
STP blocking VLAN communication on Cisco Catalyst 2950 switch

Hi All,

I'm currently trying to configure VLANs across some Cisco switches however the inter-switch communication appears to be getting blocked by STP.

I've broken the network topology down to its most basic level, working with the gateway server, two switches and two client devices.

In our network topology, all clients exist on the same VLAN but are prevented from inter-client communication by wireless client isolation and switchport protection.

Bridges between sites (forming the trunks between switches) are managed on a separate VLAN to switch management.


Attached is an image of the network topology as it currently stands.  This is working with non-cisco switches with no STP.

I'm wanting to change to Cisco switches and have STP enabled so that I can put in place redundant links between second and third level switches.


When I use only one switch in the lab environment I can communicate with a client and their request is trunked and vlan tagged properly to the gateway.  

With the second level switch disconnected, I can communicate with the bridging devices that connect the core switch to the second level switch but as soon as the second level switch is connected, the core switch blocks the port.


Both ports connecting the two switches are configured exactly the same with the same Native VLAN tag (1701), but still no success.


I'm running out of ideas to try, I'm certain it's something simple but can't seem to find it.

Thanks
Anubis.
Attachments: Network-Diagram.jpg, Level-1-Switch-Config.txt, Level-2-Switch-Config.txt
Craig BeckCommented:
First, I would turn off storm-control on your trunk ports.  Minimise what you're looking at so it's easier to troubleshoot.

Second, what bridges are you using to link the sites?
Anubis2005Author Commented:
Hi Craigbeck,

Thanks for the reply.

Even with stormcontrol disabled on the trunk ports this doesn't make a difference.

With regards to the bridges, these are ethernet based microwave bridging devices (non-cisco).  They simply act as simple bridge devices passing data entering one side of the bridge to the other and do not participate (or interact with) STP in any way.

Thanks
Anubis.
pwindellCommented:
If you have less than 200 Hosts wipe out all the VLANs and forget it.

If you have more than 200 Hosts create one Layer3 IP Segment per every 200 Hosts and allow the Core Switch to operate as a Layer3 Router (assuming it is capable).  Looking at the 2nd Level you appear to have three distinct branches; you could easily make each one of those a Layer3 IP Segment which would give you a host capacity of just over 750.

If I came into your place the first thing I would want to do is reset every switch back to factory defaults, and if there were more than 200 Hosts, possibly create two additional VLANs on the Core Switch (Default VLAN, VLAN2, VLAN3) and run 3 IP Segments.  All the other switches would have no VLANs configured; they would just be VLAN "agnostic".  The VLANs on the Core Switch would be tied to the Backbone Cable leaving the Core Switch and anything physically plugged into a particular cable would just naturally and agnostically be part of that particular VLAN.
pwindellCommented:
I realize my suggestion is drastically different than what you are trying to do, and I make no real attempt to consider the physical geographical layout of the facility or facilities.  I cannot say anything about redundant links simply due to that.  So I cannot comment on anything I have no information about.
Craig BeckCommented:
Can you remove the switchport protected command from each of your trunk links and see how that affects things?
rfc1180Commented:
craigbeck has a great solution; this is more than likely your issue. Per Cisco:

"A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2"

Removing the protected command from the trunk will get you what you need.

Billy
Anubis2005Author Commented:
Hi All,

Thanks for your comments.

@pwindell:
Unfortunately the image which I made up to represent the network isn't really the best diagram.  Yes, there are well over 200 hosts and the network spans a city (and will be expanding further).  There is reasoning for this particular network topology as no 'client' should be allowed to see any other 'client' without passing through the gateway; this is enforced with VLANing and switchport protection.

What isn't shown is a number of 'franchisee' endpoints where their network runs on top of ours in a separate VLAN re-branding our service as theirs.

Switch and bridge management is placed in separate VLAN's to provide blocking (denial of access further down the chain) to prevent points of attack.  If it was all done with IP segments, simply changing the IP address that one was connecting with would potentially allow them to administer other points of the network.

Currently this topology runs fine and achieves all the points we desire; except, it's not currently running on Cisco brand switches and there is no STP operating, this is what I'm trying to change.


@craigbeck & rfc1180
Thanks for the comment, I had already tried this and did try again (just to be sure) but it unfortunately makes no difference.


When running "sh span incon" I get reports of "Port VLAN ID Mismatch" on almost every VLAN.  This is obviously the problem but according to the configuration of the trunk ports (0/13 on 1 and 0/24 on the other) their native VLAN IDs match.  Looking up Cisco's document on 'Theory behind PVID and Type inconsistencies' doesn't help much in the way of explaining how to rectify it.


Thanks
Anubis.
pwindellCommented:
Ok, fair enough.
I disagree with the necessity of the design and disagree that a Layer3 design (done properly) would present the risks you say, but I accept that there are many more factors to this than the diagram shows.
rfc1180Commented:
"Port VLAN ID Mismatch" This was my original thought, but based on your network diagram and the configs, I thought it might not be an issue; and I can understand your frustration. If there is more to the diagram than what you actually have running, this is very important to lay down on the table, the more information we have the better we can assist!

The only recommendation that I can make that should resolve your issue is that when adding Cisco PVST+ switches to standards based switches (if you have any; HP, etc)  or to any other Cisco based switch, make sure that all switches are connected using dot1q trunks and have consistent native vlan configurations end to end. How you have the native vlan setup between the trunks is not best practice and can cause the issues you are experiencing.

Billy
Anubis2005Author Commented:
Hi rfc1180,

Thanks for the reply.  

On the diagram I only omitted repeated nodes and/or parts which are reasonably identical to the basic operation, once the basic level of the network is operational the rest would function in the same manner.

With regards to the native VLAN, this I did change and it was configured identically on both ends.

Yesterday I defaulted both switches that I was testing with and connected them together Fe0/13 to Fe0/24 using the default switch settings.  This worked as expected.  As soon as I added one additional VLAN (VTP Transparent Mode) the same problems started occurring.

I've included below the results and configs of this test so that you can see what's happening (from a default switch with no port isolation).  As you can see, the moment that I added the one additional VLAN it started having problems.  Also keep in mind that there is currently only '1' physical link between the two switches.

Thanks
Anubis.
BEFORE ADDING ADDITIONAL VLAN:



Switch 1:

Switch#sh sp s
Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          3          3
---------------------- -------- --------- -------- ---------- ----------
1 vlan                       0         0        0          3          3



Switch 2:

Switch#sh sp s
Switch is in pvst mode
Root bridge for: VLAN0001
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          2          2
---------------------- -------- --------- -------- ---------- ----------
1 vlan                       0         0        0          2          2




ADDING VLAN 1500 (Clients) TO A SWITCH:


Got this error (on Switch 2) while adding the VLAN to Switch 1:

00:04:28: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1500 on FastEthernet0/24 VLAN1.
00:04:28: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/24 on VLAN0001. Inconsistent local vlan.
00:04:46: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/24 on VLAN1500. Inconsistent peer vlan.




AFTER ADDING ADDITIONAL VLAN:


Switch 1:

Switch#sh sp s
Switch is in pvst mode
Root bridge for: VLAN0001, VLAN1500
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          3          3
VLAN1500                     0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
2 vlans                      0         0        0          4          4



Switch 2:

Switch#sh sp s
Switch is in pvst mode
Root bridge for: VLAN0001, VLAN1500
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     1         0        0          1          2
VLAN1500                     1         0        0          0          1
---------------------- -------- --------- -------- ---------- ----------
2 vlans                      2         0        0          1          3




SETTING SWITCH 1 TO ROOT PRIMARY AND RELOADING BOTH SWITCHES PRODUCED THIS OUTPUT:


Switch 1:

00:00:16: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:19: %SYS-5-CONFIG_I: Configured from memory by console
00:00:19: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA14, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by cisco Systems, Inc.
Compiled Tue 26-Oct-10 10:35 by nburra
00:00:19: %SNMP-5-COLDSTART: SNMP agent on host Switch is undergoing a cold start
00:00:19: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
00:00:23: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:00:23: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
00:00:23: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
00:00:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
00:00:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up
00:00:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
00:00:26: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1500 on FastEthernet0/13 VLAN1.
00:00:26: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/13 on VLAN1500. Inconsistent peer vlan.
00:00:26: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/13 on VLAN0001. Inconsistent local vlan.
Switch>en  
Switch#sh sp s
Switch is in pvst mode
Root bridge for: VLAN0001, VLAN1500
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     1         0        0          2          3
VLAN1500                     1         0        0          0          1
---------------------- -------- --------- -------- ---------- ----------
2 vlans                      2         0        0          2          4
Switch#sh sp vl 1500

VLAN1500
  Spanning tree enabled protocol ieee
  Root ID    Priority    26076
             Address     0013.190b.db80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    26076  (priority 24576 sys-id-ext 1500)
             Address     0013.190b.db80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/13           Desg BKN*19        128.13   P2p *PVID_Inc




Switch 2:

00:00:15: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled for type vlan
00:00:17: %SYS-5-CONFIG_I: Configured from memory by console
00:00:17: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA14, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by cisco Systems, Inc.
Compiled Tue 26-Oct-10 10:35 by nburra
00:00:17: %SNMP-5-COLDSTART: SNMP agent on host Switch is undergoing a cold start
00:00:18: %LINK-5-CHANGED: Interface Vlan1, changed state to administratively down
00:00:21: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:00:21: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
00:00:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
00:00:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
Switch>en
Switch#sh sp s
Switch is in pvst mode
Root bridge for: VLAN0001, VLAN1500
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          2          2
VLAN1500                     0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
2 vlans                      0         0        0          3          3
Switch#sh sp vl 1500

VLAN1500
  Spanning tree enabled protocol ieee
  Root ID    Priority    34268
             Address     000c.ce45.a540
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    34268  (priority 32768 sys-id-ext 1500)
             Address     000c.ce45.a540
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/24           Desg FWD 19        128.24   P2p




CONFIGS OF SWITCHES:


Switch 1:

!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
vtp domain LabTest
vtp mode transparent
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 24576
!
!
!
!
vlan 1500
 name Clients
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!        
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
 switchport mode trunk
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!        
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
ip http server
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
end




Switch 2:

!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
vtp domain LabTest
vtp mode transparent
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!        
!
!
vlan 1500
 name Clients
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!        
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
ip http server
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
end




Craig BeckCommented:
Try configuring the native VLAN on the trunk port on each switch as follows:

switchport trunk native vlan 1500

See what happens...
rfc1180Commented:
I believe you are running into a bug based on what you have described thus far; the native vlan by default is vlan1 (still the case when the vlan 1 interface is admin down); you have not remapped the native vlan, so this should not be occurring. Are you running the same version of code on all switches?

Additionally, are the trunks active?

show int trunk
Anubis2005Author Commented:
Hi All,

"I believe you are running into a bug"... This is what I'm starting to think.

I'm running the same version of IOS on both switches:

Switch1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6K2L2Q4-M), Version 12.1(22)EA14, RELEASE SOFTWARE (fc1)

I've managed to get around the issue in the mean time by using MSTP which seems to be working fine so far.


The trunks are active but being blocked by STP.


It does seem odd.  I've even confirmed the issue with some other cisco tech and they too are puzzled.  They also tell me it's configured correctly.

So, for the time being, I'll just have to stick to MSTP and see how it goes.


Thanks all for your help.
Anubis.
Anubis2005Author Commented:
Hi All,

Solved the issue with PVST.

It was a bug, but not with Cisco!

The microwave equipment I was using in the lab to test as bridges between the sites was for some reason working perfectly talking and passing some data, but having a heart attack with STP.

I've changed the bridge equipment to, first, a patch cable and it all functioned as expected (including using my original configs with switchport protection), and then testing with a different (better) brand of microwave linkage gear, it continued to work as expected!

Thanks very much to all who have helped; just another one of those lessons that if it 'appears' to work, doesn't necessarily mean that it 'is' working properly!

Thanks
Anubis.
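Editor's note: the log lines the author posted ("Received BPDU with inconsistent peer vlan id 1500 on FastEthernet0/24 VLAN1") and the resolution above (a bridge that passed data but mishandled STP) both come down to one PVST+ rule: every PVST+ BPDU carries a PVID TLV naming the VLAN it was generated for, and the receiving port compares that TLV with the VLAN the BPDU actually arrived on (the 802.1Q tag, or the port's native VLAN if untagged). A mismatch puts the port into PVID_Inc on both VLANs. The following Python is an added example, not code from the thread or from Cisco, that builds PVST+ BPDUs the way a Catalyst sends them, applies that check, and models one hypothetical way an intermediate bridge can cause the error (forwarding the frame but dropping its 802.1Q tag; the thread has no captures, so this is an assumption, not a statement about the author's microwave gear). It also parses the %SPANTREE-2-RECV_PVID_ERR syslog line from the post. The frame layout (PVST+ multicast 01:00:0c:cc:cc:cd, SNAP OUI 00:00:0c PID 0x010b, 35-byte config BPDU, then a type 0x0000 / length 2 PVID TLV) is as documented for PVST+; the MAC addresses are the ones in the author's output.

```python
"""PVST+ PVID consistency check over constructed BPDU frames (added example)."""
import re
import struct

PVST_DST = bytes.fromhex("01000ccccccd")                      # Cisco PVST+ multicast
SNAP_HDR = bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + b"\x01\x0b"
BPDU_LEN = 35                                                  # 802.1D config BPDU
PVID_TLV_TYPE = 0x0000                                         # PVST+ "originating VLAN" TLV


def build_pvst_bpdu(vlan, bridge_mac, priority=32768, tagged=True,
                    src_mac=bytes.fromhex("000cce45a540")):
    """Build a config BPDU as a Catalyst sends it for one VLAN.

    Non-native VLANs go out 802.1Q-tagged; the native VLAN goes out untagged.
    With extended system ID the bridge priority field is priority + VLAN,
    which is why the post shows "Priority 34268 (priority 32768 sys-id-ext 1500)".
    """
    bridge_id = struct.pack("!H", priority + vlan) + bridge_mac
    bpdu = struct.pack("!HBBB", 0, 0, 0, 0)          # protocol id, version, type=config, flags
    bpdu += bridge_id                                # root id (this bridge claims root)
    bpdu += struct.pack("!I", 0)                     # root path cost
    bpdu += bridge_id                                # bridge id
    bpdu += struct.pack("!HHHHH", 0x8018,            # port id 128.24
                        0, 20 * 256, 2 * 256, 15 * 256)  # msg age, max age, hello, fwd (1/256 s)
    assert len(bpdu) == BPDU_LEN
    tlv = struct.pack("!HHH", PVID_TLV_TYPE, 2, vlan)
    payload = SNAP_HDR + bpdu + tlv
    frame = PVST_DST + src_mac
    if tagged:
        frame += struct.pack("!HH", 0x8100, vlan)    # TCI with PCP=0, DEI=0, VID=vlan
    return frame + struct.pack("!H", len(payload)) + payload


def parse_pvst_bpdu(frame, native_vlan):
    """Return arrival VLAN, PVID TLV value and sending bridge ID fields."""
    if frame[:6] != PVST_DST:
        raise ValueError("not a PVST+ BPDU")
    off = 12
    if frame[off:off + 2] == b"\x81\x00":
        arrival_vlan = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
    else:
        arrival_vlan = native_vlan                   # untagged: belongs to the port's native VLAN
    off += 2                                         # 802.3 length field
    if frame[off:off + 8] != SNAP_HDR:
        raise ValueError("not a PVST+ SNAP header")
    off += 8
    bpdu = frame[off:off + BPDU_LEN]
    bridge_prio = struct.unpack("!H", bpdu[17:19])[0]
    bridge_mac = bpdu[19:25]
    ttype, tlen, pvid = struct.unpack("!HHH", frame[off + BPDU_LEN:off + BPDU_LEN + 6])
    if ttype != PVID_TLV_TYPE or tlen != 2:
        raise ValueError("missing PVID TLV")
    return {"arrival_vlan": arrival_vlan, "pvid": pvid,
            "bridge_priority": bridge_prio, "bridge_mac": bridge_mac}


def check_pvid(frame, native_vlan):
    """The rule behind %SPANTREE-2-RECV_PVID_ERR / BLOCK_PVID_LOCAL / BLOCK_PVID_PEER.

    The PVID TLV must equal the VLAN the BPDU arrived on. If not, the port is
    blocked (PVID_Inc) on the local VLAN (arrival) and on the peer VLAN (TLV).
    """
    p = parse_pvst_bpdu(frame, native_vlan)
    if p["arrival_vlan"] == p["pvid"]:
        return {"consistent": True, "vlan": p["pvid"]}
    return {"consistent": False, "local_vlan": p["arrival_vlan"], "peer_vlan": p["pvid"]}


def strip_dot1q(frame):
    """Hypothetical misbehaving bridge: forwards the BPDU but drops its 802.1Q tag.

    Assumption for illustration only; the thread contains no capture of the
    microwave link. Data traffic would still "work" through such a bridge.
    """
    if frame[12:14] == b"\x81\x00":
        return frame[:12] + frame[16:]
    return frame


PVID_ERR = re.compile(r"%SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent "
                      r"peer vlan id (\d+) on (\S+) VLAN(\d+)")


def parse_pvid_err(line):
    """Extract port, local VLAN and peer VLAN from the IOS syslog line, or None."""
    m = PVID_ERR.search(line)
    if not m:
        return None
    return {"peer_vlan": int(m.group(1)), "port": m.group(2), "local_vlan": int(m.group(3))}


if __name__ == "__main__":
    sw2_mac = bytes.fromhex("000cce45a540")          # Switch 2's bridge MAC from the post
    good = build_pvst_bpdu(1500, sw2_mac)            # tagged VLAN 1500 BPDU, as sent
    print("direct link:", check_pvid(good, native_vlan=1))
    print("tag-stripping bridge:", check_pvid(strip_dot1q(good), native_vlan=1))
    # Constructed copy of the syslog line from the post:
    print(parse_pvid_err("00:04:28: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with "
                         "inconsistent peer vlan id 1500 on FastEthernet0/24 VLAN1."))
```

The second print reproduces the post's symptom exactly: a BPDU generated for VLAN 1500 that arrives untagged is attributed to VLAN 1 (the native VLAN on both trunks), its TLV still says 1500, and PVST+ blocks the port on both VLANs. A patch cable between the switches, which is what finally worked in the thread, never alters the tag, which is why the same configuration was fine with it. The general check this example makes is worth running against a capture from any non-Cisco device placed inside a PVST+ trunk: data passing through is not evidence that tagged control frames do.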
Anubis2005Author Commented:
Problem was resolved, not with the device in question but another part of it.