Troubleshooting VLANs & Trunks

Lesson Contents

In a previous lesson I explained some of the possible interface issues that we can encounter. Once you verified that your interface(s) are configured correctly and you are still having issues, the problem might be related to VLANs & Trunks. Let’s take a look at some common issues and how to solve them.

VLAN assignment issues

Here is the topology:

H1 is unable to ping H2. There are no issues with the hosts, the problem is related to the switch. Let’s see what happens when we try a ping:

C:>Documents and Settings>H1>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The two computers are unable to ping each other (what a surprise!). Let’s do a quick check if there are any interface errors:

SW1#show ip int brief
Interface           IP-Address      OK? Method Status                Protocol
FastEthernet0/1     unassigned      YES unset  up                    up      
FastEthernet0/3     unassigned      YES unset  up                    up

The interfaces are looking good, no errors here. Let’s check the VLAN assignments:

SW1#show vlan 

VLAN Name                Status    Ports
---- -------------------------------- --------- -------------------------------
1    default             active    Fa0/1, Fa0/2, Fa0/4, Fa0/5
                                   Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                   Fa0/10, Fa0/11, Fa0/12,Fa0/13
                                   Fa0/14, Fa0/15, Fa0/16,Fa0/17
                                   Fa0/18, Fa0/19, Fa0/20,Fa0/21
                                   Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                   Gi0/2
2    VLAN0002            active    Fa0/3

At this moment it’s a good idea to check the VLAN information. You can use the show vlan command to quickly verify to which VLAN the interfaces belong.
As you can see our interfaces are not in the same VLAN. Let’s fix this:

SW1(config)#interface fa0/3
SW1(config-if)#switchport access vlan 1

We’ll move interface Fa0/3 back to VLAN 1, both hosts are now in VLAN 1. Let’s try that ping again:

C:>Documents and Settings>H1>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

This solves our problem!

Lesson learned: Make sure the interface is in the correct VLAN.

Switchport mode issues

Time for another problem, same topology:

We verified that there are no interface errors, the interfaces are up and running:

SW1#show ip interface brief 
Interface          IP-Address      OK? Method Status               Protocol
FastEthernet0/1     unassigned      YES unset  up                    up      
FastEthernet0/3     unassigned      YES unset  up                    up

The interfaces don’t show any errors. Let’s check the VLAN assignments:

SW1#show vlan 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13,Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17,Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21,Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active    Fa0/1

Above you can see that FastEthernet 0/1 is in VLAN 10 but I don’t see FastEthernet 0/3 anywhere. Here are the possible causes:

Something is wrong with the interface. We proved this wrong because it shows up/up so it seems to be active.
The interface is not an access port but a trunk.

Let’s check the switchport information:

SW1#show interfaces fa0/3 switchport 
Name: Fa0/3
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 10 (VLAN0010)
Trunking Native Mode VLAN: 1 (default)

A quick look at the switchport information shows us what we need to know. We can confirm that interface fa0/3 is in trunk mode and the native VLAN is 1. This means that whenever H2 sends traffic and doesn’t use 802.1Q tagging that our traffic ends up in VLAN 1. Let’s turn this interface into access mode:

SW1(config)#interface fa0/3
SW1(config-if)#switchport mode access 
SW1(config-if)#switchport access vlan 10

We’ll turn FastEthernet 0/3 into access mode and make sure it’s in VLAN 10. Let’s verify this:

SW1#show vlan id 10

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
10   VLAN0010                         active    Fa0/1, Fa0/3

Both interfaces are now active in VLAN 10. Checking the operational mode is also a good idea:

SW1#show interfaces fa0/3 switchport | include Operational Mode 
Operational Mode: static access

It now shows up as access mode. Let’s try that ping again:

C:>Documents and Settings>H1>ping 192.168.1.2

Pinging 192.168.1.2 with 32 bytes of data:

Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Now I can send a ping from H1 to H2…problem solved!

Lesson learned: Make sure the interface is in the correct switchport mode (access or trunk mode).

VACL (VLAN Access-List) issues

Same two computers, same switch, different problem:

This scenario is a bit more interesting though. The computers are unable to ping each other so let’s walk through our list of “possible” errors:

Forum Replies

wisamani says:

Thanks alot Rene, these lessons are very helpful.
Keep up the good work.
hansderoode says:

Hi Renee,
With switchport trunk allowed vlan xx, do you have to specify this on both sides of the trunk link or is one side enough?

Regards,
Hans de Roode.
ReneMolenaar says:

Hi Hans,

Best to do it on both sides. Your switch(es) will complain when you receive traffic for VLANs that are not allowed on the trunk. It’s best practice to ensure that both ends of the trunk have the same configuration.

Rene
rodriarz says:

Hello Rene.
Could you explain me what’s the difference between show ip interface brief and show interface fa0/x switchport? I’m asking this because you use first the show ip interface to check the status of a swichport (up/down) and the other to check operational mode. My question is why you don’t use only interface fa0/x switchport to get both information ( status and operatinal mode?
lagapidis says:

Hello Rodrigo

There are various ways to show the status of interfaces and each command provides different information and in different formats. The command initially chosen by Rene is the show ip interface brief will show the status and protocol of all the interfaces in a list, so you get a general picture of all interfaces with one command. If any of those interfaces are configured with IP addresses, those are also displayed.

The show interface fa0/x switchport command will show the switchport configuration of a single port in detail. This can be used when
... Continue reading in our forum