Native VLAN mismatch and missing VLAN?

  • The combination of `switchport access` and `switchport trunk allowed` makes the `switchport access` configuration a no-op, right? You cannot have a port in access mode and trunk mode unless I am mistaken. Can someone confirm this for me?

Not exactly. Let me break down the configuration:

interface Port-channel1
    switchport access vlan 100
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 100,101,172,192
    switchport mode trunk
    switchport nonegotiate
    spanning-tree portfast trunk

The net result of this configuration is:

  • WHEN the port is in access mode:
    • it will only pass (untagged) traffic on VLAN 100
  • WHEN the port is in trunk mode (≥1 VLAN):
    • the port will pass untagged traffic on VLAN 1
    • the port will pass tagged traffic on VLAN 100,101,172,192
    • HOWEVER note that VLAN 1 is not in the allowed list → no untagged traffic will be allowed to traverse this port
    • switchport mode trunk → this port will always be in trunk mode
    • switchport nonegotiate → do not send DTP frames - such frames may get forwarded incorrectly and cause ports on other switches to negotiate to trunks when they're not supposed to.
    • you possibly want to add: switchport trunk native vlan 100 if the other end of the link is expecting untagged traffic to be VLAN 100.

  • It is my understanding that once you add a port to a Port Channel all of the VLAN and STP configuration is done per Port Channel and not per port. If I create a Port Channel out of Fa 1/10 and Fa 1/11, I configure them as trunks using their assigned Port Channel and not their individual ports (at least this is what I do with ProCurves). Is this correct?

Right, for spanning-tree purposes the aggregated port is a link. To change the port configuration, change the configuration of the aggregated port and it'll propagate to the individual interfaces.

  • If the last item is correct that means all of the per-port configuration of Port Channel members is either a no-op or was done prior to that port being made a Port Channel member. Is this a reasonable assumption?

It's not a no-op - they must match or the port will not be allowed to join the aggregation:

May 30 17:11:25.956: %EC-5-CANNOT_BUNDLE2: Gi0/20 is not compatible with Gi0/19 and will be suspended (vlan mask is different)

The switch will complain :)

  • How the heck does the traffic from VLAN 100 get across the uplink (I can reach the VMs hosted on the ESXi hosts)? VLAN 100 disappears once it hits the Meraki and the native VLAN tags are different. Things are working but I can't help but feel something is weird with this setup and it would be preferable to push VLAN 100 all the way through to the rest of the stack. To make things even stranger VLAN 2 terminates at Port 41 on the Meraki as well, everything else is set to Native VLAN 1.

    interface GigabitEthernet1/0/24
     description Uplink
     switchport access vlan 100
     switchport trunk native vlan 2
    !

This is a little dangerous - untagged traffic will either be on VLAN 100 or VLAN 2 depending on the mode of the port. You should force mode trunk (switchport mode trunk) or at least make the untagged VLANs match.

What happens in this mode (switchport mode dynamic) is that the port will come up in access mode but switch to a trunk if it detects any tagged packets. (this is simplified)

It's "convention" to have switch-to-switch (sometimes switch-to-host) links with multiple VLANs (trunks in Cisco parlance) always have native (untagged) VLAN 1.

Defaults are not shown in the configuration. If you're unsure as to the defaults, you can always sh run all:

interface Port-channel1
 description blch1-sw1
 switchport
 switchport access vlan 1
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-1000,1002-4094
 switchport mode trunk
 no switchport nonegotiate
 no switchport protected
 no switchport block multicast
 no switchport block unicast
 no ip arp inspection trust
 ip arp inspection limit rate 15 burst interval 1
 ip arp inspection limit rate 15
 no shutdown
 ipv6 mld snooping tcn flood
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 snmp trap link-status
 spanning-tree port-priority 3
 spanning-tree cost 3
 ip dhcp snooping limit rate 4294967295
 no ip dhcp snooping trust
 no ip dhcp snooping information option allow-untrusted

vs:

interface Port-channel1
 description blch1-sw1
 switchport trunk allowed vlan 1-1000,1002-4094
 switchport mode trunk
end

Note how switchport trunk native vlan 1 is not in the second listing. That's the default.
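The two untagged-traffic pitfalls discussed in this answer (a native VLAN missing from a trunk's allowed list, and a dynamic-mode port whose access VLAN and trunk native VLAN differ) can be checked mechanically. The following audit script is an added example, not code from the post or from Cisco; it parses a `show run`-style text, applies the `sh run all` defaults shown above, and flags both conditions. The sample configuration embedded in it is constructed for the example.

```python
import re

# Constructed sample (not from the post) containing both pitfalls the answer describes.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport access vlan 100
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
interface GigabitEthernet1/0/24
 switchport access vlan 100
 switchport trunk native vlan 2
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '100,101,172,192' or '1-1000,1002-4094'."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

# Pattern -> (setting, converter) for the switchport lines this audit cares about.
SETTERS = {
    r" switchport access vlan (\d+)": ("access", int),
    r" switchport trunk native vlan (\d+)": ("native", int),
    r" switchport trunk allowed vlan (\S+)": ("allowed", expand_vlans),
    r" switchport mode (\w+)": ("mode", str),
}

def parse_interfaces(text):
    """Map each interface to its settings, starting from the 'sh run all' defaults."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]  # defaults: VLAN 1 untagged, all VLANs allowed, DTP on
            ifaces[cur] = {"access": 1, "native": 1, "mode": "dynamic", "allowed": expand_vlans("1-1000,1002-4094")}
        elif cur:
            for pattern, (key, conv) in SETTERS.items():
                if m := re.match(pattern, line):
                    ifaces[cur][key] = conv(m.group(1))
    return ifaces

def audit(ifaces):
    """Return (interface, problem) pairs for the two untagged-traffic pitfalls described above."""
    findings = []
    for name, c in ifaces.items():
        if c["mode"] == "trunk" and c["native"] not in c["allowed"]:
            findings.append((name, f"native VLAN {c['native']} missing from allowed list: untagged frames dropped"))
        elif c["mode"] == "dynamic" and c["access"] != c["native"]:
            findings.append((name, f"untagged frames land on VLAN {c['access']} (access) or {c['native']} (trunk) depending on negotiated mode"))
    return findings
```

Run `audit(parse_interfaces(SAMPLE_CONFIG))` to see one finding per sample interface; a port with `switchport mode trunk` and a native VLAN inside its allowed list produces none.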