Troubleshooting VLANs & Trunks

In a previous lesson I explained some of the possible interface issues that we can encounter. Once you have verified that your interfaces are configured correctly and you are still having issues, the problem might be related to VLANs and trunks. Let’s take a look at some common issues and how to solve them.

VLAN assignment issues

Here is the topology:

[Topology diagram: H1 and H2 connected to SW1]

H1 is unable to ping H2. There are no issues with the hosts; the problem is related to the switch. Let’s see what happens when we try a ping:

C:\Documents and Settings\H1>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The two computers are unable to ping each other (what a surprise!). Let’s quickly check whether there are any interface errors:

SW1#show ip int brief
Interface           IP-Address      OK? Method Status                Protocol
FastEthernet0/1     unassigned      YES unset  up                    up      
FastEthernet0/3     unassigned      YES unset  up                    up

The interfaces are looking good, no errors here. Let’s check the VLAN assignments:

SW1#show vlan 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12,Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16,Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20,Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
2    VLAN0002                         active    Fa0/3

The show vlan command is a quick way to verify which VLAN each interface belongs to.
As you can see, our interfaces are not in the same VLAN: Fa0/1 is in VLAN 1 and Fa0/3 is in VLAN 2. Let’s fix this:

SW1(config)#interface fa0/3
SW1(config-if)#switchport access vlan 1

This moves interface Fa0/3 back to VLAN 1, so both hosts are now in VLAN 1. Let’s try that ping again:

C:\Documents and Settings\H1>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

This solves our problem!

Lesson learned: Make sure the interface is in the correct VLAN.

Switchport mode issues

Time for another problem, same topology:

[Topology diagram: H1 and H2 connected to SW1]

We verified that there are no interface errors, the interfaces are up and running:

SW1#show ip interface brief 
Interface           IP-Address      OK? Method Status                Protocol
FastEthernet0/1     unassigned      YES unset  up                    up      
FastEthernet0/3     unassigned      YES unset  up                    up

The interfaces don’t show any errors. Let’s check the VLAN assignments:

SW1#show vlan 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13,Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17,Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21,Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active    Fa0/1

Above you can see that FastEthernet 0/1 is in VLAN 10 but I don’t see FastEthernet 0/3 anywhere. Here are the possible causes:

  • Something is wrong with the interface. We proved this wrong because it shows up/up so it seems to be active.
  • The interface is not an access port but a trunk.

Let’s check the switchport information:

SW1#show interfaces fa0/3 switchport 
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 1 (default)

A quick look at the switchport information shows us what we need to know. We can confirm that interface fa0/3 is in trunk mode and the native VLAN is 1. This means that whenever H2 sends traffic without an 802.1Q tag, that traffic ends up in VLAN 1. Let’s turn this interface into access mode:

SW1(config)#interface fa0/3
SW1(config-if)#switchport mode access 
SW1(config-if)#switchport access vlan 10

This puts FastEthernet 0/3 into access mode and assigns it to VLAN 10. Let’s verify this:

SW1#show vlan id 10

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   VLAN0010                         active    Fa0/1, Fa0/3

Both interfaces are now active in VLAN 10. Checking the operational mode is also a good idea:

SW1#show interfaces fa0/3 switchport | include Operational Mode 
Operational Mode: static access

It now shows up as access mode. Let’s try that ping again:

C:\Documents and Settings\H1>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Now I can send a ping from H1 to H2…problem solved!

Lesson learned: Make sure the interface is in the correct switchport mode (access or trunk mode).
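
The two checks from the sections above (VLAN assignment and switchport mode) can be run over saved command output. The following Python script is an added example, not part of the original lesson; the function names and the trimmed sample output are constructed for illustration.

```python
import re

# Constructed sample input, modelled on the command output shown in this lesson.
SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/11, Fa0/12, Fa0/13,Fa0/14
10   VLAN0010                         active    Fa0/1
"""
SHOW_SWITCHPORT = """\
Name: Fa0/3
Administrative Mode: trunk
Operational Mode: trunk
Trunking Native Mode VLAN: 1 (default)
"""

def parse_show_vlan(text):
    """Map each port to its VLAN ID, following wrapped port lines."""
    port_vlan, current = {}, None
    for line in text.splitlines():
        row = re.match(r"(\d+)\s+\S+\s+\S+\s*(.*)$", line)
        if row:
            current, ports = int(row.group(1)), row.group(2)
        elif current is not None and line.startswith(" "):
            ports = line  # continuation line: ports only
        else:
            continue
        for port in re.findall(r"[A-Za-z]+\d+(?:/\d+)+", ports):
            port_vlan[port] = current
    return port_vlan

def parse_switchport(text):
    """Return the 'Key: value' fields of 'show interfaces <if> switchport'."""
    return dict(l.split(": ", 1) for l in text.splitlines() if ": " in l)

def diagnose(port_a, port_b, port_vlan, switchports):
    """Hypothetical helper: run the lesson's two checks on a pair of host ports."""
    findings = []
    for port in (port_a, port_b):
        if port not in port_vlan:  # up/up but absent: check the switchport mode
            mode = switchports.get(port, {}).get("Operational Mode", "unknown")
            findings.append(f"{port}: not in show vlan, operational mode {mode}")
    if not findings and port_vlan[port_a] != port_vlan[port_b]:
        findings.append(f"{port_a} in VLAN {port_vlan[port_a]}, "
                        f"{port_b} in VLAN {port_vlan[port_b]}")
    return findings

if __name__ == "__main__":
    sp = parse_switchport(SHOW_SWITCHPORT)
    print(diagnose("Fa0/1", "Fa0/3", parse_show_vlan(SHOW_VLAN), {sp["Name"]: sp}))
```

An empty result means both ports appear in the show vlan table under the same VLAN.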

VACL (VLAN Access-List) issues

Same two computers, same switch, different problem:

[Topology diagram: H1 and H2 connected to SW1]

This scenario is a bit more interesting though. The computers are unable to ping each other so let’s walk through our list of “possible” errors:

Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. Thanks a lot Rene, these lessons are very helpful.
    Keep up the good work.

  2. Hi Hans,

    Best to do it on both sides. Your switch(es) will complain when you receive traffic for VLANs that are not allowed on the trunk. It’s best practice to ensure that both ends of the trunk have the same configuration.

    Rene

  3. Hello Rodrigo

    There are various ways to show the status of interfaces and each command provides different information and in different formats. The command initially chosen by Rene, show ip interface brief, will show the status and protocol of all the interfaces in a list, so you get a general picture of all interfaces with one command. If any of those interfaces are configured with IP addresses, those are also displayed.

    The show interface fa0/x switchport command will show the switchport configuration of a single port in detail. This can be used when


  4. Are you familiar with the switch error - %sw_matm-4-macflap_notif. What causes them? What is flapping?

  5. Hi Jason,

    This message shows up when your switch receives a frame with the same source MAC address on two different interfaces.

    Do you see this for one MAC address or multiple? If you see multiple MAC addresses, you might have a L2 loop. If you only see one source MAC address, it’s probably a misconfiguration. Track it down like this:

    SW1#show mac address-table dynamic address 0017.94a5.a618 
              Mac Address Table
    -------------------------------------------
    
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
     200    0017