Tuesday 19 May 2015

Troubleshooting VTP (Cont.)

All Ports Inactive After Power Cycle

Switch ports move to the inactive state when they are members of VLANs that do not exist in the VLAN database. A common issue is that all the ports move to this inactive state after a power cycle. Generally, you see this when the switch is configured as a VTP client with the uplink trunk port on a VLAN other than VLAN 1. Because the switch is in VTP client mode, when the switch resets, it loses its VLAN database and causes the uplink port and any other ports that were not members of VLAN 1 to go into inactive mode.
Complete these steps in order to solve this problem:
  1. Temporarily change the VTP mode to transparent.
    switch (enable) set vtp mode transparent
    VTP domain austinlab modified
    switch (enable)
  2. Add the VLAN to which the uplink port is assigned to the VLAN database.
    Note: This example assumes that VLAN 3 is the VLAN that is assigned to the uplink port.
    switch (enable) set vlan 3
    VTP advertisements transmitting temporarily stopped,
    and will resume after the command finishes.
    switch (enable)
    Vlan 3 configuration successful
  3. Change the VTP mode back to client after the uplink port begins forwarding.
    switch (enable) set vtp mode client
    VTP domain austinlab modified
After you complete these steps, VTP should re-populate the VLAN database from the VTP server. The re-population moves all ports that were members of VLANs that the VTP server advertised back into the active state.

Trunk Down, which Causes VTP Problems

Remember that VTP packets are carried on VLAN 1, but only on trunks (ISL, dot1q, or LAN emulation [LANE]).
If you make VLAN changes during a time when you have a trunk down or when LANE connectivity is down between two parts of your network, you can lose your VLAN configuration. When the trunk connectivity is restored, the two sides of the network resynchronize. Therefore, the switch with the highest configuration revision number erases the VLAN configuration of the lowest configuration revision switch.

VTP and STP (Logical Spanning Tree Port)

When you have a large VTP domain, you also have a large STP domain. VLAN 1 must span through the whole VTP domain. Therefore, one unique STP is run for that VLAN in the whole domain.
When VTP is used and a new VLAN is created, the VLAN is propagated through the entire VTP domain. The VLAN is then created in all switches in the VTP domain. All Cisco switches use PVST, which means that the switches run a separate STP for each VLAN. This adds to the CPU load of the switch. You must refer to the maximum number of logical ports (for the STP) that are supported on the switch in order to have an idea of the number of STPs that you can have on each switch. The number of logical ports is roughly the number of ports that run STP.
Note: A trunk port runs one instance of STP for each active VLAN on the trunk.
You can perform a rapid evaluation of this value for your switch with this formula:
(Number of active VLANs x Number of trunks) + Number of access ports
This number, which is the maximum number of logical ports for STP, varies from switch to switch and is documented in the release notes for each product. For example, on a Catalyst 5000 with Supervisor Engine 2, you can have a maximum of 1500 STP instances. Each time you create a new VLAN with VTP, the VLAN is propagated by default to all switches and is subsequently active on all ports. You might need to prune unnecessary VLANs from the trunk in order to avoid inflation of the number of logical ports.
Note: Pruning unnecessary VLANs from the trunk can be performed with one of two methods:
  • Manual pruning of the unnecessary VLAN on the trunk—This is the best method, because it also avoids running a spanning tree instance for the pruned VLAN on those trunks. The VTP Pruning section of this document describes manual pruning further.
  • VTP pruning—Avoid this method if the goal is to reduce the number of STP instances. VTP-pruned VLANs on a trunk are still part of the spanning tree. Therefore, VTP-pruned VLANs do not reduce the number of spanning tree port instances.

VTP Pruning

VTP pruning increases the available bandwidth. VTP pruning restricts flooded traffic to those trunk links that the traffic must use in order to access the appropriate network devices. By default, VTP pruning is disabled. The enablement of VTP pruning on a VTP server enables pruning for the entire management domain. The set vtp pruning enable command prunes VLANs automatically and stops the inefficient flooding of frames where the frames are not needed. By default, VLANs 2 through 1000 are pruning eligible. VTP pruning does not prune traffic from pruning-ineligible VLANs. VLAN 1 is always pruning ineligible; traffic from VLAN 1 cannot be pruned.
Note: Unlike manual VLAN pruning, automatic pruning does not limit the spanning tree diameter.
All devices in the management domain must support VTP pruning in order for VTP pruning to be effective. On devices that do not support VTP pruning, you must manually configure the VLANs that are allowed on trunks. You can perform manual pruning of the VLAN from the trunk with the clear trunk mod/port command and the clear trunk vlan_list command. For example, on each trunk of a core switch, you can choose to allow only the VLANs that are actually needed. This helps to reduce the load on the CPUs of all switches (core switches and access switches) and avoids running STP for those VLANs across the entire network. This pruning limits STP problems in the VLAN.
This is an example:
  • Topology—The topology is two core switches that are connected to each other, each with 80 trunk connections to 80 different access switches. With this design, each core switch has 81 trunks, and each access switch has two uplink trunks. This assumes that access switches have, in addition to the two uplinks, two or three trunks that go to a Catalyst 1900. This is a total of four to five trunks per access switch.
  • Platform—Core switches are Catalyst 6500s with Supervisor Engine 1A and Policy Feature Card 1 (PFC1) that run software release 5.5(7). This platform cannot have more than 4000 STP logical ports.
  • Access switches—Access switches are either:
    • Catalyst 5000 switches with Supervisor Engine 2, which do not support more than 1500 STP logical ports
    • Catalyst 5000 switches with Supervisor Engine 1 and 20 MB of DRAM, which do not support more than 400 STP logical ports
  • Number of VLANs—Remember that VTP is in use: a VLAN that is created on the VTP server is created on all switches in the network. If you have 100 VLANs, the core must handle roughly 100 VLANs x 81 trunks = 8100 logical ports, which is above the limit. The access switch must handle 100 VLANs x 5 trunks = 500 logical ports. In this case, Catalysts in the core exceed the supported number of logical ports, and access switches with Supervisor Engine 1 are also above the limit.
  • Solution—If you assume that only four or five VLANs are actually needed in each access switch, you can prune all the other VLANs from the trunk on the core layer. For example, if only VLANs 1, 10, 11, and 13 are needed on trunk 3/1 that goes to that access switch, the configuration on the core is:
    Praha> (enable) set trunk 1/1 des
    Port(s) 1/1 trunk mode set to desirable.
    Praha> (enable) clear trunk 1/1 2-9,12,14-1005
    Removing Vlan(s) 2-9,12,14-1005 from allowed list.
    Port 1/1 allowed vlans modified to 1,10,11,13.
    Note: Even if you do not exceed the number of allowed logical ports, prune VLANs from a trunk. The reason is that an STP loop in one VLAN only extends where the VLAN is allowed and does not go through the entire campus. The broadcast in one VLAN does not reach the switch that does not need the broadcast. In releases that are earlier than software release 5.4, you cannot clear VLAN 1 from trunks. In later releases, you can clear VLAN 1 with this command:
    Praha> (enable) clear trunk 1/1 1
    Default vlan 1 cannot be cleared from module 1.
    The Case of VLAN 1 section of this document discusses techniques on how to keep VLAN 1 from spanning the whole campus.
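The logical-port formula above and the core/access sizing in the Solution bullet, carried through in code. This is an added example and is not part of the original page or of Cisco's documentation; the Switch class, its field names, the trunk names and the helper functions are assumptions made for illustration. It generalizes the page's formula slightly: each trunk contributes one STP instance per VLAN still allowed on it, so when every VLAN is allowed everywhere the count reduces to the page's (active VLANs x trunks) + access ports, and after manual pruning it drops to the pruned list times the trunk count.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    """Constructed model of one switch (assumed structure, not a Cisco API):
    an STP logical-port limit, a number of access ports, and a map of
    trunk name -> set of VLAN IDs allowed on that trunk."""
    name: str
    limit: int                      # max STP logical ports from the release notes
    access_ports: int = 0
    trunks: dict = field(default_factory=dict)


def logical_ports(sw: Switch) -> int:
    """Page formula, generalized per trunk:
    sum over trunks of (VLANs allowed on that trunk) + access ports.
    With every active VLAN allowed on every trunk this equals
    (active VLANs x trunks) + access ports."""
    return sum(len(allowed) for allowed in sw.trunks.values()) + sw.access_ports


def over_limit(sw: Switch) -> bool:
    """True when the switch exceeds the documented STP logical-port limit."""
    return logical_ports(sw) > sw.limit


def build_switch(name, limit, num_trunks, allowed_per_trunk, access_ports=0) -> Switch:
    """Build a switch whose trunks all carry the same allowed-VLAN set."""
    sw = Switch(name=name, limit=limit, access_ports=access_ports)
    for i in range(num_trunks):
        sw.trunks[f"trunk{i + 1}"] = set(allowed_per_trunk)
    return sw


def page_scenario() -> dict:
    """The page's sizing example: 100 VLANs; a core switch with 81 trunks
    (limit 4000); access switches with 5 trunks and a limit of 1500 (Sup2)
    or 400 (Sup1 with 20 MB DRAM). Returns name -> (logical ports, over limit)."""
    all_vlans = set(range(1, 101))                       # VLANs 1..100, constructed
    core = build_switch("core", 4000, 81, all_vlans)
    access_sup2 = build_switch("access-sup2", 1500, 5, all_vlans)
    access_sup1 = build_switch("access-sup1", 400, 5, all_vlans)
    # After 'clear trunk 1/1 2-9,12,14-1005' on every core trunk, only
    # VLANs 1, 10, 11 and 13 remain allowed (the page's pruned list).
    pruned_core = build_switch("core-pruned", 4000, 81, {1, 10, 11, 13})
    return {sw.name: (logical_ports(sw), over_limit(sw))
            for sw in (core, access_sup2, access_sup1, pruned_core)}


if __name__ == "__main__":
    for name, (count, over) in page_scenario().items():
        print(f"{name:12s} logical ports={count:5d}  over limit={over}")
```

Pruning all but four VLANs on every core trunk brings the core from 8100 logical ports down to 324, which is the reduction the page describes; the same function can be pointed at a real inventory of trunks and allowed lists to check a design against the release-note limits before a VLAN is added with VTP.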

VLANs are not pruned

If two switches, A and B, are connected, and a port of Switch A that is configured as a trunk is connected to an IP phone, then VTP join messages pass from Switch A to Switch B. Therefore, Switch B is not able to prune the unused VLANs.
This issue can be resolved if you configure the port that is connected to the IP phone as an access port with a voice VLAN:
Switch(config)#interface FastEthernet0/1
Switch(config-if)#switchport access vlan <vlan number>
Switch(config-if)#switchport voice vlan <vlan number>

The Case of VLAN 1

You cannot apply VTP pruning to VLANs that need to exist everywhere and that need to be allowed on all switches in the campus, in order to be able to carry VTP, Cisco Discovery Protocol [CDP] traffic, and other control traffic. However, there is a way to limit the extent of VLAN 1. The feature is called VLAN 1 disable on trunk. The feature is available on Catalyst 4500/4000, 5500/5000, and 6500/6000 series switches in CatOS software release 5.4(x) and later. The feature allows you to prune VLAN 1 from a trunk, as you do for any other VLAN. This pruning does not include all the control protocol traffic that is still allowed on the trunk (DTP, PAgP, CDP, VTP, and others). However, the pruning does block all user traffic on that trunk. With this feature, you can keep the VLAN from spanning the entire campus. STP loops are limited in extent, even in VLAN 1. Configure VLAN 1 to be disabled, as you would configure other VLANs to be cleared from the trunk:
Console> (enable) set trunk 2/1 desirable
Port(s) 2/1 trunk mode set to desirable.
Console> (enable) clear trunk 2/1 1
Removing Vlan(s) 1 from allowed list.
Port 2/1 allowed vlans modified to 2-1005.
UDLD uses native VLAN in order to talk to the neighbor. So, in a trunk port, the native VLAN must not be pruned in order for UDLD to work properly.

Troubleshoot VTP Configuration Revision Number Errors That Are Seen in the show vtp statistics Command Output

VTP is designed for an administrative environment in which the VLAN database for the domain is changed at only one switch at any one time. It assumes that the new revision propagates throughout the domain before another revision is made. If you change the database simultaneously on two different devices in the administrative domain, you can cause two different databases to be generated with the same revision number. These databases propagate and overwrite the existing information until they meet at an intermediate Catalyst switch on the network. This switch cannot accept either advertisement because the packets have the same revision number but a different MD5 value. When the switch detects this condition, the switch increments the No of config revision errors counter.
Note: The show vtp statistics command output in this section provides an example.
If you find that the VLAN information is not updated on a certain switch, or if you encounter other, similar problems, issue the show vtp statistics command. Determine if the count of VTP packets with configuration revision number errors is increasing:
Console> (enable) show vtp statistics
VTP statistics:
summary advts received            4690
subset advts received             7
request advts received            0
summary advts transmitted         4397
subset advts transmitted          8
request advts transmitted         0
No of config revision errors      5
No of config digest errors        0

VTP pruning statistics:

Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
 1/1             0                0                0
 1/2             0                0                0
Console> (enable)
If you observe a configuration revision error, you can resolve this problem if you change the VLAN database in some way so that a VTP database with a higher revision number than the revision number of the competing databases is created. For example, on the switch that acts as the primary VTP server, add or delete a false VLAN in the administrative domain. This updated revision is propagated throughout the domain and overwrites the database at all devices. When all the devices in the domain advertise an identical database, the error no longer appears.

Troubleshoot VTP Configuration Digest Errors That Are Seen in the show vtp statistics Command Output

This section addresses how to troubleshoot VTP configuration digest errors that you see when you issue the show vtp statistics command. This is an example:
Console> (enable) show vtp statistics
VTP statistics:
summary advts received            3240
subset advts received             4
request advts received            0
summary advts transmitted         3190
subset advts transmitted          5
request advts transmitted         0
No of config revision errors      0
No of config digest errors        2

VTP pruning statistics:

Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
 1/1             0                0                0
 1/2             0                0                0
Console> (enable)
The general purpose of an MD5 value is to verify the integrity of a received packet and to detect any changes to the packet or corruption of the packet during transit. When a switch detects a new revision number that is different from the currently stored value, the switch sends a request message to the VTP server and requests the VTP subsets. A subset advertisement contains a list of VLAN information. The switch calculates the MD5 value for the subset advertisements and compares the value to the MD5 value of the VTP summary advertisement. If the two values are different, the switch increases the No of config digest errors counter.
A common reason for these digest errors is that the VTP password is not configured consistently on all VTP servers in the VTP domain. Troubleshoot these errors as a misconfiguration or data corruption issue.
When you troubleshoot this problem, ensure that the error counter is not historical. The statistics menu counts errors since the most recent device reset or the VTP statistics reset.
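The two counters described in this section and the previous one (No of config revision errors, No of config digest errors), modelled in code as a receiving switch that classifies incoming advertisements. This is an added example, not code from the original page or from Cisco; the Advertisement and VtpReceiver classes, the domain password handling and the compute_digest routine are assumptions. In particular, compute_digest is a simplified stand-in for the switch's MD5 digest: the real digest is computed over specific fields of the VTP packets, whereas here it covers the domain name, revision, password and sorted VLAN table, which is enough to show why two servers at the same revision produce a revision error and why a password mismatch produces a digest error.

```python
import hashlib
from dataclasses import dataclass


def compute_digest(domain: str, revision: int, vlans: dict, password: str) -> bytes:
    """Assumed, simplified stand-in for the VTP MD5 digest (not the real
    packet encoding): covers domain, revision, password and the VLAN table."""
    h = hashlib.md5()
    h.update(domain.encode())
    h.update(revision.to_bytes(4, "big"))
    h.update(password.encode())
    for vid in sorted(vlans):
        h.update(f"{vid}:{vlans[vid]};".encode())
    return h.digest()


@dataclass
class Advertisement:
    """Constructed summary + subset pair as sent by one VTP server."""
    domain: str
    revision: int
    vlans: dict             # subset advertisement: VLAN id -> name
    sender_password: str    # password the sender used when computing the digest

    def summary_digest(self) -> bytes:
        return compute_digest(self.domain, self.revision, self.vlans, self.sender_password)


class VtpReceiver:
    """Model of the receiving switch, its VLAN database and the two error counters."""

    def __init__(self, domain: str, revision: int, vlans: dict, password: str):
        self.domain, self.revision, self.vlans, self.password = domain, revision, dict(vlans), password
        self.revision_errors = 0
        self.digest_errors = 0

    def local_digest(self) -> bytes:
        return compute_digest(self.domain, self.revision, self.vlans, self.password)

    def process(self, adv: Advertisement) -> str:
        """Returns 'ignored', 'revision-error', 'digest-error' or 'accepted'."""
        if adv.domain != self.domain or adv.revision < self.revision:
            return "ignored"
        if adv.revision == self.revision:
            if adv.summary_digest() == self.local_digest():
                return "ignored"            # same database, nothing to do
            self.revision_errors += 1       # equal revision but a different database
            return "revision-error"
        # Higher revision: request the subset, recompute the digest over it with the
        # locally configured password, and compare with the summary advertisement's digest.
        recomputed = compute_digest(adv.domain, adv.revision, adv.vlans, self.password)
        if recomputed != adv.summary_digest():
            self.digest_errors += 1
            return "digest-error"
        self.revision, self.vlans = adv.revision, dict(adv.vlans)
        return "accepted"


def run_scenario() -> tuple:
    """Constructed sequence: two servers change the database at revision 5
    concurrently, a third server uses the wrong password, then a correct server
    bumps the revision (the page's add/delete-a-VLAN fix) and wins."""
    base = {1: "default"}
    rx = VtpReceiver("austinlab", 4, base, "s3cret")
    events = [
        Advertisement("austinlab", 5, {**base, 10: "sales"}, "s3cret"),                 # server A
        Advertisement("austinlab", 5, {**base, 20: "eng"}, "s3cret"),                   # server B, same revision
        Advertisement("austinlab", 6, {**base, 10: "sales", 20: "eng"}, "wrong-pw"),    # password mismatch
        Advertisement("austinlab", 7, {**base, 10: "sales", 20: "eng", 999: "tmp"}, "s3cret"),
    ]
    outcomes = [rx.process(adv) for adv in events]
    return outcomes, rx.revision_errors, rx.digest_errors, rx.revision


if __name__ == "__main__":
    outcomes, rev_errs, dig_errs, final_rev = run_scenario()
    print("outcomes:", outcomes)
    print(f"No of config revision errors {rev_errs}  No of config digest errors {dig_errs}  revision now {final_rev}")
```

The order of checks matters: the revision comparison happens before any subset is requested, so a server with a stale or equal revision never gets to overwrite the database, while a server that merely has the wrong password is rejected at the digest step even though its revision is higher.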

Unable to Change the VTP Mode of a Switch from Server / Transparent

If the switch is a standalone (that is, not connected to the network), and you want to configure the VTP mode as the client, after reboot, the switch comes up either as a VTP server or VTP transparent, dependent upon the VTP mode of the switch before it was configured as the VTP client. The switch does not allow itself to be configured as a VTP client when there is no VTP server nearby.

OSPF Hellos Blocked in a VTP Domain

Open Shortest Path First (OSPF) Hellos can get blocked and the adjacency can be dropped if a switch in the VTP domain is changed from the server or client mode to transparent mode. This issue can occur if VTP pruning is enabled in the domain.
Use any of these options in order to resolve the issue:
  • Hard code the OSPF neighbors.
  • Disable VTP pruning in the domain.
  • Revert the VTP mode of the switch to server or client.

SW_VLAN-4-VTP_USER_NOTIFICATION

This section talks about the commonly occurring variants of this error message:
%SW_VLAN-4-VTP_USER_NOTIFICATION : VTP protocol user notification: [chars]

%SW_VLAN-4-VTP_USER_NOTIFICATION: VTP protocol user notification: Version 1 device detected on [int] after grace period has ended

By default, the VLAN Trunking Protocol (VTP) Version on Cisco switches is Version 2 and is compatible with Version 1. This message is just a notification that indicates that there is a switch connected on port Gig0/10 that runs VTP Version 1. Everything continues to work fine, unless you run IPX, and there is nothing harmful for the switch.
In order to resolve this issue, change the VTP version with these commands.
For Cisco IOS switches, use these commands:
Switch#vlan database
Switch(vlan)#vtp v2-mode
For CatOS switches, use this command:
Console> (enable) set vtp version 2 enable

%SW_VLAN-SP-4-VTP_USER_NOTIFICATION: VTP protocol user notification: MD5 digest checksum mismatch on receipt of equal revision summary on trunk: [int]

%SW_VLAN-4-VTP_USER_NOTIFICATION: VTP protocol user notification: Error detected in VTP Revision Number for VTP Domain Index [dec]

Single switchport trunk allowed vlan Command Appears as Multiple Commands in the show running-config Command Output

When the number of allowed VLANs extends past a certain number of characters, which is the default terminal width, the show running-config command wraps the line and adds the switchport trunk allowed vlan add command to the line. This is the way Cisco IOS handles long lists in the switchport trunk allowed vlan command.
Switch#configure terminal
Switch(config)#int fa3/30
Switch(config-if)#switchport trunk allowed vlan 14, 105, 110, 115, 120, 125, 130-132,
140, 150, 155, 200, 210, 220, 222, 230, 232, 240, 301-309, 840, 860-862, 870, 880,
881, 884-886, 889, 896, 898, 411, 412, 413, 421
!--- The previous command should be in a single line.
It has been wrapped into three lines for proper formatting.
The output of show running-config looks similar to this:
Switch#show running-config | begin 3/30
interface FastEthernet3/30
switchport
switchport trunk allowed vlan 14,105,110,115,120,125,130-132,140,150,155,200
switchport trunk allowed vlan add 210,220,222,230,232,240,301-309,411-413,421
switchport trunk allowed vlan add 840,860-862,870,880,881,884-886,889,896,898
!
!--- rest of output elided
You can also notice that the VLAN list has been sorted in ascending order before it is displayed in the output.
You can disable VLAN 1 on any individual VLAN trunk port by removing VLAN 1 from the allowed list, in order to reduce the risk of spanning-tree loops or storms. When you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic in VLAN 1, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), Dynamic Trunking Protocol (DTP), and VLAN Trunking Protocol (VTP).
The no form of the allowed vlan command resets the list to the default list, which allows all VLANs.

Internal VLAN Usage

All packets sent to the EARL must be prefixed by a VLAN ID, because that is the packet format the EARL expects. Routed ports do not have a visible VLAN ID since one is not explicitly configured, so the switch borrows a VLAN from the pool of 4096 that it has. You can instruct the Catalyst 6500 series switch to start borrowing VLANs from the top and descend from 4096, or from the bottom and ascend from 1006, with the global configuration mode vlan internal allocation policy command:
Switch(config)#vlan internal allocation policy {ascending | descending}
Thus it is normal behavior for an internal VLAN to be used by a routed or WAN interface.
