Solved

Cisco VTP - vlan changes

Posted on 2014-10-29
Last Modified: 2014-10-30
I had an issue where a new Cisco switch changed the vlans of other switches to vlan 1 (which was shut down) when plugged in. I was going to use our management vlan to update the IOS and plugged into a trunk port from an access port with only the management vlan.
Details about the Cisco switch
Port 1 trunk
vlans with IP management
default route to the core
vtp transparent, no domain, no password

I plugged into an access port with the management vlan untagged (default) on an Extreme switch. I saw a BPDU broadcast, a complaint about vlan mismatch, and then nodes started to drop.
This only affected other switches that were Cisco by changing the channel-group port(s) vlan to default vlan 1 which is shut down. When the switch was restarted it loaded the startup config and all was well.
Basically I want to know what needs to be done so I don't repeat the adventure.
0
Question by:PostQ
16 Comments
 
LVL 2

Author Comment

by:PostQ
ID: 40411852
Would non negotiable setting help?
0
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40411857
if your switch allows do that

SW-X(config)# set vtp mode off

or put it in vtp transparent mode
0
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40411859
Command / Purpose

Step 1: configure terminal
    Enter global configuration mode.

Step 2: vtp mode transparent
    Configure the switch for VTP transparent mode (disable VTP).

Step 3: end
    Return to privileged EXEC mode.

Step 4: show vtp status
    Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.

Step 5: copy running-config startup-config
    (Optional) Save the configuration in the startup configuration file.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_9_ea1/configuration/guide/scg/swvtp.html
0
 
LVL 2

Author Comment

by:PostQ
ID: 40411879
The switch is already in transparent mode (as were the switches that changed).
0
 
LVL 2

Author Comment

by:PostQ
ID: 40411898
In short, plugging my new switch (transparent vtp) into an Extreme switch access port with vlan 17 brought down the other Cisco switches by putting their trunks into vlan 1 which was shutdown. It only affected Cisco (not Extreme switches), so it must be a broadcast or protocol that has the ability to change vlans. My switch is not a vtp server. (Null vtp password and domain)
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40411923
The switch is already in transparent mode (as were the switches that changed).
If the switches were in transparent mode it is impossible for VTP to change the VLAN database.
In short, plugging my new switch (transparent vtp) into an Extreme switch access port with vlan 17 brought down the other Cisco switches by putting their trunks into vlan 1 which was shutdown.
This statement doesn't make any sense. What do you mean by "putting their trunks into vlan 1"? Are you saying that it changed the trunk ports to access ports?  Or do you mean that it removed all VLANs from the trunk except VLAN1?
It only affected Cisco (not Extreme switches), so it must be a broadcast or protocol that has the ability to change vlans.
There are only two protocols that can alter the VLAN database on Cisco switches: VTP and GVRP. VTP is enabled by default but you said the switches were in transparent mode so that's not it. GVRP is disabled by default (and I'm not even sure it's supported on current IOS switches) and would have to be specifically enabled. That said, GVRP will create VLANs but it doesn't delete them.
0
 
LVL 2

Author Comment

by:PostQ
ID: 40411960
VTP was set to transparent because I created a vlan with a value over 1024.  So to create that I had to set VTP.

The switches have two fiber ports that were channeled as group 1. After all of the other 5 Cisco switches dropped off the network, the fiber ports were solid yellow and sh vlan had them in vlan 1. That vlan was shutdown since we do not use it.
Other vlans were still on the switch and did not move. It seems my switch had a vlan mismatch and maybe during negotiation the ports failed to vlan 1. My new switch also had VTP disabled and revision 0. (no domain or password applied) They are all the same switch type WS-C2960S-48LPD-L C2960S-UNIVERSALK9-M Version 15.0(2)SE4.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40412063
It would help to see the config of the switches.
0
 
LVL 2

Author Comment

by:PostQ
ID: 40412120
I also looked at this but other than nonegotiate I do not believe we were serving any VTP with all switches in transparent.

http://cciepursuit.wordpress.com/2007/08/11/vtp-domain-mismatches-can-break-your-trunking/

Maybe for protection:

 switchport trunk encapsulation 802.1Q
 switchport mode trunk
 switchport nonegotiate

I will look into getting the configs posted
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40412132
Other vlans were still on the switch and did not move
Okay, so this validates that VTP didn't do anything.
The switches have two fiber ports that were channeled as group 1. After all of the other 5 Cisco switches dropped off the network, the fiber ports were solid yellow and sh vlan had them in vlan 1. That vlan was shutdown since we do not use it.
This would indicate that the ports were configured to negotiate trunking and that stopped working.
In addition to seeing the configs for the switches, we would really need to see the topology.
0
 
LVL 2

Author Comment

by:PostQ
ID: 40412177
As I read more this seems like it is a possibility.

My switch sent out a BPDU before others went down.

If others have spanning-tree guard enabled then that may shut down the port channel.

It may have been orange instead of amber and that would indicate shutdown.

From what I understand if a trunk is not connected it does show up in the native vlan with the sh vlan.  (Vlan 1)

If blocked is the same as not connected then what I saw in sh vlan can be verified.
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 40412241
Correct.  If BPDU guard is enabled on a port and that port receives a BPDU (which it would if a switch is connected to it), then that port will go errdisable.   But only that port. Other ports will not be affected.
0
 
LVL 2

Author Comment

by:PostQ
ID: 40413136
I read not to turn it off per port because it could allow layer 2 storms (worse than layer 3 with TTL).

So I think I am lacking err disable timeout.  I had to manually tend to the switches even though I corrected the issue.

I will add a time out so it will auto enable the port and stay up if conditions are corrected.

Thanks
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40413149
No... BPDUguard is used with portfast.  Portfast should not be enabled on ports that will connect to switches.  BPDUguard is used to disable the port should a switch ever be connected to the port (either by accident or by an unauthorized connection).

Setting a timeout is not the correct fix for this. The correct fix is not to use portfast (along with BPDUguard and/or BPDUfilter) on a port that connects to a switch.
0
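As an added check that is not part of this thread or of any Cisco tool, the following Python script audits a running-config excerpt for the two points raised above: trunk ports that still rely on DTP negotiation (the "switchport nonegotiate" suggestion) and portfast/BPDU guard left on a switch-facing trunk, plus whether VTP is in transparent or off mode. The sample config and its interface names are constructed for the example.

```python
import re
# Constructed sample running-config excerpt (hypothetical interface names, not from the thread)
SAMPLE_CONFIG = """\
vtp mode transparent
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
"""

def parse_interfaces(config):
    """Map each interface name to its indented config lines (stripped)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def audit(config):
    """Return findings: VTP mode plus per-trunk checks for DTP and portfast/BPDU guard."""
    findings = []
    if not re.search(r"^vtp mode (transparent|off)$", config, re.M):
        findings.append("global: VTP is not in transparent/off mode")
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue  # access ports: portfast + bpduguard are expected there
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: trunk still negotiates via DTP (add 'switchport nonegotiate')")
        if any(l.startswith("spanning-tree portfast") for l in lines):
            findings.append(f"{name}: portfast on a switch-facing trunk")
        if "spanning-tree bpduguard enable" in lines:
            findings.append(f"{name}: bpduguard on a trunk; a peer BPDU will errdisable it")
    return findings
```

Running audit(SAMPLE_CONFIG) reports only GigabitEthernet1/0/2, the trunk that negotiates and carries portfast and bpduguard; the access port keeps those settings without a finding.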
 
LVL 2

Author Comment

by:PostQ
ID: 40413157
I will look at the port details today and make sure we have trunks as suggested.  Thanks
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40413165
My previous comment has nothing to do with trunking.
0
