Layer 2 Troubleshooting


Troubleshooting Layer 2

trunk
VTP
VLAN

STP
Etherchannel
SVI
Etherchannel L3

Switch Security
FHRP
DHCP

show mac address-table
show mac-address-table
show interface fa0/1 switchport
show interface trunk

Causes

VLAN is not configured


VLAN is not added to the trunk
VLAN is blocked by STP
VLAN Updated by VTP
There is no trunk
There is a VACL
A Mac ACL exists
Port security
Negotiation between switch interfaces
Query commands
show mac address-table
show mac-address-table
show interface fa0/1 switchport
show interface trunk
show vlan
show vtp status
show vtp pass
ipconfig
show ip int brief
show run int fa0/x

1. Troubleshooting Trunks

1.1 Encapsulation differences


1.2 Incompatible Trunking Modes
1.3 VTP Domain Name Differences
1.4 Differences in the Native VLAN
1.5 VLANs not included (Allowed)

2. VTP Troubleshooting

2.1 Differences in VTP version


2.2 Differences in VTP mode
2.3 Differences in VTP password
2.4 VTP revision numbers update

3. VLAN troubleshooting

3.1 Configure an incorrect IP address


3.2 The VLAN is not configured
3.3 A port has another VLAN
Encapsulation differences
- IEEE 802.1Q
- ISL (Inter-switch Link)

DTP trunk negotiation

Auto
Desirable
Manual

int fa0/24
sw trunk enca dot

int fa0/24
sw trunk encap isl

2960 switches by default support dot1q encapsulation

show interface fa0/1 switchport


show interface trunk

default-gateway 192.168.x.1

802.1q

int fa0/24
sw mode trunk
sw nonegotiate

int fa0/24
sw mode dynamic desirable (DTP)

1.2 Incompatible Trunking Modes


Access
trunk
Dynamic Desirable
Dynamic Auto

show interface fa0/1 switchport

1.3 VTP Domain Name Differences

Two switches have client mode activated.


Differences between VTP passwords.
If the VTP domain names differ, the trunk link will not be formed.

vtp mode server


vtp pass cisco123
vtp domain tshoot.cl

show vtp status


show vtp pass

1.4 Differences in the Native VLAN

Protocols that use the native VLAN, such as:


DTP
VTP
EtherChannel
STP
CDP

show int trunk

1.5 VLANs not included (Allowed)

sw trunk allowed vlan 10,20,30,40

sw trunk all vlan 50


sw trunk all vlan add 50

sw trunk all vlan remove


sw trunk all vlan except 10
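The checks of sections 1.1 to 1.5 can be run mechanically against the two ends of a link. The following is an added example, not code from the course notes: it replays the `switchport trunk allowed vlan` keywords (plain list, `add`, `remove`, `except`, `all`, `none`) in the full-keyword form, decides whether the two `switchport mode` settings will trunk (including `nonegotiate` and a VTP domain mismatch), and compares encapsulation and native VLAN. The switch names, interface names and both sample configurations are constructed.

```python
# Trunk-formation checker (added example; not part of the course notes).
# Compares the two ends of a link against the causes in sections 1.1 to 1.5:
# encapsulation, DTP mode, VTP domain, native VLAN and allowed-VLAN list.
# Switch and interface names and both sample configurations are constructed.

ALL_VLANS = frozenset(range(1, 4095))


def parse_vlan_list(text):
    """'10,20-30,99' -> {10, 20, ..., 30, 99}."""
    vlans = set()
    for part in text.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def allowed_vlans(commands):
    """Replay 'switchport trunk allowed vlan ...' lines in order using the IOS
    keywords add / remove / except / all / none (full keyword form, not the
    'sw trunk all vlan' shorthand of the notes). With no command every VLAN
    is allowed, which is the IOS default."""
    allowed = set(ALL_VLANS)
    for cmd in commands:
        args = cmd.split()[4:]          # tokens after 'switchport trunk allowed vlan'
        key = args[0]
        if key == "add":
            allowed |= parse_vlan_list(args[1])
        elif key == "remove":
            allowed -= parse_vlan_list(args[1])
        elif key == "except":
            allowed = set(ALL_VLANS) - parse_vlan_list(args[1])
        elif key == "all":
            allowed = set(ALL_VLANS)
        elif key == "none":
            allowed = set()
        else:                           # a plain list replaces the whole set
            allowed = parse_vlan_list(key)
    return allowed


def dtp_trunk_forms(a, b):
    """Whether the two 'switchport mode' settings end up trunking (1.2, 1.3).
    Static trunk on both ends needs no DTP at all; 'nonegotiate' silences DTP,
    so a dynamic far end then never trunks; auto/auto both wait forever; and a
    DTP negotiation only succeeds when both VTP domain names match."""
    ma, mb = a["mode"], b["mode"]
    if "access" in (ma, mb):
        return False
    if ma == "trunk" and mb == "trunk":
        return True
    if a.get("nonegotiate") or b.get("nonegotiate"):
        return False
    if ma == "dynamic auto" and mb == "dynamic auto":
        return False
    return a.get("domain", "") == b.get("domain", "")


def check_trunk(a, b):
    """Return the list of reasons the trunk between a and b is broken."""
    problems = []
    if a["encapsulation"] != b["encapsulation"]:
        problems.append("1.1 encapsulation mismatch: %s vs %s"
                        % (a["encapsulation"], b["encapsulation"]))
    if not dtp_trunk_forms(a, b):
        problems.append("1.2/1.3 DTP modes %s vs %s do not form a trunk"
                        % (a["mode"], b["mode"]))
    if a.get("native", 1) != b.get("native", 1):
        problems.append("1.4 native VLAN mismatch: %d vs %d"
                        % (a.get("native", 1), b.get("native", 1)))
    va, vb = allowed_vlans(a["allowed"]), allowed_vlans(b["allowed"])
    if va != vb:
        problems.append("1.5 VLANs allowed on one side only: %s" % sorted(va ^ vb))
    return problems


# Constructed sample: ASW1 fa0/24 facing DSW1 fa0/24.
ASW1_FA0_24 = {
    "encapsulation": "dot1q", "mode": "trunk", "native": 99, "domain": "tshoot.cl",
    "allowed": ["switchport trunk allowed vlan 10,20,30,40",
                "switchport trunk allowed vlan add 50"],
}
DSW1_FA0_24 = {
    "encapsulation": "isl", "mode": "dynamic auto", "native": 1, "domain": "tshoot.cl",
    "allowed": ["switchport trunk allowed vlan 10,20,30,40"],
}

if __name__ == "__main__":
    for problem in check_trunk(ASW1_FA0_24, DSW1_FA0_24):
        print("-", problem)
```

Run as a script it lists the encapsulation, native VLAN and allowed-VLAN mismatches of the two constructed ends; the DTP pair trunk/dynamic auto is accepted because the trunk side still sends DTP. Note that a native VLAN mismatch is reported even though the trunk itself comes up, because untagged frames would then cross between two VLANs.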

2.1 Differences in VTP version

vtp version 1|2|3

2.2 Differences in VTP mode

client
server
transparent
off

show vtp status

2.3 Differences in VTP password


show vtp pass
2.4 VTP Revision Number Update

When connecting to a server with a higher revision number

3.1 Configure an incorrect IP address

ipconfig

show ip int brief (Router/SwitchL3)

3.2 The VLAN is not configured

show vlan on each switch


show interface fa0/1 switchport

3.3 A port has another VLAN

vlan 50
name SUPPORT

int fa0/3
sw mode acc
sw acc vlan 20
Spanning-tree and Etherchannel troubleshooting

Spanning tree

Get STP information


- What are the switches in the topology?
- Who is the root bridge
- What are the root ports
- STP Security

- show spanning-tree vlan 10


- root priority
- root MAC address
- root role
- Port connected to root
- FWD // BLK port status

- show spanning-tree interface fa0/24


- VLAN No.
- Port priority = 128
- Port ID = port priority.port number

- show spanning-tree interface fa0/24 detail


- STP priority for a VLAN
- 32768 + VLAN 1 = 32769
- 32768 + VLAN 60 = 32828
- 32768 + VLAN 100 = 32868
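The priority arithmetic above and the root election it feeds, as an added example that is not code from the notes: the bridge priority is the configured base (a multiple of 4096) plus the VLAN number, the root is the switch with the lowest (priority, MAC) pair, and the values 24576 and 28672 are the priorities that `spanning-tree vlan X root primary` and `root secondary` normally set. Switch names and MAC addresses are constructed.

```python
# Bridge-ID arithmetic and root election (added example; not from the notes).
# Shows the extended-system-ID rule (32768 + VLAN) and that the MAC address
# only decides the election when priorities tie. 24576 / 28672 are what
# 'spanning-tree vlan X root primary' / 'root secondary' normally configure.
# Switch names and MAC addresses below are constructed.

ROOT_PRIMARY = 24576
ROOT_SECONDARY = 28672
DEFAULT_PRIORITY = 32768


def bridge_priority(base, vlan):
    """PVST+ bridge priority = configured base (multiple of 4096) + VLAN id."""
    if base % 4096 or not 1 <= vlan <= 4094:
        raise ValueError("base must be a multiple of 4096 and vlan in 1-4094")
    return base + vlan


def mac_int(mac):
    """'0011.2233.4455' -> integer, so MAC addresses compare numerically."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def bridge_id(base, vlan, mac):
    return (bridge_priority(base, vlan), mac_int(mac))


def elect_root(switches, vlan):
    """switches: {name: (base_priority, mac)}. Lowest bridge ID wins. With
    every switch left at the default the lowest MAC (often the oldest or an
    access switch) becomes root, which is why priorities are set by design."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


CONSTRUCTED = {
    "DSW1": (ROOT_PRIMARY, "0011.2233.4455"),
    "DSW2": (ROOT_SECONDARY, "0011.2233.4466"),
    "ASW1": (DEFAULT_PRIORITY, "0000.0000.0001"),  # lowest MAC, default priority
}

if __name__ == "__main__":
    for vlan in (1, 60, 100):
        print("VLAN %d default priority: %d" % (vlan, bridge_priority(DEFAULT_PRIORITY, vlan)))
    print("root for VLAN 10:", elect_root(CONSTRUCTED, 10))
```

`show spanning-tree vlan 10` reports exactly these two numbers (priority and root MAC), so the function can be used to confirm that the switch shown as root is the one the design intended.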
Get MST information
- Group multiple VLANs into an MSTP instance
- instance 1 (10,20-100)

Configuration process

MST Name
Region MST
MST instance
Map VLAN instance

Issues

- Different MST region name


- Different MST revision numbers
- Number of VLANs associated with an instance
- VTPv3 is not present

#show spanning-tree mst configuration

Spanning-tree problems

1. MAC table corruption


2. Broadcast storms
3. portfast
4. BPDU Guard
5. BPDU Filter
6. Root Guard
7. Loop Guard
1. MAC table corruption

- When a switch exists outside the STP domain


- When a hub exists
- In both cases frames are forwarded to the neighbours
- The network is flooded with duplicate frames
- A switch learns the same MAC through different ports

The switch sends a syslog message: MAC AAAA flapping between two ports.

%SW_MATM-4-MACFLAP_NOTIF
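The syslog message named above can be turned into a detection. The following is an added example, not from the notes: it parses `%SW_MATM-4-MACFLAP_NOTIF` lines, counts them per MAC and VLAN, and reports hosts that flap repeatedly together with the ports involved. The log lines are constructed in the shape of that message.

```python
# Detector for MAC-flap syslog messages (added example; not from the notes).
# Counts %SW_MATM-4-MACFLAP_NOTIF events per (MAC, VLAN) and reports hosts
# that flap repeatedly, the symptom of the loop or hub described above.
# The log lines below are constructed.
import re
from collections import defaultdict

MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9A-Fa-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)

SAMPLE_SYSLOG = """\
*Mar  1 00:12:01.001: %SW_MATM-4-MACFLAP_NOTIF: Host 0040.0bc4.aaaa in vlan 10 is flapping between port Fa0/1 and port Fa0/2
*Mar  1 00:12:03.002: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
*Mar  1 00:12:05.003: %SW_MATM-4-MACFLAP_NOTIF: Host 0040.0BC4.AAAA in vlan 10 is flapping between port Fa0/2 and port Fa0/1
*Mar  1 00:12:09.004: %SW_MATM-4-MACFLAP_NOTIF: Host 0040.0bc4.aaaa in vlan 10 is flapping between port Fa0/1 and port Fa0/2
*Mar  1 00:12:11.005: %SW_MATM-4-MACFLAP_NOTIF: Host 0040.0bc4.bbbb in vlan 20 is flapping between port Fa0/3 and port Fa0/4
"""


def parse_macflaps(text):
    """Return a list of (mac, vlan, port_a, port_b) for every MACFLAP line;
    other syslog lines are ignored. MACs are lower-cased so case differences
    in the log do not split one host into two."""
    events = []
    for line in text.splitlines():
        m = MACFLAP_RE.search(line)
        if m:
            events.append((m.group("mac").lower(), int(m.group("vlan")),
                           m.group("p1"), m.group("p2")))
    return events


def flapping_hosts(text, threshold=3):
    """Hosts seen flapping at least `threshold` times, with the set of ports
    involved: two ports for a single loop, more when several paths exist."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for mac, vlan, p1, p2 in parse_macflaps(text):
        counts[(mac, vlan)] += 1
        ports[(mac, vlan)].update((p1, p2))
    return {key: {"count": n, "ports": sorted(ports[key])}
            for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (mac, vlan), info in flapping_hosts(SAMPLE_SYSLOG).items():
        print("VLAN %d host %s flapped %d times between %s"
              % (vlan, mac, info["count"], " and ".join(info["ports"])))
```

The two ports in the output are where to look next with `show spanning-tree interface` and `show mac address-table`; a single host flapping between two access ports usually means a hub or an unmanaged switch connected to both.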

2. Broadcast storms

Destination MAC broadcast frame FFFF.FFFF.FFFF


Frames are sent to all switches.
Other switches forward these frames on all their ports except the one they received them on.

Ethernet frames have no TTL, so broadcast frames keep being forwarded by every switch.

Consumes BW
Network delay
CPU
RAM

Storm control

int fa0/5
storm-control broadcast level 1

3. portfast
- Configure on edge ports
- Transition to forwarding state immediately.
- Skips the Listening and Learning states of STP.
int fa0/1
spanning-tree portfast

spanning-tree portfast default

show spann int fa0/1 portfast


show spann int fa0/1 detail
show spann summary

4. BPDU Guard

int f0/3
spanning-tree bpduguard enable

do sh int fa0/3

spanning-tree portfast bpduguard default

5. Root Guard
int fa0/4
spanning-tree portfast
spanning-tree guard root

Bridge ID = Priority + Switch MAC

Root Guard puts the port in a root-inconsistent (blocked) state

Enabled interface by interface

show spanning-tree guard root


show spanning-tree inconsistentports
show spanning-tree int fa0/4 detail
show spanning-tree vlan xx

6. BPDU Filter

7. Loop Guard

***Resolve ticket 03***


***END ***
9:30
2. Troubleshooting Etherchannel

Create logical links from 1 or more physical links.


Port-channel
Negotiation protocols
PAgP
LACP
Manual

Portchannel is a virtual interface that replicates its configuration to physical ports.


Increases BW capacity

Up to 16 interfaces can be added on a Po, but only 8 interfaces will be active.

2.1 Differences in port configuration

Identical:
- Port speed
- Duplex Mode
- trunk mode
- Native VLAN
- VLANs included in the port
- Po L2 or Po L3

2.2 Differences in Etherchannel configuration

LACP
Active/Passive
Active/Active

PAGP
auto/desirable
desirable/desirable

ON
on/off
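Sections 2.1 and 2.2 as a checker, added here as an example and not code from the notes: `bundle_forms` encodes which negotiation-mode pairs bring a port-channel up, and `check_members` reports every attribute from the 2.1 list that is not identical across the member ports. Port names and the sample bundle are constructed.

```python
# EtherChannel bundle checker (added example; not from the notes). Covers
# 2.1 (every member port must match) and 2.2 (negotiation mode pairs).
# Port names and the sample bundle below are constructed.

# Mode pairs that bring a bundle up. Anything else (passive/passive,
# auto/auto, on/active, LACP on one end and PAgP on the other ...) leaves
# the ports unbundled and the Po down.
COMPATIBLE_PAIRS = {
    frozenset(["active"]), frozenset(["active", "passive"]),      # LACP
    frozenset(["desirable"]), frozenset(["desirable", "auto"]),   # PAgP
    frozenset(["on"]),                                            # manual
}

# Attributes of 2.1 that must be identical on every member port.
MUST_MATCH = ("speed", "duplex", "switchport_mode", "native_vlan",
              "allowed_vlans", "layer")


def bundle_forms(mode_a, mode_b):
    """True when the 'channel-group N mode' settings on the two switches
    can negotiate (or manually force) a bundle."""
    return frozenset([mode_a, mode_b]) in COMPATIBLE_PAIRS


def check_members(members):
    """members: {port: {attribute: value}}. Return {attribute: {port: value}}
    for each attribute that is not identical across all member ports; an
    empty dict means the ports are consistent."""
    mismatches = {}
    for attr in MUST_MATCH:
        values = {port: cfg[attr] for port, cfg in members.items()}
        if len(set(values.values())) > 1:
            mismatches[attr] = values
    return mismatches


# Constructed Po1 on DSW1: fa0/3 was cabled later and configured by hand.
PO1_MEMBERS = {
    "fa0/1": {"speed": "100", "duplex": "full", "switchport_mode": "trunk",
              "native_vlan": 99, "allowed_vlans": "10,20,30,40", "layer": 2},
    "fa0/2": {"speed": "100", "duplex": "full", "switchport_mode": "trunk",
              "native_vlan": 99, "allowed_vlans": "10,20,30,40", "layer": 2},
    "fa0/3": {"speed": "100", "duplex": "half", "switchport_mode": "trunk",
              "native_vlan": 1, "allowed_vlans": "10,20,30,40", "layer": 2},
}

if __name__ == "__main__":
    for attr, values in check_members(PO1_MEMBERS).items():
        print("%s differs: %s" % (attr, values))
    print("LACP active/passive bundles:", bundle_forms("active", "passive"))
    print("PAgP auto/auto bundles:", bundle_forms("auto", "auto"))
```

A port that fails the consistency check is the one `show etherchannel summary` shows suspended (the `s` flag) while the rest of the bundle stays up.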
2.3 Inappropriate distribution of the Etherchannel algorithm

Hash calculation -> decides which member link carries each frame


Distributes the traffic load

The hash can be based on MAC or IP addresses:


src-mac
src-ip
dst-mac
dst-ip
mac-ip

show etherchannel load-balance

EtherChannel Load-Balancing Operational State (src-mac)

Both switches must have the same operating algorithm.

show etherchannel load-balance


show etherchannel summary
show etherchannel port-channel
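Why the load-balance policy matters (2.3), shown with an added example that is not code from the notes: a constructed set of flows from one server to eight clients is hashed under each `port-channel load-balance` policy and the flows per member link are counted. The eight-bucket, low-order-bits hash is an assumption about how the hardware behaves, not something the notes state; the addresses are constructed.

```python
# Load-balance distribution model (added example; not from the notes).
# Hashes a constructed set of flows under each 'port-channel load-balance'
# policy and counts how many land on each member link. The eight-bucket,
# low-order-bits hash is an assumption about the hardware, not a statement
# from the notes; the addresses below are constructed.
import ipaddress
from collections import Counter

POLICIES = ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip")


def mac_int(mac):
    return int(mac.replace(".", ""), 16)


def ip_int(ip):
    return int(ipaddress.IPv4Address(ip))


def hash_bucket(policy, flow):
    """Three low-order bits of the selected field(s): one of eight buckets."""
    src_mac, dst_mac = mac_int(flow["src_mac"]), mac_int(flow["dst_mac"])
    src_ip, dst_ip = ip_int(flow["src_ip"]), ip_int(flow["dst_ip"])
    value = {
        "src-mac": src_mac, "dst-mac": dst_mac, "src-dst-mac": src_mac ^ dst_mac,
        "src-ip": src_ip, "dst-ip": dst_ip, "src-dst-ip": src_ip ^ dst_ip,
    }[policy]
    return value & 0x7


def distribute(policy, flows, n_links):
    """{link_index: number of flows}. Buckets map onto links by modulo,
    which approximates the uneven spread of a non-power-of-two bundle
    (8 buckets over 3 links -> 3:3:2)."""
    return dict(Counter(hash_bucket(policy, flow) % n_links for flow in flows))


# Constructed: one server (single MAC and IP) talking to eight clients, the
# classic case where src-mac hashing pins everything to one member link.
SERVER_MAC, SERVER_IP = "0000.0c00.0001", "10.0.0.10"
FLOWS = [{"src_mac": SERVER_MAC, "src_ip": SERVER_IP,
          "dst_mac": "0000.0c00.00%02x" % i, "dst_ip": "10.0.0.%d" % (20 + i)}
         for i in range(1, 9)]

if __name__ == "__main__":
    for policy in POLICIES:
        print("%-12s %s" % (policy, dict(sorted(distribute(policy, FLOWS, 4).items()))))
```

With `src-mac` every flow from the server lands on the same link, so the other three members carry nothing; `src-dst-ip` spreads the same eight flows over all four. The policy is set per switch, which is why both ends of the bundle must show the same `show etherchannel load-balance` output.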

Flags in show etherchannel summary:

S: Layer 2
U: in use

Router-on-a-stick
Switch Virtual Interface
Routed Ports
Etherchannel L3
Port-security

Spoof
Private VLAN
MAC ACL
Port ACL
VLAN ACL
HSRP
VRRP
GLBP
DHCP

Troubleshooting

Goals

- Tshoot Port-security
- Tshoot Dhcp Snooping
- Tshoot Dynamic ARP inspection

1. Tshoot Port-security
1.1 Port-sec is configured but not enabled
1.2 Static MAC configured incorrectly
1.3 Maximum MAC reached
1.4 Port violation
1.5 Port-sec not saved

1.1 Port-sec is configured but not enabled

int fa0/0
sw port-security -> the line that is missing when port-sec is configured but not enabled
sw port-sec max 1
sw port-sec violation shutdown
sw port-sec mac-address sticky
sw port-sec mac-address 0001.0002.0003

ASW1(config-if)#do sh port-sec int fa0/2

Port Security : Disabled


Port Status : Secure-down
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses: 2
Total MAC Addresses: 0
Configured MAC Addresses: 0
Sticky MAC Addresses: 1
Last Source Address:Vlan: 0040.0BC4.A853:10
Security Violation Count: 0

#show port-sec int fa0/2
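The `show port-security interface` output above can be parsed and checked automatically. The following is an added example, not from the notes: it maps each `Key : value` line to a field, then flags the three conditions of sections 1.1, 1.3 and 1.4 (parameters present but `switchport port-security` missing, maximum reached, and protect mode dropping silently or a port in secure-shutdown). The first sample reproduces the fa0/2 output shown above; the second is constructed.

```python
# Parser and checks for 'show port-security interface' output (added example;
# not from the notes). Flags the conditions of 1.1, 1.3 and 1.4. The first
# sample reproduces the fa0/2 output shown above; the second is constructed.
import re

FIELD_RE = re.compile(r"^(.+?)\s*:\s+(.*)$")

SAMPLE_FA0_2 = """\
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0040.0BC4.A853:10
Security Violation Count   : 0
"""

SAMPLE_FULL_PROTECT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Security Violation Count   : 0
"""


def parse_port_security(text):
    """Map each 'Key : value' line to a dict. The key group is non-greedy
    and the colon must be followed by whitespace, so the embedded colon in
    'Last Source Address:Vlan' stays in the key."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def diagnose(fields):
    """Return findings keyed to the sections of the notes."""
    def num(key):
        return int(fields.get(key, "0"))

    problems = []
    enabled = fields.get("Port Security") == "Enabled"
    # Anything beyond the defaults (max 1, shutdown, no sticky/static MACs)
    # means someone configured port-security parameters on this port.
    configured = (num("Maximum MAC Addresses") != 1
                  or num("Sticky MAC Addresses") or num("Configured MAC Addresses")
                  or fields.get("Violation Mode") != "Shutdown")
    if not enabled and configured:
        problems.append("1.1 parameters present but 'switchport port-security' is missing")
    if enabled and num("Total MAC Addresses") >= num("Maximum MAC Addresses"):
        problems.append("1.3 maximum reached (%d/%d): the next new MAC is a violation"
                        % (num("Total MAC Addresses"), num("Maximum MAC Addresses")))
    if fields.get("Violation Mode") == "Protect":
        problems.append("1.4 protect mode drops silently: no syslog, no violation counter")
    if fields.get("Port Status") == "Secure-shutdown":
        problems.append("1.4 port is err-disabled after a violation")
    return problems


def diagnose_text(text):
    return diagnose(parse_port_security(text))


if __name__ == "__main__":
    for name, sample in (("fa0/2", SAMPLE_FA0_2), ("constructed", SAMPLE_FULL_PROTECT)):
        print(name, diagnose_text(sample))
```

For the fa0/2 sample the only finding is 1.1: a sticky address and a maximum of 2 are present, yet `Port Security : Disabled` shows the enabling command was never entered, so none of it is enforced.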

1.2 Static MAC configured incorrectly

int fa0/2
sw port-sec mac 0001.0002.0003

ASW1#show port-security address
Secure Mac Address Table
Vlan  Mac Address     Type              Ports            Remaining Age (mins)
----  --------------  ----------------  ---------------  --------------------
10    0001.0002.0003  SecureConfigured  FastEthernet0/2  -
10    0040.0BC4.A853  SecureSticky      FastEthernet0/2  -

1.3 Maximum MAC reached

int fa0/0
sw port-sec max 1 -> Default is 1

1.4 Port violation

When a legitimate user has been blocked by violation rules

Protect: DROP // NO NOTIFICATION // NO COUNTER


Restrict: DROP // NOTIFICATION // COUNTER
Shutdown (Default): ERR-DISABLED // DROP // NOTIFICATION // COUNTER

PRS (Protect / Restrict / Shutdown)

ASW1#show int fa0/1


FastEthernet0/1 is down, line protocol is down (err-disabled)
Hardware is Lance, address is 0030.f29b.c201 (bia 0030.f29b.c201)

ASW1#show interfaces status


Port   Name  Status        Vlan  Duplex  Speed  Type
Po13         connected           auto    auto
Po23         connected           auto    auto
Fa0/1        err-disabled  10    a-full  a-100  10/100BaseTX

#show errdisable

Types of causes that produce the err-disabled state

Port-sec
DAI
bpduguard
EtherChannel
dhcp
psecure-violation

1.5 Port-sec not saved

wr
copy run start

IP dhcp snooping
Dynamic ARP Inspection
IP Source Guard
MAC ACL
Port ACL
VACL
2. HSRP: high availability (HA) for hosts -> virtual GW

int vlan 10
ip address 192.168.1.1 255.255.255.0
standby 10 ip 192.168.1.254
standby 10 preempt
standby 10 track fa0/0 decrement 50
standby 10 priority 110
standby 10 timers 1 3

What is the active router?


What router has preempt configured?
GW Virtual
Virtual MAC
Tracking Interfaces
Tracking Routing Table
tracking with IPsla "Monitoring"

Failures
2.1 Virtual IP address does not match between:
- Configured on PC
- Configured in HSRP group

2.2 DHCP server sent incorrect GW

2.3 Wrong group number assigned

int vlan 10
ip address 192.168.1.1 255.255.255.0
standby 20 ip 192.168.1.254
standby 10 preempt
standby 10 track fa0/0 decrement 50
standby 10 priority 110
standby 10 timers 1 3
Check on both routers

2.4 Group not assigned

int vlan 20
ip address 192.168.20.1 255.255.255.0
standby ip 192.168.1.254

Check on both routers
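The two broken blocks of 2.3 and 2.4 above, checked by code, as an added example that is not from the notes: `parse_svi` reads the `ip address` and `standby` lines of one SVI (a `standby ip` line without a group number is recorded under group 0, the IOS default group), `check_svi` flags a virtual IP held by a different group than the other `standby` lines, a virtual IP outside the SVI subnet, and a missing group number, and `active_router` computes the ACTIVE router from priority, tracking decrements and interface IP. The R2 router is constructed; R1 is the working block from the start of section 2.

```python
# HSRP configuration checker and active-router election (added example; not
# from the notes). Parses the SVI blocks of 2.3 and 2.4, flags the mistakes
# they contain, and computes which router becomes ACTIVE from priority,
# tracking and IP. Router names and R2's addresses are constructed.
import ipaddress

DEFAULT_PRIORITY = 100
DEFAULT_DECREMENT = 10      # 'standby N track' without 'decrement'


def parse_svi(config):
    """Parse 'ip address' and 'standby' lines of one SVI. A 'standby ip ...'
    line without a group number lands in group 0, the IOS default group."""
    svi = {"ip": None, "groups": {}}
    for raw in config.strip().splitlines():
        parts = raw.split()
        if parts[:2] == ["ip", "address"]:
            svi["ip"] = ipaddress.IPv4Interface("%s/%s" % (parts[2], parts[3]))
        elif parts and parts[0] == "standby":
            explicit = parts[1].isdigit()
            gid, args = (int(parts[1]), parts[2:]) if explicit else (0, parts[1:])
            g = svi["groups"].setdefault(gid, {"vip": None, "priority": DEFAULT_PRIORITY,
                                               "preempt": False, "track": {},
                                               "explicit": explicit})
            if args[0] == "ip":
                g["vip"] = ipaddress.IPv4Address(args[1])
            elif args[0] == "preempt":
                g["preempt"] = True
            elif args[0] == "priority":
                g["priority"] = int(args[1])
            elif args[0] == "track":
                g["track"][args[1]] = int(args[3]) if len(args) > 3 else DEFAULT_DECREMENT
            elif args[0] == "timers":
                g["timers"] = (int(args[1]), int(args[2]))
    return svi


def check_svi(svi):
    """Findings numbered as in the notes."""
    problems = []
    for gid, g in sorted(svi["groups"].items()):
        if not g["explicit"]:
            problems.append("2.4 'standby ip' without a group number: IOS uses group 0")
        if g["vip"] is None:
            problems.append("2.3 group %d has preempt/priority/track but no virtual IP;"
                            " the 'standby ip' line uses another group number" % gid)
        elif g["vip"] not in svi["ip"].network:
            problems.append("2.1/2.4 virtual IP %s is outside the SVI subnet %s"
                            % (g["vip"], svi["ip"].network))
    return problems


def active_router(routers, gid, down_interfaces=()):
    """routers: {name: parsed svi}. Effective priority = priority minus the
    decrement of every tracked interface that is down; the highest wins and
    the highest interface IP breaks ties. Preempt only matters afterwards:
    without it a router that regains the higher priority stays STANDBY."""
    def score(name):
        g = routers[name]["groups"][gid]
        lost = sum(dec for intf, dec in g["track"].items() if intf in down_interfaces)
        return (g["priority"] - lost, routers[name]["ip"].ip)
    return max(routers, key=score)


WRONG_GROUP = """
int vlan 10
ip address 192.168.1.1 255.255.255.0
standby 20 ip 192.168.1.254
standby 10 preempt
standby 10 track fa0/0 decrement 50
standby 10 priority 110
standby 10 timers 1 3
"""
NO_GROUP = """
int vlan 20
ip address 192.168.20.1 255.255.255.0
standby ip 192.168.1.254
"""
R1 = parse_svi(WRONG_GROUP.replace("standby 20 ip", "standby 10 ip"))   # the working block
R2 = parse_svi("""
int vlan 10
ip address 192.168.1.2 255.255.255.0
standby 10 ip 192.168.1.254
""")                                                                     # constructed peer

if __name__ == "__main__":
    print(check_svi(parse_svi(WRONG_GROUP)))
    print(check_svi(parse_svi(NO_GROUP)))
    print("active:", active_router({"R1": R1, "R2": R2}, 10))
    print("active with R1 fa0/0 down:", active_router({"R1": R1, "R2": R2}, 10, ("fa0/0",)))
```

With R1's tracked fa0/0 down its effective priority drops to 60, below R2's default 100, so R2 takes ACTIVE; once fa0/0 returns, R1 only gets the role back because `preempt` is configured.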

2.5 Connectivity between two HSRP routers

R1
int vlan 10
ip address 192.168.1.1 255.255.255.0

R2
int vlan 10
ip address 192.168.1.2 255.255.255.0

Functioning

HSRP in load balancing mode


HSRP in primary/backup mode

2.6 Preempt -> takes over the ACTIVE role when its priority is higher

2.7 track fa0/0 decrement 50


A track may:
- be missing
- be implemented incorrectly
- point at an incorrect IP SLA

2.8 Priority 110


- Priority must match the HA design
- Primary has a higher priority than backup
- Align the SVI priorities correctly
- Match the Spanning-tree root

spanning-tree vlan 10,20,30 root primary


spanning-tree vlan 10,20,30 root secondary

- VRRP
- GLBP

Ticket Incidents -> Isolated problems


Ticket Requirement -> A change is requested
Ticket Consultations -> Information
Problem Ticket -> Many TTs of the same incident
*** Resolution time 20 Minutes ****

*** End 21:25 ***

3. Troubleshooting router-on-a-trunk (router-on-a-stick)

GW are configured on a router

int gi0/0.10
encapsulation dot1q 10
ip add 192.168.10.1 255.255.255.0

SW

int fa0/24
desc LINK_RO1
sw trunk enc dot
sw mode trunk
sw nonegotiate
sw trunk native vlan 99
sw trunk all vlan 10,20,30,40

3.1.1 PC may have an IP in a different subnet from the GW


3.1.2 Access port is in another VLAN
3.1.3 VLAN does not exist on any SW
3.1.4 Trunk port to the router is connected to another port
3.1.5 Port fa0/24 is not in trunk mode
3.1.6 The VLAN is not allowed on the trunk
3.1.7 Trunk port encapsulation differs from the router's

3.1.8 Router physical interface is DOWN


3.1.9 Subinterface is disabled
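The nine checks of 3.1 walked in order by code, as an added example that is not from the notes: starting from the host, it finds the router subinterface that owns the gateway address, then verifies the access VLAN, the VLAN database, the cabling, trunk mode, allowed list, encapsulation, the physical interface and the subinterface state. All names and addresses are constructed; the trunk and subinterface values mirror the configuration above.

```python
# First-hop path checker for router-on-a-stick (added example; not from the
# notes). Walks host -> access port -> trunk -> router subinterface and
# reports the faults of 3.1.1 to 3.1.9 visible in the configuration.
# All names and addresses below are constructed.
import ipaddress


def check_path(host, switch, router):
    problems = []
    host_if = ipaddress.IPv4Interface(host["ip"])
    gateway = ipaddress.IPv4Address(host["gateway"])
    if gateway not in host_if.network:
        problems.append("3.1.1 host %s and gateway %s are in different subnets" % (host_if, gateway))
    # The subinterface that owns the gateway address says which VLAN the host belongs in.
    sub = next((s for s in router["subinterfaces"].values()
                if ipaddress.IPv4Interface(s["ip"]).ip == gateway), None)
    if sub is None:
        problems.append("3.1.1 gateway %s is not configured on any router subinterface" % gateway)
        return problems
    vlan = switch["access_ports"][host["port"]]
    if vlan != sub["vlan"]:
        problems.append("3.1.2 access port %s is in VLAN %d but the gateway is in VLAN %d"
                        % (host["port"], vlan, sub["vlan"]))
    if vlan not in switch["vlans"]:
        problems.append("3.1.3 VLAN %d does not exist on the switch" % vlan)
    up = switch["uplink"]
    if up["connected_to"] != router["physical"]["name"]:
        problems.append("3.1.4 trunk port %s is cabled to %s, not %s"
                        % (up["name"], up["connected_to"], router["physical"]["name"]))
    if up["mode"] != "trunk":
        problems.append("3.1.5 uplink %s is in mode %s, not trunk" % (up["name"], up["mode"]))
    if vlan not in up["allowed"]:
        problems.append("3.1.6 VLAN %d is not allowed on trunk %s" % (vlan, up["name"]))
    if up["encapsulation"] != sub["encapsulation"]:
        problems.append("3.1.7 trunk encapsulation %s vs subinterface %s"
                        % (up["encapsulation"], sub["encapsulation"]))
    if not router["physical"]["up"]:
        problems.append("3.1.8 router interface %s is down" % router["physical"]["name"])
    if sub["shutdown"]:
        problems.append("3.1.9 subinterface for VLAN %d is shut down" % sub["vlan"])
    return problems


ROUTER = {
    "physical": {"name": "gi0/0", "up": True},
    "subinterfaces": {
        "gi0/0.10": {"vlan": 10, "encapsulation": "dot1q", "ip": "192.168.10.1/24", "shutdown": False},
        "gi0/0.20": {"vlan": 20, "encapsulation": "dot1q", "ip": "192.168.20.1/24", "shutdown": False},
    },
}
SWITCH = {
    "vlans": {1, 10, 20, 30, 40, 99},
    "access_ports": {"fa0/3": 10, "fa0/5": 50},      # fa0/5 was put in a VLAN nobody created
    "uplink": {"name": "fa0/24", "connected_to": "gi0/0", "mode": "trunk",
               "encapsulation": "dot1q", "native": 99, "allowed": {10, 20, 30, 40}},
}
HOST_OK = {"port": "fa0/3", "ip": "192.168.10.50/24", "gateway": "192.168.10.1"}
HOST_BAD = {"port": "fa0/5", "ip": "192.168.10.51/24", "gateway": "192.168.10.1"}

if __name__ == "__main__":
    for name, host in (("ok", HOST_OK), ("bad", HOST_BAD)):
        print(name, check_path(host, SWITCH, ROUTER))
```

The order of the findings is the order of the checklist, so the first one reported is also the first thing to fix: a host on fa0/5 fails at 3.1.2 and everything after that (3.1.3, 3.1.6) follows from the same wrong VLAN.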

3.2 Troubleshooting Switched Virtual Interface (SVI)

int vlan 10
ip add 192.168.10.1 255.255.255.0
no shut
desc LAN_VLAN10

3.2.1 VLAN is not created on the SW (#vlan 10)


3.2.2 VLAN interface is disabled
3.2.3 At least one active port in the VLAN (access or trunk) must exist for the SVI to go up.
3.2.4 The #ip routing command is not configured
3.2.5 On a SWL2 the gateway is set with #ip default-gateway (GW)

3.3 Troubleshooting Routed Ports

int fa0/1
no switchport
ip add 10.232.0.1 255.255.255.0

It is not associated with a VLAN


Routing
STP does not apply
DTP does not apply
Does not support subinterfaces
Can be used for EtherChannel L3
IP routing on a SWL3
3.3.1 Invalid IP address
3.3.2 ip routing
3.3.3 Invalid mask
3.3.4 It may be in shutdown

3.4 Troubleshooting Layer 3 Etherchannel

3.4.1 Configurations are different


3.4.2 Negotiation mode
3.4.3 Distribution algorithm does not match

src-mac
src-ip
dst-mac
dst-ip
src-dst mac
src-dst ip

DSW1(config)#port-channel load-balance ?

show etherchannel load-balance

src-mac

dst-ip

Layer 2 Troubleshooting Summary


- Trunks
- VTP
- VLAN
- DTP
- Spanning tree
- Etherchannel
- Port-security
- DHCP Snooping
- HSRP
- Inter-VLAN Routing
- Router on a Trunk
- Router on a Stick
- DHCP
