Detecting Mismatched Native VLANs

Many people have seen the message logged to their switch about a mismatched native VLAN on a trunk, but how is it detected? There are two methods of detecting mismatched native VLAN on a trunk link:

• CDP.
• STP when using a Per-VLAN flavor such as PVST+ or RPVST+.

To demonstrate how this happens, I will setup a very simple topology in CML with two switches connected by a trunk link as seen below:

At this point only the following has been configured on the trunk link:

interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto

Now, let’s take a look at the PDUs being generated, CDP and STP. For CDP we can see the following in Wireshark:

Frame 31: 354 bytes on wire (2832 bits), 354 bytes captured (2832 bits)
IEEE 802.3 Ethernet 
Logical-Link Control
Cisco Discovery Protocol
    Version: 2
    TTL: 180 seconds
    Checksum: 0x474d [correct]
    [Checksum Status: Good]
    Device ID: SW2
    Software Version
    Platform: Cisco 
    Addresses
    Port ID: GigabitEthernet0/0
    Capabilities
    VTP Management Domain: 
    Native VLAN: 1
        Type: Native VLAN (0x000a)
        Length: 6
        Native VLAN: 1
    Duplex: Full
    Trust Bitmap: 0x00
    Untrusted port CoS: 0x00
    Management Addresses

Notice that the native VLAN is signaled and that it is currently set to 1.

For PVST+, there are two BPDUs being generated:

• IEEE BPDU to destination MAC of 0180.c200.0000.
• PVST+ BPDU to destination MAC of 0100.0ccc.cccd.

Note that the IEEE BPDU has no information on the originating VLAN:

Frame 2: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
IEEE 802.3 Ethernet 
Logical-Link Control
Spanning Tree Protocol
    Protocol Identifier: Spanning Tree Protocol (0x0000)
    Protocol Version Identifier: Spanning Tree (0)
    BPDU Type: Configuration (0x00)
    BPDU flags: 0x00
    Root Identifier: 32768 / 1 / 52:54:00:04:2a:87
    Root Path Cost: 0
    Bridge Identifier: 32768 / 1 / 52:54:00:04:2a:87
    Port identifier: 0x8001
    Message Age: 0
    Max Age: 20
    Hello Time: 2
    Forward Delay: 15

The PVST+ BPDU does have this information:

Frame 3: 64 bytes on wire (512 bits), 64 bytes captured (512 bits)
IEEE 802.3 Ethernet 
Logical-Link Control
Spanning Tree Protocol
    Protocol Identifier: Spanning Tree Protocol (0x0000)
    Protocol Version Identifier: Spanning Tree (0)
    BPDU Type: Configuration (0x00)
    BPDU flags: 0x00
    Root Identifier: 32768 / 1 / 52:54:00:04:2a:87
    Root Path Cost: 0
    Bridge Identifier: 32768 / 1 / 52:54:00:04:2a:87
    Port identifier: 0x8001
    Message Age: 0
    Max Age: 20
    Hello Time: 2
    Forward Delay: 15
    Originating VLAN (PVID): 1
        Type: Originating VLAN (0x0000)
        Length: 2
        Originating VLAN: 1

Now, let’s change the native VLAN on SW2 and see what happens:

SW2(config)#int gi0/0
SW2(config-if)#switchport trunk native vlan 2

CDP is now reporting that there is a native VLAN mismatch:

%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/0 (2), with SW1 GigabitEthernet0/0 (1)

SW2 is detecting this by comparing the native VLAN in this PDU to what it has locally configured:

Frame 92: 354 bytes on wire (2832 bits), 354 bytes captured (2832 bits)
IEEE 802.3 Ethernet 
Logical-Link Control
Cisco Discovery Protocol
    Version: 2
    TTL: 180 seconds
    Checksum: 0x484d [correct]
    [Checksum Status: Good]
    Device ID: SW1
    Software Version
    Platform: Cisco 
    Addresses
    Port ID: GigabitEthernet0/0
    Capabilities
    VTP Management Domain: 
    Native VLAN: 1
    Duplex: Full
    Trust Bitmap: 0x00
    Untrusted port CoS: 0x00
    Management Addresses

Note that CDP is only reporting about the error. It doesn’t have the ability to block anything or take any corrective action.

