Native Vlan Configuration

Unanswered Question
Jun 5th, 2008

Hey guys. I have a question about native vlans. Our Gateway has the configuration listed below. We have two switches, A and B, that have two different native vlans, but the gateway has no native vlan assigned to it. So, what does having 3 different native vlans do to a network? I ask this because everyone is up and running, but every so often, about once every couple of days, we get the below "inconsistent vlan" error. Also, switch B has not received the inconsistent vlan error, at least that we can see in the logs.

Also, I must add that there are other "dumb" switches in between. We have no view of them and they just pass the traffic.

Gateway#

Jun 3 14:14:06: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet3/1 VLAN506.
Jun 3 14:14:06: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet3/1 on VLAN0506. Inconsistent local vlan.
Jun 3 14:15:39: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet3/1 on VLAN0506. Port consistency restored.

!
interface GigabitEthernet3/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3,506,555
 switchport mode trunk
end

Switch C#

Jun 3 14:14:06.945: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet0/1 VLAN506.
Jun 3 14:14:06.945: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0/1 on VLAN0506. Inconsistent local vlan.
Jun 3 14:15:39.463: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/1 on VLAN0506. Port consistency restored.

!
interface GigabitEthernet0/1
 switchport trunk native vlan 998
 switchport trunk allowed vlan 3,506
 switchport mode trunk
 no cdp enable
end

Switch B#

!
interface GigabitEthernetx/x
 switchport access vlan 506
 switchport trunk native vlan 506
 switchport mode trunk
 media-type sfp
 duplex full
 no cdp enable
end

Thanks for your inputs!

Pravin Phadte Thu, 06/05/2008 - 02:57

Can you please let us know how or if these 3 switches are interconnected to each other.

Also output:

show int status

sh interfaces gigabitEthernetx/x switchport

sh interfaces gigabitEthernetx/x trunk.

This will help us understand the design better.

Regards,

Pravin

glen.grant Thu, 06/05/2008 - 03:29

If switch C G0/1 is trunked to switch B Gx/x then the trunk is not working correctly because of the native vlan mismatch. What you are seeing is vlan506 going into a blocked state, and when it does this no traffic for that vlan is traversing the link. On each end of a trunked link the native vlans should match. If you see none configured on the link it will just use vlan 1 as the default and thus it does not show in the config. Just make sure the natives match on each end and this message should go away.
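
To make Glen's point checkable, here is an added example (not from the thread and not Cisco code) in Python. It parses the two trunk stanzas posted above, treats a missing "switchport trunk native vlan" line as the IOS default of VLAN 1, and reports whether the two ends agree; it also pulls the peer VLAN ID and the affected VLAN out of a %SPANTREE-2-RECV_PVID_ERR line so the same check can be driven from syslog. The thread does not establish which two ports actually face each other, so pairing Gateway Gi3/1 with switch C Gi0/1 is an assumption for illustration, and the "corrected" stanzas at the end are constructed to show what a matching pair looks like.

```python
import re

# Sample input: the two trunk stanzas posted in the thread. Pairing them as
# the two ends of one trunk is an assumption made for this example.
GATEWAY_GI3_1 = """\
interface GigabitEthernet3/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 3,506,555
 switchport mode trunk
end
"""

SWITCH_C_GI0_1 = """\
interface GigabitEthernet0/1
 switchport trunk native vlan 998
 switchport trunk allowed vlan 3,506
 switchport mode trunk
 no cdp enable
end
"""

# Constructed "after" stanzas: both ends on native VLAN 998 and carrying it.
CORRECTED_GATEWAY = """\
interface GigabitEthernet3/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 3,506,555,998
 switchport mode trunk
end
"""

CORRECTED_SWITCH_C = """\
interface GigabitEthernet0/1
 switchport trunk native vlan 998
 switchport trunk allowed vlan 3,506,998
 switchport mode trunk
end
"""

# One of the syslog lines from the thread, used as sample input.
LOG_LINE = ("Jun 3 14:14:06: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with "
            "inconsistent peer vlan id 1 on GigabitEthernet3/1 VLAN506.")

DEFAULT_NATIVE_VLAN = 1  # what IOS uses when no "native vlan" line is present


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '3,506,555' or '10-12,20' into sorted ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return sorted(vlans)


def parse_trunk_stanza(text):
    """Return name, native VLAN, allowed list and trunk flag for one interface stanza."""
    name = re.search(r"^interface (\S+)", text, re.M)
    native = re.search(r"^\s*switchport trunk native vlan (\d+)", text, re.M)
    allowed = re.search(r"^\s*switchport trunk allowed vlan (\S+)", text, re.M)
    return {
        "name": name.group(1) if name else None,
        # An absent line means the default; that is the gateway's situation.
        "native": int(native.group(1)) if native else DEFAULT_NATIVE_VLAN,
        "allowed": expand_vlan_list(allowed.group(1)) if allowed else None,
        "trunk": re.search(r"^\s*switchport mode trunk", text, re.M) is not None,
    }


def check_trunk_pair(local_cfg, peer_cfg):
    """Compare both ends of one trunk and return a small report."""
    local, peer = parse_trunk_stanza(local_cfg), parse_trunk_stanza(peer_cfg)
    report = {"local": local["name"], "peer": peer["name"],
              "local_native": local["native"], "peer_native": peer["native"],
              "native_match": local["native"] == peer["native"], "notes": []}
    if not report["native_match"]:
        report["notes"].append("native VLAN mismatch: expect PVID inconsistency and "
                               "%SPANTREE-2-BLOCK_PVID_LOCAL blocking on the affected VLAN")
    for side in (local, peer):
        if side["allowed"] is not None and side["native"] not in side["allowed"]:
            report["notes"].append(f"{side['name']}: native VLAN {side['native']} is not in "
                                   "the allowed list, so native-VLAN traffic is not carried here")
    return report


PVID_RE = re.compile(r"%SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer "
                     r"vlan id (?P<peer_vlan>\d+) on (?P<port>\S+) VLAN(?P<vlan>\d+)")


def parse_pvid_error(line):
    """Extract port, the peer's VLAN ID and the affected VLAN from a RECV_PVID_ERR line."""
    m = PVID_RE.search(line)
    if not m:
        return None
    return {"port": m.group("port"), "peer_vlan": int(m.group("peer_vlan")),
            "vlan": int(m.group("vlan"))}


if __name__ == "__main__":
    for key, val in check_trunk_pair(GATEWAY_GI3_1, SWITCH_C_GI0_1).items():
        print(f"{key}: {val}")
    print(parse_pvid_error(LOG_LINE))
```

Running it on the posted stanzas reports a mismatch (1 versus 998) plus a note that neither side carries its own native VLAN in the allowed list; the constructed corrected pair comes back clean. The same parse_pvid_error regex can be pointed at a syslog collector to alert whenever a trunk starts flapping between blocked and consistent, which is exactly the pattern in the original post.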

cindylee27 Thu, 06/05/2008 - 23:59

Glen,

Nice reply. Can I ask what the purpose of the "native vlan" is?

Thanks.

cindy

Jon Marshall Fri, 06/06/2008 - 00:14

Cindy

When a vlan is transported across a trunk link it is tagged with its vlan ID so that at the other end of the trunk link the packet is sent to the right vlan.

The native vlan is the only vlan that is not tagged when it is sent across a trunk link. This is why it is important to have both sides of the trunk link agreeing on what the native vlan is as there is no vlan ID attached to the frame.

The native vlan's primary purpose is to provide backwards compatibility to switches that do not understand vlan tagging.

Jon
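
The tagging behaviour Jon describes can be shown at the byte level. The following is an added example, not code from the thread or from any Cisco product: it builds 802.1Q frames the way a trunk port would (a 4-byte tag with TPID 0x8100 for every VLAN except the native one, which goes out untagged) and decodes them on the far side, where an untagged frame carries no VLAN ID and can only be assigned to the receiver's own native VLAN. The MAC addresses and payload are constructed; the native VLAN values are the ones from the thread (506 on switch B, the default of 1 on the gateway).

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (not from the thread).
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
PAYLOAD = b"constructed payload"


def build_frame(dst, src, vlan_id, ethertype, payload, native_vlan):
    """Encode a frame for a dot1q trunk whose native VLAN is native_vlan.
    Frames in the native VLAN leave untagged; every other VLAN gets a
    4-byte tag: TPID 0x8100 followed by the TCI (PCP=0, DEI=0, 12-bit VID)."""
    header = dst + src
    if vlan_id != native_vlan:
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def receive_frame(frame, native_vlan):
    """Decode a frame arriving on a trunk whose native VLAN is native_vlan.
    Returns (vlan_id, ethertype, payload). An untagged frame has no VLAN
    information at all, so the receiver assigns it to its own native VLAN."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload = frame[18:]
    else:
        vlan_id = native_vlan
        payload = frame[14:]
    return vlan_id, ethertype, payload


def forward_across_trunk(vlan_id, sender_native, receiver_native):
    """Send one frame in vlan_id from a switch whose trunk native VLAN is
    sender_native to a peer whose trunk native VLAN is receiver_native, and
    return the VLAN the receiver places the frame in."""
    frame = build_frame(DST_MAC, SRC_MAC, vlan_id, ETHERTYPE_IPV4, PAYLOAD, sender_native)
    rx_vlan, _, _ = receive_frame(frame, receiver_native)
    return rx_vlan


if __name__ == "__main__":
    # Matching native VLANs: every frame arrives in the VLAN it was sent on.
    print(forward_across_trunk(506, 998, 998))   # tagged 506, arrives in 506
    print(forward_across_trunk(998, 998, 998))   # untagged, both sides call it 998
    # The mismatch from the thread: switch B uses native 506, the gateway defaults to 1.
    print(forward_across_trunk(506, 506, 1))     # sent untagged, lands in VLAN 1
    print(forward_across_trunk(3, 506, 1))       # tagged VLANs are unaffected
```

The third call is the whole problem in one line: switch B sends VLAN 506 untagged because 506 is its native VLAN, and the gateway, whose native VLAN is 1, has nothing in the frame to tell it otherwise. Tagged VLANs cross the same link correctly, which is why a mismatch can go unnoticed until spanning tree compares PVIDs and blocks the VLAN.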

wilson_1234_2 Wed, 06/11/2008 - 13:59

Jon,

I have a question regarding Native VLANs:

Recently I had the need for a logical interface addition on a firewall DMZ.

I only needed to allow two vlans across the trunk link. The 3550 switch I was using had a software revision that would not allow a trunk link without having the native vlan allowed on the trunk.

I talked to someone (CCIE) at the time that suggested creating a dummy VLAN (999) and having the trunk use that as its native VLAN.

He said it was to avoid trouble; I seem to remember that he said I might see weird traffic on the trunk if I did not do this.

What would the weird traffic be? If nothing is using VLAN 1, what could get on VLAN 1?

Jon Marshall Wed, 06/11/2008 - 14:04

Richard

I have used vlan 999 as a dummy vlan for the native vlan as well.

I think he was advising a non-routable dummy vlan for security reasons but I'm not really sure what he meant by weird traffic.

If the native vlan is not vlan 1 CDP/PagP/VTP traffic will still be sent on vlan 1. Not an issue as such as you are connecting to a firewall rather than another switch but you need to be aware that vlan 1 is still in use on a trunk even if you change the native vlan.

Jon

wilson_1234_2 Wed, 06/11/2008 - 15:31

Thanks Jon,

1. In the example that I gave, if I am only trunking say VLAN 5, 10 and 999, and I do not see VLAN 1 when I do a "sh int trunk", are you saying I still have VLAN 1 active on the trunk?

2. If the above is true, can you give me an example of why using VLAN 999 is better from a security standpoint, if I still have VLAN 1 on the trunk?

Jon Marshall Wed, 06/11/2008 - 15:39

Richard

1) Vlan 1 is active but not for user data. It is used internally by the switch to send certain network data, i.e. CDP/PagP/VTP.

2) Using vlan 999 is better because Vlan 1 is the default vlan which all ports are in. It also tends to have a routed L3 interface.

If you use a vlan such as 999 (note it can be any vlan that is not used for anything else) then you can ensure

a) there are no user ports etc. allocated into that vlan

b) It never has a routed interface

Attached is a link to a vlan security paper which addresses the use of vlan 1 and why it is best to have a different management vlan and a different native vlan.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39009

Jon
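
Jon's two conditions (no user ports in the native VLAN and no routed interface on it) can be audited mechanically. The script below is an added example, not the thread's or Cisco's own code; it walks a constructed IOS running-config excerpt, finds every trunk's native VLAN (defaulting to 1 when the line is absent), and flags access ports assigned to that VLAN, an SVI on it, or the use of VLAN 1 itself as the native VLAN. The config excerpt, its address and its VLAN numbers are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from the thread): one trunk left on
# the default native VLAN 1 next to an access port and an SVI in VLAN 1, and
# one trunk using a dedicated dummy native VLAN 999 as the post recommends.
RUNNING_CONFIG = """\
!
vlan 10
 name users
!
vlan 999
 name native-dummy
!
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,506
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,506,999
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 10
 switchport mode access
!
"""

DEFAULT_VLAN = 1  # IOS default for both access ports and trunk native VLAN


def split_stanzas(config):
    """Yield (interface name, [stripped body lines]) for each interface stanza."""
    current, body = None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            if current:
                yield current, body
            current, body = line.split(None, 1)[1], []
        elif line.startswith("!") or not line.strip():
            if current:
                yield current, body
            current, body = None, []
        elif current:
            body.append(line.strip())
    if current:
        yield current, body


def _vlan_from(body, prefix):
    """Return the VLAN number on a '<prefix> N' line in the stanza, else the default."""
    for line in body:
        m = re.match(re.escape(prefix) + r" (\d+)$", line)
        if m:
            return int(m.group(1))
    return DEFAULT_VLAN


def audit_native_vlans(config):
    """Check every trunk's native VLAN against the post's two conditions
    (no access ports in it, no routed SVI on it) plus the VLAN 1 rule.
    Returns {trunk: {"native": N, "findings": [...]}}; empty findings = clean."""
    trunks, access_ports, svis = {}, {}, set()
    for name, body in split_stanzas(config):
        if name.lower().startswith("vlan"):
            svis.add(int(name[4:]))          # "Vlan1" is the routed interface for VLAN 1
        elif "switchport mode trunk" in body:
            trunks[name] = _vlan_from(body, "switchport trunk native vlan")
        elif "switchport mode access" in body:
            access_ports[name] = _vlan_from(body, "switchport access vlan")
    report = {}
    for trunk, native in trunks.items():
        findings = []
        ports = sorted(p for p, v in access_ports.items() if v == native)
        if ports:
            findings.append(f"access ports in native VLAN {native}: {', '.join(ports)}")
        if native in svis:
            findings.append(f"native VLAN {native} has a routed SVI (interface Vlan{native})")
        if native == DEFAULT_VLAN:
            findings.append("native VLAN is VLAN 1, the default VLAN every port starts in")
        report[trunk] = {"native": native, "findings": findings}
    return report


if __name__ == "__main__":
    for trunk, info in audit_native_vlans(RUNNING_CONFIG).items():
        status = "OK" if not info["findings"] else "; ".join(info["findings"])
        print(f"{trunk} (native {info['native']}): {status}")
```

On the constructed config, GigabitEthernet0/1 is reported three times over (an access port in VLAN 1, an SVI on VLAN 1, and VLAN 1 as native), while GigabitEthernet0/2 with native VLAN 999 comes back clean. Note that an access port with no "switchport access vlan" line counts as VLAN 1, which is how ports quietly end up sharing the native VLAN.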

wilson_1234_2 Wed, 06/11/2008 - 16:40

Excellent explanation Jon.

Thank you, and for the link also.

The other guy must have been talking about the possibility of the CDP/PagP/VTP traffic.

This must also be where the security risk is.

The information contained in the above traffic, especially CDP?
