Hey guys. I have a question about native vlans. Our Gateway has the configuration listed below. We have two switches, A and B, that have two different native vlans, but the gateway has no native vlan assigned to it. So, what does having 3 different native vlans do to a network? I ask this, because everyone is up and running, but every so often, which is once every couple of days, we get the below "inconsistent vlan" error. Also, switch B has not received the inconsistent vlan error, at least that we can see in the logs.
Also, I must add that there are other "dumb" switches in between. We have no view of them and they just pass the traffic.
Jun 3 14:14:06: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet3/1 VLAN506.
Jun 3 14:14:06: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet3/1 on VLAN0506. Inconsistent local vlan.
Jun 3 14:15:39: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet3/1 on VLAN0506. Port consistency restored.
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 3,506,555
switchport mode trunk
end
Jun 3 14:14:06.945: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet0/1 VLAN506.
Jun 3 14:14:06.945: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0/1 on VLAN0506. Inconsistent local vlan.
Jun 3 14:15:39.463: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet0/1 on VLAN0506. Port consistency restored.
switchport trunk native vlan 998
switchport trunk allowed vlan 3,506
switchport mode trunk
no cdp enable
switchport access vlan 506
switchport trunk native vlan 506
switchport mode trunk
no cdp enable
Thanks for your inputs!
Can you please let us know how or if these 3 switches are interconnected to each other.
show int status
sh interfaces gigabitEthernetx/x switchport
sh interfaces gigabitEthernetx/x trunk
This will help us know more about the design.
If switch C G0/1 is trunked to switch B Gx/x then the trunk is not working correctly because of the native vlan mismatch. What you are seeing is vlan 506 going into a blocked state, and when it does this no traffic for that vlan is traversing the link. On each end of a trunked link the native vlans should match. If you see none configured on the link it will just use vlan 1 as the default and thus it does not show in the config. Just make sure the natives match on each end and this message should go away.
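To go with that reading of the log, here is an added example (my own code, not from the thread or from Cisco) that parses the SPANTREE messages quoted above, pairs each BLOCK_PVID_LOCAL with its UNBLOCK_CONSIST_PORT to show how long VLAN 506 was actually blocked, and collects which native VLAN the far end claimed on each port. The sample log is constructed: it repeats the three lines from the original post and adds one unresolved block on a second port (GigabitEthernet3/2, peer vlan 998) purely to show the open-case path.

```python
import re
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample log: the three SPANTREE lines quoted in the thread plus one
# extra, still-unresolved block on a second port (added here for illustration).
SAMPLE_LOG = """\
Jun 3 14:14:06: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet3/1 VLAN506.
Jun 3 14:14:06: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet3/1 on VLAN0506. Inconsistent local vlan.
Jun 3 14:15:39: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking GigabitEthernet3/1 on VLAN0506. Port consistency restored.
Jun 3 16:02:10: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 998 on GigabitEthernet3/2 VLAN506.
Jun 3 16:02:10: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet3/2 on VLAN0506. Inconsistent local vlan.
"""

# Timestamp (with or without milliseconds), severity-2 SPANTREE mnemonic, message text.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%SPANTREE-2-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
PVID_RE = re.compile(
    r"inconsistent peer vlan id (?P<peer>\d+) on (?P<intf>\S+) VLAN0*(?P<vlan>\d+)\."
)
PORT_RE = re.compile(r"(?:Blocking|Unblocking) (?P<intf>\S+) on VLAN0*(?P<vlan>\d+)\.")


def parse_ts(text: str) -> datetime:
    # IOS omits the year; strptime fills in 1900, which is fine for differences.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def analyze(log_text: str) -> Dict[str, list]:
    """Extract native-VLAN mismatch reports and the block intervals they caused."""
    mismatches: List[dict] = []
    blocks: List[dict] = []
    open_blocks: Dict[tuple, dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, mnemonic, msg = parse_ts(m["ts"]), m["mnemonic"], m["msg"]
        if mnemonic == "RECV_PVID_ERR":
            p = PVID_RE.search(msg)
            if p:
                mismatches.append({"ts": ts, "intf": p["intf"],
                                   "vlan": int(p["vlan"]), "peer_pvid": int(p["peer"])})
        elif mnemonic in ("BLOCK_PVID_LOCAL", "UNBLOCK_CONSIST_PORT"):
            p = PORT_RE.search(msg)
            if not p:
                continue
            key = (p["intf"], int(p["vlan"]))
            if mnemonic == "BLOCK_PVID_LOCAL":
                entry = {"intf": key[0], "vlan": key[1], "start": ts,
                         "end": None, "duration_s": None}
                open_blocks[key] = entry
                blocks.append(entry)
            elif key in open_blocks:
                # Port consistency restored: close the interval and record the outage length.
                entry = open_blocks.pop(key)
                entry["end"] = ts
                entry["duration_s"] = int((ts - entry["start"]).total_seconds())
    return {"mismatches": mismatches, "blocks": blocks}


def peer_native_by_port(result: Dict[str, list]) -> Dict[str, Set[int]]:
    """Native VLAN(s) the far end announced on each local port, to compare with
    the local 'switchport trunk native vlan' setting."""
    out: Dict[str, Set[int]] = {}
    for m in result["mismatches"]:
        out.setdefault(m["intf"], set()).add(m["peer_pvid"])
    return out


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for b in result["blocks"]:
        print(f"{b['intf']} VLAN{b['vlan']} blocked for "
              f"{'unresolved' if b['duration_s'] is None else str(b['duration_s']) + 's'}")
    print("peer native VLAN seen per port:", peer_native_by_port(result))
```

On the quoted lines this reports GigabitEthernet3/1 blocked for 93 seconds with the peer announcing native VLAN 1, which is the concrete check to make against each end's trunk configuration before touching anything else.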
When a vlan is transported across a trunk link it is tagged with its vlan ID so that at the other end of the trunk link the packet is sent to the right vlan.
The native vlan is the only vlan that is not tagged when it is sent across a trunk link. This is why it is important to have both sides of the trunk link agreeing on what the native vlan is, as there is no vlan ID attached to the frame.
The native vlan's primary purpose is to provide backwards compatibility to switches that do not understand vlan tagging.
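As an added illustration of the two points above (this is my own model, not code from the thread or from Cisco), the following builds the bytes an 802.1Q trunk port emits for a given VLAN, then classifies them on the receiving port the way a switch has to: a tagged frame goes to the VID in its tag, an untagged frame can only be assumed to belong to the receiver's own native VLAN, and a frame whose VLAN is not allowed on the receiving trunk is dropped. The three trunk configurations are the ones quoted in the original post (gateway with the default native VLAN 1, switch A with native 998, switch B with native 506); switch B's allowed list is not shown there, so {3, 506} is an assumption, and the fourth port, which allows VLAN 1, is constructed only to show what happens when the untagged frame is accepted on the far side. The MAC addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
DST = bytes.fromhex("ffffffffffff")   # constructed addresses, not from the thread
SRC = bytes.fromhex("001122334455")


@dataclass(frozen=True)
class TrunkPort:
    name: str
    native_vlan: int          # 'switchport trunk native vlan N'; IOS default is 1
    allowed: FrozenSet[int]   # 'switchport trunk allowed vlan ...'


def encapsulate(port: TrunkPort, vlan: int, payload: bytes) -> Optional[bytes]:
    """Bytes a trunk port puts on the wire for a frame belonging to `vlan`.

    Frames in the port's native VLAN leave untagged; every other allowed VLAN
    gets an 802.1Q tag (TPID 0x8100, PCP/DEI 0, 12-bit VID). VLANs outside the
    allowed list are pruned and never sent."""
    if vlan not in port.allowed:
        return None
    if vlan == port.native_vlan:
        return DST + SRC + ETHERTYPE_IPV4.to_bytes(2, "big") + payload
    tci = vlan & 0x0FFF
    return (DST + SRC + ETHERTYPE_8021Q.to_bytes(2, "big")
            + tci.to_bytes(2, "big") + ETHERTYPE_IPV4.to_bytes(2, "big") + payload)


def classify(port: TrunkPort, wire: bytes) -> Optional[int]:
    """VLAN a receiving trunk port assigns to `wire`.

    A tagged frame goes to the VID in its tag. An untagged frame carries no VID
    at all, so the receiver can only assume its *own* native VLAN. Either way the
    frame is dropped if that VLAN is not allowed on the receiving trunk (this is
    the IOS behaviour as I understand it; the model assumes it)."""
    ethertype = int.from_bytes(wire[12:14], "big")
    if ethertype == ETHERTYPE_8021Q:
        vid = int.from_bytes(wire[14:16], "big") & 0x0FFF
    else:
        vid = port.native_vlan
    return vid if vid in port.allowed else None


def deliver(sender: TrunkPort, receiver: TrunkPort, vlan: int,
            payload: bytes = b"\x45" + b"\x00" * 19) -> Optional[int]:
    """VLAN the frame ends up in on the far side, or None if it never arrives."""
    wire = encapsulate(sender, vlan, payload)
    return None if wire is None else classify(receiver, wire)


def native_vlan_effects(a: TrunkPort, b: TrunkPort, vlan: int) -> Dict[str, Optional[int]]:
    """Fate of a frame in `vlan` in each direction across the a<->b trunk."""
    return {f"{a.name}->{b.name}": deliver(a, b, vlan),
            f"{b.name}->{a.name}": deliver(b, a, vlan)}


# The three trunk configurations quoted in the thread (switch B's allowed list assumed).
GATEWAY = TrunkPort("gateway", native_vlan=1, allowed=frozenset({3, 506, 555}))
SWITCH_A = TrunkPort("switchA", native_vlan=998, allowed=frozenset({3, 506}))
SWITCH_B = TrunkPort("switchB", native_vlan=506, allowed=frozenset({3, 506}))
# Constructed peer that allows VLAN 1, to show the untagged frame being merged into it.
PEER_VLAN1 = TrunkPort("peer-allowing-vlan1", native_vlan=1, allowed=frozenset({1, 3, 506}))

if __name__ == "__main__":
    for pair in ((GATEWAY, SWITCH_B), (SWITCH_A, SWITCH_B), (PEER_VLAN1, SWITCH_B)):
        print(native_vlan_effects(*pair, 506))
```

Run against the thread's configurations the model shows VLAN 506 working in only one direction: tagged frames from the gateway or switch A land in VLAN 506 on switch B, but switch B sends VLAN 506 untagged (it is B's native VLAN), and the far end either drops it (native VLAN 1 or 998 not in its allowed list) or, on the constructed peer that does allow VLAN 1, accepts it into VLAN 1. That silent merge of two VLANs is the security reason, beyond the STP blocking, for never letting native VLANs differ across a trunk.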
I have a question regarding Native VLANs:
Recently I had the need for a logical interface addition on a firewall DMZ.
I only needed to allow two vlans across the trunk link. The 3550 switch I was using had a software revision that would not allow a trunk link without having the native vlan allowed on the trunk.
I talked to someone (CCIE) at the time that suggested creating a dummy VLAN (999) and have the trunk use that as its native VLAN.
He said it was to avoid trouble, I seem to remember that he said I might see weird traffic on the trunk if I did not do this.
What would the weird traffic be? If nothing is using VLAN 1, what could get on VLAN 1?
I have used vlan 999 as a dummy vlan for the native vlan as well.
I think he was advising a non-routable dummy vlan for security reasons but I'm not really sure what he meant by weird traffic.
If the native vlan is not vlan 1 CDP/PagP/VTP traffic will still be sent on vlan 1. Not an issue as such as you are connecting to a firewall rather than another switch but you need to be aware that vlan 1 is still in use on a trunk even if you change the native vlan.
1. In the example that I gave, if I am only trunking say VLAN 5, 10 and 999, and I do not see VLAN 1 when I do a "sh int trunk", are you saying I still have VLAN 1 active on the trunk?
2. If the above is true, can you give me an example of why using VLAN 999 is better from a security standpoint, if I still have VLAN 1 on the trunk?
1) Vlan 1 is active but not for user data. It is used internally by the switch to send certain network data, i.e. CDP/PagP/VTP.
2) Using vlan 999 is better because Vlan 1 is the default vlan which all ports are in. It also tends to have a routed L3 interface.
If you use a vlan such as 999 (note it can be any vlan that is not used for anything else) then you can ensure
a) there are no user ports etc. allocated into that vlan
b) It never has a routed interface
Attached is a link to a vlan security paper which addresses the use of vlan 1 and why it is best to have a different management vlan and a different native vlan.
Excellent explanation Jon.
Thank you, and for the link also.
The other guy must have been talking about the possibility of the CDP/PagP/VTP traffic.
This must also be where the security risk is.
The information contained in the above traffic, especially CDP?