NATIVE_VLAN_MISMATCH on a non-trunk port

Unanswered Question
Mar 16th, 2009
User Badges:

Hello,


I have a Cisco 851w that connects to a Catalyst 2950, the Catalyst have a few vlans and a FW that is being the "Router on a stick", the 851w should only be used in VLAN20.


It connects to Fa0/23 on the catalyst which is configured as follows:

interface FastEthernet0/23

description Line to xxx Fa0

switchport access vlan 20

switchport mode access

switchport port-security

switchport port-security violation restrict

switchport port-security mac-address sticky

switchport port-security mac-address sticky aaaa.bbbb.cccc

load-interval 30

speed 100

duplex full

spanning-tree portfast


Even though, I got errors in the log:

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/23 (20), with xxxxx FastEthernet0 (1). (Same errors appear on the 851 log with different direction)


The 851 doesn't really support VLANs, it does have a vlan database but only "supports" VLAN1, although that doesn't really suppose to matter as I don't try to negotiate a trunk between the devices, and even if I was trying, the native vlan for that interface would be VLAN1 as seen in the following output:


sh int fastEthernet 0/23 switchport

Name: Fa0/23

Switchport: Enabled

Administrative Mode: static access

Operational Mode: static access

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: native

Negotiation of Trunking: Off

Access Mode VLAN: 20 (Wifi-DMZ)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Trunking VLANs Enabled: ALL

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL

Protected: false

Unknown unicast blocked: disabled

Unknown multicast blocked: disabled

Appliance trust: none



Any one has an idea how to "fix" that problem? the error shouldn't appear in the logs


Thanks,

Ido.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Mohamad Qayoom Mon, 03/16/2009 - 08:38
User Badges:
  • Bronze, 100 points or more

Do you really need the following command on fa0/23 ?


switchport access vlan 20

John Blakley Mon, 03/16/2009 - 10:01
User Badges:
  • Purple, 4500 points or more

Can you post the config for the interface of your router that connects to fa0/23?


John

ido.edo10 Mon, 03/16/2009 - 10:06
User Badges:

Sure, although nothing special there...

interface FastEthernet0

description To yyyy Fa0/23

duplex full

speed 100

spanning-tree portfast

end


I supposed that spanning-tree portfast isn't really needed at the router, however it stays the same even if I remove it.

John Blakley Mon, 03/16/2009 - 10:13
User Badges:
  • Purple, 4500 points or more

Okay,


Under interface F0, see if you have the encapsulate option:


int fa0

encapsulate dot1q 20 native


Take spanning-tree portfast out.


HTH,


John

John Blakley Mon, 03/16/2009 - 10:16
User Badges:
  • Purple, 4500 points or more

You won't have it because it's only for subinterfaces.


John

John Blakley Mon, 03/16/2009 - 10:17
User Badges:
  • Purple, 4500 points or more

Try this instead:


int fa0

no ip address


int fa0.20

encapsulate dot1q 20 native


Put your ip address under fa0.20 subinterface, and it *should* work.


HTH,

John

ido.edo10 Mon, 03/16/2009 - 10:29
User Badges:

There is no IP on that interface,

it looks like cisco didn't really know what to do with those interfaces on the 851, they aren't layer-2 capable and neither layer-3 capable,

xxxx(config-if)#ip address 1.1.1.1 255.0.0.0


% IP addresses may not be configured on L2 links.


xxxxx(config-if)#switch?

% Unrecognized command


also no sub interfaces on this one:

xxxxx(config)#int fa0.20

^

% Invalid input detected at '^' marker.


The IP address is configured on BVI1 which is a bridge between VLAN1 & Dot11Radio0.

I attached those interfaces config as well:

interface BVI1

ip address 172.10.1.253 255.255.255.0

ip virtual-reassembly max-reassemblies 64

ip tcp adjust-mss 1435

end


interface Vlan1

no ip address

no ip virtual-reassembly

bridge-group 1

bridge-group 1 spanning-disabled

end

(Tried removing the bridge-group 1 spanning-disabled as well, didn't help)


Any other thoughts?


Thanks,

Ido.

John Blakley Mon, 03/16/2009 - 10:31
User Badges:
  • Purple, 4500 points or more

On the 851, can you delete vlan 1, and create a vlan 20 in its place?

ido.edo10 Mon, 03/16/2009 - 10:49
User Badges:

I can delete interface vlan 1,

but can't delete the vlan itself.


Tried to do that with int vlan1, I configured int vlan20 instead after putting int vlan20 in the bridge-group instead of vlan1 the router lost connectivity through its LAN interfaces.


It's like the Fa0-3 acts like a "stupid" switch, however they are still aware of vlans (I can execute show interfaces switchport, but can't configure them to do anything...) the problem is why they care about native vlan when both sides are configured as access ports.

And even if they were trunk ports, both sides when the show int switchport command issued shows that the native vlan is vlan1.


I have on the Catalyst another port (Gi0/2) that is a trunk and have native vlan 20, but I don't see how it should be related, I did attach it's configuration maybe you will see something I didn't:


interface GigabitEthernet0/2

description Lint to zzzzz

switchport trunk native vlan 20

switchport mode trunk

load-interval 30

ip dhcp snooping trust

end

John Blakley Mon, 03/16/2009 - 11:03
User Badges:
  • Purple, 4500 points or more

You would delete the vlan from:


router# vlan database


That's where you would create your vlan 20 also.


John

ido.edo10 Mon, 03/16/2009 - 11:05
User Badges:

Can't do that, not in vlan db mode and not from global config:


xxxxxx(vlan)#vlan 20

Vlan can not be added. Maximum number of 1 vlan(s) in the database.


xxxxx(vlan)#no vlan 1

A default VLAN may not be deleted.

Leo Laohoo Mon, 03/16/2009 - 14:34
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 LAN, Wireless

You're correct. The c850 ISR will not support multiple VLANs nor will it allow Trunking.


On the switch, have you tried making your native VLAN as VLAN 1?

ido.edo10 Mon, 03/16/2009 - 14:38
User Badges:

What do you mean "on the switch"?

On the port, although set to access mode, by default the native vlan is 1.

How can you set a native vlan "on the switch"?


Edison Ortiz Mon, 03/16/2009 - 15:40
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame,

    Founding Member

As you have bridging enabled on the 851w, it is carrying BPDUs on the link and the 2950 is detecting it as a regular switch where the Vlans must match.


Now, having different Vlans (both in access-mode) shouldn't be a problem with the connection there but CDP is quite picky when it comes to that.


You can either ignore the message (hard to do when filling up your log) or disable CDP at both ends of the link.


http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_03.html#wp1011618


HTH,


__


Edison.

ido.edo10 Mon, 03/16/2009 - 16:51
User Badges:

OK, I did manage to solve the problem, while looking at the input from the show cdp ne fa0/23 de command I saw that both the switch and the router was on the same VTP domain (although, obviously the cannot share the same database), and it said "Native Vlan: 1 (Mismatch)"

Changing the VTP domain on the router solved the problem and now it says "Native Vlan: 1" - looks like it doesn't care that there is a mismatch.


Regarding the bridging enable - looks like it doesn't matter, I just tried with a Cisco 851 that doesn't have any bridging and had the same "problem", the 851 also sends BPDUs (was confirmed using bpduguard on the port...) although it doesn't run spanning tree. (reports "No spanning tree instances exist." when using the show span command)


However I still can't find out how does CDP decides what is the "native vlan" at the other side (and obviously it decides incorrectly, because as shown by the show int fa0/23 switchport the native vlan is auto set to 1) any ideas regarding that?

Actions

This Discussion