Solved

Cisco VTP - vlan changes

Posted on 2014-10-29
555 Views
Last Modified: 2014-10-30
I had an issue where a new Cisco switch changed the vlans of other switches to vlan 1 (which was shut down) when plugged in.  I was going to use our management vlan to update the IOS and plugged into a trunk port from an access port with only the management vlan.
Details about the Cisco switch
Port 1 trunk
vlans with IP management
default route to the core
vtp transparent, no domain, no password

I plugged into an access port with the management vlan untagged (default) on an Extreme switch.  I saw a BPDU broadcast, a complaint about vlan mismatch, and then nodes started to drop.
This only affected other switches that were Cisco by changing the channel-group port(s) vlan to default vlan 1 which is shut down.  When the switch was restarted it loaded the startup config and all was well.  
Basically I want  to know what needs to be done so I don't repeat the adventure.
0
Question by:PostQ
16 Comments
 
LVL 2

Author Comment

by:PostQ
ID: 40411852
Would non negotiable setting help?
0
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40411857
If your switch allows it, do this:

SW-X(config)# set vtp mode off

or put it in vtp transparent mode
0
 
LVL 14

Expert Comment

by:JAN PAKULA
ID: 40411859
Command and purpose for each step:

Step 1: configure terminal
        Enter global configuration mode.

Step 2: vtp mode transparent
        Configure the switch for VTP transparent mode (disable VTP).

Step 3: end
        Return to privileged EXEC mode.

Step 4: show vtp status
        Verify your entries in the VTP Operating Mode and the VTP Domain Name fields of the display.

Step 5: copy running-config startup-config
        (Optional) Save the configuration in the startup configuration file.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_9_ea1/configuration/guide/scg/swvtp.html
0
 
LVL 2

Author Comment

by:PostQ
ID: 40411879
The switch is already in transparent mode (as were the switches that changed).
0
 
LVL 2

Author Comment

by:PostQ
ID: 40411898
In short, plugging my new switch (transparent vtp) into an Extreme switch access port with vlan 17 brought down the other Cisco switches by putting their trunks into vlan 1, which was shutdown.  Only affected Cisco (not Extreme switches), so it must be a broadcast or protocol that has the ability to change vlans.  My switch is not a vtp server. (Null vtp password and domain)
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40411923
The switch is already in transparent mode (as were the switches that changed).
If the switches were in transparent mode it is impossible for VTP to change the VLAN database.
In short, plugging my new switch (transparent vtp) into an Extreme switch access port with vlan 17 brought down the other Cisco switches by putting their trunks into vlan 1, which was shutdown.
This statement doesn't make any sense. What do you mean by "putting their trunks into vlan 1"? Are you saying that it changed the trunk ports to access ports?  Or do you mean that it removed all VLANs from the trunk except VLAN1?
Only affected Cisco (not Extreme switches), so it must be a broadcast or protocol that has the ability to change vlans.
There are only two protocols that can alter the VLAN database on Cisco switches: VTP and GVRP. VTP is enabled by default but you said the switches were in transparent mode so that's not it. GVRP is disabled by default (and I'm not even sure it's supported on current IOS switches) and would have to be specifically enabled. That said, GVRP will create VLANs but it doesn't delete them.
0
 
LVL 2

Author Comment

by:PostQ
ID: 40411960
VTP was set to transparent because I created a vlan with a value over 1024.  So to create that I had to set VTP.

The switches have two fiber ports that were channeled as group 1.  After all of the other 5 Cisco switches dropped off the network, the fiber ports were solid yellow and sh vlan had them in vlan 1.  That vlan was shutdown since we do not use it.
Other vlans were still on the switch and did not move.  It seems my switch had a vlan mismatch and maybe during negotiation the ports failed to vlan 1.  My new switch also had VTP disabled and revision 0. (no domain or password applied)  They are all the same switch type WS-C2960S-48LPD-L   C2960S-UNIVERSALK9-M Version 15.0(2)SE4
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40412063
It would help to see the config of the switches.
0
 
LVL 2

Author Comment

by:PostQ
ID: 40412120
I also looked at this but other than nonegotiate I do not believe we were serving any VTP with all switches in transparent.

http://cciepursuit.wordpress.com/2007/08/11/vtp-domain-mismatches-can-break-your-trunking/

Maybe for protection:

 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

I will look into getting the configs posted
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40412132
Other vlans were still on the switch and did not move
Okay, so this validates that VTP didn't do anything.
The switches have two fiber ports that were channeled as group 1.  After all of the other 5 Cisco switches dropped off the network, the fiber ports were solid yellow and sh vlan had them in vlan 1.  That vlan was shutdown since we do not use it.
This would indicate that the ports were configured to negotiate trunking and that stopped working.
In addition to seeing the configs for the switches, we would really need to see the topology.
0
 
LVL 2

Author Comment

by:PostQ
ID: 40412177
As I read more this seems like it is a possibility.

My switch sent out a BPDU before others went down.

If others have spanning-tree guard enabled then that may shut down the port channel.

It may have been orange instead of amber and that would indicate shutdown.

From what I understand if a trunk is not connected it does show up in the native vlan with the sh vlan.  (Vlan 1)

If blocked is the same as not connected then what I saw in sh vlan can be verified.
0
 
LVL 50

Accepted Solution

by: Don Johnston (earned 2000 total points)
ID: 40412241
Correct.  If BPDU guard is enabled on a port and that port receives a BPDU (which it would if a switch is connected to it), then that port will go errdisable.   But only that port. Other ports will not be affected.
0
 
LVL 2

Author Comment

by:PostQ
ID: 40413136
I read not to turn it off per port because it could allow layer 2 storms (worse than layer 3 with TTL).

So I think I am lacking err disable timeout.  I had to manually tend to the switches even though I corrected the issue.

I will add a time out so it will auto enable the port and stay up if conditions are corrected.

Thanks
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40413149
No... BPDUguard is used with portfast.  Portfast should not be enabled on ports that will connect to switches.  BPDUguard is used to disable the port should a switch ever be connected to the port (either by accident or by an unauthorized connection).

Setting a timeout is not the correct fix for this.  The correct fix is not to use portfast (along with BPDUguard and/or BPDUfilter) on a port that connects to a switch.
0
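The port-role split Don describes (portfast and BPDU guard only on host-facing ports, static trunks with DTP disabled on switch-facing ports), written out as an added example that is not configuration from this thread or from Cisco's documentation. Interface numbers, the extra allowed VLANs and the native VLAN 999 are assumptions; VLAN 17 and port-channel 1 come from the thread.

```cisco
! Added example, not from the thread. Interface numbers, VLANs 20/30 and the
! native VLAN 999 are assumptions; VLAN 17 and channel-group 1 are from the thread.
!
! --- Host-facing access port: the only place portfast + BPDU guard belong ---
interface GigabitEthernet1/0/5
 description host-facing access port (management VLAN)
 switchport mode access
 switchport access vlan 17
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Switch-facing fiber uplinks (members of port-channel 1) ---
! Static trunk: no DTP negotiation, no portfast, no BPDU guard. A BPDU from the
! neighbour is expected here, so it must never err-disable the port.
interface range GigabitEthernet1/0/49 - 50
 description fiber uplinks, channel-group 1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 17,20,30
 switchport nonegotiate
 no spanning-tree portfast
 spanning-tree bpduguard disable
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 17,20,30
 switchport nonegotiate
!
! --- Optional safety net, not a substitute for the port roles above ---
! Brings a bpduguard err-disabled edge port back after 5 minutes instead of
! requiring a manual shut/no shut on every affected switch.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Verification (privileged EXEC) ---
! show interfaces status err-disabled   : any port and the reason (e.g. bpduguard)
! show interfaces trunk                 : uplinks must list as trunking, not access
! show spanning-tree interface Gi1/0/49 detail : portfast/bpduguard must be off
! show vtp status                       : mode transparent, as on the other switches
```

A trunk port that has stopped trunking or gone err-disabled is listed under its native VLAN (VLAN 1 by default) in show vlan, which is the symptom the thread first attributed to VTP; the err-disabled view above shows the real cause.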
 
LVL 2

Author Comment

by:PostQ
ID: 40413157
I will look at the port details today and make sure we have trunks as suggested.  Thanks
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 40413165
My previous comment has nothing to do with trunking.
0
