Solution: VLAN Trunk Mistag

Summary

VLAN 350 is not included in the allowed VLAN list on the trunk port (Gi1/0/48) connecting esxi-node-07 to sw-dist-02. The switch silently drops all 802.1Q tagged frames for VLAN 350. VLANs 100 and 200 work because they were explicitly added when the port was configured, but VLAN 350 was missed.

Senior Workflow

Step 1: Check the trunk port configuration

sw-dist-02# show running-config interface GigabitEthernet1/0/48
interface GigabitEthernet1/0/48
  description esxi-node-07 trunk
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  spanning-tree port type edge trunk

Notice: allowed vlan 100,200 -- VLAN 350 is not listed.

Step 2: Verify VLAN 350 exists on the switch

sw-dist-02# show vlan id 350
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
350  DB-Network                       active    Gi1/0/1, Gi1/0/2

VLAN 350 exists and is active, but Gi1/0/48 is not listed as a member.

Step 3: Check the trunk status

sw-dist-02# show interface GigabitEthernet1/0/48 trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/48    on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/48    100,200

Port        Vlans allowed and active in management domain
Gi1/0/48    100,200

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/48    100,200

VLAN 350 is absent from all three VLAN lists.

Step 4: Confirm the host is sending tagged frames (already known)

# On esxi-node-07:
tcpdump -i vmnic0 -nn -e vlan 350
# Shows outgoing frames with 802.1Q tag 350 -- host config is correct

Step 5: Apply the fix

sw-dist-02# configure terminal
sw-dist-02(config)# interface GigabitEthernet1/0/48
sw-dist-02(config-if)# switchport trunk allowed vlan add 350
sw-dist-02(config-if)# end
sw-dist-02# write memory

Critical: use the add keyword. Without it, the command replaces the entire allowed VLAN list instead of extending it.

Step 6: Verify

sw-dist-02# show interface Gi1/0/48 trunk
Port        Vlans allowed on trunk
Gi1/0/48    100,200,350

# From the VM on VLAN 350:
ping <VLAN-350-gateway-IP>   # substitute the default gateway of the VLAN 350 subnet
# Should now succeed

Common Pitfalls

  • Forgetting the add keyword: switchport trunk allowed vlan 350 (without add) removes VLANs 100 and 200, breaking everything else. Always use switchport trunk allowed vlan add 350.
  • Assuming "trunk = all VLANs": If the trunk has an explicit allowed VLAN list, only those VLANs pass. This is a common misconception.
  • Not checking the VLAN database: If VLAN 350 does not exist on the switch at all, adding it to the trunk won't help. Create it first.
  • VTP pruning: Even if the VLAN is allowed on the trunk, VTP pruning can remove it if no local ports need it. Check show interface trunk for pruned VLANs.
  • Blaming the hypervisor: The tcpdump showing correct VLAN tags proves the host side is fine. The issue is always between the host and the first switch.
  • Using allowed vlan all as a blanket fix: This works but defeats the purpose of trunk VLAN restriction (security, broadcast domain control).
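To automate the Step 3 check and tell the three failure modes apart (VLAN not allowed, allowed but missing from the VLAN database, allowed but VTP-pruned or STP-blocked), the following Python script is an added example and not part of the original page. It parses the three VLAN lists of show interface trunk output; the sample output is constructed to resemble Step 3, and the function names are hypothetical.

```python
import re

# Constructed sample (not real device output): 350 absent, 310 allowed but not active, 305 pruned.
SAMPLE = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/48    on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/48    100,200,300-310

Port        Vlans allowed and active in management domain
Gi1/0/48    100,200,300-309

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/48    100,200,300-304,306-309
"""

def expand_vlans(spec):
    """Expand a Cisco VLAN list such as '100,200,300-310' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunk_lists(output, port):
    """Map each 'Port  Vlans ...' section title to the VLAN set shown for port."""
    lists, title = {}, None
    for line in output.splitlines():
        header = re.match(r"Port\s+(Vlans .*\S)", line)
        if header:
            title = header.group(1)
        elif title and line.startswith(port):
            lists[title] = expand_vlans(line.split(None, 1)[1])
            title = None
    return lists

def diagnose(output, port, vlan):
    """Say why `vlan` does or does not pass on trunk `port` (hypothetical helper)."""
    lists = parse_trunk_lists(output, port)
    if vlan not in lists.get("Vlans allowed on trunk", set()):
        return "not allowed"  # fix: switchport trunk allowed vlan add <vlan>
    if vlan not in lists.get("Vlans allowed and active in management domain", set()):
        return "allowed but not active"  # VLAN missing from the VLAN database
    if vlan not in lists.get("Vlans in spanning tree forwarding state and not pruned", set()):
        return "allowed but pruned or blocked"  # VTP pruning or STP state
    return "forwarding"
```

Running diagnose(SAMPLE, "Gi1/0/48", 350) returns "not allowed", which is the Step 3 finding; the same call against live output pasted from the switch gives the matching pitfall for any other VLAN.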