Symptom
On trying to remove the native vlan config from an interface, DCNM also removes the allowed vlans.
Conditions
When a port is configured as a trunk host using the int_trunk_host_11_1 policy, and the vlan id in the "switchport trunk native vlan " command is also part of the trunk allowed vlan list, then on trying to remove the native vlan, DCNM also removes all the allowed vlans from the allowed vlan list.
For example, intent is:
interface Ethernet1/30
no shutdown
description SLOT1.NODE1
spanning-tree port type edge trunk
spanning-tree bpduguard enable
mtu 9216
switchport
switchport mode trunk
switchport trunk allowed vlan 104,111,112,113
switchport trunk native vlan 104
switchport
Running config is:
interface Ethernet1/30
description SLOT1.NODE1
switchport
switchport mode trunk
switchport trunk native vlan 104
switchport trunk allowed vlan 104,111-113
spanning-tree port type edge trunk
spanning-tree bpduguard enable
mtu 9216
no shutdown
After removing "switchport trunk native vlan 104" from the intent, DCNM generates the following config, which removes all the allowed vlans:
interface ethernet1/30
no switchport trunk native vlan 104
switchport
switchport mode trunk
mtu 9216
spanning-tree bpduguard enable
spanning-tree port type edge trunk
description SLOT1.NODE1
no shutdown
no switchport trunk allowed vlan 104,111-113
Workaround
When removing the "switchport trunk native vlan " command, if the native vlan-id is also part of the allowed vlan list, first remove that vlan-id from the allowed vlan list as well and deploy the configs to the device.
Once the native vlan config has been removed from the switch, the vlan-id can be added back to the allowed vlan list and the configs deployed to the device again.
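The following is an added example, not DCNM code: it models the intent-versus-running diff for the two trunk commands so that the expected delta for the scenario above is only "no switchport trunk native vlan 104", and it includes a pre-deploy check for the workaround condition (native vlan present in the allowed list). The VLAN range expansion/collapsing, the regexes and the function names are assumptions made for this illustration; the interface configs are the ones quoted in the report. Treating an intent without an allowed-vlan line as a reset to the NX-OS default ("no switchport trunk allowed vlan") is also an assumption.

```python
"""Added example (not DCNM code): compute a trunk config delta that keeps the
allowed-vlan list independent of the native-vlan removal, plus a pre-deploy
check for the workaround condition described in the bug report."""
import re

# Assumed regexes for the two commands this report is about.
NATIVE_RE = re.compile(r"^\s*switchport trunk native vlan (\d+)\s*$")
ALLOWED_RE = re.compile(r"^\s*switchport trunk allowed vlan (.+?)\s*$")

# Configs quoted in the report (intent before/after the change, and running config).
INTENT_BEFORE = """interface Ethernet1/30
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 104,111,112,113
  switchport trunk native vlan 104
"""
INTENT_AFTER = """interface Ethernet1/30
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 104,111,112,113
"""
RUNNING = """interface Ethernet1/30
  switchport
  switchport mode trunk
  switchport trunk native vlan 104
  switchport trunk allowed vlan 104,111-113
"""


def parse_vlan_list(spec: str) -> set:
    """Expand '104,111-113' into {104, 111, 112, 113}."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def format_vlan_list(vlans: set) -> str:
    """Collapse {104, 111, 112, 113} into '104,111-113' (running-config style)."""
    ranges = []
    start = prev = None
    for v in sorted(vlans):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            ranges.append((start, prev))
            start = prev = v
    if start is not None:
        ranges.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


def trunk_state(config: str) -> dict:
    """Extract the native vlan and the normalised allowed set from an interface block."""
    state = {"native": None, "allowed": set()}
    for line in config.splitlines():
        m = NATIVE_RE.match(line)
        if m:
            state["native"] = int(m.group(1))
            continue
        m = ALLOWED_RE.match(line)
        if m:
            state["allowed"] = parse_vlan_list(m.group(1))
    return state


def trunk_delta(intent: str, running: str) -> list:
    """Commands that move the running config to the intent. The native vlan and
    the allowed list are compared independently, so dropping the native vlan
    never touches the allowed list (the behaviour the report expects)."""
    want, have = trunk_state(intent), trunk_state(running)
    cmds = []
    if have["native"] is not None and want["native"] is None:
        cmds.append(f"no switchport trunk native vlan {have['native']}")
    elif want["native"] is not None and want["native"] != have["native"]:
        cmds.append(f"switchport trunk native vlan {want['native']}")
    if want["allowed"] != have["allowed"]:  # set comparison ignores range formatting
        if want["allowed"]:
            cmds.append(f"switchport trunk allowed vlan {format_vlan_list(want['allowed'])}")
        else:
            cmds.append("no switchport trunk allowed vlan")  # assumed: reset to default
    return cmds


def native_in_allowed(config: str) -> bool:
    """Workaround pre-check: True when the native vlan is also in the allowed list."""
    s = trunk_state(config)
    return s["native"] is not None and s["native"] in s["allowed"]


if __name__ == "__main__":
    print("native vlan in allowed list:", native_in_allowed(INTENT_BEFORE))
    print("delta before change:", trunk_delta(INTENT_BEFORE, RUNNING))
    print("delta after removing native vlan:", trunk_delta(INTENT_AFTER, RUNNING))
```

Running it shows that the intent and running config are already equivalent before the change (the "104,111,112,113" versus "104,111-113" spelling difference is absorbed by the set comparison), and that removing the native vlan yields a single negation command rather than the extra "no switchport trunk allowed vlan 104,111-113" the report shows DCNM emitting.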
This issue is fixed in 11.2.1 CCO
Further Problem Description
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html