Native VLAN mismatch and missing VLAN?
- The combination of `switchport access` and `switchport trunk allowed` makes the `switchport access` configuration a no-op, right? You cannot have a port in access mode and trunk mode unless I am mistaken. Can someone confirm this for me?
Not exactly. Let me break down the configuration:
interface Port-channel1
switchport access vlan 100
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,101,172,192
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
The net result of this configuration is:
- WHEN the port is in access mode:
- it will only pass (untagged) traffic on VLAN 100
- WHEN the port is in trunk mode (≥1 VLAN):
- the port will pass untagged traffic on VLAN 1
- the port will pass tagged traffic on VLAN 100,101,172,192
- HOWEVER note that VLAN 1 is not in the allowed list → no untagged traffic will be allowed to traverse this port
- `switchport mode trunk` → this port will always be in trunk mode
- `switchport nonegotiate` → do not send DTP frames - such frames may get forwarded incorrectly and cause ports on other switches to negotiate to trunks when they're not supposed to.
- you possibly want to add `switchport trunk native vlan 100` if the other end of the link is expecting untagged traffic to be VLAN 100.
- It is my understanding that once you add a port to a Port Channel all of the VLAN and STP configuration is done per Port Channel and not per port. If I create a Port Channel out of Fa 1/10 and Fa 1/11, I configure them as trunks using their assigned Port Channel and not their individual ports (at least this is what I do with ProCurves). Is this correct?
Right, for spanning-tree purposes the aggregated port is a link. To change the port configuration, change the configuration of the aggregated port and it'll propagate to the individual interfaces.
- If the last item is correct that means all of the per-port configuration of Port Channel members is either a no-op or was done prior to that port being made a Port Channel member. Is this a reasonable assumption?
It's not a no-op - they must match or the port will not be allowed to join the aggregation:
May 30 17:11:25.956: %EC-5-CANNOT_BUNDLE2: Gi0/20 is not compatible with Gi0/19 and will be suspended (vlan mask is different)
The switch will complain :)
- How the heck does the traffic from VLAN 100 get across the uplink (I can reach the VMs hosted on the ESXi hosts)? VLAN 100 disappears once it hits the Meraki and the native VLAN tags are different. Things are working but I can't help but feel something is weird with this setup and it would be preferable to push VLAN 100 all the way through to the rest of stack. To make things even stranger VLAN 2 terminates at Port 41 on the Meraki as well, everything else is set to Native VLAN 1.
interface GigabitEthernet1/0/24
description Uplink
switchport access vlan 100
switchport trunk native vlan 2
!
This is a little dangerous - untagged traffic will either be on VLAN 100 or VLAN 2 depending on the mode of the port. You should force mode trunk (`switchport mode trunk`) or at least make the untagged VLANs match.
What happens in this mode (`switchport mode dynamic`) is that the port will come up in access mode but switch to a trunk if it detects any tagged packets. (this is simplified)
It's "convention" to have switch-to-switch (sometimes switch-to-host) links with multiple VLANs (trunks in Cisco parlance) always have native (untagged) VLAN 1.
Defaults are not shown in the configuration. If you're unsure as to the defaults, you can always `sh run all`:
interface Port-channel1
description blch1-sw1
switchport
switchport access vlan 1
switchport trunk native vlan 1
switchport trunk allowed vlan 1-1000,1002-4094
switchport mode trunk
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
no ip arp inspection trust
ip arp inspection limit rate 15 burst interval 1
ip arp inspection limit rate 15
no shutdown
ipv6 mld snooping tcn flood
snmp trap mac-notification change added
snmp trap mac-notification change removed
snmp trap link-status
spanning-tree port-priority 3
spanning-tree cost 3
ip dhcp snooping limit rate 4294967295
no ip dhcp snooping trust
no ip dhcp snooping information option allow-untrusted
vs:
interface Port-channel1
description blch1-sw1
switchport trunk allowed vlan 1-1000,1002-4094
switchport mode trunk
end
Note how `switchport trunk native vlan 1` is not in the second listing. That's the default.
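The rules the answer walks through (access mode → untagged lands on the access VLAN; trunk mode → untagged lands on the native VLAN, default 1, and is dropped if that VLAN is not in the allowed list; `mode dynamic` makes the untagged VLAN depend on what DTP negotiates) can be turned into a small config check. This is an added example, not code from the original post: a minimal model of the IOS commands shown above that parses two interface stanzas and reports the native VLAN mismatch and the DTP exposure on a link. The defaults it assumes are the ones the `sh run all` listing shows, plus `dynamic` as the default mode, as the answer describes for the uplink; it is not a full IOS parser.

```python
import re
# IOS defaults per the answer's "sh run all"; default mode = dynamic as the answer describes (assumption).
DEFAULTS = {"mode": "dynamic", "access": 1, "native": 1, "nonegotiate": False,
            "allowed": set(range(1, 1001)) | set(range(1002, 4095))}

def expand_vlans(spec: str) -> set:
    """'100,101,172,192' or '1-1000,1002-4094' -> set of VLAN IDs."""
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def parse_interface(stanza: str) -> dict:
    """Pick the switchport commands out of one interface stanza; the rest stays at defaults."""
    port = dict(DEFAULTS)
    for line in (l.strip() for l in stanza.splitlines()):
        if m := re.fullmatch(r"switchport mode (trunk|access|dynamic)(?: \w+)?", line):
            port["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            port["access"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            port["native"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line):
            port["allowed"] = expand_vlans(m.group(1))
        elif line == "switchport nonegotiate":
            port["nonegotiate"] = True
    return port

def untagged_vlan(port: dict, op_mode: str):
    """VLAN untagged frames land on in the given operational mode; None = dropped (native not allowed)."""
    if op_mode == "access":
        return port["access"]
    return port["native"] if port["native"] in port["allowed"] else None

def audit_link(a: dict, b: dict) -> list:
    """Findings for one link between two parsed ports, following the answer's rules."""
    findings = []
    for name, p in (("A", a), ("B", b)):
        if p["mode"] == "dynamic":
            findings.append(f"{name}: dynamic mode, untagged is VLAN {untagged_vlan(p, 'access')}"
                            f" (access) or {untagged_vlan(p, 'trunk')} (trunk); force mode trunk")
        elif p["mode"] == "trunk" and not p["nonegotiate"]:
            findings.append(f"{name}: trunk still sends DTP; add switchport nonegotiate")
        if p["mode"] != "access" and untagged_vlan(p, "trunk") is None:
            findings.append(f"{name}: native VLAN {p['native']} not allowed; untagged dropped")
    if untagged_vlan(a, "trunk") != untagged_vlan(b, "trunk"):
        findings.append("native VLAN mismatch across the link")
    return findings

if __name__ == "__main__":  # constructed from the two configs quoted in the answer
    PC1 = "switchport access vlan 100\nswitchport trunk allowed vlan 100,101,172,192\n" \
          "switchport mode trunk\nswitchport nonegotiate"
    UP = "switchport access vlan 100\nswitchport trunk native vlan 2"
    print(*audit_link(parse_interface(PC1), parse_interface(UP)), sep="\n")
```

Run against the Port-channel1 and GigabitEthernet1/0/24 stanzas above it reports the dropped untagged traffic on the trunk (native VLAN 1 not allowed), the mode-dependent untagged VLAN on the uplink, and the mismatch between the two ends.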