Native VLAN mismatch and missing VLAN?

Question

I'm trying to wrap my head around what exactly is going on here with a new site's configuration of their networking stack. This particular piece I am working is pretty simple but I having a hard time figuring out what the original intention was. There is a Cisco Catalyst 3750x with three Port Channels (each with four interfaces a piece) going to three ESXi hosts. The Catalyst is connected to the rest of the network via a Meraki MS42 via a single interface (no Port Channel). VLAN 100 carries the networking traffic, the other VLANs are dedicated to things like vMotion or isolated networks. I think a large part of my difficulty here is I don't speak Cisco-ese.

The Setup

Network Stack

Port-Channel 1

interface Port-channel1
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk

interface GigabitEthernet1/0/1
 description ESX1
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 description ESX1
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/3
 description ESX1
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 1 mode on

Port-Channel 2 (I'm leaving out Port-Channel 3 since it is identical in configuration to Port-Channel 2)

interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/5
 description ESX2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/6
 description ESX2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/7
 description ESX2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/8
 description ESX2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on

Uplink Ports

On the Catalyst:

interface GigabitEthernet1/0/24
 description Uplink
 switchport access vlan 100
 switchport trunk native vlan 2
!

On the Meraki:

Trunk port using native VLAN 1; allowed VLANs: all

The Question/s

The combination of switchport access and switch port trunk allowed makes the switchport access configuration a no-op, right? You cannot have a port in access mode and trunk mode unless I am mistaken. Can someone confirm this for me?
It is my understanding that once you add a port to Port Channel all of the VLAN an STP configuration is done per Port Channel and not per port. If I create a Port Channel out of Fa 1/10 and Fa 1/11, I configure them as trunks using their assigned Port Channel and not their individual ports (at least this is what I do with ProCurves). Is this correct?
If the last item is correct that means all of the per-port configuration of Port Channel members is either a no-op or was done prior to that port being made a Port Channel member. Is this a reasonable assumption?
How the heck does the traffic from VLAN 100 get across the uplink (I can reach the VMs hosted on the ESXi hosts)? VLAN 100 disappears once it hits the Meraki and the native VLAN tags are different. Things are working but I can't help but feel something is weird with this setup and it would be preferable to push VLAN 100 all the way through to the rest of stack. To make things even stranger VLAN 2 terminates at Port 41 on the Meraki as well, everything else is set to Native VLAN 1.

Moving forward I am inclined to abandon VLAN 100 or reconfigure the rest of our stack so that the subnet that rides on VLAN 100 doesn't use multiple VLANs (100 and 1) and resolve the Native VLAN tag mismatch on the uplink (Port 41 -- Gi 1/0/24). Thoughts on this plan?

MikeyB · Accepted Answer · 2014-06-23T13:43:54.270

The combination of switchport access and switch port trunk allowedmakes theswitchport access` configuration a no-op, right? You cannot have a port in access mode and trunk mode unless I am mistaken. Can someone confirm this for me?

Not exactly. Let me break down the configuration:

interface Port-channel1
    switchport access vlan 100
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 100,101,172,192
    switchport mode trunk
    switchport nonegotiate
    spanning-tree portfast trunk

The net result of this configuration is:

WHEN the port is in access mode:
- it will only pass (untagged) traffic on VLAN 100
WHEN the port is in trunk mode (≥1 VLAN):
- the port will pass untagged traffic on VLAN 1
- the port will pass tagged traffic on VLAN 100,101,172,192
- HOWEVER note that VLAN 1 is not in the allowed list → no untagged traffic will be allowed to traverse this port
- switchport mode trunk → this port will always be in trunk mode
- switchport nonegotiate → do not send DTP frames - such frames may get forwarded incorrectly and cause ports on other switches to negotiate to trunks when they're not supposed to.
- you possibly want to add: switchport trunk native vlan 100 if the other end of the link is expecting untagged traffic to be VLAN 100.

