Support
Community

00pinetree wrote: A few questions: 1. When untagged traffic egresses port 0/3 to 0/28 will it be tagged with VLAN 201 or sent untagged?

Untagged traffic entering port 0/3 will belong to VLAN 201 and be tagged with 201 leaving port 0/28.

2. Port 0/28 has no native vlan, is ingress untaggged traffic tagged with default VLAN1?

If allowed, it will be on default VLAN 1, which is not normally tagged by default. See answer to 2a below.

2a. If tagged with VLAN1 but VLAN1 is not allowed then is the untagged traffic dropped?

Usually yes. However, some switches and firmware versions don't allow you to remove VLAN 1 from a trunk. I recommend that you avoid using VLAN 1 on a switch that has multiple VLANs configured. I generally will configure an unused VLAN as native on these ports if this is a concern.

Note that in the scenario you have above, there is a risky configuration. You have the VLAN 1 interface enabled and configured for DHCP. You also have the VLAN 101 interface enabled and configured with a static IP address. If the switch has IP routing enabled and a rogue DHCP server is plugged in to a port where VLAN 1 appears, then the switch will route between that subnet and your configured subnet if you have IP routing enabled. A default route may also be learned by the switch from DHCP. You probably don't want this behavior so it is best to shut down the VLAN 1 interface and/or configure it with no IP address.

00pinetree wrote: Thank you once again. My problem was apparently a native vlan mismatch: SW2 interface gigabit-switchport 0/3 description Down-to-AP1 no shutdown switchport mode trunk switchport trunk native vlan 201 switchport trunk allowed vlan 201,1103-1105 interface gigabit-switchport 0/1 description Up-To-CORE-SW-GIG-0/28 no shutdown switchport mode trunk switchport trunk allowed vlan 101,201,1103-1105,1501-1505 | | | CORE-SW interface gigabit-switchport 0/28 description Down-To-SW2-GIG 0/1 no shutdown switchport mode trunk switchport native vlan 201 switchport trunk allowed vlan 101,201,1103-1105,1501-1505 Once I removed switchport native vlan 201 from CORE-SW 0/28 then untagged traffic originating on SW2-0/3 was able to pass. Still not sure exactly why this fixed things. If a packet leaving 0/3 is tagged with VLAN 201 then it would be tagged with 201 when hits 0/1 and I would expect it would be received as tagged 201 when it reaches CORE-SW 0/28

You're correct that it was a native VLAN mismatch. The frames leaving CORE-SW 0/28 belonging to VLAN 201 would have their tags stripped leaving the port because VLAN 201 was configured as native. When those frames arrived at SW2 untagged, they would be placed in VLAN 1 (the default untagged VLAN).

You could have also solved the problem by leaving CORE-SW 0/28 alone and putting switchport native vlan 201 on port 0/1 of SW2. Native VLAN is configured on a per-trunk-port basis and is not global to the switch.