
Why won't switches pass traffic?

Sanis4life Banned Posts: 60
Hey folks. I figured I would drop a question in here for people that like troubleshooting. We had a situation at work where we were trunking two switches. The downlink switch was not passing traffic correctly. Both switches were up and up. The downlink switch's data packet output was high, but packet input was very low. In fact, the packet input matched exactly what the broadcasts were. None of the computers were picking up an IP, nor could the default gateway be pinged.

You can assume everything globally is configured correctly.



What could it be!!!!??

Comments

    Netstudent Member Posts: 1,693
    Maybe a VLAN to IP subnet mismatch; perhaps a VLAN was disallowed from the trunk when it shouldn't have been. Could have been a duplex mismatch, or maybe a native VLAN mismatch (you would have gotten a no-no message if that happened though).

    Could both sides have been configured as auto?

    Was VTP involved?

    A "show interface fa?/? trunk" on both link partners would help.
    That's almost like going to the Off Topic forum and posting "Why can't I renew my IP?"
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
    Sanis4life Banned Posts: 60
    Well, you already answered it, but here is the config on one of the trunk ports. The other one goes through someone else's services.

    interface GigabitEthernet3/5
    description Uplink
    switchport trunk native vlan 515
    switchport trunk allowed vlan 3,515
    switchport mode trunk
    no cdp enable
    end


    Now, another question is why would the native VLAN command be used? I don't see any reason someone would want to untag a VLAN.
    nice343 Member Posts: 391
    Sanis4life wrote:
    Well, you already answered it, but here is the config on one of the trunk ports. The other one goes through someone else's services.

    interface GigabitEthernet3/5
    description Uplink
    switchport trunk native vlan 515
    switchport trunk allowed vlan 3,515
    switchport mode trunk
    no cdp enable
    end


    Now, another question is why would the native VLAN command be used? I don't see any reason someone would want to untag a VLAN.

    The native VLAN is used when there is voice on the network. The native VLAN untags the data network so that the voice network will be tagged, since that is the most important traffic.

    Have you tried typing
    switchport trunk encapsulation dot1q
    
    My daily blog about IT and tech stuff
    http://techintuition.com/
    Netstudent Member Posts: 1,693
    Yes, that's one application of its use. There are others I can think of. One big one is security. Most networking people and hackers know about open standard technologies. Therefore they know how VLANs work and that dot1q uses VLAN 1 by default as a tagless frame. This can be exploited by a VLAN hopping attack if you leave your native VLAN as 1 and the attacker's VLAN is 1. So another reason would be to ensure security in the network by not using VLAN 1 for normal voice and data applications.

    http://www.techexams.net/forums/viewtopic.php?t=26144

    But dot1Q by nature has a native VLAN. You don't have to use a native VLAN at all. It may reduce some overhead on a data stream, by not inserting that 4-byte tag between the source and EtherType fields, but the tradeoff is security and no priority bits. In smaller networks, I don't think it would be a big deal to use a tagless VLAN, although I could be wrong on that. You never know where a hacker might sneak in.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
    networker050184 Mod Posts: 11,962
    nice343 wrote:
    the native vlan is used when there is voice on the network. The native Vlan untags the data network so that the voice network will be tagged since that is the most important traffic.

    This is not the case with trunks between switches. I think you are confused with the special 802.1p trunk formed on a switch port configured for a voice and access vlan. The native vlan is usually pruned for security reasons.
    An expert is a man who has made all the mistakes which can be made.
    Sanis4life Banned Posts: 60
    Netstudent wrote:
    Yes, that's one application of its use. There are others I can think of. One big one is security. Most networking people and hackers know about open standard technologies. Therefore they know how VLANs work and that dot1q uses VLAN 1 by default as a tagless frame. This can be exploited by a VLAN hopping attack if you leave your native VLAN as 1 and the attacker's VLAN is 1. So another reason would be to ensure security in the network by not using VLAN 1 for normal voice and data applications.

    http://www.techexams.net/forums/viewtopic.php?t=26144

    But dot1Q by nature has a native VLAN. You don't have to use a native VLAN at all. It may reduce some overhead on a data stream, by not inserting that 4-byte tag between the source and EtherType fields, but the tradeoff is security and no priority bits. In smaller networks, I don't think it would be a big deal to use a tagless VLAN, although I could be wrong on that. You never know where a hacker might sneak in.

    This is a good example as to why it could be used, but if a native VLAN is used and you have multiple VLANs going through a trunk port, how will data that is destined for VLAN 515, in this case, find its way if it is not tagged with VLAN information?
    dtlokee Member Posts: 2,378
    Because the native VLAN needs to match on both sides of the trunk, so if VLAN 515 is untagged, the other end receives it and sees that there is no tag (because the EtherType is unchanged) and will assign the frame to VLAN 515.
    The only easy day was yesterday!
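    The two mechanisms discussed above, dtlokee's point that an untagged frame is assigned to whatever native VLAN the receiving trunk is configured with (so both ends must agree) and Netstudent's earlier point that a native VLAN of 1 shared with an attacker's access port allows VLAN hopping, as a worked byte-level model. This is an added example by the editor, not code from anyone in the thread or from Cisco; the MAC addresses, payloads, VLAN 999, and the assumption that an access port accepts a frame tagged with its own VLAN (the behaviour double tagging relies on) are the editor's, while VLANs 3 and 515 come from the posted config.

```python
"""802.1Q tagging, native-VLAN classification and double-tagging VLAN hopping,
modelled on real frame bytes. Added example; MACs, payloads and VLAN 999 are
constructed for illustration."""
import struct

TPID_8021Q = 0x8100
ETH_IP = 0x0800
ATTACKER = bytes.fromhex("02aa000000aa")   # constructed locally administered MACs
VICTIM = bytes.fromhex("02bb000000bb")
BCAST = b"\xff" * 6


def build_frame(dst, src, ethertype, payload, vid=None):
    """Build an Ethernet frame, inserting an 802.1Q tag with VID `vid` if given."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def outer_vid(frame):
    """VID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def strip_tag(frame):
    """Remove the outermost tag; caller has already checked one is present."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag directly after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


class TrunkPort:
    """dot1q trunk: untagged frames belong to the native VLAN, tagged frames to
    their VID; anything outside the allowed list is dropped."""
    def __init__(self, native, allowed):
        self.native, self.allowed = native, set(allowed)

    def ingress(self, frame):
        """Classify an arriving frame -> (vlan, frame minus outer tag) or None."""
        vid = outer_vid(frame)
        vlan, frame = (self.native, frame) if vid is None else (vid, strip_tag(frame))
        return (vlan, frame) if vlan in self.allowed else None

    def egress(self, vlan, frame):
        """Native VLAN leaves untagged, every other allowed VLAN gets a tag."""
        if vlan not in self.allowed:
            return None
        return frame if vlan == self.native else push_tag(frame, vlan)


class AccessPort:
    """Access port. Assumption: a frame tagged with the port's own VLAN is
    accepted as if it were untagged."""
    def __init__(self, vlan):
        self.vlan = vlan

    def ingress(self, frame):
        vid = outer_vid(frame)
        if vid is None:
            return self.vlan, frame
        return (self.vlan, strip_tag(frame)) if vid == self.vlan else None


def cross_trunk(sender, receiver, vlan, frame):
    """Forward a frame already in `vlan` on switch A over the trunk to switch B
    and return the VLAN switch B puts it in (None if dropped either side)."""
    wire = sender.egress(vlan, frame)
    hit = None if wire is None else receiver.ingress(wire)
    return None if hit is None else hit[0]


def native_vlan_demo(native_a, native_b):
    """Switch A sends a VLAN 515 broadcast to switch B; where does it land?"""
    a = TrunkPort(native_a, {3, 515})
    b = TrunkPort(native_b, {3, 515, native_b})
    frame = build_frame(BCAST, VICTIM, ETH_IP, b"DHCP discover (constructed)")
    return cross_trunk(a, b, 515, frame)


def double_tag_demo(native_vlan, attacker_vlan=1):
    """Attacker on an access port in `attacker_vlan` sends outer tag =
    attacker_vlan, inner tag = 515; return the VLAN the frame reaches on B."""
    access = AccessPort(attacker_vlan)
    a = TrunkPort(native_vlan, {attacker_vlan, 515, native_vlan})
    b = TrunkPort(native_vlan, {attacker_vlan, 515, native_vlan})
    inner = build_frame(VICTIM, ATTACKER, ETH_IP, b"hop attempt", vid=515)
    hit = access.ingress(push_tag(inner, attacker_vlan))  # outer tag consumed here
    if hit is None:
        return None
    vlan, frame = hit                 # frame still carries the inner 515 tag
    return cross_trunk(a, b, vlan, frame)


if __name__ == "__main__":
    print("native 515/515 ->", native_vlan_demo(515, 515))  # 515
    print("native 515/1   ->", native_vlan_demo(515, 1))    # 1, wrong VLAN on B
    print("hop, native 1  ->", double_tag_demo(1))          # 515, attack works
    print("hop, native 999->", double_tag_demo(999))        # 1, attack fails
```

    The mismatch case is the thread's outage in miniature: switch A strips the tag from VLAN 515 because 515 is its native VLAN, switch B sees an untagged frame and files it under its own native VLAN, so the hosts behind B never see the DHCP offers or the gateway. The double-tagging case shows why Netstudent and networker050184 want the native VLAN kept off VLAN 1 and off any access port: with the native VLAN set to an unused value like 999, the attacker's frame leaves switch A tagged with 1, switch B classifies it into VLAN 1, and the inner 515 tag is never looked at.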
    Sanis4life Banned Posts: 60
    dtlokee wrote:
    Because the native VLAN needs to match on both sides of the trunk, so if VLAN 515 is untagged, the other end receives it and sees that there is no tag (because the EtherType is unchanged) and will assign the frame to VLAN 515.

    Ah. So the "switchport trunk native vlan 515" command must be on both sides of the trunk lines in order for untagged traffic to know where to go. Cool. Thanks!

    Edit:
    I found a link on the cisco boards that gave an excellent discussion of native vlans.

    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbed45c