SWITCH Lab – Manual VLAN Pruning on Trunk interfaces, STP / EtherChannel behaviors, SWITCH and TSHOOT lab!

(Image: SWITCH_LAB1)

I started freestyle labbing to review some topics, and found some interesting behaviors along the way that I wanted to make note of here, so this will be more of a troubleshooting / behaviors demonstration than a configuration of any particular topic.

The topic I went with here is creating VLANs local to their respective switches, how this plays out in the “sh int trunk” output, and how STP and EtherChannel treat it.

Creating the VLANs

First just a simple configuration of the VLANs on SW1 and SW3.

SW1

SW1#
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int fa1/0/10
SW1(config-if)#switchport access vlan 10
% Access VLAN does not exist. Creating vlan 10
SW1(config-if)#int fa1/0/12
SW1(config-if)#switchport access vlan 20
% Access VLAN does not exist. Creating vlan 20
SW1(config-if)#

SW3

SW3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW3(config)#int fa1/0/10
SW3(config-if)#switchport access vlan 30
% Access VLAN does not exist. Creating vlan 30
SW3(config-if)#

VLANs 10 and 20 exist only on SW1, and VLAN 30 only on SW3, throughout this lab; that asymmetry is what produces the behaviors shown below, which may well be seen on exam day!

Trunk Configuration / In depth look at “sh int trunk” and VLAN Pruning

Simple Trunk configuration, followed by my dissection of the trunk interface output

SW1

SW1(config)#int ra fa1/0/1 - 4
SW1(config-if-range)#switchport trunk encap dot
SW1(config-if-range)#switchport mode trunk

SW3

SW3(config)#int ra fa1/0/1 - 4
SW3(config-if-range)#switchport trunk encap dot
SW3(config-if-range)#switchport mode trunk

Below I review the “show int trunk” output one section at a time, adding manual VLAN pruning into the mix to produce some troubleshooting-worthy / odd output!

SW1#sh int trunk

Trunk information

Port        Mode         Encapsulation  Status        Native vlan
Fa1/0/1     on           802.1q         trunking      1
Fa1/0/2     on           802.1q         trunking      1
Fa1/0/3     on           802.1q         trunking      1
Fa1/0/4     on           802.1q         trunking      1

The interface, mode, encapsulation type, status, and Native VLAN.

All posts specifically related to Trunking, which cover what these values mean and how to configure them, can be found here.

Trunk Pruning information

Port        Vlans allowed on trunk
Fa1/0/1     1-4094
Fa1/0/2     1-4094
Fa1/0/3     1-4094
Fa1/0/4     1-4094

This is where manual VLAN Pruning for trunks is displayed. By default no VLANs are pruned (all VLANs are allowed over a Trunk); to prune them manually:

SW1(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

Defining a single VLAN with this command while all VLANs are still allowed by default is the same as running “switchport trunk allowed vlan none” and then adding that single VLAN: it removes every VLAN not explicitly listed from that Trunk interface:

SW1(config-if)#switchport trunk allowed vlan 10
SW1(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa1/0/1     on           802.1q         trunking      1
Fa1/0/2     on           802.1q         trunking      1
Fa1/0/3     on           802.1q         trunking      1
Fa1/0/4     on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/0/1     10
Fa1/0/2     1-4094
Fa1/0/3     1-4094
Fa1/0/4     1-4094

Port        Vlans allowed and active in management domain
Fa1/0/1     10
Fa1/0/2     1,10,20
Fa1/0/3     1,10,20
Fa1/0/4     1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/1     10
Fa1/0/2     1,10,20
Fa1/0/3     1,10,20
Fa1/0/4     1,10,20

Note that Manual Pruning impacts every section below it for the configured interface; not even the Native VLAN is left in any of the following sections!

The Native VLAN remains 1, so the Trunk interface stays up: Pruning the Native VLAN does not cause a Native VLAN mismatch (Native VLANs must still match on each side of a Trunk). However, as can be seen, the only VLAN now traversing this trunk is VLAN 10.

Management Domain VLANs

Port        Vlans allowed and active in management domain
Fa1/0/1     10
Fa1/0/2     1,10,20
Fa1/0/3     1,10,20
Fa1/0/4     1,10,20

By default this section includes all VLANs present in the VLAN Database (vlan.dat), unless Manual Pruning is configured on the interface as shown above, or the VLAN is shut down at Layer 2:

SW1(config)#shutdown ?
  vlan  Shutdown VLAN switching

SW1(config)#shutdown vlan ?
  <2-1001>  VLAN ID of the VLAN to shutdown

SW1(config)#shutdown vlan 20 ?
  <cr>

SW1(config)#shutdown vlan 20
SW1(config)#

***Note that default VLAN 1 cannot be shut down at Layer 2!***

This is a very important distinction from shutting down an SVI interface, as issuing a “shutdown” command on an SVI shuts it down at Layer 3. To illustrate this I also shut down interface VLAN 1 and ran “sh vlan brief”:

SW1(config)#int vlan 1
SW1(config-if)#shut
SW1(config-if)#
*Mar 1 02:09:11.786: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
*Mar 1 02:09:11.794: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
SW1(config)#do sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    (Lots of Ports)
10   VLAN0010                         active    Fa1/0/10
20   VLAN0020                         act/lshut Fa1/0/12        <----- GOOD TO NOTE FOR EXAM DAY!
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
SW1(config)#

Note that default VLAN 1 still shows “active” even though its SVI is shut down (VLAN 20 also still reads “act”, but with the “lshut” flag that VLAN 1 does not get). Also note that the command did not remove the VLAN itself or any of the interfaces in it.

Here comes the REAL oddity behind this command:

The interface output

SW1(config-if)#do sh int fa1/0/12
FastEthernet1/0/12 is up, line protocol is up (connected)

The Physical interface LED on the switch

(Image: vlan_shut)

The CAM Table (Dynamic MAC Address table)

SW1(config-if)#do sh mac address-table dyn
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001e.f797.f14b    DYNAMIC     Fa1/0/10
   1    5897.1eab.ce04    DYNAMIC     Fa1/0/2
   1    5897.1eab.ce05    DYNAMIC     Fa1/0/3
   1    5897.1eab.ce06    DYNAMIC     Fa1/0/4
Total Mac Addresses for this criterion: 4
SW1(config-if)#

(Note no VLAN 20 or Interface Fa1/0/12)

Oddly, Fa1/0/12 shows Up / Up, yet the Amber LED, the “lshut” status in the VLAN table and the interface's absence from the CAM table all imply that no device is present at Layer 2. That is because the interface sits in a VLAN that has been shut down at Layer 2!

The reason a VLAN shut down at Layer 2 behaves so differently from an SVI shutdown is that the SVI shutdown only removes the VLAN at Layer 3: devices in the same L2 broadcast domain can still communicate with each other, it is only L3 routing for that VLAN that stops.

To bring up a VLAN shut down at Layer 2 you simply negate the shutdown command:

SW1(config)#no shutdown vlan 20
SW1(config)#do sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    (Lots of ports)
                                                Gi1/0/1, Gi1/0/2
10   VLAN0010                         active    Fa1/0/10
20   VLAN0020                         active    Fa1/0/12

This is really critical to note for both the SWITCH and TSHOOT exams, as it is a sneaky gotcha on exam day; do not be caught off guard by this configuration!

If a VLAN is shut down at Layer 2 instead of being Pruned, it disappears only from the “allowed and active in management domain” section and the STP section below it; the “allowed on trunk” section is unchanged:

Port        Vlans allowed on trunk
Fa1/0/1     10
Fa1/0/2     1-4094
Fa1/0/3     1-4094
Fa1/0/4     1-4094

Port        Vlans allowed and active in management domain
Fa1/0/1     10
Fa1/0/2     1,10
Fa1/0/3     1,10
Fa1/0/4     1,10

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/1     10
Fa1/0/2     1,10
Fa1/0/3     1,10
Fa1/0/4     1,10

This illustrates the final segment of the “sh int trunk” output to review!

Spanning-Tree Forwarding VLANs section of “sh int trunk”

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/1     10
Fa1/0/2     1,10,20
Fa1/0/3     1,10,20
Fa1/0/4     1,10,20

Note from the configured Topology that SW1 is the Root Bridge for SW1 and SW3: it is Forwarding on all VLANs on all Trunk interfaces (except Fa1/0/1, which is being manually Pruned). However, it can only be the Root Bridge for VLANs it knows about.

On SW1 the output makes sense, being the Root Bridge: all Trunks are FWD for all VLANs except those being Pruned. This makes an awful mess of the output on the remote switch, though, so I wanted to illustrate it and make sense of it.

SW3 “sh int trunk” output

SW3#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa1/0/1     on           802.1q         trunking      1
Fa1/0/2     on           802.1q         trunking      1
Fa1/0/3     on           802.1q         trunking      1
Fa1/0/4     on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/0/1     1-4094
Fa1/0/2     1-4094
Fa1/0/3     1-4094
Fa1/0/4     1-4094

Port        Vlans allowed and active in management domain
Fa1/0/1     1,30
Fa1/0/2     1,30
Fa1/0/3     1,30
Fa1/0/4     1,30

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/1     1,30
Fa1/0/2     1,30
Fa1/0/3     30
Fa1/0/4     30

Everything here seems pretty standard: VTP has not been configured, so SW3 only knows about Native VLAN 1 and VLAN 30, which is configured only on SW3. However, that bottom section is screaming “put me in exam question format!”

As mentioned above, the local switch will be the Root Bridge only for the VLANs it knows about, so it makes sense that VLAN 30 is FWD on all Trunk interfaces; however, it took me a bit to wrap my mind around why VLAN 1 was FWD on two interfaces.

This is an interesting and tricky scenario, because there are two switches with different VLANs configured, and the trunk ports are independent rather than a single logical interface like an EtherChannel.
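To make these four sections easier to audit, here is an added Python example (mine, not from the lab or from Cisco) that parses a “show interfaces trunk” capture and flags the gotchas this post describes: a native VLAN pruned from a trunk, VLANs allowed on a trunk that do not exist on the switch, and VLANs active on the switch but not in STP forwarding state. The sample capture is constructed, and the parser assumes the column layout shown in the outputs above (one port per line, no wrapped VLAN lists).

```python
ALL_VLANS = frozenset(range(1, 4095))
SECTIONS = ("native", "allowed", "active", "forwarding")
def parse_vlans(spec):
    """Expand an IOS VLAN list such as '1-4094' or '1,10,20' into a set."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out
def parse_show_trunk(text):
    """Each 'Port ...' header line starts the next of the four sections."""
    ports, section = {}, -1
    for fields in map(str.split, text.splitlines()):
        if fields and fields[0] == "Port":
            section += 1
        elif fields:
            entry = ports.setdefault(fields[0], {})
            if section == 0:
                entry["native"] = int(fields[-1])   # last column: Native vlan
            else:
                entry[SECTIONS[section]] = parse_vlans(fields[1])
    return ports
def audit_trunks(text):
    """Flag a pruned native VLAN, VLANs allowed but missing from vlan.dat,
    and VLANs active on the switch but not in STP forwarding state."""
    findings = []
    for port, e in sorted(parse_show_trunk(text).items()):
        if e["native"] not in e["allowed"]:
            findings.append(f"{port}: native VLAN {e['native']} pruned")
        if e["allowed"] != ALL_VLANS and (gone := e["allowed"] - e["active"]):
            findings.append(f"{port}: allowed but not active {sorted(gone)}")
        if blocked := e["active"] - e["forwarding"]:
            findings.append(f"{port}: active but not forwarding {sorted(blocked)}")
    return findings
# Constructed sample modelled on the outputs in this post (not a real capture).
SAMPLE = """\
Port        Mode   Encapsulation  Status    Native vlan
Fa1/0/1     on     802.1q         trunking  1
Fa1/0/2     on     802.1q         trunking  1
Port        Vlans allowed on trunk
Fa1/0/1     10,30
Fa1/0/2     1-4094
Port        Vlans allowed and active in management domain
Fa1/0/1     10
Fa1/0/2     1,10,20
Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/1     10
Fa1/0/2     10,20
"""
```

Running audit_trunks(SAMPLE) reports the pruned native VLAN and the non-existent VLAN 30 on Fa1/0/1, and VLAN 1 blocked by STP on Fa1/0/2.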

The current logical Topology of the lab at this point

(Image: SWITCH_LAB1_2)

Spanning-Tree output on SW3 for VLAN 1

SW3#sh span

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     1ce6.c7c1.c800
             Cost        19
             Port        4 (FastEthernet1/0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     5897.1eab.ce00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/1             Desg FWD 19        128.3    P2p
Fa1/0/2             Root FWD 19        128.4    P2p
Fa1/0/3             Altn BLK 19        128.5    P2p
Fa1/0/4             Altn BLK 19        128.6    P2p

Both switches know of VLAN 1, so they have agreed that SW1 is the Root Bridge for that VLAN; but because VLAN 1 is being Pruned on SW1's Fa1/0/1, SW3 puts its end of that link into FWD for VLAN 1.

This goes back to the STP concept that every STP port is either a Root port, a Designated port (FWD), or a non-designated port (BLK)!

SW1's side of the link is in a BLK mode for VLAN 1 because of the manual VLAN Pruning over the trunk, so SW3 puts the connected interface with the lowest Port Priority into Desg / FWD for VLAN 1 towards SW1, while still having a Root Port for that VLAN leading back to the Root Bridge.

This type of scenario just screams “question me on this for exam day”, so it's important to really understand what is happening here, and to lab it if you don't!

Configuration of EtherChannel with manual VLAN Pruning configured on SW1

SW1 configuration

SW1(config)#int ra fa1/0/1 - 4
SW1(config-if-range)#channel-group 13 mode desirable
Creating a port-channel interface Port-channel 13

SW1(config-if-range)#
*Mar 1 00:43:27.380: %EC-5-CANNOT_BUNDLE2: Fa1/0/2 is not compatible with Fa1/0/1 and will be suspended (vlan mask is different)
*Mar 1 00:43:27.430: %EC-5-CANNOT_BUNDLE2: Fa1/0/3 is not compatible with Fa1/0/1 and will be suspended (vlan mask is different)
*Mar 1 00:43:27.456: %EC-5-CANNOT_BUNDLE2: Fa1/0/4 is not compatible with Fa1/0/1 and will be suspended (vlan mask is different)

Big problem here: Fa1/0/1 is added to the Port-Channel group first, and all the other interfaces are suspended because their allowed VLAN lists do not match its pruned list!

SW3 Configuration

SW3(config)#int ra fa1/0/1 - 4
SW3(config-if-range)#channel-group 31 mode auto
Creating a port-channel interface Port-channel 31

All interfaces bounce Down and back Up normally as expected; no issues on this side.

SW1 “sh int trunk” output

SW1#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Po13        on           802.1q         trunking      1

Port        Vlans allowed on trunk
Po13        10

Port        Vlans allowed and active in management domain
Po13        10

Port        Vlans in spanning tree forwarding state and not pruned
Po13        10
SW1#

Verifying what is happening on the Port-Channel

SW1#sh int po13
Port-channel13 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 1ce6.c7c1.c803 (bia 1ce6.c7c1.c803)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, link type is auto, media type is unknown
  input flow-control is off, output flow-control is unsupported
  Members in this channel: Fa1/0/1
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of "show interface" counters never

In this scenario there is actually a Port-Channel containing only one active interface, because all of its other bundled links have been suspended.

“sh int trunk” on SW3

SW3#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa1/0/2     on           802.1q         trunking      1
Fa1/0/3     on           802.1q         trunking      1
Fa1/0/4     on           802.1q         trunking      1
Po31        on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa1/0/2     1-4094
Fa1/0/3     1-4094
Fa1/0/4     1-4094
Po31        1-4094

Port        Vlans allowed and active in management domain
Fa1/0/2     1,30
Fa1/0/3     1,30
Fa1/0/4     1,30
Po31        1,30

Port        Vlans in spanning tree forwarding state and not pruned
Fa1/0/2     1,30
Fa1/0/3     1,30
Fa1/0/4     1,30
Po31        1,30
SW3#

This side shows a similar picture, except that the links in this interface range were not put into a logically Down state, because there was no issue with their own Port-Channel configuration: it is the remote side of the links for Fa1/0/2 - 4 that is having issues, so they simply continue acting as independent Trunk interfaces!

The fix is tricky, because “switchport trunk allowed vlan all” on SW1's interface Fa1/0/1 will not resolve the issue:

SW1(config-if)#switchport trunk allowed vlan all
SW1(config-if)#
*Mar 1 01:07:32.838: %EC-5-CANNOT_BUNDLE2: Fa1/0/2 is not compatible with Po13 and will be suspended (vlan mask is different)
*Mar 1 01:07:32.838: %EC-5-CANNOT_BUNDLE2: Fa1/0/3 is not compatible with Po13 and will be suspended (vlan mask is different)
*Mar 1 01:07:32.838: %EC-5-CANNOT_BUNDLE2: Fa1/0/4 is not compatible with Po13 and will be suspended (vlan mask is different)
*Mar 1 01:07:32.838: %EC-5-CANNOT_BUNDLE2: Fa1/0/2 is not compatible with Po13 and will be suspended (vlan mask is different)
SW1(config-if)#

Instead, the fix will be configured on the Port-Channel interface itself:

SW1(config-if)#int po13
SW1(config-if)#switchport trunk allowed vlan all
SW1(config-if)#
*Mar 1 01:13:51.936: %EC-5-COMPATIBLE: Fa1/0/1 is compatible with port-channel members
*Mar 1 01:13:51.936: %EC-5-COMPATIBLE: Fa1/0/2 is compatible with port-channel members
*Mar 1 01:13:51.936: %EC-5-COMPATIBLE: Fa1/0/3 is compatible with port-channel members
*Mar 1 01:13:51.944: %EC-5-COMPATIBLE: Fa1/0/4 is compatible with port-channel members
SW1(config-if)#
*Mar 1 01:13:54.813: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
*Mar 1 01:13:54.863: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
*Mar 1 01:13:54.872: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/4, changed state to up
*Mar 1 01:13:55.686: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed state to up
SW1(config-if)#
*Mar 1 01:13:55.795: %LINK-3-UPDOWN: Interface Port-channel13, changed state to up
*Mar 1 01:13:56.801: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel13, changed state to up
SW1(config-if)#

To verify that this change has fixed the issue:

SW1(config-if)#do sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Po13        on           802.1q         trunking      1

Port        Vlans allowed on trunk
Po13        1-4094

Port        Vlans allowed and active in management domain
Po13        1,10,20

Port        Vlans in spanning tree forwarding state and not pruned
Po13        1,10,20
SW1(config-if)#

A good thing to review and remember for exam day: a configuration change made on the Port-Channel interface is applied to every link in the bundle!
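As an added example (mine, not the lab's or Cisco's code), here is a small Python model of the two behaviors this section turns on: the replace-versus-add semantics of “switchport trunk allowed vlan”, and the per-member “vlan mask” comparison behind the %EC-5-CANNOT_BUNDLE2 messages. The bundling rules are a simplification I assume for the model (the Po takes the first member's mask, and any member whose mask differs from the Po's is treated as suspended); replay_lab() walks through the same sequence as the lab above.

```python
ALL_VLANS = frozenset(range(1, 4095))

def parse_vlans(spec):
    """Expand an IOS VLAN list such as '1-4094' or '1,10,20' into a frozenset."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(out)

def allowed_vlan(current, args):
    """Apply one 'switchport trunk allowed vlan <args>' to the current set.
    A bare list replaces the whole set: '10' alone acts like 'none' then 'add 10'."""
    keyword, _, rest = args.partition(" ")
    ops = {"all": lambda: ALL_VLANS,
           "none": lambda: frozenset(),
           "except": lambda: ALL_VLANS - parse_vlans(rest),
           "add": lambda: current | parse_vlans(rest),
           "remove": lambda: current - parse_vlans(rest)}
    return ops[keyword]() if keyword in ops else parse_vlans(args)

# Simplified EtherChannel model (my assumption, not IOS code): the Po takes the
# first member's VLAN mask and any member whose mask differs is 'suspended'.
def channel_group(masks, po, members):
    masks[po] = masks[members[0]]
    return bundle_state(masks, po, members)
def configure(masks, port, args, members=()):
    """Apply the command to one port; on the Po it propagates to every member."""
    masks[port] = allowed_vlan(masks[port], args)
    for m in members:
        masks[m] = masks[port]
def bundle_state(masks, po, members):
    return {m: "bundled" if masks[m] == masks[po] else "suspended" for m in members}

def replay_lab():
    """Replay this lab's sequence and return the bundle state after each step."""
    members = ["Fa1/0/1", "Fa1/0/2", "Fa1/0/3", "Fa1/0/4"]
    masks = {p: ALL_VLANS for p in members}
    configure(masks, "Fa1/0/1", "10")                # the manual prune from earlier
    before = channel_group(masks, "Po13", members)   # Fa1/0/2-4: vlan mask differs
    configure(masks, "Fa1/0/1", "all")               # fix on the member: Po13 keeps 10
    member_fix = bundle_state(masks, "Po13", members)
    configure(masks, "Po13", "all", members)         # fix on the Po: propagates
    po_fix = bundle_state(masks, "Po13", members)
    return before, member_fix, po_fix

if __name__ == "__main__":
    for step, state in zip(("channel-group", "fix member", "fix Po"), replay_lab()):
        print(step, state)
```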

I will leave it there for this labbing review!

I'll be moving on to some switch redundancy methods such as VSS and StackWise next!
