
Understanding Conditions of NATIVE VLAN MISMATCH

Danielh22185 Member Posts: 1,195
Okay so this is perfect for my switch studies however I am just starting to touch on trunking stuff and thought this would be a good knowledge reinforcer.

At work I have an access switch that reported this NATIVE VLAN MISMATCH alarm:

Switch A syslog event:
Apr 2 15:40:29 GMT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet5/20 (106), with [Switch_B] FastEthernet9/3 (103).

So the way I understand this I hope...

It seems that Switch A port gi5/20 tried to establish a trunk with Switch B's fa9/3 port.

BPDU Guard is also enabled so Switch A's gi5/20 port immediately err-disabled:

[Switch A]#show interfaces status err-disabled
Port Name Status Reason Err-disabled Vlans
Gi5/20 PC- Usuario err-disabled bpduguard

I fully understand why the port disabled (because it saw a switch on the other side and this port is not configured to be a trunk):
[Switch A]#sh run int gi5/20
Building configuration...

Current configuration: 363 bytes
!
interface GigabitEthernet5/20
description PC- Usuario
switchport access vlan 106
switchport mode access
switchport voice vlan 202
switchport port-security maximum 5
switchport port-security
switchport port-security aging time 5
no snmp trap link-status
storm-control broadcast level 25.00
storm-control action shutdown
service-policy output DBL
end

So what I am trying to understand is the syslog message and what it essentially is saying. What I kind of do not understand is the NATIVE VLAN reference.

I'm guessing at this point but here are my thoughts:

Switch A's gi5/20 port is configured to be in VLAN 106 as an access port. Does this mean that, for this port, this is considered the port's native VLAN?

It is an access port so it's not currently trunking so it cannot see multiple vlan frames running across the link. So, since gi5/20 also saw the vlan of 103 from the other end switch (switch B) it disabled the port because these two vlans do not match and MUST be the same when considering access ports.


Also here is the config of the far side switch port (Switch B):


[Switch B]#sh run int fa9/3
Building configuration...

Current configuration: 444 bytes
!
interface FastEthernet9/3
switchport
switchport access vlan 103
switchport mode access
switchport voice vlan 212
wrr-queue cos-map 1 1 1
wrr-queue cos-map 2 1 0
wrr-queue cos-map 3 1 2
wrr-queue cos-map 3 2 3
wrr-queue cos-map 3 3 6
wrr-queue cos-map 3 4 7
priority-queue cos-map 1 4 5
rcv-queue cos-map 1 3 6
no snmp trap link-status
mls qos vlan-based
spanning-tree portfast edge
spanning-tree bpduguard enable
end

Thanks ahead of time!
Currently Studying: IE Stuff...kinda...for now...
My ultimate career goal: To climb to the top of the computer network industry food chain.
"Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi

Comments

    fredrikjj Member Posts: 879
    Switch A's gi5/20 port is configured to be in VLAN 106 as an access port. Does this mean that, for this port, this is considered the port's native VLAN?

    Yes, essentially that's true.
    It is an access port so it's not currently trunking so it cannot see multiple vlan frames running across the link.

    An access port will simply discard incoming tagged frames.
    So, since gi5/20 also saw the vlan of 103 from the other end switch (switch B) it disabled the port because these two vlans do not match and MUST be the same when considering access ports.

    No, two connected access ports do not have to be configured with the same vlan. However, the respective broadcast domains will leak into one another and that's probably not what you want most of the time.

    PS.
    Basically, native vlan mismatch is about warning you about potentially weird behaviour through broadcast domain leakage and the fact that per-vlan STP requires matching native vlans.
    Danielh22185 Member Posts: 1,195
    fredrikjj wrote: »
    Yes, essentially that's true.
    An access port will simply discard incoming tagged frames.
    No, two connected access ports do not have to be configured with the same vlan. However, the respective broadcast domains will leak into one another and that's probably not what you want most of the time.

    Thanks for your response. So essentially what does the syslog message mean / refer to?

    Because it is an access port it sees the incoming tagged frames and it throws up the NATIVE VLAN MISMATCH error?
    fredrikjj Member Posts: 879
    There are multiple moving parts here actually.

    1) CDPv2 error message. That's this thing: Apr 2 15:40:29 GMT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet5/20 (106), with [Switch_B] FastEthernet9/3 (103).
    Because it is an access port it sees the incoming tagged frames and it throws up the NATIVE VLAN MISMATCH error?

    Switch A sees that the native vlan field of the received CDP message is 103 and the local access port is configured with vlan 106. By itself this doesn't do anything but give this syslog message as far as I know because mismatched native vlans is a (in rare cases) legitimate design.

    2) BPDU Guard error disabling the port.
    BPDU Guard is also enabled so Switch A's gi5/20 port immediately err-disabled:

    [Switch A]#show interfaces status err-disabled
    Port Name Status Reason Err-disabled Vlans
    Gi5/20 PC- Usuario err-disabled bpduguard

    I fully understand why the port disabled (because it saw a switch on the other side and this port is not configured to be a trunk):

    This has nothing to do with the port being a trunk or access port. The port received a BPDU (spanning tree control message), and the entire purpose of BPDU guard is to shut down ports that receive these messages.

    3) The final issue is spanning tree considering the port to be inconsistent because the native vlans don't match. I don't know if that even triggered since bpduguard shut it down.
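A small detection script for the two events discussed in this thread, added here as an example; it is not from the original post and not Cisco code. It parses the %CDP-4-NATIVE_VLAN_MISMATCH syslog line and the "show interfaces status err-disabled" output quoted above and reports, for each mismatch, whether err-disable (here BPDU guard) took the port down or whether the link is still up and bridging two differently numbered VLANs, which is the broadcast-domain leakage fredrikjj describes. The %LINK-3-UPDOWN line, the second mismatch line, the Switch_C neighbor and GigabitEthernet5/21 are constructed inputs that do not appear in the post, and the interface abbreviation table is an assumption covering common IOS names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IOS message format as quoted in the thread:
#   %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on
#   GigabitEthernet5/20 (106), with [Switch_B] FastEthernet9/3 (103).
# The neighbor name is captured as one token so it works with or without
# the square brackets the poster used around it.
MISMATCH_RE = re.compile(
    r"%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    r"(?P<local_if>\S+) \((?P<local_vlan>\d+)\), with "
    r"(?P<neighbor>\S+) (?P<remote_if>\S+) \((?P<remote_vlan>\d+)\)"
)

# One row of 'show interfaces status err-disabled':
#   Gi5/20 PC- Usuario err-disabled bpduguard
ERRDISABLE_RE = re.compile(r"^(?P<port>\S+)\s+.*?\berr-disabled\s+(?P<reason>\S+)")

# Long CDP interface names -> short form used by 'show interfaces status'
# (assumed table, covers the common IOS interface types).
IF_ABBREV = {
    "GigabitEthernet": "Gi",
    "FastEthernet": "Fa",
    "TenGigabitEthernet": "Te",
    "Ethernet": "Et",
    "Port-channel": "Po",
}


@dataclass(frozen=True)
class NativeVlanMismatch:
    local_if: str
    local_vlan: int
    neighbor: str
    remote_if: str
    remote_vlan: int


def short_ifname(name: str) -> str:
    """GigabitEthernet5/20 -> Gi5/20; names already short come back unchanged."""
    m = re.match(r"^([A-Za-z-]+?)(\d[\d/.]*)$", name)
    if not m:
        return name
    prefix, number = m.group(1), m.group(2)
    return IF_ABBREV.get(prefix, prefix[:2]) + number


def parse_mismatch(line: str) -> Optional[NativeVlanMismatch]:
    """Return the parsed mismatch for a syslog line, or None for any other message."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    return NativeVlanMismatch(
        local_if=m["local_if"],
        local_vlan=int(m["local_vlan"]),
        neighbor=m["neighbor"].strip("[]"),
        remote_if=m["remote_if"],
        remote_vlan=int(m["remote_vlan"]),
    )


def parse_errdisabled(output: str) -> Dict[str, str]:
    """Map short port name -> err-disable reason from 'show interfaces status err-disabled'."""
    reasons: Dict[str, str] = {}
    for raw in output.splitlines():
        m = ERRDISABLE_RE.match(raw.strip())
        if m and m["port"] != "Port":  # skip the column header row
            reasons[m["port"]] = m["reason"]
    return reasons


def assess(syslog_lines: List[str], errdisabled_output: str
           ) -> List[Tuple[NativeVlanMismatch, Optional[str], str]]:
    """For every mismatch, report whether err-disable took the local port down.

    A mismatch whose local port is still up means two differently numbered
    broadcast domains are bridged across that link; a port that err-disabled
    is down, so nothing is bridged until it is recovered.
    """
    reasons = parse_errdisabled(errdisabled_output)
    findings = []
    for line in syslog_lines:
        mm = parse_mismatch(line)
        if mm is None:
            continue
        reason = reasons.get(short_ifname(mm.local_if))
        if reason is not None:
            verdict = f"{mm.local_if} err-disabled ({reason}): link down, VLANs not bridged"
        else:
            verdict = (f"{mm.local_if} still up: VLAN {mm.local_vlan} and VLAN "
                       f"{mm.remote_vlan} ({mm.neighbor} {mm.remote_if}) are bridged")
        findings.append((mm, reason, verdict))
    return findings


# Sample input. The first syslog line and the err-disabled table are the ones
# quoted in the thread; the other two syslog lines are constructed for this
# example (Switch_C and GigabitEthernet5/21 do not appear in the post).
SAMPLE_SYSLOG = [
    "Apr 2 15:40:29 GMT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    "GigabitEthernet5/20 (106), with [Switch_B] FastEthernet9/3 (103).",
    "Apr 2 15:40:30 GMT: %LINK-3-UPDOWN: Interface GigabitEthernet5/20, changed state to down",
    "Apr 2 15:41:02 GMT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
    "GigabitEthernet5/21 (106), with Switch_C GigabitEthernet0/1 (1).",
]
SAMPLE_ERRDISABLED = """\
Port Name Status Reason Err-disabled Vlans
Gi5/20 PC- Usuario err-disabled bpduguard
"""

if __name__ == "__main__":
    for _, _, verdict in assess(SAMPLE_SYSLOG, SAMPLE_ERRDISABLED):
        print(verdict)
```

Run it as-is to see the two verdicts; in practice you would feed it the switch's syslog stream and the err-disabled table collected at the same time, since a mismatch on a port that is still up/up is the case worth paging on, while one that BPDU guard already shut down is just a cabling or configuration error to clean up.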
    Danielh22185 Member Posts: 1,195
    fredrikjj wrote: »
    There are multiple moving parts here actually.
    1) CDPv2 error message. That's this thing: Apr 2 15:40:29 GMT: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet5/20 (106), with [Switch_B] FastEthernet9/3 (103).
    Switch A sees that the native vlan field of the received CDP message is 103 and the local access port is configured with vlan 106. By itself this doesn't do anything but give this syslog message as far as I know because mismatched native vlans is a (in rare cases) legitimate design.
    2) BPDU Guard error disabling the port.
    This has nothing to do with the port being a trunk or access port. The port received a BPDU (spanning tree control message), and the entire purpose of BPDU guard is to shut down ports that receive these messages.
    3) The final issue is spanning tree considering the port to be inconsistent because the native vlans don't match. I don't know if that even triggered since bpduguard shut it down.


    Okay I think I am beginning to understand now. So the NATIVE VLAN MISMATCH message is strictly due to the port seeing the vlan frames which are different than what the port is configured for, this does not necessarily disable the port though. (I've heard of this concept before).

    The BPDU guard message I assumed was related as both ports are not configured to be trunks so the ports disabled. SO... Essentially if I did not have BPDU guard enabled on the ports I could have an up/up switch port receiving vlan frames from a different vlan than what is presently configured on that port WITH the ports interconnecting the switches AS access ports?


    ^^^ LOL That sounds insanely complicated
    fredrikjj Member Posts: 879
    Okay I think I am beginning to understand now. So the NATIVE VLAN MISMATCH message is strictly due to the port seeing the vlan frames which are different than what the port is configured for, this does not necessarily disable the port though. (I've heard of this concept before).

    To nitpick, the switch cannot "see" untagged frames since there's no field in the ethernet header that's encoded with that information. It's all about CDP retrieving that information from one switch and that message then being sent to the other side.
    The BPDU guard message I assumed was related as both ports are not configured to be trunks so the ports disabled. SO... Essentially if I did not have BPDU guard enabled on the ports I could have an up/up switch port receiving vlan frames from a different vlan than what is presently configured on that port WITH the ports interconnecting the switches AS access ports?

    If you disabled spanning-tree, yes, but per vlan spanning tree isn't compatible with that behavior as far as I know.
    Danielh22185 Member Posts: 1,195
    fredrikjj wrote: »
    To nitpick, the switch cannot "see" untagged frames since there's no field in the ethernet header that's encoded with that information. It's all about CDP retrieving that information from one switch and that message then being sent to the other side.
    If you disabled spanning-tree, yes, but per vlan spanning tree isn't compatible with that behavior as far as I know.


    Cool thanks for the info! This helps a lot!

    I can't wait for my switches to ship to my house, so I can start labbing this kind of stuff to experiment!