03-16-2009 08:21 AM - edited 03-06-2019 04:37 AM
Hello,
I have a Cisco 851w that connects to a Catalyst 2950. The Catalyst has a few vlans and a FW that acts as the "Router on a stick"; the 851w should only be used in VLAN20.
It connects to Fa0/23 on the catalyst which is configured as follows:
interface FastEthernet0/23
description Line to xxx Fa0
switchport access vlan 20
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky aaaa.bbbb.cccc
load-interval 30
speed 100
duplex full
spanning-tree portfast
Even so, I got errors in the log:
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/23 (20), with xxxxx FastEthernet0 (1). (Same errors appear on the 851 log with different direction)
The 851 doesn't really support VLANs. It does have a vlan database but only "supports" VLAN1, although that isn't really supposed to matter, as I don't try to negotiate a trunk between the devices, and even if I were trying, the native vlan for that interface would be VLAN1, as seen in the following output:
sh int fastEthernet 0/23 switchport
Name: Fa0/23
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20 (Wifi-DMZ)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Does anyone have an idea how to "fix" that problem? The error shouldn't appear in the logs.
Thanks,
Ido.
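Added example, not part of the original post or of any reply: a small Python check that reads the logged CDP message together with the show interfaces switchport output and reports which VLAN the port treats as untagged. It assumes CDP reports the access VLAN for an access port (consistent with the "(20)" in the message above); the sample strings are constructed from the output quoted in the post, and all function names are hypothetical.

```python
import re

# Constructed samples, abridged from the output quoted in the post above.
LOG = ("%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
       "FastEthernet0/23 (20), with xxxxx FastEthernet0 (1).")
ACCESS_PORT = """Name: Fa0/23
Operational Mode: static access
Access Mode VLAN: 20 (Wifi-DMZ)
Trunking Native Mode VLAN: 1 (default)
Capture Mode Disabled"""

MISMATCH = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: .* on (?P<port>\S+) \((?P<local>\d+)\), "
    r"with (?P<peer>\S+) (?P<peer_port>\S+) \((?P<remote>\d+)\)")

def parse_mismatch(line):
    """Return port names and both VLAN IDs from the syslog line, or None."""
    m = MISMATCH.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["local"], ev["remote"] = int(ev["local"]), int(ev["remote"])
    return ev

def parse_switchport(text):
    """Turn 'Key: value' lines into a dict; lines without ': ' are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def untagged_vlan(fields):
    """VLAN that untagged frames join: native VLAN on a trunk, else access VLAN.
    Assumption: this is also the VLAN the port reports to its neighbour in CDP."""
    trunk = "trunk" in fields["Operational Mode"]
    key = "Trunking Native Mode VLAN" if trunk else "Access Mode VLAN"
    return int(fields[key].split()[0])

def explain(log_line, switchport_text):
    ev, fields = parse_mismatch(log_line), parse_switchport(switchport_text)
    local = untagged_vlan(fields)
    trunk = "trunk" in fields["Operational Mode"]
    return {"mode": fields["Operational Mode"], "untagged_vlan": local,
            "matches_log": local == ev["local"],
            # On a trunk, differing native VLANs put untagged frames in different VLANs at each end.
            "trunk_native_mismatch": trunk and local != ev["remote"]}

if __name__ == "__main__":
    print(explain(LOG, ACCESS_PORT))
```

For the port in the post this reports untagged VLAN 20, which matches the "(20)" in the log line even though "Trunking Native Mode VLAN" shows 1, because that field only applies when the port is trunking.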
03-16-2009 08:38 AM
Do you really need the following command on fa0/23 ?
switchport access vlan 20
03-16-2009 08:43 AM
Yes, I do, the port should be in Vlan20.
03-16-2009 10:01 AM
Can you post the config for the interface of your router that connects to fa0/23?
John
03-16-2009 10:06 AM
Sure, although nothing special there...
interface FastEthernet0
description To yyyy Fa0/23
duplex full
speed 100
spanning-tree portfast
end
I suppose that spanning-tree portfast isn't really needed at the router; however, it stays the same even if I remove it.
03-16-2009 10:13 AM
Okay,
Under interface F0, see if you have the encapsulation option:
int fa0
encapsulation dot1q 20 native
Take spanning-tree portfast out.
HTH,
John
03-16-2009 10:16 AM
You won't have it because it's only for subinterfaces.
John
03-16-2009 10:17 AM
Try this instead:
int fa0
no ip address
int fa0.20
encapsulation dot1q 20 native
Put your ip address under fa0.20 subinterface, and it *should* work.
HTH,
John
03-16-2009 10:29 AM
There is no IP on that interface.
It looks like Cisco didn't really know what to do with those interfaces on the 851; they are neither layer-2 capable nor layer-3 capable:
xxxx(config-if)#ip address 1.1.1.1 255.0.0.0
% IP addresses may not be configured on L2 links.
xxxxx(config-if)#switch?
% Unrecognized command
Also, no subinterfaces on this one:
xxxxx(config)#int fa0.20
^
% Invalid input detected at '^' marker.
The IP address is configured on BVI1 which is a bridge between VLAN1 & Dot11Radio0.
I attached those interfaces config as well:
interface BVI1
ip address 172.10.1.253 255.255.255.0
ip virtual-reassembly max-reassemblies 64
ip tcp adjust-mss 1435
end
interface Vlan1
no ip address
no ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
end
(Tried removing the bridge-group 1 spanning-disabled as well, didn't help)
Any other thoughts?
Thanks,
Ido.
03-16-2009 10:31 AM
On the 851, can you delete vlan 1, and create a vlan 20 in its place?
03-16-2009 10:49 AM
I can delete interface vlan 1, but can't delete the vlan itself.
Tried to do that with int vlan1: I configured int vlan20 instead, and after putting int vlan20 in the bridge-group instead of vlan1 the router lost connectivity through its LAN interfaces.
It's like Fa0-3 act like a "stupid" switch; however, they are still aware of vlans (I can execute show interfaces switchport, but can't configure them to do anything...). The problem is why they care about native vlan when both sides are configured as access ports.
And even if they were trunk ports, both sides, when the show int switchport command is issued, show that the native vlan is vlan1.
I have on the Catalyst another port (Gi0/2) that is a trunk and has native vlan 20, but I don't see how it should be related. I did attach its configuration; maybe you will see something I didn't:
interface GigabitEthernet0/2
description Lint to zzzzz
switchport trunk native vlan 20
switchport mode trunk
load-interval 30
ip dhcp snooping trust
end
03-16-2009 11:03 AM
You would delete the vlan from:
router# vlan database
That's where you would create your vlan 20 also.
John
03-16-2009 11:05 AM
Can't do that, not in vlan db mode and not from global config:
xxxxxx(vlan)#vlan 20
Vlan can not be added. Maximum number of 1 vlan(s) in the database.
xxxxx(vlan)#no vlan 1
A default VLAN may not be deleted.
03-16-2009 02:34 PM
You're correct. The c850 ISR will not support multiple VLANs nor will it allow Trunking.
On the switch, have you tried making your native VLAN as VLAN 1?
03-16-2009 02:38 PM
What do you mean "on the switch"?
On the port, although set to access mode, by default the native vlan is 1.
How can you set a native vlan "on the switch"?