It is my understanding that once you add a port to Port Channel all of the VLAN an STP configuration is done per Port Channel and not per port. If I create a Port Channel out of Fa 1/10 and Fa 1/11, I configure them as trunks using their assigned Port Channel and not their individual ports (at least this is what I do with ProCurves). Is this correct?

Right, for spanning-tree purposes the aggregated port is a link. To change the port configuration, change the configuration of the aggregated port and it'll propagate to the individual interfaces.

If the last item is correct that means all of the per-port configuration of Port Channel members is either a no-op or was done prior to that port being made a Port Channel member. Is this a reasonable assumption?

It's not a no-op - they must match or the port will not be allowed to join the aggregation:

May 30 17:11:25.956: %EC-5-CANNOT_BUNDLE2: Gi0/20 is not compatible with Gi0/19 and will be suspended (vlan mask is different)

The switch will complain :)

How the heck does the traffic from VLAN 100 get across the uplink (I can reach the VMs hosted on the ESXi hosts)? VLAN 100 disappears once it hits the Meraki and the native VLAN tags are different. Things are working but I can't help but feel something is weird with this setup and it would be preferable to push VLAN 100 all the way through to the rest of stack. To make things even stranger VLAN 2 terminates at Port 41 on the Meraki as well, everything else is set to Native VLAN 1.

interface GigabitEthernet1/0/24
 description Uplink
 switchport access vlan 100
 switchport trunk native vlan 2
!

This is a little dangerous - untagged traffic will either be on VLAN 100 or VLAN 2 depending on the mode of the port. You should force mode trunk (switchport mode trunk) or at least make the untagged VLANs match.

What happens in this mode (switchport mode dynamic) is that the port will come up in access mode but switch to a trunk if it detects any tagged packets. (this is simplified)

It's "convention" to have switch-to-switch (sometimes switch-to-host) links with multiple VLANs (trunks in Cisco parlance) always have native (untagged) VLAN 1.

Defaults are not shown in the configuration. If you're unsure as to the defaults, you can always sh run all:

interface Port-channel1
 description blch1-sw1
 switchport
 switchport access vlan 1
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-1000,1002-4094
 switchport mode trunk
 no switchport nonegotiate
 no switchport protected
 no switchport block multicast
 no switchport block unicast
 no ip arp inspection trust
 ip arp inspection limit rate 15 burst interval 1
 ip arp inspection limit rate 15
 no shutdown
 ipv6 mld snooping tcn flood
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 snmp trap link-status
 spanning-tree port-priority 3
 spanning-tree cost 3
 ip dhcp snooping limit rate 4294967295
 no ip dhcp snooping trust
 no ip dhcp snooping information option allow-untrusted

vs:

interface Port-channel1
 description blch1-sw1
 switchport trunk allowed vlan 1-1000,1002-4094
 switchport mode trunk
end

Note how switchport trunk native vlan 1 is not in the second listing. That's the default.

score -2 · Answer 2 · answered May 27 '14 at 22:08

I think this is what you want for Channel2

interface Port-channel2
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk

interface GigabitEthernet1/0/4
 description ESX2
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/5
 description ESX2
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/6
 description ESX2
 switchport access vlan 100
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101,172,192
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
 channel-group 2 mode on

score -2 · Answer 3 · answered May 28 '14 at 18:16

Eitherchannel Ports.

Any changes to the port channel affect the bundle of ports
Any changes to individual ports affect the port only
Looks like you were handed a mess to clean up... :D

I think you would want to clear most of the configuration in the ports and just have something simple like:

interface Port-channel2
no ip address 
switchport
switchport access vlan 100


interface GigabitEthernet1/0/6
description ESX2
channel-group 2 mode on

Seems to me that the only trunk you need is in between the two switchs.

Native vlan on cisco switch:

int GigabitEthernet1/0/24
no switchport access vlan 100
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 1

The trunks are required on ESX links for hypervisor traffic ( eg. vmotion ), and will be configured as such on the ESX hosts, so removing them from the swtich will cause problems. — CGretski, Jan 29 '18 at 13:06

Native VLAN mismatch and missing VLAN?

The Setup

The Question/s

3 Answers3