Troubleshooting VLANs & Trunks

This topic is to discuss the following lesson:

https://networklessons.com/switching/troubleshooting-vlans-trunks/

1 Like

Thanks alot Rene, these lessons are very helpful.
Keep up the good work.

Hi Renee,
With switchport trunk allowed vlan xx, do you have to specify this on both sides of the trunk link or is one side enough?

Regards,
Hans de Roode.

1 Like

Hi Hans,

Best to do it on both sides. Your switch(es) will complain when you receive traffic for VLANs that are not allowed on the trunk. It’s best practice to ensure that both ends of the trunk have the same configuration.

Rene

1 Like

Hello Rene.
Could you explain me what’s the difference between show ip interface brief and show interface fa0/x switchport? I’m asking this because you use first the show ip interface to check the status of a swichport (up/down) and the other to check operational mode. My question is why you don’t use only interface fa0/x switchport to get both information ( status and operatinal mode?

Hello Rodrigo

There are various ways to show the status of interfaces and each command provides different information and in different formats. The command initially chosen by Rene is the show ip interface brief will show the status and protocol of all the interfaces in a list, so you get a general picture of all interfaces with one command. If any of those interfaces are configured with IP addresses, those are also displayed.

The show interface fa0/x switchport command will show the switchport configuration of a single port in detail. This can be used when the only information you’re looking for is about that port in particular.

There is also the show interface status command which will provide a list of all the interfaces and include a column that shows the VLAN on which they are assigned if they are access ports, or if they are trunk ports, the word trunk will appear in that column. This command shows all the interfaces including the operational mode in which the ports are functioning.

I hope this has been helpful!

Laz

2 Likes

Are you familiar with the switch error - %sw_matm-4-macflap_notif. What causes them? What is flapping?

Hi Jason,

This message shows up when your switch receives a frame with the same source MAC address on two different interfaces.

Do you see this for one MAC address or multiple? If you see multiple MAC address, you might have a L2 loop. If you only see one source MAC address, it’s probably a misconfiguration. Track it down like this:

SW1#show mac address-table dynamic address 0017.94a5.a618 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 200    0017.94a5.a618    DYNAMIC     Gi0/34
Total Mac Addresses for this criterion: 1

If you have multiple switches, do this on all switches until you get to the source. One example where this can happen is when you configure link aggregation / load balancing on a server but not on your switch.

Rene

1 Like

A post was merged into an existing topic: VLAN Access-List (VACL)

Hello Rene,

First off thank you for this service, I have a solid background in networking at this point, but it never hurts to follow up on the fundamentals…

To this day I get confused with all of the information displayed when using “show interface trunk”. Given the image below, I was hoping you could elaborate on the difference on the “allowed and active in management domain”?

My mind instantly thinks management plane (SNMP, TELNET, SSH, NETCONF,etc), and upon further investigation, it seems to be referring to a VTP domain, but can you confirm this is the case?

If so Cisco did a really terrible job in my opinion making that clear and concise.

With that being said I have VTP turned off in my production environment at work and yet it still shows vlans in that field (picture is random example from google).

image

1 Like

Hello Adam

The truth is that sometimes Cisco does indeed do a terrible job at their descriptions. Let me try to clarify:

VLANs allowed on trunk - this shows the actual configuration that has been applied as far as allowed VLANs go. Whatever appears in the switchport trunk allowed vlan add command will appear here. By default, if you don’t issue this command, the default is 1-4094.

VLANS allowed and active in management domain - This lists those VLANs that are allowed on the trunk AND are currently active. What does it mean to be active? It simply means that the VLAN itself has been created. In other words, that VLAN must be listed in the output of the show vlan command.

I actually labbed this up and confirmed this. Essentially, this output seems to be a more legacy way of saying that the VLAN is created. It exists within the “management domain” of the VLAN database within the switch. The management domain doesn’t have to do with VTP or with the management VLAN, or management protocols.

I hope this has been helpful!

Laz

1 Like

switchport trunk allowed vlan

Don’t forget the add keyword :wink:.

Everyone network engineer makes that mistake once.

1 Like

Hello Adam

Yes, you are correct. :blush: One mistake is allowed indeed! I’ve made the change in the post. The IOS is more forgiving since it helps you “remember” the commands as you type.

Thanks again for pointing that out!

Laz

1 Like

Hi

How does 2 host in different vlan can communicate with each other if we have a switch in between them?
Host1(vlan10)—————-switch————-host2(vlan20)

Hello Rahul

Whenever you have two hosts on two different VLANs (and thus two different subnets), in order to have them communicate with each other, you require a router. Somewhere, there must be routing taking place, either using a separate router, or a layer 3 switch.

In your topology, if the switch is a Layer 3 switch, then routing can take place in the switch itself. There you would use InterVLAN routing, which is described in detail in the lesson below:

Otherwise, if your switch is only a Layer 2 switch, then you need to implement router on a stick, which is described in the following lesson:

I hope this has been helpful!

Laz

Hello,

Thank you again for another superb article! I love how you use topologies along with real CLI output to explain concepts. This makes learning MUCH more student-friendly and practical.

I’d like to ask about this statement:
“Don’t be confused because of the permit statement here. Using a permit statement in the access-list means that it will “match” on 192.168.1.0 /24. Our two computers are using IP addresses from this range. If it matches this access-list then the VLAN access-map will drop the traffic.”

What if instead of the “permit” action, the “deny” action is configured on this ACL? Would it leave all IPs in the 192.168.1.0 /24 subnet unaffected (so it wouldn’t drop traffic sourced from that subnet), and it would drop all traffic from all of the other subnets?

Thank you.
Attila

Hello Attila

We must keep in mind what the role of the access list in this scenario is. The access list is used to match traffic. The ACL itself does not allow or block traffic, but it matches it. In such a scenario, the permit statement indicates a match. So matched traffic is defined by the ACL, and is acted upon by the action defined in the access map.

What if we set “deny” instead of “permit” in the ACL? Well, the ACL would never match any traffic, because the deny statement in an ACL does not match anything. Therefore, the access map would never act upon any traffic. The result is the same as if you had not configured any ACL or access map. Does that make sense?

I hope this has been helpful!

Laz

2 Likes