based, initial VLAN as well, to no avail.
    Any ideas? What to check for?
    Rafal

    Have you double checked your settings for mapping ports with the VG setup guide?
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_addSrvr.html#wp1089247
    Also make sure your OOB port profile is correct and that it switches from auth to access vlan after authentication
    http://www.exio.com/en/US/docs/security/nac/appliance/configuration_guide/411/cam/m_oob.html#wp1083087

  • Cisco SF302-08P loses the trunk native vlan setting from the port when I connect an IP PHONE.

    Hello!
    I have a problem with a Cisco SF302-08P switch. Specifically, the problem is in configuring a port for an IP phone and a PC.
    As is known, this is a PoE switch.
    vlan database
    vlan 47,147
    exit
    voice vlan id 147
    voice vlan oui-table add 0001e3 Siemens_AG_phone________
    voice vlan oui-table add 00036b Cisco_phone_____________
    voice vlan oui-table add 00096e Avaya___________________
    voice vlan oui-table add 000fe2 H3C_Aolynk______________
    voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
    voice vlan oui-table add 00d01e Pingtel_phone___________
    voice vlan oui-table add 00e075 Polycom/Veritel_phone___
    voice vlan oui-table add 00e0bb 3Com_phone______________
    hostname DepGrajdIniciativ
    ip ssh server
    snmp-server server
    ip telnet server
    interface vlan 47
     ip address 172.27.47.253 255.255.255.0
     no ip address dhcp
    interface fastethernet1
     storm-control broadcast enable
     storm-control broadcast level 10
     storm-control include-multicast
     port security max 10
     port security mode max-addresses
     port security discard trap 60
     spanning-tree portfast
     switchport trunk allowed vlan add 147
     switchport trunk native vlan 47                 <-----
     macro description ip_phone_desktop
     !next command is internal.
     macro auto smartport dynamic_type ip_phone_desktop
    VLAN 147 is for the IP phone, VLAN 47 for the computer.
    The thing is that when, for example, I connect an IP phone (Cisco 6921) to port 1, the setting "switchport trunk native vlan 47" disappears from the port, and accordingly the computer connected to the phone's "computer" port loses connectivity (VLAN 47 is lost?). I have to configure it again, but it only persists until the next reboot of the switch or the phone.
    P.S. The switch settings are saved with the command "copy run start" or "wr". On the phone, "admin vlan" is set to 147.
    P.P.S. The phone is powered over PoE.
    What could the problem be? I have worked with many Cisco switches but have never seen anything like this....

  • 2960 will not allow "switchport trunk encapsulation dot1q" CLI

    I have a Cisco 2960 switch that is not allowing me to set up switchport trunk encapsulation dot1q on a trunking interface.
    The show capabilities output shows that the interface can use 802.1Q, but when I try the command in the CLI, the word encapsulation is not an option.
    Please advise with a solution.
    Thanks, S
    Model - WS-C2960G-24TC-L
    SW Version - 12.2(44)SE6
    SW Image - C2960-LANBASEK9-M
    S1#
    S1#sh int gi0/23 capabilities
    GigabitEthernet0/23
    Model:                 WS-C2960G-24TC-L
    Type:                 1000BaseLX SFP
    Speed:                 1000
    Duplex:               full
    Trunk encap. type:     802.1Q
    Trunk mode:           on,off,desirable,nonegotiate
    Channel:               yes
    Broadcast suppression: percentage(0-100)
    Flowcontrol:           rx-(off,on,desired),tx-(none)
    Fast Start:           yes
    QoS scheduling:       rx-(not configurable on per port basis),
                             tx-(4q3t) (3t: Two configurable values and one fixed.)
    CoS rewrite:           yes
    ToS rewrite:           yes
    UDLD:                 yes
    Inline power:         no
    SPAN:                 source/destination
    PortSecure:           yes
    Dot1x:                yes
    Multiple Media Types: rj45, sfp, auto-select
    S1#
    S1#
    S1#
    S1(config-if)#switchport ?
    access         Set access mode characteristics of the interface
    backup         Set backup for the interface
    block         Disable forwarding of unknown uni/multi cast addresses
    host           Set port host
    mode           Set trunking mode of the interface
    nonegotiate   Device will not engage in negotiation protocol on this
                     interface
    port-security Security related command
    priority       Set appliance 802.1p priority
    protected     Configure an interface to be a protected port
    trunk         Set trunking characteristics of the interface
    voice         Voice appliance attributes
    S1#
    S1#
    S1#
    S1(config-if)#switchport trunk ?
    allowed Set allowed VLAN characteristics when interface is in trunking mode
    native   Set trunking native characteristics when interface is in trunking
               mode
    pruning Set pruning VLAN characteristics when interface is in trunking mode
    S1#
    S1#
    S1#

    Newer devices don't support ISL so you can only run 802.1Q. That means that there is no need for an encapsulation command because only one encapsulation is supported. If the device had support for ISL then you would also have that command.
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.

  • Switchport trunk

    Of the following configurations, which is the most appropriate for them to work in redundancy between two 4507 devices?
    interface GigabitEthernet4/15
    switchport access vlan 110
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 110
    switchport mode trunk
    duplex full
    speed 100
    interface GigabitEthernet4/15
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 110
    switchport mode trunk
    duplex full
    speed 100

    Hi Friend,
    Can you please post the question in English? I tried translating it but was not very successful.
    Your first config and second config are exactly the same, with only one difference: in your first config you have configured the native VLAN as 110 and in your second config the native VLAN is 1, which is the default.
    The native VLAN is the VLAN which is sent across the trunk without tagging.
    If you are connecting these 2 switches together, make sure to make the native VLAN the same on both ends. Also, for etherchannel or teaming to work, the config on both ports should be the same.
    HTH
    Ankur

  • ASA5585-X Switchport Trunk ask security expert

    Hi, I have an ASA5585-X version 9.1 and ASDM version 7.1.
    I have a lot of different VLANs on the ASR router. The ASR router has a subinterface with VLANs. The ASA 5585 is behind the ASR router. I want to set up the ASA 5585 switch ports in trunk mode. Is it possible?
    The topology is below.
    ISP -> Cisco ASR with BGP and subinterfaces and gateway for the VLANs -> ASA5585 all IP addresses, security configurations -> Cisco 6500 aggregation switch -> Cisco 2960 cabinet switches -> Servers

    I can't speak to the ASR router configuration, but you can definitely have trunk ports on the ASA side. What has worked for me between 3750 switches and assorted generations of ASA hardware and software is configurations like:
    On the switch you set it to mode trunk with negotiation off:
    interface GigabitEthernet1/0/38
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 400
    switchport trunk allowed vlan 1,430-435,543-545
    switchport mode trunk
    switchport nonegotiate
    On the ASA you put the parent physical interface into "no shutdown" state and then set up subinterfaces with vlan tags:
    interface GigabitEthernet0/3
    description trunk port
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3.543
    description first subinterface
    vlan 543
    nameif whatever
    security-level 80
    ip address 192.0.2.1 255.255.255.0
    -- Jim Leinweber, WI State Lab of Hygiene

  • Does it need add the native vlan to allowed vlan list ?

    If I configured the port like this:
    switchport trunk native vlan 10
    switchport trunk allowed vlan 11,12
    is VLAN 10 allowed to pass? Or does it still need VLAN 10 added to the allowed VLAN list, like this:
    switchport trunk native vlan 10
    switchport trunk allowed vlan 10,11,12
    Thanks

    Yes you can remove the native VLAN from the list, and it does prevent the native VLAN from traversing the trunk. That is, if you look at the Spanning Tree for the native VLAN, the trunk will be absent from the list of ports on the VLAN.
    The question of untagged frames is a different one. There are some control protocols, particularly link-local ones, that are sent untagged, and these will traverse the trunk regardless. However, they are not considered as part of the native VLAN Spanning Tree as such.
    But beware: there is a bug in earlier IOS and in all CatOS switches! If you use a non-1 VLAN as your trunk native VLAN, and you disallow it from the trunks, and there are no other ports carrying that native VLAN, then the Spanning Tree for that VLAN shuts down. That is fair enough. But the bug is that the Spanning Tree for VLAN 1 also breaks down, sending your network into meltdown.
    Kevin Dorrell
    Luxembourg

  • Autonomous AP1121 - Management Vlan and SSID Vlan

    Hello,
    We are using an ACS server to authenticate wireless users to Active Directory; this works fine. The issue occurs when we try to pull an IP and we can't from DHCP. The VLAN we have the SSID on is VLAN 10 and the management VLAN of the AP is VLAN 500. The ip-helper info is correct because wired users on VLAN 10 get an IP immediately. We just can't pull one with the AP. Does anyone know the config for this? Here is my current config; the clients authenticate through the ACS 4.2 but pull no IP. The only way for me to manage the AP is to have the native vlan command on there; once I remove it I can't telnet. What is the fix for this? Thanks
    Current switch port config the AP is plugged into:
    interface FastEthernet1/0/48
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport mode trunk

    Do you have sub-interfaces for VLAN 10 being bridged through the radio interface?
    Example config below...
    interface Dot11Radio0.10
    description Secure Wireless access
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface FastEthernet0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    no bridge-group 10 source-learning
    bridge-group 10 spanning-disabled
    Also verify that vlan 10 is allowed on the trunk interface of the switch by typing "show int trunk"

  • Cat 3750 with Voice VLAN and Dynamic VLANs

    Morning,
    Has anyone had any success with configuring a Catalyst 3750 with a Voice VLAN (Cisco phones) and 802.1x dynamic VLANs?
    Is a RADIUS server able to provide values to change the native vlan?
    Is there a decent tech note knocking about for configuring 'dynamic VLAN assignment through MAC addresses'?
    Thanks,

    Voice VLANs don't require trunk ports to be configured (unless you are talking about 2900XL/3500XL switches). Cisco added the ability to trunk a single 802.1q VLAN down an access port in addition to the access VLAN, so in 2950 or above the only config you need is:
    interface FastEthernet0/1
    switchport
    switchport mode access
    switchport access vlan 10
    switchport voice vlan 100
    This is effectively the same as:
    interface FastEthernet0/1
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk native vlan 10
    switchport trunk allowed vlan 10,100
    The only difference is the CDP message with the first config will advertise the Voice VLAN capability and the tag.
    With the older 2900XL/3500XL switches you had to configure the interfaces like the second example (plus adding the command switchport voice vlan xx for CDP to inform the IP Phone of the voice vlan).
    QoS is not detailed anywhere here and that obviously plays an important role with voice.
    In your scenario I am not sure ACS can do what you describe as this will require 802.1x supplicants on the client PCs (I may be wrong here and I do remember someone talking about switches being able to do an 802.1x 'proxy' using the MAC address on behalf of non-802.1x-capable devices). This seems to me more of a VMPS application.
    Personally I would reconfigure the network each time and charge the occupants a small fee for network setup.....
    HTH
    Andy
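
Added example (not code from any of the posts above): a small Python model of how a switchport puts frames on the wire, written to check the points raised in the original question (an access VLAN on a trunk port is ignored), in the threads about removing the native VLAN from the allowed list, and in Andy's reply that access + voice VLAN on a 2950-class switch is equivalent to a trunk with native and allowed VLANs. The parser is mine and understands only the switchport keywords quoted in these threads; platform differences (2900XL/3500XL versus newer switches) are not modelled.

```python
"""Model how a Cisco IOS switchport puts 802.1Q frames on the wire and lint the
trunk mistakes asked about above.  Constructed example; parser covers only the
switchport keywords quoted in these threads."""

def expand_vlan_list(spec):
    """'1,203,1002-1005' -> {1, 203, 1002, 1003, 1004, 1005}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_switchport(stanza):
    """Reduce one interface stanza to the settings that decide VLAN handling."""
    cfg = {"mode": "access", "access": None, "voice": None,
           "native": 1, "allowed": set(range(1, 4095))}  # trunk default: all VLANs
    for line in stanza.strip().splitlines():
        t = line.split()
        if t[:2] == ["switchport", "mode"]:
            cfg["mode"] = t[2]
        elif t[:3] == ["switchport", "access", "vlan"]:
            cfg["access"] = int(t[3])
        elif t[:3] == ["switchport", "voice", "vlan"]:
            cfg["voice"] = int(t[3])
        elif t[:4] == ["switchport", "trunk", "native", "vlan"]:
            cfg["native"] = int(t[4])
        elif t[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            if t[4] == "add":        # 'allowed vlan add 147' extends the list
                cfg["allowed"] |= expand_vlan_list(t[5])
            elif t[4] == "remove":   # 'allowed vlan remove 500' prunes it
                cfg["allowed"] -= expand_vlan_list(t[5])
            else:
                cfg["allowed"] = expand_vlan_list(t[4])
    return cfg

def effective_vlans(cfg):
    """Map each VLAN the port carries to 'tagged' or 'untagged' on the wire."""
    if cfg["mode"] == "trunk":
        wire = {v: "tagged" for v in cfg["allowed"]}
        if cfg["native"] in wire:        # native VLAN goes untagged, if allowed
            wire[cfg["native"]] = "untagged"
        return wire
    wire = {cfg["access"] or 1: "untagged"}  # access VLAN defaults to 1
    if cfg["voice"]:                     # voice VLAN rides the same link tagged
        wire[cfg["voice"]] = "tagged"
    return wire

def classify_ingress(cfg, tag):
    """VLAN a received frame lands in (tag=None means untagged); None if dropped."""
    wire = effective_vlans(cfg)
    if tag is None:
        return next((v for v, how in wire.items() if how == "untagged"), None)
    return tag if wire.get(tag) == "tagged" else None

def lint(cfg, peer=None):
    """Warnings for this port and, if given, against the far end of the trunk."""
    w = []
    if cfg["mode"] == "trunk":
        if cfg["access"] is not None:
            w.append("access vlan %d is ignored on a trunk" % cfg["access"])
        if cfg["native"] not in cfg["allowed"]:
            w.append("native vlan %d not allowed: untagged frames dropped" % cfg["native"])
        if peer and peer["native"] != cfg["native"]:
            w.append("native vlan mismatch %d/%d" % (cfg["native"], peer["native"]))
    return w
```

Feeding it the FastEthernet0/3 stanza from the first post yields the single warning that the access VLAN is ignored, with VLAN 203 carried untagged because it is both native and in the allowed list.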