STP is also detecting that there is a mismatch:

%SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on GigabitEthernet0/0 VLAN2.
%SPANTREE-2-BLOCK_PVID_PEER: Blocking GigabitEthernet0/0 on VLAN0001. Inconsistent peer vlan.
%SPANTREE-2-BLOCK_PVID_LOCAL: Blocking GigabitEthernet0/0 on VLAN0002. Inconsistent local vlan.

This is detected by checking the originating VLAN in PVST+ BPDU and comparing it to on what VLAN it was received:

Frame 94: 64 bytes on wire (512 bits), 64 bytes captured (512 bits)
IEEE 802.3 Ethernet 
Logical-Link Control
Spanning Tree Protocol
    Protocol Identifier: Spanning Tree Protocol (0x0000)
    Protocol Version Identifier: Spanning Tree (0)
    BPDU Type: Configuration (0x00)
    BPDU flags: 0x01, Topology Change
    Root Identifier: 32768 / 1 / 52:54:00:0b:45:06
    Root Path Cost: 0
    Bridge Identifier: 32768 / 1 / 52:54:00:0b:45:06
    Port identifier: 0x8001
    Message Age: 0
    Max Age: 20
    Hello Time: 2
    Forward Delay: 15
    Originating VLAN (PVID): 1
        Type: Originating VLAN (0x0000)
        Length: 2
        Originating VLAN: 1

There is a native VLAN (PVID) mismatch which is reported as PVID_Inc. STP goes into a broken state (BKN) and is blocking both of the offending VLANs:

SW2#show span vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     5254.0004.2a87
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5254.0004.2a87
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Desg BKN*4         128.1    P2p *PVID_Inc 

SW2#show span vlan 2

VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    32770
             Address     5254.0004.2a87
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     5254.0004.2a87
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Desg BKN*4         128.1    P2p *PVID_Inc

If STP didn’t block the VLANs, there would be bridging between two different VLANs, VLAN 1 and 2 in this scenario. By using PVST+, this misconfiguration didn’t lead to any “leaking” of traffic between different VLANs.

Just to show you what would happen without PVST+, let’s disable STP completely on SW2:

SW2(config)#no span vlan 1
SW2(config)#no span vlan 2

As SW2 is no longer generating BPDUs, SW1 therefore not receiving them, SW1 can change the state to forwarding on Gi0/0:

SW1#show span vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     5254.000b.4506
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5254.000b.4506
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Desg FWD 4         128.1    P2p 

Then, let’s configure SVI in VLAN 1 on SW1 and VLAN 2 on SW2:

SW1#sh run int vlan 1
Building configuration...

Current configuration : 60 bytes
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.252
end

SW2#sh run int vlan 2
Building configuration...

Current configuration : 60 bytes
!
interface Vlan2
 ip address 10.0.0.2 255.255.255.252
end

Then let’s try a ping:

SW2#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/4/5 ms

It works! By disabling STP on SW2, there is now bridging between VLAN 2 and VLAN 1. Let’s verify the ARP cache and then the MAC address table:

SW2#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                0   5254.000b.8001  ARPA   Vlan2
Internet  10.0.0.2                -   5254.0004.8002  ARPA   Vlan2

SW2#show mac address-table vlan 2
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    5254.000b.4506    DYNAMIC     Gi0/0
   2    5254.000b.8001    DYNAMIC     Gi0/0
Total Mac Addresses for this criterion: 2

SW1#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   5254.000b.8001  ARPA   Vlan1
Internet  10.0.0.2                1   5254.0004.8002  ARPA   Vlan1

SW1#show mac address-table vlan 1
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    5254.0004.2a87    DYNAMIC     Gi0/0
   1    5254.0004.8002    DYNAMIC     Gi0/0
Total Mac Addresses for this criterion: 2

Notice how SW2 knows MAC of SW1 (5254.000b.8001) via VLAN 2 although it originated in VLAN 1 on SW1. SW1 knows MAC of SW2 (5254.0004.8002) via VLAN 1 although it originated in VLAN 2.

In this post we learned that there are two mechanisms to detect a mismatch of native VLAN on a trunk link, CDP, and STP. CDP will only report the error, but has no mechanism of blocking (as expected) or correcting the misconfiguration. The PVST+ BPDUs that are generated contain information on the originating VLAN and compare this on the VLAN that the BPDU was received. If there is a mismatch, both the offending VLANs will be blocked. This prevents bridging frames between two different VLANs.