Switch port trunk Problem - native VLAN

Unanswered Question
Jan 6th, 2010

Hi All,

I have one core switch 4507, Server (10.28.2.172) connected to port gi4/10.

I have enabled trunk on port gi4/10, enabled encapsulation dot1q and allowed vlan's 55,1800

Please find the below running config for interface.

Core#sh run int gi4/10
Building configuration...

Current configuration : 166 bytes
!
interface GigabitEthernet4/10
description RG Test Desktop
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 55,1800
switchport mode trunk
end


The problem is that after doing all the above config, the server is unreachable and the port is showing native VLAN 1, which is admin down.
When I removed the trunk and allowed VLANs, the server was reachable.

Please find the below trunk status:

Core#sh int trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi4/10      on               802.1q         trunking      1
Gi4/27      on               802.1q         trunking      50
Gi4/48      on               802.1q         trunking      50
Gi5/18      on               802.1q         trunking      1
Gi5/19      on               802.1q         trunking      1
Gi5/21      on               802.1q         trunking      1
Gi5/47      on               802.1q         trunking      1
Gi5/48      on               802.1q         trunking      1
Po1         on               802.1q         trunking      50

Port        Vlans allowed on trunk
Gi4/10      55,1800
Gi4/27      1-4094
Gi4/48      1-4094
Gi5/18      20-24
Gi5/19      20-24
Gi5/21      20-24
Gi5/47      20-21,23-24
Gi5/48      20-21,23-24
Po1         1-4094


Experts, can anyone please tell me where I am wrong and what needs to be done to make it work?
However, multiple VLANs (for example VLANs 55 and 1800) should be allowed on that port.


Regards,
Naidu.

glen.grant Wed, 01/06/2010 - 05:11

You have to check and see how the server is set up for trunking. The server end would have to be forced on for trunking and, most importantly, have the native (untagged) VLAN set as 1, as that's how the switchport is set up.

bret Wed, 01/06/2010 - 05:28

If you add the switchport trunk native vlan command to the interface for the VLAN the server is set up for, will it work?

Example:

interface GigabitEthernet4/10
description RG Test Desktop
switchport trunk encapsulation dot1q
switchport trunk native vlan X    ! X = the VLAN your server is set up for
switchport trunk allowed vlan 55,1800
switchport mode trunk

ericn8484_2 Wed, 01/06/2010 - 05:33

Are you trying to trunk to the server? Since you say the server has an IP of 10.28.2.172, it shouldn't be a trunked server. At that point you will want to set up the port to be the following:

interface GigabitEthernet4/10
description RG Test Desktop
switchport access vlan (VLAN#)
switchport mode access
end

Latchum Naidu Wed, 01/06/2010 - 06:38


Hi Bret,

Thank you very much for your reply.

Yes, I am trying to trunk to the Server.

OK, the server is in VLAN 1800, I set the native VLAN as its own VLAN (1800), and it's working fine.

But the real thing is we have a firewall connected to the core switch, with DMZ L3 VLANs (20,21,22,23,24) configured in the firewall and L2 VLANs (20,21,22,23,24) configured in the core switch.

DMZ servers connected to core switch ports (gi5/18, 19, 21)
I enabled trunk and allowed vlans 20,21,22,23,24

Please find the below port configuration:

interface GigabitEthernet5/21
description AAL113 NIC 3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 20-24
switchport mode trunk

The problem is, as in the previous post, it's showing native VLAN 1. So here which VLAN should I assign as the native VLAN, and all VLANs should be allowed.

Regards,

Naidu.

ericn8484_2 Wed, 01/06/2010 - 06:50

My practice has been to set the native VLAN as the VLAN that has the management IP that I want to use. The command to set the native VLAN on the port is "switchport trunk native vlan (VLAN#)". I don't see that in your config.

The native VLAN doesn't make that much difference with which one you choose as long as it's the same on both ends of the connection. It is an important portion of switching, as the switches use the native VLAN to send administrative information back and forth between the switches.

The first task that I would do is set the port up so all VLANs are allowed and ensure that everything works the way you want it to before trying to lock things down to specific VLANs.

bret Wed, 01/06/2010 - 08:28

Your question now can get quite complicated and could draw several answers. First, a drawing of some sort would help you answer this question. From a design standpoint I would not plug my DMZ switches into my cores. I would plug the outside interfaces of my PIX into the DMZs and the inside interfaces of my PIX into my cores. The configuration for the interfaces in this situation would be standard port configurations with no trunking:

int g0/x or int gx/x

switchport mode access

switchport access vlan x

spanning-tree portfast

Hope this helps

Giuseppe Larosa Wed, 01/06/2010 - 16:37

Hello Naidu,

With default settings the native VLAN on the switch side is always 1.

So the "right" configuration is not unique: if the server or firewall is instructed to explicitly tag all vlans of interest you are fine.

If the server/FW wants to use VLAN X as the native VLAN, you need to accommodate this in the switch port configuration, as explained by Bret and the others.

This is open to different possible answers, but a choice has to be made.

For example, our customer is deploying systems with virtual machines and they explicitly tag all VLANs, and the VLANs are fixed in the VMware configuration.

So to have a working configuration the switch has to pass the same set of vlans all tagged.

Hope to help

Giuseppe

Latchum Naidu Wed, 01/06/2010 - 22:35

Hi Giuseppe & Bret,

As Giuseppe said, yes, my customer is deploying systems with VMs and they explicitly tag all VLANs.
I allowed all VLANs on the one port (20,21,22,23,24), but it's showing native VLAN 1, which was shut down and which should not be the case.

Now if I configure VLAN 20 as the native VLAN, will it work, and will all allowed VLANs' traffic get through?

If not, which VLAN should I configure as the native VLAN?

If the server wants to use the native VLAN, then what about the allowed VLANs? Will all traffic go only on the native VLAN?

If I configure the switch port as below, will it work? Will all allowed/tagged VLANs' traffic get through?

interface GigabitEthernet5/21
description AAL113 NIC 3
switchport trunk encapsulation dot1q
switchport trunk native vlan 20
switchport trunk allowed vlan 20-24
switchport mode trunk

Please correct me if I am wrong anywhere.

Regards,
Naidu.

Giuseppe Larosa Thu, 01/07/2010 - 02:09

Hello Naidu,

the native VLAN can also be an unused VLAN on an 802.1Q trunk.

Actually, some security best practices suggest using as the native VLAN a VLAN that is not used at all. There is no strict need for one VLAN to travel untagged on the trunk.

You should be fine with the default configuration with native vlan=1.

Also, when you say VLAN 1 is shut down you are probably referring to the L3 object, the SVI interface vlan1, but this doesn't mean that the L2 object, the broadcast domain VLAN 1, does not exist anymore; it just means there is no L3 IP service on VLAN 1.

The trunk is an OSI layer 2 concept, so it is not affected by the L3 state of VLAN 1 or of any other VLAN; it is just a question of which VLANs are allowed on the trunk and how they are encapsulated (with a VLAN tag or not).

Hope to help

Giuseppe
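The thread's two setups (Gi4/10 with the server's untagged traffic, and the DMZ ports where the VMware host tags every VLAN) come down to one layer-2 rule: an untagged frame is placed in the trunk's native VLAN, a tagged frame in the VLAN of its tag, and either is dropped if that VLAN is not in the allowed list. The following Python model is an added example, not code from the thread or from Cisco; the port names and VLAN numbers come from the posts above, the frames are constructed, and the rules are the generic 802.1Q ones rather than any platform-specific feature.

```python
"""Added example (not from the thread or from Cisco): a small model of how an
802.1Q trunk port classifies incoming frames, used to replay the two setups
discussed in the thread. Port names and VLAN numbers are taken from the posts;
the frames are constructed; the classification rules are the generic 802.1Q
ones, not a model of any particular switch platform."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class TrunkPort:
    name: str
    native_vlan: int    # "switchport trunk native vlan N" (IOS default: 1)
    allowed: Set[int]   # "switchport trunk allowed vlan ..."


@dataclass(frozen=True)
class Frame:
    src: str
    vlan_tag: Optional[int]   # None = untagged, otherwise the 802.1Q VID


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS-style VLAN list such as "20-21,23-24" or "55,1800"."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def ingress_vlan(port: TrunkPort, frame: Frame) -> Optional[int]:
    """Return the VLAN a received frame is switched in, or None if dropped.

    Pure layer-2 decision: an untagged frame belongs to the port's native
    VLAN, a tagged frame to the VID in its tag, and either is dropped when
    that VLAN is not in the trunk's allowed list. Whether the switch has an
    SVI for that VLAN (or has it shut down) plays no part here, which is the
    point Giuseppe makes about VLAN 1.
    """
    vlan = port.native_vlan if frame.vlan_tag is None else frame.vlan_tag
    return vlan if vlan in port.allowed else None


def replay_thread_scenarios() -> Dict[str, Optional[int]]:
    """Run the thread's configurations against frames a server would send."""
    # Original Gi4/10 config: native VLAN left at 1, only 55 and 1800 allowed.
    gi4_10_original = TrunkPort("Gi4/10", 1, parse_vlan_list("55,1800"))
    # Bret's fix: make the server's own VLAN the native VLAN.
    gi4_10_native_1800 = TrunkPort("Gi4/10", 1800, parse_vlan_list("55,1800"))
    # DMZ port Gi5/21: the VMware host tags every VLAN; native VLAN 1 stays unused.
    gi5_21 = TrunkPort("Gi5/21", 1, parse_vlan_list("20-24"))

    untagged_from_server = Frame("10.28.2.172", None)     # server not tagging
    tagged_1800_from_server = Frame("10.28.2.172", 1800)  # server tagging 1800
    tagged_22_from_vm = Frame("vm-host", 22)               # constructed VM frame
    tagged_30_from_vm = Frame("vm-host", 30)               # VLAN not allowed
    untagged_from_vm = Frame("vm-host", None)              # constructed, untagged

    return {
        # Untagged frames land in native VLAN 1, which is not allowed: dropped.
        "original, untagged": ingress_vlan(gi4_10_original, untagged_from_server),
        # Same frames with native VLAN 1800: delivered on VLAN 1800.
        "native 1800, untagged": ingress_vlan(gi4_10_native_1800, untagged_from_server),
        # A server that tags its frames works regardless of the native VLAN.
        "original, tagged 1800": ingress_vlan(gi4_10_original, tagged_1800_from_server),
        # DMZ: tagged 20-24 frames pass; anything else is dropped.
        "dmz, tagged 22": ingress_vlan(gi5_21, tagged_22_from_vm),
        "dmz, tagged 30": ingress_vlan(gi5_21, tagged_30_from_vm),
        # Unused native VLAN: stray untagged frames are dropped rather than
        # silently joining a live VLAN, which is the best practice Giuseppe cites.
        "dmz, untagged": ingress_vlan(gi5_21, untagged_from_vm),
    }


if __name__ == "__main__":
    for scenario, result in replay_thread_scenarios().items():
        label = "dropped" if result is None else f"VLAN {result}"
        print(f"{scenario:24s} -> {label}")
```

The replay shows why the original Gi4/10 configuration failed (the server's untagged frames fell into native VLAN 1, which the allowed list excluded), why Bret's `switchport trunk native vlan 1800` fixed it, and why the DMZ ports need no change when the host tags all of VLANs 20 to 24: with native VLAN 1 left unused and not in the allowed list, only correctly tagged frames are forwarded, and the L3 state of VLAN 1 never enters the decision.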
