critical to add a switch in this manner.
2.5 Correcting Common VLAN Configuration Errors
2.5.1 Describing Issues with 802.1Q Native VLANs

The figure shows a frequent configuration error. The native VLAN configured on each end of an 802.1Q trunk must be the same. Remember that a switch sends frames belonging to the native VLAN across the trunk untagged, and assigns any untagged frame it receives on the trunk to its own native VLAN. If one end is configured for native VLAN 1 and the other for native VLAN 2, a frame sent untagged in VLAN 1 from one side is received and placed into VLAN 2 on the other. Two VLANs that were meant to be segmented are effectively merged across the trunk. This is never intended, and connectivity issues will occur in the network. Cisco switches use Cisco Discovery Protocol (CDP) to warn of a native VLAN mismatch. In the figure, the PCs connected to the hub are sending untagged frames. Because the frames are untagged, they become part of VLAN 1 on the left-hand switch and part of VLAN 2 on the right-hand switch. The figure in the next topic describes the mitigation of 802.1Q native VLAN issues.
2.5.2 Resolving Issues with 802.1Q Native VLANs

Consider the following issues when you are configuring a native VLAN on an 802.1Q trunk link:
- The native VLAN configuration must match at both ends of the link, or the trunk will not operate correctly: untagged traffic leaks between the two native VLANs.
- By default, the native VLAN is VLAN 1. For security, set the native VLAN on a trunk to a specific VID that is not used for normal operations anywhere else on the network, so that an untagged frame injected onto the trunk never lands in a VLAN that carries hosts:
  Switch(config-if)#switchport trunk native vlan vlan-id
- If there is a native VLAN mismatch on an 802.1Q link, CDP (if used and functioning) issues a "native VLAN mismatch" error.
- On some versions of Cisco IOS Software, CDP may not be transmitted, or turns off automatically, if VLAN 1 is disabled on the trunk.
- If there is a native VLAN mismatch on either side of an 802.1Q link, Layer 2 loops may occur, because VLAN 1 STP BPDUs are sent untagged to the IEEE STP MAC address (0180.c200.0000).
- When troubleshooting VLANs, note that a port can have one VLAN association (its access VLAN) when in access mode and a different one (its trunk native VLAN) when in trunk mode.
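The following is an added example, not code from the course page: a small model of how each end of an 802.1Q trunk treats the native VLAN, which makes the effect of a native VLAN mismatch concrete. Switch names, VLAN numbers and the frames are constructed for illustration; the `TrunkEnd`, `forward` and `leaked_vlans` names are the example's own.

```python
"""Added example, not code from the course page: a model of how each
end of an 802.1Q trunk handles the native VLAN, used to show why a
native VLAN mismatch merges two VLANs.  Switch names, VLAN numbers and
the frames below are constructed for illustration."""

from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class TrunkEnd:
    name: str
    native_vlan: int


def egress_tag(port: TrunkEnd, vlan: int) -> Optional[int]:
    """Tag a frame leaving a trunk port.  Frames in the port's native
    VLAN leave untagged (None); every other VLAN gets its 802.1Q tag."""
    return None if vlan == port.native_vlan else vlan


def ingress_vlan(port: TrunkEnd, tag: Optional[int]) -> int:
    """Assign a frame arriving on a trunk port.  An untagged frame is
    placed in the receiving port's native VLAN; a tagged frame keeps the
    VLAN in its tag."""
    return port.native_vlan if tag is None else tag


def forward(sender: TrunkEnd, receiver: TrunkEnd, vlan: int) -> int:
    """VLAN a frame ends up in after crossing the trunk one way."""
    return ingress_vlan(receiver, egress_tag(sender, vlan))


def native_vlan_mismatch(a: TrunkEnd, b: TrunkEnd) -> bool:
    """The check CDP performs: both ends must advertise the same native VLAN."""
    return a.native_vlan != b.native_vlan


def leaked_vlans(a: TrunkEnd, b: TrunkEnd,
                 vlans: Iterable[int]) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map (sending switch, source VLAN) -> (receiving switch, VLAN the
    frame lands in) for every VLAN whose identity changes in either
    direction.  Empty when the native VLANs match."""
    leaks = {}
    for vlan in vlans:
        for sender, receiver in ((a, b), (b, a)):
            landed = forward(sender, receiver, vlan)
            if landed != vlan:
                leaks[(sender.name, vlan)] = (receiver.name, landed)
    return leaks


if __name__ == "__main__":
    # Constructed scenario from the figure: left switch native VLAN 1,
    # right switch native VLAN 2.
    left, right = TrunkEnd("Switch1", 1), TrunkEnd("Switch2", 2)
    print("mismatch:", native_vlan_mismatch(left, right))
    for (src, vlan), (dst, landed) in leaked_vlans(left, right, (1, 2, 10)).items():
        print(f"{src} VLAN {vlan} -> {dst} VLAN {landed}")
    # Corrected: the same unused native VLAN on both ends, nothing leaks.
    fixed = (TrunkEnd("Switch1", 999), TrunkEnd("Switch2", 999))
    print("leaks after fix:", leaked_vlans(*fixed, (1, 2, 10)))
```

Only the untagged direction leaks: VLAN 1 from Switch1 arrives as VLAN 2, VLAN 2 from Switch2 arrives as VLAN 1, while tagged VLANs such as 10 cross unchanged. The same model shows why the recommendation to use an otherwise unused native VLAN on both ends works: nothing a host sends untagged can reach a VLAN that carries traffic.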
2.5.3 Describing Trunk Link Problems

The trunking mode, the trunk encapsulation type, the VTP domain, and the hardware capabilities of the two connected ports determine whether an operational trunk link is formed and which type it becomes. Consider that with the default switchport mode of dynamic auto and DTP enabled, if another device is connected that is set to switchport mode trunk (or dynamic desirable), the switch automatically converts the link to a trunk. This has security implications, because the port then accepts and forwards traffic for any VLAN allowed on the trunk. An attacker who connects a host that sends DTP frames as a switch would (switch spoofing) can therefore negotiate a trunk on an ordinary user port and communicate with other VLANs through that port. Following is an explanation of the three examples illustrated in the figure.
Example A
If both ends of the link are set to switchport mode dynamic auto, the link does not become a trunk, and the ports remain access ports.

Switch1#show interface fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

Example B
If one end of the link is set to switchport mode dynamic desirable and the other end of the link is set to switchport mode access, both ports remain access ports: the access port does not send DTP frames, so the desirable port has nothing to negotiate with.

Switch1#show interface fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

Switch2#show interfaces g1/0/1 switchport
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off

Example C
If one end of the link is set to switchport mode trunk and switchport nonegotiate and the other end of the link is set to switchport mode dynamic auto, a mismatch occurs, because the left-hand switch is not sending any DTP frames. The port set to dynamic auto on the right-hand switch defaults to being an access port, so one end tags frames as a trunk while the other treats the link as a single-VLAN access link.

Switch1#show int fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

Switch2#show interfaces g1/0/1 switchport
Name: Gi1/0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Web Links
For other DTP messages and recommended actions, see: DTP Messages
2.5.4 Resolving Trunk Link Problems

Trunk negotiation is managed by the Dynamic Trunking Protocol (DTP), which is a point-to-point protocol. When using DTP to configure trunks, ensure that both ends of the link are in the same VTP domain; DTP does not negotiate a trunk between ports in different domains. Because DTP is a Cisco-proprietary protocol, some internetworking devices do not support DTP frames, which can cause misconfigurations. To avoid this problem, turn off DTP on interfaces that are connected to devices that do not support it. Use the following commands to configure ports in the appropriate mode:
- If you do not intend to trunk across the link, use the switchport mode access interface configuration command to disable trunking. A static access port does not send DTP frames (Negotiation of Trunking: Off in the show interfaces switchport output above).
- To enable trunking to a device that does not support DTP, use the switchport mode trunk and switchport nonegotiate interface configuration commands, which cause the interface to become a trunk unconditionally without generating DTP frames.
- Use the switchport trunk encapsulation isl or switchport trunk encapsulation dot1q interface configuration command to select the encapsulation type on the trunk port (on platforms that support only 802.1Q, this command is not available).

Regardless of whether a device supports DTP, general best practice is to configure trunks statically, with switchport mode trunk and switchport nonegotiate, and to configure every other port as a static access port, so that no port on the switch will negotiate a trunk with whatever is plugged into it.
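As an added example covering both the trunk link problems above (Examples A to C) and their resolution, and not code from the course page: a script that parses the DTP-relevant lines of `show interfaces <if> switchport` from both ends of a link, predicts what DTP will negotiate, flags ports that still accept trunk negotiation, and emits the static configuration recommended here. The command outputs are constructed to match the course examples; `show switchport` does not display the VTP domain, so it is passed in separately and assumed to be "building1" unless stated. All function and class names are the example's own.

```python
"""Added example, not code from the course page: parse the DTP-relevant
lines of `show interfaces <if> switchport` from both ends of a link,
predict the negotiated result, flag ports that still negotiate, and
emit the static configuration the section recommends.  The command
outputs are constructed to match the course's Examples A-C; the VTP
domain is not in this command's output, so it is an assumed input."""

import re
from dataclasses import dataclass
from typing import List, Tuple

ACCESS, AUTO, DESIRABLE, TRUNK = ("static access", "dynamic auto",
                                   "dynamic desirable", "trunk")


@dataclass
class PortState:
    name: str
    admin_mode: str                 # one of ACCESS, AUTO, DESIRABLE, TRUNK
    negotiate: bool                 # "Negotiation of Trunking: On"
    vtp_domain: str = "building1"   # assumption, not shown by the command


def show_switchport(name: str, admin_mode: str, negotiate: bool) -> str:
    """Constructed command output in the layout the course examples use;
    only the lines the parser needs are reproduced."""
    return (f"Name: {name}\n"
            "Switchport: Enabled\n"
            f"Administrative Mode: {admin_mode}\n"
            f"Negotiation of Trunking: {'On' if negotiate else 'Off'}\n")


def parse_switchport(text: str, vtp_domain: str = "building1") -> PortState:
    """Pull Name, Administrative Mode and Negotiation of Trunking out of
    the output; every other line is ignored."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return PortState(fields["Name"], fields["Administrative Mode"],
                     fields["Negotiation of Trunking"].lower() == "on",
                     vtp_domain)


def operational_mode(me: PortState, peer: PortState) -> str:
    """Mode this port settles in.  Static modes never change; a dynamic
    port becomes a trunk only if usable DTP frames arrive from the peer
    (peer negotiating, same VTP domain) and at least one side is trunk
    or desirable.  auto + auto stays access."""
    if me.admin_mode in (ACCESS, TRUNK):
        return me.admin_mode
    if not peer.negotiate or peer.vtp_domain != me.vtp_domain:
        return ACCESS                       # Example C: nonegotiate peer
    if peer.admin_mode in (TRUNK, DESIRABLE):
        return TRUNK
    if peer.admin_mode == AUTO and me.admin_mode == DESIRABLE:
        return TRUNK
    return ACCESS                           # Example A: auto + auto


def negotiate_link(a: PortState, b: PortState) -> Tuple[str, str]:
    return operational_mode(a, b), operational_mode(b, a)


def link_problems(a: PortState, b: PortState) -> List[str]:
    """A mismatch between the two ends, plus any port that would still
    let a connected device negotiate a trunk."""
    oa, ob = negotiate_link(a, b)
    problems = []
    if oa != ob:
        problems.append(f"mismatch: {a.name} is {oa}, {b.name} is {ob}")
    for p in (a, b):
        if p.admin_mode in (AUTO, DESIRABLE):
            problems.append(f"{p.name}: {p.admin_mode} accepts DTP; a host "
                            "sending DTP frames could negotiate a trunk")
    return problems


def static_config(p: PortState, want_trunk: bool) -> List[str]:
    """The section's recommendation: trunks are trunk + nonegotiate,
    everything else is a static access port.  The encapsulation command
    exists only on platforms that also support ISL."""
    cmds = [f"interface {p.name}"]
    if want_trunk:
        cmds += ["switchport trunk encapsulation dot1q",
                 "switchport mode trunk", "switchport nonegotiate"]
    else:
        cmds += ["switchport mode access"]
    return cmds


if __name__ == "__main__":
    a = parse_switchport(show_switchport("Fa0/1", TRUNK, False))    # Example C, left
    b = parse_switchport(show_switchport("Gi1/0/1", AUTO, True))    # Example C, right
    print(negotiate_link(a, b))
    print("\n".join(link_problems(a, b)))
    print("\n".join(static_config(b, want_trunk=True)))
```

Running the constructed Example C through it reports the trunk/access mismatch and that Gi1/0/1 still accepts DTP; the fix it prints is the static trunk configuration. Swapping the VTP domain on one end shows the other rule from the text: a dynamic port never trunks with a peer in a different domain.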
2.5.5 Common Problems with VTP Configuration

Some unexpected results can occur after VTP configuration. The configuration revision number determines whether a switch keeps its existing VLAN database or overwrites it with a VTP update received from another switch in the same domain with the same password: the update with the higher revision number wins, whether it comes from a server or a client. Therefore, when a switch is added to a network, it is important that it does not inject spurious information into the domain. Following is an example of a VTP client overwriting a VTP server when the correct procedures were not followed. The VTP server, Switch1, is currently at configuration revision 1 and knows of six VLANs.

Switch1#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : building1
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x0B 0xED 0x6C 0xE2 0x16 0xE9 0x3D 0x3C
Configuration last modified by 172.16.1.111 at 3-1-93 00:29:26
Local updater ID is 172.16.1.111 on interface Vl1 (lowest numbered VLAN interface found)
(lowest numbered VLAN interface found) The new switch, Switch2,