Solved

Cisco VTP - vlan changes

Posted on 2014-10-29
503 Views
Last Modified: 2014-10-30
I had an issue where a new Cisco switch changed the vlans of other switches to vlan 1 (which was shut down) when plugged in.  I was going to use our management vlan to update the IOS and plugged into a trunk port from an access port with only the management vlan.
Details about the Cisco switch
Port 1 trunk
vlans with IP management
default route to the core
vtp transparent, no domain, no password

I plugged into an access port with the management vlan untagged (default) on an Extreme switch.  I saw a BPDU broadcast, a complaint about vlan mismatch, and then nodes started to drop.  
This only affected other switches that were Cisco by changing the channel-group port(s) vlan to default vlan 1 which is shut down.  When the switch was restarted it loaded the startup config and all was well.  
Basically I want to know what needs to be done so I don't repeat the adventure.
0
Question by:PostQ
16 Comments
 
LVL 2

Author Comment

by:PostQ
ID: 40411852
Would non negotiable setting help?
0
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40411857
If your switch allows it, do that:

SW-X(config)# set vtp mode off

or put it in vtp transparent mode
0
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40411859
Command / Purpose

Step 1: configure terminal
        Enter global configuration mode.

Step 2: vtp mode transparent
        Configure the switch for VTP transparent mode (disable VTP).

Step 3: end
        Return to privileged EXEC mode.

Step 4: show vtp status
        Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.

Step 5: copy running-config startup-config
        (Optional) Save the configuration in the startup configuration file.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_9_ea1/configuration/guide/scg/swvtp.html
0
 
LVL 2

Author Comment

by:PostQ
ID: 40411879
The switch is already in transparent mode (as were the switches that changed).
0
 
LVL 2

Author Comment

by:PostQ
ID: 40411898
In short, plugging my new switch (transparent vtp) into an Extreme switch access port with vlan 17 brought down the other Cisco switches by putting their trunks into vlan 1, which was shutdown.  Only affected Cisco (not Extreme switches) so it must be a broadcast or protocol that has the ability to change vlans.  My switch is not a vtp server. (Null vtp password and domain)
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40411923
The switch is already in transparent mode (as were the switches that changed).
If the switches were in transparent mode it is impossible for VTP to change the VLAN database.
In short, plugging my new switch (transparent vtp) into an Extreme switch access port with vlan 17 brought down the other Cisco switches by putting their trunks into vlan 1, which was shutdown.
This statement doesn't make any sense. What do you mean by "putting their trunks into vlan 1"? Are you saying that it changed the trunk ports to access ports?  Or do you mean that it removed all VLANs from the trunk except VLAN1?
Only affected Cisco (not Extreme switches) so it must be a broadcast or protocol that has the ability to change vlans.
There are only two protocols that can alter the VLAN database on Cisco switches: VTP and GVRP. VTP is enabled by default but you said the switches were in transparent mode so that's not it. GVRP is disabled by default (and I'm not even sure it's supported on current IOS switches) and would have to be specifically enabled. That said, GVRP will create VLANs but it doesn't delete them.
0
 
LVL 2

Author Comment

by:PostQ
ID: 40411960
VTP was set to transparent because I created a vlan with a value over 1024.  So to create that I had to set VTP.

The switches have two fiber ports that were channeled as group 1.  After all of the other 5 Cisco switches dropped off the network, the fiber ports were solid yellow and sh vlan had them in vlan 1.  That vlan was shutdown since we do not use it.
Other vlans were still on the switch and did not move.  It seems my switch had a vlan mismatch and maybe during negotiation the ports failed to vlan 1.  My new switch also had VTP disabled and revision 0. (no domain or password applied)  They are all the same switch type WS-C2960S-48LPD-L   C2960S-UNIVERSALK9-M Version 15.0(2)SE4.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40412063
It would help to see the config of the switches.
0
 
LVL 2

Author Comment

by:PostQ
ID: 40412120
I also looked at this but other than nonegotiate I do not believe we were serving any VTP with all switches in transparent.

http://cciepursuit.wordpress.com/2007/08/11/vtp-domain-mismatches-can-break-your-trunking/

Maybe for protection:

 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

I will look into getting the configs posted
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40412132
Other vlans were still on the switch and did not move
Okay, so this validates that VTP didn't do anything.
The switches have two fiber ports that were channeled as group 1.  After all of the other 5 Cisco switches dropped off the network, the fiber ports were solid yellow and sh vlan had them in vlan 1.  That vlan was shutdown since we do not use it.
This would indicate that the ports were configured to negotiate trunking and that stopped working.
In addition to seeing the configs for the switches, we would really need to see the topology.
0
 
LVL 2

Author Comment

by:PostQ
ID: 40412177
As I read more this seems like it is a possibility.

My switch sent out a BPDU before others went down.

If others have spanning-tree guard enabled then that may shut down the port channel.

It may have been orange instead of amber and that would indicate shutdown.

From what I understand if a trunk is not connected it does show up in the native vlan with the sh vlan.  (Vlan 1)

If blocked is the same as not connected then what I saw in sh vlan can be verified.
0
 
LVL 50

Accepted Solution

by: Don Johnston (earned 500 total points)
ID: 40412241
Correct.  If BPDU guard is enabled on a port and that port receives a BPDU (which it would if a switch is connected to it), then that port will go errdisable.   But only that port. Other ports will not be affected.
0
 
LVL 2

Author Comment

by:PostQ
ID: 40413136
I read not to turn it off per port because it could allow layer 2 storms (worse than layer 3 with TTL).

So I think I am lacking err disable timeout.  I had to manually tend to the switches even though I corrected the issue.

I will add a time out so it will auto enable the port and stay up if conditions are corrected.

Thanks
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40413149
No... BPDUguard is used with portfast.  Portfast should not be enabled on ports that will connect to switches.  BPDUguard is used to disable the port should a switch ever be connected to the port (either by accident or by an unauthorized connection).

Setting a timeout is not the correct fix for this.  The correct fix is not to use portfast (along with BPDUguard and/or BPDUfilter) on a port that connects to a switch.
0
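Pulling the thread's two fixes together (static, non-negotiated trunks from the earlier comment and portfast/BPDU guard kept off inter-switch ports from the comment above), here is an added IOS configuration example; it is not from any poster in this thread. The interface names, VLAN 999 as the unused native VLAN, and the allowed-VLAN list are assumptions; VLAN 17 is the management VLAN named in the question.

```text
! --- Before (risky): an uplink left to negotiate trunking (DTP) and carrying
! host-port protection. The first BPDU from a newly cabled switch err-disables
! the port; while no trunk is negotiated, "show vlan" lists the port in VLAN 1.
interface GigabitEthernet1/0/49
 description uplink (before)
 switchport mode dynamic desirable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- After (hardened): VTP cannot rewrite the VLAN database, uplinks are
! statically trunked, never negotiated, and carry no portfast/BPDU guard.
vtp mode transparent
!
interface range GigabitEthernet1/0/49 - 50
 description uplink to core (port-channel 1)
 switchport mode trunk
 ! unused native VLAN instead of VLAN 1 (assumed value)
 switchport trunk native vlan 999
 ! prune the trunk to the VLANs it actually needs (assumed list)
 switchport trunk allowed vlan 17,100-110
 switchport nonegotiate
 no spanning-tree portfast
 no spanning-tree bpduguard enable
 ! use "active" instead of "on" if the far end runs LACP
 channel-group 1 mode on
!
! --- Host-facing access ports: this is where portfast + BPDU guard belong.
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 17
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Checks after cabling a new switch:
!   show vtp status                       -> VTP Operating Mode: Transparent
!   show interfaces trunk                 -> uplinks listed, native VLAN 999
!   show interfaces status err-disabled   -> empty; an entry here means a BPDU
!                                            reached a guarded access port
!   show spanning-tree inconsistentports  -> empty when no guard has fired
```

An errdisable recovery timer would only re-enable a guarded port periodically; it does not change the fact that a switch is plugged into a port configured for a host.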
 
LVL 2

Author Comment

by:PostQ
ID: 40413157
I will look at the port details today and make sure we have trunks as suggested.  Thanks
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40413165
My previous comment has nothing to do with trunking.
0
